[PATCH] bpf: program printed in bpf_debug compatible format
Elazar Leibovich
elazarl at gmail.com
Tue Jun 5 18:35:10 UTC 2018
By defaut, none-abbreviated bpf program is printed as:
<len>, <op> <jt> <jk> <k>, <op> <jt> <jk> <k>...
A format consumable by the bpf_debug tool from the linux
kernel.
An example strace output when running strace -e seccomp:
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=9, filter=9,32 0 0 4,21 0
6 3221225534,32 0 0 0,53 4 0 1073741824,21 2 0 2,21 1 0 60,21 0 1
231,6 0 0 2147418112,6 0 0 0}) = 0
Pasting the output in bpf_debug:
$ ./bpf_debug
> load bpf 9,32 0 0 4,21 0 6 3221225534,32 0 0 0,53 4 0
1073741824,21 2 0 2,21 1 0 60,21 0 1 231,6 0 0 2147418112,6 0 0 0
> disassemble
l0: ld [4]
l1: jeq #0xc000003e, l2, l8
l2: ld [0]
l3: jge #0x40000000, l8, l4
l4: jeq #0x2, l7, l5
l5: jeq #0x3c, l7, l6
l6: jeq #0xe7, l7, l8
l7: ret #0x7fff0000
l8: ret #0
Note that if the output is truncated, in case the user
has submitted a bpf program > maximum BPF program size,
the length prefix is adapted to the truncated size.
Signed-off-by: Elazar Leibovich <elazarl at gmail.com>
---
bpf_filter.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-bpf-program-printed-in-bpf_debug-compatible-format.patch
Type: text/x-patch
Size: 794 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20180605/722ad038/attachment.bin>
More information about the Strace-devel
mailing list