[PATCH] bpf: program printed in bpf_debug compatible format
Elazar Leibovich
elazarl at gmail.com
Thu Jun 14 09:37:39 UTC 2018
Hi,
When will this patch get reviewed?
I want to set a reminder to myself, to make sure it wouldn't be forgotten.
On Tue, Jun 5, 2018 at 9:35 PM, Elazar Leibovich <elazarl at gmail.com> wrote:
> By defaut, none-abbreviated bpf program is printed as:
>
> <len>, <op> <jt> <jk> <k>, <op> <jt> <jk> <k>...
>
> A format consumable by the bpf_debug tool from the linux
> kernel.
>
> An example strace output when running strace -e seccomp:
>
> seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=9, filter=9,32 0 0 4,21 0
> 6 3221225534,32 0 0 0,53 4 0 1073741824,21 2 0 2,21 1 0 60,21 0 1
> 231,6 0 0 2147418112,6 0 0 0}) = 0
>
> Pasting the output in bpf_debug:
>
> $ ./bpf_debug
> > load bpf 9,32 0 0 4,21 0 6 3221225534,32 0 0 0,53 4 0
> 1073741824,21 2 0 2,21 1 0 60,21 0 1 231,6 0 0 2147418112,6 0 0 0
> > disassemble
> l0: ld [4]
> l1: jeq #0xc000003e, l2, l8
> l2: ld [0]
> l3: jge #0x40000000, l8, l4
> l4: jeq #0x2, l7, l5
> l5: jeq #0x3c, l7, l6
> l6: jeq #0xe7, l7, l8
> l7: ret #0x7fff0000
> l8: ret #0
>
> Note that if the output is truncated, in case the user
> has submitted a bpf program > maximum BPF program size,
> the length prefix is adapted to the truncated size.
>
> Signed-off-by: Elazar Leibovich <elazarl at gmail.com>
> ---
> bpf_filter.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20180614/d3bd8254/attachment.html>
More information about the Strace-devel
mailing list