[PATCH] bpf: program printed in bpf_debug compatible format
Elazar Leibovich
elazarl at gmail.com
Tue Jun 26 16:08:45 UTC 2018
ping.
On Thu, Jun 14, 2018 at 12:37 PM Elazar Leibovich <elazarl at gmail.com> wrote:
> Hi,
>
> When will this patch get reviewed?
>
> I want to set a reminder to myself, to make sure it wouldn't be forgotten.
>
> On Tue, Jun 5, 2018 at 9:35 PM, Elazar Leibovich <elazarl at gmail.com>
> wrote:
>
>> By defaut, none-abbreviated bpf program is printed as:
>>
>> <len>, <op> <jt> <jk> <k>, <op> <jt> <jk> <k>...
>>
>> A format consumable by the bpf_debug tool from the linux
>> kernel.
>>
>> An example strace output when running strace -e seccomp:
>>
>> seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=9, filter=9,32 0 0 4,21 0
>> 6 3221225534,32 0 0 0,53 4 0 1073741824,21 2 0 2,21 1 0 60,21 0 1
>> 231,6 0 0 2147418112,6 0 0 0}) = 0
>>
>> Pasting the output in bpf_debug:
>>
>> $ ./bpf_debug
>> > load bpf 9,32 0 0 4,21 0 6 3221225534,32 0 0 0,53 4 0
>> 1073741824,21 2 0 2,21 1 0 60,21 0 1 231,6 0 0 2147418112,6 0 0 0
>> > disassemble
>> l0: ld [4]
>> l1: jeq #0xc000003e, l2, l8
>> l2: ld [0]
>> l3: jge #0x40000000, l8, l4
>> l4: jeq #0x2, l7, l5
>> l5: jeq #0x3c, l7, l6
>> l6: jeq #0xe7, l7, l8
>> l7: ret #0x7fff0000
>> l8: ret #0
>>
>> Note that if the output is truncated, in case the user
>> has submitted a bpf program > maximum BPF program size,
>> the length prefix is adapted to the truncated size.
>>
>> Signed-off-by: Elazar Leibovich <elazarl at gmail.com>
>> ---
>> bpf_filter.c | 13 ++++++++++++-
>> 1 file changed, 12 insertions(+), 1 deletion(-)
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20180626/329b99ee/attachment.html>
More information about the Strace-devel
mailing list