Implement a custom version of the CO-RE BPF probe, following the same approach as for
the custom eBPF one. The proposed solution:

- Restructure the current kernel-modules/probe to contain two subdirectories,
  ebpf and core_bpf, for the custom ebpf and core_bpf probes respectively.
- Construct a cmake configuration, similar to that in Falco, to build
  separate probes with modern_bpf dependencies.
- For each captured syscall introduce one probe with two BPF progs,
  tp_btf/sys_{enter|exit}_syscall, similar to the attached progs from Falco.
- Teach the cmake configuration to assemble the final probe by picking up the
  custom bits and the actual tail-called BPF program from the Falco build.
- Verify its limitations for other architectures.
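The probe layout described in the third item, as an added example that is not part of this proposal nor of Falco's modern_bpf code: one CO-RE object carrying a tp_btf/sys_enter and a tp_btf/sys_exit program, each bounds-checking the syscall id and then tail-calling into a per-syscall program array that the loader fills in. The map names, the table size, the `-D__TARGET_ARCH_*` build define and the host-compiler shims are assumptions made for this example; the shims exist only so the id-range logic can be compiled and checked on a host, the real probe is built with `clang -target bpf` against `vmlinux.h`.

```c
/* Added example, not project code: one CO-RE probe carrying the two tp_btf
 * programs (sys_enter and sys_exit) that bounds-check the syscall id and
 * tail-call into a per-syscall program array. Map names, the table size and
 * the host shims are assumptions made for this example. Kernel build:
 *   clang -O2 -g -target bpf -D__TARGET_ARCH_x86 -c probe.bpf.c */
#ifdef __BPF__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#else
/* Host-compiler shims so the id-range logic can be unit-checked without
 * clang -target bpf; none of this is part of the real probe build. */
#include <stddef.h>
#include <stdint.h>
typedef uint32_t __u32;
struct pt_regs;                       /* only ever used through a pointer here */
#define SEC(name)
#define __always_inline inline __attribute__((always_inline))
#define BPF_PROG(name, args...) name(void *ctx, ##args)
#define __uint(name, val) int (*name)[val]
#define BPF_MAP_TYPE_PROG_ARRAY 3
static inline void bpf_tail_call(void *ctx, void *map, __u32 idx)
{
    (void)ctx; (void)map; (void)idx;  /* no programs to jump to on the host */
}
#endif

/* One slot per syscall number (assumed size); user space fills each slot with
 * the program that handles that syscall before attaching the probe. */
#define SYSCALL_TABLE_SIZE 512

struct {
    __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
    __uint(max_entries, SYSCALL_TABLE_SIZE);
    __uint(key_size, sizeof(__u32));
    __uint(value_size, sizeof(__u32));
} syscall_enter_tail_table SEC(".maps");

struct {
    __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
    __uint(max_entries, SYSCALL_TABLE_SIZE);
    __uint(key_size, sizeof(__u32));
    __uint(value_size, sizeof(__u32));
} syscall_exit_tail_table SEC(".maps");

/* Reject ids outside the table: the verifier needs the index provably in
 * range, and unknown syscalls must not reach a tail call at all. */
static __always_inline int syscall_id_in_table(long id)
{
    return id >= 0 && id < SYSCALL_TABLE_SIZE;
}

/* Entry program: the raw tracepoint hands us the syscall number directly. */
SEC("tp_btf/sys_enter")
int BPF_PROG(sys_enter, struct pt_regs *regs, long id)
{
    (void)regs;
    if (!syscall_id_in_table(id))
        return 0;
    /* Jump to the per-syscall program; an empty slot just falls through. */
    bpf_tail_call(ctx, &syscall_enter_tail_table, (__u32)id);
    return 0;
}

/* Exit side: only the return value is passed, so the syscall number has to be
 * recovered from the saved registers, which is architecture specific (this is
 * the "verify its limitations for other architectures" item). */
static __always_inline long syscall_id_from_regs(struct pt_regs *regs)
{
#if defined(__BPF__) && defined(__TARGET_ARCH_x86)
    return BPF_CORE_READ(regs, orig_ax);
#elif defined(__BPF__) && defined(__TARGET_ARCH_arm64)
    return BPF_CORE_READ(regs, syscallno);
#elif defined(__BPF__)
#error "syscall id extraction not implemented for this architecture"
#else
    (void)regs;
    return -1;                        /* host shim: nothing to read */
#endif
}

SEC("tp_btf/sys_exit")
int BPF_PROG(sys_exit, struct pt_regs *regs, long ret)
{
    (void)ret;
    long id = syscall_id_from_regs(regs);
    if (!syscall_id_in_table(id))
        return 0;
    bpf_tail_call(ctx, &syscall_exit_tail_table, (__u32)id);
    return 0;
}

char LICENSE[] SEC("license") = "GPL";
```

The two tail-call tables are what the last cmake item has to populate: the custom bits are the dispatch programs above, while the per-syscall programs placed into each slot come from the Falco build. The exit-side register read is the part that does not generalise across architectures, so it is the natural place to start when verifying the other targets.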