Loading...
1// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2/* Copyright (c) 2019 Netronome Systems, Inc. */
3
4#include <ctype.h>
5#include <errno.h>
6#include <string.h>
7#include <unistd.h>
8#include <net/if.h>
9#ifdef USE_LIBCAP
10#include <sys/capability.h>
11#endif
12#include <sys/utsname.h>
13#include <sys/vfs.h>
14
15#include <linux/filter.h>
16#include <linux/limits.h>
17
18#include <bpf/bpf.h>
19#include <bpf/libbpf.h>
20#include <zlib.h>
21
22#include "main.h"
23
24#ifndef PROC_SUPER_MAGIC
25# define PROC_SUPER_MAGIC 0x9fa0
26#endif
27
28enum probe_component {
29 COMPONENT_UNSPEC,
30 COMPONENT_KERNEL,
31 COMPONENT_DEVICE,
32};
33
34#define BPF_HELPER_MAKE_ENTRY(name) [BPF_FUNC_ ## name] = "bpf_" # name
35static const char * const helper_name[] = {
36 __BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
37};
38
39#undef BPF_HELPER_MAKE_ENTRY
40
41static bool full_mode;
42#ifdef USE_LIBCAP
43static bool run_as_unprivileged;
44#endif
45
46/* Miscellaneous utility functions */
47
48static bool check_procfs(void)
49{
50 struct statfs st_fs;
51
52 if (statfs("/proc", &st_fs) < 0)
53 return false;
54 if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
55 return false;
56
57 return true;
58}
59
60static void uppercase(char *str, size_t len)
61{
62 size_t i;
63
64 for (i = 0; i < len && str[i] != '\0'; i++)
65 str[i] = toupper(str[i]);
66}
67
68/* Printing utility functions */
69
70static void
71print_bool_feature(const char *feat_name, const char *plain_name,
72 const char *define_name, bool res, const char *define_prefix)
73{
74 if (json_output)
75 jsonw_bool_field(json_wtr, feat_name, res);
76 else if (define_prefix)
77 printf("#define %s%sHAVE_%s\n", define_prefix,
78 res ? "" : "NO_", define_name);
79 else
80 printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
81}
82
83static void print_kernel_option(const char *name, const char *value,
84 const char *define_prefix)
85{
86 char *endptr;
87 int res;
88
89 if (json_output) {
90 if (!value) {
91 jsonw_null_field(json_wtr, name);
92 return;
93 }
94 errno = 0;
95 res = strtol(value, &endptr, 0);
96 if (!errno && *endptr == '\n')
97 jsonw_int_field(json_wtr, name, res);
98 else
99 jsonw_string_field(json_wtr, name, value);
100 } else if (define_prefix) {
101 if (value)
102 printf("#define %s%s %s\n", define_prefix,
103 name, value);
104 else
105 printf("/* %s%s is not set */\n", define_prefix, name);
106 } else {
107 if (value)
108 printf("%s is set to %s\n", name, value);
109 else
110 printf("%s is not set\n", name);
111 }
112}
113
114static void
115print_start_section(const char *json_title, const char *plain_title,
116 const char *define_comment, const char *define_prefix)
117{
118 if (json_output) {
119 jsonw_name(json_wtr, json_title);
120 jsonw_start_object(json_wtr);
121 } else if (define_prefix) {
122 printf("%s\n", define_comment);
123 } else {
124 printf("%s\n", plain_title);
125 }
126}
127
128static void print_end_section(void)
129{
130 if (json_output)
131 jsonw_end_object(json_wtr);
132 else
133 printf("\n");
134}
135
136/* Probing functions */
137
138static int read_procfs(const char *path)
139{
140 char *endptr, *line = NULL;
141 size_t len = 0;
142 FILE *fd;
143 int res;
144
145 fd = fopen(path, "r");
146 if (!fd)
147 return -1;
148
149 res = getline(&line, &len, fd);
150 fclose(fd);
151 if (res < 0)
152 return -1;
153
154 errno = 0;
155 res = strtol(line, &endptr, 10);
156 if (errno || *line == '\0' || *endptr != '\n')
157 res = -1;
158 free(line);
159
160 return res;
161}
162
163static void probe_unprivileged_disabled(void)
164{
165 int res;
166
167 /* No support for C-style ouptut */
168
169 res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
170 if (json_output) {
171 jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
172 } else {
173 switch (res) {
174 case 0:
175 printf("bpf() syscall for unprivileged users is enabled\n");
176 break;
177 case 1:
178 printf("bpf() syscall restricted to privileged users\n");
179 break;
180 case -1:
181 printf("Unable to retrieve required privileges for bpf() syscall\n");
182 break;
183 default:
184 printf("bpf() syscall restriction has unknown value %d\n", res);
185 }
186 }
187}
188
189static void probe_jit_enable(void)
190{
191 int res;
192
193 /* No support for C-style ouptut */
194
195 res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
196 if (json_output) {
197 jsonw_int_field(json_wtr, "bpf_jit_enable", res);
198 } else {
199 switch (res) {
200 case 0:
201 printf("JIT compiler is disabled\n");
202 break;
203 case 1:
204 printf("JIT compiler is enabled\n");
205 break;
206 case 2:
207 printf("JIT compiler is enabled with debugging traces in kernel logs\n");
208 break;
209 case -1:
210 printf("Unable to retrieve JIT-compiler status\n");
211 break;
212 default:
213 printf("JIT-compiler status has unknown value %d\n",
214 res);
215 }
216 }
217}
218
219static void probe_jit_harden(void)
220{
221 int res;
222
223 /* No support for C-style ouptut */
224
225 res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
226 if (json_output) {
227 jsonw_int_field(json_wtr, "bpf_jit_harden", res);
228 } else {
229 switch (res) {
230 case 0:
231 printf("JIT compiler hardening is disabled\n");
232 break;
233 case 1:
234 printf("JIT compiler hardening is enabled for unprivileged users\n");
235 break;
236 case 2:
237 printf("JIT compiler hardening is enabled for all users\n");
238 break;
239 case -1:
240 printf("Unable to retrieve JIT hardening status\n");
241 break;
242 default:
243 printf("JIT hardening status has unknown value %d\n",
244 res);
245 }
246 }
247}
248
249static void probe_jit_kallsyms(void)
250{
251 int res;
252
253 /* No support for C-style ouptut */
254
255 res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
256 if (json_output) {
257 jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
258 } else {
259 switch (res) {
260 case 0:
261 printf("JIT compiler kallsyms exports are disabled\n");
262 break;
263 case 1:
264 printf("JIT compiler kallsyms exports are enabled for root\n");
265 break;
266 case -1:
267 printf("Unable to retrieve JIT kallsyms export status\n");
268 break;
269 default:
270 printf("JIT kallsyms exports status has unknown value %d\n", res);
271 }
272 }
273}
274
275static void probe_jit_limit(void)
276{
277 int res;
278
279 /* No support for C-style ouptut */
280
281 res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
282 if (json_output) {
283 jsonw_int_field(json_wtr, "bpf_jit_limit", res);
284 } else {
285 switch (res) {
286 case -1:
287 printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
288 break;
289 default:
290 printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
291 }
292 }
293}
294
295static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
296 char **value)
297{
298 char *sep;
299
300 while (gzgets(file, buf, n)) {
301 if (strncmp(buf, "CONFIG_", 7))
302 continue;
303
304 sep = strchr(buf, '=');
305 if (!sep)
306 continue;
307
308 /* Trim ending '\n' */
309 buf[strlen(buf) - 1] = '\0';
310
311 /* Split on '=' and ensure that a value is present. */
312 *sep = '\0';
313 if (!sep[1])
314 continue;
315
316 *value = sep + 1;
317 return true;
318 }
319
320 return false;
321}
322
323static void probe_kernel_image_config(const char *define_prefix)
324{
325 static const struct {
326 const char * const name;
327 bool macro_dump;
328 } options[] = {
329 /* Enable BPF */
330 { "CONFIG_BPF", },
331 /* Enable bpf() syscall */
332 { "CONFIG_BPF_SYSCALL", },
333 /* Does selected architecture support eBPF JIT compiler */
334 { "CONFIG_HAVE_EBPF_JIT", },
335 /* Compile eBPF JIT compiler */
336 { "CONFIG_BPF_JIT", },
337 /* Avoid compiling eBPF interpreter (use JIT only) */
338 { "CONFIG_BPF_JIT_ALWAYS_ON", },
339 /* Kernel BTF debug information available */
340 { "CONFIG_DEBUG_INFO_BTF", },
341 /* Kernel module BTF debug information available */
342 { "CONFIG_DEBUG_INFO_BTF_MODULES", },
343
344 /* cgroups */
345 { "CONFIG_CGROUPS", },
346 /* BPF programs attached to cgroups */
347 { "CONFIG_CGROUP_BPF", },
348 /* bpf_get_cgroup_classid() helper */
349 { "CONFIG_CGROUP_NET_CLASSID", },
350 /* bpf_skb_{,ancestor_}cgroup_id() helpers */
351 { "CONFIG_SOCK_CGROUP_DATA", },
352
353 /* Tracing: attach BPF to kprobes, tracepoints, etc. */
354 { "CONFIG_BPF_EVENTS", },
355 /* Kprobes */
356 { "CONFIG_KPROBE_EVENTS", },
357 /* Uprobes */
358 { "CONFIG_UPROBE_EVENTS", },
359 /* Tracepoints */
360 { "CONFIG_TRACING", },
361 /* Syscall tracepoints */
362 { "CONFIG_FTRACE_SYSCALLS", },
363 /* bpf_override_return() helper support for selected arch */
364 { "CONFIG_FUNCTION_ERROR_INJECTION", },
365 /* bpf_override_return() helper */
366 { "CONFIG_BPF_KPROBE_OVERRIDE", },
367
368 /* Network */
369 { "CONFIG_NET", },
370 /* AF_XDP sockets */
371 { "CONFIG_XDP_SOCKETS", },
372 /* BPF_PROG_TYPE_LWT_* and related helpers */
373 { "CONFIG_LWTUNNEL_BPF", },
374 /* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
375 { "CONFIG_NET_ACT_BPF", },
376 /* BPF_PROG_TYPE_SCHED_CLS, TC filters */
377 { "CONFIG_NET_CLS_BPF", },
378 /* TC clsact qdisc */
379 { "CONFIG_NET_CLS_ACT", },
380 /* Ingress filtering with TC */
381 { "CONFIG_NET_SCH_INGRESS", },
382 /* bpf_skb_get_xfrm_state() helper */
383 { "CONFIG_XFRM", },
384 /* bpf_get_route_realm() helper */
385 { "CONFIG_IP_ROUTE_CLASSID", },
386 /* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
387 { "CONFIG_IPV6_SEG6_BPF", },
388 /* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
389 { "CONFIG_BPF_LIRC_MODE2", },
390 /* BPF stream parser and BPF socket maps */
391 { "CONFIG_BPF_STREAM_PARSER", },
392 /* xt_bpf module for passing BPF programs to netfilter */
393 { "CONFIG_NETFILTER_XT_MATCH_BPF", },
394 /* bpfilter back-end for iptables */
395 { "CONFIG_BPFILTER", },
396 /* bpftilter module with "user mode helper" */
397 { "CONFIG_BPFILTER_UMH", },
398
399 /* test_bpf module for BPF tests */
400 { "CONFIG_TEST_BPF", },
401
402 /* Misc configs useful in BPF C programs */
403 /* jiffies <-> sec conversion for bpf_jiffies64() helper */
404 { "CONFIG_HZ", true, }
405 };
406 char *values[ARRAY_SIZE(options)] = { };
407 struct utsname utsn;
408 char path[PATH_MAX];
409 gzFile file = NULL;
410 char buf[4096];
411 char *value;
412 size_t i;
413
414 if (!uname(&utsn)) {
415 snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
416
417 /* gzopen also accepts uncompressed files. */
418 file = gzopen(path, "r");
419 }
420
421 if (!file) {
422 /* Some distributions build with CONFIG_IKCONFIG=y and put the
423 * config file at /proc/config.gz.
424 */
425 file = gzopen("/proc/config.gz", "r");
426 }
427 if (!file) {
428 p_info("skipping kernel config, can't open file: %s",
429 strerror(errno));
430 goto end_parse;
431 }
432 /* Sanity checks */
433 if (!gzgets(file, buf, sizeof(buf)) ||
434 !gzgets(file, buf, sizeof(buf))) {
435 p_info("skipping kernel config, can't read from file: %s",
436 strerror(errno));
437 goto end_parse;
438 }
439 if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
440 p_info("skipping kernel config, can't find correct file");
441 goto end_parse;
442 }
443
444 while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
445 for (i = 0; i < ARRAY_SIZE(options); i++) {
446 if ((define_prefix && !options[i].macro_dump) ||
447 values[i] || strcmp(buf, options[i].name))
448 continue;
449
450 values[i] = strdup(value);
451 }
452 }
453
454end_parse:
455 if (file)
456 gzclose(file);
457
458 for (i = 0; i < ARRAY_SIZE(options); i++) {
459 if (define_prefix && !options[i].macro_dump)
460 continue;
461 print_kernel_option(options[i].name, values[i], define_prefix);
462 free(values[i]);
463 }
464}
465
466static bool probe_bpf_syscall(const char *define_prefix)
467{
468 bool res;
469
470 bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
471 res = (errno != ENOSYS);
472
473 print_bool_feature("have_bpf_syscall",
474 "bpf() syscall",
475 "BPF_SYSCALL",
476 res, define_prefix);
477
478 return res;
479}
480
481static void
482probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
483 const char *define_prefix, __u32 ifindex)
484{
485 char feat_name[128], plain_desc[128], define_name[128];
486 const char *plain_comment = "eBPF program_type ";
487 size_t maxlen;
488 bool res;
489
490 if (ifindex)
491 /* Only test offload-able program types */
492 switch (prog_type) {
493 case BPF_PROG_TYPE_SCHED_CLS:
494 case BPF_PROG_TYPE_XDP:
495 break;
496 default:
497 return;
498 }
499
500 res = bpf_probe_prog_type(prog_type, ifindex);
501#ifdef USE_LIBCAP
502 /* Probe may succeed even if program load fails, for unprivileged users
503 * check that we did not fail because of insufficient permissions
504 */
505 if (run_as_unprivileged && errno == EPERM)
506 res = false;
507#endif
508
509 supported_types[prog_type] |= res;
510
511 if (!prog_type_name[prog_type]) {
512 p_info("program type name not found (type %d)", prog_type);
513 return;
514 }
515 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
516 if (strlen(prog_type_name[prog_type]) > maxlen) {
517 p_info("program type name too long");
518 return;
519 }
520
521 sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
522 sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
523 uppercase(define_name, sizeof(define_name));
524 sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
525 print_bool_feature(feat_name, plain_desc, define_name, res,
526 define_prefix);
527}
528
529static void
530probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
531 __u32 ifindex)
532{
533 char feat_name[128], plain_desc[128], define_name[128];
534 const char *plain_comment = "eBPF map_type ";
535 size_t maxlen;
536 bool res;
537
538 res = bpf_probe_map_type(map_type, ifindex);
539
540 /* Probe result depends on the success of map creation, no additional
541 * check required for unprivileged users
542 */
543
544 if (!map_type_name[map_type]) {
545 p_info("map type name not found (type %d)", map_type);
546 return;
547 }
548 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
549 if (strlen(map_type_name[map_type]) > maxlen) {
550 p_info("map type name too long");
551 return;
552 }
553
554 sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
555 sprintf(define_name, "%s_map_type", map_type_name[map_type]);
556 uppercase(define_name, sizeof(define_name));
557 sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
558 print_bool_feature(feat_name, plain_desc, define_name, res,
559 define_prefix);
560}
561
562static void
563probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
564 const char *define_prefix, unsigned int id,
565 const char *ptype_name, __u32 ifindex)
566{
567 bool res = false;
568
569 if (supported_type) {
570 res = bpf_probe_helper(id, prog_type, ifindex);
571#ifdef USE_LIBCAP
572 /* Probe may succeed even if program load fails, for
573 * unprivileged users check that we did not fail because of
574 * insufficient permissions
575 */
576 if (run_as_unprivileged && errno == EPERM)
577 res = false;
578#endif
579 }
580
581 if (json_output) {
582 if (res)
583 jsonw_string(json_wtr, helper_name[id]);
584 } else if (define_prefix) {
585 printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
586 define_prefix, ptype_name, helper_name[id],
587 res ? "1" : "0");
588 } else {
589 if (res)
590 printf("\n\t- %s", helper_name[id]);
591 }
592}
593
594static void
595probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
596 const char *define_prefix, __u32 ifindex)
597{
598 const char *ptype_name = prog_type_name[prog_type];
599 char feat_name[128];
600 unsigned int id;
601
602 if (ifindex)
603 /* Only test helpers for offload-able program types */
604 switch (prog_type) {
605 case BPF_PROG_TYPE_SCHED_CLS:
606 case BPF_PROG_TYPE_XDP:
607 break;
608 default:
609 return;
610 }
611
612 if (json_output) {
613 sprintf(feat_name, "%s_available_helpers", ptype_name);
614 jsonw_name(json_wtr, feat_name);
615 jsonw_start_array(json_wtr);
616 } else if (!define_prefix) {
617 printf("eBPF helpers supported for program type %s:",
618 ptype_name);
619 }
620
621 for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
622 /* Skip helper functions which emit dmesg messages when not in
623 * the full mode.
624 */
625 switch (id) {
626 case BPF_FUNC_trace_printk:
627 case BPF_FUNC_probe_write_user:
628 if (!full_mode)
629 continue;
630 /* fallthrough */
631 default:
632 probe_helper_for_progtype(prog_type, supported_type,
633 define_prefix, id, ptype_name,
634 ifindex);
635 }
636 }
637
638 if (json_output)
639 jsonw_end_array(json_wtr);
640 else if (!define_prefix)
641 printf("\n");
642}
643
644static void
645probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
646{
647 bool res;
648
649 res = bpf_probe_large_insn_limit(ifindex);
650 print_bool_feature("have_large_insn_limit",
651 "Large program size limit",
652 "LARGE_INSN_LIMIT",
653 res, define_prefix);
654}
655
656static void
657section_system_config(enum probe_component target, const char *define_prefix)
658{
659 switch (target) {
660 case COMPONENT_KERNEL:
661 case COMPONENT_UNSPEC:
662 print_start_section("system_config",
663 "Scanning system configuration...",
664 "/*** Misc kernel config items ***/",
665 define_prefix);
666 if (!define_prefix) {
667 if (check_procfs()) {
668 probe_unprivileged_disabled();
669 probe_jit_enable();
670 probe_jit_harden();
671 probe_jit_kallsyms();
672 probe_jit_limit();
673 } else {
674 p_info("/* procfs not mounted, skipping related probes */");
675 }
676 }
677 probe_kernel_image_config(define_prefix);
678 print_end_section();
679 break;
680 default:
681 break;
682 }
683}
684
685static bool section_syscall_config(const char *define_prefix)
686{
687 bool res;
688
689 print_start_section("syscall_config",
690 "Scanning system call availability...",
691 "/*** System call availability ***/",
692 define_prefix);
693 res = probe_bpf_syscall(define_prefix);
694 print_end_section();
695
696 return res;
697}
698
699static void
700section_program_types(bool *supported_types, const char *define_prefix,
701 __u32 ifindex)
702{
703 unsigned int i;
704
705 print_start_section("program_types",
706 "Scanning eBPF program types...",
707 "/*** eBPF program types ***/",
708 define_prefix);
709
710 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
711 probe_prog_type(i, supported_types, define_prefix, ifindex);
712
713 print_end_section();
714}
715
716static void section_map_types(const char *define_prefix, __u32 ifindex)
717{
718 unsigned int i;
719
720 print_start_section("map_types",
721 "Scanning eBPF map types...",
722 "/*** eBPF map types ***/",
723 define_prefix);
724
725 for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
726 probe_map_type(i, define_prefix, ifindex);
727
728 print_end_section();
729}
730
731static void
732section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
733{
734 unsigned int i;
735
736 print_start_section("helpers",
737 "Scanning eBPF helper functions...",
738 "/*** eBPF helper functions ***/",
739 define_prefix);
740
741 if (define_prefix)
742 printf("/*\n"
743 " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
744 " * to determine if <helper_name> is available for <prog_type_name>,\n"
745 " * e.g.\n"
746 " * #if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
747 " * // do stuff with this helper\n"
748 " * #elif\n"
749 " * // use a workaround\n"
750 " * #endif\n"
751 " */\n"
752 "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper) \\\n"
753 " %sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
754 define_prefix, define_prefix, define_prefix,
755 define_prefix);
756 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
757 probe_helpers_for_progtype(i, supported_types[i], define_prefix,
758 ifindex);
759
760 print_end_section();
761}
762
763static void section_misc(const char *define_prefix, __u32 ifindex)
764{
765 print_start_section("misc",
766 "Scanning miscellaneous eBPF features...",
767 "/*** eBPF misc features ***/",
768 define_prefix);
769 probe_large_insn_limit(define_prefix, ifindex);
770 print_end_section();
771}
772
773#ifdef USE_LIBCAP
774#define capability(c) { c, false, #c }
775#define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
776#endif
777
778static int handle_perms(void)
779{
780#ifdef USE_LIBCAP
781 struct {
782 cap_value_t cap;
783 bool set;
784 char name[14]; /* strlen("CAP_SYS_ADMIN") */
785 } bpf_caps[] = {
786 capability(CAP_SYS_ADMIN),
787#ifdef CAP_BPF
788 capability(CAP_BPF),
789 capability(CAP_NET_ADMIN),
790 capability(CAP_PERFMON),
791#endif
792 };
793 cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
794 unsigned int i, nb_bpf_caps = 0;
795 bool cap_sys_admin_only = true;
796 cap_flag_value_t val;
797 int res = -1;
798 cap_t caps;
799
800 caps = cap_get_proc();
801 if (!caps) {
802 p_err("failed to get capabilities for process: %s",
803 strerror(errno));
804 return -1;
805 }
806
807#ifdef CAP_BPF
808 if (CAP_IS_SUPPORTED(CAP_BPF))
809 cap_sys_admin_only = false;
810#endif
811
812 for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
813 const char *cap_name = bpf_caps[i].name;
814 cap_value_t cap = bpf_caps[i].cap;
815
816 if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
817 p_err("bug: failed to retrieve %s status: %s", cap_name,
818 strerror(errno));
819 goto exit_free;
820 }
821
822 if (val == CAP_SET) {
823 bpf_caps[i].set = true;
824 cap_list[nb_bpf_caps++] = cap;
825 }
826
827 if (cap_sys_admin_only)
828 /* System does not know about CAP_BPF, meaning that
829 * CAP_SYS_ADMIN is the only capability required. We
830 * just checked it, break.
831 */
832 break;
833 }
834
835 if ((run_as_unprivileged && !nb_bpf_caps) ||
836 (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
837 (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
838 /* We are all good, exit now */
839 res = 0;
840 goto exit_free;
841 }
842
843 if (!run_as_unprivileged) {
844 if (cap_sys_admin_only)
845 p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
846 bpf_caps[0].name);
847 else
848 p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
849 capability_msg(bpf_caps, 0),
850#ifdef CAP_BPF
851 capability_msg(bpf_caps, 1),
852 capability_msg(bpf_caps, 2),
853 capability_msg(bpf_caps, 3)
854#else
855 "", "", "", "", "", ""
856#endif /* CAP_BPF */
857 );
858 goto exit_free;
859 }
860
861 /* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
862 if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
863 CAP_CLEAR)) {
864 p_err("bug: failed to clear capabilities: %s", strerror(errno));
865 goto exit_free;
866 }
867
868 if (cap_set_proc(caps)) {
869 p_err("failed to drop capabilities: %s", strerror(errno));
870 goto exit_free;
871 }
872
873 res = 0;
874
875exit_free:
876 if (cap_free(caps) && !res) {
877 p_err("failed to clear storage object for capabilities: %s",
878 strerror(errno));
879 res = -1;
880 }
881
882 return res;
883#else
884 /* Detection assumes user has specific privileges.
885 * We do not use libpcap so let's approximate, and restrict usage to
886 * root user only.
887 */
888 if (geteuid()) {
889 p_err("full feature probing requires root privileges");
890 return -1;
891 }
892
893 return 0;
894#endif /* USE_LIBCAP */
895}
896
897static int do_probe(int argc, char **argv)
898{
899 enum probe_component target = COMPONENT_UNSPEC;
900 const char *define_prefix = NULL;
901 bool supported_types[128] = {};
902 __u32 ifindex = 0;
903 char *ifname;
904
905 set_max_rlimit();
906
907 while (argc) {
908 if (is_prefix(*argv, "kernel")) {
909 if (target != COMPONENT_UNSPEC) {
910 p_err("component to probe already specified");
911 return -1;
912 }
913 target = COMPONENT_KERNEL;
914 NEXT_ARG();
915 } else if (is_prefix(*argv, "dev")) {
916 NEXT_ARG();
917
918 if (target != COMPONENT_UNSPEC || ifindex) {
919 p_err("component to probe already specified");
920 return -1;
921 }
922 if (!REQ_ARGS(1))
923 return -1;
924
925 target = COMPONENT_DEVICE;
926 ifname = GET_ARG();
927 ifindex = if_nametoindex(ifname);
928 if (!ifindex) {
929 p_err("unrecognized netdevice '%s': %s", ifname,
930 strerror(errno));
931 return -1;
932 }
933 } else if (is_prefix(*argv, "full")) {
934 full_mode = true;
935 NEXT_ARG();
936 } else if (is_prefix(*argv, "macros") && !define_prefix) {
937 define_prefix = "";
938 NEXT_ARG();
939 } else if (is_prefix(*argv, "prefix")) {
940 if (!define_prefix) {
941 p_err("'prefix' argument can only be use after 'macros'");
942 return -1;
943 }
944 if (strcmp(define_prefix, "")) {
945 p_err("'prefix' already defined");
946 return -1;
947 }
948 NEXT_ARG();
949
950 if (!REQ_ARGS(1))
951 return -1;
952 define_prefix = GET_ARG();
953 } else if (is_prefix(*argv, "unprivileged")) {
954#ifdef USE_LIBCAP
955 run_as_unprivileged = true;
956 NEXT_ARG();
957#else
958 p_err("unprivileged run not supported, recompile bpftool with libcap");
959 return -1;
960#endif
961 } else {
962 p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
963 *argv);
964 return -1;
965 }
966 }
967
968 /* Full feature detection requires specific privileges.
969 * Let's approximate, and warn if user is not root.
970 */
971 if (handle_perms())
972 return -1;
973
974 if (json_output) {
975 define_prefix = NULL;
976 jsonw_start_object(json_wtr);
977 }
978
979 section_system_config(target, define_prefix);
980 if (!section_syscall_config(define_prefix))
981 /* bpf() syscall unavailable, don't probe other BPF features */
982 goto exit_close_json;
983 section_program_types(supported_types, define_prefix, ifindex);
984 section_map_types(define_prefix, ifindex);
985 section_helpers(supported_types, define_prefix, ifindex);
986 section_misc(define_prefix, ifindex);
987
988exit_close_json:
989 if (json_output)
990 /* End root object */
991 jsonw_end_object(json_wtr);
992
993 return 0;
994}
995
996static int do_help(int argc, char **argv)
997{
998 if (json_output) {
999 jsonw_null(json_wtr);
1000 return 0;
1001 }
1002
1003 fprintf(stderr,
1004 "Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
1005 " %1$s %2$s help\n"
1006 "\n"
1007 " COMPONENT := { kernel | dev NAME }\n"
1008 "",
1009 bin_name, argv[-2]);
1010
1011 return 0;
1012}
1013
1014static const struct cmd cmds[] = {
1015 { "probe", do_probe },
1016 { "help", do_help },
1017 { 0 }
1018};
1019
1020int do_feature(int argc, char **argv)
1021{
1022 return cmd_select(cmds, argc, argv, do_help);
1023}
1// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2/* Copyright (c) 2019 Netronome Systems, Inc. */
3
4#include <ctype.h>
5#include <errno.h>
6#include <string.h>
7#include <unistd.h>
8#include <net/if.h>
9#include <sys/utsname.h>
10#include <sys/vfs.h>
11
12#include <linux/filter.h>
13#include <linux/limits.h>
14
15#include <bpf.h>
16#include <libbpf.h>
17#include <zlib.h>
18
19#include "main.h"
20
21#ifndef PROC_SUPER_MAGIC
22# define PROC_SUPER_MAGIC 0x9fa0
23#endif
24
25enum probe_component {
26 COMPONENT_UNSPEC,
27 COMPONENT_KERNEL,
28 COMPONENT_DEVICE,
29};
30
31#define BPF_HELPER_MAKE_ENTRY(name) [BPF_FUNC_ ## name] = "bpf_" # name
32static const char * const helper_name[] = {
33 __BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
34};
35
36#undef BPF_HELPER_MAKE_ENTRY
37
38/* Miscellaneous utility functions */
39
40static bool check_procfs(void)
41{
42 struct statfs st_fs;
43
44 if (statfs("/proc", &st_fs) < 0)
45 return false;
46 if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
47 return false;
48
49 return true;
50}
51
52static void uppercase(char *str, size_t len)
53{
54 size_t i;
55
56 for (i = 0; i < len && str[i] != '\0'; i++)
57 str[i] = toupper(str[i]);
58}
59
60/* Printing utility functions */
61
62static void
63print_bool_feature(const char *feat_name, const char *plain_name,
64 const char *define_name, bool res, const char *define_prefix)
65{
66 if (json_output)
67 jsonw_bool_field(json_wtr, feat_name, res);
68 else if (define_prefix)
69 printf("#define %s%sHAVE_%s\n", define_prefix,
70 res ? "" : "NO_", define_name);
71 else
72 printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
73}
74
75static void print_kernel_option(const char *name, const char *value)
76{
77 char *endptr;
78 int res;
79
80 /* No support for C-style ouptut */
81
82 if (json_output) {
83 if (!value) {
84 jsonw_null_field(json_wtr, name);
85 return;
86 }
87 errno = 0;
88 res = strtol(value, &endptr, 0);
89 if (!errno && *endptr == '\n')
90 jsonw_int_field(json_wtr, name, res);
91 else
92 jsonw_string_field(json_wtr, name, value);
93 } else {
94 if (value)
95 printf("%s is set to %s\n", name, value);
96 else
97 printf("%s is not set\n", name);
98 }
99}
100
101static void
102print_start_section(const char *json_title, const char *plain_title,
103 const char *define_comment, const char *define_prefix)
104{
105 if (json_output) {
106 jsonw_name(json_wtr, json_title);
107 jsonw_start_object(json_wtr);
108 } else if (define_prefix) {
109 printf("%s\n", define_comment);
110 } else {
111 printf("%s\n", plain_title);
112 }
113}
114
115static void
116print_end_then_start_section(const char *json_title, const char *plain_title,
117 const char *define_comment,
118 const char *define_prefix)
119{
120 if (json_output)
121 jsonw_end_object(json_wtr);
122 else
123 printf("\n");
124
125 print_start_section(json_title, plain_title, define_comment,
126 define_prefix);
127}
128
129/* Probing functions */
130
131static int read_procfs(const char *path)
132{
133 char *endptr, *line = NULL;
134 size_t len = 0;
135 FILE *fd;
136 int res;
137
138 fd = fopen(path, "r");
139 if (!fd)
140 return -1;
141
142 res = getline(&line, &len, fd);
143 fclose(fd);
144 if (res < 0)
145 return -1;
146
147 errno = 0;
148 res = strtol(line, &endptr, 10);
149 if (errno || *line == '\0' || *endptr != '\n')
150 res = -1;
151 free(line);
152
153 return res;
154}
155
156static void probe_unprivileged_disabled(void)
157{
158 int res;
159
160 /* No support for C-style ouptut */
161
162 res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
163 if (json_output) {
164 jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
165 } else {
166 switch (res) {
167 case 0:
168 printf("bpf() syscall for unprivileged users is enabled\n");
169 break;
170 case 1:
171 printf("bpf() syscall restricted to privileged users\n");
172 break;
173 case -1:
174 printf("Unable to retrieve required privileges for bpf() syscall\n");
175 break;
176 default:
177 printf("bpf() syscall restriction has unknown value %d\n", res);
178 }
179 }
180}
181
182static void probe_jit_enable(void)
183{
184 int res;
185
186 /* No support for C-style ouptut */
187
188 res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
189 if (json_output) {
190 jsonw_int_field(json_wtr, "bpf_jit_enable", res);
191 } else {
192 switch (res) {
193 case 0:
194 printf("JIT compiler is disabled\n");
195 break;
196 case 1:
197 printf("JIT compiler is enabled\n");
198 break;
199 case 2:
200 printf("JIT compiler is enabled with debugging traces in kernel logs\n");
201 break;
202 case -1:
203 printf("Unable to retrieve JIT-compiler status\n");
204 break;
205 default:
206 printf("JIT-compiler status has unknown value %d\n",
207 res);
208 }
209 }
210}
211
212static void probe_jit_harden(void)
213{
214 int res;
215
216 /* No support for C-style ouptut */
217
218 res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
219 if (json_output) {
220 jsonw_int_field(json_wtr, "bpf_jit_harden", res);
221 } else {
222 switch (res) {
223 case 0:
224 printf("JIT compiler hardening is disabled\n");
225 break;
226 case 1:
227 printf("JIT compiler hardening is enabled for unprivileged users\n");
228 break;
229 case 2:
230 printf("JIT compiler hardening is enabled for all users\n");
231 break;
232 case -1:
233 printf("Unable to retrieve JIT hardening status\n");
234 break;
235 default:
236 printf("JIT hardening status has unknown value %d\n",
237 res);
238 }
239 }
240}
241
242static void probe_jit_kallsyms(void)
243{
244 int res;
245
246 /* No support for C-style ouptut */
247
248 res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
249 if (json_output) {
250 jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
251 } else {
252 switch (res) {
253 case 0:
254 printf("JIT compiler kallsyms exports are disabled\n");
255 break;
256 case 1:
257 printf("JIT compiler kallsyms exports are enabled for root\n");
258 break;
259 case -1:
260 printf("Unable to retrieve JIT kallsyms export status\n");
261 break;
262 default:
263 printf("JIT kallsyms exports status has unknown value %d\n", res);
264 }
265 }
266}
267
268static void probe_jit_limit(void)
269{
270 int res;
271
272 /* No support for C-style ouptut */
273
274 res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
275 if (json_output) {
276 jsonw_int_field(json_wtr, "bpf_jit_limit", res);
277 } else {
278 switch (res) {
279 case -1:
280 printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
281 break;
282 default:
283 printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
284 }
285 }
286}
287
288static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
289 char **value)
290{
291 char *sep;
292
293 while (gzgets(file, buf, n)) {
294 if (strncmp(buf, "CONFIG_", 7))
295 continue;
296
297 sep = strchr(buf, '=');
298 if (!sep)
299 continue;
300
301 /* Trim ending '\n' */
302 buf[strlen(buf) - 1] = '\0';
303
304 /* Split on '=' and ensure that a value is present. */
305 *sep = '\0';
306 if (!sep[1])
307 continue;
308
309 *value = sep + 1;
310 return true;
311 }
312
313 return false;
314}
315
316static void probe_kernel_image_config(void)
317{
318 static const char * const options[] = {
319 /* Enable BPF */
320 "CONFIG_BPF",
321 /* Enable bpf() syscall */
322 "CONFIG_BPF_SYSCALL",
323 /* Does selected architecture support eBPF JIT compiler */
324 "CONFIG_HAVE_EBPF_JIT",
325 /* Compile eBPF JIT compiler */
326 "CONFIG_BPF_JIT",
327 /* Avoid compiling eBPF interpreter (use JIT only) */
328 "CONFIG_BPF_JIT_ALWAYS_ON",
329
330 /* cgroups */
331 "CONFIG_CGROUPS",
332 /* BPF programs attached to cgroups */
333 "CONFIG_CGROUP_BPF",
334 /* bpf_get_cgroup_classid() helper */
335 "CONFIG_CGROUP_NET_CLASSID",
336 /* bpf_skb_{,ancestor_}cgroup_id() helpers */
337 "CONFIG_SOCK_CGROUP_DATA",
338
339 /* Tracing: attach BPF to kprobes, tracepoints, etc. */
340 "CONFIG_BPF_EVENTS",
341 /* Kprobes */
342 "CONFIG_KPROBE_EVENTS",
343 /* Uprobes */
344 "CONFIG_UPROBE_EVENTS",
345 /* Tracepoints */
346 "CONFIG_TRACING",
347 /* Syscall tracepoints */
348 "CONFIG_FTRACE_SYSCALLS",
349 /* bpf_override_return() helper support for selected arch */
350 "CONFIG_FUNCTION_ERROR_INJECTION",
351 /* bpf_override_return() helper */
352 "CONFIG_BPF_KPROBE_OVERRIDE",
353
354 /* Network */
355 "CONFIG_NET",
356 /* AF_XDP sockets */
357 "CONFIG_XDP_SOCKETS",
358 /* BPF_PROG_TYPE_LWT_* and related helpers */
359 "CONFIG_LWTUNNEL_BPF",
360 /* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
361 "CONFIG_NET_ACT_BPF",
362 /* BPF_PROG_TYPE_SCHED_CLS, TC filters */
363 "CONFIG_NET_CLS_BPF",
364 /* TC clsact qdisc */
365 "CONFIG_NET_CLS_ACT",
366 /* Ingress filtering with TC */
367 "CONFIG_NET_SCH_INGRESS",
368 /* bpf_skb_get_xfrm_state() helper */
369 "CONFIG_XFRM",
370 /* bpf_get_route_realm() helper */
371 "CONFIG_IP_ROUTE_CLASSID",
372 /* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
373 "CONFIG_IPV6_SEG6_BPF",
374 /* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
375 "CONFIG_BPF_LIRC_MODE2",
376 /* BPF stream parser and BPF socket maps */
377 "CONFIG_BPF_STREAM_PARSER",
378 /* xt_bpf module for passing BPF programs to netfilter */
379 "CONFIG_NETFILTER_XT_MATCH_BPF",
380 /* bpfilter back-end for iptables */
381 "CONFIG_BPFILTER",
382 /* bpftilter module with "user mode helper" */
383 "CONFIG_BPFILTER_UMH",
384
385 /* test_bpf module for BPF tests */
386 "CONFIG_TEST_BPF",
387 };
388 char *values[ARRAY_SIZE(options)] = { };
389 struct utsname utsn;
390 char path[PATH_MAX];
391 gzFile file = NULL;
392 char buf[4096];
393 char *value;
394 size_t i;
395
396 if (!uname(&utsn)) {
397 snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
398
399 /* gzopen also accepts uncompressed files. */
400 file = gzopen(path, "r");
401 }
402
403 if (!file) {
404 /* Some distributions build with CONFIG_IKCONFIG=y and put the
405 * config file at /proc/config.gz.
406 */
407 file = gzopen("/proc/config.gz", "r");
408 }
409 if (!file) {
410 p_info("skipping kernel config, can't open file: %s",
411 strerror(errno));
412 goto end_parse;
413 }
414 /* Sanity checks */
415 if (!gzgets(file, buf, sizeof(buf)) ||
416 !gzgets(file, buf, sizeof(buf))) {
417 p_info("skipping kernel config, can't read from file: %s",
418 strerror(errno));
419 goto end_parse;
420 }
421 if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
422 p_info("skipping kernel config, can't find correct file");
423 goto end_parse;
424 }
425
426 while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
427 for (i = 0; i < ARRAY_SIZE(options); i++) {
428 if (values[i] || strcmp(buf, options[i]))
429 continue;
430
431 values[i] = strdup(value);
432 }
433 }
434
435end_parse:
436 if (file)
437 gzclose(file);
438
439 for (i = 0; i < ARRAY_SIZE(options); i++) {
440 print_kernel_option(options[i], values[i]);
441 free(values[i]);
442 }
443}
444
445static bool probe_bpf_syscall(const char *define_prefix)
446{
447 bool res;
448
449 bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
450 res = (errno != ENOSYS);
451
452 print_bool_feature("have_bpf_syscall",
453 "bpf() syscall",
454 "BPF_SYSCALL",
455 res, define_prefix);
456
457 return res;
458}
459
460static void
461probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
462 const char *define_prefix, __u32 ifindex)
463{
464 char feat_name[128], plain_desc[128], define_name[128];
465 const char *plain_comment = "eBPF program_type ";
466 size_t maxlen;
467 bool res;
468
469 if (ifindex)
470 /* Only test offload-able program types */
471 switch (prog_type) {
472 case BPF_PROG_TYPE_SCHED_CLS:
473 case BPF_PROG_TYPE_XDP:
474 break;
475 default:
476 return;
477 }
478
479 res = bpf_probe_prog_type(prog_type, ifindex);
480
481 supported_types[prog_type] |= res;
482
483 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
484 if (strlen(prog_type_name[prog_type]) > maxlen) {
485 p_info("program type name too long");
486 return;
487 }
488
489 sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
490 sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
491 uppercase(define_name, sizeof(define_name));
492 sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
493 print_bool_feature(feat_name, plain_desc, define_name, res,
494 define_prefix);
495}
496
497static void
498probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
499 __u32 ifindex)
500{
501 char feat_name[128], plain_desc[128], define_name[128];
502 const char *plain_comment = "eBPF map_type ";
503 size_t maxlen;
504 bool res;
505
506 res = bpf_probe_map_type(map_type, ifindex);
507
508 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
509 if (strlen(map_type_name[map_type]) > maxlen) {
510 p_info("map type name too long");
511 return;
512 }
513
514 sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
515 sprintf(define_name, "%s_map_type", map_type_name[map_type]);
516 uppercase(define_name, sizeof(define_name));
517 sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
518 print_bool_feature(feat_name, plain_desc, define_name, res,
519 define_prefix);
520}
521
522static void
523probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
524 const char *define_prefix, __u32 ifindex)
525{
526 const char *ptype_name = prog_type_name[prog_type];
527 char feat_name[128];
528 unsigned int id;
529 bool res;
530
531 if (ifindex)
532 /* Only test helpers for offload-able program types */
533 switch (prog_type) {
534 case BPF_PROG_TYPE_SCHED_CLS:
535 case BPF_PROG_TYPE_XDP:
536 break;
537 default:
538 return;
539 }
540
541 if (json_output) {
542 sprintf(feat_name, "%s_available_helpers", ptype_name);
543 jsonw_name(json_wtr, feat_name);
544 jsonw_start_array(json_wtr);
545 } else if (!define_prefix) {
546 printf("eBPF helpers supported for program type %s:",
547 ptype_name);
548 }
549
550 for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
551 if (!supported_type)
552 res = false;
553 else
554 res = bpf_probe_helper(id, prog_type, ifindex);
555
556 if (json_output) {
557 if (res)
558 jsonw_string(json_wtr, helper_name[id]);
559 } else if (define_prefix) {
560 printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
561 define_prefix, ptype_name, helper_name[id],
562 res ? "1" : "0");
563 } else {
564 if (res)
565 printf("\n\t- %s", helper_name[id]);
566 }
567 }
568
569 if (json_output)
570 jsonw_end_array(json_wtr);
571 else if (!define_prefix)
572 printf("\n");
573}
574
575static int do_probe(int argc, char **argv)
576{
577 enum probe_component target = COMPONENT_UNSPEC;
578 const char *define_prefix = NULL;
579 bool supported_types[128] = {};
580 __u32 ifindex = 0;
581 unsigned int i;
582 char *ifname;
583
584 /* Detection assumes user has sufficient privileges (CAP_SYS_ADMIN).
585 * Let's approximate, and restrict usage to root user only.
586 */
587 if (geteuid()) {
588 p_err("please run this command as root user");
589 return -1;
590 }
591
592 set_max_rlimit();
593
594 while (argc) {
595 if (is_prefix(*argv, "kernel")) {
596 if (target != COMPONENT_UNSPEC) {
597 p_err("component to probe already specified");
598 return -1;
599 }
600 target = COMPONENT_KERNEL;
601 NEXT_ARG();
602 } else if (is_prefix(*argv, "dev")) {
603 NEXT_ARG();
604
605 if (target != COMPONENT_UNSPEC || ifindex) {
606 p_err("component to probe already specified");
607 return -1;
608 }
609 if (!REQ_ARGS(1))
610 return -1;
611
612 target = COMPONENT_DEVICE;
613 ifname = GET_ARG();
614 ifindex = if_nametoindex(ifname);
615 if (!ifindex) {
616 p_err("unrecognized netdevice '%s': %s", ifname,
617 strerror(errno));
618 return -1;
619 }
620 } else if (is_prefix(*argv, "macros") && !define_prefix) {
621 define_prefix = "";
622 NEXT_ARG();
623 } else if (is_prefix(*argv, "prefix")) {
624 if (!define_prefix) {
625 p_err("'prefix' argument can only be use after 'macros'");
626 return -1;
627 }
628 if (strcmp(define_prefix, "")) {
629 p_err("'prefix' already defined");
630 return -1;
631 }
632 NEXT_ARG();
633
634 if (!REQ_ARGS(1))
635 return -1;
636 define_prefix = GET_ARG();
637 } else {
638 p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
639 *argv);
640 return -1;
641 }
642 }
643
644 if (json_output) {
645 define_prefix = NULL;
646 jsonw_start_object(json_wtr);
647 }
648
649 switch (target) {
650 case COMPONENT_KERNEL:
651 case COMPONENT_UNSPEC:
652 if (define_prefix)
653 break;
654
655 print_start_section("system_config",
656 "Scanning system configuration...",
657 NULL, /* define_comment never used here */
658 NULL); /* define_prefix always NULL here */
659 if (check_procfs()) {
660 probe_unprivileged_disabled();
661 probe_jit_enable();
662 probe_jit_harden();
663 probe_jit_kallsyms();
664 probe_jit_limit();
665 } else {
666 p_info("/* procfs not mounted, skipping related probes */");
667 }
668 probe_kernel_image_config();
669 if (json_output)
670 jsonw_end_object(json_wtr);
671 else
672 printf("\n");
673 break;
674 default:
675 break;
676 }
677
678 print_start_section("syscall_config",
679 "Scanning system call availability...",
680 "/*** System call availability ***/",
681 define_prefix);
682
683 if (!probe_bpf_syscall(define_prefix))
684 /* bpf() syscall unavailable, don't probe other BPF features */
685 goto exit_close_json;
686
687 print_end_then_start_section("program_types",
688 "Scanning eBPF program types...",
689 "/*** eBPF program types ***/",
690 define_prefix);
691
692 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
693 probe_prog_type(i, supported_types, define_prefix, ifindex);
694
695 print_end_then_start_section("map_types",
696 "Scanning eBPF map types...",
697 "/*** eBPF map types ***/",
698 define_prefix);
699
700 for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
701 probe_map_type(i, define_prefix, ifindex);
702
703 print_end_then_start_section("helpers",
704 "Scanning eBPF helper functions...",
705 "/*** eBPF helper functions ***/",
706 define_prefix);
707
708 if (define_prefix)
709 printf("/*\n"
710 " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
711 " * to determine if <helper_name> is available for <prog_type_name>,\n"
712 " * e.g.\n"
713 " * #if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
714 " * // do stuff with this helper\n"
715 " * #elif\n"
716 " * // use a workaround\n"
717 " * #endif\n"
718 " */\n"
719 "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper) \\\n"
720 " %sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
721 define_prefix, define_prefix, define_prefix,
722 define_prefix);
723 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
724 probe_helpers_for_progtype(i, supported_types[i],
725 define_prefix, ifindex);
726
727exit_close_json:
728 if (json_output) {
729 /* End current "section" of probes */
730 jsonw_end_object(json_wtr);
731 /* End root object */
732 jsonw_end_object(json_wtr);
733 }
734
735 return 0;
736}
737
738static int do_help(int argc, char **argv)
739{
740 if (json_output) {
741 jsonw_null(json_wtr);
742 return 0;
743 }
744
745 fprintf(stderr,
746 "Usage: %s %s probe [COMPONENT] [macros [prefix PREFIX]]\n"
747 " %s %s help\n"
748 "\n"
749 " COMPONENT := { kernel | dev NAME }\n"
750 "",
751 bin_name, argv[-2], bin_name, argv[-2]);
752
753 return 0;
754}
755
756static const struct cmd cmds[] = {
757 { "probe", do_probe },
758 { "help", do_help },
759 { 0 }
760};
761
762int do_feature(int argc, char **argv)
763{
764 return cmd_select(cmds, argc, argv, do_help);
765}