Can eBPF modify the return value or parameters of a syscall?


Problem description

To simulate some behavior I would like to attach a probe to a syscall and modify the return value when certain parameters are passed. Alternatively, it would also be enough to modify the parameters of the function before they are processed.

Is this possible with BPF?

Recommended answer

I believe that attaching eBPF to kprobes/kretprobes gives you read access to function arguments and return values, but that you cannot tamper with them. I am NOT 100% sure; good places to ask for confirmation would be the IO Visor project mailing list or IRC channel (#iovisor at irc.oftc.net).

As an alternative solution, I know you can at least change the return value of a syscall with strace, with the -e option. Quoting the manual page:

-e inject=set[:error=errno|:retval=value][:signal=sig][:when=expr]
       Perform syscall tampering for the specified set of syscalls.

Also, there was a presentation on this, and fault injection, at FOSDEM 2017, if it is of any interest to you. Here is one example command from the slides:

strace -P precious.txt -efault=unlink:retval=0 unlink precious.txt

Edit: As stated by Ben, eBPF on kprobes and tracepoints is definitively read only, for tracing and monitoring use cases. I also got confirmation about this on IRC.
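
The `inject` syntax quoted in the answer, shown as an added example that is not part of the original answer: a small fault-injection harness that runs `rm` on a constructed scratch file under strace and reports whether the program believed the tampered result. It assumes Linux, permission to ptrace child processes, and a strace recent enough to support `inject=` and the `?` prefix; the `run_injected` helper and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Scratch files are constructed.
# Assumption: Linux, ptrace allowed, strace supporting "inject=" and "?name".

# run_injected ACTION
#   ACTION is the part after the syscall set, e.g. "retval=0" or "error=EACCES".
#   Prints: "<rm exit status> <present|gone> <number of injected calls>"
run_injected() {
    action=$1
    dir=$(mktemp -d) || return 2
    target="$dir/precious.txt"
    echo "constructed sample data" > "$target"

    # '?' tells strace to ignore a syscall name this architecture lacks
    # (aarch64 only has unlinkat; x86_64 has both unlink and unlinkat).
    calls='?unlink,?unlinkat'

    # The same set is traced and tampered with, so every injected call
    # also shows up in the log written by -o.
    status=0
    strace -o "$dir/trace.log" -e trace="$calls" -e inject="$calls:$action" \
        rm "$target" 2>/dev/null || status=$?

    if [ -e "$target" ]; then state=present; else state=gone; fi

    # strace marks each tampered call with "(INJECTED)" in its output.
    injected=$(grep -c 'INJECTED' "$dir/trace.log" 2>/dev/null || true)

    rm -rf "$dir"
    echo "$status $state ${injected:-0}"
}

# retval=0: the kernel never removes the file, yet rm is told it succeeded,
# so rm exits 0 while the file is still present.
run_injected retval=0

# error=EACCES: the call fails with "Permission denied"; a well-behaved
# program must notice, and rm does (non-zero exit status).
run_injected error=EACCES
```

A program under test that reports success in the second case is ignoring the syscall's error return, which is the kind of defect this form of fault injection is meant to surface.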
