Can ebpf only use kprobe to monitor kernel functions?

413 Views Asked by ray At 04 April 2025 at 12:15

I want to monitor a Linux kernel function using ebpf. Now, I write code using bcc like this:

#!/usr/bin/python3
# coding=utf-8
from bcc import BPF
from time import sleep
# define BPF program

bpf_program = """

int test_func(void  *ctx) {
    bpf_trace_printk("hello");
    return 0;
}
"""

# load BPF

b = BPF(text=bpf_program)
b.attach_kprobe(event="__x64_sys_getpid", fn_name="test_func")

while 1:
    sleep(100)
    b.trace_print()

This works fine and I know it's implemented based on kprobe.

But I wonder if I can only use kprobe to monitor any kernel function in ebpf?

Original Q&A

There are 1 best solutions below

Dylan Reimerink On 17 November 2022 at 15:10

Mostly. Kprobes can attach to pretty much any function except for blacklisted functions.

Kprobes can probe most of the kernel except itself. This means that there are some functions where kprobes cannot probe. Probing (trapping) such functions can cause a recursive trap (e.g. double fault) or the nested probe handler may never be called. Kprobes manages such functions as a blacklist. If you want to add a function into the blacklist, you just need to (1) include linux/kprobes.h and (2) use NOKPROBE_SYMBOL() macro to specify a blacklisted function. Kprobes checks the given probe address against the blacklist and rejects registering it, if the given address is in the blacklist.

Can ebpf only use kprobe to monitor kernel functions?

There are 1 best solutions below

Related Questions in LINUX

Related Questions in KERNEL

Related Questions in EBPF

Related Questions in KPROBE

Trending Questions

Popular # Hahtags

Popular Questions