1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (c) 2019 Netronome Systems, Inc. */
9 #include <sys/utsname.h>
12 #include <linux/filter.h>
13 #include <linux/limits.h>
20 #ifndef PROC_SUPER_MAGIC
21 # define PROC_SUPER_MAGIC 0x9fa0
24 enum probe_component {
30 #define BPF_HELPER_MAKE_ENTRY(name) [BPF_FUNC_ ## name] = "bpf_" # name
31 static const char * const helper_name[] = {
32 __BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
35 #undef BPF_HELPER_MAKE_ENTRY
37 /* Miscellaneous utility functions */
39 static bool check_procfs(void)
43 if (statfs("/proc", &st_fs) < 0)
45 if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
51 static void uppercase(char *str, size_t len)
55 for (i = 0; i < len && str[i] != '\0'; i++)
56 str[i] = toupper(str[i]);
59 /* Printing utility functions */
62 print_bool_feature(const char *feat_name, const char *plain_name,
63 const char *define_name, bool res, const char *define_prefix)
66 jsonw_bool_field(json_wtr, feat_name, res);
67 else if (define_prefix)
68 printf("#define %s%sHAVE_%s\n", define_prefix,
69 res ? "" : "NO_", define_name);
71 printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
74 static void print_kernel_option(const char *name, const char *value)
79 /* No support for C-style ouptut */
83 jsonw_null_field(json_wtr, name);
87 res = strtol(value, &endptr, 0);
88 if (!errno && *endptr == '\n')
89 jsonw_int_field(json_wtr, name, res);
91 jsonw_string_field(json_wtr, name, value);
94 printf("%s is set to %s\n", name, value);
96 printf("%s is not set\n", name);
101 print_start_section(const char *json_title, const char *plain_title,
102 const char *define_comment, const char *define_prefix)
105 jsonw_name(json_wtr, json_title);
106 jsonw_start_object(json_wtr);
107 } else if (define_prefix) {
108 printf("%s\n", define_comment);
110 printf("%s\n", plain_title);
115 print_end_then_start_section(const char *json_title, const char *plain_title,
116 const char *define_comment,
117 const char *define_prefix)
120 jsonw_end_object(json_wtr);
124 print_start_section(json_title, plain_title, define_comment,
128 /* Probing functions */
130 static int read_procfs(const char *path)
132 char *endptr, *line = NULL;
137 fd = fopen(path, "r");
141 res = getline(&line, &len, fd);
147 res = strtol(line, &endptr, 10);
148 if (errno || *line == '\0' || *endptr != '\n')
155 static void probe_unprivileged_disabled(void)
159 /* No support for C-style ouptut */
161 res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
163 jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
167 printf("bpf() syscall for unprivileged users is enabled\n");
170 printf("bpf() syscall restricted to privileged users\n");
173 printf("Unable to retrieve required privileges for bpf() syscall\n");
176 printf("bpf() syscall restriction has unknown value %d\n", res);
181 static void probe_jit_enable(void)
185 /* No support for C-style ouptut */
187 res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
189 jsonw_int_field(json_wtr, "bpf_jit_enable", res);
193 printf("JIT compiler is disabled\n");
196 printf("JIT compiler is enabled\n");
199 printf("JIT compiler is enabled with debugging traces in kernel logs\n");
202 printf("Unable to retrieve JIT-compiler status\n");
205 printf("JIT-compiler status has unknown value %d\n",
211 static void probe_jit_harden(void)
215 /* No support for C-style ouptut */
217 res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
219 jsonw_int_field(json_wtr, "bpf_jit_harden", res);
223 printf("JIT compiler hardening is disabled\n");
226 printf("JIT compiler hardening is enabled for unprivileged users\n");
229 printf("JIT compiler hardening is enabled for all users\n");
232 printf("Unable to retrieve JIT hardening status\n");
235 printf("JIT hardening status has unknown value %d\n",
241 static void probe_jit_kallsyms(void)
245 /* No support for C-style ouptut */
247 res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
249 jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
253 printf("JIT compiler kallsyms exports are disabled\n");
256 printf("JIT compiler kallsyms exports are enabled for root\n");
259 printf("Unable to retrieve JIT kallsyms export status\n");
262 printf("JIT kallsyms exports status has unknown value %d\n", res);
267 static void probe_jit_limit(void)
271 /* No support for C-style ouptut */
273 res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
275 jsonw_int_field(json_wtr, "bpf_jit_limit", res);
279 printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
282 printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
287 static char *get_kernel_config_option(FILE *fd, const char *option)
289 size_t line_n = 0, optlen = strlen(option);
290 char *res, *strval, *line = NULL;
294 while ((n = getline(&line, &line_n, fd)) > 0) {
295 if (strncmp(line, option, optlen))
297 /* Check we have at least '=', value, and '\n' */
298 if (strlen(line) < optlen + 3)
300 if (*(line + optlen) != '=')
303 /* Trim ending '\n' */
304 line[strlen(line) - 1] = '\0';
306 /* Copy and return config option value */
307 strval = line + optlen + 1;
308 res = strdup(strval);
317 static void probe_kernel_image_config(void)
319 static const char * const options[] = {
322 /* Enable bpf() syscall */
323 "CONFIG_BPF_SYSCALL",
324 /* Does selected architecture support eBPF JIT compiler */
325 "CONFIG_HAVE_EBPF_JIT",
326 /* Compile eBPF JIT compiler */
328 /* Avoid compiling eBPF interpreter (use JIT only) */
329 "CONFIG_BPF_JIT_ALWAYS_ON",
333 /* BPF programs attached to cgroups */
335 /* bpf_get_cgroup_classid() helper */
336 "CONFIG_CGROUP_NET_CLASSID",
337 /* bpf_skb_{,ancestor_}cgroup_id() helpers */
338 "CONFIG_SOCK_CGROUP_DATA",
340 /* Tracing: attach BPF to kprobes, tracepoints, etc. */
343 "CONFIG_KPROBE_EVENTS",
345 "CONFIG_UPROBE_EVENTS",
348 /* Syscall tracepoints */
349 "CONFIG_FTRACE_SYSCALLS",
350 /* bpf_override_return() helper support for selected arch */
351 "CONFIG_FUNCTION_ERROR_INJECTION",
352 /* bpf_override_return() helper */
353 "CONFIG_BPF_KPROBE_OVERRIDE",
358 "CONFIG_XDP_SOCKETS",
359 /* BPF_PROG_TYPE_LWT_* and related helpers */
360 "CONFIG_LWTUNNEL_BPF",
361 /* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
362 "CONFIG_NET_ACT_BPF",
363 /* BPF_PROG_TYPE_SCHED_CLS, TC filters */
364 "CONFIG_NET_CLS_BPF",
365 /* TC clsact qdisc */
366 "CONFIG_NET_CLS_ACT",
367 /* Ingress filtering with TC */
368 "CONFIG_NET_SCH_INGRESS",
369 /* bpf_skb_get_xfrm_state() helper */
371 /* bpf_get_route_realm() helper */
372 "CONFIG_IP_ROUTE_CLASSID",
373 /* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
374 "CONFIG_IPV6_SEG6_BPF",
375 /* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
376 "CONFIG_BPF_LIRC_MODE2",
377 /* BPF stream parser and BPF socket maps */
378 "CONFIG_BPF_STREAM_PARSER",
379 /* xt_bpf module for passing BPF programs to netfilter */
380 "CONFIG_NETFILTER_XT_MATCH_BPF",
381 /* bpfilter back-end for iptables */
383 /* bpftilter module with "user mode helper" */
384 "CONFIG_BPFILTER_UMH",
386 /* test_bpf module for BPF tests */
389 char *value, *buf = NULL;
399 snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
401 fd = fopen(path, "r");
402 if (!fd && errno == ENOENT) {
403 /* Some distributions put the config file at /proc/config, give
405 * Sometimes it is also at /proc/config.gz but we do not try
406 * this one for now, it would require linking against libz.
408 fd = fopen("/proc/config", "r");
411 p_info("skipping kernel config, can't open file: %s",
416 ret = getline(&buf, &n, fd);
417 ret = getline(&buf, &n, fd);
419 p_info("skipping kernel config, can't read from file: %s",
424 if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
425 p_info("skipping kernel config, can't find correct file");
431 for (i = 0; i < ARRAY_SIZE(options); i++) {
432 value = get_kernel_config_option(fd, options[i]);
433 print_kernel_option(options[i], value);
440 for (i = 0; i < ARRAY_SIZE(options); i++)
441 print_kernel_option(options[i], NULL);
444 static bool probe_bpf_syscall(const char *define_prefix)
448 bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
449 res = (errno != ENOSYS);
451 print_bool_feature("have_bpf_syscall",
460 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
461 const char *define_prefix, __u32 ifindex)
463 char feat_name[128], plain_desc[128], define_name[128];
464 const char *plain_comment = "eBPF program_type ";
469 /* Only test offload-able program types */
471 case BPF_PROG_TYPE_SCHED_CLS:
472 case BPF_PROG_TYPE_XDP:
478 res = bpf_probe_prog_type(prog_type, ifindex);
480 supported_types[prog_type] |= res;
482 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
483 if (strlen(prog_type_name[prog_type]) > maxlen) {
484 p_info("program type name too long");
488 sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
489 sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
490 uppercase(define_name, sizeof(define_name));
491 sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
492 print_bool_feature(feat_name, plain_desc, define_name, res,
497 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
500 char feat_name[128], plain_desc[128], define_name[128];
501 const char *plain_comment = "eBPF map_type ";
505 res = bpf_probe_map_type(map_type, ifindex);
507 maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
508 if (strlen(map_type_name[map_type]) > maxlen) {
509 p_info("map type name too long");
513 sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
514 sprintf(define_name, "%s_map_type", map_type_name[map_type]);
515 uppercase(define_name, sizeof(define_name));
516 sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
517 print_bool_feature(feat_name, plain_desc, define_name, res,
522 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
523 const char *define_prefix, __u32 ifindex)
525 const char *ptype_name = prog_type_name[prog_type];
531 /* Only test helpers for offload-able program types */
533 case BPF_PROG_TYPE_SCHED_CLS:
534 case BPF_PROG_TYPE_XDP:
541 sprintf(feat_name, "%s_available_helpers", ptype_name);
542 jsonw_name(json_wtr, feat_name);
543 jsonw_start_array(json_wtr);
544 } else if (!define_prefix) {
545 printf("eBPF helpers supported for program type %s:",
549 for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
553 res = bpf_probe_helper(id, prog_type, ifindex);
557 jsonw_string(json_wtr, helper_name[id]);
558 } else if (define_prefix) {
559 printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
560 define_prefix, ptype_name, helper_name[id],
564 printf("\n\t- %s", helper_name[id]);
569 jsonw_end_array(json_wtr);
570 else if (!define_prefix)
574 static int do_probe(int argc, char **argv)
576 enum probe_component target = COMPONENT_UNSPEC;
577 const char *define_prefix = NULL;
578 bool supported_types[128] = {};
583 /* Detection assumes user has sufficient privileges (CAP_SYS_ADMIN).
584 * Let's approximate, and restrict usage to root user only.
587 p_err("please run this command as root user");
594 if (is_prefix(*argv, "kernel")) {
595 if (target != COMPONENT_UNSPEC) {
596 p_err("component to probe already specified");
599 target = COMPONENT_KERNEL;
601 } else if (is_prefix(*argv, "dev")) {
604 if (target != COMPONENT_UNSPEC || ifindex) {
605 p_err("component to probe already specified");
611 target = COMPONENT_DEVICE;
613 ifindex = if_nametoindex(ifname);
615 p_err("unrecognized netdevice '%s': %s", ifname,
619 } else if (is_prefix(*argv, "macros") && !define_prefix) {
622 } else if (is_prefix(*argv, "prefix")) {
623 if (!define_prefix) {
624 p_err("'prefix' argument can only be use after 'macros'");
627 if (strcmp(define_prefix, "")) {
628 p_err("'prefix' already defined");
635 define_prefix = GET_ARG();
637 p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
644 define_prefix = NULL;
645 jsonw_start_object(json_wtr);
649 case COMPONENT_KERNEL:
650 case COMPONENT_UNSPEC:
654 print_start_section("system_config",
655 "Scanning system configuration...",
656 NULL, /* define_comment never used here */
657 NULL); /* define_prefix always NULL here */
658 if (check_procfs()) {
659 probe_unprivileged_disabled();
662 probe_jit_kallsyms();
665 p_info("/* procfs not mounted, skipping related probes */");
667 probe_kernel_image_config();
669 jsonw_end_object(json_wtr);
677 print_start_section("syscall_config",
678 "Scanning system call availability...",
679 "/*** System call availability ***/",
682 if (!probe_bpf_syscall(define_prefix))
683 /* bpf() syscall unavailable, don't probe other BPF features */
684 goto exit_close_json;
686 print_end_then_start_section("program_types",
687 "Scanning eBPF program types...",
688 "/*** eBPF program types ***/",
691 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
692 probe_prog_type(i, supported_types, define_prefix, ifindex);
694 print_end_then_start_section("map_types",
695 "Scanning eBPF map types...",
696 "/*** eBPF map types ***/",
699 for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
700 probe_map_type(i, define_prefix, ifindex);
702 print_end_then_start_section("helpers",
703 "Scanning eBPF helper functions...",
704 "/*** eBPF helper functions ***/",
709 " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
710 " * to determine if <helper_name> is available for <prog_type_name>,\n"
712 " * #if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
713 " * // do stuff with this helper\n"
715 " * // use a workaround\n"
718 "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper) \\\n"
719 " %sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
720 define_prefix, define_prefix, define_prefix,
722 for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
723 probe_helpers_for_progtype(i, supported_types[i],
724 define_prefix, ifindex);
728 /* End current "section" of probes */
729 jsonw_end_object(json_wtr);
730 /* End root object */
731 jsonw_end_object(json_wtr);
737 static int do_help(int argc, char **argv)
740 jsonw_null(json_wtr);
745 "Usage: %s %s probe [COMPONENT] [macros [prefix PREFIX]]\n"
748 " COMPONENT := { kernel | dev NAME }\n"
750 bin_name, argv[-2], bin_name, argv[-2]);
755 static const struct cmd cmds[] = {
756 { "probe", do_probe },
761 int do_feature(int argc, char **argv)
763 return cmd_select(cmds, argc, argv, do_help);