Reputation: 61
Can I use eBPF to replace a kernel function?
Can I use eBPF to reimplement a kernel function and jump to the reimplemented function when the original function is called, skipping the original function altogether?
For example, there is a kernel function A:
void A()
{
xxx;
}
Can I use eBPF to reimplement function A as ebpf_A, so that when function A is called, ebpf_A is executed instead of A? So I can do some other things in ebpf_A.
If I can, how can I do it?
Upvotes: 2
Views: 292
Answers (1)
Reputation: 7968
As of writing this, it isn't possible to replace arbitrary functions. It is however possible to replace certain function pointers in structures, these have to be pre-designated to allow this.
To allow this a new program type was introduced called BPF_PROG_TYPE_STRUCT_OPS. The original patch set focused on allowing you to replace the default TCP Congestion Control. I believe that so far that is the only actual use-case for which this is enabled.
Upvotes: 1
Related Questions
- ebpf - use ringbuf and perfbuf depending on kernel version
- Can ebpf only use kprobe to monitor kernel functions?
- How can an ebpf program change kernel execution flow or call kernel functions?
- Does libbpf provide an API that allows user space to pass a value to kernel space?
- Can eBPF call dynamic libraries?
- How can I attached a BPF program to a kernel function via a kprobe?
- Compile ebpf _kern.c outside the kernel tree and link stand alone libbpf to _user.c
- ebpf: intercepting function calls
- Can I replace a Linux kernel function with a module?
- how to replace a static kernel function without modifying and precomiling linux kernel