Program type BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE

v5.2

Raw tracepoint writable programs are similar to raw tracepoint programs, but they allow you to write to the given context.

Usage

This program type can be attached to tracepoints that were placed at specific locations in the kernel by the kernel developers. Unlike programs attached to non-writable tracepoints, these programs can write to the whole context or parts of the context. This essentially allows you to modify the kernel's behavior at runtime in a very specific way.

Writable raw tracepoint programs can only be attached to tracepoints which have been created with the DEFINE_EVENT_WRITABLE or DECLARE_TRACE_WRITABLE macros.

In practice there are very few such tracepoints; the only one as of kernel v6.14 is nbd_send_request.

Context

The context of this program type is an array of u64 values, each element representing an argument of the tracepoint. The program has to cast the elements to their proper type; libbpf provides the BPF_PROG macro to help with this.

The first element of the context is referred to as the "writable buffer"; it is a pointer to a value which is allowed to be modified. The verifier checks that you do not attempt to modify any other parts of the context or write outside the bounds of the writable buffer.

Attachment

Raw tracepoints can be attached in two ways: with a dedicated syscall, or with the more generic BPF link syscall.

Syscall

The dedicated syscall BPF_RAW_TRACEPOINT_OPEN can be used to attach the raw tracepoint. This requires the name field to be set to a string containing the name of the tracepoint to which the user wishes to attach. The prog_fd attribute field should be set to the file descriptor of the BPF program to attach.
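The attach call described above, written against the raw bpf() syscall. This is an added example, not code from the kernel or libbpf; the helper names raw_tp_fill_attr and raw_tp_attach are hypothetical, and the program is assumed to have been loaded already.

```c
#include <errno.h>
#include <linux/bpf.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill the attribute block for BPF_RAW_TRACEPOINT_OPEN.
 * Only the raw_tracepoint member is used; the rest of the union is zeroed. */
static void raw_tp_fill_attr(union bpf_attr *attr, const char *tp_name, int prog_fd)
{
    memset(attr, 0, sizeof(*attr));
    /* The name is passed as a user-space pointer stored in a u64 field. */
    attr->raw_tracepoint.name = (uint64_t)(uintptr_t)tp_name;
    attr->raw_tracepoint.prog_fd = (uint32_t)prog_fd;
}

/* Attach an already loaded program to the named tracepoint.
 * Returns a new fd that holds the attachment (closing it detaches),
 * or -errno on failure. */
static int raw_tp_attach(const char *tp_name, int prog_fd)
{
    union bpf_attr attr;
    long fd;

    if (!tp_name || prog_fd < 0)
        return -EINVAL;
    raw_tp_fill_attr(&attr, tp_name, prog_fd);
    fd = syscall(__NR_bpf, BPF_RAW_TRACEPOINT_OPEN, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
    /* prog_fd = -1 stands in for a real program fd, so this only exercises
     * the argument check; a real caller passes the fd from BPF_PROG_LOAD. */
    return raw_tp_attach("nbd_send_request", -1) == -EINVAL ? 0 : 1;
}
```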

Docs could be improved

This part of the docs is incomplete, contributions are very welcome

Example

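// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2020 Facebook */

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
/* struct bpf_testmod_test_writable_ctx comes from the bpf_testmod test module's header. */

/* Globals shared with user space: the observed input and the values to write back. */
int raw_tp_writable_bare_in_val = 0;
int raw_tp_writable_bare_early_ret = 0;
int raw_tp_writable_bare_out_val = 0;

SEC("raw_tp.w/bpf_testmod_test_writable_bare")
int BPF_PROG(handle_raw_tp_writable_bare,
         struct bpf_testmod_test_writable_ctx *writable)
{
    /* Record the current value, then overwrite fields inside the writable buffer. */
    raw_tp_writable_bare_in_val = writable->val;
    writable->early_ret = raw_tp_writable_bare_early_ret;
    writable->val = raw_tp_writable_bare_out_val;
    return 0;
}
char _license[] SEC("license") = "GPL";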

Helper functions

Not all helper functions are available in all program types. These are the helper calls available for raw tracepoint writable programs:

Supported helper functions

KFuncs

There are currently no kfuncs supported for this program type