Custom CO-RE BPF probe

Question

Opened this issue a year ago · 0 comments

Implement custom version of CO-RE BPF probe, following the same approach as for
the custom EBPF one. The proposed solution:

Restructure current kernel-modules/probe to contain two subdirectories,
ebpf and core_bpf for custom ebpf and core_bpf probes correspondingly.
Construct a cmake configuration, similar to that in Falco, to build
separate probes with modern_bpf dependencies.
For each captured syscall introduce one probe with two BPF progs
tp_btf/sys_{enter|exit}_syscall, similar to attached progs from Falco.
Teach the cmake configuration to assemble the final probe by picking up the
custom bits and the actual tail-called BPF program from the Falco build.
Verify it's limitations for other architectures.