#bpf

2025-12-02

Kernel-level monitoring in Linux. A brief practical introduction to eBPF+Cilium

Good day to everyone reading this article. Recently, while experimenting with eBPF to develop new functionality for my EDR for Linux servers, I ran into a huge problem: there is a huge body of articles online on the theory of working with eBPF, but I could not find any brief practical articles on how to work with BPF. To be more precise, such articles do exist, but they do not give an understanding of the functionality. In short, in this article I would like to write a brief guide to working with eBPF with an emphasis on practice.

habr.com/ru/articles/972602/

#eBPF #bpf #go #edr #разработка #мониторинг #трассировка #ядро #ядро_linux #linux

radare (radareorg@infosec.exchange)
2025-11-28

☀️The deeply detailed talk from ulexec and secoalba from @inversive_xyz about reverse engineering #Solana #eBPF binaries with #radare2 was built on top of several improvements for the elf bin parser and the architecture support for the 64bit #BPF.

All that stuff was also included in the last r2-6.0.6 release:

- esil emulation of bytecode
- pseudo decompilation
- AI-based disassembly
- bpf-specific elf relocs
- bpf-specific analysis plugin to extract strings
- document every bpf instruction
- support multiple "cpu" models
- binary patching and assembling BPF instructions

Cook some popcorn and take notes, because their presentation was really detailed! Worth watching!
🎥 youtube.com/watch?v=IAt-HgKPN88

cryptax
2025-11-25

I'm at Cyb'Air today and my slides are on GitHub.com/cryptax/talks.

It was about the 2025 variants of Linux/Symbiote and BPFDoor, with some new developments in the BPF filter such as IPv6 support.

The samples are analyzed with r2, r2ai, r2mcp and mcpico.

N-gated Hacker News (ngate)
2025-10-17

Wow, riveting stuff: a bunch of geeks decided it's finally time for a makeover with support. They gathered at the 2025 GNU Tools to talk shop—because nothing screams like a cauldron and a horde of 🧙🔧. Who knew could be this exciting? 🌟
lwn.net/Articles/1039827/

Thorsten Leemhuis (acct. 1/4) (kernellogger@hachyderm.io)
2025-09-24

Support for signing #BPF programs has hit #Linux-next and thus is slated for inclusion in #kernel 6.18:

git.kernel.org/pub/scm/linux/k

Quote from that merge commit: "BPF Signing has gone over multiple discussions in various conferences with the kernel and BPF community and the following patch series is a culmination of the current of discussion and signed BPF programs. […]

Signing also paves the way for allowing unprivileged users to load vetted BPF programs and helps in adhering to the principle of least privilege […]"

See also the recent @lwn article "Possible paths for signing BPF programs": lwn.net/Articles/1031854/

#LinuxKernel

2025-09-11

You could also use #bpf instead of #strace, albeit modern strace uses bpf if told so:

How to use the new Docker Seccomp profiles blog.jessfraz.com/post/how-to-

Rod2ik 🇪🇺 🇨🇵 🇪🇸 🇺🇦 🇨🇦 🇩🇰 🇬🇱 ☮🕊️ (rod2ik)
2025-08-19

Google engineer Roman Gushchin has proposed the ability for the Linux kernel to customize the out-of-memory "OOM" behavior using BPF programs.

phoronix.com/news/Linux-OOM-BP

Rod2ik 🇪🇺 🇨🇵 🇪🇸 🇺🇦 🇨🇦 🇩🇰 🇬🇱 ☮🕊️ (rod2ik.bsky.social@bsky.brid.gy)
2025-08-19

#Google #engineer Roman #Gushchin has proposed the ability for the #Linux #kernel to customize the out-of-memory " #OOM" behavior using #BPF programs. www.phoronix.com/news/Linux-O...


2025-07-31

It's been too long since the last ebpf_exporter release, so I cut v2.5.0 today.

github.com/cloudflare/ebpf_exp

#ebpf_exporter #ebpf #bpf #linux #kernel

2025-07-14
A 🆕 TCP-in-UDP tool is available, using eBPF 🐝 to translate TCP packets into UDP 🚇 to avoid middleboxes interfering with some TCP extensions like MPTCP 🔀.

Blog post: https://blog.mptcp.dev/2025/07/14/TCP-in-UDP.html

Code and instructions: https://github.com/multipath-tcp/tcp-in-udp

#eBPF #BPF #TCP #MPTCP
Thorsten Leemhuis (acct. 1/4) (kernellogger@hachyderm.io)
2025-06-24

"Today we are marking the celebration of Alan #Turing's 113th birthday by implementing the #Enigma machine in #eBPF. The Enigma machine was not developed by Turing himself, but it was the machine he famously broke during World War II."

isovalent.com/blog/post/breaki

#Linux #LinuxKernel #kernel #bpf

2025-05-26

Before wiping the pre-installed #Windows 11 Pro on my new Beelink mini PC, I tested #WSL2 with #Fedora #Linux. I compiled my pet project, I/O Riot NG (ior), which requires many system libraries, including #BPF. I’m impressed—everything works just like on native Fedora, and my tool runs and traces I/O syscalls with BPF out of the box. I might now prefer Windows over macOS if I had to choose between those two for work.

codeberg.org/snonux/ior

2025-05-23

@blainsmith

> One generally would not write BPF-C to filter traffic on their laptop and trade the performance of BPF for the ease of use of iptables and nftables.

I mean, you could, if there was a reasonably easy-to-use firewall language with a compiler that generates suitable #BPF. There's no natural law that says the source language for BPF must be C.

And it would be nice if the #Linux kernel had only one firewall system and not three.

GripNews
2025-05-23

🌘 A faster firewall: bpfilter
➤ Powered by BPF, building a higher-performance network packet filter
lwn.net/Articles/1017705/
bpfilter is an emerging project that aims to improve iptables performance by translating filter rules into BPF programs. It combines the ease of use of nftables with the performance of BPF, and implements packet filtering through three components: a daemon, a library and a CLI. bpfilter currently supports filtering on IPv4 addresses and protocol fields via the iptables front end, and support for nftables is under development.
+ "This project looks very promising; if it can fully support nftables, it will be a great tool for network administrators!"
+ "BPF is indeed very powerful, but the learning curve is rather steep; I hope bpfilter can lower the barrier to entry."
