tools/bpf/bpftool/feature.c

   1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
   2 /* Copyright (c) 2019 Netronome Systems, Inc. */
   3
   4 #include <ctype.h>
   5 #include <errno.h>
   6 #include <string.h>
   7 #include <unistd.h>
   8 #include <net/if.h>
   9 #ifdef USE_LIBCAP
  10 #include <sys/capability.h>
  11 #endif
  12 #include <sys/utsname.h>
  13 #include <sys/vfs.h>
  14
  15 #include <linux/filter.h>
  16 #include <linux/limits.h>
  17
  18 #include <bpf/bpf.h>
  19 #include <bpf/libbpf.h>
  20 #include <zlib.h>
  21
  22 #include "main.h"
  23
  24 #ifndef PROC_SUPER_MAGIC
  25 # define PROC_SUPER_MAGIC       0x9fa0
  26 #endif
  27
  28 enum probe_component {
  29         COMPONENT_UNSPEC,
  30         COMPONENT_KERNEL,
  31         COMPONENT_DEVICE,
  32 };
  33
  34 #define BPF_HELPER_MAKE_ENTRY(name)     [BPF_FUNC_ ## name] = "bpf_" # name
  35 static const char * const helper_name[] = {
  36         __BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
  37 };
  38
  39 #undef BPF_HELPER_MAKE_ENTRY
  40
  41 static bool full_mode;
  42 #ifdef USE_LIBCAP
  43 static bool run_as_unprivileged;
  44 #endif
  45
  46 /* Miscellaneous utility functions */
  47
  48 static bool check_procfs(void)
  49 {
  50         struct statfs st_fs;
  51
  52         if (statfs("/proc", &st_fs) < 0)
  53                 return false;
  54         if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
  55                 return false;
  56
  57         return true;
  58 }
  59
  60 static void uppercase(char *str, size_t len)
  61 {
  62         size_t i;
  63
  64         for (i = 0; i < len && str[i] != '\0'; i++)
  65                 str[i] = toupper(str[i]);
  66 }
  67
  68 /* Printing utility functions */
  69
  70 static void
  71 print_bool_feature(const char *feat_name, const char *plain_name,
  72                    const char *define_name, bool res, const char *define_prefix)
  73 {
  74         if (json_output)
  75                 jsonw_bool_field(json_wtr, feat_name, res);
  76         else if (define_prefix)
  77                 printf("#define %s%sHAVE_%s\n", define_prefix,
  78                        res ? "" : "NO_", define_name);
  79         else
  80                 printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
  81 }
  82
  83 static void print_kernel_option(const char *name, const char *value,
  84                                 const char *define_prefix)
  85 {
  86         char *endptr;
  87         int res;
  88
  89         if (json_output) {
  90                 if (!value) {
  91                         jsonw_null_field(json_wtr, name);
  92                         return;
  93                 }
  94                 errno = 0;
  95                 res = strtol(value, &endptr, 0);
  96                 if (!errno && *endptr == '\n')
  97                         jsonw_int_field(json_wtr, name, res);
  98                 else
  99                         jsonw_string_field(json_wtr, name, value);
 100         } else if (define_prefix) {
 101                 if (value)
 102                         printf("#define %s%s %s\n", define_prefix,
 103                                name, value);
 104                 else
 105                         printf("/* %s%s is not set */\n", define_prefix, name);
 106         } else {
 107                 if (value)
 108                         printf("%s is set to %s\n", name, value);
 109                 else
 110                         printf("%s is not set\n", name);
 111         }
 112 }
 113
 114 static void
 115 print_start_section(const char *json_title, const char *plain_title,
 116                     const char *define_comment, const char *define_prefix)
 117 {
 118         if (json_output) {
 119                 jsonw_name(json_wtr, json_title);
 120                 jsonw_start_object(json_wtr);
 121         } else if (define_prefix) {
 122                 printf("%s\n", define_comment);
 123         } else {
 124                 printf("%s\n", plain_title);
 125         }
 126 }
 127
 128 static void print_end_section(void)
 129 {
 130         if (json_output)
 131                 jsonw_end_object(json_wtr);
 132         else
 133                 printf("\n");
 134 }
 135
 136 /* Probing functions */
 137
 138 static int read_procfs(const char *path)
 139 {
 140         char *endptr, *line = NULL;
 141         size_t len = 0;
 142         FILE *fd;
 143         int res;
 144
 145         fd = fopen(path, "r");
 146         if (!fd)
 147                 return -1;
 148
 149         res = getline(&line, &len, fd);
 150         fclose(fd);
 151         if (res < 0)
 152                 return -1;
 153
 154         errno = 0;
 155         res = strtol(line, &endptr, 10);
 156         if (errno || *line == '\0' || *endptr != '\n')
 157                 res = -1;
 158         free(line);
 159
 160         return res;
 161 }
 162
 163 static void probe_unprivileged_disabled(void)
 164 {
 165         int res;
 166
 167         /* No support for C-style ouptut */
 168
 169         res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
 170         if (json_output) {
 171                 jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
 172         } else {
 173                 switch (res) {
 174                 case 0:
 175                         printf("bpf() syscall for unprivileged users is enabled\n");
 176                         break;
 177                 case 1:
 178                         printf("bpf() syscall restricted to privileged users\n");
 179                         break;
 180                 case -1:
 181                         printf("Unable to retrieve required privileges for bpf() syscall\n");
 182                         break;
 183                 default:
 184                         printf("bpf() syscall restriction has unknown value %d\n", res);
 185                 }
 186         }
 187 }
 188
 189 static void probe_jit_enable(void)
 190 {
 191         int res;
 192
 193         /* No support for C-style ouptut */
 194
 195         res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
 196         if (json_output) {
 197                 jsonw_int_field(json_wtr, "bpf_jit_enable", res);
 198         } else {
 199                 switch (res) {
 200                 case 0:
 201                         printf("JIT compiler is disabled\n");
 202                         break;
 203                 case 1:
 204                         printf("JIT compiler is enabled\n");
 205                         break;
 206                 case 2:
 207                         printf("JIT compiler is enabled with debugging traces in kernel logs\n");
 208                         break;
 209                 case -1:
 210                         printf("Unable to retrieve JIT-compiler status\n");
 211                         break;
 212                 default:
 213                         printf("JIT-compiler status has unknown value %d\n",
 214                                res);
 215                 }
 216         }
 217 }
 218
 219 static void probe_jit_harden(void)
 220 {
 221         int res;
 222
 223         /* No support for C-style ouptut */
 224
 225         res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
 226         if (json_output) {
 227                 jsonw_int_field(json_wtr, "bpf_jit_harden", res);
 228         } else {
 229                 switch (res) {
 230                 case 0:
 231                         printf("JIT compiler hardening is disabled\n");
 232                         break;
 233                 case 1:
 234                         printf("JIT compiler hardening is enabled for unprivileged users\n");
 235                         break;
 236                 case 2:
 237                         printf("JIT compiler hardening is enabled for all users\n");
 238                         break;
 239                 case -1:
 240                         printf("Unable to retrieve JIT hardening status\n");
 241                         break;
 242                 default:
 243                         printf("JIT hardening status has unknown value %d\n",
 244                                res);
 245                 }
 246         }
 247 }
 248
 249 static void probe_jit_kallsyms(void)
 250 {
 251         int res;
 252
 253         /* No support for C-style ouptut */
 254
 255         res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
 256         if (json_output) {
 257                 jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
 258         } else {
 259                 switch (res) {
 260                 case 0:
 261                         printf("JIT compiler kallsyms exports are disabled\n");
 262                         break;
 263                 case 1:
 264                         printf("JIT compiler kallsyms exports are enabled for root\n");
 265                         break;
 266                 case -1:
 267                         printf("Unable to retrieve JIT kallsyms export status\n");
 268                         break;
 269                 default:
 270                         printf("JIT kallsyms exports status has unknown value %d\n", res);
 271                 }
 272         }
 273 }
 274
 275 static void probe_jit_limit(void)
 276 {
 277         int res;
 278
 279         /* No support for C-style ouptut */
 280
 281         res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
 282         if (json_output) {
 283                 jsonw_int_field(json_wtr, "bpf_jit_limit", res);
 284         } else {
 285                 switch (res) {
 286                 case -1:
 287                         printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
 288                         break;
 289                 default:
 290                         printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
 291                 }
 292         }
 293 }
 294
 295 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
 296                                            char **value)
 297 {
 298         char *sep;
 299
 300         while (gzgets(file, buf, n)) {
 301                 if (strncmp(buf, "CONFIG_", 7))
 302                         continue;
 303
 304                 sep = strchr(buf, '=');
 305                 if (!sep)
 306                         continue;
 307
 308                 /* Trim ending '\n' */
 309                 buf[strlen(buf) - 1] = '\0';
 310
 311                 /* Split on '=' and ensure that a value is present. */
 312                 *sep = '\0';
 313                 if (!sep[1])
 314                         continue;
 315
 316                 *value = sep + 1;
 317                 return true;
 318         }
 319
 320         return false;
 321 }
 322
 323 static void probe_kernel_image_config(const char *define_prefix)
 324 {
 325         static const struct {
 326                 const char * const name;
 327                 bool macro_dump;
 328         } options[] = {
 329                 /* Enable BPF */
 330                 { "CONFIG_BPF", },
 331                 /* Enable bpf() syscall */
 332                 { "CONFIG_BPF_SYSCALL", },
 333                 /* Does selected architecture support eBPF JIT compiler */
 334                 { "CONFIG_HAVE_EBPF_JIT", },
 335                 /* Compile eBPF JIT compiler */
 336                 { "CONFIG_BPF_JIT", },
 337                 /* Avoid compiling eBPF interpreter (use JIT only) */
 338                 { "CONFIG_BPF_JIT_ALWAYS_ON", },
 339                 /* Kernel BTF debug information available */
 340                 { "CONFIG_DEBUG_INFO_BTF", },
 341                 /* Kernel module BTF debug information available */
 342                 { "CONFIG_DEBUG_INFO_BTF_MODULES", },
 343
 344                 /* cgroups */
 345                 { "CONFIG_CGROUPS", },
 346                 /* BPF programs attached to cgroups */
 347                 { "CONFIG_CGROUP_BPF", },
 348                 /* bpf_get_cgroup_classid() helper */
 349                 { "CONFIG_CGROUP_NET_CLASSID", },
 350                 /* bpf_skb_{,ancestor_}cgroup_id() helpers */
 351                 { "CONFIG_SOCK_CGROUP_DATA", },
 352
 353                 /* Tracing: attach BPF to kprobes, tracepoints, etc. */
 354                 { "CONFIG_BPF_EVENTS", },
 355                 /* Kprobes */
 356                 { "CONFIG_KPROBE_EVENTS", },
 357                 /* Uprobes */
 358                 { "CONFIG_UPROBE_EVENTS", },
 359                 /* Tracepoints */
 360                 { "CONFIG_TRACING", },
 361                 /* Syscall tracepoints */
 362                 { "CONFIG_FTRACE_SYSCALLS", },
 363                 /* bpf_override_return() helper support for selected arch */
 364                 { "CONFIG_FUNCTION_ERROR_INJECTION", },
 365                 /* bpf_override_return() helper */
 366                 { "CONFIG_BPF_KPROBE_OVERRIDE", },
 367
 368                 /* Network */
 369                 { "CONFIG_NET", },
 370                 /* AF_XDP sockets */
 371                 { "CONFIG_XDP_SOCKETS", },
 372                 /* BPF_PROG_TYPE_LWT_* and related helpers */
 373                 { "CONFIG_LWTUNNEL_BPF", },
 374                 /* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
 375                 { "CONFIG_NET_ACT_BPF", },
 376                 /* BPF_PROG_TYPE_SCHED_CLS, TC filters */
 377                 { "CONFIG_NET_CLS_BPF", },
 378                 /* TC clsact qdisc */
 379                 { "CONFIG_NET_CLS_ACT", },
 380                 /* Ingress filtering with TC */
 381                 { "CONFIG_NET_SCH_INGRESS", },
 382                 /* bpf_skb_get_xfrm_state() helper */
 383                 { "CONFIG_XFRM", },
 384                 /* bpf_get_route_realm() helper */
 385                 { "CONFIG_IP_ROUTE_CLASSID", },
 386                 /* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
 387                 { "CONFIG_IPV6_SEG6_BPF", },
 388                 /* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
 389                 { "CONFIG_BPF_LIRC_MODE2", },
 390                 /* BPF stream parser and BPF socket maps */
 391                 { "CONFIG_BPF_STREAM_PARSER", },
 392                 /* xt_bpf module for passing BPF programs to netfilter  */
 393                 { "CONFIG_NETFILTER_XT_MATCH_BPF", },
 394                 /* bpfilter back-end for iptables */
 395                 { "CONFIG_BPFILTER", },
 396                 /* bpftilter module with "user mode helper" */
 397                 { "CONFIG_BPFILTER_UMH", },
 398
 399                 /* test_bpf module for BPF tests */
 400                 { "CONFIG_TEST_BPF", },
 401
 402                 /* Misc configs useful in BPF C programs */
 403                 /* jiffies <-> sec conversion for bpf_jiffies64() helper */
 404                 { "CONFIG_HZ", true, }
 405         };
 406         char *values[ARRAY_SIZE(options)] = { };
 407         struct utsname utsn;
 408         char path[PATH_MAX];
 409         gzFile file = NULL;
 410         char buf[4096];
 411         char *value;
 412         size_t i;
 413
 414         if (!uname(&utsn)) {
 415                 snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
 416
 417                 /* gzopen also accepts uncompressed files. */
 418                 file = gzopen(path, "r");
 419         }
 420
 421         if (!file) {
 422                 /* Some distributions build with CONFIG_IKCONFIG=y and put the
 423                  * config file at /proc/config.gz.
 424                  */
 425                 file = gzopen("/proc/config.gz", "r");
 426         }
 427         if (!file) {
 428                 p_info("skipping kernel config, can't open file: %s",
 429                        strerror(errno));
 430                 goto end_parse;
 431         }
 432         /* Sanity checks */
 433         if (!gzgets(file, buf, sizeof(buf)) ||
 434             !gzgets(file, buf, sizeof(buf))) {
 435                 p_info("skipping kernel config, can't read from file: %s",
 436                        strerror(errno));
 437                 goto end_parse;
 438         }
 439         if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
 440                 p_info("skipping kernel config, can't find correct file");
 441                 goto end_parse;
 442         }
 443
 444         while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
 445                 for (i = 0; i < ARRAY_SIZE(options); i++) {
 446                         if ((define_prefix && !options[i].macro_dump) ||
 447                             values[i] || strcmp(buf, options[i].name))
 448                                 continue;
 449
 450                         values[i] = strdup(value);
 451                 }
 452         }
 453
 454 end_parse:
 455         if (file)
 456                 gzclose(file);
 457
 458         for (i = 0; i < ARRAY_SIZE(options); i++) {
 459                 if (define_prefix && !options[i].macro_dump)
 460                         continue;
 461                 print_kernel_option(options[i].name, values[i], define_prefix);
 462                 free(values[i]);
 463         }
 464 }
 465
 466 static bool probe_bpf_syscall(const char *define_prefix)
 467 {
 468         bool res;
 469
 470         bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
 471         res = (errno != ENOSYS);
 472
 473         print_bool_feature("have_bpf_syscall",
 474                            "bpf() syscall",
 475                            "BPF_SYSCALL",
 476                            res, define_prefix);
 477
 478         return res;
 479 }
 480
 481 static void
 482 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
 483                 const char *define_prefix, __u32 ifindex)
 484 {
 485         char feat_name[128], plain_desc[128], define_name[128];
 486         const char *plain_comment = "eBPF program_type ";
 487         size_t maxlen;
 488         bool res;
 489
 490         if (ifindex)
 491                 /* Only test offload-able program types */
 492                 switch (prog_type) {
 493                 case BPF_PROG_TYPE_SCHED_CLS:
 494                 case BPF_PROG_TYPE_XDP:
 495                         break;
 496                 default:
 497                         return;
 498                 }
 499
 500         res = bpf_probe_prog_type(prog_type, ifindex);
 501 #ifdef USE_LIBCAP
 502         /* Probe may succeed even if program load fails, for unprivileged users
 503          * check that we did not fail because of insufficient permissions
 504          */
 505         if (run_as_unprivileged && errno == EPERM)
 506                 res = false;
 507 #endif
 508
 509         supported_types[prog_type] |= res;
 510
 511         if (!prog_type_name[prog_type]) {
 512                 p_info("program type name not found (type %d)", prog_type);
 513                 return;
 514         }
 515         maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
 516         if (strlen(prog_type_name[prog_type]) > maxlen) {
 517                 p_info("program type name too long");
 518                 return;
 519         }
 520
 521         sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
 522         sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
 523         uppercase(define_name, sizeof(define_name));
 524         sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
 525         print_bool_feature(feat_name, plain_desc, define_name, res,
 526                            define_prefix);
 527 }
 528
 529 static void
 530 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
 531                __u32 ifindex)
 532 {
 533         char feat_name[128], plain_desc[128], define_name[128];
 534         const char *plain_comment = "eBPF map_type ";
 535         size_t maxlen;
 536         bool res;
 537
 538         res = bpf_probe_map_type(map_type, ifindex);
 539
 540         /* Probe result depends on the success of map creation, no additional
 541          * check required for unprivileged users
 542          */
 543
 544         if (!map_type_name[map_type]) {
 545                 p_info("map type name not found (type %d)", map_type);
 546                 return;
 547         }
 548         maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
 549         if (strlen(map_type_name[map_type]) > maxlen) {
 550                 p_info("map type name too long");
 551                 return;
 552         }
 553
 554         sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
 555         sprintf(define_name, "%s_map_type", map_type_name[map_type]);
 556         uppercase(define_name, sizeof(define_name));
 557         sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
 558         print_bool_feature(feat_name, plain_desc, define_name, res,
 559                            define_prefix);
 560 }
 561
 562 static void
 563 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
 564                           const char *define_prefix, unsigned int id,
 565                           const char *ptype_name, __u32 ifindex)
 566 {
 567         bool res = false;
 568
 569         if (supported_type) {
 570                 res = bpf_probe_helper(id, prog_type, ifindex);
 571 #ifdef USE_LIBCAP
 572                 /* Probe may succeed even if program load fails, for
 573                  * unprivileged users check that we did not fail because of
 574                  * insufficient permissions
 575                  */
 576                 if (run_as_unprivileged && errno == EPERM)
 577                         res = false;
 578 #endif
 579         }
 580
 581         if (json_output) {
 582                 if (res)
 583                         jsonw_string(json_wtr, helper_name[id]);
 584         } else if (define_prefix) {
 585                 printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
 586                        define_prefix, ptype_name, helper_name[id],
 587                        res ? "1" : "0");
 588         } else {
 589                 if (res)
 590                         printf("\n\t- %s", helper_name[id]);
 591         }
 592 }
 593
 594 static void
 595 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
 596                            const char *define_prefix, __u32 ifindex)
 597 {
 598         const char *ptype_name = prog_type_name[prog_type];
 599         char feat_name[128];
 600         unsigned int id;
 601
 602         if (ifindex)
 603                 /* Only test helpers for offload-able program types */
 604                 switch (prog_type) {
 605                 case BPF_PROG_TYPE_SCHED_CLS:
 606                 case BPF_PROG_TYPE_XDP:
 607                         break;
 608                 default:
 609                         return;
 610                 }
 611
 612         if (json_output) {
 613                 sprintf(feat_name, "%s_available_helpers", ptype_name);
 614                 jsonw_name(json_wtr, feat_name);
 615                 jsonw_start_array(json_wtr);
 616         } else if (!define_prefix) {
 617                 printf("eBPF helpers supported for program type %s:",
 618                        ptype_name);
 619         }
 620
 621         for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
 622                 /* Skip helper functions which emit dmesg messages when not in
 623                  * the full mode.
 624                  */
 625                 switch (id) {
 626                 case BPF_FUNC_trace_printk:
 627                 case BPF_FUNC_trace_vprintk:
 628                 case BPF_FUNC_probe_write_user:
 629                         if (!full_mode)
 630                                 continue;
 631                         /* fallthrough */
 632                 default:
 633                         probe_helper_for_progtype(prog_type, supported_type,
 634                                                   define_prefix, id, ptype_name,
 635                                                   ifindex);
 636                 }
 637         }
 638
 639         if (json_output)
 640                 jsonw_end_array(json_wtr);
 641         else if (!define_prefix)
 642                 printf("\n");
 643 }
 644
 645 static void
 646 probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
 647 {
 648         bool res;
 649
 650         res = bpf_probe_large_insn_limit(ifindex);
 651         print_bool_feature("have_large_insn_limit",
 652                            "Large program size limit",
 653                            "LARGE_INSN_LIMIT",
 654                            res, define_prefix);
 655 }
 656
 657 static void
 658 section_system_config(enum probe_component target, const char *define_prefix)
 659 {
 660         switch (target) {
 661         case COMPONENT_KERNEL:
 662         case COMPONENT_UNSPEC:
 663                 print_start_section("system_config",
 664                                     "Scanning system configuration...",
 665                                     "/*** Misc kernel config items ***/",
 666                                     define_prefix);
 667                 if (!define_prefix) {
 668                         if (check_procfs()) {
 669                                 probe_unprivileged_disabled();
 670                                 probe_jit_enable();
 671                                 probe_jit_harden();
 672                                 probe_jit_kallsyms();
 673                                 probe_jit_limit();
 674                         } else {
 675                                 p_info("/* procfs not mounted, skipping related probes */");
 676                         }
 677                 }
 678                 probe_kernel_image_config(define_prefix);
 679                 print_end_section();
 680                 break;
 681         default:
 682                 break;
 683         }
 684 }
 685
 686 static bool section_syscall_config(const char *define_prefix)
 687 {
 688         bool res;
 689
 690         print_start_section("syscall_config",
 691                             "Scanning system call availability...",
 692                             "/*** System call availability ***/",
 693                             define_prefix);
 694         res = probe_bpf_syscall(define_prefix);
 695         print_end_section();
 696
 697         return res;
 698 }
 699
 700 static void
 701 section_program_types(bool *supported_types, const char *define_prefix,
 702                       __u32 ifindex)
 703 {
 704         unsigned int i;
 705
 706         print_start_section("program_types",
 707                             "Scanning eBPF program types...",
 708                             "/*** eBPF program types ***/",
 709                             define_prefix);
 710
 711         for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
 712                 probe_prog_type(i, supported_types, define_prefix, ifindex);
 713
 714         print_end_section();
 715 }
 716
 717 static void section_map_types(const char *define_prefix, __u32 ifindex)
 718 {
 719         unsigned int i;
 720
 721         print_start_section("map_types",
 722                             "Scanning eBPF map types...",
 723                             "/*** eBPF map types ***/",
 724                             define_prefix);
 725
 726         for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
 727                 probe_map_type(i, define_prefix, ifindex);
 728
 729         print_end_section();
 730 }
 731
 732 static void
 733 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
 734 {
 735         unsigned int i;
 736
 737         print_start_section("helpers",
 738                             "Scanning eBPF helper functions...",
 739                             "/*** eBPF helper functions ***/",
 740                             define_prefix);
 741
 742         if (define_prefix)
 743                 printf("/*\n"
 744                        " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
 745                        " * to determine if <helper_name> is available for <prog_type_name>,\n"
 746                        " * e.g.\n"
 747                        " *      #if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
 748                        " *              // do stuff with this helper\n"
 749                        " *      #elif\n"
 750                        " *              // use a workaround\n"
 751                        " *      #endif\n"
 752                        " */\n"
 753                        "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper)      \\\n"
 754                        "        %sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
 755                        define_prefix, define_prefix, define_prefix,
 756                        define_prefix);
 757         for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
 758                 probe_helpers_for_progtype(i, supported_types[i], define_prefix,
 759                                            ifindex);
 760
 761         print_end_section();
 762 }
 763
 764 static void section_misc(const char *define_prefix, __u32 ifindex)
 765 {
 766         print_start_section("misc",
 767                             "Scanning miscellaneous eBPF features...",
 768                             "/*** eBPF misc features ***/",
 769                             define_prefix);
 770         probe_large_insn_limit(define_prefix, ifindex);
 771         print_end_section();
 772 }
 773
 774 #ifdef USE_LIBCAP
 775 #define capability(c) { c, false, #c }
 776 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
 777 #endif
 778
 779 static int handle_perms(void)
 780 {
 781 #ifdef USE_LIBCAP
 782         struct {
 783                 cap_value_t cap;
 784                 bool set;
 785                 char name[14];  /* strlen("CAP_SYS_ADMIN") */
 786         } bpf_caps[] = {
 787                 capability(CAP_SYS_ADMIN),
 788 #ifdef CAP_BPF
 789                 capability(CAP_BPF),
 790                 capability(CAP_NET_ADMIN),
 791                 capability(CAP_PERFMON),
 792 #endif
 793         };
 794         cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
 795         unsigned int i, nb_bpf_caps = 0;
 796         bool cap_sys_admin_only = true;
 797         cap_flag_value_t val;
 798         int res = -1;
 799         cap_t caps;
 800
 801         caps = cap_get_proc();
 802         if (!caps) {
 803                 p_err("failed to get capabilities for process: %s",
 804                       strerror(errno));
 805                 return -1;
 806         }
 807
 808 #ifdef CAP_BPF
 809         if (CAP_IS_SUPPORTED(CAP_BPF))
 810                 cap_sys_admin_only = false;
 811 #endif
 812
 813         for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
 814                 const char *cap_name = bpf_caps[i].name;
 815                 cap_value_t cap = bpf_caps[i].cap;
 816
 817                 if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
 818                         p_err("bug: failed to retrieve %s status: %s", cap_name,
 819                               strerror(errno));
 820                         goto exit_free;
 821                 }
 822
 823                 if (val == CAP_SET) {
 824                         bpf_caps[i].set = true;
 825                         cap_list[nb_bpf_caps++] = cap;
 826                 }
 827
 828                 if (cap_sys_admin_only)
 829                         /* System does not know about CAP_BPF, meaning that
 830                          * CAP_SYS_ADMIN is the only capability required. We
 831                          * just checked it, break.
 832                          */
 833                         break;
 834         }
 835
 836         if ((run_as_unprivileged && !nb_bpf_caps) ||
 837             (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
 838             (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
 839                 /* We are all good, exit now */
 840                 res = 0;
 841                 goto exit_free;
 842         }
 843
 844         if (!run_as_unprivileged) {
 845                 if (cap_sys_admin_only)
 846                         p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
 847                               bpf_caps[0].name);
 848                 else
 849                         p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
 850                               capability_msg(bpf_caps, 0),
 851 #ifdef CAP_BPF
 852                               capability_msg(bpf_caps, 1),
 853                               capability_msg(bpf_caps, 2),
 854                               capability_msg(bpf_caps, 3)
 855 #else
 856                                 "", "", "", "", "", ""
 857 #endif /* CAP_BPF */
 858                                 );
 859                 goto exit_free;
 860         }
 861
 862         /* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
 863         if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
 864                          CAP_CLEAR)) {
 865                 p_err("bug: failed to clear capabilities: %s", strerror(errno));
 866                 goto exit_free;
 867         }
 868
 869         if (cap_set_proc(caps)) {
 870                 p_err("failed to drop capabilities: %s", strerror(errno));
 871                 goto exit_free;
 872         }
 873
 874         res = 0;
 875
 876 exit_free:
 877         if (cap_free(caps) && !res) {
 878                 p_err("failed to clear storage object for capabilities: %s",
 879                       strerror(errno));
 880                 res = -1;
 881         }
 882
 883         return res;
 884 #else
 885         /* Detection assumes user has specific privileges.
 886          * We do not use libpcap so let's approximate, and restrict usage to
 887          * root user only.
 888          */
 889         if (geteuid()) {
 890                 p_err("full feature probing requires root privileges");
 891                 return -1;
 892         }
 893
 894         return 0;
 895 #endif /* USE_LIBCAP */
 896 }
 897
 898 static int do_probe(int argc, char **argv)
 899 {
 900         enum probe_component target = COMPONENT_UNSPEC;
 901         const char *define_prefix = NULL;
 902         bool supported_types[128] = {};
 903         __u32 ifindex = 0;
 904         char *ifname;
 905
 906         set_max_rlimit();
 907
 908         while (argc) {
 909                 if (is_prefix(*argv, "kernel")) {
 910                         if (target != COMPONENT_UNSPEC) {
 911                                 p_err("component to probe already specified");
 912                                 return -1;
 913                         }
 914                         target = COMPONENT_KERNEL;
 915                         NEXT_ARG();
 916                 } else if (is_prefix(*argv, "dev")) {
 917                         NEXT_ARG();
 918
 919                         if (target != COMPONENT_UNSPEC || ifindex) {
 920                                 p_err("component to probe already specified");
 921                                 return -1;
 922                         }
 923                         if (!REQ_ARGS(1))
 924                                 return -1;
 925
 926                         target = COMPONENT_DEVICE;
 927                         ifname = GET_ARG();
 928                         ifindex = if_nametoindex(ifname);
 929                         if (!ifindex) {
 930                                 p_err("unrecognized netdevice '%s': %s", ifname,
 931                                       strerror(errno));
 932                                 return -1;
 933                         }
 934                 } else if (is_prefix(*argv, "full")) {
 935                         full_mode = true;
 936                         NEXT_ARG();
 937                 } else if (is_prefix(*argv, "macros") && !define_prefix) {
 938                         define_prefix = "";
 939                         NEXT_ARG();
 940                 } else if (is_prefix(*argv, "prefix")) {
 941                         if (!define_prefix) {
 942                                 p_err("'prefix' argument can only be use after 'macros'");
 943                                 return -1;
 944                         }
 945                         if (strcmp(define_prefix, "")) {
 946                                 p_err("'prefix' already defined");
 947                                 return -1;
 948                         }
 949                         NEXT_ARG();
 950
 951                         if (!REQ_ARGS(1))
 952                                 return -1;
 953                         define_prefix = GET_ARG();
 954                 } else if (is_prefix(*argv, "unprivileged")) {
 955 #ifdef USE_LIBCAP
 956                         run_as_unprivileged = true;
 957                         NEXT_ARG();
 958 #else
 959                         p_err("unprivileged run not supported, recompile bpftool with libcap");
 960                         return -1;
 961 #endif
 962                 } else {
 963                         p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
 964                               *argv);
 965                         return -1;
 966                 }
 967         }
 968
 969         /* Full feature detection requires specific privileges.
 970          * Let's approximate, and warn if user is not root.
 971          */
 972         if (handle_perms())
 973                 return -1;
 974
 975         if (json_output) {
 976                 define_prefix = NULL;
 977                 jsonw_start_object(json_wtr);
 978         }
 979
 980         section_system_config(target, define_prefix);
 981         if (!section_syscall_config(define_prefix))
 982                 /* bpf() syscall unavailable, don't probe other BPF features */
 983                 goto exit_close_json;
 984         section_program_types(supported_types, define_prefix, ifindex);
 985         section_map_types(define_prefix, ifindex);
 986         section_helpers(supported_types, define_prefix, ifindex);
 987         section_misc(define_prefix, ifindex);
 988
 989 exit_close_json:
 990         if (json_output)
 991                 /* End root object */
 992                 jsonw_end_object(json_wtr);
 993
 994         return 0;
 995 }
 996
 997 static int do_help(int argc, char **argv)
 998 {
 999         if (json_output) {
1000                 jsonw_null(json_wtr);
1001                 return 0;
1002         }
1003
1004         fprintf(stderr,
1005                 "Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
1006                 "       %1$s %2$s help\n"
1007                 "\n"
1008                 "       COMPONENT := { kernel | dev NAME }\n"
1009                 "       " HELP_SPEC_OPTIONS " }\n"
1010                 "",
1011                 bin_name, argv[-2]);
1012
1013         return 0;
1014 }
1015
1016 static const struct cmd cmds[] = {
1017         { "probe",      do_probe },
1018         { "help",       do_help },
1019         { 0 }
1020 };
1021
1022 int do_feature(int argc, char **argv)
1023 {
1024         return cmd_select(cmds, argc, argv, do_help);
1025 }