Is it possible to read a userspace file (from kernelspace) using BPF/eBPF?

I know that as a general note files should not be read from kernelspace.

However I am interested in looking for keywords in certain files using a BPF program.

Ideally I would like the BPF program to be able to be attached to a Kprobe, and when the event triggers I would like it to, say, read a file and count the instances that a keyword appears within the file.

Can anyone tell me if it is possible to read in a file like this, and perhaps offer some guidance as to how I might go about this?

Thanks, Sam

No, this is not possible.

But you can maybe achieve something close if you reconsider your design:

  • If the file you want to read is directly associated with the process you want to probe, then for example you could attach an eBPF program to the function used by this process to access the file (such as the read or write system calls). You will not be able to access the file, but you may have access to the data read or written by your process, and count the instances of your keywords in there.
  • If the file content is not directly related to the process you trace, but it is somehow needed to take a decision, you could maybe process it with a user space program, and then feed relevant data (such as the number of occurrences of your keyword) into an eBPF map. The eBPF program can then read this data and take decisions based on it.
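The user-space half of the second option, as an added example that is not part of the original answer: it counts a keyword in a file and writes the count into a pinned eBPF map through the raw bpf(2) syscall. The names `count_keyword` and `publish_count`, the pinned-map path passed on the command line, and the map layout (4-byte key, 8-byte value, slot 0) are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Count (possibly overlapping) matches with a sliding window of strlen(kw) bytes. */
uint64_t count_keyword(FILE *f, const char *kw)
{
    size_t m = strlen(kw), filled = 0;
    char win[64]; uint64_t hits = 0; int c;
    if (m == 0 || m > sizeof(win)) return 0;   /* keyword must fit the window */
    while ((c = fgetc(f)) != EOF) {
        if (filled == m) memmove(win, win + 1, --filled);  /* drop oldest byte */
        win[filled++] = (char)c;
        if (filled == m && memcmp(win, kw, m) == 0) hits++;
    }
    return hits;
}

/* Write count under key into the map pinned at pin_path (hypothetical path).
 * Assumes 4-byte keys and 8-byte values, e.g. a BPF_MAP_TYPE_ARRAY of u64. */
int publish_count(const char *pin_path, uint32_t key, uint64_t count)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (uint64_t)(uintptr_t)pin_path;
    int fd = (int)syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
    if (fd < 0) return -1;                     /* not pinned or no privilege */
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&count;
    attr.flags = BPF_ANY;                      /* create or overwrite the slot */
    long rc = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s FILE KEYWORD PINNED_MAP\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    uint64_t n = count_keyword(f, argv[2]);
    fclose(f);
    return publish_count(argv[3], 0, n) == 0 ? 0 : 1;
}
```

The eBPF program attached to the kprobe would then fetch slot 0 with `bpf_map_lookup_elem()` and act on the value; the file itself is never touched from kernel context.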
