Re: one-shot BPF program in the context of a specific PID

Alexei Starovoitov

On Tue, Dec 20, 2022 at 8:03 AM Andrei Matei <andreimatei1@...> wrote:
> Hi Alexei,
>
> I'm playing around with using BPF to read a given process' memory for debugging purposes. I'd like to recreate some of the experience that a debugger gives you by stopping and ptrace-ing another process, except without the "stopping" part. One of the aspects is around getting a snapshot of the running process; for example, for a Go program, this involves reading the information that the Go runtime has about all the Goroutines, walking their stacks, and collecting different variables from the different stack frames.
> You'll notice that this use case doesn't quite fit as a uprobe - I don't want the BPF program to be run when a particular program counter is hit; instead, I want the BPF program to run whenever the debugger decides to run it. Crucially, the BPF program needs to run *within the virtual memory context* of the debugged program, so it can bpf_probe_read_user() its memory. So, I want process A to trigger a BPF program that will execute within process B. Or, is there perhaps a way to read the virtual memory of an arbitrary program?

yes. That's what bpf iterator of task->vma is for.
The prog doesn't need to execute "within process B" to read its memory.

> > Have you considered using a task iterator parametrized with a particular task?
> I had not. I'm reading about it now, but I'm not sure if it helps me. If it applies, can you please say more?

I think that is exactly what you need.
The iterator can read mm of another process as long as
you can ptrace it.
The same permission checks as gdb.
The main difference is that bpf iter doesn't stop another process.
See task iter and vma selftests including bpf_find_vma helper
that can also be useful.


> On Tue, Dec 20, 2022 at 9:16 AM Alexei Starovoitov <alexei.starovoitov@...> wrote:
> > On Sun, Dec 18, 2022 at 4:09 PM Andrei Matei <andreimatei1@...> wrote:
> > > Hello iovisor friends,
> > >
> > > I'm curious what my options are for running a BPF program once, immediately, in the virtual memory context of a particular (user space) process. For example, say I want to read the current value from a known virtual memory address in the process' space. I'm curious if there's an official answer or, short of that, tricks that people might have used.
> > > What I want is similar in spirit to BPF_PROG_RUN, I think, except that I think I want my program type to be perf-event (and BPF_PROG_RUN doesn't seem to support this program type), and I want to also specify which process I'm interested in.
> > >
> > > I feel like one solution might be around sending a signal to the process I'm interested in and placing a uprobe somewhere on the signal handling path, but I'm not sure of a general way to do this. Any suggestion is most welcome.
> >
> > Could you describe what prog is going to do?
> > Have you considered using a task iterator parametrized with a particular task?
