@ -27,6 +27,7 @@ replace (
github.com/golangci/lint-1 => github.com/golangci/lint-1 v0.0.0-20190420132249-ee948d087217
github.com/kubernetes-sigs/cri-tools => github.com/rancher/cri-tools v1.16.1-k3s.1
github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.0-rc10
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1
github.com/prometheus/client_golang => github.com/prometheus/client_golang v0.9.2
github.com/prometheus/client_model => github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910
@ -66,6 +67,7 @@ require (
github.com/bronze1man/goStrongswanVici v0.0.0-20190828090544-27d02f80ba40 // indirect
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23 // indirect
github.com/canonical/go-dqlite v1.1.0
github.com/cilium/ebpf v0.0.0-20200501092852-53d52285d8b3 // indirect
github.com/containerd/cgroups v0.0.0-20190923161937-abd0b19954a6 // indirect
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69
github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 // indirect
@ -109,12 +111,13 @@ require (
github.com/rootless-containers/rootlesskit v0.6.0
github.com/sirupsen/logrus v1.4.2
github.com/spf13/pflag v1.0.5
github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 // indirect
github.com/tchap/go-patricia v2.3.0+incompatible // indirect
github.com/theckman/go-flock v0.7.1 // indirect
github.com/urfave/cli v1.21.0
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
golang.org/x/net v0.0.0-20191004110552-13f9640d40b9
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3
golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9
google.golang.org/grpc v1.23.0
gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 // indirect
gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5 // indirect
@ -93,6 +93,8 @@ github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5/go.mod h1:/iP1
github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b h1:T4nWG1TXIxeor8mAu5bFguPJgSIGhZqv/f0z55KCrJM=
github.com/checkpoint-restore/go-criu v0.0.0-20190109184317-bdb7599cd87b/go.mod h1:TrMrLQfeENAPYPRsJuq3jsqdlRh3lvi6trTZJG8+tho=
github.com/cheekybits/genny v0.0.0-20170328200008-9127e812e1e9/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
github.com/cilium/ebpf v0.0.0-20200501092852-53d52285d8b3 h1:ycJILTuzypoGfRnSbZmMuPlFVnXy6uk3CFy5QEwD2aI=
github.com/cilium/ebpf v0.0.0-20200501092852-53d52285d8b3/go.mod h1:XT+cAw5wfvsodedcijoh1l9cf7v1x9FlFB/3VmF/O8s=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cloudflare/cfssl v0.0.0-20180726162950-56268a613adf h1:eOyFuj3h/Vj5e4voOM16NNrHsUR3jhD0duh76LHMj6Y=
github.com/cloudflare/cfssl v0.0.0-20180726162950-56268a613adf/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
@ -199,49 +201,6 @@ github.com/flosch/pongo2 v0.0.0-20190707114632-bbf5a6c351f4/go.mod h1:T9YF2M40nI
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/galal-hussein/kubernetes v1.16.9-k3s1 h1:6STsNcV/BXalr31C5vV7mG9PldWS18BiieQxHOKzDO4=
github.com/galal-hussein/kubernetes v1.16.9-k3s1/go.mod h1:bpUsy1qP0W6EtkxrPluP02p2+wyVN+95lkjPKnLQZtc=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/api v1.16.9-k3s1 h1:TwJFSR/RLRmik5kfh5uRZNYYxeaOvsGQ6Ir4GkE/R4o=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/api v1.16.9-k3s1/go.mod h1:hF711SYP9H3Bqm/pquHb7I9hmYCbyZmz7AZRaXu1rqE=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.9-k3s1 h1:ATFkC6HkDclYiT1xZOb7wGxMSPZ5r/Mg2W39m4AmR3U=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.9-k3s1/go.mod h1:axITnwRoy4D5D7Wg2zBeulO0qC8Txk2q8KbWiY+knpI=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/apimachinery v1.16.9-k3s1 h1:+BNAt58QKZ0uzCILxzGvU8JBx4vHU4RCnHLw+Xr+FWY=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/apimachinery v1.16.9-k3s1/go.mod h1:Zhu4M1LCh6KQuW4HZ59l5qY0wPKnx4KjpPPR4WC33+o=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/apiserver v1.16.9-k3s1 h1:um0GmCU+l6NeG2wJ+NqTgJczZXLVSfr2LJOPCM9AXlc=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/apiserver v1.16.9-k3s1/go.mod h1:PV2FNVyrn55rUCxs4JcEdwxXaOrU2zY1epuW8zId1eo=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cli-runtime v1.16.9-k3s1 h1:7H9r1q5d4u7MNi6wfwpI1E3rPW2NinMi2GLPDNo+uy0=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cli-runtime v1.16.9-k3s1/go.mod h1:VpFACNqiYpPtmofpGz77fAfDTDyOnbvU0rJ2CpM40A4=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/client-go v1.16.9-k3s1 h1:7TX2MsIForu3YALpDhJgph03XWun8x/cISkNcZU+36o=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/client-go v1.16.9-k3s1/go.mod h1:o1JsPLiZ5bL+KsLEe/wHo65emfcWBAsa0hSpWuMRX80=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cloud-provider v1.16.9-k3s1 h1:KDF46+XnFR3WgfSMkpBpKpl0AEzRC+pWMQ8o0K6wUgM=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cloud-provider v1.16.9-k3s1/go.mod h1:mkOG2NRE3z5O+q3d1mmg3DiltNAqprjQWCJEqS941Sk=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cluster-bootstrap v1.16.9-k3s1 h1:GnGH5vrGuU7I/WnBekzRrdz1B5vs/ED1S0T01wdWxGc=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cluster-bootstrap v1.16.9-k3s1/go.mod h1:VRJM3GFPwH5SheYrgtmNLDThbGZV36jQbE4KLzoI9bg=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/code-generator v1.16.9-k3s1 h1:EvtE1Qx9t0ZAXwC/qlCkHT8oTVWui6jN1RU5+fYt2D0=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/code-generator v1.16.9-k3s1/go.mod h1:Xg9C2lkA8xiEQpNxCGud7q0rGveR+ejYB16e/3mCLVU=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/component-base v1.16.9-k3s1 h1:6fL7vw88HONRMlKGV+cKSCwjSlhmoFWKxm9gxiPJ40E=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/component-base v1.16.9-k3s1/go.mod h1:f4FAu7hsUOeHiLm8TTj5sA9RbgPp4cMYiMD7III70Uc=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cri-api v1.16.9-k3s1 h1:ZeaF2KyNeI5mO1aknhBzeokdbwkm2bgekNMmV4Ry3Ps=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/cri-api v1.16.9-k3s1/go.mod h1:cBkf5Pgf0kssF+HGNYRkpkOLu2WYWB5OugNuN1DDCTI=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/csi-translation-lib v1.16.9-k3s1 h1:m6jeFHplNLFWCpjCCf5EVWHYqbjsAgcTbzYfHVr3dEE=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/csi-translation-lib v1.16.9-k3s1/go.mod h1:74gMNDhIex44m9pwyDxvegJ/1iwIV+GeY4vnqW+elB0=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-aggregator v1.16.9-k3s1 h1:S7N3WygX0teuJgm2BlIjvo+H+94g/UgWqi8rbpZ73dQ=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-aggregator v1.16.9-k3s1/go.mod h1:dyU7jPslQdL95RNVzpjl9+owb71I/f+nnYrK5K0Wdb0=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-controller-manager v1.16.9-k3s1 h1:2LZGmTi/lQHlvylDX9z3iAXeA7F7cZYqCGPtDR/rtjo=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-controller-manager v1.16.9-k3s1/go.mod h1:FrrkxvHzedrKyAIOTcAJjBonY3PstmNd+OlcwBg+j3Y=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-proxy v1.16.9-k3s1 h1:82WFD18gst6DAzKdAoSEl73E1uD/aJiuUZUb2E2dkqo=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-proxy v1.16.9-k3s1/go.mod h1:xy5tBvt9vGo0qIyDI+z0lQRj4FBPmDvVTCkB1vnKg4w=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-scheduler v1.16.9-k3s1 h1:YAcowY8VaUxaO8foU5t865C0ca9+fjJdgpZ6qQwkWvY=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kube-scheduler v1.16.9-k3s1/go.mod h1:jqwAYW696VyYRvVNjjqC4MYV0N6SiKdfx+nyfPlIwqM=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kubectl v1.16.9-k3s1 h1:pqnGDaGaGJHSDVQkwGMjASYGFo5Jh3ojYvbqqQ2426s=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kubectl v1.16.9-k3s1/go.mod h1:6RX5jlm+srJDUD2pXvwTaygK2GcN7o4cztrKOqoKmiQ=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kubelet v1.16.9-k3s1 h1:Oe2ODxfBs4U0EKTl3C4vYu69FpFMKjkyDGQ03cFAS4I=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/kubelet v1.16.9-k3s1/go.mod h1:TYwPJHyAg97PV1XzgDrp/il12tZ5cwWHT6tECzCEwG0=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/legacy-cloud-providers v1.16.9-k3s1 h1:W5Bv+avUaE4aCUyCXuD6ohQn07fqRzOiGEFdviEspWI=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/legacy-cloud-providers v1.16.9-k3s1/go.mod h1:tUmOWcMug23gITlfkI8tDjgeDdD7xiNR6ylYS0LavV4=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/metrics v1.16.9-k3s1 h1:+aNfFNmd8jnLAeAN6RTDGUTbueqOq28Hp0BHNuirpdA=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/metrics v1.16.9-k3s1/go.mod h1:pM/0ywERZODloMTAJKiUWRfmKBEhCf8oWgzBm1N5M/o=
github.com/galal-hussein/kubernetes/staging/src/k8s.io/sample-apiserver v1.16.9-k3s1/go.mod h1:0UFeNCG39wNOWlDZdmxwT/wvLX8ZjRT3zY1/FYoXctE=
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
@ -593,9 +552,8 @@ github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2i
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830 h1:yvQ/2Pupw60ON8TYEIGGTAI77yZsWYkiOeHFZWkwlCk=
github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runc v1.0.0-rc10 h1:AbmCEuSZXVflng0/cboQkpdEOeBsPMjz6tmq4Pv8MZw=
github.com/opencontainers/runc v1.0.0-rc10/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1 h1:AcjCvgprf9I23wEYTHuyuHcuuQAp4hK5l+u1FUXgVaM=
github.com/opencontainers/runtime-spec v0.0.0-20180911193056-5684b8af48c1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
@ -646,91 +604,48 @@ github.com/rancher/helm-controller v0.2.2 h1:MUqisy53/Ay1EYOF2uTCYBbGpgtZLNKKrI0
github.com/rancher/helm-controller v0.2.2/go.mod h1:0JkL0UjxddNbT4FmLoESarD4Mz8xzA5YlejqJ/U4g+8=
github.com/rancher/kine v0.2.5 h1:UE0HrxloO95zPEXYN/n8Rwejx276fc7s8I5JbJcLdmY=
github.com/rancher/kine v0.2.5/go.mod h1:SdBUuE7e3XyrJvdBxCl9TMMapF+wyZnMZSP/H59OqNE=
github.com/rancher/kubernetes v1.16.7-k3s1 h1:VW2B05bhthzhdzx+rpwdJXfZUh+lPLZ+kCxKQNKOTck=
github.com/rancher/kubernetes v1.16.7-k3s1/go.mod h1:sxuzQA0f4V+psd5kT0qyYqJx196wROK/8dyWBPePQCU=
github.com/rancher/kubernetes v1.16.9-k3s1 h1:nDwCACEG8aHziJXCDBffT/wCh8UiUbEcyK8WIKP3w1g=
github.com/rancher/kubernetes v1.16.9-k3s1/go.mod h1:bpUsy1qP0W6EtkxrPluP02p2+wyVN+95lkjPKnLQZtc=
github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.7-k3s1 h1:YpH1M5Xu+GL9ye3d8og056zsRqA06DqnXrQY6niV1MI=
github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.7-k3s1/go.mod h1:hF711SYP9H3Bqm/pquHb7I9hmYCbyZmz7AZRaXu1rqE=
github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.9-k3s1 h1:QXMRJ7XS8jRme1Gp8Zza8wKhSKeQCYceznoI2KRUpXk=
github.com/rancher/kubernetes/staging/src/k8s.io/api v1.16.9-k3s1/go.mod h1:hF711SYP9H3Bqm/pquHb7I9hmYCbyZmz7AZRaXu1rqE=
github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.7-k3s1 h1:iVO9gOqo787Ud30XCFHqk9mci5GDnYEUhLIpZQXGY68=
github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.7-k3s1/go.mod h1:axITnwRoy4D5D7Wg2zBeulO0qC8Txk2q8KbWiY+knpI=
github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.9-k3s1 h1:jlK5yHiz3kATwAW7t0JQzDSdV3aH+7Tb/glTOZTUWxE=
github.com/rancher/kubernetes/staging/src/k8s.io/apiextensions-apiserver v1.16.9-k3s1/go.mod h1:axITnwRoy4D5D7Wg2zBeulO0qC8Txk2q8KbWiY+knpI=
github.com/rancher/kubernetes/staging/src/k8s.io/apimachinery v1.16.7-k3s1 h1:vDxTqWGXEbFOLgLCSUxTVqhYQiKmVLvitAeWeKrNODk=
github.com/rancher/kubernetes/staging/src/k8s.io/apimachinery v1.16.7-k3s1/go.mod h1:Zhu4M1LCh6KQuW4HZ59l5qY0wPKnx4KjpPPR4WC33+o=
github.com/rancher/kubernetes/staging/src/k8s.io/apimachinery v1.16.9-k3s1 h1:5uS3NZ6dq2zCPNCxp+dARjJllCy60ennyksHKcjc0i4=
github.com/rancher/kubernetes/staging/src/k8s.io/apimachinery v1.16.9-k3s1/go.mod h1:Zhu4M1LCh6KQuW4HZ59l5qY0wPKnx4KjpPPR4WC33+o=
github.com/rancher/kubernetes/staging/src/k8s.io/apiserver v1.16.7-k3s1 h1:SQs4LP9xrmOkaw/fo7DqKd+/uw/yfhG/XORkTa7fpFU=
github.com/rancher/kubernetes/staging/src/k8s.io/apiserver v1.16.7-k3s1/go.mod h1:QfUd8oxpHNGGqjTcFtbhCEsbFTs2XqeAmUdWodNuiZA=
github.com/rancher/kubernetes/staging/src/k8s.io/apiserver v1.16.9-k3s1 h1:xwlf0jF/9XtPp2TJcUQ5oDjvY3E+GrIprWuHM92lhFk=
github.com/rancher/kubernetes/staging/src/k8s.io/apiserver v1.16.9-k3s1/go.mod h1:PV2FNVyrn55rUCxs4JcEdwxXaOrU2zY1epuW8zId1eo=
github.com/rancher/kubernetes/staging/src/k8s.io/cli-runtime v1.16.7-k3s1 h1:JxhlMKHiLwE23Nz9WD+3U/7f0ueaceN10bydfBp1h7A=
github.com/rancher/kubernetes/staging/src/k8s.io/cli-runtime v1.16.7-k3s1/go.mod h1:VpFACNqiYpPtmofpGz77fAfDTDyOnbvU0rJ2CpM40A4=
github.com/rancher/kubernetes/staging/src/k8s.io/cli-runtime v1.16.9-k3s1 h1:+U26QONj5pdtBEaeYz7SKKXHREjoowSzMjNIdjRix0g=
github.com/rancher/kubernetes/staging/src/k8s.io/cli-runtime v1.16.9-k3s1/go.mod h1:VpFACNqiYpPtmofpGz77fAfDTDyOnbvU0rJ2CpM40A4=
github.com/rancher/kubernetes/staging/src/k8s.io/client-go v1.16.7-k3s1 h1:xRi4CPvUDJ3RoioD87U3lXVfbnYqgLJBhzL6H02pXL8=
github.com/rancher/kubernetes/staging/src/k8s.io/client-go v1.16.7-k3s1/go.mod h1:ha/1XT6rx/Pb2npurCZUK4clbOha0bQM+u9w+VlQf98=
github.com/rancher/kubernetes/staging/src/k8s.io/client-go v1.16.9-k3s1 h1:lFVPf1K7rVdBGDArD3UYT0AQoNiIZOZr8WIIEkq+wMg=
github.com/rancher/kubernetes/staging/src/k8s.io/client-go v1.16.9-k3s1/go.mod h1:o1JsPLiZ5bL+KsLEe/wHo65emfcWBAsa0hSpWuMRX80=
github.com/rancher/kubernetes/staging/src/k8s.io/cloud-provider v1.16.7-k3s1 h1:8bQm1aznzfmIpaEJgXcN/dIQJZ3XztCD11Qlh8DYjy4=
github.com/rancher/kubernetes/staging/src/k8s.io/cloud-provider v1.16.7-k3s1/go.mod h1:mkOG2NRE3z5O+q3d1mmg3DiltNAqprjQWCJEqS941Sk=
github.com/rancher/kubernetes/staging/src/k8s.io/cloud-provider v1.16.9-k3s1 h1:A4j23KfzGMiwKKrB4vne1JfpIWLd1mLk9V/bMZRikek=
github.com/rancher/kubernetes/staging/src/k8s.io/cloud-provider v1.16.9-k3s1/go.mod h1:mkOG2NRE3z5O+q3d1mmg3DiltNAqprjQWCJEqS941Sk=
github.com/rancher/kubernetes/staging/src/k8s.io/cluster-bootstrap v1.16.7-k3s1 h1:gWcCGSHiNzhlEGtvONaCQOO1JwNPfL9Ccyohc6vxpA4=
github.com/rancher/kubernetes/staging/src/k8s.io/cluster-bootstrap v1.16.7-k3s1/go.mod h1:l7tRtjxOLJVHBKW+bdNxDGKGfNW4rZK+2+JNCaVS2sY=
github.com/rancher/kubernetes/staging/src/k8s.io/cluster-bootstrap v1.16.9-k3s1 h1:b0s9iko+KE6Hd3qkxOpMCd2ZKzzy54PD1+c6mad8EW0=
github.com/rancher/kubernetes/staging/src/k8s.io/cluster-bootstrap v1.16.9-k3s1/go.mod h1:VRJM3GFPwH5SheYrgtmNLDThbGZV36jQbE4KLzoI9bg=
github.com/rancher/kubernetes/staging/src/k8s.io/code-generator v1.16.7-k3s1 h1:lQC4yNLzfG3tXin7twjIq+Pdk21jeep0ou3pESh/VOU=
github.com/rancher/kubernetes/staging/src/k8s.io/code-generator v1.16.7-k3s1/go.mod h1:Xg9C2lkA8xiEQpNxCGud7q0rGveR+ejYB16e/3mCLVU=
github.com/rancher/kubernetes/staging/src/k8s.io/code-generator v1.16.9-k3s1 h1:YpwR8hU8n0i6UFd8q6sqjCIILSxDzC8iuNodF7vcYPc=
github.com/rancher/kubernetes/staging/src/k8s.io/code-generator v1.16.9-k3s1/go.mod h1:Xg9C2lkA8xiEQpNxCGud7q0rGveR+ejYB16e/3mCLVU=
github.com/rancher/kubernetes/staging/src/k8s.io/component-base v1.16.7-k3s1 h1:Ty1mHt/ImMzbmhmyOksoyWbl52vxwMv5d0cOsmHrFP4=
github.com/rancher/kubernetes/staging/src/k8s.io/component-base v1.16.7-k3s1/go.mod h1:f4FAu7hsUOeHiLm8TTj5sA9RbgPp4cMYiMD7III70Uc=
github.com/rancher/kubernetes/staging/src/k8s.io/component-base v1.16.9-k3s1 h1:zIQdd0kBgEqBE2BP7OAvAo4eUBhpTb6HsB0SeW/QBFU=
github.com/rancher/kubernetes/staging/src/k8s.io/component-base v1.16.9-k3s1/go.mod h1:f4FAu7hsUOeHiLm8TTj5sA9RbgPp4cMYiMD7III70Uc=
github.com/rancher/kubernetes/staging/src/k8s.io/cri-api v1.16.7-k3s1 h1:d2HHz2CuBQI3j3oYURefahFlViq50oufx0MyuMjwV/8=
github.com/rancher/kubernetes/staging/src/k8s.io/cri-api v1.16.7-k3s1/go.mod h1:cBkf5Pgf0kssF+HGNYRkpkOLu2WYWB5OugNuN1DDCTI=
github.com/rancher/kubernetes/staging/src/k8s.io/cri-api v1.16.9-k3s1 h1:WnTPOkr5Nv9gkPAbgbjEwZhBcMzzjKTqfQ7SUlxQP3Y=
github.com/rancher/kubernetes/staging/src/k8s.io/cri-api v1.16.9-k3s1/go.mod h1:cBkf5Pgf0kssF+HGNYRkpkOLu2WYWB5OugNuN1DDCTI=
github.com/rancher/kubernetes/staging/src/k8s.io/csi-translation-lib v1.16.7-k3s1 h1:7CXpPiCMJPwvaPwZ/rwruQJGSNCnsGNtyBH7E8m3NeU=
github.com/rancher/kubernetes/staging/src/k8s.io/csi-translation-lib v1.16.7-k3s1/go.mod h1:74gMNDhIex44m9pwyDxvegJ/1iwIV+GeY4vnqW+elB0=
github.com/rancher/kubernetes/staging/src/k8s.io/csi-translation-lib v1.16.9-k3s1 h1:zZrfNqhrcKd2A+VZvuUpD50HPbL37Gn5tPKIt54dlCI=
github.com/rancher/kubernetes/staging/src/k8s.io/csi-translation-lib v1.16.9-k3s1/go.mod h1:74gMNDhIex44m9pwyDxvegJ/1iwIV+GeY4vnqW+elB0=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-aggregator v1.16.7-k3s1 h1:ifkHzBIJIQcHec+mKsPgbUvejVtdxFANgT37FtwctVw=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-aggregator v1.16.7-k3s1/go.mod h1:dyU7jPslQdL95RNVzpjl9+owb71I/f+nnYrK5K0Wdb0=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-aggregator v1.16.9-k3s1 h1:ebAirKofvGWV+368C5emDoG5jaGvvVeeEOSd0stpfYU=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-aggregator v1.16.9-k3s1/go.mod h1:dyU7jPslQdL95RNVzpjl9+owb71I/f+nnYrK5K0Wdb0=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-controller-manager v1.16.7-k3s1 h1:i0QUwVSMPNYU3qLgu+EhEq67BUQ/GO/Dsw/vfk93hGE=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-controller-manager v1.16.7-k3s1/go.mod h1:FrrkxvHzedrKyAIOTcAJjBonY3PstmNd+OlcwBg+j3Y=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-controller-manager v1.16.9-k3s1 h1:usYxKkdzlDirblD/BVb6BFjR1rcZYibTZYo2JR6Eiqw=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-controller-manager v1.16.9-k3s1/go.mod h1:FrrkxvHzedrKyAIOTcAJjBonY3PstmNd+OlcwBg+j3Y=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-proxy v1.16.7-k3s1 h1:Le+Y4S9bawHxlX2HA/LXVIDySxEKCpkxahPKIviVVhM=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-proxy v1.16.7-k3s1/go.mod h1:xy5tBvt9vGo0qIyDI+z0lQRj4FBPmDvVTCkB1vnKg4w=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-proxy v1.16.9-k3s1 h1:6RE0RMpU3p/9VCraiRe4jE1mxtQ0ithH/qsXjQmDMtM=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-proxy v1.16.9-k3s1/go.mod h1:xy5tBvt9vGo0qIyDI+z0lQRj4FBPmDvVTCkB1vnKg4w=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-scheduler v1.16.7-k3s1 h1:TxPExaNRijsEFD/o7td08omHU0Zf3EweukmmeE62lNI=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-scheduler v1.16.7-k3s1/go.mod h1:jqwAYW696VyYRvVNjjqC4MYV0N6SiKdfx+nyfPlIwqM=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-scheduler v1.16.9-k3s1 h1:F8ZcmFomMBpjPuTErdqVookdaAT3gqAYBNH5796x9JA=
github.com/rancher/kubernetes/staging/src/k8s.io/kube-scheduler v1.16.9-k3s1/go.mod h1:jqwAYW696VyYRvVNjjqC4MYV0N6SiKdfx+nyfPlIwqM=
github.com/rancher/kubernetes/staging/src/k8s.io/kubectl v1.16.7-k3s1 h1:zx8yA4SBRSD1lp8pnI1q7FjLpZf2FNxGCn2uR7jydTg=
github.com/rancher/kubernetes/staging/src/k8s.io/kubectl v1.16.7-k3s1/go.mod h1:6RX5jlm+srJDUD2pXvwTaygK2GcN7o4cztrKOqoKmiQ=
github.com/rancher/kubernetes/staging/src/k8s.io/kubectl v1.16.9-k3s1 h1:4ssLVPZsivRu1DiGakgVoyFYGNxgOLqrn2UcUD7Fmbo=
github.com/rancher/kubernetes/staging/src/k8s.io/kubectl v1.16.9-k3s1/go.mod h1:6RX5jlm+srJDUD2pXvwTaygK2GcN7o4cztrKOqoKmiQ=
github.com/rancher/kubernetes/staging/src/k8s.io/kubelet v1.16.7-k3s1 h1:qkOQRF0+S4h+GOHm5oRAMgmgB1DjwuJ4+cYw3Qte4Wk=
github.com/rancher/kubernetes/staging/src/k8s.io/kubelet v1.16.7-k3s1/go.mod h1:TYwPJHyAg97PV1XzgDrp/il12tZ5cwWHT6tECzCEwG0=
github.com/rancher/kubernetes/staging/src/k8s.io/kubelet v1.16.9-k3s1 h1:1Obc06vkvjgx1iIDfOg/vOg2kL/n6d+GhxRwzPaZTfI=
github.com/rancher/kubernetes/staging/src/k8s.io/kubelet v1.16.9-k3s1/go.mod h1:TYwPJHyAg97PV1XzgDrp/il12tZ5cwWHT6tECzCEwG0=
github.com/rancher/kubernetes/staging/src/k8s.io/legacy-cloud-providers v1.16.7-k3s1 h1:GMvxU//v0FinwaJR8IpmLxt31aF9sYC5jakGUJiT9Ls=
github.com/rancher/kubernetes/staging/src/k8s.io/legacy-cloud-providers v1.16.7-k3s1/go.mod h1:KIjeTACS7ioxWYG+eqydDWB4aov6ofTCVwHgTRLsTek=
github.com/rancher/kubernetes/staging/src/k8s.io/legacy-cloud-providers v1.16.9-k3s1 h1:XxBA5ytPcGXaSwKiAjR8YBPGpHX/iLNYt2RPGFDVKqc=
github.com/rancher/kubernetes/staging/src/k8s.io/legacy-cloud-providers v1.16.9-k3s1/go.mod h1:tUmOWcMug23gITlfkI8tDjgeDdD7xiNR6ylYS0LavV4=
github.com/rancher/kubernetes/staging/src/k8s.io/metrics v1.16.7-k3s1 h1:m61WTcCTBM/fGfBNkU89Gk9eC1uBzfVBX8NoPlUDLMo=
github.com/rancher/kubernetes/staging/src/k8s.io/metrics v1.16.7-k3s1/go.mod h1:pM/0ywERZODloMTAJKiUWRfmKBEhCf8oWgzBm1N5M/o=
github.com/rancher/kubernetes/staging/src/k8s.io/metrics v1.16.9-k3s1 h1:AOPiP+F3UAdDcMrLE/Q9Zafh8g9PYQpy0ssZy8l6PVg=
github.com/rancher/kubernetes/staging/src/k8s.io/metrics v1.16.9-k3s1/go.mod h1:pM/0ywERZODloMTAJKiUWRfmKBEhCf8oWgzBm1N5M/o=
github.com/rancher/kubernetes/staging/src/k8s.io/sample-apiserver v1.16.7-k3s1/go.mod h1:0UFeNCG39wNOWlDZdmxwT/wvLX8ZjRT3zY1/FYoXctE=
github.com/rancher/kubernetes/staging/src/k8s.io/sample-apiserver v1.16.9-k3s1/go.mod h1:0UFeNCG39wNOWlDZdmxwT/wvLX8ZjRT3zY1/FYoXctE=
github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009 h1:Xsxh7fX3+2wAUJtPy8g2lZh0cYuyifqhBL0vxCIYojs=
github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009/go.mod h1:wpITyDPTi/Na5h73XkbuEf2AP9fbgrIGqqxVzFhYD6U=
@ -810,6 +725,8 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
github.com/syndtr/gocapability v0.0.0-20160928074757-e7cb7fa329f4/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8 h1:zLV6q4e8Jv9EHjNg/iHfzwDkCve6Ua5jCygptrtXHvI=
github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs=
github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
@ -880,8 +797,6 @@ golang.org/x/crypto v0.0.0-20190424203555-c05e17bb3b2d/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1XfZvZ13m8mub3shuVftRs0=
golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -962,6 +877,8 @@ golang.org/x/sys v0.0.0-20190730183949-1393eb018365/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 h1:7TYNF4UdlohbFwpNH04CoPMp1cHUZgO1Ebq5r2hIjfo=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9 h1:1/DFK4b7JH8DmkqhUk48onnSfrPzImPoVxuomtbT2nk=
golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1001,6 +918,8 @@ golang.org/x/tools v0.0.0-20190909030654-5b82db07426d/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72 h1:bw9doJza/SFBEweII/rHQh338oozWyiFsBRHtrflcws=
golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485 h1:OB/uP/Puiu5vS5QMRPrXCDWUPb+kt8f1KW8oQzFejQw=
gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
@ -0,0 +1,207 @@
package ebpf
import (
// MapABI are the attributes of a Map which are available across all supported kernels.
type MapABI struct {
Type MapType
KeySize uint32
ValueSize uint32
MaxEntries uint32
Flags uint32
func newMapABIFromSpec(spec *MapSpec) *MapABI {
return &MapABI{
func newMapABIFromFd(fd *internal.FD) (string, *MapABI, error) {
info, err := bpfGetMapInfoByFD(fd)
if err != nil {
if xerrors.Is(err, syscall.EINVAL) {
abi, err := newMapABIFromProc(fd)
return "", abi, err
return "", nil, err
return "", &MapABI{
}, nil
func newMapABIFromProc(fd *internal.FD) (*MapABI, error) {
var abi MapABI
err := scanFdInfo(fd, map[string]interface{}{
"map_type": &abi.Type,
"key_size": &abi.KeySize,
"value_size": &abi.ValueSize,
"max_entries": &abi.MaxEntries,
"map_flags": &abi.Flags,
if err != nil {
return nil, err
return &abi, nil
// Equal returns true if two ABIs have the same values.
func (abi *MapABI) Equal(other *MapABI) bool {
switch {
case abi.Type != other.Type:
return false
case abi.KeySize != other.KeySize:
return false
case abi.ValueSize != other.ValueSize:
return false
case abi.MaxEntries != other.MaxEntries:
return false
case abi.Flags != other.Flags:
return false
return true
// ProgramABI are the attributes of a Program which are available across all supported kernels.
type ProgramABI struct {
Type ProgramType
func newProgramABIFromSpec(spec *ProgramSpec) *ProgramABI {
return &ProgramABI{
func newProgramABIFromFd(fd *internal.FD) (string, *ProgramABI, error) {
info, err := bpfGetProgInfoByFD(fd)
if err != nil {
if xerrors.Is(err, syscall.EINVAL) {
return newProgramABIFromProc(fd)
return "", nil, err
var name string
if bpfName := internal.CString(info.name[:]); bpfName != "" {
name = bpfName
} else {
name = internal.CString(info.tag[:])
return name, &ProgramABI{
Type: ProgramType(info.progType),
}, nil
func newProgramABIFromProc(fd *internal.FD) (string, *ProgramABI, error) {
var (
abi ProgramABI
name string
err := scanFdInfo(fd, map[string]interface{}{
"prog_type": &abi.Type,
"prog_tag": &name,
if xerrors.Is(err, errMissingFields) {
return "", nil, &internal.UnsupportedFeatureError{
Name: "reading ABI from /proc/self/fdinfo",
MinimumVersion: internal.Version{4, 11, 0},
if err != nil {
return "", nil, err
return name, &abi, nil
func scanFdInfo(fd *internal.FD, fields map[string]interface{}) error {
raw, err := fd.Value()
if err != nil {
return err
fh, err := os.Open(fmt.Sprintf("/proc/self/fdinfo/%d", raw))
if err != nil {
return err
defer fh.Close()
if err := scanFdInfoReader(fh, fields); err != nil {
return xerrors.Errorf("%s: %w", fh.Name(), err)
return nil
var errMissingFields = xerrors.New("missing fields")
func scanFdInfoReader(r io.Reader, fields map[string]interface{}) error {
var (
scanner = bufio.NewScanner(r)
scanned int
for scanner.Scan() {
parts := bytes.SplitN(scanner.Bytes(), []byte("\t"), 2)
if len(parts) != 2 {
name := bytes.TrimSuffix(parts[0], []byte(":"))
field, ok := fields[string(name)]
if !ok {
if n, err := fmt.Fscanln(bytes.NewReader(parts[1]), field); err != nil || n != 1 {
return xerrors.Errorf("can't parse field %s: %v", name, err)
if err := scanner.Err(); err != nil {
return err
if scanned != len(fields) {
return errMissingFields
return nil
// Equal returns true if two ABIs have the same values.
func (abi *ProgramABI) Equal(other *ProgramABI) bool {
switch {
case abi.Type != other.Type:
return false
return true
@ -0,0 +1,149 @@
package asm
//go:generate stringer -output alu_string.go -type=Source,Endianness,ALUOp
// Source of ALU / ALU64 / Branch operations
// msb lsb
// +----+-+---+
// |op |S|cls|
// +----+-+---+
type Source uint8
const sourceMask OpCode = 0x08
// Source bitmask
const (
// InvalidSource is returned by getters when invoked
// on non ALU / branch OpCodes.
InvalidSource Source = 0xff
// ImmSource src is from constant
ImmSource Source = 0x00
// RegSource src is from register
RegSource Source = 0x08
// The Endianness of a byte swap instruction.
type Endianness uint8
const endianMask = sourceMask
// Endian flags
const (
InvalidEndian Endianness = 0xff
// Convert to little endian
LE Endianness = 0x00
// Convert to big endian
BE Endianness = 0x08
// ALUOp are ALU / ALU64 operations
// msb lsb
// +----+-+---+
// |OP |s|cls|
// +----+-+---+
type ALUOp uint8
const aluMask OpCode = 0xf0
const (
// InvalidALUOp is returned by getters when invoked
// on non ALU OpCodes
InvalidALUOp ALUOp = 0xff
// Add - addition
Add ALUOp = 0x00
// Sub - subtraction
Sub ALUOp = 0x10
// Mul - multiplication
Mul ALUOp = 0x20
// Div - division
Div ALUOp = 0x30
// Or - bitwise or
Or ALUOp = 0x40
// And - bitwise and
And ALUOp = 0x50
// LSh - bitwise shift left
LSh ALUOp = 0x60
// RSh - bitwise shift right
RSh ALUOp = 0x70
// Neg - sign/unsign signing bit
Neg ALUOp = 0x80
// Mod - modulo
Mod ALUOp = 0x90
// Xor - bitwise xor
Xor ALUOp = 0xa0
// Mov - move value from one place to another
Mov ALUOp = 0xb0
// ArSh - arithmatic shift
ArSh ALUOp = 0xc0
// Swap - endian conversions
Swap ALUOp = 0xd0
// HostTo converts from host to another endianness.
func HostTo(endian Endianness, dst Register, size Size) Instruction {
var imm int64
switch size {
case Half:
imm = 16
case Word:
imm = 32
case DWord:
imm = 64
return Instruction{OpCode: InvalidOpCode}
return Instruction{
OpCode: OpCode(ALUClass).SetALUOp(Swap).SetSource(Source(endian)),
Dst: dst,
Constant: imm,
// Op returns the OpCode for an ALU operation with a given source.
func (op ALUOp) Op(source Source) OpCode {
return OpCode(ALU64Class).SetALUOp(op).SetSource(source)
// Reg emits `dst (op) src`.
func (op ALUOp) Reg(dst, src Register) Instruction {
return Instruction{
OpCode: op.Op(RegSource),
Dst: dst,
Src: src,
// Imm emits `dst (op) value`.
func (op ALUOp) Imm(dst Register, value int32) Instruction {
return Instruction{
OpCode: op.Op(ImmSource),
Dst: dst,
Constant: int64(value),
// Op32 returns the OpCode for a 32-bit ALU operation with a given source.
func (op ALUOp) Op32(source Source) OpCode {
return OpCode(ALUClass).SetALUOp(op).SetSource(source)
// Reg32 emits `dst (op) src`, zeroing the upper 32 bit of dst.
func (op ALUOp) Reg32(dst, src Register) Instruction {
return Instruction{
OpCode: op.Op32(RegSource),
Dst: dst,
Src: src,
// Imm32 emits `dst (op) value`, zeroing the upper 32 bit of dst.
func (op ALUOp) Imm32(dst Register, value int32) Instruction {
return Instruction{
OpCode: op.Op32(ImmSource),
Dst: dst,
Constant: int64(value),
@ -0,0 +1,2 @@
// Package asm is an assembler for eBPF bytecode.
package asm
@ -0,0 +1,143 @@
package asm
//go:generate stringer -output func_string.go -type=BuiltinFunc
// BuiltinFunc is a built-in eBPF function.
type BuiltinFunc int32
// eBPF built-in functions
// You can renegerate this list using the following gawk script:
// /FN\(.+\),/ {
// match($1, /\((.+)\)/, r)
// split(r[1], p, "_")
// printf "Fn"
// for (i in p) {
// printf "%s%s", toupper(substr(p[i], 1, 1)), substr(p[i], 2)
// }
// print ""
// }
// The script expects include/uapi/linux/bpf.h as it's input.
const (
FnUnspec BuiltinFunc = iota
// Call emits a function call.
func (fn BuiltinFunc) Call() Instruction {
return Instruction{
OpCode: OpCode(JumpClass).SetJumpOp(Call),
Constant: int64(fn),
@ -0,0 +1,460 @@
package asm
import (
// InstructionSize is the size of a BPF instruction in bytes
const InstructionSize = 8
// Instruction is a single eBPF instruction.
type Instruction struct {
OpCode OpCode
Dst Register
Src Register
Offset int16
Constant int64
Reference string
Symbol string
// Sym creates a symbol.
func (ins Instruction) Sym(name string) Instruction {
ins.Symbol = name
return ins
// Unmarshal decodes a BPF instruction.
func (ins *Instruction) Unmarshal(r io.Reader, bo binary.ByteOrder) (uint64, error) {
var bi bpfInstruction
err := binary.Read(r, bo, &bi)
if err != nil {
return 0, err
ins.OpCode = bi.OpCode
ins.Dst = bi.Registers.Dst()
ins.Src = bi.Registers.Src()
ins.Offset = bi.Offset
ins.Constant = int64(bi.Constant)
if !bi.OpCode.isDWordLoad() {
return InstructionSize, nil
var bi2 bpfInstruction
if err := binary.Read(r, bo, &bi2); err != nil {
// No Wrap, to avoid io.EOF clash
return 0, xerrors.New("64bit immediate is missing second half")
if bi2.OpCode != 0 || bi2.Offset != 0 || bi2.Registers != 0 {
return 0, xerrors.New("64bit immediate has non-zero fields")
ins.Constant = int64(uint64(uint32(bi2.Constant))<<32 | uint64(uint32(bi.Constant)))
return 2 * InstructionSize, nil
// Marshal encodes a BPF instruction.
func (ins Instruction) Marshal(w io.Writer, bo binary.ByteOrder) (uint64, error) {
if ins.OpCode == InvalidOpCode {
return 0, xerrors.New("invalid opcode")
isDWordLoad := ins.OpCode.isDWordLoad()
cons := int32(ins.Constant)
if isDWordLoad {
// Encode least significant 32bit first for 64bit operations.
cons = int32(uint32(ins.Constant))
bpfi := bpfInstruction{
newBPFRegisters(ins.Dst, ins.Src),
if err := binary.Write(w, bo, &bpfi); err != nil {
return 0, err
if !isDWordLoad {
return InstructionSize, nil
bpfi = bpfInstruction{
Constant: int32(ins.Constant >> 32),
if err := binary.Write(w, bo, &bpfi); err != nil {
return 0, err
return 2 * InstructionSize, nil
// RewriteMapPtr changes an instruction to use a new map fd.
// Returns an error if the instruction doesn't load a map.
func (ins *Instruction) RewriteMapPtr(fd int) error {
if !ins.OpCode.isDWordLoad() {
return xerrors.Errorf("%s is not a 64 bit load", ins.OpCode)
if ins.Src != PseudoMapFD && ins.Src != PseudoMapValue {
return xerrors.New("not a load from a map")
// Preserve the offset value for direct map loads.
offset := uint64(ins.Constant) & (math.MaxUint32 << 32)
rawFd := uint64(uint32(fd))
ins.Constant = int64(offset | rawFd)
return nil
func (ins *Instruction) mapPtr() uint32 {
return uint32(uint64(ins.Constant) & math.MaxUint32)
// RewriteMapOffset changes the offset of a direct load from a map.
// Returns an error if the instruction is not a direct load.
func (ins *Instruction) RewriteMapOffset(offset uint32) error {
if !ins.OpCode.isDWordLoad() {
return xerrors.Errorf("%s is not a 64 bit load", ins.OpCode)
if ins.Src != PseudoMapValue {
return xerrors.New("not a direct load from a map")
fd := uint64(ins.Constant) & math.MaxUint32
ins.Constant = int64(uint64(offset)<<32 | fd)
return nil
func (ins *Instruction) mapOffset() uint32 {
return uint32(uint64(ins.Constant) >> 32)
func (ins *Instruction) isLoadFromMap() bool {
return ins.OpCode == LoadImmOp(DWord) && (ins.Src == PseudoMapFD || ins.Src == PseudoMapValue)
// Format implements fmt.Formatter.
func (ins Instruction) Format(f fmt.State, c rune) {
if c != 'v' {
fmt.Fprintf(f, "{UNRECOGNIZED: %c}", c)
op := ins.OpCode
if op == InvalidOpCode {
fmt.Fprint(f, "INVALID")
// Omit trailing space for Exit
if op.JumpOp() == Exit {
fmt.Fprint(f, op)
if ins.isLoadFromMap() {
fd := int32(ins.mapPtr())
switch ins.Src {
case PseudoMapFD:
fmt.Fprintf(f, "LoadMapPtr dst: %s fd: %d", ins.Dst, fd)
case PseudoMapValue:
fmt.Fprintf(f, "LoadMapValue dst: %s, fd: %d off: %d", ins.Dst, fd, ins.mapOffset())
goto ref
fmt.Fprintf(f, "%v ", op)
switch cls := op.Class(); cls {
case LdClass, LdXClass, StClass, StXClass:
switch op.Mode() {
case ImmMode:
fmt.Fprintf(f, "dst: %s imm: %d", ins.Dst, ins.Constant)
case AbsMode:
fmt.Fprintf(f, "imm: %d", ins.Constant)
case IndMode:
fmt.Fprintf(f, "dst: %s src: %s imm: %d", ins.Dst, ins.Src, ins.Constant)
case MemMode:
fmt.Fprintf(f, "dst: %s src: %s off: %d imm: %d", ins.Dst, ins.Src, ins.Offset, ins.Constant)
case XAddMode:
fmt.Fprintf(f, "dst: %s src: %s", ins.Dst, ins.Src)
case ALU64Class, ALUClass:
fmt.Fprintf(f, "dst: %s ", ins.Dst)
if op.ALUOp() == Swap || op.Source() == ImmSource {
fmt.Fprintf(f, "imm: %d", ins.Constant)
} else {
fmt.Fprintf(f, "src: %s", ins.Src)
case JumpClass:
switch jop := op.JumpOp(); jop {
case Call:
if ins.Src == PseudoCall {
// bpf-to-bpf call
fmt.Fprint(f, ins.Constant)
} else {
fmt.Fprint(f, BuiltinFunc(ins.Constant))
fmt.Fprintf(f, "dst: %s off: %d ", ins.Dst, ins.Offset)
if op.Source() == ImmSource {
fmt.Fprintf(f, "imm: %d", ins.Constant)
} else {
fmt.Fprintf(f, "src: %s", ins.Src)
if ins.Reference != "" {
fmt.Fprintf(f, " <%s>", ins.Reference)
// Instructions is an eBPF program.
type Instructions []Instruction
func (insns Instructions) String() string {
return fmt.Sprint(insns)
// RewriteMapPtr rewrites all loads of a specific map pointer to a new fd.
// Returns an error if the symbol isn't used, see IsUnreferencedSymbol.
func (insns Instructions) RewriteMapPtr(symbol string, fd int) error {
if symbol == "" {
return xerrors.New("empty symbol")
found := false
for i := range insns {
ins := &insns[i]
if ins.Reference != symbol {
if err := ins.RewriteMapPtr(fd); err != nil {
return err
found = true
if !found {
return &unreferencedSymbolError{symbol}
return nil
// SymbolOffsets returns the set of symbols and their offset in
// the instructions.
func (insns Instructions) SymbolOffsets() (map[string]int, error) {
offsets := make(map[string]int)
for i, ins := range insns {
if ins.Symbol == "" {
if _, ok := offsets[ins.Symbol]; ok {
return nil, xerrors.Errorf("duplicate symbol %s", ins.Symbol)
offsets[ins.Symbol] = i
return offsets, nil
// ReferenceOffsets returns the set of references and their offset in
// the instructions.
func (insns Instructions) ReferenceOffsets() map[string][]int {
offsets := make(map[string][]int)
for i, ins := range insns {
if ins.Reference == "" {
offsets[ins.Reference] = append(offsets[ins.Reference], i)
return offsets
func (insns Instructions) marshalledOffsets() (map[string]int, error) {
symbols := make(map[string]int)
marshalledPos := 0
for _, ins := range insns {
currentPos := marshalledPos
marshalledPos += ins.OpCode.marshalledInstructions()
if ins.Symbol == "" {
if _, ok := symbols[ins.Symbol]; ok {
return nil, xerrors.Errorf("duplicate symbol %s", ins.Symbol)
symbols[ins.Symbol] = currentPos
return symbols, nil
// Format implements fmt.Formatter.
// You can control indentation of symbols by
// specifying a width. Setting a precision controls the indentation of
// instructions.
// The default character is a tab, which can be overriden by specifying
// the ' ' space flag.
func (insns Instructions) Format(f fmt.State, c rune) {
if c != 's' && c != 'v' {
fmt.Fprintf(f, "{UNKNOWN FORMAT '%c'}", c)
// Precision is better in this case, because it allows
// specifying 0 padding easily.
padding, ok := f.Precision()
if !ok {
padding = 1
indent := strings.Repeat("\t", padding)
if f.Flag(' ') {
indent = strings.Repeat(" ", padding)
symPadding, ok := f.Width()
if !ok {
symPadding = padding - 1
if symPadding < 0 {
symPadding = 0
symIndent := strings.Repeat("\t", symPadding)
if f.Flag(' ') {
symIndent = strings.Repeat(" ", symPadding)
// Figure out how many digits we need to represent the highest
// offset.
highestOffset := 0
for _, ins := range insns {
highestOffset += ins.OpCode.marshalledInstructions()
offsetWidth := int(math.Ceil(math.Log10(float64(highestOffset))))
offset := 0
for _, ins := range insns {
if ins.Symbol != "" {
fmt.Fprintf(f, "%s%s:\n", symIndent, ins.Symbol)
fmt.Fprintf(f, "%s%*d: %v\n", indent, offsetWidth, offset, ins)
offset += ins.OpCode.marshalledInstructions()
// Marshal encodes a BPF program into the kernel format.
func (insns Instructions) Marshal(w io.Writer, bo binary.ByteOrder) error {
absoluteOffsets, err := insns.marshalledOffsets()
if err != nil {
return err
num := 0
for i, ins := range insns {
switch {
case ins.OpCode.JumpOp() == Call && ins.Src == PseudoCall && ins.Constant == -1:
// Rewrite bpf to bpf call
offset, ok := absoluteOffsets[ins.Reference]
if !ok {
return xerrors.Errorf("instruction %d: reference to missing symbol %s", i, ins.Reference)
ins.Constant = int64(offset - num - 1)
case ins.OpCode.Class() == JumpClass && ins.Offset == -1:
// Rewrite jump to label
offset, ok := absoluteOffsets[ins.Reference]
if !ok {
return xerrors.Errorf("instruction %d: reference to missing symbol %s", i, ins.Reference)
ins.Offset = int16(offset - num - 1)
n, err := ins.Marshal(w, bo)
if err != nil {
return xerrors.Errorf("instruction %d: %w", i, err)
num += int(n / InstructionSize)
return nil
type bpfInstruction struct {
OpCode OpCode
Registers bpfRegisters
Offset int16
Constant int32
type bpfRegisters uint8
func newBPFRegisters(dst, src Register) bpfRegisters {
return bpfRegisters((src << 4) | (dst & 0xF))
func (r bpfRegisters) Dst() Register {
return Register(r & 0xF)
func (r bpfRegisters) Src() Register {
return Register(r >> 4)
type unreferencedSymbolError struct {
symbol string
func (use *unreferencedSymbolError) Error() string {
return fmt.Sprintf("unreferenced symbol %s", use.symbol)
// IsUnreferencedSymbol returns true if err was caused by
// an unreferenced symbol.
func IsUnreferencedSymbol(err error) bool {
_, ok := err.(*unreferencedSymbolError)
return ok
@ -0,0 +1,109 @@
package asm
//go:generate stringer -output jump_string.go -type=JumpOp
// JumpOp affect control flow.
// msb lsb
// +----+-+---+
// |OP |s|cls|
// +----+-+---+
type JumpOp uint8
const jumpMask OpCode = aluMask
const (
// InvalidJumpOp is returned by getters when invoked
// on non branch OpCodes
InvalidJumpOp JumpOp = 0xff
// Ja jumps by offset unconditionally
Ja JumpOp = 0x00
// JEq jumps by offset if r == imm
JEq JumpOp = 0x10
// JGT jumps by offset if r > imm
JGT JumpOp = 0x20
// JGE jumps by offset if r >= imm
JGE JumpOp = 0x30
// JSet jumps by offset if r & imm
JSet JumpOp = 0x40
// JNE jumps by offset if r != imm
JNE JumpOp = 0x50
// JSGT jumps by offset if signed r > signed imm
JSGT JumpOp = 0x60
// JSGE jumps by offset if signed r >= signed imm
JSGE JumpOp = 0x70
// Call builtin or user defined function from imm
Call JumpOp = 0x80
// Exit ends execution, with value in r0
Exit JumpOp = 0x90
// JLT jumps by offset if r < imm
JLT JumpOp = 0xa0
// JLE jumps by offset if r <= imm
JLE JumpOp = 0xb0
// JSLT jumps by offset if signed r < signed imm
JSLT JumpOp = 0xc0
// JSLE jumps by offset if signed r <= signed imm
JSLE JumpOp = 0xd0
// Return emits an exit instruction.
// Requires a return value in R0.
func Return() Instruction {
return Instruction{
OpCode: OpCode(JumpClass).SetJumpOp(Exit),
// Op returns the OpCode for a given jump source.
func (op JumpOp) Op(source Source) OpCode {
return OpCode(JumpClass).SetJumpOp(op).SetSource(source)
// Imm compares dst to value, and adjusts PC by offset if the condition is fulfilled.
func (op JumpOp) Imm(dst Register, value int32, label string) Instruction {
if op == Exit || op == Call || op == Ja {
return Instruction{OpCode: InvalidOpCode}
return Instruction{
OpCode: OpCode(JumpClass).SetJumpOp(op).SetSource(ImmSource),
Dst: dst,
Offset: -1,
Constant: int64(value),
Reference: label,
// Reg compares dst to src, and adjusts PC by offset if the condition is fulfilled.
func (op JumpOp) Reg(dst, src Register, label string) Instruction {
if op == Exit || op == Call || op == Ja {
return Instruction{OpCode: InvalidOpCode}
return Instruction{
OpCode: OpCode(JumpClass).SetJumpOp(op).SetSource(RegSource),
Dst: dst,
Src: src,
Offset: -1,
Reference: label,
// Label adjusts PC to the address of the label.
func (op JumpOp) Label(label string) Instruction {
if op == Call {
return Instruction{
OpCode: OpCode(JumpClass).SetJumpOp(Call),
Src: PseudoCall,
Constant: -1,
Reference: label,
return Instruction{
OpCode: OpCode(JumpClass).SetJumpOp(op),
Offset: -1,
Reference: label,
@ -0,0 +1,204 @@
package asm
//go:generate stringer -output load_store_string.go -type=Mode,Size
// Mode for load and store operations
// msb lsb
// +---+--+---+
// |MDE|sz|cls|
// +---+--+---+
type Mode uint8
const modeMask OpCode = 0xe0
const (
// InvalidMode is returned by getters when invoked
// on non load / store OpCodes
InvalidMode Mode = 0xff
// ImmMode - immediate value
ImmMode Mode = 0x00
// AbsMode - immediate value + offset
AbsMode Mode = 0x20
// IndMode - indirect (imm+src)
IndMode Mode = 0x40
// MemMode - load from memory
MemMode Mode = 0x60
// XAddMode - add atomically across processors.
XAddMode Mode = 0xc0
// Size of load and store operations
// msb lsb
// +---+--+---+
// |mde|SZ|cls|
// +---+--+---+
type Size uint8
const sizeMask OpCode = 0x18
const (
// InvalidSize is returned by getters when invoked
// on non load / store OpCodes
InvalidSize Size = 0xff
// DWord - double word; 64 bits
DWord Size = 0x18
// Word - word; 32 bits
Word Size = 0x00
// Half - half-word; 16 bits
Half Size = 0x08
// Byte - byte; 8 bits
Byte Size = 0x10
// Sizeof returns the size in bytes.
func (s Size) Sizeof() int {
switch s {
case DWord:
return 8
case Word:
return 4
case Half:
return 2
case Byte:
return 1
return -1
// LoadMemOp returns the OpCode to load a value of given size from memory.
func LoadMemOp(size Size) OpCode {
return OpCode(LdXClass).SetMode(MemMode).SetSize(size)
// LoadMem emits `dst = *(size *)(src + offset)`.
func LoadMem(dst, src Register, offset int16, size Size) Instruction {
return Instruction{
OpCode: LoadMemOp(size),
Dst: dst,
Src: src,
Offset: offset,
// LoadImmOp returns the OpCode to load an immediate of given size.
// As of kernel 4.20, only DWord size is accepted.
func LoadImmOp(size Size) OpCode {
return OpCode(LdClass).SetMode(ImmMode).SetSize(size)
// LoadImm emits `dst = (size)value`.
// As of kernel 4.20, only DWord size is accepted.
func LoadImm(dst Register, value int64, size Size) Instruction {
return Instruction{
OpCode: LoadImmOp(size),
Dst: dst,
Constant: value,
// LoadMapPtr stores a pointer to a map in dst.
func LoadMapPtr(dst Register, fd int) Instruction {
if fd < 0 {
return Instruction{OpCode: InvalidOpCode}
return Instruction{
OpCode: LoadImmOp(DWord),
Dst: dst,
Src: PseudoMapFD,
Constant: int64(fd),
// LoadMapValue stores a pointer to the value at a certain offset of a map.
func LoadMapValue(dst Register, fd int, offset uint32) Instruction {
if fd < 0 {
return Instruction{OpCode: InvalidOpCode}
fdAndOffset := (uint64(offset) << 32) | uint64(uint32(fd))
return Instruction{
OpCode: LoadImmOp(DWord),
Dst: dst,
Src: PseudoMapValue,
Constant: int64(fdAndOffset),
// LoadIndOp returns the OpCode for loading a value of given size from an sk_buff.
func LoadIndOp(size Size) OpCode {
return OpCode(LdClass).SetMode(IndMode).SetSize(size)
// LoadInd emits `dst = ntoh(*(size *)(((sk_buff *)R6)->data + src + offset))`.
func LoadInd(dst, src Register, offset int32, size Size) Instruction {
return Instruction{
OpCode: LoadIndOp(size),
Dst: dst,
Src: src,
Constant: int64(offset),
// LoadAbsOp returns the OpCode for loading a value of given size from an sk_buff.
func LoadAbsOp(size Size) OpCode {
return OpCode(LdClass).SetMode(AbsMode).SetSize(size)
// LoadAbs emits `r0 = ntoh(*(size *)(((sk_buff *)R6)->data + offset))`.
func LoadAbs(offset int32, size Size) Instruction {
return Instruction{
OpCode: LoadAbsOp(size),
Dst: R0,
Constant: int64(offset),
// StoreMemOp returns the OpCode for storing a register of given size in memory.
func StoreMemOp(size Size) OpCode {
return OpCode(StXClass).SetMode(MemMode).SetSize(size)
// StoreMem emits `*(size *)(dst + offset) = src`
func StoreMem(dst Register, offset int16, src Register, size Size) Instruction {
return Instruction{
OpCode: StoreMemOp(size),
Dst: dst,
Src: src,
Offset: offset,
// StoreImmOp returns the OpCode for storing an immediate of given size in memory.
func StoreImmOp(size Size) OpCode {
return OpCode(StClass).SetMode(MemMode).SetSize(size)
// StoreImm emits `*(size *)(dst + offset) = value`.
func StoreImm(dst Register, offset int16, value int64, size Size) Instruction {
return Instruction{
OpCode: StoreImmOp(size),
Dst: dst,
Offset: offset,
Constant: value,
// StoreXAddOp returns the OpCode to atomically add a register to a value in memory.
func StoreXAddOp(size Size) OpCode {
return OpCode(StXClass).SetMode(XAddMode).SetSize(size)
// StoreXAdd atomically adds src to *dst.
func StoreXAdd(dst, src Register, size Size) Instruction {
return Instruction{
OpCode: StoreXAddOp(size),
Dst: dst,
Src: src,
@ -0,0 +1,237 @@
package asm
import (
//go:generate stringer -output opcode_string.go -type=Class
type encoding int
const (
unknownEncoding encoding = iota
// Class of operations
// msb lsb
// +---+--+---+
// | ?? |CLS|
// +---+--+---+
type Class uint8
const classMask OpCode = 0x07
const (
// LdClass load memory
LdClass Class = 0x00
// LdXClass load memory from constant
LdXClass Class = 0x01
// StClass load register from memory
StClass Class = 0x02
// StXClass load register from constant
StXClass Class = 0x03
// ALUClass arithmetic operators
ALUClass Class = 0x04
// JumpClass jump operators
JumpClass Class = 0x05
// ALU64Class arithmetic in 64 bit mode
ALU64Class Class = 0x07
func (cls Class) encoding() encoding {
switch cls {
case LdClass, LdXClass, StClass, StXClass:
return loadOrStore
case ALU64Class, ALUClass, JumpClass:
return jumpOrALU
return unknownEncoding
// OpCode is a packed eBPF opcode.
// Its encoding is defined by a Class value:
// msb lsb
// +----+-+---+
// | ???? |CLS|
// +----+-+---+
type OpCode uint8
// InvalidOpCode is returned by setters on OpCode
const InvalidOpCode OpCode = 0xff
// marshalledInstructions returns the number of BPF instructions required
// to encode this opcode.
func (op OpCode) marshalledInstructions() int {
if op == LoadImmOp(DWord) {
return 2
return 1
func (op OpCode) isDWordLoad() bool {
return op == LoadImmOp(DWord)
// Class returns the class of operation.
func (op OpCode) Class() Class {
return Class(op & classMask)
// Mode returns the mode for load and store operations.
func (op OpCode) Mode() Mode {
if op.Class().encoding() != loadOrStore {
return InvalidMode
return Mode(op & modeMask)
// Size returns the size for load and store operations.
func (op OpCode) Size() Size {
if op.Class().encoding() != loadOrStore {
return InvalidSize
return Size(op & sizeMask)
// Source returns the source for branch and ALU operations.
func (op OpCode) Source() Source {
if op.Class().encoding() != jumpOrALU || op.ALUOp() == Swap {
return InvalidSource
return Source(op & sourceMask)
// ALUOp returns the ALUOp.
func (op OpCode) ALUOp() ALUOp {
if op.Class().encoding() != jumpOrALU {
return InvalidALUOp
return ALUOp(op & aluMask)
// Endianness returns the Endianness for a byte swap instruction.
func (op OpCode) Endianness() Endianness {
if op.ALUOp() != Swap {
return InvalidEndian
return Endianness(op & endianMask)
// JumpOp returns the JumpOp.
func (op OpCode) JumpOp() JumpOp {
if op.Class().encoding() != jumpOrALU {
return InvalidJumpOp
return JumpOp(op & jumpMask)
// SetMode sets the mode on load and store operations.
// Returns InvalidOpCode if op is of the wrong class.
func (op OpCode) SetMode(mode Mode) OpCode {
if op.Class().encoding() != loadOrStore || !valid(OpCode(mode), modeMask) {
return InvalidOpCode
return (op & ^modeMask) | OpCode(mode)
// SetSize sets the size on load and store operations.
// Returns InvalidOpCode if op is of the wrong class.
func (op OpCode) SetSize(size Size) OpCode {
if op.Class().encoding() != loadOrStore || !valid(OpCode(size), sizeMask) {
return InvalidOpCode
return (op & ^sizeMask) | OpCode(size)
// SetSource sets the source on jump and ALU operations.
// Returns InvalidOpCode if op is of the wrong class.
func (op OpCode) SetSource(source Source) OpCode {
if op.Class().encoding() != jumpOrALU || !valid(OpCode(source), sourceMask) {
return InvalidOpCode
return (op & ^sourceMask) | OpCode(source)
// SetALUOp sets the ALUOp on ALU operations.
// Returns InvalidOpCode if op is of the wrong class.
func (op OpCode) SetALUOp(alu ALUOp) OpCode {
class := op.Class()
if (class != ALUClass && class != ALU64Class) || !valid(OpCode(alu), aluMask) {
return InvalidOpCode
return (op & ^aluMask) | OpCode(alu)
// SetJumpOp sets the JumpOp on jump operations.
// Returns InvalidOpCode if op is of the wrong class.
func (op OpCode) SetJumpOp(jump JumpOp) OpCode {
if op.Class() != JumpClass || !valid(OpCode(jump), jumpMask) {
return InvalidOpCode
return (op & ^jumpMask) | OpCode(jump)
func (op OpCode) String() string {
var f strings.Builder
switch class := op.Class(); class {
case LdClass, LdXClass, StClass, StXClass:
f.WriteString(strings.TrimSuffix(class.String(), "Class"))
mode := op.Mode()
f.WriteString(strings.TrimSuffix(mode.String(), "Mode"))
switch op.Size() {
case DWord:
case Word:
case Half:
case Byte:
case ALU64Class, ALUClass:
if op.ALUOp() == Swap {
// Width for Endian is controlled by Constant
} else {
if class == ALUClass {
f.WriteString(strings.TrimSuffix(op.Source().String(), "Source"))
case JumpClass:
if jop := op.JumpOp(); jop != Exit && jop != Call {
f.WriteString(strings.TrimSuffix(op.Source().String(), "Source"))
fmt.Fprintf(&f, "%#x", op)
return f.String()
// valid returns true if all bits in value are covered by mask.
func valid(value, mask OpCode) bool {
return value & ^mask == 0
@ -0,0 +1,49 @@
package asm
import (
// Register is the source or destination of most operations.
type Register uint8
// R0 contains return values.
const R0 Register = 0
// Registers for function arguments.
const (
R1 Register = R0 + 1 + iota
// Callee saved registers preserved by function calls.
const (
R6 Register = R5 + 1 + iota
// Read-only frame pointer to access stack.
const (
R10 Register = R9 + 1
RFP = R10
// Pseudo registers used by 64bit loads and jumps
const (
PseudoMapValue = R2 // BPF_PSEUDO_MAP_VALUE
PseudoCall = R1 // BPF_PSEUDO_CALL
func (r Register) String() string {
v := uint8(r)
if v == 10 {
return "rfp"
return fmt.Sprintf("r%d", v)
@ -0,0 +1,293 @@
package ebpf
import (
// CollectionOptions control loading a collection into the kernel.
type CollectionOptions struct {
Programs ProgramOptions
// CollectionSpec describes a collection.
type CollectionSpec struct {
Maps map[string]*MapSpec
Programs map[string]*ProgramSpec
// Copy returns a recursive copy of the spec.
func (cs *CollectionSpec) Copy() *CollectionSpec {
if cs == nil {
return nil
cpy := CollectionSpec{
Maps: make(map[string]*MapSpec, len(cs.Maps)),
Programs: make(map[string]*ProgramSpec, len(cs.Programs)),
for name, spec := range cs.Maps {
cpy.Maps[name] = spec.Copy()
for name, spec := range cs.Programs {
cpy.Programs[name] = spec.Copy()
return &cpy
// RewriteMaps replaces all references to specific maps.
// Use this function to use pre-existing maps instead of creating new ones
// when calling NewCollection. Any named maps are removed from CollectionSpec.Maps.
// Returns an error if a named map isn't used in at least one program.
func (cs *CollectionSpec) RewriteMaps(maps map[string]*Map) error {
for symbol, m := range maps {
// have we seen a program that uses this symbol / map
seen := false
fd := m.FD()
for progName, progSpec := range cs.Programs {
err := progSpec.Instructions.RewriteMapPtr(symbol, fd)
switch {
case err == nil:
seen = true
case asm.IsUnreferencedSymbol(err):
// Not all programs need to use the map
return xerrors.Errorf("program %s: %w", progName, err)
if !seen {
return xerrors.Errorf("map %s not referenced by any programs", symbol)
// Prevent NewCollection from creating rewritten maps
delete(cs.Maps, symbol)
return nil
// RewriteConstants replaces the value of multiple constants.
// The constant must be defined like so in the C program:
// static volatile const type foobar;
// static volatile const type foobar = default;
// Replacement values must be of the same length as the C sizeof(type).
// If necessary, they are marshalled according to the same rules as
// map values.
// From Linux 5.5 the verifier will use constants to eliminate dead code.
// Returns an error if a constant doesn't exist.
func (cs *CollectionSpec) RewriteConstants(consts map[string]interface{}) error {
rodata := cs.Maps[".rodata"]
if rodata == nil {
return xerrors.New("missing .rodata section")
if rodata.BTF == nil {
return xerrors.New(".rodata section has no BTF")
if n := len(rodata.Contents); n != 1 {
return xerrors.Errorf("expected one key in .rodata, found %d", n)
kv := rodata.Contents[0]
value, ok := kv.Value.([]byte)
if !ok {
return xerrors.Errorf("first value in .rodata is %T not []byte", kv.Value)
buf := make([]byte, len(value))
copy(buf, value)
err := patchValue(buf, btf.MapValue(rodata.BTF), consts)
if err != nil {
return err
rodata.Contents[0] = MapKV{kv.Key, buf}
return nil
// Collection is a collection of Programs and Maps associated
// with their symbols
type Collection struct {
Programs map[string]*Program
Maps map[string]*Map
// NewCollection creates a Collection from a specification.
// Only maps referenced by at least one of the programs are initialized.
func NewCollection(spec *CollectionSpec) (*Collection, error) {
return NewCollectionWithOptions(spec, CollectionOptions{})
// NewCollectionWithOptions creates a Collection from a specification.
// Only maps referenced by at least one of the programs are initialized.
func NewCollectionWithOptions(spec *CollectionSpec, opts CollectionOptions) (coll *Collection, err error) {
var (
maps = make(map[string]*Map)
progs = make(map[string]*Program)
btfs = make(map[*btf.Spec]*btf.Handle)
defer func() {
for _, btf := range btfs {
if err == nil {
for _, m := range maps {
for _, p := range progs {
loadBTF := func(spec *btf.Spec) (*btf.Handle, error) {
if btfs[spec] != nil {
return btfs[spec], nil
handle, err := btf.NewHandle(spec)
if err != nil {
return nil, err
btfs[spec] = handle
return handle, nil
for mapName, mapSpec := range spec.Maps {
var handle *btf.Handle
if mapSpec.BTF != nil {
handle, err = loadBTF(btf.MapSpec(mapSpec.BTF))
if err != nil && !xerrors.Is(err, btf.ErrNotSupported) {
return nil, err
m, err := newMapWithBTF(mapSpec, handle)
if err != nil {
return nil, xerrors.Errorf("map %s: %w", mapName, err)
maps[mapName] = m
for progName, origProgSpec := range spec.Programs {
progSpec := origProgSpec.Copy()
// Rewrite any reference to a valid map.
for i := range progSpec.Instructions {
ins := &progSpec.Instructions[i]
if ins.OpCode != asm.LoadImmOp(asm.DWord) || ins.Reference == "" {
if uint32(ins.Constant) != math.MaxUint32 {
// Don't overwrite maps already rewritten, users can
// rewrite programs in the spec themselves
m := maps[ins.Reference]
if m == nil {
return nil, xerrors.Errorf("program %s: missing map %s", progName, ins.Reference)
fd := m.FD()
if fd < 0 {
return nil, xerrors.Errorf("map %s: %w", ins.Reference, internal.ErrClosedFd)
if err := ins.RewriteMapPtr(m.FD()); err != nil {
return nil, xerrors.Errorf("progam %s: map %s: %w", progName, ins.Reference, err)
var handle *btf.Handle
if progSpec.BTF != nil {
handle, err = loadBTF(btf.ProgramSpec(progSpec.BTF))
if err != nil && !xerrors.Is(err, btf.ErrNotSupported) {
return nil, err
prog, err := newProgramWithBTF(progSpec, handle, opts.Programs)
if err != nil {
return nil, xerrors.Errorf("program %s: %w", progName, err)
progs[progName] = prog
return &Collection{
}, nil
// LoadCollection parses an object file and converts it to a collection.
func LoadCollection(file string) (*Collection, error) {
spec, err := LoadCollectionSpec(file)
if err != nil {
return nil, err
return NewCollection(spec)
// Close frees all maps and programs associated with the collection.
// The collection mustn't be used afterwards.
func (coll *Collection) Close() {
for _, prog := range coll.Programs {
for _, m := range coll.Maps {
// DetachMap removes the named map from the Collection.
// This means that a later call to Close() will not affect this map.
// Returns nil if no map of that name exists.
func (coll *Collection) DetachMap(name string) *Map {
m := coll.Maps[name]
delete(coll.Maps, name)
return m
// DetachProgram removes the named program from the Collection.
// This means that a later call to Close() will not affect this program.
// Returns nil if no program of that name exists.
func (coll *Collection) DetachProgram(name string) *Program {
p := coll.Programs[name]
delete(coll.Programs, name)
return p
@ -0,0 +1,17 @@
// Package ebpf is a toolkit for working with eBPF programs.
// eBPF programs are small snippets of code which are executed directly
// in a VM in the Linux kernel, which makes them very fast and flexible.
// Many Linux subsystems now accept eBPF programs. This makes it possible
// to implement highly application specific logic inside the kernel,
// without having to modify the actual kernel itself.
// This package is designed for long-running processes which
// want to use eBPF to implement part of their application logic. It has no
// run-time dependencies outside of the library and the Linux kernel itself.
// eBPF code should be compiled ahead of time using clang, and shipped with
// your application as any other resource.
// This package doesn't include code required to attach eBPF to Linux
// subsystems, since this varies per subsystem.
package ebpf
@ -0,0 +1,709 @@
package ebpf
import (
type elfCode struct {
symbols []elf.Symbol
symbolsPerSection map[elf.SectionIndex]map[uint64]elf.Symbol
license string
version uint32
// LoadCollectionSpec parses an ELF file into a CollectionSpec.
func LoadCollectionSpec(file string) (*CollectionSpec, error) {
f, err := os.Open(file)
if err != nil {
return nil, err
defer f.Close()
spec, err := LoadCollectionSpecFromReader(f)
if err != nil {
return nil, xerrors.Errorf("file %s: %w", file, err)
return spec, nil
// LoadCollectionSpecFromReader parses an ELF file into a CollectionSpec.
func LoadCollectionSpecFromReader(rd io.ReaderAt) (*CollectionSpec, error) {
f, err := elf.NewFile(rd)
if err != nil {
return nil, err
defer f.Close()
symbols, err := f.Symbols()
if err != nil {
return nil, xerrors.Errorf("load symbols: %v", err)
ec := &elfCode{f, symbols, symbolsPerSection(symbols), "", 0}
var (
licenseSection *elf.Section
versionSection *elf.Section
btfMaps = make(map[elf.SectionIndex]*elf.Section)
progSections = make(map[elf.SectionIndex]*elf.Section)
relSections = make(map[elf.SectionIndex]*elf.Section)
mapSections = make(map[elf.SectionIndex]*elf.Section)
dataSections = make(map[elf.SectionIndex]*elf.Section)
for i, sec := range ec.Sections {
switch {
case strings.HasPrefix(sec.Name, "license"):
licenseSection = sec
case strings.HasPrefix(sec.Name, "version"):
versionSection = sec
case strings.HasPrefix(sec.Name, "maps"):
mapSections[elf.SectionIndex(i)] = sec
case sec.Name == ".maps":
btfMaps[elf.SectionIndex(i)] = sec
case sec.Name == ".bss" || sec.Name == ".rodata" || sec.Name == ".data":
dataSections[elf.SectionIndex(i)] = sec
case sec.Type == elf.SHT_REL:
if int(sec.Info) >= len(ec.Sections) {
return nil, xerrors.Errorf("found relocation section %v for missing section %v", i, sec.Info)
// Store relocations under the section index of the target
idx := elf.SectionIndex(sec.Info)
if relSections[idx] != nil {
return nil, xerrors.Errorf("section %d has multiple relocation sections", sec.Info)
relSections[idx] = sec
case sec.Type == elf.SHT_PROGBITS && (sec.Flags&elf.SHF_EXECINSTR) != 0 && sec.Size > 0:
progSections[elf.SectionIndex(i)] = sec
ec.license, err = loadLicense(licenseSection)
if err != nil {
return nil, xerrors.Errorf("load license: %w", err)
ec.version, err = loadVersion(versionSection, ec.ByteOrder)
if err != nil {
return nil, xerrors.Errorf("load version: %w", err)
btfSpec, err := btf.LoadSpecFromReader(rd)
if err != nil {
return nil, xerrors.Errorf("load BTF: %w", err)
maps := make(map[string]*MapSpec)
if err := ec.loadMaps(maps, mapSections); err != nil {
return nil, xerrors.Errorf("load maps: %w", err)
if len(btfMaps) > 0 {
if err := ec.loadBTFMaps(maps, btfMaps, btfSpec); err != nil {
return nil, xerrors.Errorf("load BTF maps: %w", err)
if len(dataSections) > 0 {
if err := ec.loadDataSections(maps, dataSections, btfSpec); err != nil {
return nil, xerrors.Errorf("load data sections: %w", err)
relocations, err := ec.loadRelocations(relSections)
if err != nil {
return nil, xerrors.Errorf("load relocations: %w", err)
progs, err := ec.loadPrograms(progSections, relocations, btfSpec)
if err != nil {
return nil, xerrors.Errorf("load programs: %w", err)
return &CollectionSpec{maps, progs}, nil
func loadLicense(sec *elf.Section) (string, error) {
if sec == nil {
return "", xerrors.New("missing license section")
data, err := sec.Data()
if err != nil {
return "", xerrors.Errorf("section %s: %v", sec.Name, err)
return string(bytes.TrimRight(data, "\000")), nil
func loadVersion(sec *elf.Section, bo binary.ByteOrder) (uint32, error) {
if sec == nil {
return 0, nil
var version uint32
if err := binary.Read(sec.Open(), bo, &version); err != nil {
return 0, xerrors.Errorf("section %s: %v", sec.Name, err)
return version, nil
func (ec *elfCode) loadPrograms(progSections map[elf.SectionIndex]*elf.Section, relocations map[elf.SectionIndex]map[uint64]elf.Symbol, btf *btf.Spec) (map[string]*ProgramSpec, error) {
var (
progs []*ProgramSpec
libs []*ProgramSpec
for idx, sec := range progSections {
syms := ec.symbolsPerSection[idx]
if len(syms) == 0 {
return nil, xerrors.Errorf("section %v: missing symbols", sec.Name)
funcSym, ok := syms[0]
if !ok {
return nil, xerrors.Errorf("section %v: no label at start", sec.Name)
insns, length, err := ec.loadInstructions(sec, syms, relocations[idx])
if err != nil {
return nil, xerrors.Errorf("program %s: can't unmarshal instructions: %w", funcSym.Name, err)
progType, attachType := getProgType(sec.Name)
spec := &ProgramSpec{
Name: funcSym.Name,
Type: progType,
AttachType: attachType,
License: ec.license,
KernelVersion: ec.version,
Instructions: insns,
if btf != nil {
spec.BTF, err = btf.Program(sec.Name, length)
if err != nil {
return nil, xerrors.Errorf("BTF for section %s (program %s): %w", sec.Name, funcSym.Name, err)
if spec.Type == UnspecifiedProgram {
// There is no single name we can use for "library" sections,
// since they may contain multiple functions. We'll decode the
// labels they contain later on, and then link sections that way.
libs = append(libs, spec)
} else {
progs = append(progs, spec)
res := make(map[string]*ProgramSpec, len(progs))
for _, prog := range progs {
err := link(prog, libs)
if err != nil {
return nil, xerrors.Errorf("program %s: %w", prog.Name, err)
res[prog.Name] = prog
return res, nil
func (ec *elfCode) loadInstructions(section *elf.Section, symbols, relocations map[uint64]elf.Symbol) (asm.Instructions, uint64, error) {
var (
r = section.Open()
insns asm.Instructions
offset uint64
for {
var ins asm.Instruction
n, err := ins.Unmarshal(r, ec.ByteOrder)
if err == io.EOF {
return insns, offset, nil
if err != nil {
return nil, 0, xerrors.Errorf("offset %d: %w", offset, err)
ins.Symbol = symbols[offset].Name
if rel, ok := relocations[offset]; ok {
if err = ec.relocateInstruction(&ins, rel); err != nil {
return nil, 0, xerrors.Errorf("offset %d: can't relocate instruction: %w", offset, err)
insns = append(insns, ins)
offset += n
func (ec *elfCode) relocateInstruction(ins *asm.Instruction, rel elf.Symbol) error {
var (
typ = elf.ST_TYPE(rel.Info)
bind = elf.ST_BIND(rel.Info)
name = rel.Name
if typ == elf.STT_SECTION {
// Symbols with section type do not have a name set. Get it
// from the section itself.
idx := int(rel.Section)
if idx > len(ec.Sections) {
return xerrors.New("out-of-bounds section index")
name = ec.Sections[idx].Name
switch {
case ins.OpCode == asm.LoadImmOp(asm.DWord):
// There are two distinct types of a load from a map:
// a direct one, where the value is extracted without
// a call to map_lookup_elem in eBPF, and an indirect one
// that goes via the helper. They are distinguished by
// different relocations.
switch typ {
case elf.STT_SECTION:
// This is a direct load since the referenced symbol is a
// section. Weirdly, the offset of the real symbol in the
// section is encoded in the instruction stream.
if bind != elf.STB_LOCAL {
return xerrors.Errorf("direct load: %s: unsupported relocation %s", name, bind)
// For some reason, clang encodes the offset of the symbol its
// section in the first basic BPF instruction, while the kernel
// expects it in the second one.
ins.Constant <<= 32
ins.Src = asm.PseudoMapValue
case elf.STT_NOTYPE:
if bind == elf.STB_GLOBAL && rel.Section == elf.SHN_UNDEF {
// This is a relocation generated by inline assembly.
// We can't do more than assigning ins.Reference.
break outer
// This is an ELF generated on clang < 8, which doesn't tag
// relocations appropriately.
case elf.STT_OBJECT:
if bind != elf.STB_GLOBAL {
return xerrors.Errorf("load: %s: unsupported binding: %s", name, bind)
ins.Src = asm.PseudoMapFD
return xerrors.Errorf("load: %s: unsupported relocation: %s", name, typ)
// Mark the instruction as needing an update when creating the
// collection.
if err := ins.RewriteMapPtr(-1); err != nil {
return err
case ins.OpCode.JumpOp() == asm.Call:
if ins.Src != asm.PseudoCall {
return xerrors.Errorf("call: %s: incorrect source register", name)
switch typ {
case elf.STT_NOTYPE, elf.STT_FUNC:
if bind != elf.STB_GLOBAL {
return xerrors.Errorf("call: %s: unsupported binding: %s", name, bind)
case elf.STT_SECTION:
if bind != elf.STB_LOCAL {
return xerrors.Errorf("call: %s: unsupported binding: %s", name, bind)
// The function we want to call is in the indicated section,
// at the offset encoded in the instruction itself. Reverse
// the calculation to find the real function we're looking for.
// A value of -1 references the first instruction in the section.
offset := int64(int32(ins.Constant)+1) * asm.InstructionSize
if offset < 0 {
return xerrors.Errorf("call: %s: invalid offset %d", name, offset)
sym, ok := ec.symbolsPerSection[rel.Section][uint64(offset)]
if !ok {
return xerrors.Errorf("call: %s: no symbol at offset %d", name, offset)
ins.Constant = -1
name = sym.Name
return xerrors.Errorf("call: %s: invalid symbol type %s", name, typ)
return xerrors.Errorf("relocation for unsupported instruction: %s", ins.OpCode)
ins.Reference = name
return nil
func (ec *elfCode) loadMaps(maps map[string]*MapSpec, mapSections map[elf.SectionIndex]*elf.Section) error {
for idx, sec := range mapSections {
syms := ec.symbolsPerSection[idx]
if len(syms) == 0 {
return xerrors.Errorf("section %v: no symbols", sec.Name)
if sec.Size%uint64(len(syms)) != 0 {
return xerrors.Errorf("section %v: map descriptors are not of equal size", sec.Name)
var (
r = sec.Open()
size = sec.Size / uint64(len(syms))
for i, offset := 0, uint64(0); i < len(syms); i, offset = i+1, offset+size {
mapSym, ok := syms[offset]
if !ok {
return xerrors.Errorf("section %s: missing symbol for map at offset %d", sec.Name, offset)
if maps[mapSym.Name] != nil {
return xerrors.Errorf("section %v: map %v already exists", sec.Name, mapSym)
lr := io.LimitReader(r, int64(size))
spec := MapSpec{
Name: SanitizeName(mapSym.Name, -1),
switch {
case binary.Read(lr, ec.ByteOrder, &spec.Type) != nil:
return xerrors.Errorf("map %v: missing type", mapSym)
case binary.Read(lr, ec.ByteOrder, &spec.KeySize) != nil:
return xerrors.Errorf("map %v: missing key size", mapSym)
case binary.Read(lr, ec.ByteOrder, &spec.ValueSize) != nil:
return xerrors.Errorf("map %v: missing value size", mapSym)
case binary.Read(lr, ec.ByteOrder, &spec.MaxEntries) != nil:
return xerrors.Errorf("map %v: missing max entries", mapSym)
case binary.Read(lr, ec.ByteOrder, &spec.Flags) != nil:
return xerrors.Errorf("map %v: missing flags", mapSym)
if _, err := io.Copy(internal.DiscardZeroes{}, lr); err != nil {
return xerrors.Errorf("map %v: unknown and non-zero fields in definition", mapSym)
maps[mapSym.Name] = &spec
return nil
func (ec *elfCode) loadBTFMaps(maps map[string]*MapSpec, mapSections map[elf.SectionIndex]*elf.Section, spec *btf.Spec) error {
if spec == nil {
return xerrors.Errorf("missing BTF")
for idx, sec := range mapSections {
syms := ec.symbolsPerSection[idx]
if len(syms) == 0 {
return xerrors.Errorf("section %v: no symbols", sec.Name)
for _, sym := range syms {
name := sym.Name
if maps[name] != nil {
return xerrors.Errorf("section %v: map %v already exists", sec.Name, sym)
btfMap, btfMapMembers, err := spec.Map(name)
if err != nil {
return xerrors.Errorf("map %v: can't get BTF: %w", name, err)
spec, err := mapSpecFromBTF(btfMap, btfMapMembers)
if err != nil {
return xerrors.Errorf("map %v: %w", name, err)
maps[name] = spec
return nil
func mapSpecFromBTF(btfMap *btf.Map, btfMapMembers []btf.Member) (*MapSpec, error) {
var (
mapType, flags, maxEntries uint32
err error
for _, member := range btfMapMembers {
switch member.Name {
case "type":
mapType, err = uintFromBTF(member.Type)
if err != nil {
return nil, xerrors.Errorf("can't get type: %w", err)
case "map_flags":
flags, err = uintFromBTF(member.Type)
if err != nil {
return nil, xerrors.Errorf("can't get BTF map flags: %w", err)
case "max_entries":
maxEntries, err = uintFromBTF(member.Type)
if err != nil {
return nil, xerrors.Errorf("can't get BTF map max entries: %w", err)
case "key":
case "value":
return nil, xerrors.Errorf("unrecognized field %s in BTF map definition", member.Name)
keySize, err := btf.Sizeof(btf.MapKey(btfMap))
if err != nil {
return nil, xerrors.Errorf("can't get size of BTF key: %w", err)
valueSize, err := btf.Sizeof(btf.MapValue(btfMap))
if err != nil {
return nil, xerrors.Errorf("can't get size of BTF value: %w", err)
return &MapSpec{
Type: MapType(mapType),
KeySize: uint32(keySize),
ValueSize: uint32(valueSize),
MaxEntries: maxEntries,
Flags: flags,
BTF: btfMap,
}, nil
// uintFromBTF resolves the __uint macro, which is a pointer to a sized
// array, e.g. for int (*foo)[10], this function will return 10.
func uintFromBTF(typ btf.Type) (uint32, error) {
ptr, ok := typ.(*btf.Pointer)
if !ok {
return 0, xerrors.Errorf("not a pointer: %v", typ)
arr, ok := ptr.Target.(*btf.Array)
if !ok {
return 0, xerrors.Errorf("not a pointer to array: %v", typ)
return arr.Nelems, nil
func (ec *elfCode) loadDataSections(maps map[string]*MapSpec, dataSections map[elf.SectionIndex]*elf.Section, spec *btf.Spec) error {
if spec == nil {
return xerrors.New("data sections require BTF")
for _, sec := range dataSections {
btfMap, err := spec.Datasec(sec.Name)
if err != nil {
return err
data, err := sec.Data()
if err != nil {
return xerrors.Errorf("data section %s: can't get contents: %w", sec.Name, err)
if uint64(len(data)) > math.MaxUint32 {
return xerrors.Errorf("data section %s: contents exceed maximum size", sec.Name)
mapSpec := &MapSpec{
Name: SanitizeName(sec.Name, -1),
Type: Array,
KeySize: 4,
ValueSize: uint32(len(data)),
MaxEntries: 1,
Contents: []MapKV{{uint32(0), data}},
BTF: btfMap,
switch sec.Name {
case ".rodata":
mapSpec.Flags = unix.BPF_F_RDONLY_PROG
mapSpec.Freeze = true
case ".bss":
// The kernel already zero-initializes the map
mapSpec.Contents = nil
maps[sec.Name] = mapSpec
return nil
func getProgType(v string) (ProgramType, AttachType) {
types := map[string]ProgramType{
// From https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/lib/bpf/libbpf.c#n3568
"socket": SocketFilter,
"seccomp": SocketFilter,
"kprobe/": Kprobe,
"uprobe/": Kprobe,
"kretprobe/": Kprobe,
"uretprobe/": Kprobe,
"tracepoint/": TracePoint,
"raw_tracepoint/": RawTracepoint,
"xdp": XDP,
"perf_event": PerfEvent,
"lwt_in": LWTIn,
"lwt_out": LWTOut,
"lwt_xmit": LWTXmit,
"lwt_seg6local": LWTSeg6Local,
"sockops": SockOps,
"sk_skb": SkSKB,
"sk_msg": SkMsg,
"lirc_mode2": LircMode2,
"flow_dissector": FlowDissector,
"cgroup_skb/": CGroupSKB,
"cgroup/dev": CGroupDevice,
"cgroup/skb": CGroupSKB,
"cgroup/sock": CGroupSock,
"cgroup/post_bind": CGroupSock,
"cgroup/bind": CGroupSockAddr,
"cgroup/connect": CGroupSockAddr,
"cgroup/sendmsg": CGroupSockAddr,
"cgroup/recvmsg": CGroupSockAddr,
"cgroup/sysctl": CGroupSysctl,
"cgroup/getsockopt": CGroupSockopt,
"cgroup/setsockopt": CGroupSockopt,
"classifier": SchedCLS,
"action": SchedACT,
attachTypes := map[string]AttachType{
"cgroup_skb/ingress": AttachCGroupInetIngress,
"cgroup_skb/egress": AttachCGroupInetEgress,
"cgroup/sock": AttachCGroupInetSockCreate,
"cgroup/post_bind4": AttachCGroupInet4PostBind,
"cgroup/post_bind6": AttachCGroupInet6PostBind,
"cgroup/dev": AttachCGroupDevice,
"sockops": AttachCGroupSockOps,
"sk_skb/stream_parser": AttachSkSKBStreamParser,
"sk_skb/stream_verdict": AttachSkSKBStreamVerdict,
"sk_msg": AttachSkSKBStreamVerdict,
"lirc_mode2": AttachLircMode2,
"flow_dissector": AttachFlowDissector,
"cgroup/bind4": AttachCGroupInet4Bind,
"cgroup/bind6": AttachCGroupInet6Bind,
"cgroup/connect4": AttachCGroupInet4Connect,
"cgroup/connect6": AttachCGroupInet6Connect,
"cgroup/sendmsg4": AttachCGroupUDP4Sendmsg,
"cgroup/sendmsg6": AttachCGroupUDP6Sendmsg,
"cgroup/recvmsg4": AttachCGroupUDP4Recvmsg,
"cgroup/recvmsg6": AttachCGroupUDP6Recvmsg,
"cgroup/sysctl": AttachCGroupSysctl,
"cgroup/getsockopt": AttachCGroupGetsockopt,
"cgroup/setsockopt": AttachCGroupSetsockopt,
attachType := AttachNone
for k, t := range attachTypes {
if strings.HasPrefix(v, k) {
attachType = t
for k, t := range types {
if strings.HasPrefix(v, k) {
return t, attachType
return UnspecifiedProgram, AttachNone
func (ec *elfCode) loadRelocations(sections map[elf.SectionIndex]*elf.Section) (map[elf.SectionIndex]map[uint64]elf.Symbol, error) {
result := make(map[elf.SectionIndex]map[uint64]elf.Symbol)
for idx, sec := range sections {
rels := make(map[uint64]elf.Symbol)
if sec.Entsize < 16 {
return nil, xerrors.Errorf("section %s: relocations are less than 16 bytes", sec.Name)
r := sec.Open()
for off := uint64(0); off < sec.Size; off += sec.Entsize {
ent := io.LimitReader(r, int64(sec.Entsize))
var rel elf.Rel64
if binary.Read(ent, ec.ByteOrder, &rel) != nil {
return nil, xerrors.Errorf("can't parse relocation at offset %v", off)
symNo := int(elf.R_SYM64(rel.Info) - 1)
if symNo >= len(ec.symbols) {
return nil, xerrors.Errorf("relocation at offset %d: symbol %v doesnt exist", off, symNo)
rels[rel.Off] = ec.symbols[symNo]
result[idx] = rels
return result, nil
func symbolsPerSection(symbols []elf.Symbol) map[elf.SectionIndex]map[uint64]elf.Symbol {
result := make(map[elf.SectionIndex]map[uint64]elf.Symbol)
for _, sym := range symbols {
switch elf.ST_TYPE(sym.Info) {
case elf.STT_NOTYPE:
// Older versions of LLVM doesn't tag
// symbols correctly.
case elf.STT_OBJECT:
case elf.STT_FUNC:
if sym.Section == elf.SHN_UNDEF || sym.Section >= elf.SHN_LORESERVE {
if sym.Name == "" {
idx := sym.Section
if _, ok := result[idx]; !ok {
result[idx] = make(map[uint64]elf.Symbol)
result[idx][sym.Value] = sym
return result
@ -0,0 +1,8 @@
module github.com/cilium/ebpf
go 1.12
require (
golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
@ -0,0 +1,613 @@
package btf
import (
const btfMagic = 0xeB9F
// Errors returned by BTF functions.
var (
ErrNotSupported = internal.ErrNotSupported
// Spec represents decoded BTF.
type Spec struct {
rawTypes []rawType
strings stringTable
types map[string][]Type
funcInfos map[string]extInfo
lineInfos map[string]extInfo
type btfHeader struct {
Magic uint16
Version uint8
Flags uint8
HdrLen uint32
TypeOff uint32
TypeLen uint32
StringOff uint32
StringLen uint32
// LoadSpecFromReader reads BTF sections from an ELF.
// Returns a nil Spec and no error if no BTF was present.
func LoadSpecFromReader(rd io.ReaderAt) (*Spec, error) {
file, err := elf.NewFile(rd)
if err != nil {
return nil, err
defer file.Close()
var (
btfSection *elf.Section
btfExtSection *elf.Section
sectionSizes = make(map[string]uint32)
for _, sec := range file.Sections {
switch sec.Name {
case ".BTF":
btfSection = sec
case ".BTF.ext":
btfExtSection = sec
if sec.Type != elf.SHT_PROGBITS && sec.Type != elf.SHT_NOBITS {
if sec.Size > math.MaxUint32 {
return nil, xerrors.Errorf("section %s exceeds maximum size", sec.Name)
sectionSizes[sec.Name] = uint32(sec.Size)
if btfSection == nil {
return nil, nil
symbols, err := file.Symbols()
if err != nil {
return nil, xerrors.Errorf("can't read symbols: %v", err)
variableOffsets := make(map[variable]uint32)
for _, symbol := range symbols {
if idx := symbol.Section; idx >= elf.SHN_LORESERVE && idx <= elf.SHN_HIRESERVE {
// Ignore things like SHN_ABS
secName := file.Sections[symbol.Section].Name
if _, ok := sectionSizes[secName]; !ok {
if symbol.Value > math.MaxUint32 {
return nil, xerrors.Errorf("section %s: symbol %s: size exceeds maximum", secName, symbol.Name)
variableOffsets[variable{secName, symbol.Name}] = uint32(symbol.Value)
rawTypes, rawStrings, err := parseBTF(btfSection.Open(), file.ByteOrder)
if err != nil {
return nil, err
err = fixupDatasec(rawTypes, rawStrings, sectionSizes, variableOffsets)
if err != nil {
return nil, err
types, err := inflateRawTypes(rawTypes, rawStrings)
if err != nil {
return nil, err
var (
funcInfos = make(map[string]extInfo)
lineInfos = make(map[string]extInfo)
if btfExtSection != nil {
funcInfos, lineInfos, err = parseExtInfos(btfExtSection.Open(), file.ByteOrder, rawStrings)
if err != nil {
return nil, xerrors.Errorf("can't read ext info: %w", err)
return &Spec{
rawTypes: rawTypes,
types: types,
strings: rawStrings,
funcInfos: funcInfos,
lineInfos: lineInfos,
}, nil
func parseBTF(btf io.ReadSeeker, bo binary.ByteOrder) ([]rawType, stringTable, error) {
rawBTF, err := ioutil.ReadAll(btf)
if err != nil {
return nil, nil, xerrors.Errorf("can't read BTF: %v", err)
rd := bytes.NewReader(rawBTF)
var header btfHeader
if err := binary.Read(rd, bo, &header); err != nil {
return nil, nil, xerrors.Errorf("can't read header: %v", err)
if header.Magic != btfMagic {
return nil, nil, xerrors.Errorf("incorrect magic value %v", header.Magic)
if header.Version != 1 {
return nil, nil, xerrors.Errorf("unexpected version %v", header.Version)
if header.Flags != 0 {
return nil, nil, xerrors.Errorf("unsupported flags %v", header.Flags)
remainder := int64(header.HdrLen) - int64(binary.Size(&header))
if remainder < 0 {
return nil, nil, xerrors.New("header is too short")
if _, err := io.CopyN(internal.DiscardZeroes{}, rd, remainder); err != nil {
return nil, nil, xerrors.Errorf("header padding: %v", err)
if _, err := rd.Seek(int64(header.HdrLen+header.StringOff), io.SeekStart); err != nil {
return nil, nil, xerrors.Errorf("can't seek to start of string section: %v", err)
rawStrings, err := readStringTable(io.LimitReader(rd, int64(header.StringLen)))
if err != nil {
return nil, nil, xerrors.Errorf("can't read type names: %w", err)
if _, err := rd.Seek(int64(header.HdrLen+header.TypeOff), io.SeekStart); err != nil {
return nil, nil, xerrors.Errorf("can't seek to start of type section: %v", err)
rawTypes, err := readTypes(io.LimitReader(rd, int64(header.TypeLen)), bo)
if err != nil {
return nil, nil, xerrors.Errorf("can't read types: %w", err)
return rawTypes, rawStrings, nil
type variable struct {
section string
name string
func fixupDatasec(rawTypes []rawType, rawStrings stringTable, sectionSizes map[string]uint32, variableOffsets map[variable]uint32) error {
for i, rawType := range rawTypes {
if rawType.Kind() != kindDatasec {
name, err := rawStrings.Lookup(rawType.NameOff)
if err != nil {
return err
size, ok := sectionSizes[name]
if !ok {
return xerrors.Errorf("data section %s: missing size", name)
rawTypes[i].SizeType = size
secinfos := rawType.data.([]btfVarSecinfo)
for j, secInfo := range secinfos {
id := int(secInfo.Type - 1)
if id >= len(rawTypes) {
return xerrors.Errorf("data section %s: invalid type id %d for variable %d", name, id, j)
varName, err := rawStrings.Lookup(rawTypes[id].NameOff)
if err != nil {
return xerrors.Errorf("data section %s: can't get name for type %d: %w", name, id, err)
offset, ok := variableOffsets[variable{name, varName}]
if !ok {
return xerrors.Errorf("data section %s: missing offset for variable %s", name, varName)
secinfos[j].Offset = offset
return nil
func (s *Spec) marshal(bo binary.ByteOrder) ([]byte, error) {
var (
buf bytes.Buffer
header = new(btfHeader)
headerLen = binary.Size(header)
// Reserve space for the header. We have to write it last since
// we don't know the size of the type section yet.
_, _ = buf.Write(make([]byte, headerLen))
// Write type section, just after the header.
for _, typ := range s.rawTypes {
if err := typ.Marshal(&buf, bo); err != nil {
return nil, xerrors.Errorf("can't marshal BTF: %w", err)
typeLen := uint32(buf.Len() - headerLen)
// Write string section after type section.
_, _ = buf.Write(s.strings)
// Fill out the header, and write it out.
header = &btfHeader{
Magic: btfMagic,
Version: 1,
Flags: 0,
HdrLen: uint32(headerLen),
TypeOff: 0,
TypeLen: typeLen,
StringOff: typeLen,
StringLen: uint32(len(s.strings)),
raw := buf.Bytes()
err := binary.Write(sliceWriter(raw[:headerLen]), bo, header)
if err != nil {
return nil, xerrors.Errorf("can't write header: %v", err)
return raw, nil
type sliceWriter []byte
func (sw sliceWriter) Write(p []byte) (int, error) {
if len(p) != len(sw) {
return 0, xerrors.New("size doesn't match")
return copy(sw, p), nil
// Program finds the BTF for a specific section.
// Length is the number of bytes in the raw BPF instruction stream.
// Returns an error if there is no BTF.
func (s *Spec) Program(name string, length uint64) (*Program, error) {
if length == 0 {
return nil, xerrors.New("length musn't be zero")
funcInfos, funcOK := s.funcInfos[name]
lineInfos, lineOK := s.lineInfos[name]
if !funcOK && !lineOK {
return nil, xerrors.Errorf("no BTF for program %s", name)
return &Program{s, length, funcInfos, lineInfos}, nil
// Map finds the BTF for a map.
// Returns an error if there is no BTF for the given name.
func (s *Spec) Map(name string) (*Map, []Member, error) {
var mapVar Var
if err := s.FindType(name, &mapVar); err != nil {
return nil, nil, err
mapStruct, ok := mapVar.Type.(*Struct)
if !ok {
return nil, nil, xerrors.Errorf("expected struct, have %s", mapVar.Type)
var key, value Type
for _, member := range mapStruct.Members {
switch member.Name {
case "key":
key = member.Type
case "value":
value = member.Type
if key == nil {
return nil, nil, xerrors.Errorf("map %s: missing 'key' in type", name)
if value == nil {
return nil, nil, xerrors.Errorf("map %s: missing 'value' in type", name)
return &Map{s, key, value}, mapStruct.Members, nil
// Datasec returns the BTF required to create maps which represent data sections.
func (s *Spec) Datasec(name string) (*Map, error) {
var datasec Datasec
if err := s.FindType(name, &datasec); err != nil {
return nil, xerrors.Errorf("data section %s: can't get BTF: %w", name, err)
return &Map{s, &Void{}, &datasec}, nil
var errNotFound = xerrors.New("not found")
// FindType searches for a type with a specific name.
// hint determines the type of the returned Type.
// Returns an error if there is no or multiple matches.
func (s *Spec) FindType(name string, typ Type) error {
var (
wanted = reflect.TypeOf(typ)
candidate Type
for _, typ := range s.types[name] {
if reflect.TypeOf(typ) != wanted {
if candidate != nil {
return xerrors.Errorf("type %s: multiple candidates for %T", name, typ)
candidate = typ
if candidate == nil {
return xerrors.Errorf("type %s: %w", name, errNotFound)
value := reflect.Indirect(reflect.ValueOf(copyType(candidate)))
return nil
// Handle is a reference to BTF loaded into the kernel.
type Handle struct {
fd *internal.FD
// NewHandle loads BTF into the kernel.
// Returns ErrNotSupported if BTF is not supported.
func NewHandle(spec *Spec) (*Handle, error) {
if err := haveBTF(); err != nil {
return nil, err
btf, err := spec.marshal(internal.NativeEndian)
if err != nil {
return nil, xerrors.Errorf("can't marshal BTF: %w", err)
if uint64(len(btf)) > math.MaxUint32 {
return nil, xerrors.New("BTF exceeds the maximum size")
attr := &bpfLoadBTFAttr{
btf: internal.NewSlicePointer(btf),
btfSize: uint32(len(btf)),
fd, err := bpfLoadBTF(attr)
if err != nil {
logBuf := make([]byte, 64*1024)
attr.logBuf = internal.NewSlicePointer(logBuf)
attr.btfLogSize = uint32(len(logBuf))
attr.btfLogLevel = 1
_, logErr := bpfLoadBTF(attr)
return nil, internal.ErrorWithLog(err, logBuf, logErr)
return &Handle{fd}, nil
// Close destroys the handle.
// Subsequent calls to FD will return an invalid value.
func (h *Handle) Close() error {
return h.fd.Close()
// FD returns the file descriptor for the handle.
func (h *Handle) FD() int {
value, err := h.fd.Value()
if err != nil {
return -1
return int(value)
// Map is the BTF for a map.
type Map struct {
spec *Spec
key, value Type
// MapSpec should be a method on Map, but is a free function
// to hide it from users of the ebpf package.
func MapSpec(m *Map) *Spec {
return m.spec
// MapKey should be a method on Map, but is a free function
// to hide it from users of the ebpf package.
func MapKey(m *Map) Type {
return m.key
// MapValue should be a method on Map, but is a free function
// to hide it from users of the ebpf package.
func MapValue(m *Map) Type {
return m.value
// Program is the BTF information for a stream of instructions.
type Program struct {
spec *Spec
length uint64
funcInfos, lineInfos extInfo
// ProgramSpec returns the Spec needed for loading function and line infos into the kernel.
// This is a free function instead of a method to hide it from users
// of package ebpf.
func ProgramSpec(s *Program) *Spec {
return s.spec
// ProgramAppend the information from other to the Program.
// This is a free function instead of a method to hide it from users
// of package ebpf.
func ProgramAppend(s, other *Program) error {
funcInfos, err := s.funcInfos.append(other.funcInfos, s.length)
if err != nil {
return xerrors.Errorf("func infos: %w", err)
lineInfos, err := s.lineInfos.append(other.lineInfos, s.length)
if err != nil {
return xerrors.Errorf("line infos: %w", err)
s.length += other.length
s.funcInfos = funcInfos
s.lineInfos = lineInfos
return nil
// ProgramFuncInfos returns the binary form of BTF function infos.
// This is a free function instead of a method to hide it from users
// of package ebpf.
func ProgramFuncInfos(s *Program) (recordSize uint32, bytes []byte, err error) {
bytes, err = s.funcInfos.MarshalBinary()
if err != nil {
return 0, nil, err
return s.funcInfos.recordSize, bytes, nil
// ProgramLineInfos returns the binary form of BTF line infos.
// This is a free function instead of a method to hide it from users
// of package ebpf.
func ProgramLineInfos(s *Program) (recordSize uint32, bytes []byte, err error) {
bytes, err = s.lineInfos.MarshalBinary()
if err != nil {
return 0, nil, err
return s.lineInfos.recordSize, bytes, nil
type bpfLoadBTFAttr struct {
btf internal.Pointer
logBuf internal.Pointer
btfSize uint32
btfLogSize uint32
btfLogLevel uint32
func bpfLoadBTF(attr *bpfLoadBTFAttr) (*internal.FD, error) {
const _BTFLoad = 18
fd, err := internal.BPF(_BTFLoad, unsafe.Pointer(attr), unsafe.Sizeof(*attr))
if err != nil {
return nil, err
return internal.NewFD(uint32(fd)), nil
func minimalBTF(bo binary.ByteOrder) []byte {
const minHeaderLength = 24
var (
types struct {
Integer btfType
Var btfType
btfVar struct{ Linkage uint32 }
typLen = uint32(binary.Size(&types))
strings = []byte{0, 'a', 0}
header = btfHeader{
Magic: btfMagic,
Version: 1,
HdrLen: minHeaderLength,
TypeOff: 0,
TypeLen: typLen,
StringOff: typLen,
StringLen: uint32(len(strings)),
// We use a BTF_KIND_VAR here, to make sure that
// the kernel understands BTF at least as well as we
// do. BTF_KIND_VAR was introduced ~5.1.
types.Var.NameOff = 1
types.Var.SizeType = 1
buf := new(bytes.Buffer)
_ = binary.Write(buf, bo, &header)
_ = binary.Write(buf, bo, &types)
return buf.Bytes()
var haveBTF = internal.FeatureTest("BTF", "5.1", func() bool {
btf := minimalBTF(internal.NativeEndian)
fd, err := bpfLoadBTF(&bpfLoadBTFAttr{
btf: internal.NewSlicePointer(btf),
btfSize: uint32(len(btf)),
if err == nil {
// Check for EINVAL specifically, rather than err != nil since we
// otherwise misdetect due to insufficient permissions.
return !xerrors.Is(err, unix.EINVAL)
@ -0,0 +1,238 @@
package btf
import (
// btfKind describes a Type.
type btfKind uint8
// Equivalents of the BTF_KIND_* constants.
const (
kindUnknown btfKind = iota
// Added ~4.20
// Added ~5.1
const (
btfTypeKindShift = 24
btfTypeKindLen = 4
btfTypeVlenShift = 0
btfTypeVlenMask = 16
// btfType is equivalent to struct btf_type in Documentation/bpf/btf.rst.
type btfType struct {
NameOff uint32
/* "info" bits arrangement
* bits 0-15: vlen (e.g. # of struct's members)
* bits 16-23: unused
* bits 24-27: kind (e.g. int, ptr, array...etc)
* bits 28-30: unused
* bit 31: kind_flag, currently used by
* struct, union and fwd
Info uint32
/* "size" is used by INT, ENUM, STRUCT and UNION.
* "size" tells the size of the type it is describing.
* "type" is a type_id referring to another type.
SizeType uint32
func (k btfKind) String() string {
switch k {
case kindUnknown:
return "Unknown"
case kindInt:
return "Integer"
case kindPointer:
return "Pointer"
case kindArray:
return "Array"
case kindStruct:
return "Struct"
case kindUnion:
return "Union"
case kindEnum:
return "Enumeration"
case kindForward:
return "Forward"
case kindTypedef:
return "Typedef"
case kindVolatile:
return "Volatile"
case kindConst:
return "Const"
case kindRestrict:
return "Restrict"
case kindFunc:
return "Function"
case kindFuncProto:
return "Function Proto"
case kindVar:
return "Variable"
case kindDatasec:
return "Section"
return fmt.Sprintf("Unknown (%d)", k)
func mask(len uint32) uint32 {
return (1 << len) - 1
func (bt *btfType) info(len, shift uint32) uint32 {
return (bt.Info >> shift) & mask(len)
func (bt *btfType) setInfo(value, len, shift uint32) {
bt.Info &^= mask(len) << shift
bt.Info |= (value & mask(len)) << shift
func (bt *btfType) Kind() btfKind {
return btfKind(bt.info(btfTypeKindLen, btfTypeKindShift))
func (bt *btfType) SetKind(kind btfKind) {
bt.setInfo(uint32(kind), btfTypeKindLen, btfTypeKindShift)
func (bt *btfType) Vlen() int {
return int(bt.info(btfTypeVlenMask, btfTypeVlenShift))
func (bt *btfType) SetVlen(vlen int) {
bt.setInfo(uint32(vlen), btfTypeVlenMask, btfTypeVlenShift)
func (bt *btfType) Type() TypeID {
// TODO: Panic here if wrong kind?
return TypeID(bt.SizeType)
func (bt *btfType) Size() uint32 {
// TODO: Panic here if wrong kind?
return bt.SizeType
type rawType struct {
data interface{}
func (rt *rawType) Marshal(w io.Writer, bo binary.ByteOrder) error {
if err := binary.Write(w, bo, &rt.btfType); err != nil {
return err
if rt.data == nil {
return nil
return binary.Write(w, bo, rt.data)
type btfArray struct {
Type TypeID
IndexType TypeID
Nelems uint32
type btfMember struct {
NameOff uint32
Type TypeID
Offset uint32
type btfVarSecinfo struct {
Type TypeID
Offset uint32
Size uint32
type btfVariable struct {
Linkage uint32
func readTypes(r io.Reader, bo binary.ByteOrder) ([]rawType, error) {
var (
header btfType
types []rawType
for id := TypeID(1); ; id++ {
if err := binary.Read(r, bo, &header); err == io.EOF {
return types, nil
} else if err != nil {
return nil, xerrors.Errorf("can't read type info for id %v: %v", id, err)
var data interface{}
switch header.Kind() {
case kindInt:
// sizeof(uint32)
data = make([]byte, 4)
case kindPointer:
case kindArray:
data = new(btfArray)
case kindStruct:
case kindUnion:
data = make([]btfMember, header.Vlen())
case kindEnum:
// sizeof(struct btf_enum)
data = make([]byte, header.Vlen()*4*2)
case kindForward:
case kindTypedef:
case kindVolatile:
case kindConst:
case kindRestrict:
case kindFunc:
case kindFuncProto:
// sizeof(struct btf_param)
data = make([]byte, header.Vlen()*4*2)
case kindVar:
data = new(btfVariable)
case kindDatasec:
data = make([]btfVarSecinfo, header.Vlen())
return nil, xerrors.Errorf("type id %v: unknown kind: %v", id, header.Kind())
if data == nil {
types = append(types, rawType{header, nil})
if err := binary.Read(r, bo, data); err != nil {
return nil, xerrors.Errorf("type id %d: kind %v: can't read %T: %v", id, header.Kind(), data, err)
types = append(types, rawType{header, data})
// Package btf handles data encoded according to the BPF Type Format.
// The canonical documentation lives in the Linux kernel repository and is
// available at https://www.kernel.org/doc/html/latest/bpf/btf.html
// The API is very much unstable. You should only use this via the main
// ebpf library.
package btf
package btf
import (
type btfExtHeader struct {
Magic uint16
Version uint8
Flags uint8
HdrLen uint32
FuncInfoOff uint32
FuncInfoLen uint32
LineInfoOff uint32
LineInfoLen uint32
func parseExtInfos(r io.ReadSeeker, bo binary.ByteOrder, strings stringTable) (funcInfo, lineInfo map[string]extInfo, err error) {
var header btfExtHeader
if err := binary.Read(r, bo, &header); err != nil {
return nil, nil, xerrors.Errorf("can't read header: %v", err)
if header.Magic != btfMagic {
return nil, nil, xerrors.Errorf("incorrect magic value %v", header.Magic)
if header.Version != 1 {
return nil, nil, xerrors.Errorf("unexpected version %v", header.Version)
if header.Flags != 0 {
return nil, nil, xerrors.Errorf("unsupported flags %v", header.Flags)
remainder := int64(header.HdrLen) - int64(binary.Size(&header))
if remainder < 0 {
return nil, nil, xerrors.New("header is too short")
// Of course, the .BTF.ext header has different semantics than the
// .BTF ext header. We need to ignore non-null values.
_, err = io.CopyN(ioutil.Discard, r, remainder)
if err != nil {
return nil, nil, xerrors.Errorf("header padding: %v", err)
if _, err := r.Seek(int64(header.HdrLen+header.FuncInfoOff), io.SeekStart); err != nil {
return nil, nil, xerrors.Errorf("can't seek to function info section: %v", err)
funcInfo, err = parseExtInfo(io.LimitReader(r, int64(header.FuncInfoLen)), bo, strings)
if err != nil {
return nil, nil, xerrors.Errorf("function info: %w", err)
if _, err := r.Seek(int64(header.HdrLen+header.LineInfoOff), io.SeekStart); err != nil {
return nil, nil, xerrors.Errorf("can't seek to line info section: %v", err)
lineInfo, err = parseExtInfo(io.LimitReader(r, int64(header.LineInfoLen)), bo, strings)
if err != nil {
return nil, nil, xerrors.Errorf("line info: %w", err)
return funcInfo, lineInfo, nil
type btfExtInfoSec struct {
SecNameOff uint32
NumInfo uint32
type extInfoRecord struct {
InsnOff uint64
Opaque []byte
type extInfo struct {
recordSize uint32
records []extInfoRecord
func (ei extInfo) append(other extInfo, offset uint64) (extInfo, error) {
if other.recordSize != ei.recordSize {
return extInfo{}, xerrors.Errorf("ext_info record size mismatch, want %d (got %d)", ei.recordSize, other.recordSize)
records := make([]extInfoRecord, 0, len(ei.records)+len(other.records))
records = append(records, ei.records...)
for _, info := range other.records {
records = append(records, extInfoRecord{
InsnOff: info.InsnOff + offset,
Opaque: info.Opaque,
return extInfo{ei.recordSize, records}, nil
func (ei extInfo) MarshalBinary() ([]byte, error) {
if len(ei.records) == 0 {
return nil, nil
buf := bytes.NewBuffer(make([]byte, 0, int(ei.recordSize)*len(ei.records)))
for _, info := range ei.records {
// The kernel expects offsets in number of raw bpf instructions,
// while the ELF tracks it in bytes.
insnOff := uint32(info.InsnOff / asm.InstructionSize)
if err := binary.Write(buf, internal.NativeEndian, insnOff); err != nil {
return nil, xerrors.Errorf("can't write instruction offset: %v", err)
return buf.Bytes(), nil
func parseExtInfo(r io.Reader, bo binary.ByteOrder, strings stringTable) (map[string]extInfo, error) {
var recordSize uint32
if err := binary.Read(r, bo, &recordSize); err != nil {
return nil, xerrors.Errorf("can't read record size: %v", err)
if recordSize < 4 {
// Need at least insnOff
return nil, xerrors.New("record size too short")
result := make(map[string]extInfo)
for {
var infoHeader btfExtInfoSec
if err := binary.Read(r, bo, &infoHeader); err == io.EOF {
return result, nil
} else if err != nil {
return nil, xerrors.Errorf("can't read ext info header: %v", err)
secName, err := strings.Lookup(infoHeader.SecNameOff)
if err != nil {
return nil, xerrors.Errorf("can't get section name: %w", err)
if infoHeader.NumInfo == 0 {
return nil, xerrors.Errorf("section %s has invalid number of records", secName)
var records []extInfoRecord
for i := uint32(0); i < infoHeader.NumInfo; i++ {
var byteOff uint32
if err := binary.Read(r, bo, &byteOff); err != nil {
return nil, xerrors.Errorf("section %v: can't read extended info offset: %v", secName, err)
buf := make([]byte, int(recordSize-4))
if _, err := io.ReadFull(r, buf); err != nil {
return nil, xerrors.Errorf("section %v: can't read record: %v", secName, err)
if byteOff%asm.InstructionSize != 0 {
return nil, xerrors.Errorf("section %v: offset %v is not aligned with instruction size", secName, byteOff)
records = append(records, extInfoRecord{uint64(byteOff), buf})
result[secName] = extInfo{
package btf
import (
type stringTable []byte
func readStringTable(r io.Reader) (stringTable, error) {
contents, err := ioutil.ReadAll(r)
if err != nil {
return nil, xerrors.Errorf("can't read string table: %v", err)
if len(contents) < 1 {
return nil, xerrors.New("string table is empty")
if contents[0] != '\x00' {
return nil, xerrors.New("first item in string table is non-empty")
if contents[len(contents)-1] != '\x00' {
return nil, xerrors.New("string table isn't null terminated")
return stringTable(contents), nil
func (st stringTable) Lookup(offset uint32) (string, error) {
if int64(offset) > int64(^uint(0)>>1) {
return "", xerrors.Errorf("offset %d overflows int", offset)
pos := int(offset)
if pos >= len(st) {
return "", xerrors.Errorf("offset %d is out of bounds", offset)
if pos > 0 && st[pos-1] != '\x00' {
return "", xerrors.Errorf("offset %d isn't start of a string", offset)
str := st[pos:]
end := bytes.IndexByte(str, '\x00')
if end == -1 {
return "", xerrors.Errorf("offset %d isn't null terminated", offset)
return string(str[:end]), nil
func (st stringTable) LookupName(offset uint32) (Name, error) {
str, err := st.Lookup(offset)
return Name(str), err
package btf
import (
const maxTypeDepth = 32
// TypeID identifies a type in a BTF section.
type TypeID uint32
// ID implements part of the Type interface.
func (tid TypeID) ID() TypeID {
return tid
// Type represents a type described by BTF.
type Type interface {
ID() TypeID
// Make a copy of the type, without copying Type members.
copy() Type
// Name identifies a type.
// Anonymous types have an empty name.
type Name string
func (n Name) name() string {
return string(n)
// Void is the unit type of BTF.
type Void struct{}
func (v Void) ID() TypeID { return 0 }
func (v Void) copy() Type { return Void{} }
func (v Void) walk(*copyStack) {}
// Int is an integer of a given length.
type Int struct {
// The size of the integer in bytes.
Size uint32
func (i *Int) size() uint32 { return i.Size }
func (i *Int) walk(*copyStack) {}
func (i *Int) copy() Type {
cpy := *i
return &cpy
// Pointer is a pointer to another type.
type Pointer struct {
Target Type
func (p *Pointer) size() uint32 { return 8 }
func (p *Pointer) walk(cs *copyStack) { cs.push(&p.Target) }
func (p *Pointer) copy() Type {
cpy := *p
return &cpy
// Array is an array with a fixed number of elements.
type Array struct {
Type Type
Nelems uint32
func (arr *Array) walk(cs *copyStack) { cs.push(&arr.Type) }
func (arr *Array) copy() Type {
cpy := *arr
return &cpy
// Struct is a compound type of consecutive members.
type Struct struct {
// The size of the struct including padding, in bytes
Size uint32
Members []Member
func (s *Struct) size() uint32 { return s.Size }
func (s *Struct) walk(cs *copyStack) {
for i := range s.Members {
func (s *Struct) copy() Type {
cpy := *s
cpy.Members = make([]Member, len(s.Members))
copy(cpy.Members, s.Members)
return &cpy
// Union is a compound type where members occupy the same memory.
type Union struct {
// The size of the union including padding, in bytes.
Size uint32
Members []Member
func (u *Union) size() uint32 { return u.Size }
func (u *Union) walk(cs *copyStack) {
for i := range u.Members {
func (u *Union) copy() Type {
cpy := *u
cpy.Members = make([]Member, len(u.Members))
copy(cpy.Members, u.Members)
return &cpy
// Member is part of a Struct or Union.
// It is not a valid Type.
type Member struct {
Type Type
Offset uint32
// Enum lists possible values.
type Enum struct {
func (e *Enum) size() uint32 { return 4 }
func (e *Enum) walk(*copyStack) {}
func (e *Enum) copy() Type {
cpy := *e
return &cpy
// Fwd is a forward declaration of a Type.
type Fwd struct {
func (f *Fwd) walk(*copyStack) {}
func (f *Fwd) copy() Type {
cpy := *f
return &cpy
// Typedef is an alias of a Type.
type Typedef struct {
Type Type
func (td *Typedef) walk(cs *copyStack) { cs.push(&td.Type) }
func (td *Typedef) copy() Type {
cpy := *td
return &cpy
// Volatile is a modifier.
type Volatile struct {
Type Type
func (v *Volatile) walk(cs *copyStack) { cs.push(&v.Type) }
func (v *Volatile) copy() Type {
cpy := *v
return &cpy
// Const is a modifier.
type Const struct {
Type Type
func (c *Const) walk(cs *copyStack) { cs.push(&c.Type) }
func (c *Const) copy() Type {
cpy := *c
return &cpy
// Restrict is a modifier.
type Restrict struct {
Type Type
func (r *Restrict) walk(cs *copyStack) { cs.push(&r.Type) }
func (r *Restrict) copy() Type {
cpy := *r
return &cpy
// Func is a function definition.
type Func struct {
Type Type
func (f *Func) walk(cs *copyStack) { cs.push(&f.Type) }
func (f *Func) copy() Type {
cpy := *f
return &cpy
// FuncProto is a function declaration.
type FuncProto struct {
Return Type
// Parameters not supported yet
func (fp *FuncProto) walk(cs *copyStack) { cs.push(&fp.Return) }
func (fp *FuncProto) copy() Type {
cpy := *fp
return &cpy
// Var is a global variable.
type Var struct {
Type Type
func (v *Var) walk(cs *copyStack) { cs.push(&v.Type) }
func (v *Var) copy() Type {
cpy := *v
return &cpy
// Datasec is a global program section containing data.
type Datasec struct {
Size uint32
Vars []VarSecinfo
func (ds *Datasec) size() uint32 { return ds.Size }
func (ds *Datasec) walk(cs *copyStack) {
for i := range ds.Vars {
func (ds *Datasec) copy() Type {
cpy := *ds
cpy.Vars = make([]VarSecinfo, len(ds.Vars))
copy(cpy.Vars, ds.Vars)
return &cpy
// VarSecinfo describes variable in a Datasec
type VarSecinfo struct {
Type Type
Offset uint32
Size uint32
type sizer interface {
size() uint32
var (
_ sizer = (*Int)(nil)
_ sizer = (*Pointer)(nil)
_ sizer = (*Struct)(nil)
_ sizer = (*Union)(nil)
_ sizer = (*Enum)(nil)
_ sizer = (*Datasec)(nil)
// Sizeof returns the size of a type in bytes.
// Returns an error if the size can't be computed.
func Sizeof(typ Type) (int, error) {
var (
n = int64(1)
elem int64
for i := 0; i < maxTypeDepth; i++ {
switch v := typ.(type) {
case *Array:
if n > 0 && int64(v.Nelems) > math.MaxInt64/n {
return 0, xerrors.New("overflow")
// Arrays may be of zero length, which allows
// n to be zero as well.
n *= int64(v.Nelems)
typ = v.Type
case sizer:
elem = int64(v.size())
case *Typedef:
typ = v.Type
case *Volatile:
typ = v.Type
case *Const:
typ = v.Type
case *Restrict:
typ = v.Type
return 0, xerrors.Errorf("unrecognized type %T", typ)
if n > 0 && elem > math.MaxInt64/n {
return 0, xerrors.New("overflow")
size := n * elem
if int64(int(size)) != size {
return 0, xerrors.New("overflow")
return int(size), nil
return 0, xerrors.New("exceeded type depth")
// copy a Type recursively.
// typ may form a cycle.
func copyType(typ Type) Type {
var (
copies = make(map[Type]Type)
work copyStack
for t := &typ; t != nil; t = work.pop() {
// *t is the identity of the type.
if cpy := copies[*t]; cpy != nil {
*t = cpy
cpy := (*t).copy()
copies[*t] = cpy
*t = cpy
// Mark any nested types for copying.
return typ
// copyStack keeps track of pointers to types which still
// need to be copied.
type copyStack []*Type
// push adds a type to the stack.
func (cs *copyStack) push(t *Type) {
*cs = append(*cs, t)
// pop returns the topmost Type, or nil.
func (cs *copyStack) pop() *Type {
n := len(*cs)
if n == 0 {
return nil
t := (*cs)[n-1]
*cs = (*cs)[:n-1]
return t
type namer interface {
name() string
var _ namer = Name("")
// inflateRawTypes takes a list of raw btf types linked via type IDs, and turns
// it into a graph of Types connected via pointers.
// Returns a map of named types (so, where NameOff is non-zero). Since BTF ignores
// compilation units, multiple types may share the same name. A Type may form a
// cyclic graph by pointing at itself.
func inflateRawTypes(rawTypes []rawType, rawStrings stringTable) (namedTypes map[string][]Type, err error) {
type fixupDef struct {
id TypeID
expectedKind btfKind
typ *Type
var fixups []fixupDef
fixup := func(id TypeID, expectedKind btfKind, typ *Type) {
fixups = append(fixups, fixupDef{id, expectedKind, typ})
convertMembers := func(raw []btfMember) ([]Member, error) {
// NB: The fixup below relies on pre-allocating this array to
// work, since otherwise append might re-allocate members.
members := make([]Member, 0, len(raw))
for i, btfMember := range raw {
name, err := rawStrings.LookupName(btfMember.NameOff)
if err != nil {
return nil, xerrors.Errorf("can't get name for member %d: %w", i, err)
members = append(members, Member{
Name: name,
Offset: btfMember.Offset,
for i := range members {
fixup(raw[i].Type, kindUnknown, &members[i].Type)
return members, nil
types := make([]Type, 0, len(rawTypes))
types = append(types, Void{})
namedTypes = make(map[string][]Type)
for i, raw := range rawTypes {
var (
// Void is defined to always be type ID 0, and is thus
// omitted from BTF.
id = TypeID(i + 1)
typ Type
name, err := rawStrings.LookupName(raw.NameOff)
if err != nil {
return nil, xerrors.Errorf("can't get name for type id %d: %w", id, err)
switch raw.Kind() {
case kindInt:
typ = &Int{id, name, raw.Size()}
case kindPointer:
ptr := &Pointer{id, nil}
fixup(raw.Type(), kindUnknown, &ptr.Target)
typ = ptr
case kindArray:
btfArr := raw.data.(*btfArray)
// IndexType is unused according to btf.rst.
// Don't make it available right now.
arr := &Array{id, nil, btfArr.Nelems}
fixup(btfArr.Type, kindUnknown, &arr.Type)
typ = arr
case kindStruct:
members, err := convertMembers(raw.data.([]btfMember))
if err != nil {
return nil, xerrors.Errorf("struct %s (id %d): %w", name, id, err)
typ = &Struct{id, name, raw.Size(), members}
case kindUnion:
members, err := convertMembers(raw.data.([]btfMember))
if err != nil {
return nil, xerrors.Errorf("union %s (id %d): %w", name, id, err)
typ = &Union{id, name, raw.Size(), members}
case kindEnum:
typ = &Enum{id, name}
case kindForward:
typ = &Fwd{id, name}
case kindTypedef:
typedef := &Typedef{id, name, nil}
fixup(raw.Type(), kindUnknown, &typedef.Type)
typ = typedef
case kindVolatile:
volatile := &Volatile{id, nil}
fixup(raw.Type(), kindUnknown, &volatile.Type)
typ = volatile
case kindConst:
cnst := &Const{id, nil}
fixup(raw.Type(), kindUnknown, &cnst.Type)
typ = cnst
case kindRestrict:
restrict := &Restrict{id, nil}
fixup(raw.Type(), kindUnknown, &restrict.Type)
typ = restrict
case kindFunc:
fn := &Func{id, name, nil}
fixup(raw.Type(), kindFuncProto, &fn.Type)
typ = fn
case kindFuncProto:
fp := &FuncProto{id, nil}
fixup(raw.Type(), kindUnknown, &fp.Return)
typ = fp
case kindVar:
v := &Var{id, name, nil}
fixup(raw.Type(), kindUnknown, &v.Type)
typ = v
case kindDatasec:
btfVars := raw.data.([]btfVarSecinfo)
vars := make([]VarSecinfo, 0, len(btfVars))
for _, btfVar := range btfVars {
vars = append(vars, VarSecinfo{
Offset: btfVar.Offset,
Size: btfVar.Size,
for i := range vars {
fixup(btfVars[i].Type, kindVar, &vars[i].Type)
typ = &Datasec{id, name, raw.SizeType, vars}
return nil, xerrors.Errorf("type id %d: unknown kind: %v", id, raw.Kind())
types = append(types, typ)
if namer, ok := typ.(namer); ok {
if name := namer.name(); name != "" {
namedTypes[name] = append(namedTypes[name], typ)
for _, fixup := range fixups {
i := int(fixup.id)
if i >= len(types) {
return nil, xerrors.Errorf("reference to invalid type id: %d", fixup.id)
// Default void (id 0) to unknown
rawKind := kindUnknown
if i > 0 {
rawKind = rawTypes[i-1].Kind()
if expected := fixup.expectedKind; expected != kindUnknown && rawKind != expected {
return nil, xerrors.Errorf("expected type id %d to have kind %s, found %s", fixup.id, expected, rawKind)
*fixup.typ = types[i]
return namedTypes, nil
package internal
import (
var sysCPU struct {
once sync.Once
err error
num int
// PossibleCPUs returns the max number of CPUs a system may possibly have
// Logical CPU numbers must be of the form 0-n
func PossibleCPUs() (int, error) {
sysCPU.once.Do(func() {
sysCPU.num, sysCPU.err = parseCPUsFromFile("/sys/devices/system/cpu/possible")
return sysCPU.num, sysCPU.err
func parseCPUsFromFile(path string) (int, error) {
spec, err := ioutil.ReadFile(path)
if err != nil {
return 0, err
n, err := parseCPUs(string(spec))
if err != nil {
return 0, fmt.Errorf("can't parse %s: %v", path, err)
return n, nil
// parseCPUs parses the number of cpus from a string produced
// by bitmap_list_string() in the Linux kernel.
// Multiple ranges are rejected, since they can't be unified
// into a single number.
// This is the format of /sys/devices/system/cpu/possible, it
// is not suitable for /sys/devices/system/cpu/online, etc.
func parseCPUs(spec string) (int, error) {
if strings.Trim(spec, "\n") == "0" {
return 1, nil
var low, high int
n, err := fmt.Sscanf(spec, "%d-%d\n", &low, &high)
if n != 2 || err != nil {
return 0, fmt.Errorf("invalid format: %s", spec)
if low != 0 {
return 0, fmt.Errorf("CPU spec doesn't start at zero: %s", spec)
// cpus is 0 indexed
return high + 1, nil
package internal
import (
// NativeEndian is set to either binary.BigEndian or binary.LittleEndian,
// depending on the host's endianness.
var NativeEndian binary.ByteOrder
func init() {
if isBigEndian() {
NativeEndian = binary.BigEndian
} else {
NativeEndian = binary.LittleEndian
func isBigEndian() (ret bool) {
i := int(0x1)
bs := (*[int(unsafe.Sizeof(i))]byte)(unsafe.Pointer(&i))
return bs[0] == 0
package internal
import (
// ErrorWithLog returns an error that includes logs from the
// kernel verifier.
// logErr should be the error returned by the syscall that generated
// the log. It is used to check for truncation of the output.
func ErrorWithLog(err error, log []byte, logErr error) error {
logStr := strings.Trim(CString(log), "\t\r\n ")
if xerrors.Is(logErr, unix.ENOSPC) {
logStr += " (truncated...)"
return &VerifierError{err, logStr}
// VerifierError includes information from the eBPF verifier.
type VerifierError struct {
cause error
log string
func (le *VerifierError) Error() string {
if le.log == "" {
return le.cause.Error()
return fmt.Sprintf("%s: %s", le.cause, le.log)
// CString turns a NUL / zero terminated byte buffer into a string.
func CString(in []byte) string {
inLen := bytes.IndexByte(in, 0)
if inLen == -1 {
return ""
return string(in[:inLen])
package internal
import (
var ErrClosedFd = xerrors.New("use of closed file descriptor")
type FD struct {
raw int64
func NewFD(value uint32) *FD {
fd := &FD{int64(value)}
runtime.SetFinalizer(fd, (*FD).Close)
return fd
func (fd *FD) String() string {
return strconv.FormatInt(fd.raw, 10)
func (fd *FD) Value() (uint32, error) {
if fd.raw < 0 {
return 0, ErrClosedFd
return uint32(fd.raw), nil
func (fd *FD) Close() error {
if fd.raw < 0 {
return nil
value := int(fd.raw)
fd.raw = -1
return unix.Close(value)
func (fd *FD) Forget() {
runtime.SetFinalizer(fd, nil)
func (fd *FD) Dup() (*FD, error) {
if fd.raw < 0 {
return nil, ErrClosedFd
dup, err := unix.FcntlInt(uintptr(fd.raw), unix.F_DUPFD_CLOEXEC, 0)
if err != nil {
return nil, xerrors.Errorf("can't dup fd: %v", err)
return NewFD(uint32(dup)), nil
package internal
import (
// ErrNotSupported indicates that a feature is not supported by the current kernel.
var ErrNotSupported = xerrors.New("not supported")
// UnsupportedFeatureError is returned by FeatureTest() functions.
type UnsupportedFeatureError struct {
// The minimum Linux mainline version required for this feature.
// Used for the error string, and for sanity checking during testing.
MinimumVersion Version
// The name of the feature that isn't supported.
Name string
func (ufe *UnsupportedFeatureError) Error() string {
return fmt.Sprintf("%s not supported (requires >= %s)", ufe.Name, ufe.MinimumVersion)
// Is indicates that UnsupportedFeatureError is ErrNotSupported.
func (ufe *UnsupportedFeatureError) Is(target error) bool {
return target == ErrNotSupported
// FeatureTest wraps a function so that it is run at most once.
// name should identify the tested feature, while version must be in the
// form Major.Minor[.Patch].
// Returns a descriptive UnsupportedFeatureError if the feature is not available.
func FeatureTest(name, version string, fn func() bool) func() error {
v, err := NewVersion(version)
if err != nil {
return func() error { return err }
var (
once sync.Once
result error
return func() error {
once.Do(func() {
if !fn() {
result = &UnsupportedFeatureError{
MinimumVersion: v,
Name: name,
return result
// A Version in the form Major.Minor.Patch.
type Version [3]uint16
// NewVersion creates a version from a string like "Major.Minor.Patch".
// Patch is optional.
func NewVersion(ver string) (Version, error) {
var major, minor, patch uint16
n, _ := fmt.Sscanf(ver, "%d.%d.%d", &major, &minor, &patch)
if n < 2 {
return Version{}, xerrors.Errorf("invalid version: %s", ver)
return Version{major, minor, patch}, nil
func (v Version) String() string {
if v[2] == 0 {
return fmt.Sprintf("v%d.%d", v[0], v[1])
return fmt.Sprintf("v%d.%d.%d", v[0], v[1], v[2])
// Less returns true if the version is less than another version.
func (v Version) Less(other Version) bool {
for i, a := range v {
if a == other[i] {
return a < other[i]
return false
package internal
import "golang.org/x/xerrors"
// DiscardZeroes makes sure that all written bytes are zero
// before discarding them.
type DiscardZeroes struct{}
func (DiscardZeroes) Write(p []byte) (int, error) {
for _, b := range p {
if b != 0 {
return 0, xerrors.New("encountered non-zero byte")
return len(p), nil
package internal
import "unsafe"
// NewPointer creates a 64-bit pointer from an unsafe Pointer.
func NewPointer(ptr unsafe.Pointer) Pointer {
return Pointer{ptr: ptr}
// NewSlicePointer creates a 64-bit pointer from a byte slice.
func NewSlicePointer(buf []byte) Pointer {
if len(buf) == 0 {
return Pointer{}
return Pointer{ptr: unsafe.Pointer(&buf[0])}
// NewStringPointer creates a 64-bit pointer from a string.
func NewStringPointer(str string) Pointer {
if str == "" {
return Pointer{}
// The kernel expects strings to be zero terminated
buf := make([]byte, len(str)+1)
copy(buf, str)
return Pointer{ptr: unsafe.Pointer(&buf[0])}
// +build armbe mips mips64p32
package internal
import (
// Pointer wraps an unsafe.Pointer to be 64bit to
// conform to the syscall specification.
type Pointer struct {
pad uint32
ptr unsafe.Pointer
// +build 386 amd64p32 arm mipsle mips64p32le
package internal
import (
// Pointer wraps an unsafe.Pointer to be 64bit to
// conform to the syscall specification.
type Pointer struct {
ptr unsafe.Pointer
pad uint32
// +build !386,!amd64p32,!arm,!mipsle,!mips64p32le
// +build !armbe,!mips,!mips64p32
package internal
import (
// Pointer wraps an unsafe.Pointer to be 64bit to
// conform to the syscall specification.
type Pointer struct {
ptr unsafe.Pointer
package internal
import (
// BPF wraps SYS_BPF.
// Any pointers contained in attr must use the Pointer type from this package.
func BPF(cmd int, attr unsafe.Pointer, size uintptr) (uintptr, error) {
r1, _, errNo := unix.Syscall(unix.SYS_BPF, uintptr(cmd), uintptr(attr), size)
var err error
if errNo != 0 {
err = errNo
return r1, err
// +build linux
package unix
import (
linux "golang.org/x/sys/unix"
const (
PerfBitWatermark = linux.PerfBitWatermark
// Statfs_t is a wrapper
type Statfs_t = linux.Statfs_t
// Rlimit is a wrapper
type Rlimit = linux.Rlimit
// Setrlimit is a wrapper
func Setrlimit(resource int, rlim *Rlimit) (err error) {
return linux.Setrlimit(resource, rlim)
// Syscall is a wrapper
func Syscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) {
return linux.Syscall(trap, a1, a2, a3)
// FcntlInt is a wrapper
func FcntlInt(fd uintptr, cmd, arg int) (int, error) {
return linux.FcntlInt(fd, cmd, arg)
// Statfs is a wrapper
func Statfs(path string, buf *Statfs_t) (err error) {
return linux.Statfs(path, buf)
// Close is a wrapper
func Close(fd int) (err error) {
return linux.Close(fd)
// EpollEvent is a wrapper
type EpollEvent = linux.EpollEvent
// EpollWait is a wrapper
func EpollWait(epfd int, events []EpollEvent, msec int) (n int, err error) {
return linux.EpollWait(epfd, events, msec)
// EpollCtl is a wrapper
func EpollCtl(epfd int, op int, fd int, event *EpollEvent) (err error) {
return linux.EpollCtl(epfd, op, fd, event)
// Eventfd is a wrapper
func Eventfd(initval uint, flags int) (fd int, err error) {
return linux.Eventfd(initval, flags)
// Write is a wrapper
func Write(fd int, p []byte) (n int, err error) {
return linux.Write(fd, p)
// EpollCreate1 is a wrapper
func EpollCreate1(flag int) (fd int, err error) {
return linux.EpollCreate1(flag)
// PerfEventMmapPage is a wrapper
type PerfEventMmapPage linux.PerfEventMmapPage
// SetNonblock is a wrapper
func SetNonblock(fd int, nonblocking bool) (err error) {
return linux.SetNonblock(fd, nonblocking)
// Mmap is a wrapper
func Mmap(fd int, offset int64, length int, prot int, flags int) (data []byte, err error) {
return linux.Mmap(fd, offset, length, prot, flags)
// Munmap is a wrapper
func Munmap(b []byte) (err error) {
return linux.Munmap(b)
// PerfEventAttr is a wrapper
type PerfEventAttr = linux.PerfEventAttr
// PerfEventOpen is a wrapper
func PerfEventOpen(attr *PerfEventAttr, pid int, cpu int, groupFd int, flags int) (fd int, err error) {
return linux.PerfEventOpen(attr, pid, cpu, groupFd, flags)
// Utsname is a wrapper
type Utsname = linux.Utsname
// Uname is a wrapper
func Uname(buf *Utsname) (err error) {
return linux.Uname(buf)
// Getpid is a wrapper
func Getpid() int {
return linux.Getpid()
// Gettid is a wrapper
func Gettid() int {
return linux.Gettid()
// Tgkill is a wrapper
func Tgkill(tgid int, tid int, sig syscall.Signal) (err error) {
return linux.Tgkill(tgid, tid, sig)
// +build !linux
package unix
import (
var errNonLinux = fmt.Errorf("unsupported platform %s/%s", runtime.GOOS, runtime.GOARCH)
const (
EINTR = syscall.EINTR
ESRCH = syscall.ESRCH
SYS_BPF = 321
O_CLOEXEC = 0x80000
O_NONBLOCK = 0x800
PerfBitWatermark = 0x4000
RLIM_INFINITY = 0x7fffffffffffffff
// Statfs_t is a wrapper
type Statfs_t struct {
Type int64
Bsize int64
Blocks uint64
Bfree uint64
Bavail uint64
Files uint64
Ffree uint64
Fsid [2]int32
Namelen int64
Frsize int64
Flags int64
Spare [4]int64
// Rlimit is a wrapper
type Rlimit struct {
Cur uint64
Max uint64
// Setrlimit is a wrapper
func Setrlimit(resource int, rlim *Rlimit) (err error) {
return errNonLinux
// Syscall is a wrapper
func Syscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno) {
return 0, 0, syscall.Errno(1)
// FcntlInt is a wrapper
func FcntlInt(fd uintptr, cmd, arg int) (int, error) {
return -1, errNonLinux
// Statfs is a wrapper
func Statfs(path string, buf *Statfs_t) error {
return errNonLinux
// Close is a wrapper
func Close(fd int) (err error) {
return errNonLinux
// EpollEvent is a wrapper
type EpollEvent struct {
Events uint32
Fd int32
Pad int32
// EpollWait is a wrapper
func EpollWait(epfd int, events []EpollEvent, msec int) (n int, err error) {
return 0, errNonLinux
// EpollCtl is a wrapper
func EpollCtl(epfd int, op int, fd int, event *EpollEvent) (err error) {
return errNonLinux
// Eventfd is a wrapper
func Eventfd(initval uint, flags int) (fd int, err error) {
return 0, errNonLinux
// Write is a wrapper
func Write(fd int, p []byte) (n int, err error) {
return 0, errNonLinux
// EpollCreate1 is a wrapper
func EpollCreate1(flag int) (fd int, err error) {
return 0, errNonLinux
// PerfEventMmapPage is a wrapper
type PerfEventMmapPage struct {
Version uint32
Compat_version uint32
Lock uint32
Index uint32
Offset int64
Time_enabled uint64
Time_running uint64
Capabilities uint64
Pmc_width uint16
Time_shift uint16
Time_mult uint32
Time_offset uint64
Time_zero uint64
Size uint32
Data_head uint64
Data_tail uint64
Data_offset uint64
Data_size uint64
Aux_head uint64
Aux_tail uint64
Aux_offset uint64
Aux_size uint64
// SetNonblock is a wrapper
func SetNonblock(fd int, nonblocking bool) (err error) {
return errNonLinux
// Mmap is a wrapper
func Mmap(fd int, offset int64, length int, prot int, flags int) (data []byte, err error) {
return []byte{}, errNonLinux
// Munmap is a wrapper
func Munmap(b []byte) (err error) {
return errNonLinux
// PerfEventAttr is a wrapper
type PerfEventAttr struct {
Type uint32
Size uint32
Config uint64
Sample uint64
Sample_type uint64
Read_format uint64
Bits uint64
Wakeup uint32
Bp_type uint32
Ext1 uint64
Ext2 uint64
Branch_sample_type uint64
Sample_regs_user uint64
Sample_stack_user uint32
Clockid int32
Sample_regs_intr uint64
Aux_watermark uint32
Sample_max_stack uint16
// PerfEventOpen is a wrapper
func PerfEventOpen(attr *PerfEventAttr, pid int, cpu int, groupFd int, flags int) (fd int, err error) {
return 0, errNonLinux
// Utsname is a wrapper
type Utsname struct {
Release [65]byte
// Uname is a wrapper
func Uname(buf *Utsname) (err error) {
return errNonLinux
// Getpid is a wrapper
func Getpid() int {
return -1
// Gettid is a wrapper
func Gettid() int {
return -1
// Tgkill is a wrapper
func Tgkill(tgid int, tid int, sig syscall.Signal) (err error) {
return errNonLinux
package ebpf
import (
// link resolves bpf-to-bpf calls.
// Each library may contain multiple functions / labels, and is only linked
// if prog references one of these functions.
// Libraries also linked.
func link(prog *ProgramSpec, libs []*ProgramSpec) error {
var (
linked = make(map[*ProgramSpec]bool)
pending = []asm.Instructions{prog.Instructions}
insns asm.Instructions
for len(pending) > 0 {
insns, pending = pending[0], pending[1:]
for _, lib := range libs {
if linked[lib] {
needed, err := needSection(insns, lib.Instructions)
if err != nil {
return xerrors.Errorf("linking %s: %w", lib.Name, err)
if !needed {
linked[lib] = true
prog.Instructions = append(prog.Instructions, lib.Instructions...)
pending = append(pending, lib.Instructions)
if prog.BTF != nil && lib.BTF != nil {
if err := btf.ProgramAppend(prog.BTF, lib.BTF); err != nil {
return xerrors.Errorf("linking BTF of %s: %w", lib.Name, err)
return nil
func needSection(insns, section asm.Instructions) (bool, error) {
// A map of symbols to the libraries which contain them.
symbols, err := section.SymbolOffsets()
if err != nil {
return false, err
for _, ins := range insns {
if ins.Reference == "" {
if ins.OpCode.JumpOp() != asm.Call || ins.Src != asm.PseudoCall {
if ins.Constant != -1 {
// This is already a valid call, no need to link again.
if _, ok := symbols[ins.Reference]; !ok {
// Symbol isn't available in this section
// At this point we know that at least one function in the
// library is called from insns, so we have to link it.
return true, nil
// None of the functions in the section are called.
return false, nil
package ebpf
import (
// Errors returned by Map and MapIterator methods.
var (
ErrKeyNotExist = xerrors.New("key does not exist")
ErrIterationAborted = xerrors.New("iteration aborted")
// MapID represents the unique ID of an eBPF map
type MapID uint32
// MapSpec defines a Map.
type MapSpec struct {
// Name is passed to the kernel as a debug aid. Must only contain
// alpha numeric and '_' characters.
Name string
Type MapType
KeySize uint32
ValueSize uint32
MaxEntries uint32
Flags uint32
// The initial contents of the map. May be nil.
Contents []MapKV
// Whether to freeze a map after setting its initial contents.
Freeze bool
// InnerMap is used as a template for ArrayOfMaps and HashOfMaps
InnerMap *MapSpec
// The BTF associated with this map.
BTF *btf.Map
func (ms *MapSpec) String() string {
return fmt.Sprintf("%s(keySize=%d, valueSize=%d, maxEntries=%d, flags=%d)", ms.Type, ms.KeySize, ms.ValueSize, ms.MaxEntries, ms.Flags)
// Copy returns a copy of the spec.
// MapSpec.Contents is a shallow copy.
func (ms *MapSpec) Copy() *MapSpec {
if ms == nil {
return nil
cpy := *ms
cpy.Contents = make([]MapKV, len(ms.Contents))
copy(cpy.Contents, ms.Contents)
cpy.InnerMap = ms.InnerMap.Copy()
return &cpy
// MapKV is used to initialize the contents of a Map.
type MapKV struct {
Key interface{}
Value interface{}
// Map represents a Map file descriptor.
// It is not safe to close a map which is used by other goroutines.
// Methods which take interface{} arguments by default encode
// them using binary.Read/Write in the machine's native endianness.
// Implement encoding.BinaryMarshaler or encoding.BinaryUnmarshaler
// if you require custom encoding.
type Map struct {
name string
fd *internal.FD
abi MapABI
// Per CPU maps return values larger than the size in the spec
fullValueSize int
// NewMapFromFD creates a map from a raw fd.
// You should not use fd after calling this function.
func NewMapFromFD(fd int) (*Map, error) {
if fd < 0 {
return nil, xerrors.New("invalid fd")
bpfFd := internal.NewFD(uint32(fd))
name, abi, err := newMapABIFromFd(bpfFd)
if err != nil {
return nil, err
return newMap(bpfFd, name, abi)
// NewMap creates a new Map.
// Creating a map for the first time will perform feature detection
// by creating small, temporary maps.
func NewMap(spec *MapSpec) (*Map, error) {
if spec.BTF == nil {
return newMapWithBTF(spec, nil)
handle, err := btf.NewHandle(btf.MapSpec(spec.BTF))
if err != nil && !xerrors.Is(err, btf.ErrNotSupported) {
return nil, xerrors.Errorf("can't load BTF: %w", err)
return newMapWithBTF(spec, handle)
func newMapWithBTF(spec *MapSpec, handle *btf.Handle) (*Map, error) {
if spec.Type != ArrayOfMaps && spec.Type != HashOfMaps {
return createMap(spec, nil, handle)
if spec.InnerMap == nil {
return nil, xerrors.Errorf("%s requires InnerMap", spec.Type)
template, err := createMap(spec.InnerMap, nil, handle)
if err != nil {
return nil, err
defer template.Close()
return createMap(spec, template.fd, handle)
func createMap(spec *MapSpec, inner *internal.FD, handle *btf.Handle) (*Map, error) {
abi := newMapABIFromSpec(spec)
switch spec.Type {
case ArrayOfMaps:
case HashOfMaps:
if err := haveNestedMaps(); err != nil {
return nil, err
if abi.ValueSize != 0 && abi.ValueSize != 4 {
return nil, xerrors.New("ValueSize must be zero or four for map of map")
abi.ValueSize = 4
case PerfEventArray:
if abi.KeySize != 0 && abi.KeySize != 4 {
return nil, xerrors.New("KeySize must be zero or four for perf event array")
abi.KeySize = 4
if abi.ValueSize != 0 && abi.ValueSize != 4 {
return nil, xerrors.New("ValueSize must be zero or four for perf event array")
abi.ValueSize = 4
if abi.MaxEntries == 0 {
n, err := internal.PossibleCPUs()
if err != nil {
return nil, xerrors.Errorf("perf event array: %w", err)
abi.MaxEntries = uint32(n)
if abi.Flags&(unix.BPF_F_RDONLY_PROG|unix.BPF_F_WRONLY_PROG) > 0 || spec.Freeze {
if err := haveMapMutabilityModifiers(); err != nil {
return nil, xerrors.Errorf("map create: %w", err)
attr := bpfMapCreateAttr{
mapType: abi.Type,
keySize: abi.KeySize,
valueSize: abi.ValueSize,
maxEntries: abi.MaxEntries,
flags: abi.Flags,
if inner != nil {
var err error
attr.innerMapFd, err = inner.Value()
if err != nil {
return nil, xerrors.Errorf("map create: %w", err)
if handle != nil && spec.BTF != nil {
attr.btfFd = uint32(handle.FD())
attr.btfKeyTypeID = btf.MapKey(spec.BTF).ID()
attr.btfValueTypeID = btf.MapValue(spec.BTF).ID()
if haveObjName() == nil {
attr.mapName = newBPFObjName(spec.Name)
fd, err := bpfMapCreate(&attr)
if err != nil {
return nil, xerrors.Errorf("map create: %w", err)
m, err := newMap(fd, spec.Name, abi)
if err != nil {
return nil, err
if err := m.populate(spec.Contents); err != nil {
return nil, xerrors.Errorf("map create: can't set initial contents: %w", err)
if spec.Freeze {
if err := m.Freeze(); err != nil {
return nil, xerrors.Errorf("can't freeze map: %w", err)
return m, nil
func newMap(fd *internal.FD, name string, abi *MapABI) (*Map, error) {
m := &Map{
if !abi.Type.hasPerCPUValue() {
return m, nil
possibleCPUs, err := internal.PossibleCPUs()
if err != nil {
return nil, err
m.fullValueSize = align(int(abi.ValueSize), 8) * possibleCPUs
return m, nil
func (m *Map) String() string {
if m.name != "" {
return fmt.Sprintf("%s(%s)#%v", m.abi.Type, m.name, m.fd)
return fmt.Sprintf("%s#%v", m.abi.Type, m.fd)
// ABI gets the ABI of the Map
func (m *Map) ABI() MapABI {
return m.abi
// Lookup retrieves a value from a Map.
// Calls Close() on valueOut if it is of type **Map or **Program,
// and *valueOut is not nil.
// Returns an error if the key doesn't exist, see IsNotExist.
func (m *Map) Lookup(key, valueOut interface{}) error {
valuePtr, valueBytes := makeBuffer(valueOut, m.fullValueSize)
if err := m.lookup(key, valuePtr); err != nil {
return err
if valueBytes == nil {
return nil
if m.abi.Type.hasPerCPUValue() {
return unmarshalPerCPUValue(valueOut, int(m.abi.ValueSize), valueBytes)
switch value := valueOut.(type) {
case **Map:
m, err := unmarshalMap(valueBytes)
if err != nil {
return err
*value = m
return nil
case *Map:
return xerrors.Errorf("can't unmarshal into %T, need %T", value, (**Map)(nil))
case Map:
return xerrors.Errorf("can't unmarshal into %T, need %T", value, (**Map)(nil))
case **Program:
p, err := unmarshalProgram(valueBytes)
if err != nil {
return err
*value = p
return nil
case *Program:
return xerrors.Errorf("can't unmarshal into %T, need %T", value, (**Program)(nil))
case Program:
return xerrors.Errorf("can't unmarshal into %T, need %T", value, (**Program)(nil))
return unmarshalBytes(valueOut, valueBytes)
// LookupAndDelete retrieves and deletes a value from a Map.
// Returns ErrKeyNotExist if the key doesn't exist.
func (m *Map) LookupAndDelete(key, valueOut interface{}) error {
valuePtr, valueBytes := makeBuffer(valueOut, m.fullValueSize)
keyPtr, err := marshalPtr(key, int(m.abi.KeySize))
if err != nil {
return xerrors.Errorf("can't marshal key: %w", err)
if err := bpfMapLookupAndDelete(m.fd, keyPtr, valuePtr); err != nil {
return xerrors.Errorf("lookup and delete failed: %w", err)
return unmarshalBytes(valueOut, valueBytes)
// LookupBytes gets a value from Map.
// Returns a nil value if a key doesn't exist.
func (m *Map) LookupBytes(key interface{}) ([]byte, error) {
valueBytes := make([]byte, m.fullValueSize)
valuePtr := internal.NewSlicePointer(valueBytes)
err := m.lookup(key, valuePtr)
if xerrors.Is(err, ErrKeyNotExist) {
return nil, nil
return valueBytes, err
func (m *Map) lookup(key interface{}, valueOut internal.Pointer) error {
keyPtr, err := marshalPtr(key, int(m.abi.KeySize))
if err != nil {
return xerrors.Errorf("can't marshal key: %w", err)
if err = bpfMapLookupElem(m.fd, keyPtr, valueOut); err != nil {
return xerrors.Errorf("lookup failed: %w", err)
return nil
// MapUpdateFlags controls the behaviour of the Map.Update call.
// The exact semantics depend on the specific MapType.
type MapUpdateFlags uint64
const (
// UpdateAny creates a new element or update an existing one.
UpdateAny MapUpdateFlags = iota
// UpdateNoExist creates a new element.
UpdateNoExist MapUpdateFlags = 1 << (iota - 1)
// UpdateExist updates an existing element.
// Put replaces or creates a value in map.
// It is equivalent to calling Update with UpdateAny.
func (m *Map) Put(key, value interface{}) error {
return m.Update(key, value, UpdateAny)
// Update changes the value of a key.
func (m *Map) Update(key, value interface{}, flags MapUpdateFlags) error {
keyPtr, err := marshalPtr(key, int(m.abi.KeySize))
if err != nil {
return xerrors.Errorf("can't marshal key: %w", err)
var valuePtr internal.Pointer
if m.abi.Type.hasPerCPUValue() {
valuePtr, err = marshalPerCPUValue(value, int(m.abi.ValueSize))
} else {
valuePtr, err = marshalPtr(value, int(m.abi.ValueSize))
if err != nil {
return xerrors.Errorf("can't marshal value: %w", err)
if err = bpfMapUpdateElem(m.fd, keyPtr, valuePtr, uint64(flags)); err != nil {
return xerrors.Errorf("update failed: %w", err)
return nil
// Delete removes a value.
// Returns ErrKeyNotExist if the key does not exist.
func (m *Map) Delete(key interface{}) error {
keyPtr, err := marshalPtr(key, int(m.abi.KeySize))
if err != nil {
return xerrors.Errorf("can't marshal key: %w", err)
if err = bpfMapDeleteElem(m.fd, keyPtr); err != nil {
return xerrors.Errorf("delete failed: %w", err)
return nil
// NextKey finds the key following an initial key.
// See NextKeyBytes for details.
// Returns ErrKeyNotExist if there is no next key.
func (m *Map) NextKey(key, nextKeyOut interface{}) error {
nextKeyPtr, nextKeyBytes := makeBuffer(nextKeyOut, int(m.abi.KeySize))
if err := m.nextKey(key, nextKeyPtr); err != nil {
return err
if nextKeyBytes == nil {
return nil
if err := unmarshalBytes(nextKeyOut, nextKeyBytes); err != nil {
return xerrors.Errorf("can't unmarshal next key: %w", err)
return nil
// NextKeyBytes returns the key following an initial key as a byte slice.
// Passing nil will return the first key.
// Use Iterate if you want to traverse all entries in the map.
// Returns nil if there are no more keys.
func (m *Map) NextKeyBytes(key interface{}) ([]byte, error) {
nextKey := make([]byte, m.abi.KeySize)
nextKeyPtr := internal.NewSlicePointer(nextKey)
err := m.nextKey(key, nextKeyPtr)
if xerrors.Is(err, ErrKeyNotExist) {
return nil, nil
return nextKey, err
func (m *Map) nextKey(key interface{}, nextKeyOut internal.Pointer) error {
var (
keyPtr internal.Pointer
err error
if key != nil {
keyPtr, err = marshalPtr(key, int(m.abi.KeySize))
if err != nil {
return xerrors.Errorf("can't marshal key: %w", err)
if err = bpfMapGetNextKey(m.fd, keyPtr, nextKeyOut); err != nil {
return xerrors.Errorf("next key failed: %w", err)
return nil
// Iterate traverses a map.
// It's safe to create multiple iterators at the same time.
// It's not possible to guarantee that all keys in a map will be
// returned if there are concurrent modifications to the map.
func (m *Map) Iterate() *MapIterator {
return newMapIterator(m)
// Close removes a Map
func (m *Map) Close() error {
if m == nil {
// This makes it easier to clean up when iterating maps
// of maps / programs.
return nil
return m.fd.Close()
// FD gets the file descriptor of the Map.
// Calling this function is invalid after Close has been called.
func (m *Map) FD() int {
fd, err := m.fd.Value()
if err != nil {
// Best effort: -1 is the number most likely to be an
// invalid file descriptor.
return -1
return int(fd)
// Clone creates a duplicate of the Map.
// Closing the duplicate does not affect the original, and vice versa.
// Changes made to the map are reflected by both instances however.
// Cloning a nil Map returns nil.
func (m *Map) Clone() (*Map, error) {
if m == nil {
return nil, nil
dup, err := m.fd.Dup()
if err != nil {
return nil, xerrors.Errorf("can't clone map: %w", err)
return newMap(dup, m.name, &m.abi)
// Pin persists the map past the lifetime of the process that created it.
// This requires bpffs to be mounted above fileName. See http://cilium.readthedocs.io/en/doc-1.0/kubernetes/install/#mounting-the-bpf-fs-optional
func (m *Map) Pin(fileName string) error {
return bpfPinObject(fileName, m.fd)
// Freeze prevents a map to be modified from user space.
// It makes no changes to kernel-side restrictions.
func (m *Map) Freeze() error {
if err := haveMapMutabilityModifiers(); err != nil {
return xerrors.Errorf("can't freeze map: %w", err)
if err := bpfMapFreeze(m.fd); err != nil {
return xerrors.Errorf("can't freeze map: %w", err)
return nil
func (m *Map) populate(contents []MapKV) error {
for _, kv := range contents {
if err := m.Put(kv.Key, kv.Value); err != nil {
return xerrors.Errorf("key %v: %w", kv.Key, err)
return nil
// LoadPinnedMap load a Map from a BPF file.
// The function is not compatible with nested maps.
// Use LoadPinnedMapExplicit in these situations.
func LoadPinnedMap(fileName string) (*Map, error) {
fd, err := bpfGetObject(fileName)
if err != nil {
return nil, err
name, abi, err := newMapABIFromFd(fd)
if err != nil {
_ = fd.Close()
return nil, err
return newMap(fd, name, abi)
// LoadPinnedMapExplicit loads a map with explicit parameters.
func LoadPinnedMapExplicit(fileName string, abi *MapABI) (*Map, error) {
fd, err := bpfGetObject(fileName)
if err != nil {
return nil, err
return newMap(fd, "", abi)
func unmarshalMap(buf []byte) (*Map, error) {
if len(buf) != 4 {
return nil, xerrors.New("map id requires 4 byte value")
// Looking up an entry in a nested map or prog array returns an id,
// not an fd.
id := internal.NativeEndian.Uint32(buf)
return NewMapFromID(MapID(id))
// MarshalBinary implements BinaryMarshaler.
func (m *Map) MarshalBinary() ([]byte, error) {
fd, err := m.fd.Value()
if err != nil {
return nil, err
buf := make([]byte, 4)
internal.NativeEndian.PutUint32(buf, fd)
return buf, nil
func patchValue(value []byte, typ btf.Type, replacements map[string]interface{}) error {
replaced := make(map[string]bool)
replace := func(name string, offset, size int, replacement interface{}) error {
if offset+size > len(value) {
return xerrors.Errorf("%s: offset %d(+%d) is out of bounds", name, offset, size)
buf, err := marshalBytes(replacement, size)
if err != nil {
return xerrors.Errorf("marshal %s: %w", name, err)
copy(value[offset:offset+size], buf)
replaced[name] = true
return nil
switch parent := typ.(type) {
case *btf.Datasec:
for _, secinfo := range parent.Vars {
name := string(secinfo.Type.(*btf.Var).Name)
replacement, ok := replacements[name]
if !ok {
err := replace(name, int(secinfo.Offset), int(secinfo.Size), replacement)
if err != nil {
return err
return xerrors.Errorf("patching %T is not supported", typ)
if len(replaced) == len(replacements) {
return nil
var missing []string
for name := range replacements {
if !replaced[name] {
missing = append(missing, name)
if len(missing) == 1 {
return xerrors.Errorf("unknown field: %s", missing[0])
return xerrors.Errorf("unknown fields: %s", strings.Join(missing, ","))
// MapIterator iterates a Map.
// See Map.Iterate.
type MapIterator struct {
target *Map
prevKey interface{}
prevBytes []byte
count, maxEntries uint32
done bool
err error
func newMapIterator(target *Map) *MapIterator {
return &MapIterator{
target: target,
maxEntries: target.abi.MaxEntries,
prevBytes: make([]byte, int(target.abi.KeySize)),
// Next decodes the next key and value.
// Iterating a hash map from which keys are being deleted is not
// safe. You may see the same key multiple times. Iteration may
// also abort with an error, see IsIterationAborted.
// Returns false if there are no more entries. You must check
// the result of Err afterwards.
// See Map.Get for further caveats around valueOut.
func (mi *MapIterator) Next(keyOut, valueOut interface{}) bool {
if mi.err != nil || mi.done {
return false
for ; mi.count < mi.maxEntries; mi.count++ {
var nextBytes []byte
nextBytes, mi.err = mi.target.NextKeyBytes(mi.prevKey)
if mi.err != nil {
return false
if nextBytes == nil {
mi.done = true
return false
// The user can get access to nextBytes since unmarshalBytes
// does not copy when unmarshaling into a []byte.
// Make a copy to prevent accidental corruption of
// iterator state.
copy(mi.prevBytes, nextBytes)
mi.prevKey = mi.prevBytes
mi.err = mi.target.Lookup(nextBytes, valueOut)
if xerrors.Is(mi.err, ErrKeyNotExist) {
// Even though the key should be valid, we couldn't look up
// its value. If we're iterating a hash map this is probably
// because a concurrent delete removed the value before we
// could get it. This means that the next call to NextKeyBytes
// is very likely to restart iteration.
// If we're iterating one of the fd maps like
// ProgramArray it means that a given slot doesn't have
// a valid fd associated. It's OK to continue to the next slot.
if mi.err != nil {
return false
mi.err = unmarshalBytes(keyOut, nextBytes)
return mi.err == nil
mi.err = xerrors.Errorf("%w", ErrIterationAborted)
return false
// Err returns any encountered error.
// The method must be called after Next returns nil.
// Returns ErrIterationAborted if it wasn't possible to do a full iteration.
func (mi *MapIterator) Err() error {
return mi.err
// MapGetNextID returns the ID of the next eBPF map.
// Returns ErrNotExist, if there is no next eBPF map.
func MapGetNextID(startID MapID) (MapID, error) {
id, err := objGetNextID(_MapGetNextID, uint32(startID))
return MapID(id), err
// NewMapFromID returns the map for a given id.
// Returns ErrNotExist, if there is no eBPF map with the given id.
func NewMapFromID(id MapID) (*Map, error) {
fd, err := bpfObjGetFDByID(_MapGetFDByID, uint32(id))
if err != nil {
return nil, err
name, abi, err := newMapABIFromFd(fd)
if err != nil {
_ = fd.Close()
return nil, err
return newMap(fd, name, abi)
// ID returns the systemwide unique ID of the map.
func (m *Map) ID() (MapID, error) {
info, err := bpfGetMapInfoByFD(m.fd)
if err != nil {
return MapID(0), err
return MapID(info.id), nil
package ebpf
import (
func marshalPtr(data interface{}, length int) (internal.Pointer, error) {
if data == nil {
if length == 0 {
return internal.NewPointer(nil), nil
return internal.Pointer{}, xerrors.New("can't use nil as key of map")
if ptr, ok := data.(unsafe.Pointer); ok {
return internal.NewPointer(ptr), nil
buf, err := marshalBytes(data, length)
if err != nil {
return internal.Pointer{}, err
return internal.NewSlicePointer(buf), nil
func marshalBytes(data interface{}, length int) (buf []byte, err error) {
switch value := data.(type) {
case encoding.BinaryMarshaler:
buf, err = value.MarshalBinary()
case string:
buf = []byte(value)
case []byte:
buf = value
case unsafe.Pointer:
err = xerrors.New("can't marshal from unsafe.Pointer")
var wr bytes.Buffer
err = binary.Write(&wr, internal.NativeEndian, value)
if err != nil {
err = xerrors.Errorf("encoding %T: %v", value, err)
buf = wr.Bytes()
if err != nil {
return nil, err
if len(buf) != length {
return nil, xerrors.Errorf("%T doesn't marshal to %d bytes", data, length)
return buf, nil
func makeBuffer(dst interface{}, length int) (internal.Pointer, []byte) {
if ptr, ok := dst.(unsafe.Pointer); ok {
return internal.NewPointer(ptr), nil
buf := make([]byte, length)
return internal.NewSlicePointer(buf), buf
func unmarshalBytes(data interface{}, buf []byte) error {
switch value := data.(type) {
case unsafe.Pointer:
sh := &reflect.SliceHeader{
Data: uintptr(value),
Len: len(buf),
Cap: len(buf),
dst := *(*[]byte)(unsafe.Pointer(sh))
copy(dst, buf)
return nil
case encoding.BinaryUnmarshaler:
return value.UnmarshalBinary(buf)
case *string:
*value = string(buf)
return nil
case *[]byte:
*value = buf
return nil
case string:
return xerrors.New("require pointer to string")
case []byte:
return xerrors.New("require pointer to []byte")
rd := bytes.NewReader(buf)
if err := binary.Read(rd, internal.NativeEndian, value); err != nil {
return xerrors.Errorf("decoding %T: %v", value, err)
return nil
// marshalPerCPUValue encodes a slice containing one value per
// possible CPU into a buffer of bytes.
// Values are initialized to zero if the slice has less elements than CPUs.
// slice must have a type like []elementType.
func marshalPerCPUValue(slice interface{}, elemLength int) (internal.Pointer, error) {
sliceType := reflect.TypeOf(slice)
if sliceType.Kind() != reflect.Slice {
return internal.Pointer{}, xerrors.New("per-CPU value requires slice")
possibleCPUs, err := internal.PossibleCPUs()
if err != nil {
return internal.Pointer{}, err
sliceValue := reflect.ValueOf(slice)
sliceLen := sliceValue.Len()
if sliceLen > possibleCPUs {
return internal.Pointer{}, xerrors.Errorf("per-CPU value exceeds number of CPUs")
alignedElemLength := align(elemLength, 8)
buf := make([]byte, alignedElemLength*possibleCPUs)
for i := 0; i < sliceLen; i++ {
elem := sliceValue.Index(i).Interface()
elemBytes, err := marshalBytes(elem, elemLength)
if err != nil {
return internal.Pointer{}, err
offset := i * alignedElemLength
copy(buf[offset:offset+elemLength], elemBytes)
return internal.NewSlicePointer(buf), nil
// unmarshalPerCPUValue decodes a buffer into a slice containing one value per
// possible CPU.
// valueOut must have a type like *[]elementType
func unmarshalPerCPUValue(slicePtr interface{}, elemLength int, buf []byte) error {
slicePtrType := reflect.TypeOf(slicePtr)
if slicePtrType.Kind() != reflect.Ptr || slicePtrType.Elem().Kind() != reflect.Slice {
return xerrors.Errorf("per-cpu value requires pointer to slice")
possibleCPUs, err := internal.PossibleCPUs()
if err != nil {
return err
sliceType := slicePtrType.Elem()
slice := reflect.MakeSlice(sliceType, possibleCPUs, possibleCPUs)
sliceElemType := sliceType.Elem()
sliceElemIsPointer := sliceElemType.Kind() == reflect.Ptr
if sliceElemIsPointer {
sliceElemType = sliceElemType.Elem()
step := len(buf) / possibleCPUs
if step < elemLength {
return xerrors.Errorf("per-cpu element length is larger than available data")
for i := 0; i < possibleCPUs; i++ {
var elem interface{}
if sliceElemIsPointer {
newElem := reflect.New(sliceElemType)
elem = newElem.Interface()
} else {
elem = slice.Index(i).Addr().Interface()
// Make a copy, since unmarshal can hold on to itemBytes
elemBytes := make([]byte, elemLength)
copy(elemBytes, buf[:elemLength])
err := unmarshalBytes(elem, elemBytes)
if err != nil {
return xerrors.Errorf("cpu %d: %w", i, err)
buf = buf[step:]
return nil
func align(n, alignment int) int {
return (int(n) + alignment - 1) / alignment * alignment
package ebpf
import (
// ErrNotSupported is returned whenever the kernel doesn't support a feature.
var ErrNotSupported = internal.ErrNotSupported
// ProgramID represents the unique ID of an eBPF program
type ProgramID uint32
const (
// Number of bytes to pad the output buffer for BPF_PROG_TEST_RUN.
// This is currently the maximum of spare space allocated for SKB
// and XDP programs, and equal to XDP_PACKET_HEADROOM + NET_IP_ALIGN.
outputPad = 256 + 2
// DefaultVerifierLogSize is the default number of bytes allocated for the
// verifier log.
const DefaultVerifierLogSize = 64 * 1024
// ProgramOptions control loading a program into the kernel.
type ProgramOptions struct {
// Controls the detail emitted by the kernel verifier. Set to non-zero
// to enable logging.
LogLevel uint32
// Controls the output buffer size for the verifier. Defaults to
// DefaultVerifierLogSize.
LogSize int
// ProgramSpec defines a Program
type ProgramSpec struct {
// Name is passed to the kernel as a debug aid. Must only contain
// alpha numeric and '_' characters.
Name string
Type ProgramType
AttachType AttachType
Instructions asm.Instructions
License string
KernelVersion uint32
// The BTF associated with this program. Changing Instructions
// will most likely invalidate the contained data, and may
// result in errors when attempting to load it into the kernel.
BTF *btf.Program
// Copy returns a copy of the spec.
func (ps *ProgramSpec) Copy() *ProgramSpec {
if ps == nil {
return nil
cpy := *ps
cpy.Instructions = make(asm.Instructions, len(ps.Instructions))
copy(cpy.Instructions, ps.Instructions)
return &cpy
// Program represents BPF program loaded into the kernel.
// It is not safe to close a Program which is used by other goroutines.
type Program struct {
// Contains the output of the kernel verifier if enabled,
// otherwise it is empty.
VerifierLog string
fd *internal.FD
name string
abi ProgramABI
// NewProgram creates a new Program.
// Loading a program for the first time will perform
// feature detection by loading small, temporary programs.
func NewProgram(spec *ProgramSpec) (*Program, error) {
return NewProgramWithOptions(spec, ProgramOptions{})
// NewProgramWithOptions creates a new Program.
// Loading a program for the first time will perform
// feature detection by loading small, temporary programs.
func NewProgramWithOptions(spec *ProgramSpec, opts ProgramOptions) (*Program, error) {
if spec.BTF == nil {
return newProgramWithBTF(spec, nil, opts)
handle, err := btf.NewHandle(btf.ProgramSpec(spec.BTF))
if err != nil && !xerrors.Is(err, btf.ErrNotSupported) {
return nil, xerrors.Errorf("can't load BTF: %w", err)
return newProgramWithBTF(spec, handle, opts)
func newProgramWithBTF(spec *ProgramSpec, btf *btf.Handle, opts ProgramOptions) (*Program, error) {
attr, err := convertProgramSpec(spec, btf)
if err != nil {
return nil, err
logSize := DefaultVerifierLogSize
if opts.LogSize > 0 {
logSize = opts.LogSize
var logBuf []byte
if opts.LogLevel > 0 {
logBuf = make([]byte, logSize)
attr.logLevel = opts.LogLevel
attr.logSize = uint32(len(logBuf))
attr.logBuf = internal.NewSlicePointer(logBuf)
fd, err := bpfProgLoad(attr)
if err == nil {
prog := newProgram(fd, spec.Name, &ProgramABI{spec.Type})
prog.VerifierLog = internal.CString(logBuf)
return prog, nil
logErr := err
if opts.LogLevel == 0 {
// Re-run with the verifier enabled to get better error messages.
logBuf = make([]byte, logSize)
attr.logLevel = 1
attr.logSize = uint32(len(logBuf))
attr.logBuf = internal.NewSlicePointer(logBuf)
_, logErr = bpfProgLoad(attr)
err = internal.ErrorWithLog(err, logBuf, logErr)
return nil, xerrors.Errorf("can't load program: %w", err)
// NewProgramFromFD creates a program from a raw fd.
// You should not use fd after calling this function.
// Requires at least Linux 4.11.
func NewProgramFromFD(fd int) (*Program, error) {
if fd < 0 {
return nil, xerrors.New("invalid fd")
bpfFd := internal.NewFD(uint32(fd))
name, abi, err := newProgramABIFromFd(bpfFd)
if err != nil {
return nil, err
return newProgram(bpfFd, name, abi), nil
func newProgram(fd *internal.FD, name string, abi *ProgramABI) *Program {
return &Program{
name: name,
fd: fd,
abi: *abi,
func convertProgramSpec(spec *ProgramSpec, handle *btf.Handle) (*bpfProgLoadAttr, error) {
if len(spec.Instructions) == 0 {
return nil, xerrors.New("Instructions cannot be empty")
if len(spec.License) == 0 {
return nil, xerrors.New("License cannot be empty")
buf := bytes.NewBuffer(make([]byte, 0, len(spec.Instructions)*asm.InstructionSize))
err := spec.Instructions.Marshal(buf, internal.NativeEndian)
if err != nil {
return nil, err
bytecode := buf.Bytes()
insCount := uint32(len(bytecode) / asm.InstructionSize)
attr := &bpfProgLoadAttr{
progType: spec.Type,
expectedAttachType: spec.AttachType,
insCount: insCount,
instructions: internal.NewSlicePointer(bytecode),
license: internal.NewStringPointer(spec.License),
kernelVersion: spec.KernelVersion,
if haveObjName() == nil {
attr.progName = newBPFObjName(spec.Name)
if handle != nil && spec.BTF != nil {
attr.progBTFFd = uint32(handle.FD())
recSize, bytes, err := btf.ProgramLineInfos(spec.BTF)
if err != nil {
return nil, xerrors.Errorf("can't get BTF line infos: %w", err)
attr.lineInfoRecSize = recSize
attr.lineInfoCnt = uint32(uint64(len(bytes)) / uint64(recSize))
attr.lineInfo = internal.NewSlicePointer(bytes)
recSize, bytes, err = btf.ProgramFuncInfos(spec.BTF)
if err != nil {
return nil, xerrors.Errorf("can't get BTF function infos: %w", err)
attr.funcInfoRecSize = recSize
attr.funcInfoCnt = uint32(uint64(len(bytes)) / uint64(recSize))
attr.funcInfo = internal.NewSlicePointer(bytes)
return attr, nil
func (p *Program) String() string {
if p.name != "" {
return fmt.Sprintf("%s(%s)#%v", p.abi.Type, p.name, p.fd)
return fmt.Sprintf("%s#%v", p.abi.Type, p.fd)
// ABI gets the ABI of the Program
func (p *Program) ABI() ProgramABI {
return p.abi
// FD gets the file descriptor of the Program.
// It is invalid to call this function after Close has been called.
func (p *Program) FD() int {
fd, err := p.fd.Value()
if err != nil {
// Best effort: -1 is the number most likely to be an
// invalid file descriptor.
return -1
return int(fd)
// Clone creates a duplicate of the Program.
// Closing the duplicate does not affect the original, and vice versa.
// Cloning a nil Program returns nil.
func (p *Program) Clone() (*Program, error) {
if p == nil {
return nil, nil
dup, err := p.fd.Dup()
if err != nil {
return nil, xerrors.Errorf("can't clone program: %w", err)
return newProgram(dup, p.name, &p.abi), nil
// Pin persists the Program past the lifetime of the process that created it
// This requires bpffs to be mounted above fileName. See http://cilium.readthedocs.io/en/doc-1.0/kubernetes/install/#mounting-the-bpf-fs-optional
func (p *Program) Pin(fileName string) error {
if err := bpfPinObject(fileName, p.fd); err != nil {
return xerrors.Errorf("can't pin program: %w", err)
return nil
// Close unloads the program from the kernel.
func (p *Program) Close() error {
if p == nil {
return nil
return p.fd.Close()
// Test runs the Program in the kernel with the given input and returns the
// value returned by the eBPF program. outLen may be zero.
// Note: the kernel expects at least 14 bytes input for an ethernet header for
// XDP and SKB programs.
// This function requires at least Linux 4.12.
func (p *Program) Test(in []byte) (uint32, []byte, error) {
ret, out, _, err := p.testRun(in, 1, nil)
if err != nil {
return ret, nil, xerrors.Errorf("can't test program: %w", err)
return ret, out, nil
// Benchmark runs the Program with the given input for a number of times
// and returns the time taken per iteration.
// Returns the result of the last execution of the program and the time per
// run or an error. reset is called whenever the benchmark syscall is
// interrupted, and should be set to testing.B.ResetTimer or similar.
// Note: profiling a call to this function will skew it's results, see
// https://github.com/cilium/ebpf/issues/24
// This function requires at least Linux 4.12.
func (p *Program) Benchmark(in []byte, repeat int, reset func()) (uint32, time.Duration, error) {
ret, _, total, err := p.testRun(in, repeat, reset)
if err != nil {
return ret, total, xerrors.Errorf("can't benchmark program: %w", err)
return ret, total, nil
var haveProgTestRun = internal.FeatureTest("BPF_PROG_TEST_RUN", "4.12", func() bool {
prog, err := NewProgram(&ProgramSpec{
Type: SocketFilter,
Instructions: asm.Instructions{
asm.LoadImm(asm.R0, 0, asm.DWord),
License: "MIT",
if err != nil {
// This may be because we lack sufficient permissions, etc.
return false
defer prog.Close()
fd, err := prog.fd.Value()
if err != nil {
return false
// Programs require at least 14 bytes input
in := make([]byte, 14)
attr := bpfProgTestRunAttr{
fd: fd,
dataSizeIn: uint32(len(in)),
dataIn: internal.NewSlicePointer(in),
_, err = internal.BPF(_ProgTestRun, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
// Check for EINVAL specifically, rather than err != nil since we
// otherwise misdetect due to insufficient permissions.
return !xerrors.Is(err, unix.EINVAL)
func (p *Program) testRun(in []byte, repeat int, reset func()) (uint32, []byte, time.Duration, error) {
if uint(repeat) > math.MaxUint32 {
return 0, nil, 0, fmt.Errorf("repeat is too high")
if len(in) == 0 {
return 0, nil, 0, fmt.Errorf("missing input")
if uint(len(in)) > math.MaxUint32 {
return 0, nil, 0, fmt.Errorf("input is too long")
if err := haveProgTestRun(); err != nil {
return 0, nil, 0, err
// Older kernels ignore the dataSizeOut argument when copying to user space.
// Combined with things like bpf_xdp_adjust_head() we don't really know what the final
// size will be. Hence we allocate an output buffer which we hope will always be large
// enough, and panic if the kernel wrote past the end of the allocation.
// See https://patchwork.ozlabs.org/cover/1006822/
out := make([]byte, len(in)+outputPad)
fd, err := p.fd.Value()
if err != nil {
return 0, nil, 0, err
attr := bpfProgTestRunAttr{
fd: fd,
dataSizeIn: uint32(len(in)),
dataSizeOut: uint32(len(out)),
dataIn: internal.NewSlicePointer(in),
dataOut: internal.NewSlicePointer(out),
repeat: uint32(repeat),
for {
_, err = internal.BPF(_ProgTestRun, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
if err == nil {
if xerrors.Is(err, unix.EINTR) {
if reset != nil {
return 0, nil, 0, xerrors.Errorf("can't run test: %w", err)
if int(attr.dataSizeOut) > cap(out) {
// Houston, we have a problem. The program created more data than we allocated,
// and the kernel wrote past the end of our buffer.
panic("kernel wrote past end of output buffer")
out = out[:int(attr.dataSizeOut)]
total := time.Duration(attr.duration) * time.Nanosecond
return attr.retval, out, total, nil
func unmarshalProgram(buf []byte) (*Program, error) {
if len(buf) != 4 {
return nil, xerrors.New("program id requires 4 byte value")
// Looking up an entry in a nested map or prog array returns an id,
// not an fd.
id := internal.NativeEndian.Uint32(buf)
return NewProgramFromID(ProgramID(id))
// MarshalBinary implements BinaryMarshaler.
func (p *Program) MarshalBinary() ([]byte, error) {
value, err := p.fd.Value()
if err != nil {
return nil, err
buf := make([]byte, 4)
internal.NativeEndian.PutUint32(buf, value)
return buf, nil
// Attach a Program to a container object fd
func (p *Program) Attach(fd int, typ AttachType, flags AttachFlags) error {
if fd < 0 {
return xerrors.New("invalid fd")
pfd, err := p.fd.Value()
if err != nil {
return err
attr := bpfProgAlterAttr{
targetFd: uint32(fd),
attachBpfFd: pfd,
attachType: uint32(typ),
attachFlags: uint32(flags),
return bpfProgAlter(_ProgAttach, &attr)
// Detach a Program from a container object fd
func (p *Program) Detach(fd int, typ AttachType, flags AttachFlags) error {
if fd < 0 {
return xerrors.New("invalid fd")
pfd, err := p.fd.Value()
if err != nil {
return err
attr := bpfProgAlterAttr{
targetFd: uint32(fd),
attachBpfFd: pfd,
attachType: uint32(typ),
attachFlags: uint32(flags),
return bpfProgAlter(_ProgDetach, &attr)
// LoadPinnedProgram loads a Program from a BPF file.
// Requires at least Linux 4.11.
func LoadPinnedProgram(fileName string) (*Program, error) {
fd, err := bpfGetObject(fileName)
if err != nil {
return nil, err
name, abi, err := newProgramABIFromFd(fd)
if err != nil {
_ = fd.Close()
return nil, xerrors.Errorf("can't get ABI for %s: %w", fileName, err)
return newProgram(fd, name, abi), nil
// SanitizeName replaces all invalid characters in name.
// Use this to automatically generate valid names for maps and
// programs at run time.
// Passing a negative value for replacement will delete characters
// instead of replacing them.
func SanitizeName(name string, replacement rune) string {
return strings.Map(func(char rune) rune {
if invalidBPFObjNameChar(char) {
return replacement
return char
}, name)
// ProgramGetNextID returns the ID of the next eBPF program.
// Returns ErrNotExist, if there is no next eBPF program.
func ProgramGetNextID(startID ProgramID) (ProgramID, error) {
id, err := objGetNextID(_ProgGetNextID, uint32(startID))
return ProgramID(id), err
// NewProgramFromID returns the program for a given id.
// Returns ErrNotExist, if there is no eBPF program with the given id.
func NewProgramFromID(id ProgramID) (*Program, error) {
fd, err := bpfObjGetFDByID(_ProgGetFDByID, uint32(id))
if err != nil {
return nil, err
name, abi, err := newProgramABIFromFd(fd)
if err != nil {
_ = fd.Close()
return nil, err
return newProgram(fd, name, abi), nil
// ID returns the systemwide unique ID of the program.
func (p *Program) ID() (ProgramID, error) {
info, err := bpfGetProgInfoByFD(p.fd)
if err != nil {
return ProgramID(0), err
return ProgramID(info.id), nil
eBPF is a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and is intended to be used in long running processes.
[ebpf/asm](https://godoc.org/github.com/cilium/ebpf/asm) contains a basic assembler.
The library is maintained by [Cloudflare](https://www.cloudflare.com) and [Cilium](https://www.cilium.io). Feel free to [join](https://cilium.herokuapp.com/) the [libbpf-go](https://cilium.slack.com/messages/libbpf-go) channel on Slack.
## Current status
The package is production ready, but **the API is explicitly unstable
right now**. Expect to update your code if you want to follow along.
## Requirements
* A version of Go that is [supported by upstream](https://golang.org/doc/devel/release.html#policy)
* Linux 4.9, 4.19 or 5.4 (versions in-between should work, but are not tested)
## Useful resources
* [Cilium eBPF documentation](https://cilium.readthedocs.io/en/latest/bpf/#bpf-guide) (recommended)
* [Linux documentation on BPF](http://elixir.free-electrons.com/linux/latest/source/Documentation/networking/filter.txt)
* [eBPF features by Linux version](https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md)
# Test the current package under a different kernel.
# Requires virtme and qemu to be installed.
set -eu
set -o pipefail
if [[ "${1:-}" = "--in-vm" ]]; then
mount -t bpf bpf /sys/fs/bpf
export CGO_ENABLED=0
export GOFLAGS=-mod=readonly
export GOPATH=/run/go-path
export GOPROXY=file:///run/go-root/pkg/mod/cache/download
export GOCACHE=/run/go-cache
echo Running tests...
/usr/local/bin/go test -coverprofile="$1/coverage.txt" -covermode=atomic -v ./...
touch "$1/success"
exit 0
# Pull all dependencies, so that we can run tests without the
# vm having network access.
go mod download
# Use sudo if /dev/kvm isn't accessible by the current user.
if [[ ! -r /dev/kvm || ! -w /dev/kvm ]]; then
readonly sudo
readonly kernel_version="${1:-}"
if [[ -z "${kernel_version}" ]]; then
echo "Expecting kernel version as first argument"
exit 1
readonly kernel="linux-${kernel_version}.bz"
readonly output="$(mktemp -d)"
readonly tmp_dir="${TMPDIR:-$(mktemp -d)}"
test -e "${tmp_dir}/${kernel}" || {
echo Fetching "${kernel}"
curl --fail -L "https://github.com/cilium/ci-kernels/blob/master/${kernel}?raw=true" -o "${tmp_dir}/${kernel}"
echo Testing on "${kernel_version}"
$sudo virtme-run --kimg "${tmp_dir}/${kernel}" --memory 512M --pwd \
--rwdir=/run/output="${output}" \
--rodir=/run/go-path="$(go env GOPATH)" \
--rwdir=/run/go-cache="$(go env GOCACHE)" \
--script-sh "$(realpath "$0") --in-vm /run/output"
if [[ ! -e "${output}/success" ]]; then
echo "Test failed on ${kernel_version}"
exit 1
echo "Test successful on ${kernel_version}"
if [[ -v CODECOV_TOKEN ]]; then
curl --fail -s https://codecov.io/bash > "${tmp_dir}/codecov.sh"
chmod +x "${tmp_dir}/codecov.sh"
"${tmp_dir}/codecov.sh" -f "${output}/coverage.txt"
$sudo rm -r "${output}"
package ebpf
import (
// Generic errors returned by BPF syscalls.
var (
ErrNotExist = xerrors.New("requested object does not exit")
// bpfObjName is a null-terminated string made up of
// 'A-Za-z0-9_' characters.
type bpfObjName [unix.BPF_OBJ_NAME_LEN]byte
// newBPFObjName truncates the result if it is too long.
func newBPFObjName(name string) bpfObjName {
var result bpfObjName
copy(result[:unix.BPF_OBJ_NAME_LEN-1], name)
return result
func invalidBPFObjNameChar(char rune) bool {
dotAllowed := objNameAllowsDot() == nil
switch {
case char >= 'A' && char <= 'Z':
case char >= 'a' && char <= 'z':
case char >= '0' && char <= '9':
case dotAllowed && char == '.':
case char == '_':
return false
return true
type bpfMapCreateAttr struct {
mapType MapType
keySize uint32
valueSize uint32
maxEntries uint32
flags uint32
innerMapFd uint32 // since 4.12 56f668dfe00d
numaNode uint32 // since 4.14 96eabe7a40aa
mapName bpfObjName // since 4.15 ad5b177bd73f
mapIfIndex uint32
btfFd uint32
btfKeyTypeID btf.TypeID
btfValueTypeID btf.TypeID
type bpfMapOpAttr struct {
mapFd uint32
padding uint32
key internal.Pointer
value internal.Pointer
flags uint64
type bpfMapInfo struct {
mapType uint32
id uint32
keySize uint32
valueSize uint32
maxEntries uint32
flags uint32
mapName bpfObjName // since 4.15 ad5b177bd73f
type bpfPinObjAttr struct {
fileName internal.Pointer
fd uint32
padding uint32
type bpfProgLoadAttr struct {
progType ProgramType
insCount uint32
instructions internal.Pointer
license internal.Pointer
logLevel uint32
logSize uint32
logBuf internal.Pointer
kernelVersion uint32 // since 4.1 2541517c32be
progFlags uint32 // since 4.11 e07b98d9bffe
progName bpfObjName // since 4.15 067cae47771c
progIfIndex uint32 // since 4.15 1f6f4cb7ba21
expectedAttachType AttachType // since 4.17 5e43f899b03a
progBTFFd uint32
funcInfoRecSize uint32
funcInfo internal.Pointer
funcInfoCnt uint32
lineInfoRecSize uint32
lineInfo internal.Pointer
lineInfoCnt uint32
type bpfProgInfo struct {
progType uint32
id uint32
tag [unix.BPF_TAG_SIZE]byte
jitedLen uint32
xlatedLen uint32
jited internal.Pointer
xlated internal.Pointer
loadTime uint64 // since 4.15 cb4d2b3f03d8
createdByUID uint32
nrMapIDs uint32
mapIds internal.Pointer
name bpfObjName
type bpfProgTestRunAttr struct {
fd uint32
retval uint32
dataSizeIn uint32
dataSizeOut uint32
dataIn internal.Pointer
dataOut internal.Pointer
repeat uint32
duration uint32
type bpfProgAlterAttr struct {
targetFd uint32
attachBpfFd uint32
attachType uint32
attachFlags uint32
type bpfObjGetInfoByFDAttr struct {
fd uint32
infoLen uint32
info internal.Pointer // May be either bpfMapInfo or bpfProgInfo
type bpfGetFDByIDAttr struct {
id uint32
next uint32
type bpfMapFreezeAttr struct {
mapFd uint32
type bpfObjGetNextIDAttr struct {
startID uint32
nextID uint32
openFlags uint32
func bpfProgLoad(attr *bpfProgLoadAttr) (*internal.FD, error) {
for {
fd, err := internal.BPF(_ProgLoad, unsafe.Pointer(attr), unsafe.Sizeof(*attr))
// As of ~4.20 the verifier can be interrupted by a signal,
// and returns EAGAIN in that case.
if err == unix.EAGAIN {
if err != nil {
return nil, err
return internal.NewFD(uint32(fd)), nil
func bpfProgAlter(cmd int, attr *bpfProgAlterAttr) error {
_, err := internal.BPF(cmd, unsafe.Pointer(attr), unsafe.Sizeof(*attr))
return err
func bpfMapCreate(attr *bpfMapCreateAttr) (*internal.FD, error) {
fd, err := internal.BPF(_MapCreate, unsafe.Pointer(attr), unsafe.Sizeof(*attr))
if err != nil {
return nil, err
return internal.NewFD(uint32(fd)), nil
var haveNestedMaps = internal.FeatureTest("nested maps", "4.12", func() bool {
inner, err := bpfMapCreate(&bpfMapCreateAttr{
mapType: Array,
keySize: 4,
valueSize: 4,
maxEntries: 1,
if err != nil {
return false
defer inner.Close()
innerFd, _ := inner.Value()
nested, err := bpfMapCreate(&bpfMapCreateAttr{
mapType: ArrayOfMaps,
keySize: 4,
valueSize: 4,
maxEntries: 1,
innerMapFd: innerFd,
if err != nil {
return false
_ = nested.Close()
return true
var haveMapMutabilityModifiers = internal.FeatureTest("read- and write-only maps", "5.2", func() bool {
// This checks BPF_F_RDONLY_PROG and BPF_F_WRONLY_PROG. Since
// BPF_MAP_FREEZE appeared in 5.2 as well we don't do a separate check.
m, err := bpfMapCreate(&bpfMapCreateAttr{
mapType: Array,
keySize: 4,
valueSize: 4,
maxEntries: 1,
flags: unix.BPF_F_RDONLY_PROG,
if err != nil {
return false
_ = m.Close()
return true
func bpfMapLookupElem(m *internal.FD, key, valueOut internal.Pointer) error {
fd, err := m.Value()
if err != nil {
return err
attr := bpfMapOpAttr{
mapFd: fd,
key: key,
value: valueOut,
_, err = internal.BPF(_MapLookupElem, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return wrapMapError(err)
func bpfMapLookupAndDelete(m *internal.FD, key, valueOut internal.Pointer) error {
fd, err := m.Value()
if err != nil {
return err
attr := bpfMapOpAttr{
mapFd: fd,
key: key,
value: valueOut,
_, err = internal.BPF(_MapLookupAndDeleteElem, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return wrapMapError(err)
func bpfMapUpdateElem(m *internal.FD, key, valueOut internal.Pointer, flags uint64) error {
fd, err := m.Value()
if err != nil {
return err
attr := bpfMapOpAttr{
mapFd: fd,
key: key,
value: valueOut,
flags: flags,
_, err = internal.BPF(_MapUpdateElem, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return wrapMapError(err)
func bpfMapDeleteElem(m *internal.FD, key internal.Pointer) error {
fd, err := m.Value()
if err != nil {
return err
attr := bpfMapOpAttr{
mapFd: fd,
key: key,
_, err = internal.BPF(_MapDeleteElem, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return wrapMapError(err)
func bpfMapGetNextKey(m *internal.FD, key, nextKeyOut internal.Pointer) error {
fd, err := m.Value()
if err != nil {
return err
attr := bpfMapOpAttr{
mapFd: fd,
key: key,
value: nextKeyOut,
_, err = internal.BPF(_MapGetNextKey, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return wrapMapError(err)
func objGetNextID(cmd int, start uint32) (uint32, error) {
attr := bpfObjGetNextIDAttr{
startID: start,
_, err := internal.BPF(cmd, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return attr.nextID, wrapObjError(err)
func wrapObjError(err error) error {
if err == nil {
return nil
if xerrors.Is(err, unix.ENOENT) {
return xerrors.Errorf("%w", ErrNotExist)
return xerrors.New(err.Error())
func wrapMapError(err error) error {
if err == nil {
return nil
if xerrors.Is(err, unix.ENOENT) {
return ErrKeyNotExist
return xerrors.New(err.Error())
func bpfMapFreeze(m *internal.FD) error {
fd, err := m.Value()
if err != nil {
return err
attr := bpfMapFreezeAttr{
mapFd: fd,
_, err = internal.BPF(_MapFreeze, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return err
const bpfFSType = 0xcafe4a11
func bpfPinObject(fileName string, fd *internal.FD) error {
dirName := filepath.Dir(fileName)
var statfs unix.Statfs_t
if err := unix.Statfs(dirName, &statfs); err != nil {
return err
if uint64(statfs.Type) != bpfFSType {
return xerrors.Errorf("%s is not on a bpf filesystem", fileName)
value, err := fd.Value()
if err != nil {
return err
_, err = internal.BPF(_ObjPin, unsafe.Pointer(&bpfPinObjAttr{
fileName: internal.NewStringPointer(fileName),
fd: value,
}), 16)
if err != nil {
return xerrors.Errorf("pin object %s: %w", fileName, err)
return nil
func bpfGetObject(fileName string) (*internal.FD, error) {
ptr, err := internal.BPF(_ObjGet, unsafe.Pointer(&bpfPinObjAttr{
fileName: internal.NewStringPointer(fileName),
}), 16)
if err != nil {
return nil, xerrors.Errorf("get object %s: %w", fileName, err)
return internal.NewFD(uint32(ptr)), nil
func bpfGetObjectInfoByFD(fd *internal.FD, info unsafe.Pointer, size uintptr) error {
value, err := fd.Value()
if err != nil {
return err
// available from 4.13
attr := bpfObjGetInfoByFDAttr{
fd: value,
infoLen: uint32(size),
info: internal.NewPointer(info),
_, err = internal.BPF(_ObjGetInfoByFD, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
if err != nil {
return xerrors.Errorf("fd %d: %w", fd, err)
return nil
func bpfGetProgInfoByFD(fd *internal.FD) (*bpfProgInfo, error) {
var info bpfProgInfo
if err := bpfGetObjectInfoByFD(fd, unsafe.Pointer(&info), unsafe.Sizeof(info)); err != nil {
return nil, xerrors.Errorf("can't get program info: %w", err)
return &info, nil
func bpfGetMapInfoByFD(fd *internal.FD) (*bpfMapInfo, error) {
var info bpfMapInfo
err := bpfGetObjectInfoByFD(fd, unsafe.Pointer(&info), unsafe.Sizeof(info))
if err != nil {
return nil, xerrors.Errorf("can't get map info: %w", err)
return &info, nil
var haveObjName = internal.FeatureTest("object names", "4.15", func() bool {
attr := bpfMapCreateAttr{
mapType: Array,
keySize: 4,
valueSize: 4,
maxEntries: 1,
mapName: newBPFObjName("feature_test"),
fd, err := bpfMapCreate(&attr)
if err != nil {
return false
_ = fd.Close()
return true
var objNameAllowsDot = internal.FeatureTest("dot in object names", "5.2", func() bool {
if err := haveObjName(); err != nil {
return false
attr := bpfMapCreateAttr{
mapType: Array,
keySize: 4,
valueSize: 4,
maxEntries: 1,
mapName: newBPFObjName(".test"),
fd, err := bpfMapCreate(&attr)
if err != nil {
return false
_ = fd.Close()
return true
func bpfObjGetFDByID(cmd int, id uint32) (*internal.FD, error) {
attr := bpfGetFDByIDAttr{
id: id,
ptr, err := internal.BPF(cmd, unsafe.Pointer(&attr), unsafe.Sizeof(attr))
return internal.NewFD(uint32(ptr)), wrapObjError(err)
@ -0,0 +1,220 @@
package ebpf
//go:generate stringer -output types_string.go -type=MapType,ProgramType
// MapType indicates the type map structure
// that will be initialized in the kernel.
type MapType uint32
// All the various map types that can be created
const (
UnspecifiedMap MapType = iota
// Hash is a hash map
// Array is an array map
// ProgramArray - A program array map is a special kind of array map whose map
// values contain only file descriptors referring to other eBPF
// programs. Thus, both the key_size and value_size must be
// exactly four bytes. This map is used in conjunction with the
// TailCall helper.
// PerfEventArray - A perf event array is used in conjunction with PerfEventRead
// and PerfEventOutput calls, to read the raw bpf_perf_data from the registers.
// PerCPUHash - This data structure is useful for people who have high performance
// network needs and can reconcile adds at the end of some cycle, so that
// hashes can be lock free without the use of XAdd, which can be costly.
// PerCPUArray - This data structure is useful for people who have high performance
// network needs and can reconcile adds at the end of some cycle, so that
// hashes can be lock free without the use of XAdd, which can be costly.
// Each CPU gets a copy of this hash, the contents of all of which can be reconciled
// later.
// StackTrace - This holds whole user and kernel stack traces, it can be retrieved with
// GetStackID
// CGroupArray - This is a very niche structure used to help SKBInCGroup determine
// if an skb is from a socket belonging to a specific cgroup
// LRUHash - This allows you to create a small hash structure that will purge the
// least recently used items rather than thow an error when you run out of memory
// LRUCPUHash - This is NOT like PerCPUHash, this structure is shared among the CPUs,
// it has more to do with including the CPU id with the LRU calculation so that if a
// particular CPU is using a value over-and-over again, then it will be saved, but if
// a value is being retrieved a lot but sparsely across CPUs it is not as important, basically
// giving weight to CPU locality over overall usage.
// LPMTrie - This is an implementation of Longest-Prefix-Match Trie structure. It is useful,
// for storing things like IP addresses which can be bit masked allowing for keys of differing
// values to refer to the same reference based on their masks. See wikipedia for more details.
// ArrayOfMaps - Each item in the array is another map. The inner map mustn't be a map of maps
// itself.
// HashOfMaps - Each item in the hash map is another map. The inner map mustn't be a map of maps
// itself.
// DevMap - Specialized map to store references to network devices.
// SockMap - Specialized map to store references to sockets.
// CPUMap - Specialized map to store references to CPUs.
// XSKMap - Specialized map for XDP programs to store references to open sockets.
// SockHash - Specialized hash to store references to sockets.
// CGroupStorage - Special map for CGroups.
// ReusePortSockArray - Specialized map to store references to sockets that can be reused.
// PerCPUCGroupStorage - Special per CPU map for CGroups.
// Queue - FIFO storage for BPF programs.
// Stack - LIFO storage for BPF programs.
// SkStorage - Specialized map for local storage at SK for BPF programs.
// DevMapHash - Hash-based indexing scheme for references to network devices.
// hasPerCPUValue returns true if the Map stores a value per CPU.
func (mt MapType) hasPerCPUValue() bool {
if mt == PerCPUHash || mt == PerCPUArray {
return true
return false
const (
_MapCreate = iota
// ProgramType of the eBPF program
type ProgramType uint32
// eBPF program types
const (
// Unrecognized program type
UnspecifiedProgram ProgramType = iota
// SocketFilter socket or seccomp filter
// Kprobe program
// SchedCLS traffic control shaper
// SchedACT routing control shaper
// TracePoint program
// XDP program
// PerfEvent program
// CGroupSKB program
// CGroupSock program
// LWTIn program
// LWTOut program
// LWTXmit program
// SockOps program
// SkSKB program
// CGroupDevice program
// SkMsg program
// RawTracepoint program
// CGroupSockAddr program
// LWTSeg6Local program
// LircMode2 program
// SkReuseport program
// FlowDissector program
// CGroupSysctl program
// RawTracepointWritable program
// CGroupSockopt program
// Tracing program
// AttachType of the eBPF program, needed to differentiate allowed context accesses in
// some newer program types like CGroupSockAddr. Should be set to AttachNone if not required.
// Will cause invalid argument (EINVAL) at program load time if set incorrectly.
type AttachType uint32
// AttachNone is an alias for AttachCGroupInetIngress for readability reasons
const AttachNone AttachType = 0
const (
AttachCGroupInetIngress AttachType = iota
// AttachFlags of the eBPF program used in BPF_PROG_ATTACH command
type AttachFlags uint32
@ -0,0 +1,91 @@
// Code generated by "stringer -output types_string.go -type=MapType,ProgramType"; DO NOT EDIT.
package ebpf
import "strconv"
func _() {
// An "invalid array index" compiler error signifies that the constant values have changed.
// Re-run the stringer command to generate them again.
var x [1]struct{}
_ = x[UnspecifiedMap-0]
_ = x[Hash-1]
_ = x[Array-2]
_ = x[ProgramArray-3]
_ = x[PerfEventArray-4]
_ = x[PerCPUHash-5]
_ = x[PerCPUArray-6]
_ = x[StackTrace-7]
_ = x[CGroupArray-8]
_ = x[LRUHash-9]
_ = x[LRUCPUHash-10]
_ = x[LPMTrie-11]
_ = x[ArrayOfMaps-12]
_ = x[HashOfMaps-13]
_ = x[DevMap-14]
_ = x[SockMap-15]
_ = x[CPUMap-16]
_ = x[XSKMap-17]
_ = x[SockHash-18]
_ = x[CGroupStorage-19]
_ = x[ReusePortSockArray-20]
_ = x[PerCPUCGroupStorage-21]
_ = x[Queue-22]
_ = x[Stack-23]
_ = x[SkStorage-24]
_ = x[DevMapHash-25]
const _MapType_name = "UnspecifiedMapHashArrayProgramArrayPerfEventArrayPerCPUHashPerCPUArrayStackTraceCGroupArrayLRUHashLRUCPUHashLPMTrieArrayOfMapsHashOfMapsDevMapSockMapCPUMapXSKMapSockHashCGroupStorageReusePortSockArrayPerCPUCGroupStorageQueueStackSkStorageDevMapHash"
var _MapType_index = [...]uint8{0, 14, 18, 23, 35, 49, 59, 70, 80, 91, 98, 108, 115, 126, 136, 142, 149, 155, 161, 169, 182, 200, 219, 224, 229, 238, 248}
func (i MapType) String() string {
if i >= MapType(len(_MapType_index)-1) {
return "MapType(" + strconv.FormatInt(int64(i), 10) + ")"
return _MapType_name[_MapType_index[i]:_MapType_index[i+1]]
func _() {
// An "invalid array index" compiler error signifies that the constant values have changed.
// Re-run the stringer command to generate them again.
var x [1]struct{}
_ = x[UnspecifiedProgram-0]
_ = x[SocketFilter-1]
_ = x[Kprobe-2]
_ = x[SchedCLS-3]
_ = x[SchedACT-4]
_ = x[TracePoint-5]
_ = x[XDP-6]
_ = x[PerfEvent-7]
_ = x[CGroupSKB-8]
_ = x[CGroupSock-9]
_ = x[LWTIn-10]
_ = x[LWTOut-11]
_ = x[LWTXmit-12]
_ = x[SockOps-13]
_ = x[SkSKB-14]
_ = x[CGroupDevice-15]
_ = x[SkMsg-16]
_ = x[RawTracepoint-17]
_ = x[CGroupSockAddr-18]
_ = x[LWTSeg6Local-19]
_ = x[LircMode2-20]
_ = x[SkReuseport-21]
_ = x[FlowDissector-22]
_ = x[CGroupSysctl-23]
_ = x[RawTracepointWritable-24]
_ = x[CGroupSockopt-25]
_ = x[Tracing-26]
const _ProgramType_name = "UnspecifiedProgramSocketFilterKprobeSchedCLSSchedACTTracePointXDPPerfEventCGroupSKBCGroupSockLWTInLWTOutLWTXmitSockOpsSkSKBCGroupDeviceSkMsgRawTracepointCGroupSockAddrLWTSeg6LocalLircMode2SkReuseportFlowDissectorCGroupSysctlRawTracepointWritableCGroupSockoptTracing"
var _ProgramType_index = [...]uint16{0, 18, 30, 36, 44, 52, 62, 65, 74, 83, 93, 98, 104, 111, 118, 123, 135, 140, 153, 167, 179, 188, 199, 212, 224, 245, 258, 265}
func (i ProgramType) String() string {
if i >= ProgramType(len(_ProgramType_index)-1) {
return "ProgramType(" + strconv.FormatInt(int64(i), 10) + ")"
return _ProgramType_name[_ProgramType_index[i]:_ProgramType_index[i+1]]
dist: xenial
dist: bionic
language: go
- 1.9.x
- 1.10.x
- 1.11.x
- 1.12.x
- tip
- go: 1.11.x
- go: 1.12.x
- sudo PATH="$PATH" make localintegration RUNC_USE_SYSTEMD=1
- go: 1.12.x
- cat /proc/cpuinfo
- wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add - && sudo sh -c "echo deb https://download.virtualbox.org/virtualbox/debian $(lsb_release -cs) contrib >> /etc/apt/sources.list" && sudo apt-get update && sudo apt-get install -yq build-essential gcc make linux-headers-$(uname -r) virtualbox-${VIRTUALBOX_VERSION} && sudo usermod -aG vboxusers $(whoami)
- wget https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}_$(uname -m).deb && sudo dpkg -i vagrant_${VAGRANT_VERSION}_$(uname -m).deb
- vagrant init bento/fedora-${FEDORA_VERSION} && vagrant up && mkdir -p ~/.ssh && vagrant ssh-config >> ~/.ssh/config
- ssh default sudo dnf install -y podman
- ssh default sudo podman build -t test /vagrant
- ssh default sudo podman run --privileged --cgroupns=private test make localunittest
- go: tip
@ -1,4 +1,4 @@
FROM golang:1.10-stretch
FROM golang:1.12-stretch
RUN dpkg --add-architecture armel \
&& dpkg --add-architecture armhf \
@ -45,14 +45,10 @@ RUN cd /tmp \
&& rm -rf /tmp/bats
# install criu
# For CRIU 3.11 one patch is needed for the test 'checkpoint and restore with container specific CRIU config'
# This should be no longer necessary with CRIU 3.12
# See https://github.com/opencontainers/runc/pull/1933
RUN mkdir -p /usr/src/criu \
&& curl -sSL https://github.com/checkpoint-restore/criu/archive/${CRIU_VERSION}.tar.gz | tar -v -C /usr/src/criu/ -xz --strip-components=1 \
&& cd /usr/src/criu \
&& curl https://github.com/checkpoint-restore/criu/commit/bb0b2f2635d71e549851b7c626a1464e42a3b5c7.patch | patch -p1 \
&& make install-criu \
&& rm -rf /usr/src/criu
@ -3,6 +3,7 @@
test unittest integration \
cross localcross
GO := go
SOURCES := $(shell find . 2>&1 | grep -E '.*\.(c|h|go)$$')
@ -40,14 +41,14 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
$(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
static: $(SOURCES)
CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o runc .
CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" -installsuffix netgo -ldflags "-w -extldflags -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
script/release.sh -r release/$(VERSION) -v $(VERSION)
dbuild: runcimage
docker run ${DOCKER_RUN_PROXY} --rm -v $(CURDIR):/go/src/$(PROJECT) --privileged $(RUNC_IMAGE) make clean all
$(CONTAINER_ENGINE) run ${CONTAINER_ENGINE_RUN_FLAGS} --rm -v $(CURDIR):/go/src/$(PROJECT) --privileged $(RUNC_IMAGE) make clean all
$(GO) vet $(allpackages)
@ -57,7 +58,7 @@ man:
docker build ${DOCKER_BUILD_PROXY} -t $(RUNC_IMAGE) .
make unittest integration rootlessintegration
@ -66,25 +67,25 @@ localtest:
make localunittest localintegration localrootlessintegration
unittest: runcimage
docker run ${DOCKER_RUN_PROXY} -t --privileged --rm -v /lib/modules:/lib/modules:ro -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localunittest TESTFLAGS=${TESTFLAGS}
$(CONTAINER_ENGINE) run ${CONTAINER_ENGINE_RUN_FLAGS} -t --privileged --rm -v /lib/modules:/lib/modules:ro -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localunittest TESTFLAGS=${TESTFLAGS}
localunittest: all
$(GO) test -timeout 3m -tags "$(BUILDTAGS)" ${TESTFLAGS} -v $(allpackages)
integration: runcimage
docker run ${DOCKER_RUN_PROXY} -t --privileged --rm -v /lib/modules:/lib/modules:ro -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localintegration TESTPATH=${TESTPATH}
$(CONTAINER_ENGINE) run ${CONTAINER_ENGINE_RUN_FLAGS} -t --privileged --rm -v /lib/modules:/lib/modules:ro -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localintegration TESTPATH=${TESTPATH}
localintegration: all
bats -t tests/integration${TESTPATH}
rootlessintegration: runcimage
docker run ${DOCKER_RUN_PROXY} -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localrootlessintegration
$(CONTAINER_ENGINE) run ${CONTAINER_ENGINE_RUN_FLAGS} -t --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localrootlessintegration
localrootlessintegration: all
shell: runcimage
docker run ${DOCKER_RUN_PROXY} -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) bash
$(CONTAINER_ENGINE) run ${CONTAINER_ENGINE_RUN_FLAGS} -ti --privileged --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) bash
install -D -m0755 runc $(BINDIR)/runc
@ -119,7 +120,7 @@ validate:
ci: validate test release
cross: runcimage
docker run ${DOCKER_RUN_PROXY} -e BUILDTAGS="$(BUILDTAGS)" --rm -v $(CURDIR):/go/src/$(PROJECT) $(RUNC_IMAGE) make localcross
CGO_ENABLED=1 GOARCH=arm GOARM=6 CC=arm-linux-gnueabi-gcc $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" -tags "$(BUILDTAGS)" -o runc-armel .
@ -16,9 +16,13 @@ This means that `runc` 1.0.0 should implement the 1.0 version of the specificati
You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
Currently, the following features are not considered to be production-ready:
* Support for cgroup v2
## Security
Reporting process and disclosure communications are outlined in [/org/security](https://github.com/opencontainers/org/blob/master/security/)
The reporting process and disclosure communications are outlined in [/org/security](https://github.com/opencontainers/org/blob/master/security/).
## Building
@ -229,7 +233,14 @@ runc delete mycontainerid
This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after `create` but before `start`.
#### Rootless containers
`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version. Run the following commands as an ordinary user:
`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version.
**Note:** In order to use this feature, "User Namespaces" must be compiled and enabled in your kernel. There are various ways to do this depending on your distribution:
- Confirm `CONFIG_USER_NS=y` is set in your kernel configuration (normally found in `/proc/config.gz`)
- Arch/Debian: `echo 1 > /proc/sys/kernel/unprivileged_userns_clone`
- RHEL/CentOS 7: `echo 28633 > /proc/sys/user/max_user_namespaces`
Run the following commands as an ordinary user:
# Same as the first example
mkdir ~/mycontainer
@ -0,0 +1,3 @@
# Security
The reporting process and disclosure communications are outlined in [/org/security](https://github.com/opencontainers/org/blob/master/security/).
@ -12,125 +12,12 @@ import (
// event struct for encoding the event data to json.
type event struct {
Type string `json:"type"`
ID string `json:"id"`
Data interface{} `json:"data,omitempty"`
// stats is the runc specific stats structure for stability when encoding and decoding stats.
type stats struct {
CPU cpu `json:"cpu"`
Memory memory `json:"memory"`
Pids pids `json:"pids"`
Blkio blkio `json:"blkio"`
Hugetlb map[string]hugetlb `json:"hugetlb"`
IntelRdt intelRdt `json:"intel_rdt"`
type hugetlb struct {
Usage uint64 `json:"usage,omitempty"`
Max uint64 `json:"max,omitempty"`
Failcnt uint64 `json:"failcnt"`
type blkioEntry struct {
Major uint64 `json:"major,omitempty"`
Minor uint64 `json:"minor,omitempty"`
Op string `json:"op,omitempty"`
Value uint64 `json:"value,omitempty"`
type blkio struct {
IoServiceBytesRecursive []blkioEntry `json:"ioServiceBytesRecursive,omitempty"`
IoServicedRecursive []blkioEntry `json:"ioServicedRecursive,omitempty"`
IoQueuedRecursive []blkioEntry `json:"ioQueueRecursive,omitempty"`
IoServiceTimeRecursive []blkioEntry `json:"ioServiceTimeRecursive,omitempty"`
IoWaitTimeRecursive []blkioEntry `json:"ioWaitTimeRecursive,omitempty"`
IoMergedRecursive []blkioEntry `json:"ioMergedRecursive,omitempty"`
IoTimeRecursive []blkioEntry `json:"ioTimeRecursive,omitempty"`
SectorsRecursive []blkioEntry `json:"sectorsRecursive,omitempty"`
type pids struct {
Current uint64 `json:"current,omitempty"`
Limit uint64 `json:"limit,omitempty"`
type throttling struct {
Periods uint64 `json:"periods,omitempty"`
ThrottledPeriods uint64 `json:"throttledPeriods,omitempty"`
ThrottledTime uint64 `json:"throttledTime,omitempty"`
type cpuUsage struct {
// Units: nanoseconds.
Total uint64 `json:"total,omitempty"`
Percpu []uint64 `json:"percpu,omitempty"`
Kernel uint64 `json:"kernel"`
User uint64 `json:"user"`
type cpu struct {
Usage cpuUsage `json:"usage,omitempty"`
Throttling throttling `json:"throttling,omitempty"`
type memoryEntry struct {
Limit uint64 `json:"limit"`
Usage uint64 `json:"usage,omitempty"`
Max uint64 `json:"max,omitempty"`
Failcnt uint64 `json:"failcnt"`
type memory struct {
Cache uint64 `json:"cache,omitempty"`
Usage memoryEntry `json:"usage,omitempty"`
Swap memoryEntry `json:"swap,omitempty"`
Kernel memoryEntry `json:"kernel,omitempty"`
KernelTCP memoryEntry `json:"kernelTCP,omitempty"`
Raw map[string]uint64 `json:"raw,omitempty"`
type l3CacheInfo struct {
CbmMask string `json:"cbm_mask,omitempty"`
MinCbmBits uint64 `json:"min_cbm_bits,omitempty"`
NumClosids uint64 `json:"num_closids,omitempty"`
type memBwInfo struct {
BandwidthGran uint64 `json:"bandwidth_gran,omitempty"`
DelayLinear uint64 `json:"delay_linear,omitempty"`
MinBandwidth uint64 `json:"min_bandwidth,omitempty"`
NumClosids uint64 `json:"num_closids,omitempty"`
type intelRdt struct {
// The read-only L3 cache information
L3CacheInfo *l3CacheInfo `json:"l3_cache_info,omitempty"`
// The read-only L3 cache schema in root
L3CacheSchemaRoot string `json:"l3_cache_schema_root,omitempty"`
// The L3 cache schema in 'container_id' group
L3CacheSchema string `json:"l3_cache_schema,omitempty"`
// The read-only memory bandwidth information
MemBwInfo *memBwInfo `json:"mem_bw_info,omitempty"`
// The read-only memory bandwidth schema in root
MemBwSchemaRoot string `json:"mem_bw_schema_root,omitempty"`
// The memory bandwidth schema in 'container_id' group
MemBwSchema string `json:"mem_bw_schema,omitempty"`
var eventsCommand = cli.Command{
Name: "events",
Usage: "display container events such as OOM notifications, cpu, memory, and IO usage statistics",
@ -164,7 +51,7 @@ information is displayed once every 5 seconds.`,
var (
stats = make(chan *libcontainer.Stats, 1)
events = make(chan *event, 1024)
events = make(chan *types.Event, 1024)
group = &sync.WaitGroup{}
@ -182,7 +69,7 @@ information is displayed once every 5 seconds.`,
if err != nil {
return err
events <- &event{Type: "stats", ID: container.ID(), Data: convertLibcontainerStats(s)}
events <- &types.Event{Type: "stats", ID: container.ID(), Data: convertLibcontainerStats(s)}
return nil
@ -208,12 +95,12 @@ information is displayed once every 5 seconds.`,
// this means an oom event was received, if it is !ok then
// the channel was closed because the container stopped and
// the cgroups no longer exist.
events <- &event{Type: "oom", ID: container.ID()}
events <- &types.Event{Type: "oom", ID: container.ID()}
} else {
n = nil
case s := <-stats:
events <- &event{Type: "stats", ID: container.ID(), Data: convertLibcontainerStats(s)}
events <- &types.Event{Type: "stats", ID: container.ID(), Data: convertLibcontainerStats(s)}
if n == nil {
@ -225,12 +112,12 @@ information is displayed once every 5 seconds.`,
func convertLibcontainerStats(ls *libcontainer.Stats) *stats {
func convertLibcontainerStats(ls *libcontainer.Stats) *types.Stats {
cg := ls.CgroupStats
if cg == nil {
return nil
var s stats
var s types.Stats
s.Pids.Current = cg.PidsStats.Current
s.Pids.Limit = cg.PidsStats.Limit
@ -258,7 +145,7 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *stats {
s.Blkio.IoTimeRecursive = convertBlkioEntry(cg.BlkioStats.IoTimeRecursive)
s.Blkio.SectorsRecursive = convertBlkioEntry(cg.BlkioStats.SectorsRecursive)
s.Hugetlb = make(map[string]hugetlb)
s.Hugetlb = make(map[string]types.Hugetlb)
for k, v := range cg.HugetlbStats {
s.Hugetlb[k] = convertHugtlb(v)
@ -276,19 +163,20 @@ func convertLibcontainerStats(ls *libcontainer.Stats) *stats {
s.NetworkInterfaces = ls.Interfaces
return &s
func convertHugtlb(c cgroups.HugetlbStats) hugetlb {
return hugetlb{
func convertHugtlb(c cgroups.HugetlbStats) types.Hugetlb {
return types.Hugetlb{
Usage: c.Usage,
Max: c.MaxUsage,
Failcnt: c.Failcnt,
func convertMemoryEntry(c cgroups.MemoryData) memoryEntry {
return memoryEntry{
func convertMemoryEntry(c cgroups.MemoryData) types.MemoryEntry {
return types.MemoryEntry{
Limit: c.Limit,
Usage: c.Usage,
Max: c.MaxUsage,
@ -296,10 +184,10 @@ func convertMemoryEntry(c cgroups.MemoryData) memoryEntry {
func convertBlkioEntry(c []cgroups.BlkioStatEntry) []blkioEntry {
var out []blkioEntry
func convertBlkioEntry(c []cgroups.BlkioStatEntry) []types.BlkioEntry {
var out []types.BlkioEntry
for _, e := range c {
out = append(out, blkioEntry{
out = append(out, types.BlkioEntry{
Major: e.Major,
Minor: e.Minor,
Op: e.Op,
@ -309,16 +197,16 @@ func convertBlkioEntry(c []cgroups.BlkioStatEntry) []blkioEntry {
return out
func convertL3CacheInfo(i *intelrdt.L3CacheInfo) *l3CacheInfo {
return &l3CacheInfo{
func convertL3CacheInfo(i *intelrdt.L3CacheInfo) *types.L3CacheInfo {
return &types.L3CacheInfo{
CbmMask: i.CbmMask,
MinCbmBits: i.MinCbmBits,
NumClosids: i.NumClosids,
func convertMemBwInfo(i *intelrdt.MemBwInfo) *memBwInfo {
return &memBwInfo{
func convertMemBwInfo(i *intelrdt.MemBwInfo) *types.MemBwInfo {
return &types.MemBwInfo{
BandwidthGran: i.BandwidthGran,
DelayLinear: i.DelayLinear,
MinBandwidth: i.MinBandwidth,
@ -261,6 +261,7 @@ process := &libcontainer.Process{
Stdin: os.Stdin,
Stdout: os.Stdout,
Stderr: os.Stderr,
Init: true,
err := container.Run(process)
@ -6,6 +6,8 @@ import (
// IsEnabled returns true if apparmor is enabled for the host.
@ -19,7 +21,7 @@ func IsEnabled() bool {
return false
func setprocattr(attr, value string) error {
func setProcAttr(attr, value string) error {
// Under AppArmor you can only change your own attr, so use /proc/self/
// instead of /proc/<tid>/ like libapparmor does
path := fmt.Sprintf("/proc/self/attr/%s", attr)
@ -30,6 +32,10 @@ func setprocattr(attr, value string) error {
defer f.Close()
if err := utils.EnsureProcHandle(f); err != nil {
return err
_, err = fmt.Fprintf(f, "%s", value)
return err
@ -37,7 +43,7 @@ func setprocattr(attr, value string) error {
// changeOnExec reimplements aa_change_onexec from libapparmor in Go
func changeOnExec(name string) error {
value := "exec " + name
if err := setprocattr("exec", value); err != nil {
if err := setProcAttr("exec", value); err != nil {
return fmt.Errorf("apparmor failed to apply profile: %s", err)
return nil
@ -71,7 +71,11 @@ func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilitie
ambient = append(ambient, v)
pid, err := capability.NewPid(0)
pid, err := capability.NewPid2(0)
if err != nil {
return nil, err
err = pid.Load()
if err != nil {
return nil, err
@ -37,8 +37,18 @@ type Manager interface {
// restore the object later.
GetPaths() map[string]string
// GetUnifiedPath returns the unified path when running in unified mode.
// The value corresponds to the all values of GetPaths() map.
// GetUnifiedPath returns error when running in hybrid mode as well as
// in legacy mode.
GetUnifiedPath() (string, error)
// Sets the cgroup as configured.
Set(container *configs.Config) error
// Gets the cgroup as configured.
GetCgroups() (*configs.Cgroup, error)
type NotFoundError struct {
Normal file
Normal file
@ -0,0 +1,180 @@
// Package devicefilter containes eBPF device filter program
// The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c
// Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author (Giuseppe Scrivano)
// agreed to relicense the file in Apache License 2.0: https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397
package devicefilter
import (
const (
// license string format is same as kernel MODULE_LICENSE macro
license = "Apache"
// DeviceFilter returns eBPF device filter program and its license string
func DeviceFilter(devices []*configs.Device) (asm.Instructions, string, error) {
p := &program{}
for i := len(devices) - 1; i >= 0; i-- {
if err := p.appendDevice(devices[i]); err != nil {
return nil, "", err
insts, err := p.finalize()
return insts, license, err
type program struct {
insts asm.Instructions
hasWildCard bool
blockID int
func (p *program) init() {
// struct bpf_cgroup_dev_ctx: https://elixir.bootlin.com/linux/v5.3.6/source/include/uapi/linux/bpf.h#L3423
u32 access_type
u32 major
u32 minor
// R2 <- type (lower 16 bit of u32 access_type at R1[0])
p.insts = append(p.insts,
asm.LoadMem(asm.R2, asm.R1, 0, asm.Half))
// R3 <- access (upper 16 bit of u32 access_type at R1[0])
p.insts = append(p.insts,
asm.LoadMem(asm.R3, asm.R1, 0, asm.Word),
// RSh: bitwise shift right
asm.RSh.Imm32(asm.R3, 16))
// R4 <- major (u32 major at R1[4])
p.insts = append(p.insts,
asm.LoadMem(asm.R4, asm.R1, 4, asm.Word))
// R5 <- minor (u32 minor at R1[8])
p.insts = append(p.insts,
asm.LoadMem(asm.R5, asm.R1, 8, asm.Word))
// appendDevice needs to be called from the last element of OCI linux.resources.devices to the head element.
func (p *program) appendDevice(dev *configs.Device) error {
if p.blockID < 0 {
return errors.New("the program is finalized")
if p.hasWildCard {
// All entries after wildcard entry are ignored
return nil
bpfType := int32(-1)
hasType := true
switch dev.Type {
case 'c':
bpfType = int32(unix.BPF_DEVCG_DEV_CHAR)
case 'b':
bpfType = int32(unix.BPF_DEVCG_DEV_BLOCK)
case 'a':
hasType = false
// if not specified in OCI json, typ is set to DeviceTypeAll
return errors.Errorf("invalid DeviceType %q", string(dev.Type))
if dev.Major > math.MaxUint32 {
return errors.Errorf("invalid major %d", dev.Major)
if dev.Minor > math.MaxUint32 {
return errors.Errorf("invalid minor %d", dev.Major)
hasMajor := dev.Major >= 0 // if not specified in OCI json, major is set to -1
hasMinor := dev.Minor >= 0
bpfAccess := int32(0)
for _, r := range dev.Permissions {
switch r {
case 'r':
bpfAccess |= unix.BPF_DEVCG_ACC_READ
case 'w':
bpfAccess |= unix.BPF_DEVCG_ACC_WRITE
case 'm':
bpfAccess |= unix.BPF_DEVCG_ACC_MKNOD
return errors.Errorf("unknown device access %v", r)
// If the access is rwm, skip the check.
hasAccess := bpfAccess != (unix.BPF_DEVCG_ACC_READ | unix.BPF_DEVCG_ACC_WRITE | unix.BPF_DEVCG_ACC_MKNOD)
blockSym := fmt.Sprintf("block-%d", p.blockID)
nextBlockSym := fmt.Sprintf("block-%d", p.blockID+1)
prevBlockLastIdx := len(p.insts) - 1
if hasType {
p.insts = append(p.insts,
// if (R2 != bpfType) goto next
asm.JNE.Imm(asm.R2, bpfType, nextBlockSym),
if hasAccess {
p.insts = append(p.insts,
// if (R3 & bpfAccess == 0 /* use R1 as a temp var */) goto next
asm.Mov.Reg32(asm.R1, asm.R3),
asm.And.Imm32(asm.R1, bpfAccess),
asm.JEq.Imm(asm.R1, 0, nextBlockSym),
if hasMajor {
p.insts = append(p.insts,
// if (R4 != major) goto next
asm.JNE.Imm(asm.R4, int32(dev.Major), nextBlockSym),
if hasMinor {
p.insts = append(p.insts,
// if (R5 != minor) goto next
asm.JNE.Imm(asm.R5, int32(dev.Minor), nextBlockSym),
if !hasType && !hasAccess && !hasMajor && !hasMinor {
p.hasWildCard = true
p.insts = append(p.insts, acceptBlock(dev.Allow)...)
// set blockSym to the first instruction we added in this iteration
p.insts[prevBlockLastIdx+1] = p.insts[prevBlockLastIdx+1].Sym(blockSym)
return nil
func (p *program) finalize() (asm.Instructions, error) {
if p.hasWildCard {
// acceptBlock with asm.Return() is already inserted
return p.insts, nil
blockSym := fmt.Sprintf("block-%d", p.blockID)
p.insts = append(p.insts,
// R0 <- 0
asm.Mov.Imm32(asm.R0, 0).Sym(blockSym),
p.blockID = -1
return p.insts, nil
func acceptBlock(accept bool) asm.Instructions {
v := int32(0)
if accept {
v = 1
return []asm.Instruction{
// R0 <- v
asm.Mov.Imm32(asm.R0, v),
Normal file
Normal file
@ -0,0 +1,45 @@
package ebpf
import (
// LoadAttachCgroupDeviceFilter installs eBPF device filter program to /sys/fs/cgroup/<foo> directory.
// Requires the system to be running in cgroup2 unified-mode with kernel >= 4.15 .
// https://github.com/torvalds/linux/commit/ebc614f687369f9df99828572b1d85a7c2de3d92
func LoadAttachCgroupDeviceFilter(insts asm.Instructions, license string, dirFD int) (func() error, error) {
nilCloser := func() error {
return nil
// Increase `ulimit -l` limit to avoid BPF_PROG_LOAD error (#2167).
// This limit is not inherited into the container.
memlockLimit := &unix.Rlimit{
_ = unix.Setrlimit(unix.RLIMIT_MEMLOCK, memlockLimit)
spec := &ebpf.ProgramSpec{
Type: ebpf.CGroupDevice,
Instructions: insts,
License: license,
prog, err := ebpf.NewProgram(spec)
if err != nil {
return nilCloser, err
if err := prog.Attach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
return nilCloser, errors.Wrap(err, "failed to call BPF_PROG_ATTACH (BPF_CGROUP_DEVICE, BPF_F_ALLOW_MULTI)")
closer := func() error {
if err := prog.Detach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
return errors.Wrap(err, "failed to call BPF_PROG_DETACH (BPF_CGROUP_DEVICE, BPF_F_ALLOW_MULTI)")
return nil
return closer, nil
@ -5,7 +5,6 @@ package fs
import (
@ -18,7 +17,7 @@ import (
var (
subsystems = subsystemSet{
subsystemsLegacy = subsystemSet{
@ -129,6 +128,10 @@ func isIgnorableError(rootless bool, err error) bool {
return errno == unix.EROFS || errno == unix.EPERM || errno == unix.EACCES
func (m *Manager) getSubsystems() subsystemSet {
return subsystemsLegacy
func (m *Manager) Apply(pid int) (err error) {
if m.Cgroups == nil {
return nil
@ -158,7 +161,7 @@ func (m *Manager) Apply(pid int) (err error) {
return cgroups.EnterPid(m.Paths, pid)
for _, sys := range subsystems {
for _, sys := range m.getSubsystems() {
// TODO: Apply should, ideally, be reentrant or be broken up into a separate
// create and join phase so that the cgroup hierarchy for a container can be
// created then join consists of writing the process pids to cgroup.procs
@ -209,12 +212,16 @@ func (m *Manager) GetPaths() map[string]string {
return paths
func (m *Manager) GetUnifiedPath() (string, error) {
return "", errors.New("unified path is only supported when running in unified mode")
func (m *Manager) GetStats() (*cgroups.Stats, error) {
defer m.mu.Unlock()
stats := cgroups.NewStats()
for name, path := range m.Paths {
sys, err := subsystems.Get(name)
sys, err := m.getSubsystems().Get(name)
if err == errSubsystemDoesNotExist || !cgroups.PathExists(path) {
@ -226,14 +233,18 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
func (m *Manager) Set(container *configs.Config) error {
if container.Cgroups == nil {
return nil
// If Paths are set, then we are just joining cgroups paths
// and there is no need to set any values.
if m.Cgroups.Paths != nil {
if m.Cgroups != nil && m.Cgroups.Paths != nil {
return nil
paths := m.GetPaths()
for _, sys := range subsystems {
for _, sys := range m.getSubsystems() {
path := paths[sys.Name()]
if err := sys.Set(path, container.Cgroups); err != nil {
if m.Rootless && sys.Name() == "devices" {
@ -262,11 +273,15 @@ func (m *Manager) Set(container *configs.Config) error {
// Freeze toggles the container's freezer cgroup depending on the state
// provided
func (m *Manager) Freeze(state configs.FreezerState) error {
if m.Cgroups == nil {
return errors.New("cannot toggle freezer: cgroups not configured for container")
paths := m.GetPaths()
dir := paths["freezer"]
prevState := m.Cgroups.Resources.Freezer
m.Cgroups.Resources.Freezer = state
freezer, err := subsystems.Get("freezer")
freezer, err := m.getSubsystems().Get("freezer")
if err != nil {
return err
@ -354,23 +369,6 @@ func (raw *cgroupData) join(subsystem string) (string, error) {
return path, nil
func writeFile(dir, file, data string) error {
// Normally dir should not be empty, one case is that cgroup subsystem
// is not mounted, we will get empty dir, and we want it fail here.
if dir == "" {
return fmt.Errorf("no such directory for %s", file)
if err := ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700); err != nil {
return fmt.Errorf("failed to write %v to %v: %v", data, file, err)
return nil
func readFile(dir, file string) (string, error) {
data, err := ioutil.ReadFile(filepath.Join(dir, file))
return string(data), err
func removePath(p string, err error) error {
if err != nil {
return err
@ -407,3 +405,7 @@ func CheckCpushares(path string, c uint64) error {
return nil
func (m *Manager) GetCgroups() (*configs.Cgroup, error) {
return m.Cgroups, nil
@ -11,6 +11,7 @@ import (
@ -31,41 +32,41 @@ func (s *BlkioGroup) Apply(d *cgroupData) error {
func (s *BlkioGroup) Set(path string, cgroup *configs.Cgroup) error {
if cgroup.Resources.BlkioWeight != 0 {
if err := writeFile(path, "blkio.weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {
if err := fscommon.WriteFile(path, "blkio.weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {
return err
if cgroup.Resources.BlkioLeafWeight != 0 {
if err := writeFile(path, "blkio.leaf_weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioLeafWeight), 10)); err != nil {
if err := fscommon.WriteFile(path, "blkio.leaf_weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioLeafWeight), 10)); err != nil {
return err
for _, wd := range cgroup.Resources.BlkioWeightDevice {
if err := writeFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
if err := fscommon.WriteFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
return err
if err := writeFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
if err := fscommon.WriteFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
return err
for _, td := range cgroup.Resources.BlkioThrottleReadBpsDevice {
if err := writeFile(path, "blkio.throttle.read_bps_device", td.String()); err != nil {
if err := fscommon.WriteFile(path, "blkio.throttle.read_bps_device", td.String()); err != nil {
return err
for _, td := range cgroup.Resources.BlkioThrottleWriteBpsDevice {
if err := writeFile(path, "blkio.throttle.write_bps_device", td.String()); err != nil {
if err := fscommon.WriteFile(path, "blkio.throttle.write_bps_device", td.String()); err != nil {
return err
for _, td := range cgroup.Resources.BlkioThrottleReadIOPSDevice {
if err := writeFile(path, "blkio.throttle.read_iops_device", td.String()); err != nil {
if err := fscommon.WriteFile(path, "blkio.throttle.read_iops_device", td.String()); err != nil {
return err
for _, td := range cgroup.Resources.BlkioThrottleWriteIOPSDevice {
if err := writeFile(path, "blkio.throttle.write_iops_device", td.String()); err != nil {
if err := fscommon.WriteFile(path, "blkio.throttle.write_iops_device", td.String()); err != nil {
return err
@ -9,6 +9,7 @@ import (
@ -51,12 +52,12 @@ func (s *CpuGroup) ApplyDir(path string, cgroup *configs.Cgroup, pid int) error
func (s *CpuGroup) SetRtSched(path string, cgroup *configs.Cgroup) error {
if cgroup.Resources.CpuRtPeriod != 0 {
if err := writeFile(path, "cpu.rt_period_us", strconv.FormatUint(cgroup.Resources.CpuRtPeriod, 10)); err != nil {
if err := fscommon.WriteFile(path, "cpu.rt_period_us", strconv.FormatUint(cgroup.Resources.CpuRtPeriod, 10)); err != nil {
return err
if cgroup.Resources.CpuRtRuntime != 0 {
if err := writeFile(path, "cpu.rt_runtime_us", strconv.FormatInt(cgroup.Resources.CpuRtRuntime, 10)); err != nil {
if err := fscommon.WriteFile(path, "cpu.rt_runtime_us", strconv.FormatInt(cgroup.Resources.CpuRtRuntime, 10)); err != nil {
return err
@ -65,17 +66,17 @@ func (s *CpuGroup) SetRtSched(path string, cgroup *configs.Cgroup) error {
func (s *CpuGroup) Set(path string, cgroup *configs.Cgroup) error {
if cgroup.Resources.CpuShares != 0 {
if err := writeFile(path, "cpu.shares", strconv.FormatUint(cgroup.Resources.CpuShares, 10)); err != nil {
if err := fscommon.WriteFile(path, "cpu.shares", strconv.FormatUint(cgroup.Resources.CpuShares, 10)); err != nil {
return err
if cgroup.Resources.CpuPeriod != 0 {
if err := writeFile(path, "cpu.cfs_period_us", strconv.FormatUint(cgroup.Resources.CpuPeriod, 10)); err != nil {
if err := fscommon.WriteFile(path, "cpu.cfs_period_us", strconv.FormatUint(cgroup.Resources.CpuPeriod, 10)); err != nil {
return err
if cgroup.Resources.CpuQuota != 0 {
if err := writeFile(path, "cpu.cfs_quota_us", strconv.FormatInt(cgroup.Resources.CpuQuota, 10)); err != nil {
if err := fscommon.WriteFile(path, "cpu.cfs_quota_us", strconv.FormatInt(cgroup.Resources.CpuQuota, 10)); err != nil {
return err
@ -98,7 +99,7 @@ func (s *CpuGroup) GetStats(path string, stats *cgroups.Stats) error {
sc := bufio.NewScanner(f)
for sc.Scan() {
t, v, err := getCgroupParamKeyValue(sc.Text())
t, v, err := fscommon.GetCgroupParamKeyValue(sc.Text())
if err != nil {
return err
@ -10,6 +10,7 @@ import (
@ -51,7 +52,7 @@ func (s *CpuacctGroup) GetStats(path string, stats *cgroups.Stats) error {
return err
totalUsage, err := getCgroupParamUint(path, "cpuacct.usage")
totalUsage, err := fscommon.GetCgroupParamUint(path, "cpuacct.usage")
if err != nil {
return err
@ -85,8 +86,8 @@ func getCpuUsageBreakdown(path string) (uint64, uint64, error) {
return 0, 0, err
fields := strings.Fields(string(data))
if len(fields) != 4 {
return 0, 0, fmt.Errorf("failure - %s is expected to have 4 fields", filepath.Join(path, cgroupCpuacctStat))
if len(fields) < 4 {
return 0, 0, fmt.Errorf("failure - %s is expected to have at least 4 fields", filepath.Join(path, cgroupCpuacctStat))
if fields[0] != userField {
return 0, 0, fmt.Errorf("unexpected field %q in %q, expected %q", fields[0], cgroupCpuacctStat, userField)
@ -10,6 +10,7 @@ import (
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
@ -31,12 +32,12 @@ func (s *CpusetGroup) Apply(d *cgroupData) error {
func (s *CpusetGroup) Set(path string, cgroup *configs.Cgroup) error {
if cgroup.Resources.CpusetCpus != "" {
if err := writeFile(path, "cpuset.cpus", cgroup.Resources.CpusetCpus); err != nil {
if err := fscommon.WriteFile(path, "cpuset.cpus", cgroup.Resources.CpusetCpus); err != nil {
return err
if cgroup.Resources.CpusetMems != "" {
if err := writeFile(path, "cpuset.mems", cgroup.Resources.CpusetMems); err != nil {
if err := fscommon.WriteFile(path, "cpuset.mems", cgroup.Resources.CpusetMems); err != nil {
return err
@ -135,12 +136,12 @@ func (s *CpusetGroup) copyIfNeeded(current, parent string) error {
if s.isEmpty(currentCpus) {
if err := writeFile(current, "cpuset.cpus", string(parentCpus)); err != nil {
if err := fscommon.WriteFile(current, "cpuset.cpus", string(parentCpus)); err != nil {
return err
if s.isEmpty(currentMems) {
if err := writeFile(current, "cpuset.mems", string(parentMems)); err != nil {
if err := fscommon.WriteFile(current, "cpuset.mems", string(parentMems)); err != nil {
return err
@ -4,6 +4,7 @@ package fs
import (
@ -37,7 +38,7 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
if dev.Allow {
file = "devices.allow"
if err := writeFile(path, file, dev.CgroupString()); err != nil {
if err := fscommon.WriteFile(path, file, dev.CgroupString()); err != nil {
return err
@ -45,25 +46,25 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
if cgroup.Resources.AllowAllDevices != nil {
if *cgroup.Resources.AllowAllDevices == false {
if err := writeFile(path, "devices.deny", "a"); err != nil {
if err := fscommon.WriteFile(path, "devices.deny", "a"); err != nil {
return err
for _, dev := range cgroup.Resources.AllowedDevices {
if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
if err := fscommon.WriteFile(path, "devices.allow", dev.CgroupString()); err != nil {
return err
return nil
if err := writeFile(path, "devices.allow", "a"); err != nil {
if err := fscommon.WriteFile(path, "devices.allow", "a"); err != nil {
return err
for _, dev := range cgroup.Resources.DeniedDevices {
if err := writeFile(path, "devices.deny", dev.CgroupString()); err != nil {
if err := fscommon.WriteFile(path, "devices.deny", dev.CgroupString()); err != nil {
return err
@ -8,6 +8,7 @@ import (
@ -34,11 +35,11 @@ func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
// state, let's write again this state, hoping it's going to be properly
// set this time. Otherwise, this loop could run infinitely, waiting for
// a state change that would never happen.
if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
if err := fscommon.WriteFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
return err
state, err := readFile(path, "freezer.state")
state, err := fscommon.ReadFile(path, "freezer.state")
if err != nil {
return err
@ -8,6 +8,7 @@ import (
@ -28,7 +29,7 @@ func (s *HugetlbGroup) Apply(d *cgroupData) error {
func (s *HugetlbGroup) Set(path string, cgroup *configs.Cgroup) error {
for _, hugetlb := range cgroup.Resources.HugetlbLimit {
if err := writeFile(path, strings.Join([]string{"hugetlb", hugetlb.Pagesize, "limit_in_bytes"}, "."), strconv.FormatUint(hugetlb.Limit, 10)); err != nil {
if err := fscommon.WriteFile(path, strings.Join([]string{"hugetlb", hugetlb.Pagesize, "limit_in_bytes"}, "."), strconv.FormatUint(hugetlb.Limit, 10)); err != nil {
return err
@ -44,21 +45,21 @@ func (s *HugetlbGroup) GetStats(path string, stats *cgroups.Stats) error {
hugetlbStats := cgroups.HugetlbStats{}
for _, pageSize := range HugePageSizes {
usage := strings.Join([]string{"hugetlb", pageSize, "usage_in_bytes"}, ".")
value, err := getCgroupParamUint(path, usage)
value, err := fscommon.GetCgroupParamUint(path, usage)
if err != nil {
return fmt.Errorf("failed to parse %s - %v", usage, err)
hugetlbStats.Usage = value
maxUsage := strings.Join([]string{"hugetlb", pageSize, "max_usage_in_bytes"}, ".")
value, err = getCgroupParamUint(path, maxUsage)
value, err = fscommon.GetCgroupParamUint(path, maxUsage)
if err != nil {
return fmt.Errorf("failed to parse %s - %v", maxUsage, err)
hugetlbStats.MaxUsage = value
failcnt := strings.Join([]string{"hugetlb", pageSize, "failcnt"}, ".")
value, err = getCgroupParamUint(path, failcnt)
