expLog

[WIP] Exploring the Linux Kernel

I've been meaning to dive deep into the Kernel: mostly to understand how it works, and if I get the opportunity, also to contribute patches. This particular note is about finding ways to spelunk around in the kernel and verify that I'm actually drawing the right inferences.

eBPF

I hypothesize that the simplest way to explore the kernel would be to get good at eBPF, and then observe the behavior as I run different programs.

Warning: it can take a lot of time to install and set up BCC, particularly on a not-overpowered MacBook Air.

I'm on Arch Linux, and rely on yay for AUR package management. After updating the package databases, installing the tools was as simple as

yay -S bcc bcc-tools python-bcc

The BCC tools are installed under /usr/share/bcc.

I also needed to install my kernel headers: my initial reaction on seeing the errors when running eBPF was that I would need to build my own kernel, but that might not actually be necessary.

sudo pacman -S linux-headers

I had updated my system recently without restarting, so I was still running the previous kernel version, which was pretty confusing for a few minutes. Rebooting into the latest kernel solved my issues and I had working eBPF. I was lucky I checked my current kernel config with a zcat /proc/config.gz | grep -i bpf before heading off and compiling my own kernel.

Seeing execsnoop running successfully was incredibly satisfying.

But opensnoop failed because of a missing kernel config option, so I will have to recompile the kernel.
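The two things that bit me here (a kernel config without the options BCC needs, and headers that don't match the kernel that is actually running) are easy to check up front. The script below is an added example, not something from the original post or from the BCC project; the list of config options it checks is my assumption drawn from BCC's install notes, and the headers path /lib/modules/$(uname -r)/build is the one BCC looks for. It runs against the live /proc/config.gz when that is readable and otherwise against a constructed sample config, so it works even on a box where CONFIG_IKCONFIG_PROC is off.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a pre-flight check for BCC.
# It answers the two questions the post stumbled over:
#   1. does the running kernel's config have the BPF options BCC needs?
#   2. do the installed headers match the running kernel (or did I forget
#      to reboot after a kernel upgrade)?
# The option list below is an assumption drawn from BCC's install notes,
# not something the post states; extend it for the tools you care about.

REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_KPROBES CONFIG_KPROBE_EVENTS CONFIG_HAVE_EBPF_JIT CONFIG_IKCONFIG_PROC"

# Constructed sample .config (not captured from a real machine): BPF itself
# is on, but kprobe events are off, which is the kind of gap that makes a
# BCC tool fail at load time even though the basics appear to work.
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_EVENTS=y
CONFIG_KPROBES=y
# CONFIG_KPROBE_EVENTS is not set
CONFIG_HAVE_EBPF_JIT=y
CONFIG_IKCONFIG_PROC=y'

# missing_bpf_opts: reads kernel config text on stdin (e.g. from
# "zcat /proc/config.gz") and prints each required option that is neither
# =y nor =m, one per line. Prints nothing when everything is present.
missing_bpf_opts() {
  local cfg opt
  cfg=$(cat)
  for opt in $REQUIRED_OPTS; do
    printf '%s\n' "$cfg" | grep -qE "^${opt}=(y|m)$" || echo "$opt"
  done
}

# headers_match_running_kernel VERSION [MODULES_DIR]: true when a headers
# build tree exists for VERSION. BCC looks under /lib/modules/VERSION/build;
# a stale `uname -r` after an upgrade without a reboot is exactly the
# mismatch the post ran into.
headers_match_running_kernel() {
  local version="$1" modules_dir="${2:-/lib/modules}"
  [ -d "$modules_dir/$version/build" ]
}

# bcc_preflight: report for the live system, falling back to the sample
# config when /proc/config.gz is unavailable (CONFIG_IKCONFIG_PROC off).
bcc_preflight() {
  local missing running
  if [ -r /proc/config.gz ]; then
    missing=$(zcat /proc/config.gz | missing_bpf_opts)
  else
    echo "no /proc/config.gz; checking the constructed sample config instead" >&2
    missing=$(printf '%s\n' "$SAMPLE_CONFIG" | missing_bpf_opts)
  fi
  if [ -z "$missing" ]; then
    echo "kernel config: all required BPF options present"
  else
    echo "kernel config: missing $(echo "$missing" | tr '\n' ' ')"
  fi
  running=$(uname -r)
  if headers_match_running_kernel "$running"; then
    echo "headers: found for $running"
  else
    echo "headers: none for $running; install linux-headers or reboot into the upgraded kernel"
  fi
}

bcc_preflight
```

On a machine where the check reports a missing option, that is the signal that a kernel rebuild (or a different kernel package) is needed; when it only reports a headers mismatch, a reboot or a headers install is all that's required.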

Downloading the kernel for exploration

Downloading the kernel is as simple as navigating to the right repository on GitHub. I'm relying on make cscope and make TAGS to make it comfortable to zoom around the codebase.
