#+TITLE: [WIP] Exploring the Linux Kernel
I've been meaning to dive deep into the Kernel: mostly to understand
how it works, and if I get the opportunity, also to contribute
patches. This particular note is about finding ways to spelunk around
in the kernel and verify that I'm actually drawing the right inferences.
I hypothesize that the simplest way to explore the kernel would be to
get good at eBPF, and then observe the behavior as I run different
Warning: it can take a lot of time to install and set up BCC,
particularly on a not-overpowered MacBook Air.
I'm on Arch Linux, and rely on Yay for AUR package management. After
updating the package databases, installing the tools was as simple as
#+BEGIN_SRC sh
yay -S bcc bcc-tools python-bcc
#+END_SRC
bcc is installed in /usr/share/bcc.
I also needed to install my kernel headers: my initial reaction on
seeing the errors when running eBPF was that I would need to build
my own kernel, but that might not actually be necessary.
#+BEGIN_SRC sh
# the headers for the stock Arch kernel are in the linux-headers package
pacman -S linux-headers
#+END_SRC
I had updated my system recently without restarting, so I was still
running the previous kernel version, which was pretty confusing for a
few minutes. Rebooting into the latest kernel solved my issues and I
could get eBPF working. I was lucky I checked my current kernel
config with zcat /proc/config.gz | grep -i bpf before heading off
to compile my own kernel.
Seeing execsnoop running successfully was incredibly satisfying.
But opensnoop failed because of a missing kernel config, so I will
have to recompile the kernel.
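Added here as an example (not part of the original note, and not BCC's own tooling): a small POSIX sh script that automates the two checks this section arrives at by hand, that the installed headers belong to the kernel actually running (the upgrade-without-reboot trap) and that the running kernel's config enables the BPF and kprobe options the tracing tools need. The option list and the sample config are assumptions constructed for the example; BCC's INSTALL notes have the authoritative list.

```shell
#!/bin/sh
# Added example, not from the original note. Two checks in plain POSIX sh:
#   1. are headers installed for the *running* kernel? After an upgrade
#      without a reboot, /lib/modules/$(uname -r)/build is missing.
#   2. does the running kernel's config enable the BPF/tracing options?
# REQUIRED_BPF_OPTS is an assumption about what BCC-style tracing tools
# need; consult BCC's INSTALL notes for the authoritative list.

REQUIRED_BPF_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT \
CONFIG_HAVE_EBPF_JIT CONFIG_BPF_EVENTS CONFIG_KPROBES CONFIG_KPROBE_EVENTS \
CONFIG_UPROBE_EVENTS"

# Emit the running kernel's config text: /proc/config.gz first (needs
# CONFIG_IKCONFIG_PROC), then the distro's copy under /boot.
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no readable kernel config for $(uname -r)" >&2
        return 1
    fi
}

# missing_options OPT... : reads config text on stdin and prints every OPT
# that is not "=y" or "=m". A "# CONFIG_X is not set" line counts as
# missing, and the anchored pattern keeps CONFIG_BPF from matching
# CONFIG_BPF_SYSCALL by prefix. Returns 1 if anything is missing.
missing_options() {
    config_text=$(cat)
    rc=0
    for opt in "$@"; do
        if ! printf '%s\n' "$config_text" | grep -q '^'"$opt"'=[ym]$'; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Returns 0 when headers for the currently running kernel are installed.
headers_match_running_kernel() {
    [ -d "/lib/modules/$(uname -r)/build" ]
}

# Constructed sample config (not taken from any real kernel) for a
# self-test: JIT and kprobes are on, the BPF/kprobe event hooks are off.
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_HAVE_EBPF_JIT=y
# CONFIG_BPF_EVENTS is not set
CONFIG_KPROBES=y
# CONFIG_KPROBE_EVENTS is not set
CONFIG_UPROBE_EVENTS=y'

main() {
    case "${1:-}" in
    selftest)
        echo "options missing from the constructed sample config:"
        # unquoted on purpose: the list is split into one word per option
        printf '%s\n' "$SAMPLE_CONFIG" | missing_options $REQUIRED_BPF_OPTS
        ;;
    *)
        headers_match_running_kernel \
            && echo "headers present for running kernel $(uname -r)" \
            || echo "no headers under /lib/modules/$(uname -r)/build: install them, or reboot into the kernel you updated to"
        if cfg=$(read_kernel_config); then
            printf '%s\n' "$cfg" | missing_options $REQUIRED_BPF_OPTS \
                && echo "all required BPF options enabled in $(uname -r)" \
                || echo "enable the options listed above and rebuild the kernel"
        fi
        ;;
    esac
}

main "$@"
```

Run it with no arguments to check the live machine, or with =selftest= to exercise the constructed sample. The point of keeping the check in a script is that it is cheap to rerun after a reboot: if the header check passes but options are still listed, those options (rather than a whole new kernel) are what a rebuild has to add.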
* Downloading the kernel for exploration
Downloading the kernel is as simple as navigating to the right
repository on GitHub. I'm relying on make cscope and make TAGS to make
it comfortable to zoom around the codebase.