Bouncing on trampolines to run eBPF programs
This blog post is the second installment in our eBPF blog post series, following our blog post about eBPF selftests. As eBPF is used more and more widely in the industry, eBPF kernel developers pay considerable attention to its performance: some standard use cases, such as system monitoring, involve hundreds of eBPF programs attached to events triggered at high frequencies.
We can develop a small monitoring tool fulfilling this need by hooking an eBPF program to the openat2 system call entry and retrieving the path argument passed each time the syscall is executed.

With a few lines of C, and thanks to the bpf tooling developed and maintained by the eBPF community, we could very quickly write an eBPF-based monitor. This may not be a big deal when our kprobe/eBPF pair is not triggered very often, but if we hook multiple programs on frequently called functions, this mechanism will start generating significant overhead.
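Here is what such a monitor looks like on the kernel side, as an added example that is not the blog's own code: a kprobe-based program attached to the openat2 syscall entry that copies the user-supplied path into a ring buffer for a user-space consumer. It assumes the libbpf toolchain (clang -target bpf, libbpf's bpf_helpers.h and bpf_tracing.h, and a generated vmlinux.h); the event layout, map name and size limits are my own choices.

```c
// openat2_mon.bpf.c (example): kprobe on the openat2 syscall entry.
// Build: clang -O2 -g -target bpf -c openat2_mon.bpf.c -o openat2_mon.bpf.o
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

#define PATH_MAX_LEN 256   /* arbitrary cap on the copied path (assumption) */

/* One record per openat2 call, consumed by user space from the ring buffer. */
struct event {
	__u32 pid;
	char comm[16];
	char path[PATH_MAX_LEN];
};

struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 1 << 20);   /* 1 MiB ring buffer (assumption) */
} events SEC(".maps");

/* "ksyscall/openat2" lets libbpf attach a kprobe to the arch-specific
 * syscall wrapper; BPF_KSYSCALL hands us the syscall arguments directly. */
SEC("ksyscall/openat2")
int BPF_KSYSCALL(trace_openat2, int dfd, const char *filename,
		 struct open_how *how, size_t usize)
{
	struct event *e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
	if (!e)
		return 0;   /* ring buffer full: drop this event */

	e->pid = bpf_get_current_pid_tgid() >> 32;   /* upper half is the tgid */
	bpf_get_current_comm(e->comm, sizeof(e->comm));

	/* The path lives in user memory and may be unmapped or unterminated,
	 * so it must go through the user-string probe helper; < 0 means the
	 * read failed and the record is discarded instead of submitted. */
	long n = bpf_probe_read_user_str(e->path, sizeof(e->path), filename);
	if (n < 0) {
		bpf_ringbuf_discard(e, 0);
		return 0;
	}
	bpf_ringbuf_submit(e, 0);
	return 0;
}

char LICENSE[] SEC("license") = "GPL";
```

The user-space side (loading the object with libbpf and polling the `events` ring buffer) is not shown; every openat2 call on the system now pays for the kprobe and this handler, which is the per-event cost the rest of the post is about.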