[Query] bpftime kernel mode

[nalreddy]

bpftime kernel mode: If a BPF program includes both uprobes and kprobes/tracepoints, the bpftime_daemon loads each program into its appropriate runtime. Uprobes and syscall tracing run in user space, while kernel-related programs—such as kprobes, tracepoints, and XDP—are loaded into the kernel runtime.

bpftime-daemon : traps bpf_syscall and others to redirect program loading to user space or keep them in kernel
base on program type (SEC()).

is my understanding correct ?

Couple of questions :

Step 1: Start the bpftime daemon in separate terminal

sudo bpftime_daemon (can we avoid sudo ??)

Step 2: Load the BPF program

BPFTIME_RUN_WITH_KERNEL=true
LD_PRELOAD=build/runtime/syscall-server/libbpftime-syscall-server.so
example/malloc/malloc

(assume malloc bpf program has some trace point or kprobe)

Step 3: Run the target application with the bpftime agent

LD_PRELOAD=build/runtime/agent/libbpftime-agent.so
example/malloc/victim

[yunwei37]

Step 1 and step 2 here is the same effect, so you can choose one of them: either

sudo bpftime_daemon (we cannot avoid sudo)

Or

BPFTIME_RUN_WITH_KERNEL=true
LD_PRELOAD=build/runtime/syscall-server/libbpftime-syscall-server.so
example/malloc/malloc

No need to use both of them.