kroketio/libbpf-cmake-cpp-starter-project

Libbpf + CMake + C++ scaffolding/starter project

Minimal eBPF (libbpf) usage example from C/C++

Tracepoint events (src/structs.h) are submitted to the ring buffer, where userspace (src/handler.c) can process them further.

To check whether your kernel supports BPF, run: sudo bpftool feature

Features

  1. CMake project usable from CLion
  2. Compiles bpf object/skeleton via CMake
    • and recompiles when src/bpf/execsnoop.bpf.c changes
  3. Type completion in *.bpf.c files
  4. Uses libbpf/bpftool/vmlinux.h/blazesym from external/ (submodules)

Compilation

# git clone this repository recursively
sudo apt install libelf-dev clang llvm cmake build-essential
# ... and possibly install more stuff

1. libbpf

cd external/libbpf/src/
mkdir -p build output
BUILD_STATIC_ONLY=y OBJDIR=build DESTDIR=output make install

2. CMake

At this point you can load this project in CLion, or just compile with CMake:

cmake -Bbuild .
make -Cbuild -j6

Produces build/bin/execsnoop

Notes

  • The two symlinks in src/bpf are present so the IDE has type completion; you can safely remove them.
  • An official starter project, libbpf/libbpf-bootstrap, exists, but it's a mess.

Example output

[exec_exit] pid=1313180 ppid=811561 comm=postgres 
[statfs_enter] pid=799678 path=/home/dsc/snap/firefox/common/.mozilla/firefox/tr55fwnp.default/storage/default/https+++www.youtube.com/idb/3235%sC
[statfs_exit] pid=799678 
[exec_enter] pid=1313191 ppid=358186 comm=git path=/usr/bin/git
[exec_exit] pid=1313191 ppid=358186 comm=git 
[exec_enter] pid=1313192 ppid=358186 comm=jspawnhelper path=/home/dsc/apps/clion-2024.3.1/jbr/lib/jspawnhelper
[exec_enter] pid=1313192 ppid=358186 comm=git path=/usr/bin/git
[exec_exit] pid=1313192 ppid=358186 comm=git 
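
Output in this format can be triaged after the fact. The following is an added example, not code from this repository: it parses the line format inferred from the sample output above and flags exec_enter events whose binary sits under a user-writable directory. The names struct event, parse_event, exec_from_writable_dir and the WRITABLE prefix list are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

struct event { char kind[16]; long pid, ppid; char comm[32]; char path[512]; };

/* Copy the text after `key` into out, ending at `end` (NULL: end of line). */
static void value(const char *line, const char *key, const char *end, char *out, size_t n) {
    const char *p = strstr(line, key), *q;
    out[0] = '\0';
    if (!p) return;
    p += strlen(key);
    q = end ? strstr(p, end) : NULL;
    size_t len = q ? (size_t)(q - p) : strcspn(p, "\r\n");
    while (len && p[len - 1] == ' ') len--;   /* sample lines end in a space */
    if (len >= n) len = n - 1;                /* truncate, never overflow */
    memcpy(out, p, len);
    out[len] = '\0';
}

/* Parse "[kind] pid=N [ppid=N] [comm=S] [path=S]"; returns 0 on anything else. */
int parse_event(const char *line, struct event *ev) {
    memset(ev, 0, sizeof *ev);
    if (sscanf(line, "[%15[a-z_]] pid=%ld", ev->kind, &ev->pid) != 2) return 0;
    const char *pp = strstr(line, " ppid=");
    if (!pp || sscanf(pp, " ppid=%ld", &ev->ppid) != 1) ev->ppid = -1;  /* statfs_* has none */
    value(line, " comm=", " path=", ev->comm, sizeof ev->comm);
    value(line, " path=", NULL, ev->path, sizeof ev->path);
    return 1;
}

/* Prefixes treated as user-writable: an assumption of this example, tune per host. */
static const char *const WRITABLE[] = { "/home/", "/tmp/", "/var/tmp/", "/dev/shm/" };
/* 1 when the event is an exec_enter whose binary lives under a WRITABLE prefix. */
int exec_from_writable_dir(const struct event *ev) {
    if (strcmp(ev->kind, "exec_enter") != 0) return 0;
    for (size_t i = 0; i < sizeof WRITABLE / sizeof *WRITABLE; i++)
        if (!strncmp(ev->path, WRITABLE[i], strlen(WRITABLE[i]))) return 1;
    return 0;
}

int main(void) {
    const char *lines[] = {   /* first line is from the example output, second is constructed */
        "[exec_enter] pid=1313192 ppid=358186 comm=jspawnhelper path=/home/dsc/apps/clion-2024.3.1/jbr/lib/jspawnhelper",
        "[exec_enter] pid=4242 ppid=4000 comm=sh path=/usr/bin/sh" };
    struct event ev;
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        if (parse_event(lines[i], &ev) && exec_from_writable_dir(&ev))
            printf("review: pid=%ld ppid=%ld comm=%s path=%s\n", ev.pid, ev.ppid, ev.comm, ev.path);
    return 0;
}
```

On the sample output this flags the jspawnhelper exec under /home/dsc/apps/, so paths of software installed in a home directory need an allowlist. comm and path are strings the traced process controls and the output does not quote them, so treat the parsed fields as best-effort.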
