xref: /openbmc/linux/tools/bpf/bpftool/feature.c (revision 52cdded0)
1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (c) 2019 Netronome Systems, Inc. */
3 
4 #include <ctype.h>
5 #include <errno.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <net/if.h>
9 #ifdef USE_LIBCAP
10 #include <sys/capability.h>
11 #endif
12 #include <sys/utsname.h>
13 #include <sys/vfs.h>
14 
15 #include <linux/filter.h>
16 #include <linux/limits.h>
17 
18 #include <bpf/bpf.h>
19 #include <bpf/libbpf.h>
20 #include <zlib.h>
21 
22 #include "main.h"
23 
24 #ifndef PROC_SUPER_MAGIC
25 # define PROC_SUPER_MAGIC	0x9fa0
26 #endif
27 
28 enum probe_component {
29 	COMPONENT_UNSPEC,
30 	COMPONENT_KERNEL,
31 	COMPONENT_DEVICE,
32 };
33 
34 #define BPF_HELPER_MAKE_ENTRY(name)	[BPF_FUNC_ ## name] = "bpf_" # name
35 static const char * const helper_name[] = {
36 	__BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
37 };
38 
39 #undef BPF_HELPER_MAKE_ENTRY
40 
41 static bool full_mode;
42 #ifdef USE_LIBCAP
43 static bool run_as_unprivileged;
44 #endif
45 
46 /* Miscellaneous utility functions */
47 
48 static bool check_procfs(void)
49 {
50 	struct statfs st_fs;
51 
52 	if (statfs("/proc", &st_fs) < 0)
53 		return false;
54 	if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
55 		return false;
56 
57 	return true;
58 }
59 
60 static void uppercase(char *str, size_t len)
61 {
62 	size_t i;
63 
64 	for (i = 0; i < len && str[i] != '\0'; i++)
65 		str[i] = toupper(str[i]);
66 }
67 
68 /* Printing utility functions */
69 
70 static void
71 print_bool_feature(const char *feat_name, const char *plain_name,
72 		   const char *define_name, bool res, const char *define_prefix)
73 {
74 	if (json_output)
75 		jsonw_bool_field(json_wtr, feat_name, res);
76 	else if (define_prefix)
77 		printf("#define %s%sHAVE_%s\n", define_prefix,
78 		       res ? "" : "NO_", define_name);
79 	else
80 		printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
81 }
82 
83 static void print_kernel_option(const char *name, const char *value,
84 				const char *define_prefix)
85 {
86 	char *endptr;
87 	int res;
88 
89 	if (json_output) {
90 		if (!value) {
91 			jsonw_null_field(json_wtr, name);
92 			return;
93 		}
94 		errno = 0;
95 		res = strtol(value, &endptr, 0);
96 		if (!errno && *endptr == '\n')
97 			jsonw_int_field(json_wtr, name, res);
98 		else
99 			jsonw_string_field(json_wtr, name, value);
100 	} else if (define_prefix) {
101 		if (value)
102 			printf("#define %s%s %s\n", define_prefix,
103 			       name, value);
104 		else
105 			printf("/* %s%s is not set */\n", define_prefix, name);
106 	} else {
107 		if (value)
108 			printf("%s is set to %s\n", name, value);
109 		else
110 			printf("%s is not set\n", name);
111 	}
112 }
113 
114 static void
115 print_start_section(const char *json_title, const char *plain_title,
116 		    const char *define_comment, const char *define_prefix)
117 {
118 	if (json_output) {
119 		jsonw_name(json_wtr, json_title);
120 		jsonw_start_object(json_wtr);
121 	} else if (define_prefix) {
122 		printf("%s\n", define_comment);
123 	} else {
124 		printf("%s\n", plain_title);
125 	}
126 }
127 
128 static void print_end_section(void)
129 {
130 	if (json_output)
131 		jsonw_end_object(json_wtr);
132 	else
133 		printf("\n");
134 }
135 
136 /* Probing functions */
137 
138 static int read_procfs(const char *path)
139 {
140 	char *endptr, *line = NULL;
141 	size_t len = 0;
142 	FILE *fd;
143 	int res;
144 
145 	fd = fopen(path, "r");
146 	if (!fd)
147 		return -1;
148 
149 	res = getline(&line, &len, fd);
150 	fclose(fd);
151 	if (res < 0)
152 		return -1;
153 
154 	errno = 0;
155 	res = strtol(line, &endptr, 10);
156 	if (errno || *line == '\0' || *endptr != '\n')
157 		res = -1;
158 	free(line);
159 
160 	return res;
161 }
162 
163 static void probe_unprivileged_disabled(void)
164 {
165 	int res;
166 
167 	/* No support for C-style ouptut */
168 
169 	res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
170 	if (json_output) {
171 		jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
172 	} else {
173 		switch (res) {
174 		case 0:
175 			printf("bpf() syscall for unprivileged users is enabled\n");
176 			break;
177 		case 1:
178 			printf("bpf() syscall restricted to privileged users\n");
179 			break;
180 		case -1:
181 			printf("Unable to retrieve required privileges for bpf() syscall\n");
182 			break;
183 		default:
184 			printf("bpf() syscall restriction has unknown value %d\n", res);
185 		}
186 	}
187 }
188 
189 static void probe_jit_enable(void)
190 {
191 	int res;
192 
193 	/* No support for C-style ouptut */
194 
195 	res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
196 	if (json_output) {
197 		jsonw_int_field(json_wtr, "bpf_jit_enable", res);
198 	} else {
199 		switch (res) {
200 		case 0:
201 			printf("JIT compiler is disabled\n");
202 			break;
203 		case 1:
204 			printf("JIT compiler is enabled\n");
205 			break;
206 		case 2:
207 			printf("JIT compiler is enabled with debugging traces in kernel logs\n");
208 			break;
209 		case -1:
210 			printf("Unable to retrieve JIT-compiler status\n");
211 			break;
212 		default:
213 			printf("JIT-compiler status has unknown value %d\n",
214 			       res);
215 		}
216 	}
217 }
218 
219 static void probe_jit_harden(void)
220 {
221 	int res;
222 
223 	/* No support for C-style ouptut */
224 
225 	res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
226 	if (json_output) {
227 		jsonw_int_field(json_wtr, "bpf_jit_harden", res);
228 	} else {
229 		switch (res) {
230 		case 0:
231 			printf("JIT compiler hardening is disabled\n");
232 			break;
233 		case 1:
234 			printf("JIT compiler hardening is enabled for unprivileged users\n");
235 			break;
236 		case 2:
237 			printf("JIT compiler hardening is enabled for all users\n");
238 			break;
239 		case -1:
240 			printf("Unable to retrieve JIT hardening status\n");
241 			break;
242 		default:
243 			printf("JIT hardening status has unknown value %d\n",
244 			       res);
245 		}
246 	}
247 }
248 
249 static void probe_jit_kallsyms(void)
250 {
251 	int res;
252 
253 	/* No support for C-style ouptut */
254 
255 	res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
256 	if (json_output) {
257 		jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
258 	} else {
259 		switch (res) {
260 		case 0:
261 			printf("JIT compiler kallsyms exports are disabled\n");
262 			break;
263 		case 1:
264 			printf("JIT compiler kallsyms exports are enabled for root\n");
265 			break;
266 		case -1:
267 			printf("Unable to retrieve JIT kallsyms export status\n");
268 			break;
269 		default:
270 			printf("JIT kallsyms exports status has unknown value %d\n", res);
271 		}
272 	}
273 }
274 
275 static void probe_jit_limit(void)
276 {
277 	int res;
278 
279 	/* No support for C-style ouptut */
280 
281 	res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
282 	if (json_output) {
283 		jsonw_int_field(json_wtr, "bpf_jit_limit", res);
284 	} else {
285 		switch (res) {
286 		case -1:
287 			printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
288 			break;
289 		default:
290 			printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
291 		}
292 	}
293 }
294 
295 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
296 					   char **value)
297 {
298 	char *sep;
299 
300 	while (gzgets(file, buf, n)) {
301 		if (strncmp(buf, "CONFIG_", 7))
302 			continue;
303 
304 		sep = strchr(buf, '=');
305 		if (!sep)
306 			continue;
307 
308 		/* Trim ending '\n' */
309 		buf[strlen(buf) - 1] = '\0';
310 
311 		/* Split on '=' and ensure that a value is present. */
312 		*sep = '\0';
313 		if (!sep[1])
314 			continue;
315 
316 		*value = sep + 1;
317 		return true;
318 	}
319 
320 	return false;
321 }
322 
323 static void probe_kernel_image_config(const char *define_prefix)
324 {
325 	static const struct {
326 		const char * const name;
327 		bool macro_dump;
328 	} options[] = {
329 		/* Enable BPF */
330 		{ "CONFIG_BPF", },
331 		/* Enable bpf() syscall */
332 		{ "CONFIG_BPF_SYSCALL", },
333 		/* Does selected architecture support eBPF JIT compiler */
334 		{ "CONFIG_HAVE_EBPF_JIT", },
335 		/* Compile eBPF JIT compiler */
336 		{ "CONFIG_BPF_JIT", },
337 		/* Avoid compiling eBPF interpreter (use JIT only) */
338 		{ "CONFIG_BPF_JIT_ALWAYS_ON", },
339 
340 		/* cgroups */
341 		{ "CONFIG_CGROUPS", },
342 		/* BPF programs attached to cgroups */
343 		{ "CONFIG_CGROUP_BPF", },
344 		/* bpf_get_cgroup_classid() helper */
345 		{ "CONFIG_CGROUP_NET_CLASSID", },
346 		/* bpf_skb_{,ancestor_}cgroup_id() helpers */
347 		{ "CONFIG_SOCK_CGROUP_DATA", },
348 
349 		/* Tracing: attach BPF to kprobes, tracepoints, etc. */
350 		{ "CONFIG_BPF_EVENTS", },
351 		/* Kprobes */
352 		{ "CONFIG_KPROBE_EVENTS", },
353 		/* Uprobes */
354 		{ "CONFIG_UPROBE_EVENTS", },
355 		/* Tracepoints */
356 		{ "CONFIG_TRACING", },
357 		/* Syscall tracepoints */
358 		{ "CONFIG_FTRACE_SYSCALLS", },
359 		/* bpf_override_return() helper support for selected arch */
360 		{ "CONFIG_FUNCTION_ERROR_INJECTION", },
361 		/* bpf_override_return() helper */
362 		{ "CONFIG_BPF_KPROBE_OVERRIDE", },
363 
364 		/* Network */
365 		{ "CONFIG_NET", },
366 		/* AF_XDP sockets */
367 		{ "CONFIG_XDP_SOCKETS", },
368 		/* BPF_PROG_TYPE_LWT_* and related helpers */
369 		{ "CONFIG_LWTUNNEL_BPF", },
370 		/* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
371 		{ "CONFIG_NET_ACT_BPF", },
372 		/* BPF_PROG_TYPE_SCHED_CLS, TC filters */
373 		{ "CONFIG_NET_CLS_BPF", },
374 		/* TC clsact qdisc */
375 		{ "CONFIG_NET_CLS_ACT", },
376 		/* Ingress filtering with TC */
377 		{ "CONFIG_NET_SCH_INGRESS", },
378 		/* bpf_skb_get_xfrm_state() helper */
379 		{ "CONFIG_XFRM", },
380 		/* bpf_get_route_realm() helper */
381 		{ "CONFIG_IP_ROUTE_CLASSID", },
382 		/* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
383 		{ "CONFIG_IPV6_SEG6_BPF", },
384 		/* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
385 		{ "CONFIG_BPF_LIRC_MODE2", },
386 		/* BPF stream parser and BPF socket maps */
387 		{ "CONFIG_BPF_STREAM_PARSER", },
388 		/* xt_bpf module for passing BPF programs to netfilter  */
389 		{ "CONFIG_NETFILTER_XT_MATCH_BPF", },
390 		/* bpfilter back-end for iptables */
391 		{ "CONFIG_BPFILTER", },
392 		/* bpftilter module with "user mode helper" */
393 		{ "CONFIG_BPFILTER_UMH", },
394 
395 		/* test_bpf module for BPF tests */
396 		{ "CONFIG_TEST_BPF", },
397 
398 		/* Misc configs useful in BPF C programs */
399 		/* jiffies <-> sec conversion for bpf_jiffies64() helper */
400 		{ "CONFIG_HZ", true, }
401 	};
402 	char *values[ARRAY_SIZE(options)] = { };
403 	struct utsname utsn;
404 	char path[PATH_MAX];
405 	gzFile file = NULL;
406 	char buf[4096];
407 	char *value;
408 	size_t i;
409 
410 	if (!uname(&utsn)) {
411 		snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
412 
413 		/* gzopen also accepts uncompressed files. */
414 		file = gzopen(path, "r");
415 	}
416 
417 	if (!file) {
418 		/* Some distributions build with CONFIG_IKCONFIG=y and put the
419 		 * config file at /proc/config.gz.
420 		 */
421 		file = gzopen("/proc/config.gz", "r");
422 	}
423 	if (!file) {
424 		p_info("skipping kernel config, can't open file: %s",
425 		       strerror(errno));
426 		goto end_parse;
427 	}
428 	/* Sanity checks */
429 	if (!gzgets(file, buf, sizeof(buf)) ||
430 	    !gzgets(file, buf, sizeof(buf))) {
431 		p_info("skipping kernel config, can't read from file: %s",
432 		       strerror(errno));
433 		goto end_parse;
434 	}
435 	if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
436 		p_info("skipping kernel config, can't find correct file");
437 		goto end_parse;
438 	}
439 
440 	while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
441 		for (i = 0; i < ARRAY_SIZE(options); i++) {
442 			if ((define_prefix && !options[i].macro_dump) ||
443 			    values[i] || strcmp(buf, options[i].name))
444 				continue;
445 
446 			values[i] = strdup(value);
447 		}
448 	}
449 
450 end_parse:
451 	if (file)
452 		gzclose(file);
453 
454 	for (i = 0; i < ARRAY_SIZE(options); i++) {
455 		if (define_prefix && !options[i].macro_dump)
456 			continue;
457 		print_kernel_option(options[i].name, values[i], define_prefix);
458 		free(values[i]);
459 	}
460 }
461 
462 static bool probe_bpf_syscall(const char *define_prefix)
463 {
464 	bool res;
465 
466 	bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
467 	res = (errno != ENOSYS);
468 
469 	print_bool_feature("have_bpf_syscall",
470 			   "bpf() syscall",
471 			   "BPF_SYSCALL",
472 			   res, define_prefix);
473 
474 	return res;
475 }
476 
477 static void
478 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
479 		const char *define_prefix, __u32 ifindex)
480 {
481 	char feat_name[128], plain_desc[128], define_name[128];
482 	const char *plain_comment = "eBPF program_type ";
483 	size_t maxlen;
484 	bool res;
485 
486 	if (ifindex)
487 		/* Only test offload-able program types */
488 		switch (prog_type) {
489 		case BPF_PROG_TYPE_SCHED_CLS:
490 		case BPF_PROG_TYPE_XDP:
491 			break;
492 		default:
493 			return;
494 		}
495 
496 	res = bpf_probe_prog_type(prog_type, ifindex);
497 #ifdef USE_LIBCAP
498 	/* Probe may succeed even if program load fails, for unprivileged users
499 	 * check that we did not fail because of insufficient permissions
500 	 */
501 	if (run_as_unprivileged && errno == EPERM)
502 		res = false;
503 #endif
504 
505 	supported_types[prog_type] |= res;
506 
507 	if (!prog_type_name[prog_type]) {
508 		p_info("program type name not found (type %d)", prog_type);
509 		return;
510 	}
511 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
512 	if (strlen(prog_type_name[prog_type]) > maxlen) {
513 		p_info("program type name too long");
514 		return;
515 	}
516 
517 	sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
518 	sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
519 	uppercase(define_name, sizeof(define_name));
520 	sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
521 	print_bool_feature(feat_name, plain_desc, define_name, res,
522 			   define_prefix);
523 }
524 
525 static void
526 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
527 	       __u32 ifindex)
528 {
529 	char feat_name[128], plain_desc[128], define_name[128];
530 	const char *plain_comment = "eBPF map_type ";
531 	size_t maxlen;
532 	bool res;
533 
534 	res = bpf_probe_map_type(map_type, ifindex);
535 
536 	/* Probe result depends on the success of map creation, no additional
537 	 * check required for unprivileged users
538 	 */
539 
540 	if (!map_type_name[map_type]) {
541 		p_info("map type name not found (type %d)", map_type);
542 		return;
543 	}
544 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
545 	if (strlen(map_type_name[map_type]) > maxlen) {
546 		p_info("map type name too long");
547 		return;
548 	}
549 
550 	sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
551 	sprintf(define_name, "%s_map_type", map_type_name[map_type]);
552 	uppercase(define_name, sizeof(define_name));
553 	sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
554 	print_bool_feature(feat_name, plain_desc, define_name, res,
555 			   define_prefix);
556 }
557 
558 static void
559 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
560 			  const char *define_prefix, unsigned int id,
561 			  const char *ptype_name, __u32 ifindex)
562 {
563 	bool res = false;
564 
565 	if (supported_type) {
566 		res = bpf_probe_helper(id, prog_type, ifindex);
567 #ifdef USE_LIBCAP
568 		/* Probe may succeed even if program load fails, for
569 		 * unprivileged users check that we did not fail because of
570 		 * insufficient permissions
571 		 */
572 		if (run_as_unprivileged && errno == EPERM)
573 			res = false;
574 #endif
575 	}
576 
577 	if (json_output) {
578 		if (res)
579 			jsonw_string(json_wtr, helper_name[id]);
580 	} else if (define_prefix) {
581 		printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
582 		       define_prefix, ptype_name, helper_name[id],
583 		       res ? "1" : "0");
584 	} else {
585 		if (res)
586 			printf("\n\t- %s", helper_name[id]);
587 	}
588 }
589 
590 static void
591 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
592 			   const char *define_prefix, __u32 ifindex)
593 {
594 	const char *ptype_name = prog_type_name[prog_type];
595 	char feat_name[128];
596 	unsigned int id;
597 
598 	if (ifindex)
599 		/* Only test helpers for offload-able program types */
600 		switch (prog_type) {
601 		case BPF_PROG_TYPE_SCHED_CLS:
602 		case BPF_PROG_TYPE_XDP:
603 			break;
604 		default:
605 			return;
606 		}
607 
608 	if (json_output) {
609 		sprintf(feat_name, "%s_available_helpers", ptype_name);
610 		jsonw_name(json_wtr, feat_name);
611 		jsonw_start_array(json_wtr);
612 	} else if (!define_prefix) {
613 		printf("eBPF helpers supported for program type %s:",
614 		       ptype_name);
615 	}
616 
617 	for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
618 		/* Skip helper functions which emit dmesg messages when not in
619 		 * the full mode.
620 		 */
621 		switch (id) {
622 		case BPF_FUNC_trace_printk:
623 		case BPF_FUNC_probe_write_user:
624 			if (!full_mode)
625 				continue;
626 			/* fallthrough */
627 		default:
628 			probe_helper_for_progtype(prog_type, supported_type,
629 						  define_prefix, id, ptype_name,
630 						  ifindex);
631 		}
632 	}
633 
634 	if (json_output)
635 		jsonw_end_array(json_wtr);
636 	else if (!define_prefix)
637 		printf("\n");
638 }
639 
640 static void
641 probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
642 {
643 	bool res;
644 
645 	res = bpf_probe_large_insn_limit(ifindex);
646 	print_bool_feature("have_large_insn_limit",
647 			   "Large program size limit",
648 			   "LARGE_INSN_LIMIT",
649 			   res, define_prefix);
650 }
651 
652 static void
653 section_system_config(enum probe_component target, const char *define_prefix)
654 {
655 	switch (target) {
656 	case COMPONENT_KERNEL:
657 	case COMPONENT_UNSPEC:
658 		print_start_section("system_config",
659 				    "Scanning system configuration...",
660 				    "/*** Misc kernel config items ***/",
661 				    define_prefix);
662 		if (!define_prefix) {
663 			if (check_procfs()) {
664 				probe_unprivileged_disabled();
665 				probe_jit_enable();
666 				probe_jit_harden();
667 				probe_jit_kallsyms();
668 				probe_jit_limit();
669 			} else {
670 				p_info("/* procfs not mounted, skipping related probes */");
671 			}
672 		}
673 		probe_kernel_image_config(define_prefix);
674 		print_end_section();
675 		break;
676 	default:
677 		break;
678 	}
679 }
680 
681 static bool section_syscall_config(const char *define_prefix)
682 {
683 	bool res;
684 
685 	print_start_section("syscall_config",
686 			    "Scanning system call availability...",
687 			    "/*** System call availability ***/",
688 			    define_prefix);
689 	res = probe_bpf_syscall(define_prefix);
690 	print_end_section();
691 
692 	return res;
693 }
694 
695 static void
696 section_program_types(bool *supported_types, const char *define_prefix,
697 		      __u32 ifindex)
698 {
699 	unsigned int i;
700 
701 	print_start_section("program_types",
702 			    "Scanning eBPF program types...",
703 			    "/*** eBPF program types ***/",
704 			    define_prefix);
705 
706 	for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
707 		probe_prog_type(i, supported_types, define_prefix, ifindex);
708 
709 	print_end_section();
710 }
711 
712 static void section_map_types(const char *define_prefix, __u32 ifindex)
713 {
714 	unsigned int i;
715 
716 	print_start_section("map_types",
717 			    "Scanning eBPF map types...",
718 			    "/*** eBPF map types ***/",
719 			    define_prefix);
720 
721 	for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
722 		probe_map_type(i, define_prefix, ifindex);
723 
724 	print_end_section();
725 }
726 
727 static void
728 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
729 {
730 	unsigned int i;
731 
732 	print_start_section("helpers",
733 			    "Scanning eBPF helper functions...",
734 			    "/*** eBPF helper functions ***/",
735 			    define_prefix);
736 
737 	if (define_prefix)
738 		printf("/*\n"
739 		       " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
740 		       " * to determine if <helper_name> is available for <prog_type_name>,\n"
741 		       " * e.g.\n"
742 		       " *	#if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
743 		       " *		// do stuff with this helper\n"
744 		       " *	#elif\n"
745 		       " *		// use a workaround\n"
746 		       " *	#endif\n"
747 		       " */\n"
748 		       "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper)	\\\n"
749 		       "	%sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
750 		       define_prefix, define_prefix, define_prefix,
751 		       define_prefix);
752 	for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
753 		probe_helpers_for_progtype(i, supported_types[i], define_prefix,
754 					   ifindex);
755 
756 	print_end_section();
757 }
758 
759 static void section_misc(const char *define_prefix, __u32 ifindex)
760 {
761 	print_start_section("misc",
762 			    "Scanning miscellaneous eBPF features...",
763 			    "/*** eBPF misc features ***/",
764 			    define_prefix);
765 	probe_large_insn_limit(define_prefix, ifindex);
766 	print_end_section();
767 }
768 
769 #ifdef USE_LIBCAP
770 #define capability(c) { c, false, #c }
771 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
772 #endif
773 
774 static int handle_perms(void)
775 {
776 #ifdef USE_LIBCAP
777 	struct {
778 		cap_value_t cap;
779 		bool set;
780 		char name[14];	/* strlen("CAP_SYS_ADMIN") */
781 	} bpf_caps[] = {
782 		capability(CAP_SYS_ADMIN),
783 #ifdef CAP_BPF
784 		capability(CAP_BPF),
785 		capability(CAP_NET_ADMIN),
786 		capability(CAP_PERFMON),
787 #endif
788 	};
789 	cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
790 	unsigned int i, nb_bpf_caps = 0;
791 	bool cap_sys_admin_only = true;
792 	cap_flag_value_t val;
793 	int res = -1;
794 	cap_t caps;
795 
796 	caps = cap_get_proc();
797 	if (!caps) {
798 		p_err("failed to get capabilities for process: %s",
799 		      strerror(errno));
800 		return -1;
801 	}
802 
803 #ifdef CAP_BPF
804 	if (CAP_IS_SUPPORTED(CAP_BPF))
805 		cap_sys_admin_only = false;
806 #endif
807 
808 	for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
809 		const char *cap_name = bpf_caps[i].name;
810 		cap_value_t cap = bpf_caps[i].cap;
811 
812 		if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
813 			p_err("bug: failed to retrieve %s status: %s", cap_name,
814 			      strerror(errno));
815 			goto exit_free;
816 		}
817 
818 		if (val == CAP_SET) {
819 			bpf_caps[i].set = true;
820 			cap_list[nb_bpf_caps++] = cap;
821 		}
822 
823 		if (cap_sys_admin_only)
824 			/* System does not know about CAP_BPF, meaning that
825 			 * CAP_SYS_ADMIN is the only capability required. We
826 			 * just checked it, break.
827 			 */
828 			break;
829 	}
830 
831 	if ((run_as_unprivileged && !nb_bpf_caps) ||
832 	    (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
833 	    (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
834 		/* We are all good, exit now */
835 		res = 0;
836 		goto exit_free;
837 	}
838 
839 	if (!run_as_unprivileged) {
840 		if (cap_sys_admin_only)
841 			p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
842 			      bpf_caps[0].name);
843 		else
844 			p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
845 			      capability_msg(bpf_caps, 0),
846 			      capability_msg(bpf_caps, 1),
847 			      capability_msg(bpf_caps, 2),
848 			      capability_msg(bpf_caps, 3));
849 		goto exit_free;
850 	}
851 
852 	/* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
853 	if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
854 			 CAP_CLEAR)) {
855 		p_err("bug: failed to clear capabilities: %s", strerror(errno));
856 		goto exit_free;
857 	}
858 
859 	if (cap_set_proc(caps)) {
860 		p_err("failed to drop capabilities: %s", strerror(errno));
861 		goto exit_free;
862 	}
863 
864 	res = 0;
865 
866 exit_free:
867 	if (cap_free(caps) && !res) {
868 		p_err("failed to clear storage object for capabilities: %s",
869 		      strerror(errno));
870 		res = -1;
871 	}
872 
873 	return res;
874 #else
875 	/* Detection assumes user has specific privileges.
876 	 * We do not use libpcap so let's approximate, and restrict usage to
877 	 * root user only.
878 	 */
879 	if (geteuid()) {
880 		p_err("full feature probing requires root privileges");
881 		return -1;
882 	}
883 
884 	return 0;
885 #endif /* USE_LIBCAP */
886 }
887 
888 static int do_probe(int argc, char **argv)
889 {
890 	enum probe_component target = COMPONENT_UNSPEC;
891 	const char *define_prefix = NULL;
892 	bool supported_types[128] = {};
893 	__u32 ifindex = 0;
894 	char *ifname;
895 
896 	set_max_rlimit();
897 
898 	while (argc) {
899 		if (is_prefix(*argv, "kernel")) {
900 			if (target != COMPONENT_UNSPEC) {
901 				p_err("component to probe already specified");
902 				return -1;
903 			}
904 			target = COMPONENT_KERNEL;
905 			NEXT_ARG();
906 		} else if (is_prefix(*argv, "dev")) {
907 			NEXT_ARG();
908 
909 			if (target != COMPONENT_UNSPEC || ifindex) {
910 				p_err("component to probe already specified");
911 				return -1;
912 			}
913 			if (!REQ_ARGS(1))
914 				return -1;
915 
916 			target = COMPONENT_DEVICE;
917 			ifname = GET_ARG();
918 			ifindex = if_nametoindex(ifname);
919 			if (!ifindex) {
920 				p_err("unrecognized netdevice '%s': %s", ifname,
921 				      strerror(errno));
922 				return -1;
923 			}
924 		} else if (is_prefix(*argv, "full")) {
925 			full_mode = true;
926 			NEXT_ARG();
927 		} else if (is_prefix(*argv, "macros") && !define_prefix) {
928 			define_prefix = "";
929 			NEXT_ARG();
930 		} else if (is_prefix(*argv, "prefix")) {
931 			if (!define_prefix) {
932 				p_err("'prefix' argument can only be use after 'macros'");
933 				return -1;
934 			}
935 			if (strcmp(define_prefix, "")) {
936 				p_err("'prefix' already defined");
937 				return -1;
938 			}
939 			NEXT_ARG();
940 
941 			if (!REQ_ARGS(1))
942 				return -1;
943 			define_prefix = GET_ARG();
944 		} else if (is_prefix(*argv, "unprivileged")) {
945 #ifdef USE_LIBCAP
946 			run_as_unprivileged = true;
947 			NEXT_ARG();
948 #else
949 			p_err("unprivileged run not supported, recompile bpftool with libcap");
950 			return -1;
951 #endif
952 		} else {
953 			p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
954 			      *argv);
955 			return -1;
956 		}
957 	}
958 
959 	/* Full feature detection requires specific privileges.
960 	 * Let's approximate, and warn if user is not root.
961 	 */
962 	if (handle_perms())
963 		return -1;
964 
965 	if (json_output) {
966 		define_prefix = NULL;
967 		jsonw_start_object(json_wtr);
968 	}
969 
970 	section_system_config(target, define_prefix);
971 	if (!section_syscall_config(define_prefix))
972 		/* bpf() syscall unavailable, don't probe other BPF features */
973 		goto exit_close_json;
974 	section_program_types(supported_types, define_prefix, ifindex);
975 	section_map_types(define_prefix, ifindex);
976 	section_helpers(supported_types, define_prefix, ifindex);
977 	section_misc(define_prefix, ifindex);
978 
979 exit_close_json:
980 	if (json_output)
981 		/* End root object */
982 		jsonw_end_object(json_wtr);
983 
984 	return 0;
985 }
986 
987 static int do_help(int argc, char **argv)
988 {
989 	if (json_output) {
990 		jsonw_null(json_wtr);
991 		return 0;
992 	}
993 
994 	fprintf(stderr,
995 		"Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
996 		"       %1$s %2$s help\n"
997 		"\n"
998 		"       COMPONENT := { kernel | dev NAME }\n"
999 		"",
1000 		bin_name, argv[-2]);
1001 
1002 	return 0;
1003 }
1004 
1005 static const struct cmd cmds[] = {
1006 	{ "probe",	do_probe },
1007 	{ "help",	do_help },
1008 	{ 0 }
1009 };
1010 
1011 int do_feature(int argc, char **argv)
1012 {
1013 	return cmd_select(cmds, argc, argv, do_help);
1014 }
1015