xref: /openbmc/linux/tools/bpf/bpftool/feature.c (revision 77423a62)
1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (c) 2019 Netronome Systems, Inc. */
3 
4 #include <ctype.h>
5 #include <errno.h>
6 #include <fcntl.h>
7 #include <string.h>
8 #include <unistd.h>
9 #include <net/if.h>
10 #ifdef USE_LIBCAP
11 #include <sys/capability.h>
12 #endif
13 #include <sys/utsname.h>
14 #include <sys/vfs.h>
15 
16 #include <linux/filter.h>
17 #include <linux/limits.h>
18 
19 #include <bpf/bpf.h>
20 #include <bpf/libbpf.h>
21 #include <zlib.h>
22 
23 #include "main.h"
24 
25 #ifndef PROC_SUPER_MAGIC
26 # define PROC_SUPER_MAGIC	0x9fa0
27 #endif
28 
29 enum probe_component {
30 	COMPONENT_UNSPEC,
31 	COMPONENT_KERNEL,
32 	COMPONENT_DEVICE,
33 };
34 
35 #define BPF_HELPER_MAKE_ENTRY(name)	[BPF_FUNC_ ## name] = "bpf_" # name
36 static const char * const helper_name[] = {
37 	__BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
38 };
39 
40 #undef BPF_HELPER_MAKE_ENTRY
41 
42 static bool full_mode;
43 #ifdef USE_LIBCAP
44 static bool run_as_unprivileged;
45 #endif
46 
47 /* Miscellaneous utility functions */
48 
49 static bool grep(const char *buffer, const char *pattern)
50 {
51 	return !!strstr(buffer, pattern);
52 }
53 
54 static bool check_procfs(void)
55 {
56 	struct statfs st_fs;
57 
58 	if (statfs("/proc", &st_fs) < 0)
59 		return false;
60 	if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
61 		return false;
62 
63 	return true;
64 }
65 
66 static void uppercase(char *str, size_t len)
67 {
68 	size_t i;
69 
70 	for (i = 0; i < len && str[i] != '\0'; i++)
71 		str[i] = toupper(str[i]);
72 }
73 
74 /* Printing utility functions */
75 
76 static void
77 print_bool_feature(const char *feat_name, const char *plain_name,
78 		   const char *define_name, bool res, const char *define_prefix)
79 {
80 	if (json_output)
81 		jsonw_bool_field(json_wtr, feat_name, res);
82 	else if (define_prefix)
83 		printf("#define %s%sHAVE_%s\n", define_prefix,
84 		       res ? "" : "NO_", define_name);
85 	else
86 		printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
87 }
88 
89 static void print_kernel_option(const char *name, const char *value,
90 				const char *define_prefix)
91 {
92 	char *endptr;
93 	int res;
94 
95 	if (json_output) {
96 		if (!value) {
97 			jsonw_null_field(json_wtr, name);
98 			return;
99 		}
100 		errno = 0;
101 		res = strtol(value, &endptr, 0);
102 		if (!errno && *endptr == '\n')
103 			jsonw_int_field(json_wtr, name, res);
104 		else
105 			jsonw_string_field(json_wtr, name, value);
106 	} else if (define_prefix) {
107 		if (value)
108 			printf("#define %s%s %s\n", define_prefix,
109 			       name, value);
110 		else
111 			printf("/* %s%s is not set */\n", define_prefix, name);
112 	} else {
113 		if (value)
114 			printf("%s is set to %s\n", name, value);
115 		else
116 			printf("%s is not set\n", name);
117 	}
118 }
119 
120 static void
121 print_start_section(const char *json_title, const char *plain_title,
122 		    const char *define_comment, const char *define_prefix)
123 {
124 	if (json_output) {
125 		jsonw_name(json_wtr, json_title);
126 		jsonw_start_object(json_wtr);
127 	} else if (define_prefix) {
128 		printf("%s\n", define_comment);
129 	} else {
130 		printf("%s\n", plain_title);
131 	}
132 }
133 
134 static void print_end_section(void)
135 {
136 	if (json_output)
137 		jsonw_end_object(json_wtr);
138 	else
139 		printf("\n");
140 }
141 
142 /* Probing functions */
143 
144 static int get_vendor_id(int ifindex)
145 {
146 	char ifname[IF_NAMESIZE], path[64], buf[8];
147 	ssize_t len;
148 	int fd;
149 
150 	if (!if_indextoname(ifindex, ifname))
151 		return -1;
152 
153 	snprintf(path, sizeof(path), "/sys/class/net/%s/device/vendor", ifname);
154 
155 	fd = open(path, O_RDONLY | O_CLOEXEC);
156 	if (fd < 0)
157 		return -1;
158 
159 	len = read(fd, buf, sizeof(buf));
160 	close(fd);
161 	if (len < 0)
162 		return -1;
163 	if (len >= (ssize_t)sizeof(buf))
164 		return -1;
165 	buf[len] = '\0';
166 
167 	return strtol(buf, NULL, 0);
168 }
169 
170 static int read_procfs(const char *path)
171 {
172 	char *endptr, *line = NULL;
173 	size_t len = 0;
174 	FILE *fd;
175 	int res;
176 
177 	fd = fopen(path, "r");
178 	if (!fd)
179 		return -1;
180 
181 	res = getline(&line, &len, fd);
182 	fclose(fd);
183 	if (res < 0)
184 		return -1;
185 
186 	errno = 0;
187 	res = strtol(line, &endptr, 10);
188 	if (errno || *line == '\0' || *endptr != '\n')
189 		res = -1;
190 	free(line);
191 
192 	return res;
193 }
194 
195 static void probe_unprivileged_disabled(void)
196 {
197 	int res;
198 
199 	/* No support for C-style ouptut */
200 
201 	res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
202 	if (json_output) {
203 		jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
204 	} else {
205 		switch (res) {
206 		case 0:
207 			printf("bpf() syscall for unprivileged users is enabled\n");
208 			break;
209 		case 1:
210 			printf("bpf() syscall restricted to privileged users (without recovery)\n");
211 			break;
212 		case 2:
213 			printf("bpf() syscall restricted to privileged users (admin can change)\n");
214 			break;
215 		case -1:
216 			printf("Unable to retrieve required privileges for bpf() syscall\n");
217 			break;
218 		default:
219 			printf("bpf() syscall restriction has unknown value %d\n", res);
220 		}
221 	}
222 }
223 
224 static void probe_jit_enable(void)
225 {
226 	int res;
227 
228 	/* No support for C-style ouptut */
229 
230 	res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
231 	if (json_output) {
232 		jsonw_int_field(json_wtr, "bpf_jit_enable", res);
233 	} else {
234 		switch (res) {
235 		case 0:
236 			printf("JIT compiler is disabled\n");
237 			break;
238 		case 1:
239 			printf("JIT compiler is enabled\n");
240 			break;
241 		case 2:
242 			printf("JIT compiler is enabled with debugging traces in kernel logs\n");
243 			break;
244 		case -1:
245 			printf("Unable to retrieve JIT-compiler status\n");
246 			break;
247 		default:
248 			printf("JIT-compiler status has unknown value %d\n",
249 			       res);
250 		}
251 	}
252 }
253 
254 static void probe_jit_harden(void)
255 {
256 	int res;
257 
258 	/* No support for C-style ouptut */
259 
260 	res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
261 	if (json_output) {
262 		jsonw_int_field(json_wtr, "bpf_jit_harden", res);
263 	} else {
264 		switch (res) {
265 		case 0:
266 			printf("JIT compiler hardening is disabled\n");
267 			break;
268 		case 1:
269 			printf("JIT compiler hardening is enabled for unprivileged users\n");
270 			break;
271 		case 2:
272 			printf("JIT compiler hardening is enabled for all users\n");
273 			break;
274 		case -1:
275 			printf("Unable to retrieve JIT hardening status\n");
276 			break;
277 		default:
278 			printf("JIT hardening status has unknown value %d\n",
279 			       res);
280 		}
281 	}
282 }
283 
284 static void probe_jit_kallsyms(void)
285 {
286 	int res;
287 
288 	/* No support for C-style ouptut */
289 
290 	res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
291 	if (json_output) {
292 		jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
293 	} else {
294 		switch (res) {
295 		case 0:
296 			printf("JIT compiler kallsyms exports are disabled\n");
297 			break;
298 		case 1:
299 			printf("JIT compiler kallsyms exports are enabled for root\n");
300 			break;
301 		case -1:
302 			printf("Unable to retrieve JIT kallsyms export status\n");
303 			break;
304 		default:
305 			printf("JIT kallsyms exports status has unknown value %d\n", res);
306 		}
307 	}
308 }
309 
310 static void probe_jit_limit(void)
311 {
312 	int res;
313 
314 	/* No support for C-style ouptut */
315 
316 	res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
317 	if (json_output) {
318 		jsonw_int_field(json_wtr, "bpf_jit_limit", res);
319 	} else {
320 		switch (res) {
321 		case -1:
322 			printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
323 			break;
324 		default:
325 			printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
326 		}
327 	}
328 }
329 
330 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
331 					   char **value)
332 {
333 	char *sep;
334 
335 	while (gzgets(file, buf, n)) {
336 		if (strncmp(buf, "CONFIG_", 7))
337 			continue;
338 
339 		sep = strchr(buf, '=');
340 		if (!sep)
341 			continue;
342 
343 		/* Trim ending '\n' */
344 		buf[strlen(buf) - 1] = '\0';
345 
346 		/* Split on '=' and ensure that a value is present. */
347 		*sep = '\0';
348 		if (!sep[1])
349 			continue;
350 
351 		*value = sep + 1;
352 		return true;
353 	}
354 
355 	return false;
356 }
357 
358 static void probe_kernel_image_config(const char *define_prefix)
359 {
360 	static const struct {
361 		const char * const name;
362 		bool macro_dump;
363 	} options[] = {
364 		/* Enable BPF */
365 		{ "CONFIG_BPF", },
366 		/* Enable bpf() syscall */
367 		{ "CONFIG_BPF_SYSCALL", },
368 		/* Does selected architecture support eBPF JIT compiler */
369 		{ "CONFIG_HAVE_EBPF_JIT", },
370 		/* Compile eBPF JIT compiler */
371 		{ "CONFIG_BPF_JIT", },
372 		/* Avoid compiling eBPF interpreter (use JIT only) */
373 		{ "CONFIG_BPF_JIT_ALWAYS_ON", },
374 		/* Kernel BTF debug information available */
375 		{ "CONFIG_DEBUG_INFO_BTF", },
376 		/* Kernel module BTF debug information available */
377 		{ "CONFIG_DEBUG_INFO_BTF_MODULES", },
378 
379 		/* cgroups */
380 		{ "CONFIG_CGROUPS", },
381 		/* BPF programs attached to cgroups */
382 		{ "CONFIG_CGROUP_BPF", },
383 		/* bpf_get_cgroup_classid() helper */
384 		{ "CONFIG_CGROUP_NET_CLASSID", },
385 		/* bpf_skb_{,ancestor_}cgroup_id() helpers */
386 		{ "CONFIG_SOCK_CGROUP_DATA", },
387 
388 		/* Tracing: attach BPF to kprobes, tracepoints, etc. */
389 		{ "CONFIG_BPF_EVENTS", },
390 		/* Kprobes */
391 		{ "CONFIG_KPROBE_EVENTS", },
392 		/* Uprobes */
393 		{ "CONFIG_UPROBE_EVENTS", },
394 		/* Tracepoints */
395 		{ "CONFIG_TRACING", },
396 		/* Syscall tracepoints */
397 		{ "CONFIG_FTRACE_SYSCALLS", },
398 		/* bpf_override_return() helper support for selected arch */
399 		{ "CONFIG_FUNCTION_ERROR_INJECTION", },
400 		/* bpf_override_return() helper */
401 		{ "CONFIG_BPF_KPROBE_OVERRIDE", },
402 
403 		/* Network */
404 		{ "CONFIG_NET", },
405 		/* AF_XDP sockets */
406 		{ "CONFIG_XDP_SOCKETS", },
407 		/* BPF_PROG_TYPE_LWT_* and related helpers */
408 		{ "CONFIG_LWTUNNEL_BPF", },
409 		/* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
410 		{ "CONFIG_NET_ACT_BPF", },
411 		/* BPF_PROG_TYPE_SCHED_CLS, TC filters */
412 		{ "CONFIG_NET_CLS_BPF", },
413 		/* TC clsact qdisc */
414 		{ "CONFIG_NET_CLS_ACT", },
415 		/* Ingress filtering with TC */
416 		{ "CONFIG_NET_SCH_INGRESS", },
417 		/* bpf_skb_get_xfrm_state() helper */
418 		{ "CONFIG_XFRM", },
419 		/* bpf_get_route_realm() helper */
420 		{ "CONFIG_IP_ROUTE_CLASSID", },
421 		/* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
422 		{ "CONFIG_IPV6_SEG6_BPF", },
423 		/* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
424 		{ "CONFIG_BPF_LIRC_MODE2", },
425 		/* BPF stream parser and BPF socket maps */
426 		{ "CONFIG_BPF_STREAM_PARSER", },
427 		/* xt_bpf module for passing BPF programs to netfilter  */
428 		{ "CONFIG_NETFILTER_XT_MATCH_BPF", },
429 		/* bpfilter back-end for iptables */
430 		{ "CONFIG_BPFILTER", },
431 		/* bpftilter module with "user mode helper" */
432 		{ "CONFIG_BPFILTER_UMH", },
433 
434 		/* test_bpf module for BPF tests */
435 		{ "CONFIG_TEST_BPF", },
436 
437 		/* Misc configs useful in BPF C programs */
438 		/* jiffies <-> sec conversion for bpf_jiffies64() helper */
439 		{ "CONFIG_HZ", true, }
440 	};
441 	char *values[ARRAY_SIZE(options)] = { };
442 	struct utsname utsn;
443 	char path[PATH_MAX];
444 	gzFile file = NULL;
445 	char buf[4096];
446 	char *value;
447 	size_t i;
448 
449 	if (!uname(&utsn)) {
450 		snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
451 
452 		/* gzopen also accepts uncompressed files. */
453 		file = gzopen(path, "r");
454 	}
455 
456 	if (!file) {
457 		/* Some distributions build with CONFIG_IKCONFIG=y and put the
458 		 * config file at /proc/config.gz.
459 		 */
460 		file = gzopen("/proc/config.gz", "r");
461 	}
462 	if (!file) {
463 		p_info("skipping kernel config, can't open file: %s",
464 		       strerror(errno));
465 		goto end_parse;
466 	}
467 	/* Sanity checks */
468 	if (!gzgets(file, buf, sizeof(buf)) ||
469 	    !gzgets(file, buf, sizeof(buf))) {
470 		p_info("skipping kernel config, can't read from file: %s",
471 		       strerror(errno));
472 		goto end_parse;
473 	}
474 	if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
475 		p_info("skipping kernel config, can't find correct file");
476 		goto end_parse;
477 	}
478 
479 	while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
480 		for (i = 0; i < ARRAY_SIZE(options); i++) {
481 			if ((define_prefix && !options[i].macro_dump) ||
482 			    values[i] || strcmp(buf, options[i].name))
483 				continue;
484 
485 			values[i] = strdup(value);
486 		}
487 	}
488 
489 end_parse:
490 	if (file)
491 		gzclose(file);
492 
493 	for (i = 0; i < ARRAY_SIZE(options); i++) {
494 		if (define_prefix && !options[i].macro_dump)
495 			continue;
496 		print_kernel_option(options[i].name, values[i], define_prefix);
497 		free(values[i]);
498 	}
499 }
500 
501 static bool probe_bpf_syscall(const char *define_prefix)
502 {
503 	bool res;
504 
505 	bpf_prog_load(BPF_PROG_TYPE_UNSPEC, NULL, NULL, NULL, 0, NULL);
506 	res = (errno != ENOSYS);
507 
508 	print_bool_feature("have_bpf_syscall",
509 			   "bpf() syscall",
510 			   "BPF_SYSCALL",
511 			   res, define_prefix);
512 
513 	return res;
514 }
515 
516 static bool
517 probe_prog_load_ifindex(enum bpf_prog_type prog_type,
518 			const struct bpf_insn *insns, size_t insns_cnt,
519 			char *log_buf, size_t log_buf_sz,
520 			__u32 ifindex)
521 {
522 	LIBBPF_OPTS(bpf_prog_load_opts, opts,
523 		    .log_buf = log_buf,
524 		    .log_size = log_buf_sz,
525 		    .log_level = log_buf ? 1 : 0,
526 		    .prog_ifindex = ifindex,
527 		   );
528 	int fd;
529 
530 	errno = 0;
531 	fd = bpf_prog_load(prog_type, NULL, "GPL", insns, insns_cnt, &opts);
532 	if (fd >= 0)
533 		close(fd);
534 
535 	return fd >= 0 && errno != EINVAL && errno != EOPNOTSUPP;
536 }
537 
538 static bool probe_prog_type_ifindex(enum bpf_prog_type prog_type, __u32 ifindex)
539 {
540 	/* nfp returns -EINVAL on exit(0) with TC offload */
541 	struct bpf_insn insns[2] = {
542 		BPF_MOV64_IMM(BPF_REG_0, 2),
543 		BPF_EXIT_INSN()
544 	};
545 
546 	return probe_prog_load_ifindex(prog_type, insns, ARRAY_SIZE(insns),
547 				       NULL, 0, ifindex);
548 }
549 
550 static void
551 probe_prog_type(enum bpf_prog_type prog_type, const char *prog_type_str,
552 		bool *supported_types, const char *define_prefix, __u32 ifindex)
553 {
554 	char feat_name[128], plain_desc[128], define_name[128];
555 	const char *plain_comment = "eBPF program_type ";
556 	size_t maxlen;
557 	bool res;
558 
559 	if (ifindex) {
560 		switch (prog_type) {
561 		case BPF_PROG_TYPE_SCHED_CLS:
562 		case BPF_PROG_TYPE_XDP:
563 			break;
564 		default:
565 			return;
566 		}
567 
568 		res = probe_prog_type_ifindex(prog_type, ifindex);
569 	} else {
570 		res = libbpf_probe_bpf_prog_type(prog_type, NULL) > 0;
571 	}
572 
573 #ifdef USE_LIBCAP
574 	/* Probe may succeed even if program load fails, for unprivileged users
575 	 * check that we did not fail because of insufficient permissions
576 	 */
577 	if (run_as_unprivileged && errno == EPERM)
578 		res = false;
579 #endif
580 
581 	supported_types[prog_type] |= res;
582 
583 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
584 	if (strlen(prog_type_str) > maxlen) {
585 		p_info("program type name too long");
586 		return;
587 	}
588 
589 	sprintf(feat_name, "have_%s_prog_type", prog_type_str);
590 	sprintf(define_name, "%s_prog_type", prog_type_str);
591 	uppercase(define_name, sizeof(define_name));
592 	sprintf(plain_desc, "%s%s", plain_comment, prog_type_str);
593 	print_bool_feature(feat_name, plain_desc, define_name, res,
594 			   define_prefix);
595 }
596 
597 static bool probe_map_type_ifindex(enum bpf_map_type map_type, __u32 ifindex)
598 {
599 	LIBBPF_OPTS(bpf_map_create_opts, opts);
600 	int key_size, value_size, max_entries;
601 	int fd;
602 
603 	opts.map_ifindex = ifindex;
604 
605 	key_size = sizeof(__u32);
606 	value_size = sizeof(__u32);
607 	max_entries = 1;
608 
609 	fd = bpf_map_create(map_type, NULL, key_size, value_size, max_entries,
610 			    &opts);
611 	if (fd >= 0)
612 		close(fd);
613 
614 	return fd >= 0;
615 }
616 
617 static void
618 probe_map_type(enum bpf_map_type map_type, char const *map_type_str,
619 	       const char *define_prefix, __u32 ifindex)
620 {
621 	char feat_name[128], plain_desc[128], define_name[128];
622 	const char *plain_comment = "eBPF map_type ";
623 	size_t maxlen;
624 	bool res;
625 
626 	if (ifindex) {
627 		switch (map_type) {
628 		case BPF_MAP_TYPE_HASH:
629 		case BPF_MAP_TYPE_ARRAY:
630 			break;
631 		default:
632 			return;
633 		}
634 
635 		res = probe_map_type_ifindex(map_type, ifindex);
636 	} else {
637 		res = libbpf_probe_bpf_map_type(map_type, NULL) > 0;
638 	}
639 
640 	/* Probe result depends on the success of map creation, no additional
641 	 * check required for unprivileged users
642 	 */
643 
644 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
645 	if (strlen(map_type_str) > maxlen) {
646 		p_info("map type name too long");
647 		return;
648 	}
649 
650 	sprintf(feat_name, "have_%s_map_type", map_type_str);
651 	sprintf(define_name, "%s_map_type", map_type_str);
652 	uppercase(define_name, sizeof(define_name));
653 	sprintf(plain_desc, "%s%s", plain_comment, map_type_str);
654 	print_bool_feature(feat_name, plain_desc, define_name, res,
655 			   define_prefix);
656 }
657 
658 static bool
659 probe_helper_ifindex(enum bpf_func_id id, enum bpf_prog_type prog_type,
660 		     __u32 ifindex)
661 {
662 	struct bpf_insn insns[2] = {
663 		BPF_EMIT_CALL(id),
664 		BPF_EXIT_INSN()
665 	};
666 	char buf[4096] = {};
667 	bool res;
668 
669 	probe_prog_load_ifindex(prog_type, insns, ARRAY_SIZE(insns), buf,
670 				sizeof(buf), ifindex);
671 	res = !grep(buf, "invalid func ") && !grep(buf, "unknown func ");
672 
673 	switch (get_vendor_id(ifindex)) {
674 	case 0x19ee: /* Netronome specific */
675 		res = res && !grep(buf, "not supported by FW") &&
676 			!grep(buf, "unsupported function id");
677 		break;
678 	default:
679 		break;
680 	}
681 
682 	return res;
683 }
684 
685 static bool
686 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
687 			  const char *define_prefix, unsigned int id,
688 			  const char *ptype_name, __u32 ifindex)
689 {
690 	bool res = false;
691 
692 	if (supported_type) {
693 		if (ifindex)
694 			res = probe_helper_ifindex(id, prog_type, ifindex);
695 		else
696 			res = libbpf_probe_bpf_helper(prog_type, id, NULL) > 0;
697 #ifdef USE_LIBCAP
698 		/* Probe may succeed even if program load fails, for
699 		 * unprivileged users check that we did not fail because of
700 		 * insufficient permissions
701 		 */
702 		if (run_as_unprivileged && errno == EPERM)
703 			res = false;
704 #endif
705 	}
706 
707 	if (json_output) {
708 		if (res)
709 			jsonw_string(json_wtr, helper_name[id]);
710 	} else if (define_prefix) {
711 		printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
712 		       define_prefix, ptype_name, helper_name[id],
713 		       res ? "1" : "0");
714 	} else {
715 		if (res)
716 			printf("\n\t- %s", helper_name[id]);
717 	}
718 
719 	return res;
720 }
721 
722 static void
723 probe_helpers_for_progtype(enum bpf_prog_type prog_type,
724 			   const char *prog_type_str, bool supported_type,
725 			   const char *define_prefix, __u32 ifindex)
726 {
727 	char feat_name[128];
728 	unsigned int id;
729 	bool probe_res = false;
730 
731 	if (ifindex)
732 		/* Only test helpers for offload-able program types */
733 		switch (prog_type) {
734 		case BPF_PROG_TYPE_SCHED_CLS:
735 		case BPF_PROG_TYPE_XDP:
736 			break;
737 		default:
738 			return;
739 		}
740 
741 	if (json_output) {
742 		sprintf(feat_name, "%s_available_helpers", prog_type_str);
743 		jsonw_name(json_wtr, feat_name);
744 		jsonw_start_array(json_wtr);
745 	} else if (!define_prefix) {
746 		printf("eBPF helpers supported for program type %s:",
747 		       prog_type_str);
748 	}
749 
750 	for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
751 		/* Skip helper functions which emit dmesg messages when not in
752 		 * the full mode.
753 		 */
754 		switch (id) {
755 		case BPF_FUNC_trace_printk:
756 		case BPF_FUNC_trace_vprintk:
757 		case BPF_FUNC_probe_write_user:
758 			if (!full_mode)
759 				continue;
760 			/* fallthrough */
761 		default:
762 			probe_res |= probe_helper_for_progtype(prog_type, supported_type,
763 						  define_prefix, id, prog_type_str,
764 						  ifindex);
765 		}
766 	}
767 
768 	if (json_output)
769 		jsonw_end_array(json_wtr);
770 	else if (!define_prefix) {
771 		printf("\n");
772 		if (!probe_res) {
773 			if (!supported_type)
774 				printf("\tProgram type not supported\n");
775 			else
776 				printf("\tCould not determine which helpers are available\n");
777 		}
778 	}
779 
780 
781 }
782 
783 static void
784 probe_misc_feature(struct bpf_insn *insns, size_t len,
785 		   const char *define_prefix, __u32 ifindex,
786 		   const char *feat_name, const char *plain_name,
787 		   const char *define_name)
788 {
789 	LIBBPF_OPTS(bpf_prog_load_opts, opts,
790 		.prog_ifindex = ifindex,
791 	);
792 	bool res;
793 	int fd;
794 
795 	errno = 0;
796 	fd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, NULL, "GPL",
797 			   insns, len, &opts);
798 	res = fd >= 0 || !errno;
799 
800 	if (fd >= 0)
801 		close(fd);
802 
803 	print_bool_feature(feat_name, plain_name, define_name, res,
804 			   define_prefix);
805 }
806 
807 /*
808  * Probe for availability of kernel commit (5.3):
809  *
810  * c04c0d2b968a ("bpf: increase complexity limit and maximum program size")
811  */
812 static void probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
813 {
814 	struct bpf_insn insns[BPF_MAXINSNS + 1];
815 	int i;
816 
817 	for (i = 0; i < BPF_MAXINSNS; i++)
818 		insns[i] = BPF_MOV64_IMM(BPF_REG_0, 1);
819 	insns[BPF_MAXINSNS] = BPF_EXIT_INSN();
820 
821 	probe_misc_feature(insns, ARRAY_SIZE(insns),
822 			   define_prefix, ifindex,
823 			   "have_large_insn_limit",
824 			   "Large program size limit",
825 			   "LARGE_INSN_LIMIT");
826 }
827 
828 /*
829  * Probe for bounded loop support introduced in commit 2589726d12a1
830  * ("bpf: introduce bounded loops").
831  */
832 static void
833 probe_bounded_loops(const char *define_prefix, __u32 ifindex)
834 {
835 	struct bpf_insn insns[4] = {
836 		BPF_MOV64_IMM(BPF_REG_0, 10),
837 		BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 1),
838 		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, -2),
839 		BPF_EXIT_INSN()
840 	};
841 
842 	probe_misc_feature(insns, ARRAY_SIZE(insns),
843 			   define_prefix, ifindex,
844 			   "have_bounded_loops",
845 			   "Bounded loop support",
846 			   "BOUNDED_LOOPS");
847 }
848 
849 /*
850  * Probe for the v2 instruction set extension introduced in commit 92b31a9af73b
851  * ("bpf: add BPF_J{LT,LE,SLT,SLE} instructions").
852  */
853 static void
854 probe_v2_isa_extension(const char *define_prefix, __u32 ifindex)
855 {
856 	struct bpf_insn insns[4] = {
857 		BPF_MOV64_IMM(BPF_REG_0, 0),
858 		BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 0, 1),
859 		BPF_MOV64_IMM(BPF_REG_0, 1),
860 		BPF_EXIT_INSN()
861 	};
862 
863 	probe_misc_feature(insns, ARRAY_SIZE(insns),
864 			   define_prefix, ifindex,
865 			   "have_v2_isa_extension",
866 			   "ISA extension v2",
867 			   "V2_ISA_EXTENSION");
868 }
869 
870 /*
871  * Probe for the v3 instruction set extension introduced in commit 092ed0968bb6
872  * ("bpf: verifier support JMP32").
873  */
874 static void
875 probe_v3_isa_extension(const char *define_prefix, __u32 ifindex)
876 {
877 	struct bpf_insn insns[4] = {
878 		BPF_MOV64_IMM(BPF_REG_0, 0),
879 		BPF_JMP32_IMM(BPF_JLT, BPF_REG_0, 0, 1),
880 		BPF_MOV64_IMM(BPF_REG_0, 1),
881 		BPF_EXIT_INSN()
882 	};
883 
884 	probe_misc_feature(insns, ARRAY_SIZE(insns),
885 			   define_prefix, ifindex,
886 			   "have_v3_isa_extension",
887 			   "ISA extension v3",
888 			   "V3_ISA_EXTENSION");
889 }
890 
891 static void
892 section_system_config(enum probe_component target, const char *define_prefix)
893 {
894 	switch (target) {
895 	case COMPONENT_KERNEL:
896 	case COMPONENT_UNSPEC:
897 		print_start_section("system_config",
898 				    "Scanning system configuration...",
899 				    "/*** Misc kernel config items ***/",
900 				    define_prefix);
901 		if (!define_prefix) {
902 			if (check_procfs()) {
903 				probe_unprivileged_disabled();
904 				probe_jit_enable();
905 				probe_jit_harden();
906 				probe_jit_kallsyms();
907 				probe_jit_limit();
908 			} else {
909 				p_info("/* procfs not mounted, skipping related probes */");
910 			}
911 		}
912 		probe_kernel_image_config(define_prefix);
913 		print_end_section();
914 		break;
915 	default:
916 		break;
917 	}
918 }
919 
920 static bool section_syscall_config(const char *define_prefix)
921 {
922 	bool res;
923 
924 	print_start_section("syscall_config",
925 			    "Scanning system call availability...",
926 			    "/*** System call availability ***/",
927 			    define_prefix);
928 	res = probe_bpf_syscall(define_prefix);
929 	print_end_section();
930 
931 	return res;
932 }
933 
934 static void
935 section_program_types(bool *supported_types, const char *define_prefix,
936 		      __u32 ifindex)
937 {
938 	unsigned int prog_type = BPF_PROG_TYPE_UNSPEC;
939 	const char *prog_type_str;
940 
941 	print_start_section("program_types",
942 			    "Scanning eBPF program types...",
943 			    "/*** eBPF program types ***/",
944 			    define_prefix);
945 
946 	while (true) {
947 		prog_type++;
948 		prog_type_str = libbpf_bpf_prog_type_str(prog_type);
949 		/* libbpf will return NULL for variants unknown to it. */
950 		if (!prog_type_str)
951 			break;
952 
953 		probe_prog_type(prog_type, prog_type_str, supported_types, define_prefix,
954 				ifindex);
955 	}
956 
957 	print_end_section();
958 }
959 
960 static void section_map_types(const char *define_prefix, __u32 ifindex)
961 {
962 	unsigned int map_type = BPF_MAP_TYPE_UNSPEC;
963 	const char *map_type_str;
964 
965 	print_start_section("map_types",
966 			    "Scanning eBPF map types...",
967 			    "/*** eBPF map types ***/",
968 			    define_prefix);
969 
970 	while (true) {
971 		map_type++;
972 		map_type_str = libbpf_bpf_map_type_str(map_type);
973 		/* libbpf will return NULL for variants unknown to it. */
974 		if (!map_type_str)
975 			break;
976 
977 		probe_map_type(map_type, map_type_str, define_prefix, ifindex);
978 	}
979 
980 	print_end_section();
981 }
982 
983 static void
984 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
985 {
986 	unsigned int prog_type = BPF_PROG_TYPE_UNSPEC;
987 	const char *prog_type_str;
988 
989 	print_start_section("helpers",
990 			    "Scanning eBPF helper functions...",
991 			    "/*** eBPF helper functions ***/",
992 			    define_prefix);
993 
994 	if (define_prefix)
995 		printf("/*\n"
996 		       " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
997 		       " * to determine if <helper_name> is available for <prog_type_name>,\n"
998 		       " * e.g.\n"
999 		       " *	#if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
1000 		       " *		// do stuff with this helper\n"
1001 		       " *	#elif\n"
1002 		       " *		// use a workaround\n"
1003 		       " *	#endif\n"
1004 		       " */\n"
1005 		       "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper)	\\\n"
1006 		       "	%sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
1007 		       define_prefix, define_prefix, define_prefix,
1008 		       define_prefix);
1009 	while (true) {
1010 		prog_type++;
1011 		prog_type_str = libbpf_bpf_prog_type_str(prog_type);
1012 		/* libbpf will return NULL for variants unknown to it. */
1013 		if (!prog_type_str)
1014 			break;
1015 
1016 		probe_helpers_for_progtype(prog_type, prog_type_str,
1017 					   supported_types[prog_type],
1018 					   define_prefix,
1019 					   ifindex);
1020 	}
1021 
1022 	print_end_section();
1023 }
1024 
1025 static void section_misc(const char *define_prefix, __u32 ifindex)
1026 {
1027 	print_start_section("misc",
1028 			    "Scanning miscellaneous eBPF features...",
1029 			    "/*** eBPF misc features ***/",
1030 			    define_prefix);
1031 	probe_large_insn_limit(define_prefix, ifindex);
1032 	probe_bounded_loops(define_prefix, ifindex);
1033 	probe_v2_isa_extension(define_prefix, ifindex);
1034 	probe_v3_isa_extension(define_prefix, ifindex);
1035 	print_end_section();
1036 }
1037 
1038 #ifdef USE_LIBCAP
1039 #define capability(c) { c, false, #c }
1040 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
1041 #endif
1042 
1043 static int handle_perms(void)
1044 {
1045 #ifdef USE_LIBCAP
1046 	struct {
1047 		cap_value_t cap;
1048 		bool set;
1049 		char name[14];	/* strlen("CAP_SYS_ADMIN") */
1050 	} bpf_caps[] = {
1051 		capability(CAP_SYS_ADMIN),
1052 #ifdef CAP_BPF
1053 		capability(CAP_BPF),
1054 		capability(CAP_NET_ADMIN),
1055 		capability(CAP_PERFMON),
1056 #endif
1057 	};
1058 	cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
1059 	unsigned int i, nb_bpf_caps = 0;
1060 	bool cap_sys_admin_only = true;
1061 	cap_flag_value_t val;
1062 	int res = -1;
1063 	cap_t caps;
1064 
1065 	caps = cap_get_proc();
1066 	if (!caps) {
1067 		p_err("failed to get capabilities for process: %s",
1068 		      strerror(errno));
1069 		return -1;
1070 	}
1071 
1072 #ifdef CAP_BPF
1073 	if (CAP_IS_SUPPORTED(CAP_BPF))
1074 		cap_sys_admin_only = false;
1075 #endif
1076 
1077 	for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
1078 		const char *cap_name = bpf_caps[i].name;
1079 		cap_value_t cap = bpf_caps[i].cap;
1080 
1081 		if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
1082 			p_err("bug: failed to retrieve %s status: %s", cap_name,
1083 			      strerror(errno));
1084 			goto exit_free;
1085 		}
1086 
1087 		if (val == CAP_SET) {
1088 			bpf_caps[i].set = true;
1089 			cap_list[nb_bpf_caps++] = cap;
1090 		}
1091 
1092 		if (cap_sys_admin_only)
1093 			/* System does not know about CAP_BPF, meaning that
1094 			 * CAP_SYS_ADMIN is the only capability required. We
1095 			 * just checked it, break.
1096 			 */
1097 			break;
1098 	}
1099 
1100 	if ((run_as_unprivileged && !nb_bpf_caps) ||
1101 	    (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
1102 	    (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
1103 		/* We are all good, exit now */
1104 		res = 0;
1105 		goto exit_free;
1106 	}
1107 
1108 	if (!run_as_unprivileged) {
1109 		if (cap_sys_admin_only)
1110 			p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
1111 			      bpf_caps[0].name);
1112 		else
1113 			p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
1114 			      capability_msg(bpf_caps, 0),
1115 #ifdef CAP_BPF
1116 			      capability_msg(bpf_caps, 1),
1117 			      capability_msg(bpf_caps, 2),
1118 			      capability_msg(bpf_caps, 3)
1119 #else
1120 				"", "", "", "", "", ""
1121 #endif /* CAP_BPF */
1122 				);
1123 		goto exit_free;
1124 	}
1125 
1126 	/* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
1127 	if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
1128 			 CAP_CLEAR)) {
1129 		p_err("bug: failed to clear capabilities: %s", strerror(errno));
1130 		goto exit_free;
1131 	}
1132 
1133 	if (cap_set_proc(caps)) {
1134 		p_err("failed to drop capabilities: %s", strerror(errno));
1135 		goto exit_free;
1136 	}
1137 
1138 	res = 0;
1139 
1140 exit_free:
1141 	if (cap_free(caps) && !res) {
1142 		p_err("failed to clear storage object for capabilities: %s",
1143 		      strerror(errno));
1144 		res = -1;
1145 	}
1146 
1147 	return res;
1148 #else
1149 	/* Detection assumes user has specific privileges.
1150 	 * We do not use libpcap so let's approximate, and restrict usage to
1151 	 * root user only.
1152 	 */
1153 	if (geteuid()) {
1154 		p_err("full feature probing requires root privileges");
1155 		return -1;
1156 	}
1157 
1158 	return 0;
1159 #endif /* USE_LIBCAP */
1160 }
1161 
1162 static int do_probe(int argc, char **argv)
1163 {
1164 	enum probe_component target = COMPONENT_UNSPEC;
1165 	const char *define_prefix = NULL;
1166 	bool supported_types[128] = {};
1167 	__u32 ifindex = 0;
1168 	char *ifname;
1169 
1170 	set_max_rlimit();
1171 
1172 	while (argc) {
1173 		if (is_prefix(*argv, "kernel")) {
1174 			if (target != COMPONENT_UNSPEC) {
1175 				p_err("component to probe already specified");
1176 				return -1;
1177 			}
1178 			target = COMPONENT_KERNEL;
1179 			NEXT_ARG();
1180 		} else if (is_prefix(*argv, "dev")) {
1181 			NEXT_ARG();
1182 
1183 			if (target != COMPONENT_UNSPEC || ifindex) {
1184 				p_err("component to probe already specified");
1185 				return -1;
1186 			}
1187 			if (!REQ_ARGS(1))
1188 				return -1;
1189 
1190 			target = COMPONENT_DEVICE;
1191 			ifname = GET_ARG();
1192 			ifindex = if_nametoindex(ifname);
1193 			if (!ifindex) {
1194 				p_err("unrecognized netdevice '%s': %s", ifname,
1195 				      strerror(errno));
1196 				return -1;
1197 			}
1198 		} else if (is_prefix(*argv, "full")) {
1199 			full_mode = true;
1200 			NEXT_ARG();
1201 		} else if (is_prefix(*argv, "macros") && !define_prefix) {
1202 			define_prefix = "";
1203 			NEXT_ARG();
1204 		} else if (is_prefix(*argv, "prefix")) {
1205 			if (!define_prefix) {
1206 				p_err("'prefix' argument can only be use after 'macros'");
1207 				return -1;
1208 			}
1209 			if (strcmp(define_prefix, "")) {
1210 				p_err("'prefix' already defined");
1211 				return -1;
1212 			}
1213 			NEXT_ARG();
1214 
1215 			if (!REQ_ARGS(1))
1216 				return -1;
1217 			define_prefix = GET_ARG();
1218 		} else if (is_prefix(*argv, "unprivileged")) {
1219 #ifdef USE_LIBCAP
1220 			run_as_unprivileged = true;
1221 			NEXT_ARG();
1222 #else
1223 			p_err("unprivileged run not supported, recompile bpftool with libcap");
1224 			return -1;
1225 #endif
1226 		} else {
1227 			p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
1228 			      *argv);
1229 			return -1;
1230 		}
1231 	}
1232 
1233 	/* Full feature detection requires specific privileges.
1234 	 * Let's approximate, and warn if user is not root.
1235 	 */
1236 	if (handle_perms())
1237 		return -1;
1238 
1239 	if (json_output) {
1240 		define_prefix = NULL;
1241 		jsonw_start_object(json_wtr);
1242 	}
1243 
1244 	section_system_config(target, define_prefix);
1245 	if (!section_syscall_config(define_prefix))
1246 		/* bpf() syscall unavailable, don't probe other BPF features */
1247 		goto exit_close_json;
1248 	section_program_types(supported_types, define_prefix, ifindex);
1249 	section_map_types(define_prefix, ifindex);
1250 	section_helpers(supported_types, define_prefix, ifindex);
1251 	section_misc(define_prefix, ifindex);
1252 
1253 exit_close_json:
1254 	if (json_output)
1255 		/* End root object */
1256 		jsonw_end_object(json_wtr);
1257 
1258 	return 0;
1259 }
1260 
1261 static const char *get_helper_name(unsigned int id)
1262 {
1263 	if (id >= ARRAY_SIZE(helper_name))
1264 		return NULL;
1265 
1266 	return helper_name[id];
1267 }
1268 
1269 static int do_list_builtins(int argc, char **argv)
1270 {
1271 	const char *(*get_name)(unsigned int id);
1272 	unsigned int id = 0;
1273 
1274 	if (argc < 1)
1275 		usage();
1276 
1277 	if (is_prefix(*argv, "prog_types")) {
1278 		get_name = (const char *(*)(unsigned int))libbpf_bpf_prog_type_str;
1279 	} else if (is_prefix(*argv, "map_types")) {
1280 		get_name = (const char *(*)(unsigned int))libbpf_bpf_map_type_str;
1281 	} else if (is_prefix(*argv, "attach_types")) {
1282 		get_name = (const char *(*)(unsigned int))libbpf_bpf_attach_type_str;
1283 	} else if (is_prefix(*argv, "link_types")) {
1284 		get_name = (const char *(*)(unsigned int))libbpf_bpf_link_type_str;
1285 	} else if (is_prefix(*argv, "helpers")) {
1286 		get_name = get_helper_name;
1287 	} else {
1288 		p_err("expected 'prog_types', 'map_types', 'attach_types', 'link_types' or 'helpers', got: %s", *argv);
1289 		return -1;
1290 	}
1291 
1292 	if (json_output)
1293 		jsonw_start_array(json_wtr);	/* root array */
1294 
1295 	while (true) {
1296 		const char *name;
1297 
1298 		name = get_name(id++);
1299 		if (!name)
1300 			break;
1301 		if (json_output)
1302 			jsonw_string(json_wtr, name);
1303 		else
1304 			printf("%s\n", name);
1305 	}
1306 
1307 	if (json_output)
1308 		jsonw_end_array(json_wtr);	/* root array */
1309 
1310 	return 0;
1311 }
1312 
1313 static int do_help(int argc, char **argv)
1314 {
1315 	if (json_output) {
1316 		jsonw_null(json_wtr);
1317 		return 0;
1318 	}
1319 
1320 	fprintf(stderr,
1321 		"Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
1322 		"       %1$s %2$s list_builtins GROUP\n"
1323 		"       %1$s %2$s help\n"
1324 		"\n"
1325 		"       COMPONENT := { kernel | dev NAME }\n"
1326 		"       GROUP := { prog_types | map_types | attach_types | link_types | helpers }\n"
1327 		"       " HELP_SPEC_OPTIONS " }\n"
1328 		"",
1329 		bin_name, argv[-2]);
1330 
1331 	return 0;
1332 }
1333 
1334 static const struct cmd cmds[] = {
1335 	{ "probe",		do_probe },
1336 	{ "list_builtins",	do_list_builtins },
1337 	{ "help",		do_help },
1338 	{ 0 }
1339 };
1340 
1341 int do_feature(int argc, char **argv)
1342 {
1343 	return cmd_select(cmds, argc, argv, do_help);
1344 }
1345