xref: /openbmc/linux/tools/bpf/bpftool/feature.c (revision 82df5b73)
1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (c) 2019 Netronome Systems, Inc. */
3 
4 #include <ctype.h>
5 #include <errno.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <net/if.h>
9 #ifdef USE_LIBCAP
10 #include <sys/capability.h>
11 #endif
12 #include <sys/utsname.h>
13 #include <sys/vfs.h>
14 
15 #include <linux/filter.h>
16 #include <linux/limits.h>
17 
18 #include <bpf/bpf.h>
19 #include <bpf/libbpf.h>
20 #include <zlib.h>
21 
22 #include "main.h"
23 
24 #ifndef PROC_SUPER_MAGIC
25 # define PROC_SUPER_MAGIC	0x9fa0
26 #endif
27 
28 enum probe_component {
29 	COMPONENT_UNSPEC,
30 	COMPONENT_KERNEL,
31 	COMPONENT_DEVICE,
32 };
33 
34 #define BPF_HELPER_MAKE_ENTRY(name)	[BPF_FUNC_ ## name] = "bpf_" # name
35 static const char * const helper_name[] = {
36 	__BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
37 };
38 
39 #undef BPF_HELPER_MAKE_ENTRY
40 
41 static bool full_mode;
42 #ifdef USE_LIBCAP
43 static bool run_as_unprivileged;
44 #endif
45 
46 /* Miscellaneous utility functions */
47 
48 static bool check_procfs(void)
49 {
50 	struct statfs st_fs;
51 
52 	if (statfs("/proc", &st_fs) < 0)
53 		return false;
54 	if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
55 		return false;
56 
57 	return true;
58 }
59 
60 static void uppercase(char *str, size_t len)
61 {
62 	size_t i;
63 
64 	for (i = 0; i < len && str[i] != '\0'; i++)
65 		str[i] = toupper(str[i]);
66 }
67 
68 /* Printing utility functions */
69 
70 static void
71 print_bool_feature(const char *feat_name, const char *plain_name,
72 		   const char *define_name, bool res, const char *define_prefix)
73 {
74 	if (json_output)
75 		jsonw_bool_field(json_wtr, feat_name, res);
76 	else if (define_prefix)
77 		printf("#define %s%sHAVE_%s\n", define_prefix,
78 		       res ? "" : "NO_", define_name);
79 	else
80 		printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
81 }
82 
83 static void print_kernel_option(const char *name, const char *value,
84 				const char *define_prefix)
85 {
86 	char *endptr;
87 	int res;
88 
89 	if (json_output) {
90 		if (!value) {
91 			jsonw_null_field(json_wtr, name);
92 			return;
93 		}
94 		errno = 0;
95 		res = strtol(value, &endptr, 0);
96 		if (!errno && *endptr == '\n')
97 			jsonw_int_field(json_wtr, name, res);
98 		else
99 			jsonw_string_field(json_wtr, name, value);
100 	} else if (define_prefix) {
101 		if (value)
102 			printf("#define %s%s %s\n", define_prefix,
103 			       name, value);
104 		else
105 			printf("/* %s%s is not set */\n", define_prefix, name);
106 	} else {
107 		if (value)
108 			printf("%s is set to %s\n", name, value);
109 		else
110 			printf("%s is not set\n", name);
111 	}
112 }
113 
114 static void
115 print_start_section(const char *json_title, const char *plain_title,
116 		    const char *define_comment, const char *define_prefix)
117 {
118 	if (json_output) {
119 		jsonw_name(json_wtr, json_title);
120 		jsonw_start_object(json_wtr);
121 	} else if (define_prefix) {
122 		printf("%s\n", define_comment);
123 	} else {
124 		printf("%s\n", plain_title);
125 	}
126 }
127 
128 static void print_end_section(void)
129 {
130 	if (json_output)
131 		jsonw_end_object(json_wtr);
132 	else
133 		printf("\n");
134 }
135 
136 /* Probing functions */
137 
138 static int read_procfs(const char *path)
139 {
140 	char *endptr, *line = NULL;
141 	size_t len = 0;
142 	FILE *fd;
143 	int res;
144 
145 	fd = fopen(path, "r");
146 	if (!fd)
147 		return -1;
148 
149 	res = getline(&line, &len, fd);
150 	fclose(fd);
151 	if (res < 0)
152 		return -1;
153 
154 	errno = 0;
155 	res = strtol(line, &endptr, 10);
156 	if (errno || *line == '\0' || *endptr != '\n')
157 		res = -1;
158 	free(line);
159 
160 	return res;
161 }
162 
163 static void probe_unprivileged_disabled(void)
164 {
165 	int res;
166 
167 	/* No support for C-style ouptut */
168 
169 	res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
170 	if (json_output) {
171 		jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
172 	} else {
173 		switch (res) {
174 		case 0:
175 			printf("bpf() syscall for unprivileged users is enabled\n");
176 			break;
177 		case 1:
178 			printf("bpf() syscall restricted to privileged users\n");
179 			break;
180 		case -1:
181 			printf("Unable to retrieve required privileges for bpf() syscall\n");
182 			break;
183 		default:
184 			printf("bpf() syscall restriction has unknown value %d\n", res);
185 		}
186 	}
187 }
188 
189 static void probe_jit_enable(void)
190 {
191 	int res;
192 
193 	/* No support for C-style ouptut */
194 
195 	res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
196 	if (json_output) {
197 		jsonw_int_field(json_wtr, "bpf_jit_enable", res);
198 	} else {
199 		switch (res) {
200 		case 0:
201 			printf("JIT compiler is disabled\n");
202 			break;
203 		case 1:
204 			printf("JIT compiler is enabled\n");
205 			break;
206 		case 2:
207 			printf("JIT compiler is enabled with debugging traces in kernel logs\n");
208 			break;
209 		case -1:
210 			printf("Unable to retrieve JIT-compiler status\n");
211 			break;
212 		default:
213 			printf("JIT-compiler status has unknown value %d\n",
214 			       res);
215 		}
216 	}
217 }
218 
219 static void probe_jit_harden(void)
220 {
221 	int res;
222 
223 	/* No support for C-style ouptut */
224 
225 	res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
226 	if (json_output) {
227 		jsonw_int_field(json_wtr, "bpf_jit_harden", res);
228 	} else {
229 		switch (res) {
230 		case 0:
231 			printf("JIT compiler hardening is disabled\n");
232 			break;
233 		case 1:
234 			printf("JIT compiler hardening is enabled for unprivileged users\n");
235 			break;
236 		case 2:
237 			printf("JIT compiler hardening is enabled for all users\n");
238 			break;
239 		case -1:
240 			printf("Unable to retrieve JIT hardening status\n");
241 			break;
242 		default:
243 			printf("JIT hardening status has unknown value %d\n",
244 			       res);
245 		}
246 	}
247 }
248 
249 static void probe_jit_kallsyms(void)
250 {
251 	int res;
252 
253 	/* No support for C-style ouptut */
254 
255 	res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
256 	if (json_output) {
257 		jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
258 	} else {
259 		switch (res) {
260 		case 0:
261 			printf("JIT compiler kallsyms exports are disabled\n");
262 			break;
263 		case 1:
264 			printf("JIT compiler kallsyms exports are enabled for root\n");
265 			break;
266 		case -1:
267 			printf("Unable to retrieve JIT kallsyms export status\n");
268 			break;
269 		default:
270 			printf("JIT kallsyms exports status has unknown value %d\n", res);
271 		}
272 	}
273 }
274 
275 static void probe_jit_limit(void)
276 {
277 	int res;
278 
279 	/* No support for C-style ouptut */
280 
281 	res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
282 	if (json_output) {
283 		jsonw_int_field(json_wtr, "bpf_jit_limit", res);
284 	} else {
285 		switch (res) {
286 		case -1:
287 			printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
288 			break;
289 		default:
290 			printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
291 		}
292 	}
293 }
294 
295 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
296 					   char **value)
297 {
298 	char *sep;
299 
300 	while (gzgets(file, buf, n)) {
301 		if (strncmp(buf, "CONFIG_", 7))
302 			continue;
303 
304 		sep = strchr(buf, '=');
305 		if (!sep)
306 			continue;
307 
308 		/* Trim ending '\n' */
309 		buf[strlen(buf) - 1] = '\0';
310 
311 		/* Split on '=' and ensure that a value is present. */
312 		*sep = '\0';
313 		if (!sep[1])
314 			continue;
315 
316 		*value = sep + 1;
317 		return true;
318 	}
319 
320 	return false;
321 }
322 
323 static void probe_kernel_image_config(const char *define_prefix)
324 {
325 	static const struct {
326 		const char * const name;
327 		bool macro_dump;
328 	} options[] = {
329 		/* Enable BPF */
330 		{ "CONFIG_BPF", },
331 		/* Enable bpf() syscall */
332 		{ "CONFIG_BPF_SYSCALL", },
333 		/* Does selected architecture support eBPF JIT compiler */
334 		{ "CONFIG_HAVE_EBPF_JIT", },
335 		/* Compile eBPF JIT compiler */
336 		{ "CONFIG_BPF_JIT", },
337 		/* Avoid compiling eBPF interpreter (use JIT only) */
338 		{ "CONFIG_BPF_JIT_ALWAYS_ON", },
339 
340 		/* cgroups */
341 		{ "CONFIG_CGROUPS", },
342 		/* BPF programs attached to cgroups */
343 		{ "CONFIG_CGROUP_BPF", },
344 		/* bpf_get_cgroup_classid() helper */
345 		{ "CONFIG_CGROUP_NET_CLASSID", },
346 		/* bpf_skb_{,ancestor_}cgroup_id() helpers */
347 		{ "CONFIG_SOCK_CGROUP_DATA", },
348 
349 		/* Tracing: attach BPF to kprobes, tracepoints, etc. */
350 		{ "CONFIG_BPF_EVENTS", },
351 		/* Kprobes */
352 		{ "CONFIG_KPROBE_EVENTS", },
353 		/* Uprobes */
354 		{ "CONFIG_UPROBE_EVENTS", },
355 		/* Tracepoints */
356 		{ "CONFIG_TRACING", },
357 		/* Syscall tracepoints */
358 		{ "CONFIG_FTRACE_SYSCALLS", },
359 		/* bpf_override_return() helper support for selected arch */
360 		{ "CONFIG_FUNCTION_ERROR_INJECTION", },
361 		/* bpf_override_return() helper */
362 		{ "CONFIG_BPF_KPROBE_OVERRIDE", },
363 
364 		/* Network */
365 		{ "CONFIG_NET", },
366 		/* AF_XDP sockets */
367 		{ "CONFIG_XDP_SOCKETS", },
368 		/* BPF_PROG_TYPE_LWT_* and related helpers */
369 		{ "CONFIG_LWTUNNEL_BPF", },
370 		/* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
371 		{ "CONFIG_NET_ACT_BPF", },
372 		/* BPF_PROG_TYPE_SCHED_CLS, TC filters */
373 		{ "CONFIG_NET_CLS_BPF", },
374 		/* TC clsact qdisc */
375 		{ "CONFIG_NET_CLS_ACT", },
376 		/* Ingress filtering with TC */
377 		{ "CONFIG_NET_SCH_INGRESS", },
378 		/* bpf_skb_get_xfrm_state() helper */
379 		{ "CONFIG_XFRM", },
380 		/* bpf_get_route_realm() helper */
381 		{ "CONFIG_IP_ROUTE_CLASSID", },
382 		/* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
383 		{ "CONFIG_IPV6_SEG6_BPF", },
384 		/* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
385 		{ "CONFIG_BPF_LIRC_MODE2", },
386 		/* BPF stream parser and BPF socket maps */
387 		{ "CONFIG_BPF_STREAM_PARSER", },
388 		/* xt_bpf module for passing BPF programs to netfilter  */
389 		{ "CONFIG_NETFILTER_XT_MATCH_BPF", },
390 		/* bpfilter back-end for iptables */
391 		{ "CONFIG_BPFILTER", },
392 		/* bpftilter module with "user mode helper" */
393 		{ "CONFIG_BPFILTER_UMH", },
394 
395 		/* test_bpf module for BPF tests */
396 		{ "CONFIG_TEST_BPF", },
397 
398 		/* Misc configs useful in BPF C programs */
399 		/* jiffies <-> sec conversion for bpf_jiffies64() helper */
400 		{ "CONFIG_HZ", true, }
401 	};
402 	char *values[ARRAY_SIZE(options)] = { };
403 	struct utsname utsn;
404 	char path[PATH_MAX];
405 	gzFile file = NULL;
406 	char buf[4096];
407 	char *value;
408 	size_t i;
409 
410 	if (!uname(&utsn)) {
411 		snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
412 
413 		/* gzopen also accepts uncompressed files. */
414 		file = gzopen(path, "r");
415 	}
416 
417 	if (!file) {
418 		/* Some distributions build with CONFIG_IKCONFIG=y and put the
419 		 * config file at /proc/config.gz.
420 		 */
421 		file = gzopen("/proc/config.gz", "r");
422 	}
423 	if (!file) {
424 		p_info("skipping kernel config, can't open file: %s",
425 		       strerror(errno));
426 		goto end_parse;
427 	}
428 	/* Sanity checks */
429 	if (!gzgets(file, buf, sizeof(buf)) ||
430 	    !gzgets(file, buf, sizeof(buf))) {
431 		p_info("skipping kernel config, can't read from file: %s",
432 		       strerror(errno));
433 		goto end_parse;
434 	}
435 	if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
436 		p_info("skipping kernel config, can't find correct file");
437 		goto end_parse;
438 	}
439 
440 	while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
441 		for (i = 0; i < ARRAY_SIZE(options); i++) {
442 			if ((define_prefix && !options[i].macro_dump) ||
443 			    values[i] || strcmp(buf, options[i].name))
444 				continue;
445 
446 			values[i] = strdup(value);
447 		}
448 	}
449 
450 end_parse:
451 	if (file)
452 		gzclose(file);
453 
454 	for (i = 0; i < ARRAY_SIZE(options); i++) {
455 		if (define_prefix && !options[i].macro_dump)
456 			continue;
457 		print_kernel_option(options[i].name, values[i], define_prefix);
458 		free(values[i]);
459 	}
460 }
461 
462 static bool probe_bpf_syscall(const char *define_prefix)
463 {
464 	bool res;
465 
466 	bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
467 	res = (errno != ENOSYS);
468 
469 	print_bool_feature("have_bpf_syscall",
470 			   "bpf() syscall",
471 			   "BPF_SYSCALL",
472 			   res, define_prefix);
473 
474 	return res;
475 }
476 
477 static void
478 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
479 		const char *define_prefix, __u32 ifindex)
480 {
481 	char feat_name[128], plain_desc[128], define_name[128];
482 	const char *plain_comment = "eBPF program_type ";
483 	size_t maxlen;
484 	bool res;
485 
486 	if (ifindex)
487 		/* Only test offload-able program types */
488 		switch (prog_type) {
489 		case BPF_PROG_TYPE_SCHED_CLS:
490 		case BPF_PROG_TYPE_XDP:
491 			break;
492 		default:
493 			return;
494 		}
495 
496 	res = bpf_probe_prog_type(prog_type, ifindex);
497 #ifdef USE_LIBCAP
498 	/* Probe may succeed even if program load fails, for unprivileged users
499 	 * check that we did not fail because of insufficient permissions
500 	 */
501 	if (run_as_unprivileged && errno == EPERM)
502 		res = false;
503 #endif
504 
505 	supported_types[prog_type] |= res;
506 
507 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
508 	if (strlen(prog_type_name[prog_type]) > maxlen) {
509 		p_info("program type name too long");
510 		return;
511 	}
512 
513 	sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
514 	sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
515 	uppercase(define_name, sizeof(define_name));
516 	sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
517 	print_bool_feature(feat_name, plain_desc, define_name, res,
518 			   define_prefix);
519 }
520 
521 static void
522 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
523 	       __u32 ifindex)
524 {
525 	char feat_name[128], plain_desc[128], define_name[128];
526 	const char *plain_comment = "eBPF map_type ";
527 	size_t maxlen;
528 	bool res;
529 
530 	res = bpf_probe_map_type(map_type, ifindex);
531 
532 	/* Probe result depends on the success of map creation, no additional
533 	 * check required for unprivileged users
534 	 */
535 
536 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
537 	if (strlen(map_type_name[map_type]) > maxlen) {
538 		p_info("map type name too long");
539 		return;
540 	}
541 
542 	sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
543 	sprintf(define_name, "%s_map_type", map_type_name[map_type]);
544 	uppercase(define_name, sizeof(define_name));
545 	sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
546 	print_bool_feature(feat_name, plain_desc, define_name, res,
547 			   define_prefix);
548 }
549 
550 static void
551 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
552 			  const char *define_prefix, unsigned int id,
553 			  const char *ptype_name, __u32 ifindex)
554 {
555 	bool res = false;
556 
557 	if (supported_type) {
558 		res = bpf_probe_helper(id, prog_type, ifindex);
559 #ifdef USE_LIBCAP
560 		/* Probe may succeed even if program load fails, for
561 		 * unprivileged users check that we did not fail because of
562 		 * insufficient permissions
563 		 */
564 		if (run_as_unprivileged && errno == EPERM)
565 			res = false;
566 #endif
567 	}
568 
569 	if (json_output) {
570 		if (res)
571 			jsonw_string(json_wtr, helper_name[id]);
572 	} else if (define_prefix) {
573 		printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
574 		       define_prefix, ptype_name, helper_name[id],
575 		       res ? "1" : "0");
576 	} else {
577 		if (res)
578 			printf("\n\t- %s", helper_name[id]);
579 	}
580 }
581 
582 static void
583 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
584 			   const char *define_prefix, __u32 ifindex)
585 {
586 	const char *ptype_name = prog_type_name[prog_type];
587 	char feat_name[128];
588 	unsigned int id;
589 
590 	if (ifindex)
591 		/* Only test helpers for offload-able program types */
592 		switch (prog_type) {
593 		case BPF_PROG_TYPE_SCHED_CLS:
594 		case BPF_PROG_TYPE_XDP:
595 			break;
596 		default:
597 			return;
598 		}
599 
600 	if (json_output) {
601 		sprintf(feat_name, "%s_available_helpers", ptype_name);
602 		jsonw_name(json_wtr, feat_name);
603 		jsonw_start_array(json_wtr);
604 	} else if (!define_prefix) {
605 		printf("eBPF helpers supported for program type %s:",
606 		       ptype_name);
607 	}
608 
609 	for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
610 		/* Skip helper functions which emit dmesg messages when not in
611 		 * the full mode.
612 		 */
613 		switch (id) {
614 		case BPF_FUNC_trace_printk:
615 		case BPF_FUNC_probe_write_user:
616 			if (!full_mode)
617 				continue;
618 			/* fallthrough */
619 		default:
620 			probe_helper_for_progtype(prog_type, supported_type,
621 						  define_prefix, id, ptype_name,
622 						  ifindex);
623 		}
624 	}
625 
626 	if (json_output)
627 		jsonw_end_array(json_wtr);
628 	else if (!define_prefix)
629 		printf("\n");
630 }
631 
632 static void
633 probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
634 {
635 	bool res;
636 
637 	res = bpf_probe_large_insn_limit(ifindex);
638 	print_bool_feature("have_large_insn_limit",
639 			   "Large program size limit",
640 			   "LARGE_INSN_LIMIT",
641 			   res, define_prefix);
642 }
643 
644 static void
645 section_system_config(enum probe_component target, const char *define_prefix)
646 {
647 	switch (target) {
648 	case COMPONENT_KERNEL:
649 	case COMPONENT_UNSPEC:
650 		print_start_section("system_config",
651 				    "Scanning system configuration...",
652 				    "/*** Misc kernel config items ***/",
653 				    define_prefix);
654 		if (!define_prefix) {
655 			if (check_procfs()) {
656 				probe_unprivileged_disabled();
657 				probe_jit_enable();
658 				probe_jit_harden();
659 				probe_jit_kallsyms();
660 				probe_jit_limit();
661 			} else {
662 				p_info("/* procfs not mounted, skipping related probes */");
663 			}
664 		}
665 		probe_kernel_image_config(define_prefix);
666 		print_end_section();
667 		break;
668 	default:
669 		break;
670 	}
671 }
672 
673 static bool section_syscall_config(const char *define_prefix)
674 {
675 	bool res;
676 
677 	print_start_section("syscall_config",
678 			    "Scanning system call availability...",
679 			    "/*** System call availability ***/",
680 			    define_prefix);
681 	res = probe_bpf_syscall(define_prefix);
682 	print_end_section();
683 
684 	return res;
685 }
686 
687 static void
688 section_program_types(bool *supported_types, const char *define_prefix,
689 		      __u32 ifindex)
690 {
691 	unsigned int i;
692 
693 	print_start_section("program_types",
694 			    "Scanning eBPF program types...",
695 			    "/*** eBPF program types ***/",
696 			    define_prefix);
697 
698 	for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
699 		probe_prog_type(i, supported_types, define_prefix, ifindex);
700 
701 	print_end_section();
702 }
703 
704 static void section_map_types(const char *define_prefix, __u32 ifindex)
705 {
706 	unsigned int i;
707 
708 	print_start_section("map_types",
709 			    "Scanning eBPF map types...",
710 			    "/*** eBPF map types ***/",
711 			    define_prefix);
712 
713 	for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
714 		probe_map_type(i, define_prefix, ifindex);
715 
716 	print_end_section();
717 }
718 
719 static void
720 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
721 {
722 	unsigned int i;
723 
724 	print_start_section("helpers",
725 			    "Scanning eBPF helper functions...",
726 			    "/*** eBPF helper functions ***/",
727 			    define_prefix);
728 
729 	if (define_prefix)
730 		printf("/*\n"
731 		       " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
732 		       " * to determine if <helper_name> is available for <prog_type_name>,\n"
733 		       " * e.g.\n"
734 		       " *	#if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
735 		       " *		// do stuff with this helper\n"
736 		       " *	#elif\n"
737 		       " *		// use a workaround\n"
738 		       " *	#endif\n"
739 		       " */\n"
740 		       "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper)	\\\n"
741 		       "	%sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
742 		       define_prefix, define_prefix, define_prefix,
743 		       define_prefix);
744 	for (i = BPF_PROG_TYPE_UNSPEC + 1; i < ARRAY_SIZE(prog_type_name); i++)
745 		probe_helpers_for_progtype(i, supported_types[i], define_prefix,
746 					   ifindex);
747 
748 	print_end_section();
749 }
750 
751 static void section_misc(const char *define_prefix, __u32 ifindex)
752 {
753 	print_start_section("misc",
754 			    "Scanning miscellaneous eBPF features...",
755 			    "/*** eBPF misc features ***/",
756 			    define_prefix);
757 	probe_large_insn_limit(define_prefix, ifindex);
758 	print_end_section();
759 }
760 
761 #ifdef USE_LIBCAP
762 #define capability(c) { c, false, #c }
763 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
764 #endif
765 
766 static int handle_perms(void)
767 {
768 #ifdef USE_LIBCAP
769 	struct {
770 		cap_value_t cap;
771 		bool set;
772 		char name[14];	/* strlen("CAP_SYS_ADMIN") */
773 	} bpf_caps[] = {
774 		capability(CAP_SYS_ADMIN),
775 #ifdef CAP_BPF
776 		capability(CAP_BPF),
777 		capability(CAP_NET_ADMIN),
778 		capability(CAP_PERFMON),
779 #endif
780 	};
781 	cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
782 	unsigned int i, nb_bpf_caps = 0;
783 	bool cap_sys_admin_only = true;
784 	cap_flag_value_t val;
785 	int res = -1;
786 	cap_t caps;
787 
788 	caps = cap_get_proc();
789 	if (!caps) {
790 		p_err("failed to get capabilities for process: %s",
791 		      strerror(errno));
792 		return -1;
793 	}
794 
795 #ifdef CAP_BPF
796 	if (CAP_IS_SUPPORTED(CAP_BPF))
797 		cap_sys_admin_only = false;
798 #endif
799 
800 	for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
801 		const char *cap_name = bpf_caps[i].name;
802 		cap_value_t cap = bpf_caps[i].cap;
803 
804 		if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
805 			p_err("bug: failed to retrieve %s status: %s", cap_name,
806 			      strerror(errno));
807 			goto exit_free;
808 		}
809 
810 		if (val == CAP_SET) {
811 			bpf_caps[i].set = true;
812 			cap_list[nb_bpf_caps++] = cap;
813 		}
814 
815 		if (cap_sys_admin_only)
816 			/* System does not know about CAP_BPF, meaning that
817 			 * CAP_SYS_ADMIN is the only capability required. We
818 			 * just checked it, break.
819 			 */
820 			break;
821 	}
822 
823 	if ((run_as_unprivileged && !nb_bpf_caps) ||
824 	    (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
825 	    (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
826 		/* We are all good, exit now */
827 		res = 0;
828 		goto exit_free;
829 	}
830 
831 	if (!run_as_unprivileged) {
832 		if (cap_sys_admin_only)
833 			p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
834 			      bpf_caps[0].name);
835 		else
836 			p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
837 			      capability_msg(bpf_caps, 0),
838 			      capability_msg(bpf_caps, 1),
839 			      capability_msg(bpf_caps, 2),
840 			      capability_msg(bpf_caps, 3));
841 		goto exit_free;
842 	}
843 
844 	/* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
845 	if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
846 			 CAP_CLEAR)) {
847 		p_err("bug: failed to clear capabilities: %s", strerror(errno));
848 		goto exit_free;
849 	}
850 
851 	if (cap_set_proc(caps)) {
852 		p_err("failed to drop capabilities: %s", strerror(errno));
853 		goto exit_free;
854 	}
855 
856 	res = 0;
857 
858 exit_free:
859 	if (cap_free(caps) && !res) {
860 		p_err("failed to clear storage object for capabilities: %s",
861 		      strerror(errno));
862 		res = -1;
863 	}
864 
865 	return res;
866 #else
867 	/* Detection assumes user has specific privileges.
868 	 * We do not use libpcap so let's approximate, and restrict usage to
869 	 * root user only.
870 	 */
871 	if (geteuid()) {
872 		p_err("full feature probing requires root privileges");
873 		return -1;
874 	}
875 
876 	return 0;
877 #endif /* USE_LIBCAP */
878 }
879 
880 static int do_probe(int argc, char **argv)
881 {
882 	enum probe_component target = COMPONENT_UNSPEC;
883 	const char *define_prefix = NULL;
884 	bool supported_types[128] = {};
885 	__u32 ifindex = 0;
886 	char *ifname;
887 
888 	set_max_rlimit();
889 
890 	while (argc) {
891 		if (is_prefix(*argv, "kernel")) {
892 			if (target != COMPONENT_UNSPEC) {
893 				p_err("component to probe already specified");
894 				return -1;
895 			}
896 			target = COMPONENT_KERNEL;
897 			NEXT_ARG();
898 		} else if (is_prefix(*argv, "dev")) {
899 			NEXT_ARG();
900 
901 			if (target != COMPONENT_UNSPEC || ifindex) {
902 				p_err("component to probe already specified");
903 				return -1;
904 			}
905 			if (!REQ_ARGS(1))
906 				return -1;
907 
908 			target = COMPONENT_DEVICE;
909 			ifname = GET_ARG();
910 			ifindex = if_nametoindex(ifname);
911 			if (!ifindex) {
912 				p_err("unrecognized netdevice '%s': %s", ifname,
913 				      strerror(errno));
914 				return -1;
915 			}
916 		} else if (is_prefix(*argv, "full")) {
917 			full_mode = true;
918 			NEXT_ARG();
919 		} else if (is_prefix(*argv, "macros") && !define_prefix) {
920 			define_prefix = "";
921 			NEXT_ARG();
922 		} else if (is_prefix(*argv, "prefix")) {
923 			if (!define_prefix) {
924 				p_err("'prefix' argument can only be use after 'macros'");
925 				return -1;
926 			}
927 			if (strcmp(define_prefix, "")) {
928 				p_err("'prefix' already defined");
929 				return -1;
930 			}
931 			NEXT_ARG();
932 
933 			if (!REQ_ARGS(1))
934 				return -1;
935 			define_prefix = GET_ARG();
936 		} else if (is_prefix(*argv, "unprivileged")) {
937 #ifdef USE_LIBCAP
938 			run_as_unprivileged = true;
939 			NEXT_ARG();
940 #else
941 			p_err("unprivileged run not supported, recompile bpftool with libcap");
942 			return -1;
943 #endif
944 		} else {
945 			p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
946 			      *argv);
947 			return -1;
948 		}
949 	}
950 
951 	/* Full feature detection requires specific privileges.
952 	 * Let's approximate, and warn if user is not root.
953 	 */
954 	if (handle_perms())
955 		return -1;
956 
957 	if (json_output) {
958 		define_prefix = NULL;
959 		jsonw_start_object(json_wtr);
960 	}
961 
962 	section_system_config(target, define_prefix);
963 	if (!section_syscall_config(define_prefix))
964 		/* bpf() syscall unavailable, don't probe other BPF features */
965 		goto exit_close_json;
966 	section_program_types(supported_types, define_prefix, ifindex);
967 	section_map_types(define_prefix, ifindex);
968 	section_helpers(supported_types, define_prefix, ifindex);
969 	section_misc(define_prefix, ifindex);
970 
971 exit_close_json:
972 	if (json_output)
973 		/* End root object */
974 		jsonw_end_object(json_wtr);
975 
976 	return 0;
977 }
978 
979 static int do_help(int argc, char **argv)
980 {
981 	if (json_output) {
982 		jsonw_null(json_wtr);
983 		return 0;
984 	}
985 
986 	fprintf(stderr,
987 		"Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
988 		"       %1$s %2$s help\n"
989 		"\n"
990 		"       COMPONENT := { kernel | dev NAME }\n"
991 		"",
992 		bin_name, argv[-2]);
993 
994 	return 0;
995 }
996 
997 static const struct cmd cmds[] = {
998 	{ "probe",	do_probe },
999 	{ "help",	do_help },
1000 	{ 0 }
1001 };
1002 
1003 int do_feature(int argc, char **argv)
1004 {
1005 	return cmd_select(cmds, argc, argv, do_help);
1006 }
1007