xref: /openbmc/linux/tools/bpf/bpftool/feature.c (revision e2bd6bad)
1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /* Copyright (c) 2019 Netronome Systems, Inc. */
3 
4 #include <ctype.h>
5 #include <errno.h>
6 #include <string.h>
7 #include <unistd.h>
8 #include <net/if.h>
9 #ifdef USE_LIBCAP
10 #include <sys/capability.h>
11 #endif
12 #include <sys/utsname.h>
13 #include <sys/vfs.h>
14 
15 #include <linux/filter.h>
16 #include <linux/limits.h>
17 
18 #include <bpf/bpf.h>
19 #include <bpf/libbpf.h>
20 #include <zlib.h>
21 
22 #include "main.h"
23 
24 #ifndef PROC_SUPER_MAGIC
25 # define PROC_SUPER_MAGIC	0x9fa0
26 #endif
27 
28 enum probe_component {
29 	COMPONENT_UNSPEC,
30 	COMPONENT_KERNEL,
31 	COMPONENT_DEVICE,
32 };
33 
34 #define BPF_HELPER_MAKE_ENTRY(name)	[BPF_FUNC_ ## name] = "bpf_" # name
35 static const char * const helper_name[] = {
36 	__BPF_FUNC_MAPPER(BPF_HELPER_MAKE_ENTRY)
37 };
38 
39 #undef BPF_HELPER_MAKE_ENTRY
40 
41 static bool full_mode;
42 #ifdef USE_LIBCAP
43 static bool run_as_unprivileged;
44 #endif
45 
46 /* Miscellaneous utility functions */
47 
48 static bool check_procfs(void)
49 {
50 	struct statfs st_fs;
51 
52 	if (statfs("/proc", &st_fs) < 0)
53 		return false;
54 	if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
55 		return false;
56 
57 	return true;
58 }
59 
60 static void uppercase(char *str, size_t len)
61 {
62 	size_t i;
63 
64 	for (i = 0; i < len && str[i] != '\0'; i++)
65 		str[i] = toupper(str[i]);
66 }
67 
68 /* Printing utility functions */
69 
70 static void
71 print_bool_feature(const char *feat_name, const char *plain_name,
72 		   const char *define_name, bool res, const char *define_prefix)
73 {
74 	if (json_output)
75 		jsonw_bool_field(json_wtr, feat_name, res);
76 	else if (define_prefix)
77 		printf("#define %s%sHAVE_%s\n", define_prefix,
78 		       res ? "" : "NO_", define_name);
79 	else
80 		printf("%s is %savailable\n", plain_name, res ? "" : "NOT ");
81 }
82 
83 static void print_kernel_option(const char *name, const char *value,
84 				const char *define_prefix)
85 {
86 	char *endptr;
87 	int res;
88 
89 	if (json_output) {
90 		if (!value) {
91 			jsonw_null_field(json_wtr, name);
92 			return;
93 		}
94 		errno = 0;
95 		res = strtol(value, &endptr, 0);
96 		if (!errno && *endptr == '\n')
97 			jsonw_int_field(json_wtr, name, res);
98 		else
99 			jsonw_string_field(json_wtr, name, value);
100 	} else if (define_prefix) {
101 		if (value)
102 			printf("#define %s%s %s\n", define_prefix,
103 			       name, value);
104 		else
105 			printf("/* %s%s is not set */\n", define_prefix, name);
106 	} else {
107 		if (value)
108 			printf("%s is set to %s\n", name, value);
109 		else
110 			printf("%s is not set\n", name);
111 	}
112 }
113 
114 static void
115 print_start_section(const char *json_title, const char *plain_title,
116 		    const char *define_comment, const char *define_prefix)
117 {
118 	if (json_output) {
119 		jsonw_name(json_wtr, json_title);
120 		jsonw_start_object(json_wtr);
121 	} else if (define_prefix) {
122 		printf("%s\n", define_comment);
123 	} else {
124 		printf("%s\n", plain_title);
125 	}
126 }
127 
128 static void print_end_section(void)
129 {
130 	if (json_output)
131 		jsonw_end_object(json_wtr);
132 	else
133 		printf("\n");
134 }
135 
136 /* Probing functions */
137 
138 static int read_procfs(const char *path)
139 {
140 	char *endptr, *line = NULL;
141 	size_t len = 0;
142 	FILE *fd;
143 	int res;
144 
145 	fd = fopen(path, "r");
146 	if (!fd)
147 		return -1;
148 
149 	res = getline(&line, &len, fd);
150 	fclose(fd);
151 	if (res < 0)
152 		return -1;
153 
154 	errno = 0;
155 	res = strtol(line, &endptr, 10);
156 	if (errno || *line == '\0' || *endptr != '\n')
157 		res = -1;
158 	free(line);
159 
160 	return res;
161 }
162 
163 static void probe_unprivileged_disabled(void)
164 {
165 	int res;
166 
167 	/* No support for C-style ouptut */
168 
169 	res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
170 	if (json_output) {
171 		jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
172 	} else {
173 		switch (res) {
174 		case 0:
175 			printf("bpf() syscall for unprivileged users is enabled\n");
176 			break;
177 		case 1:
178 			printf("bpf() syscall restricted to privileged users\n");
179 			break;
180 		case -1:
181 			printf("Unable to retrieve required privileges for bpf() syscall\n");
182 			break;
183 		default:
184 			printf("bpf() syscall restriction has unknown value %d\n", res);
185 		}
186 	}
187 }
188 
189 static void probe_jit_enable(void)
190 {
191 	int res;
192 
193 	/* No support for C-style ouptut */
194 
195 	res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
196 	if (json_output) {
197 		jsonw_int_field(json_wtr, "bpf_jit_enable", res);
198 	} else {
199 		switch (res) {
200 		case 0:
201 			printf("JIT compiler is disabled\n");
202 			break;
203 		case 1:
204 			printf("JIT compiler is enabled\n");
205 			break;
206 		case 2:
207 			printf("JIT compiler is enabled with debugging traces in kernel logs\n");
208 			break;
209 		case -1:
210 			printf("Unable to retrieve JIT-compiler status\n");
211 			break;
212 		default:
213 			printf("JIT-compiler status has unknown value %d\n",
214 			       res);
215 		}
216 	}
217 }
218 
219 static void probe_jit_harden(void)
220 {
221 	int res;
222 
223 	/* No support for C-style ouptut */
224 
225 	res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
226 	if (json_output) {
227 		jsonw_int_field(json_wtr, "bpf_jit_harden", res);
228 	} else {
229 		switch (res) {
230 		case 0:
231 			printf("JIT compiler hardening is disabled\n");
232 			break;
233 		case 1:
234 			printf("JIT compiler hardening is enabled for unprivileged users\n");
235 			break;
236 		case 2:
237 			printf("JIT compiler hardening is enabled for all users\n");
238 			break;
239 		case -1:
240 			printf("Unable to retrieve JIT hardening status\n");
241 			break;
242 		default:
243 			printf("JIT hardening status has unknown value %d\n",
244 			       res);
245 		}
246 	}
247 }
248 
249 static void probe_jit_kallsyms(void)
250 {
251 	int res;
252 
253 	/* No support for C-style ouptut */
254 
255 	res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
256 	if (json_output) {
257 		jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
258 	} else {
259 		switch (res) {
260 		case 0:
261 			printf("JIT compiler kallsyms exports are disabled\n");
262 			break;
263 		case 1:
264 			printf("JIT compiler kallsyms exports are enabled for root\n");
265 			break;
266 		case -1:
267 			printf("Unable to retrieve JIT kallsyms export status\n");
268 			break;
269 		default:
270 			printf("JIT kallsyms exports status has unknown value %d\n", res);
271 		}
272 	}
273 }
274 
275 static void probe_jit_limit(void)
276 {
277 	int res;
278 
279 	/* No support for C-style ouptut */
280 
281 	res = read_procfs("/proc/sys/net/core/bpf_jit_limit");
282 	if (json_output) {
283 		jsonw_int_field(json_wtr, "bpf_jit_limit", res);
284 	} else {
285 		switch (res) {
286 		case -1:
287 			printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n");
288 			break;
289 		default:
290 			printf("Global memory limit for JIT compiler for unprivileged users is %d bytes\n", res);
291 		}
292 	}
293 }
294 
295 static bool read_next_kernel_config_option(gzFile file, char *buf, size_t n,
296 					   char **value)
297 {
298 	char *sep;
299 
300 	while (gzgets(file, buf, n)) {
301 		if (strncmp(buf, "CONFIG_", 7))
302 			continue;
303 
304 		sep = strchr(buf, '=');
305 		if (!sep)
306 			continue;
307 
308 		/* Trim ending '\n' */
309 		buf[strlen(buf) - 1] = '\0';
310 
311 		/* Split on '=' and ensure that a value is present. */
312 		*sep = '\0';
313 		if (!sep[1])
314 			continue;
315 
316 		*value = sep + 1;
317 		return true;
318 	}
319 
320 	return false;
321 }
322 
323 static void probe_kernel_image_config(const char *define_prefix)
324 {
325 	static const struct {
326 		const char * const name;
327 		bool macro_dump;
328 	} options[] = {
329 		/* Enable BPF */
330 		{ "CONFIG_BPF", },
331 		/* Enable bpf() syscall */
332 		{ "CONFIG_BPF_SYSCALL", },
333 		/* Does selected architecture support eBPF JIT compiler */
334 		{ "CONFIG_HAVE_EBPF_JIT", },
335 		/* Compile eBPF JIT compiler */
336 		{ "CONFIG_BPF_JIT", },
337 		/* Avoid compiling eBPF interpreter (use JIT only) */
338 		{ "CONFIG_BPF_JIT_ALWAYS_ON", },
339 		/* Kernel BTF debug information available */
340 		{ "CONFIG_DEBUG_INFO_BTF", },
341 		/* Kernel module BTF debug information available */
342 		{ "CONFIG_DEBUG_INFO_BTF_MODULES", },
343 
344 		/* cgroups */
345 		{ "CONFIG_CGROUPS", },
346 		/* BPF programs attached to cgroups */
347 		{ "CONFIG_CGROUP_BPF", },
348 		/* bpf_get_cgroup_classid() helper */
349 		{ "CONFIG_CGROUP_NET_CLASSID", },
350 		/* bpf_skb_{,ancestor_}cgroup_id() helpers */
351 		{ "CONFIG_SOCK_CGROUP_DATA", },
352 
353 		/* Tracing: attach BPF to kprobes, tracepoints, etc. */
354 		{ "CONFIG_BPF_EVENTS", },
355 		/* Kprobes */
356 		{ "CONFIG_KPROBE_EVENTS", },
357 		/* Uprobes */
358 		{ "CONFIG_UPROBE_EVENTS", },
359 		/* Tracepoints */
360 		{ "CONFIG_TRACING", },
361 		/* Syscall tracepoints */
362 		{ "CONFIG_FTRACE_SYSCALLS", },
363 		/* bpf_override_return() helper support for selected arch */
364 		{ "CONFIG_FUNCTION_ERROR_INJECTION", },
365 		/* bpf_override_return() helper */
366 		{ "CONFIG_BPF_KPROBE_OVERRIDE", },
367 
368 		/* Network */
369 		{ "CONFIG_NET", },
370 		/* AF_XDP sockets */
371 		{ "CONFIG_XDP_SOCKETS", },
372 		/* BPF_PROG_TYPE_LWT_* and related helpers */
373 		{ "CONFIG_LWTUNNEL_BPF", },
374 		/* BPF_PROG_TYPE_SCHED_ACT, TC (traffic control) actions */
375 		{ "CONFIG_NET_ACT_BPF", },
376 		/* BPF_PROG_TYPE_SCHED_CLS, TC filters */
377 		{ "CONFIG_NET_CLS_BPF", },
378 		/* TC clsact qdisc */
379 		{ "CONFIG_NET_CLS_ACT", },
380 		/* Ingress filtering with TC */
381 		{ "CONFIG_NET_SCH_INGRESS", },
382 		/* bpf_skb_get_xfrm_state() helper */
383 		{ "CONFIG_XFRM", },
384 		/* bpf_get_route_realm() helper */
385 		{ "CONFIG_IP_ROUTE_CLASSID", },
386 		/* BPF_PROG_TYPE_LWT_SEG6_LOCAL and related helpers */
387 		{ "CONFIG_IPV6_SEG6_BPF", },
388 		/* BPF_PROG_TYPE_LIRC_MODE2 and related helpers */
389 		{ "CONFIG_BPF_LIRC_MODE2", },
390 		/* BPF stream parser and BPF socket maps */
391 		{ "CONFIG_BPF_STREAM_PARSER", },
392 		/* xt_bpf module for passing BPF programs to netfilter  */
393 		{ "CONFIG_NETFILTER_XT_MATCH_BPF", },
394 		/* bpfilter back-end for iptables */
395 		{ "CONFIG_BPFILTER", },
396 		/* bpftilter module with "user mode helper" */
397 		{ "CONFIG_BPFILTER_UMH", },
398 
399 		/* test_bpf module for BPF tests */
400 		{ "CONFIG_TEST_BPF", },
401 
402 		/* Misc configs useful in BPF C programs */
403 		/* jiffies <-> sec conversion for bpf_jiffies64() helper */
404 		{ "CONFIG_HZ", true, }
405 	};
406 	char *values[ARRAY_SIZE(options)] = { };
407 	struct utsname utsn;
408 	char path[PATH_MAX];
409 	gzFile file = NULL;
410 	char buf[4096];
411 	char *value;
412 	size_t i;
413 
414 	if (!uname(&utsn)) {
415 		snprintf(path, sizeof(path), "/boot/config-%s", utsn.release);
416 
417 		/* gzopen also accepts uncompressed files. */
418 		file = gzopen(path, "r");
419 	}
420 
421 	if (!file) {
422 		/* Some distributions build with CONFIG_IKCONFIG=y and put the
423 		 * config file at /proc/config.gz.
424 		 */
425 		file = gzopen("/proc/config.gz", "r");
426 	}
427 	if (!file) {
428 		p_info("skipping kernel config, can't open file: %s",
429 		       strerror(errno));
430 		goto end_parse;
431 	}
432 	/* Sanity checks */
433 	if (!gzgets(file, buf, sizeof(buf)) ||
434 	    !gzgets(file, buf, sizeof(buf))) {
435 		p_info("skipping kernel config, can't read from file: %s",
436 		       strerror(errno));
437 		goto end_parse;
438 	}
439 	if (strcmp(buf, "# Automatically generated file; DO NOT EDIT.\n")) {
440 		p_info("skipping kernel config, can't find correct file");
441 		goto end_parse;
442 	}
443 
444 	while (read_next_kernel_config_option(file, buf, sizeof(buf), &value)) {
445 		for (i = 0; i < ARRAY_SIZE(options); i++) {
446 			if ((define_prefix && !options[i].macro_dump) ||
447 			    values[i] || strcmp(buf, options[i].name))
448 				continue;
449 
450 			values[i] = strdup(value);
451 		}
452 	}
453 
454 end_parse:
455 	if (file)
456 		gzclose(file);
457 
458 	for (i = 0; i < ARRAY_SIZE(options); i++) {
459 		if (define_prefix && !options[i].macro_dump)
460 			continue;
461 		print_kernel_option(options[i].name, values[i], define_prefix);
462 		free(values[i]);
463 	}
464 }
465 
466 static bool probe_bpf_syscall(const char *define_prefix)
467 {
468 	bool res;
469 
470 	bpf_load_program(BPF_PROG_TYPE_UNSPEC, NULL, 0, NULL, 0, NULL, 0);
471 	res = (errno != ENOSYS);
472 
473 	print_bool_feature("have_bpf_syscall",
474 			   "bpf() syscall",
475 			   "BPF_SYSCALL",
476 			   res, define_prefix);
477 
478 	return res;
479 }
480 
481 static void
482 probe_prog_type(enum bpf_prog_type prog_type, bool *supported_types,
483 		const char *define_prefix, __u32 ifindex)
484 {
485 	char feat_name[128], plain_desc[128], define_name[128];
486 	const char *plain_comment = "eBPF program_type ";
487 	size_t maxlen;
488 	bool res;
489 
490 	if (ifindex)
491 		/* Only test offload-able program types */
492 		switch (prog_type) {
493 		case BPF_PROG_TYPE_SCHED_CLS:
494 		case BPF_PROG_TYPE_XDP:
495 			break;
496 		default:
497 			return;
498 		}
499 
500 	res = bpf_probe_prog_type(prog_type, ifindex);
501 #ifdef USE_LIBCAP
502 	/* Probe may succeed even if program load fails, for unprivileged users
503 	 * check that we did not fail because of insufficient permissions
504 	 */
505 	if (run_as_unprivileged && errno == EPERM)
506 		res = false;
507 #endif
508 
509 	supported_types[prog_type] |= res;
510 
511 	if (!prog_type_name[prog_type]) {
512 		p_info("program type name not found (type %d)", prog_type);
513 		return;
514 	}
515 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
516 	if (strlen(prog_type_name[prog_type]) > maxlen) {
517 		p_info("program type name too long");
518 		return;
519 	}
520 
521 	sprintf(feat_name, "have_%s_prog_type", prog_type_name[prog_type]);
522 	sprintf(define_name, "%s_prog_type", prog_type_name[prog_type]);
523 	uppercase(define_name, sizeof(define_name));
524 	sprintf(plain_desc, "%s%s", plain_comment, prog_type_name[prog_type]);
525 	print_bool_feature(feat_name, plain_desc, define_name, res,
526 			   define_prefix);
527 }
528 
529 static void
530 probe_map_type(enum bpf_map_type map_type, const char *define_prefix,
531 	       __u32 ifindex)
532 {
533 	char feat_name[128], plain_desc[128], define_name[128];
534 	const char *plain_comment = "eBPF map_type ";
535 	size_t maxlen;
536 	bool res;
537 
538 	res = bpf_probe_map_type(map_type, ifindex);
539 
540 	/* Probe result depends on the success of map creation, no additional
541 	 * check required for unprivileged users
542 	 */
543 
544 	if (!map_type_name[map_type]) {
545 		p_info("map type name not found (type %d)", map_type);
546 		return;
547 	}
548 	maxlen = sizeof(plain_desc) - strlen(plain_comment) - 1;
549 	if (strlen(map_type_name[map_type]) > maxlen) {
550 		p_info("map type name too long");
551 		return;
552 	}
553 
554 	sprintf(feat_name, "have_%s_map_type", map_type_name[map_type]);
555 	sprintf(define_name, "%s_map_type", map_type_name[map_type]);
556 	uppercase(define_name, sizeof(define_name));
557 	sprintf(plain_desc, "%s%s", plain_comment, map_type_name[map_type]);
558 	print_bool_feature(feat_name, plain_desc, define_name, res,
559 			   define_prefix);
560 }
561 
562 static void
563 probe_helper_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
564 			  const char *define_prefix, unsigned int id,
565 			  const char *ptype_name, __u32 ifindex)
566 {
567 	bool res = false;
568 
569 	if (supported_type) {
570 		res = bpf_probe_helper(id, prog_type, ifindex);
571 #ifdef USE_LIBCAP
572 		/* Probe may succeed even if program load fails, for
573 		 * unprivileged users check that we did not fail because of
574 		 * insufficient permissions
575 		 */
576 		if (run_as_unprivileged && errno == EPERM)
577 			res = false;
578 #endif
579 	}
580 
581 	if (json_output) {
582 		if (res)
583 			jsonw_string(json_wtr, helper_name[id]);
584 	} else if (define_prefix) {
585 		printf("#define %sBPF__PROG_TYPE_%s__HELPER_%s %s\n",
586 		       define_prefix, ptype_name, helper_name[id],
587 		       res ? "1" : "0");
588 	} else {
589 		if (res)
590 			printf("\n\t- %s", helper_name[id]);
591 	}
592 }
593 
594 static void
595 probe_helpers_for_progtype(enum bpf_prog_type prog_type, bool supported_type,
596 			   const char *define_prefix, __u32 ifindex)
597 {
598 	const char *ptype_name = prog_type_name[prog_type];
599 	char feat_name[128];
600 	unsigned int id;
601 
602 	if (ifindex)
603 		/* Only test helpers for offload-able program types */
604 		switch (prog_type) {
605 		case BPF_PROG_TYPE_SCHED_CLS:
606 		case BPF_PROG_TYPE_XDP:
607 			break;
608 		default:
609 			return;
610 		}
611 
612 	if (json_output) {
613 		sprintf(feat_name, "%s_available_helpers", ptype_name);
614 		jsonw_name(json_wtr, feat_name);
615 		jsonw_start_array(json_wtr);
616 	} else if (!define_prefix) {
617 		printf("eBPF helpers supported for program type %s:",
618 		       ptype_name);
619 	}
620 
621 	for (id = 1; id < ARRAY_SIZE(helper_name); id++) {
622 		/* Skip helper functions which emit dmesg messages when not in
623 		 * the full mode.
624 		 */
625 		switch (id) {
626 		case BPF_FUNC_trace_printk:
627 		case BPF_FUNC_probe_write_user:
628 			if (!full_mode)
629 				continue;
630 			/* fallthrough */
631 		default:
632 			probe_helper_for_progtype(prog_type, supported_type,
633 						  define_prefix, id, ptype_name,
634 						  ifindex);
635 		}
636 	}
637 
638 	if (json_output)
639 		jsonw_end_array(json_wtr);
640 	else if (!define_prefix)
641 		printf("\n");
642 }
643 
644 static void
645 probe_large_insn_limit(const char *define_prefix, __u32 ifindex)
646 {
647 	bool res;
648 
649 	res = bpf_probe_large_insn_limit(ifindex);
650 	print_bool_feature("have_large_insn_limit",
651 			   "Large program size limit",
652 			   "LARGE_INSN_LIMIT",
653 			   res, define_prefix);
654 }
655 
656 static void
657 section_system_config(enum probe_component target, const char *define_prefix)
658 {
659 	switch (target) {
660 	case COMPONENT_KERNEL:
661 	case COMPONENT_UNSPEC:
662 		print_start_section("system_config",
663 				    "Scanning system configuration...",
664 				    "/*** Misc kernel config items ***/",
665 				    define_prefix);
666 		if (!define_prefix) {
667 			if (check_procfs()) {
668 				probe_unprivileged_disabled();
669 				probe_jit_enable();
670 				probe_jit_harden();
671 				probe_jit_kallsyms();
672 				probe_jit_limit();
673 			} else {
674 				p_info("/* procfs not mounted, skipping related probes */");
675 			}
676 		}
677 		probe_kernel_image_config(define_prefix);
678 		print_end_section();
679 		break;
680 	default:
681 		break;
682 	}
683 }
684 
685 static bool section_syscall_config(const char *define_prefix)
686 {
687 	bool res;
688 
689 	print_start_section("syscall_config",
690 			    "Scanning system call availability...",
691 			    "/*** System call availability ***/",
692 			    define_prefix);
693 	res = probe_bpf_syscall(define_prefix);
694 	print_end_section();
695 
696 	return res;
697 }
698 
699 static void
700 section_program_types(bool *supported_types, const char *define_prefix,
701 		      __u32 ifindex)
702 {
703 	unsigned int i;
704 
705 	print_start_section("program_types",
706 			    "Scanning eBPF program types...",
707 			    "/*** eBPF program types ***/",
708 			    define_prefix);
709 
710 	for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
711 		probe_prog_type(i, supported_types, define_prefix, ifindex);
712 
713 	print_end_section();
714 }
715 
716 static void section_map_types(const char *define_prefix, __u32 ifindex)
717 {
718 	unsigned int i;
719 
720 	print_start_section("map_types",
721 			    "Scanning eBPF map types...",
722 			    "/*** eBPF map types ***/",
723 			    define_prefix);
724 
725 	for (i = BPF_MAP_TYPE_UNSPEC + 1; i < map_type_name_size; i++)
726 		probe_map_type(i, define_prefix, ifindex);
727 
728 	print_end_section();
729 }
730 
731 static void
732 section_helpers(bool *supported_types, const char *define_prefix, __u32 ifindex)
733 {
734 	unsigned int i;
735 
736 	print_start_section("helpers",
737 			    "Scanning eBPF helper functions...",
738 			    "/*** eBPF helper functions ***/",
739 			    define_prefix);
740 
741 	if (define_prefix)
742 		printf("/*\n"
743 		       " * Use %sHAVE_PROG_TYPE_HELPER(prog_type_name, helper_name)\n"
744 		       " * to determine if <helper_name> is available for <prog_type_name>,\n"
745 		       " * e.g.\n"
746 		       " *	#if %sHAVE_PROG_TYPE_HELPER(xdp, bpf_redirect)\n"
747 		       " *		// do stuff with this helper\n"
748 		       " *	#elif\n"
749 		       " *		// use a workaround\n"
750 		       " *	#endif\n"
751 		       " */\n"
752 		       "#define %sHAVE_PROG_TYPE_HELPER(prog_type, helper)	\\\n"
753 		       "	%sBPF__PROG_TYPE_ ## prog_type ## __HELPER_ ## helper\n",
754 		       define_prefix, define_prefix, define_prefix,
755 		       define_prefix);
756 	for (i = BPF_PROG_TYPE_UNSPEC + 1; i < prog_type_name_size; i++)
757 		probe_helpers_for_progtype(i, supported_types[i], define_prefix,
758 					   ifindex);
759 
760 	print_end_section();
761 }
762 
763 static void section_misc(const char *define_prefix, __u32 ifindex)
764 {
765 	print_start_section("misc",
766 			    "Scanning miscellaneous eBPF features...",
767 			    "/*** eBPF misc features ***/",
768 			    define_prefix);
769 	probe_large_insn_limit(define_prefix, ifindex);
770 	print_end_section();
771 }
772 
773 #ifdef USE_LIBCAP
774 #define capability(c) { c, false, #c }
775 #define capability_msg(a, i) a[i].set ? "" : a[i].name, a[i].set ? "" : ", "
776 #endif
777 
778 static int handle_perms(void)
779 {
780 #ifdef USE_LIBCAP
781 	struct {
782 		cap_value_t cap;
783 		bool set;
784 		char name[14];	/* strlen("CAP_SYS_ADMIN") */
785 	} bpf_caps[] = {
786 		capability(CAP_SYS_ADMIN),
787 #ifdef CAP_BPF
788 		capability(CAP_BPF),
789 		capability(CAP_NET_ADMIN),
790 		capability(CAP_PERFMON),
791 #endif
792 	};
793 	cap_value_t cap_list[ARRAY_SIZE(bpf_caps)];
794 	unsigned int i, nb_bpf_caps = 0;
795 	bool cap_sys_admin_only = true;
796 	cap_flag_value_t val;
797 	int res = -1;
798 	cap_t caps;
799 
800 	caps = cap_get_proc();
801 	if (!caps) {
802 		p_err("failed to get capabilities for process: %s",
803 		      strerror(errno));
804 		return -1;
805 	}
806 
807 #ifdef CAP_BPF
808 	if (CAP_IS_SUPPORTED(CAP_BPF))
809 		cap_sys_admin_only = false;
810 #endif
811 
812 	for (i = 0; i < ARRAY_SIZE(bpf_caps); i++) {
813 		const char *cap_name = bpf_caps[i].name;
814 		cap_value_t cap = bpf_caps[i].cap;
815 
816 		if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &val)) {
817 			p_err("bug: failed to retrieve %s status: %s", cap_name,
818 			      strerror(errno));
819 			goto exit_free;
820 		}
821 
822 		if (val == CAP_SET) {
823 			bpf_caps[i].set = true;
824 			cap_list[nb_bpf_caps++] = cap;
825 		}
826 
827 		if (cap_sys_admin_only)
828 			/* System does not know about CAP_BPF, meaning that
829 			 * CAP_SYS_ADMIN is the only capability required. We
830 			 * just checked it, break.
831 			 */
832 			break;
833 	}
834 
835 	if ((run_as_unprivileged && !nb_bpf_caps) ||
836 	    (!run_as_unprivileged && nb_bpf_caps == ARRAY_SIZE(bpf_caps)) ||
837 	    (!run_as_unprivileged && cap_sys_admin_only && nb_bpf_caps)) {
838 		/* We are all good, exit now */
839 		res = 0;
840 		goto exit_free;
841 	}
842 
843 	if (!run_as_unprivileged) {
844 		if (cap_sys_admin_only)
845 			p_err("missing %s, required for full feature probing; run as root or use 'unprivileged'",
846 			      bpf_caps[0].name);
847 		else
848 			p_err("missing %s%s%s%s%s%s%s%srequired for full feature probing; run as root or use 'unprivileged'",
849 			      capability_msg(bpf_caps, 0),
850 #ifdef CAP_BPF
851 			      capability_msg(bpf_caps, 1),
852 			      capability_msg(bpf_caps, 2),
853 			      capability_msg(bpf_caps, 3)
854 #else
855 				"", "", "", "", "", ""
856 #endif /* CAP_BPF */
857 				);
858 		goto exit_free;
859 	}
860 
861 	/* if (run_as_unprivileged && nb_bpf_caps > 0), drop capabilities. */
862 	if (cap_set_flag(caps, CAP_EFFECTIVE, nb_bpf_caps, cap_list,
863 			 CAP_CLEAR)) {
864 		p_err("bug: failed to clear capabilities: %s", strerror(errno));
865 		goto exit_free;
866 	}
867 
868 	if (cap_set_proc(caps)) {
869 		p_err("failed to drop capabilities: %s", strerror(errno));
870 		goto exit_free;
871 	}
872 
873 	res = 0;
874 
875 exit_free:
876 	if (cap_free(caps) && !res) {
877 		p_err("failed to clear storage object for capabilities: %s",
878 		      strerror(errno));
879 		res = -1;
880 	}
881 
882 	return res;
883 #else
884 	/* Detection assumes user has specific privileges.
885 	 * We do not use libpcap so let's approximate, and restrict usage to
886 	 * root user only.
887 	 */
888 	if (geteuid()) {
889 		p_err("full feature probing requires root privileges");
890 		return -1;
891 	}
892 
893 	return 0;
894 #endif /* USE_LIBCAP */
895 }
896 
897 static int do_probe(int argc, char **argv)
898 {
899 	enum probe_component target = COMPONENT_UNSPEC;
900 	const char *define_prefix = NULL;
901 	bool supported_types[128] = {};
902 	__u32 ifindex = 0;
903 	char *ifname;
904 
905 	set_max_rlimit();
906 
907 	while (argc) {
908 		if (is_prefix(*argv, "kernel")) {
909 			if (target != COMPONENT_UNSPEC) {
910 				p_err("component to probe already specified");
911 				return -1;
912 			}
913 			target = COMPONENT_KERNEL;
914 			NEXT_ARG();
915 		} else if (is_prefix(*argv, "dev")) {
916 			NEXT_ARG();
917 
918 			if (target != COMPONENT_UNSPEC || ifindex) {
919 				p_err("component to probe already specified");
920 				return -1;
921 			}
922 			if (!REQ_ARGS(1))
923 				return -1;
924 
925 			target = COMPONENT_DEVICE;
926 			ifname = GET_ARG();
927 			ifindex = if_nametoindex(ifname);
928 			if (!ifindex) {
929 				p_err("unrecognized netdevice '%s': %s", ifname,
930 				      strerror(errno));
931 				return -1;
932 			}
933 		} else if (is_prefix(*argv, "full")) {
934 			full_mode = true;
935 			NEXT_ARG();
936 		} else if (is_prefix(*argv, "macros") && !define_prefix) {
937 			define_prefix = "";
938 			NEXT_ARG();
939 		} else if (is_prefix(*argv, "prefix")) {
940 			if (!define_prefix) {
941 				p_err("'prefix' argument can only be use after 'macros'");
942 				return -1;
943 			}
944 			if (strcmp(define_prefix, "")) {
945 				p_err("'prefix' already defined");
946 				return -1;
947 			}
948 			NEXT_ARG();
949 
950 			if (!REQ_ARGS(1))
951 				return -1;
952 			define_prefix = GET_ARG();
953 		} else if (is_prefix(*argv, "unprivileged")) {
954 #ifdef USE_LIBCAP
955 			run_as_unprivileged = true;
956 			NEXT_ARG();
957 #else
958 			p_err("unprivileged run not supported, recompile bpftool with libcap");
959 			return -1;
960 #endif
961 		} else {
962 			p_err("expected no more arguments, 'kernel', 'dev', 'macros' or 'prefix', got: '%s'?",
963 			      *argv);
964 			return -1;
965 		}
966 	}
967 
968 	/* Full feature detection requires specific privileges.
969 	 * Let's approximate, and warn if user is not root.
970 	 */
971 	if (handle_perms())
972 		return -1;
973 
974 	if (json_output) {
975 		define_prefix = NULL;
976 		jsonw_start_object(json_wtr);
977 	}
978 
979 	section_system_config(target, define_prefix);
980 	if (!section_syscall_config(define_prefix))
981 		/* bpf() syscall unavailable, don't probe other BPF features */
982 		goto exit_close_json;
983 	section_program_types(supported_types, define_prefix, ifindex);
984 	section_map_types(define_prefix, ifindex);
985 	section_helpers(supported_types, define_prefix, ifindex);
986 	section_misc(define_prefix, ifindex);
987 
988 exit_close_json:
989 	if (json_output)
990 		/* End root object */
991 		jsonw_end_object(json_wtr);
992 
993 	return 0;
994 }
995 
996 static int do_help(int argc, char **argv)
997 {
998 	if (json_output) {
999 		jsonw_null(json_wtr);
1000 		return 0;
1001 	}
1002 
1003 	fprintf(stderr,
1004 		"Usage: %1$s %2$s probe [COMPONENT] [full] [unprivileged] [macros [prefix PREFIX]]\n"
1005 		"       %1$s %2$s help\n"
1006 		"\n"
1007 		"       COMPONENT := { kernel | dev NAME }\n"
1008 		"",
1009 		bin_name, argv[-2]);
1010 
1011 	return 0;
1012 }
1013 
1014 static const struct cmd cmds[] = {
1015 	{ "probe",	do_probe },
1016 	{ "help",	do_help },
1017 	{ 0 }
1018 };
1019 
1020 int do_feature(int argc, char **argv)
1021 {
1022 	return cmd_select(cmds, argc, argv, do_help);
1023 }
1024