`scap-open` is a small executable that helps to understand if drivers work correctly.

Right now there are 4 scap sources:

- KERNEL_MODULE
- BPF_PROBE
- MODERN_BPF_PROBE
- SCAP_FILE

You can enable them with the following options:

- `--kmod`: enable the kernel module.
- `--bpf <probe_path>`: enable the BPF probe.
- `--modern_bpf`: enable the modern BPF probe.
- `--scap_file <file.scap>`: read events from a scap file.

For each scap source you can set additional configurations:

- `--tp <tp_code>`: enable only the requested tracepoint. Can be passed multiple times. (default: all enabled)
- `--ppm_sc <ppm_sc_code>`: enable only the requested syscall (this is our internal ppm syscall code, not the system syscall number). Can be passed multiple times. (default: all enabled)
- `--num_events <num_events>`: number of events to catch before terminating. (default: UINT64_MAX)
- `--evt_type <event_type>`: every event of this type will be printed to the console. (default: -1, no print)

Print some information like the supported syscalls or the help menu:

- `--print_syscalls`: print all supported syscalls with the different sources and configurations.
- `--help`: print this menu.
From the repository root (`/libs`) type:

```bash
mkdir build && cd build
cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_LIBSCAP_GVISOR=OFF -DCREATE_TEST_TARGETS=OFF ..
make scap-open
```

Optional CMake options:

- `-DBUILD_BPF=ON`: if you want to test the BPF probe.
- `-DBUILD_LIBSCAP_MODERN_BPF=ON`: if you want to test the modern BPF probe.
- `-DMODERN_BPF_DEBUG_MODE=ON`: if you want to test the modern BPF probe in debug mode (if you use it you also need the previous one, `-DBUILD_LIBSCAP_MODERN_BPF=ON`).

You also have to build the driver that you want to use:

- Kernel module:

  ```bash
  make driver
  ```

- BPF probe:

  ```bash
  make bpf
  ```

- Modern BPF probe (if you have already compiled `scap-open`, the probe skeleton should already be built):

  ```bash
  make ProbeSkeleton
  ```

To execute it, you have to pass at least one source. For example, in this case we use the BPF source:

```bash
sudo ./libscap/examples/01-open/scap-open --bpf driver/bpf/probe.o
```

Please note: to use the BPF probe you also have to pass the path to the `.o` file. The paths above are relative to the `build` directory, and `sudo` is needed because loading a driver into the kernel and reading its buffers requires root.
As soon as you quit (CTRL-C) the `scap-open` program, you will be shown detailed information on the capture:

```
----------------------------- STATS ------------------------------
[SCAP-OPEN]: General statistics
Events correctly captured (SCAP_SUCCESS): 232471
Seen by driver (kernel side events): 232817
Time elapsed: 3 s
Rate of userspace events (events/second): 77490
Rate of kernel side events (events/second): 77605
Number of timeouts: 123
Number of 'next' calls: 232594
[SCAP-OPEN]: Stats v2.
[SCAP-OPEN]: 41 metrics in total
[SCAP-OPEN]: [1] kernel-side counters
[SCAP-OPEN]: [2] libbpf stats (compare to `bpftool prog show` CLI)
[1] n_evts: 232817
[1] n_drops_buffer_total: 0
[1] n_drops_buffer_clone_fork_enter: 0
[1] n_drops_buffer_clone_fork_exit: 0
[1] n_drops_buffer_execve_enter: 0
[1] n_drops_buffer_execve_exit: 0
[1] n_drops_buffer_connect_enter: 0
[1] n_drops_buffer_connect_exit: 0
[1] n_drops_buffer_open_enter: 0
[1] n_drops_buffer_open_exit: 0
[1] n_drops_buffer_dir_file_enter: 0
[1] n_drops_buffer_dir_file_exit: 0
[1] n_drops_buffer_other_interest_enter: 0
[1] n_drops_buffer_other_interest_exit: 0
[1] n_drops_buffer_close_exit: 0
[1] n_drops_buffer_proc_exit: 0
[1] n_drops_scratch_map: 0
[1] n_drops_page_faults: 0
[1] n_drops_bug: 0
[1] n_drops: 0
[2] sys_enter.run_cnt: 98656
[2] sys_enter.run_time_ns: 81056465
[2] sys_enter.avg_time_ns: 821
[2] sys_exit.run_cnt: 98660
[2] sys_exit.run_time_ns: 85784377
[2] sys_exit.avg_time_ns: 869
[2] sched_process_e.run_cnt: 24
[2] sched_process_e.run_time_ns: 41894
[2] sched_process_e.avg_time_ns: 1745
[2] sched_switch.run_cnt: 24481
[2] sched_switch.run_time_ns: 47855905
[2] sched_switch.avg_time_ns: 1954
[2] page_fault_user.run_cnt: 11605
[2] page_fault_user.run_time_ns: 4440998
[2] page_fault_user.avg_time_ns: 382
[2] page_fault_kern.run_cnt: 5127
[2] page_fault_kern.run_time_ns: 590651
[2] page_fault_kern.avg_time_ns: 115
[2] signal_deliver.run_cnt: 22
[2] signal_deliver.run_time_ns: 20848
[2] signal_deliver.avg_time_ns: 947
------------------------------------------------------------------
```
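The `[1]` drop counters are the numbers to read before trusting a capture: every non-zero `n_drops_*` value is an event the driver saw but could not hand to userspace, so any detection built on that capture is blind to exactly those events (the per-category counters tell you which ones). The script below is an added example, not code from the libs repository: it checks a saved STATS dump for that condition and names the categories that lost events. The function names (`drop_report`, `stat_value`, `nonzero_drop_counters`) and the sample counters, which were edited to show drops, are this example's own.

```shell
#!/bin/sh
# Added example, not part of the libs repository: fail a capture whose
# scap-open STATS dump reports kernel-side drops.

# Constructed sample of the "[1] kernel-side counters" block; the drop
# values are made up so that the check has something to report.
SAMPLE_STATS='[1] n_evts: 232817
[1] n_drops_buffer_total: 346
[1] n_drops_buffer_clone_fork_enter: 0
[1] n_drops_buffer_execve_enter: 120
[1] n_drops_buffer_execve_exit: 226
[1] n_drops_scratch_map: 0
[1] n_drops_page_faults: 0
[1] n_drops_bug: 0
[1] n_drops: 346'

# stat_value NAME: print the value of the "[1] NAME: <value>" line read on stdin.
stat_value() {
    awk -v key="$1" '$1 == "[1]" && $2 == (key ":") { print $3; exit }'
}

# nonzero_drop_counters: print the name of every "[1] n_drops*" counter
# whose value is not zero, one per line.
nonzero_drop_counters() {
    awk '$1 == "[1]" && $2 ~ /^n_drops/ && $3 != 0 { sub(/:$/, "", $2); print $2 }'
}

# drop_report: read a STATS dump on stdin, print "dropped X of Y ..." plus
# the counters that lost events; return 1 on any drop, 2 if the dump has
# no [1] counters at all, 0 when the capture is complete.
drop_report() {
    dump=$(cat)
    evts=$(printf '%s\n' "$dump" | stat_value n_evts)
    drops=$(printf '%s\n' "$dump" | stat_value n_drops)
    if [ -z "$evts" ] || [ -z "$drops" ]; then
        echo "no [1] kernel-side counters in input" >&2
        return 2
    fi
    pct=$(awk -v d="$drops" -v e="$evts" \
        'BEGIN { printf "%.3f", (e > 0) ? 100 * d / e : 0 }')
    echo "dropped $drops of $evts kernel-side events ($pct%)"
    if [ "$drops" -ne 0 ]; then
        printf '%s\n' "$dump" | nonzero_drop_counters | sed 's/^/  lost in: /'
        return 1
    fi
    return 0
}

# Usage on a real run: save the dump and feed it in, e.g.
#   sudo ./libscap/examples/01-open/scap-open --modern_bpf 2>&1 | tee stats.txt
#   drop_report < stats.txt
printf '%s\n' "$SAMPLE_STATS" | drop_report || echo "capture is incomplete, do not rely on it"
```

The check keys on `n_drops` rather than on the gap between "Seen by driver" and "Events correctly captured", because only the drop counters are attributed to a reason; a hard failure on any non-zero value is the right default when the capture is meant to feed a detection pipeline.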
To run it with the kernel module, you first have to insert the kernel module into the kernel:

```bash
sudo insmod driver/scap.ko
```

Then you can type:

```bash
sudo ./libscap/examples/01-open/scap-open --kmod
```

Remember to remove the kernel module when you have finished:

```bash
sudo rmmod scap
```

To run it with the modern BPF probe, issue:

```bash
sudo ./libscap/examples/01-open/scap-open --modern_bpf
```

You can look at the other available options by using `--help`:

```bash
sudo ./libscap/examples/01-open/scap-open --help
```

Here are just some examples:
- Read from a scap-file:

  ```bash
  sudo ./libscap/examples/01-open/scap-open --scap_file ~/my_scap_file/path
  ```

- Use the BPF probe with only the `mkdir` syscall and the `sys_enter` tracepoint (on x86_64 architecture):

  - Check the `ppm_code` of `mkdir`; the code is `27`, as you can see:

    ```bash
    sudo ./libscap/examples/01-open/scap-open --ppm_sc | grep mkdir
    - mkdir system_code: (83) ppm_code: (27)
    - mkdirat system_code: (258) ppm_code: (198)
    ```

    Note that `grep mkdir` also matches `mkdirat`, a different syscall with its own `ppm_code` (`198`): take the line whose name matches exactly. The `system_code` is the x86_64 syscall number (which is why the architecture matters), while the `ppm_code` is libscap's internal code and is what `--ppm_sc` expects. The same table is printed by `--print_syscalls`.

  - Check the code for the `sys_enter` tracepoint; the code is `0`, as you can see:

    ```bash
    sudo ./libscap/examples/01-open/scap-open --tp | grep sys_enter
    - sys_enter tp_code: (0)
    ```

  - Run the command with the obtained configuration:

    ```bash
    sudo ./libscap/examples/01-open/scap-open --bpf driver/bpf/probe.o --ppm_sc 27 --tp 0
    ```

The Dockerfile will use the `runner-image` tag to build the final image, as you can see here:
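Resolving codes by hand with `grep` is error-prone because a prefix such as `mkdir` also matches `mkdirat`. The following is an added example, not code from the libs repository, that turns syscall names into the `--ppm_sc` arguments by matching names exactly against the table printed above. It assumes the line format shown above (`- <name> system_code: (<n>) ppm_code: (<m>)`); the function name `ppm_codes_for`, the variable `SAMPLE_TABLE`, and the `open`/`openat` lines with their numbers are this example's own, made up for the sample, while the two `mkdir` lines are copied from the output above.

```shell
#!/bin/sh
# Added example, not part of the libs repository: build "--ppm_sc <code>"
# arguments from syscall names using exact-name matches on the table that
# scap-open prints, so that "mkdir" never silently turns into "mkdirat".

# Constructed excerpt of the syscall table in the format shown above. The
# mkdir/mkdirat lines come from that output; the open/openat numbers are
# made up for this sample and must not be used as real codes.
SAMPLE_TABLE='- mkdir system_code: (83) ppm_code: (27)
- mkdirat system_code: (258) ppm_code: (198)
- open system_code: (2) ppm_code: (1000)
- openat system_code: (257) ppm_code: (1001)'

# ppm_codes_for NAME...: read the table on stdin and print one line of
# "--ppm_sc <code>" pairs for the given names, in order. Unknown names are
# reported on stderr and skipped; the return status is 1 if any was missing.
ppm_codes_for() {
    table=$(cat)
    args=""
    rc=0
    for name in "$@"; do
        # Exact match on the second field; the ppm code is the last field
        # with its parentheses stripped.
        code=$(printf '%s\n' "$table" | awk -v n="$name" '
            $1 == "-" && $2 == n { c = $NF; gsub(/[()]/, "", c); print c; exit }')
        if [ -z "$code" ]; then
            echo "unknown syscall: $name" >&2
            rc=1
            continue
        fi
        args="$args${args:+ }--ppm_sc $code"
    done
    echo "$args"
    return $rc
}

# Usage with a real build (from the build directory):
#   args=$(sudo ./libscap/examples/01-open/scap-open --ppm_sc | ppm_codes_for mkdir mkdirat)
#   sudo ./libscap/examples/01-open/scap-open --bpf driver/bpf/probe.o $args --tp 0
printf '%s\n' "$SAMPLE_TABLE" | ppm_codes_for mkdir openat
```

Because the lookup is done on the table printed by the same binary you are about to run, the codes always belong to that build of libscap rather than to whatever version a hard-coded number was copied from.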
```dockerfile
FROM runner-image AS runner
...
```

For example, if I build `scap-open` locally on an `ubuntu:22.04` machine, I will instruct Docker to use `ubuntu:22.04` as the final running image:

```bash
docker tag ubuntu:22.04 runner-image
mkdir build && cd build
cmake -DUSE_BUNDLED_DEPS=On -DBUILD_LIBSCAP_GVISOR=Off -DBUILD_BPF=On -DBUILD_LIBSCAP_MODERN_BPF=On -DCREATE_TEST_TARGETS=Off -DMODERN_BPF_DEBUG_MODE=On ..
make scap-open driver bpf
```

From the build directory, build the image:

```bash
docker build --tag scap-open-dev -f ./../userspace/libscap/examples/01-open/Dockerfile .
```

From the build directory, run it:

```bash
docker run --rm -i -t --privileged \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
scap-open-dev
```

Note that `--privileged` together with the `/dev` and `/proc` bind mounts gives the container full access to the host kernel, which is what loading a driver needs; treat this image as a development tool, not as something to deploy as is.