Custom CO-RE BPF probe #1320
Description
Implement custom version of CO-RE BPF probe, following the same approach as for
the custom EBPF one. The proposed solution:
-
Restructure current
kernel-modules/probeto contain two subdirectories,
ebpfandcore_bpffor custom ebpf and core_bpf probes correspondingly. -
Construct a cmake configuration, similar to that in Falco, to build
separate probes withmodern_bpfdependencies. -
For each captured syscall introduce one probe with two BPF progs
tp_btf/sys_{enter|exit}_syscall, similar to attached progs from Falco. -
Teach the cmake configuration to assemble the final probe by picking up the
custom bits and the actual tail-called BPF program from the Falco build. -
Verify it's limitations for other architectures.