Kernel Development Learning Pipeline

E1 - Scavenger Hunt 🔎

We will assign you a system call and give you a specially designed program. Your task is to trace invocations of that system call by the program within userspace and kernelspace and document your observations.

Outcomes:

• Strengthen understanding of the interaction between the kernel and userspace

• Learn how to monitor a program's execution of system calls

• Build awareness of, and basic familiarity with, the linux BPF subsystem via bpftrace

• Gain experience with tracing based debugging

What to submit:

• A cover letter following the submission procedures

• Patch 1 adds a directory named E1 to your username directory (username/E1) with an unmodified copy of E1/questions.txt

• Patch 2 adds two logs in your username/E1 directory named strace_user and strace_root

  • Each log contains the full output from running strace on the special program

  • strace_user contains the output from running the program as an unpriveleged user

  • strace_root contains the output from running as root using sudo

• Patch 3 adds your username/E1/trace.bp bpftrace program and a file username/E1/trace.out that shows the expected output of a successful trace of the special program making your system call

• Patch 4 modifies username/E1/questions.txt to answer each question

• Patch 5 adds username/E1/log.txt with the output from all the times you ran the program

• Don't forget a cover letter

• All email code patches are expected to pass checkpatch.pl as described in the policies and procedures

• Submit your patches to exercise1@COURSE_DOMAIN

Procedure:

1. Create an E1 directory in your username directory

2. Copy the provided E1/questions.txt file into your username/E1

   1. You can make the commit for your first patch at this point.

3. Play with the provided program, either program_amd64 or program_arm64 depending on your architecture

   1. Regardless of the location of the binary, the program will create a log.txt file in the directory where the program is invoked

   2. You will need this output for patch 5

4. Disassemble the appropriate binary using a tool like objdump -d <binary>

   1. Identify the lines of code that prepare the arguments for your system call, specify the system call number, and invoke the kernel

   2. Use this to answer question 0 for your architecture

5. Run strace on the provided program

   1. Locate the lines corresponding to call(s) to your system call in the output

   2. Use this to answer question 1

6. Read the manual page for your system call (type man 2 [system call name] e.g. man 2 execve)

   1. Use this to answer questions 2, 3, and 4

7. Analyze the disassembled binary to answer question 5

8. Find the system call definition within the kernel source

   1. Suggested: make use of git grep or elixir or cscope

   2. Use this to answer question 6

9. If you previously made a shallow (--depth=1) local clone, pull the full history of the Linux kernel repository

   1. Use git pull --unshallow (this will take a little while to download)

10. Run git blame on the file containing the definition of the system call

    1. Find the most recently modified line or lines in the system call handler

    2. Use this to answer questions 7, 8, 9, and 10

11. Identify the probe you will use for tracing by searching for available probes that match your system call with sudo bpftrace -l

12. Write the bpf script that inserts a probe triggered by the program running your system call

    1. The program prints the system call arguments, the kernelspace stack, and the userspace stack each time the system call is executed by the program

    2. Ensure that the probe is only triggered on instances of the system call caused by running the provided program

13. Capture the necessary output, and create commits out of your changes as described above

14. Generate patches out of your commits

Tools of interest

• strace

• man

• cscope

• git-blame

• git-grep [ -n ]

• bpftrace and other BPF tooling

Policies & Procedures