feat: inner-map prototype fixup + KubeArmor behavior lane reference#38
Merged
…ects Add a manifest `maps[].inner_map` fixup that installs an inner-map template (type/key_size/value_size/max_entries) on a HASH_OF_MAPS / ARRAY_OF_MAPS before load. Objects whose own loader sets up the inner map at runtime (e.g. KubeArmor's kubearmor_visibility) previously failed a generic libbpf load with EINVAL on every kernel; declaring the prototype lets bpfcompat load them faithfully and produce a true per-kernel matrix.

The prior fixup only supported an inner ringbuf. This threads a generic inner map through the full chain: manifest schema + validation, runner tuning and applied-note, validator result parsing, the VM command line (--set-map-inner-map <map>=<type>:<key>:<value>:<entries>), and the C validator (bpf_map_create + bpf_map__set_inner_map_fd). Tests cover manifest validation and command-line construction.

Verified end-to-end against KubeArmor system_monitor.bpf.o: loads across Ubuntu 5.4/5.15, Debian 6.1, Ubuntu 6.8, and AlmaLinux 8 (4.18).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
## What

Two related changes:

1. An inner-map fixup for objects that declare a map-of-maps (`BPF_MAP_TYPE_HASH_OF_MAPS`/`ARRAY_OF_MAPS`) whose inner map the artifact's own loader installs at runtime.
2. A behavior lane reference (`examples/oss/kubearmor-system-monitor/`) that uses (1) and demonstrates the opt-in, non-blocking `behavior` validation mode on a real third-party object.

### 1. Inner-map fixup

New manifest field: `maps[].inner_map` (type/key_size/value_size/max_entries).

Types: `hash`, `array`, `lru_hash`, `percpu_hash`, `percpu_array`, `lru_percpu_hash`.

Why: a generic libbpf load can't create a `HASH_OF_MAPS`/`ARRAY_OF_MAPS` without an inner-map fd — it fails with `EINVAL` on every kernel (including the newest with BTF), which is a loader contract, not a compatibility result. The existing fixup only supported an inner ringbuf (Falco `modern_bpf`'s `ringbuf_maps`); this generalizes it.

How: threaded through `internal/manifest` (`InnerMapSpec` + validation), `internal/runner` (tuning + applied-note + JSON parse), `internal/vm/qemu.go` (`--set-map-inner-map <map>=<type>:<key>:<value>:<entries>`), and `validator/c-libbpf/src/main.c` (`bpf_map_create` + `bpf_map__set_inner_map_fd` before load). Tests for manifest validation and CLI construction.

### 2. Behavior lane reference

`examples/oss/kubearmor-system-monitor/` validates KubeArmor's `system_monitor.bpf.o` as shipped (object not vendored — built from KubeArmor per `UPSTREAM.md`). It declares the inner-map contract above, then runs a `behavior`-mode functional test that exercises the syscalls `system_monitor` hooks (execve/openat/close/unlink/uid) under the live monitor and asserts each returned the correct result. `required: false` keeps it non-blocking. README documents the honest scope: this proves load + attach + liveness/correctness, not event capture (Phase 2, which needs KubeArmor's perf reader).

## Verification

Built KubeArmor's `system_monitor.bpf.o` from source and ran the VM matrix. As-is it failed all kernels at `kubearmor_visibility` map-create (`EINVAL`); with the inner-map manifest it loads everywhere, and in `behavior` mode load + functional pass on all five:

- 5.4.0-216
- 5.15.0-181
- 6.1.0-49
- 6.8.0-117
- 4.18.0-553

`go test ./...`, `go vet`, and `gofmt` all clean.

🤖 Generated with Claude Code