Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,11 @@ failing.
## Proof: a real Falco probe catches a real regression

`bpfcompat` validates Falco's `modern_bpf` probe (`bpf_probe.o`, ~64 programs)
exactly as Falco's own loader runs it, across a 5-kernel matrix:
**the way Falco's `libpman` loads it** — runtime-sized maps, helper-gated program
variants, and trial-probed BPF iterators, declared in a manifest so a plain
libbpf load doesn't undercount support. (This *mirrors* libpman's loader
contract; it is not Falco's loader binary itself — to run that exact binary, use
[command mode](docs/command-validation.md).) Across a 5-kernel matrix:

| Profile | Host kernel | Status | Why |
|---|---|---|---|
Expand Down Expand Up @@ -248,8 +252,17 @@ not a production runtime loader and it is not a production multi-tenant SaaS.
Implemented:

- VM-backed `.bpf.o` validation through QEMU/KVM cloud images.
- **Command/binary validation** (`bpfcompat test --command`) — run *your own*
loader binary/command inside each kernel VM and take its **exit code** as the
per-kernel verdict. The bundled validator is **not** used in this mode; this
tests the real userspace loader path. See
[docs/command-validation.md](docs/command-validation.md).
- **Library of known-tricky vendor kernels** (`matrices/quirk-library.yaml`) —
the kernels where "version ≠ feature support" bites; run a `.bpf.o` or your
own loader against the whole set. See
[docs/kernel-quirk-library.md](docs/kernel-quirk-library.md).
- C/libbpf validator that records load, attach, BTF, CO-RE, map, program, and
capability evidence.
capability evidence (the default `.bpf.o` flow).
- Failure classification for common compatibility cases such as missing BTF,
CO-RE relocation failures, unsupported map types, unsupported attach types,
and unsupported program types.
Expand Down
9 changes: 6 additions & 3 deletions docs/case-study-falco-modern-bpf.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,12 @@ recognizable artifact: Falco's `modern_bpf` probe (`bpf_probe.o`).
sha256 `4895177ced5618d22fd40c1d69be80c7f16fc28f9552f0eff5fdbf682bbd2722`.
- **Validation mode:** load + attach, inside disposable QEMU/KVM VMs running each
exact kernel.
- **Loaded exactly as libpman does** — runtime-sized maps, helper-gated program
variants, trial-probed BPF iterators (declared in a manifest) — so a generic
libbpf load does not undercount support.
- **Loaded mirroring libpman's loader contract** — runtime-sized maps,
helper-gated program variants, trial-probed BPF iterators (declared in a
manifest) — so a generic libbpf load does not undercount support. This
reproduces *how* libpman loads the object; it is not Falco's loader binary
itself (for that, use command mode — see
[command-validation.md](command-validation.md)).

## Result

Expand Down