2024-05-04 22:55:56 +03:00
|
|
|
// Copyright (c) eBPF for Windows contributors
|
2021-03-02 21:45:34 +03:00
|
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
#pragma once
|
|
|
|
|
2024-04-03 18:44:59 +03:00
|
|
|
#define EBPF_OFFSET_OF(s, m) (((size_t) & ((s*)0)->m))
|
|
|
|
#define EBPF_FIELD_SIZE(s, m) (sizeof(((s*)0)->m))
|
|
|
|
#define EBPF_SIZE_INCLUDING_FIELD(s, m) (EBPF_OFFSET_OF(s, m) + EBPF_FIELD_SIZE(s, m))
|
|
|
|
|
2021-09-15 22:08:18 +03:00
|
|
|
#ifdef _MSC_VER
|
2021-05-10 18:47:54 +03:00
|
|
|
#include <guiddef.h>
|
2021-09-15 22:08:18 +03:00
|
|
|
#else
|
2024-03-30 20:27:09 +03:00
|
|
|
typedef uint8_t GUID[16];
|
|
|
|
#endif
|
|
|
|
|
2023-12-08 00:10:19 +03:00
|
|
|
#if !defined(NO_CRT) && !defined(_NO_CRT_STDIO_INLINE)
|
2024-03-30 20:27:09 +03:00
|
|
|
#include <stdbool.h>
|
|
|
|
#include <stddef.h>
|
2023-02-07 21:32:19 +03:00
|
|
|
#include <stdint.h>
|
|
|
|
#else
|
|
|
|
typedef unsigned char uint8_t;
|
2024-03-30 20:27:09 +03:00
|
|
|
typedef unsigned short uint16_t;
|
|
|
|
typedef unsigned short wchar_t;
|
|
|
|
typedef unsigned int uint32_t;
|
|
|
|
typedef unsigned long long uint64_t;
|
|
|
|
typedef unsigned long long size_t;
|
2024-04-04 03:49:27 +03:00
|
|
|
#define bool _Bool
|
2021-09-15 22:08:18 +03:00
|
|
|
#endif
|
2021-04-26 22:16:20 +03:00
|
|
|
|
2021-03-02 21:45:34 +03:00
|
|
|
// This file contains eBPF definitions needed by eBPF programs as well as
|
2024-03-30 20:27:09 +03:00
|
|
|
// the verifier, execution context and extension drivers.
|
2021-03-02 21:45:34 +03:00
|
|
|
|
2022-07-01 02:53:03 +03:00
|
|
|
#define EBPF_ROOT_REGISTRY_PATH L"\\Registry\\Machine\\Software\\eBPF"
|
|
|
|
#define EBPF_ROOT_RELATIVE_PATH L"Software\\eBPF"
|
|
|
|
#define EBPF_STORE_REGISTRY_PATH L"Software\\eBPF\\Providers"
|
|
|
|
|
2024-03-30 20:27:09 +03:00
|
|
|
#define EBPF_PROVIDERS_REGISTRY_KEY L"Providers"
|
|
|
|
#define EBPF_SECTIONS_REGISTRY_KEY L"SectionData"
|
|
|
|
#define EBPF_PROGRAM_DATA_REGISTRY_KEY L"ProgramData"
|
|
|
|
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_REGISTRY_KEY L"TypeDescriptor"
|
|
|
|
#define EBPF_PROGRAM_DATA_HELPERS_REGISTRY_KEY L"Helpers"
|
|
|
|
#define EBPF_GLOBAL_HELPERS_REGISTRY_KEY L"GlobalHelpers"
|
|
|
|
|
|
|
|
#define EBPF_EXTENSION_HEADER_VERSION L"Version"
|
|
|
|
#define EBPF_EXTENSION_HEADER_SIZE L"Size"
|
2022-07-01 02:53:03 +03:00
|
|
|
|
|
|
|
#define EBPF_SECTION_DATA_PROGRAM_TYPE L"ProgramType"
|
|
|
|
#define EBPF_SECTION_DATA_ATTACH_TYPE L"AttachType"
|
|
|
|
|
|
|
|
#define EBPF_PROGRAM_DATA_NAME L"Name"
|
|
|
|
#define EBPF_PROGRAM_DATA_CONTEXT_DESCRIPTOR L"ContextDescriptor"
|
|
|
|
#define EBPF_PROGRAM_DATA_PLATFORM_SPECIFIC_DATA L"PlatformSpecificData"
|
2022-11-17 00:06:14 +03:00
|
|
|
#define EBPF_PROGRAM_DATA_PRIVILEGED L"IsPrivileged"
|
2022-07-01 02:53:03 +03:00
|
|
|
#define EBPF_PROGRAM_DATA_HELPER_COUNT L"HelperCount"
|
|
|
|
|
|
|
|
#define EBPF_HELPER_DATA_PROTOTYPE L"Prototype"
|
2024-04-04 03:49:27 +03:00
|
|
|
#define EBPF_HELPER_DATA_REALLOCATE_PACKET L"ReallocatePacket"
|
2022-07-01 02:53:03 +03:00
|
|
|
|
2022-07-06 02:54:22 +03:00
|
|
|
#define EBPF_DATA_BPF_PROG_TYPE L"BpfProgType"
|
|
|
|
#define EBPF_DATA_BPF_ATTACH_TYPE L"BpfAttachType"
|
|
|
|
|
2021-05-04 01:17:10 +03:00
|
|
|
typedef GUID ebpf_program_type_t;
|
2021-05-10 18:47:54 +03:00
|
|
|
typedef GUID ebpf_attach_type_t;
|
2021-03-08 19:37:39 +03:00
|
|
|
|
2021-04-20 02:12:08 +03:00
|
|
|
typedef enum _ebpf_helper_function
|
|
|
|
{
|
2021-06-30 19:22:40 +03:00
|
|
|
EBPF_LOOKUP_ELEMENT = 1, ///< Look up a map element.
|
|
|
|
EBPF_UPDATE_ELEMENT = 2, ///< Update map element.
|
|
|
|
EBPF_DELETE_ELEMENT = 3, ///< Delete a map element.
|
2021-03-08 19:37:39 +03:00
|
|
|
} ebpf_helper_function_t;
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
#define EBPF_MAX_GENERAL_HELPER_FUNCTION 0xFFFF
|
|
|
|
|
|
|
|
#define EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION 1
|
|
|
|
#define EBPF_PROGRAM_INFORMATION_CLIENT_DATA_CURRENT_VERSION 1
|
|
|
|
|
2024-04-03 18:44:59 +03:00
|
|
|
// Version 1 of the eBPF extension data structures and their lengths.
|
|
|
|
#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION 1
|
|
|
|
#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_attach_provider_data_t, link_type)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_attach_provider_data_t)
|
|
|
|
#define EBPF_ATTACH_PROVIDER_DATA_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION, EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-04-03 18:44:59 +03:00
|
|
|
|
2024-03-30 20:27:09 +03:00
|
|
|
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION 1
|
|
|
|
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE \
|
|
|
|
EBPF_SIZE_INCLUDING_FIELD(ebpf_program_type_descriptor_t, is_privileged)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_type_descriptor_t)
|
|
|
|
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION, EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION 1
|
|
|
|
#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE \
|
2024-07-19 20:12:08 +03:00
|
|
|
EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_prototype_t, implicit_context)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_helper_function_prototype_t)
|
|
|
|
#define EBPF_HELPER_FUNCTION_PROTOTYPE_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION, EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION 1
|
|
|
|
#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE \
|
|
|
|
EBPF_SIZE_INCLUDING_FIELD(ebpf_program_info_t, global_helper_prototype)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_info_t)
|
|
|
|
#define EBPF_PROGRAM_INFORMATION_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_PROGRAM_INFORMATION_CURRENT_VERSION, EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION 1
|
2024-04-03 18:44:59 +03:00
|
|
|
#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE \
|
|
|
|
EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_addresses_t, helper_function_address)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_helper_function_addresses_t)
|
|
|
|
#define EBPF_HELPER_FUNCTION_ADDRESSES_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION, EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
#define EBPF_PROGRAM_DATA_CURRENT_VERSION 1
|
2024-07-15 19:23:51 +03:00
|
|
|
#define EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_program_data_t, capabilities)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_data_t)
|
|
|
|
#define EBPF_PROGRAM_DATA_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_PROGRAM_DATA_CURRENT_VERSION, EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION 1
|
|
|
|
#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE \
|
|
|
|
EBPF_SIZE_INCLUDING_FIELD(ebpf_program_section_info_t, bpf_attach_type)
|
2024-05-24 04:05:36 +03:00
|
|
|
#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_section_info_t)
|
|
|
|
#define EBPF_PROGRAM_SECTION_INFORMATION_HEADER \
|
|
|
|
{ \
|
|
|
|
EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION, EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE, \
|
|
|
|
EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE \
|
|
|
|
}
|
2024-03-30 20:27:09 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Header of an eBPF extension data structure.
|
|
|
|
* Every eBPF extension data structure must start with this header.
|
|
|
|
* New fields can be added to the end of an eBPF extension data structure
|
|
|
|
* without breaking backward compatibility. The version field must be
|
|
|
|
* updated only if the new data structure is not backward compatible.
|
|
|
|
*/
|
|
|
|
typedef struct _ebpf_extension_header
|
|
|
|
{
|
2024-05-24 04:05:36 +03:00
|
|
|
uint16_t version; ///< Version of the extension data structure.
|
|
|
|
size_t size; ///< Size of the extension data structure not including any padding.
|
|
|
|
size_t total_size; ///< Total size of the extension data structure including any padding.
|
2024-03-30 20:27:09 +03:00
|
|
|
} ebpf_extension_header_t;
|