Compilation of ebpf_prog fails - failed to load BTF from vmlinux: Unknown error -2 #680

Closed
Bogdan107 opened this issue Jun 26, 2022 · 7 comments


Bogdan107 commented Jun 26, 2022

Describe the bug
I want to use ProcMonitorMethod=ebpf. For this, I need to compile the ebpf_prog module.
Compilation fails with an error:

Error: failed to load BTF from /usr/src/linux-5.18.6-gentoo/vmlinux: Unknown error -2

Include the following information:

  • OpenSnitch version: 1.5.1
  • OS: Gentoo
  • Version: default/linux/amd64/17.1/no-multilib/hardened/selinux (getsebool: SELinux is disabled)
  • Window Manager: Cinnamon
  • Kernel version: Linux win11 5.18.6-gentoo-x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 23 20:37:22 EEST 2022 x86_64 AMD Ryzen 5 4600H with Radeon Graphics AuthenticAMD GNU/Linux

To Reproduce
build script attached.

Post error logs:
Compilation of ebpf_prog fails with an error:

Error: failed to load BTF from /usr/src/linux-5.18.6-gentoo/vmlinux: Unknown error -2

Additional context

  1. Option CONFIG_PAHOLE_HAS_SPLIT_BTF automatically resets to "=Y":
$ grep BTF .config
# CONFIG_VIDEO_SONY_BTF_MPX is not set
CONFIG_PAHOLE_HAS_SPLIT_BTF=y
  2. I don't use kernel 5.8, because it does not contain a Makefile for the AMD architecture.
Makefile:599: arch/amd64/Makefile: No such file or directory
make: *** No rule to make target 'arch/amd64/Makefile'.  Stop.
@Bogdan107
Author

This is the build script "build_ebpf_prog.sh":

#!/bin/sh

set -e;

# https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog

KERNDIR="/usr/src/linux";
OTMPDIR="/home/miki/del";
ODIR="${OTMPDIR}/opensnitch";
SAMPLESDIR="${KERNDIR}/samples/bpf";

export CC="/usr/bin/x86_64-pc-linux-gnu-gcc";
export CXX="/usr/bin/x86_64-pc-linux-gnu-g++";

KERNEL_OPTIONS_ENABLE="
    CONFIG_CGROUP_BPF
    CONFIG_BPF
    CONFIG_BPF_SYSCALL
    CONFIG_BPF_EVENTS
    CONFIG_KPROBES
    CONFIG_KPROBE_EVENTS

    CONFIG_FTRACE
    CONFIG_DEBUG_INFO
    CONFIG_DEBUG_INFO_DWARF5
    CONFIG_BPF_SYSCALL
    CONFIG_DEBUG_INFO_BTF
    CONFIG_DEBUG_INFO_REDUCED
";
KERNEL_OPTIONS_DISABLE="
    CONFIG_PAHOLE_HAS_SPLIT_BTF
";

Log() {
    #echo "";
    echo "--------------------------------------------------------";
    echo "$1";
    echo "";
};

Log "Install sources of opensnitch.";
rm -rf "${ODIR}";
cd "${OTMPDIR}";
git clone --depth 1 "https://github.com/evilsocket/opensnitch";

if [ -f "${KERNDIR}"/.config ]; then
    DSTCFG="/var/tmp/kernel-config-$(date +%Y-%m-%d_%H:%M:%S)";
    Log "Backup kernel config to ${DSTCFG}.";
    cp "${KERNDIR}"/.config "${DSTCFG}";
fi;

Log "Remove kernel sources.";
rm -rf "${KERNDIR}";

Log "Install pure kernel sources.";
# This will install kernel sources into /usr/src/linux-5.18.5-gentoo
# and make symlink /usr/src/linux -> /usr/src/linux-5.18.5-gentoo
USE=symlink emerge -1 gentoo-sources;

Log "Configure kernel: ENABLE options";
cd "${KERNDIR}";
for i in ${KERNEL_OPTIONS_ENABLE}; do
    echo "  Enable option: $i";
    /bin/sh scripts/config -e "$i";
done;

Log "Configure kernel: DISABLE options";
for i in ${KERNEL_OPTIONS_DISABLE}; do
    echo "  Disable option: $i";
    ./scripts/config -d "$i";
done;

Log "Patch bpf headers.";
patch "${KERNDIR}"/tools/lib/bpf/bpf_helpers.h < "${ODIR}"/ebpf_prog/file.patch

Log "Copy ebpf_prog sources into kernel tree.";
cd "${ODIR}"/ebpf_prog;
cp Makefile "${SAMPLESDIR}"/Makefile.opensnitch;
cp opensnitch-dns.c opensnitch-procs.c opensnitch.c "${SAMPLESDIR}"/;

Log "Prepare kernel.";
cd "${KERNDIR}" && yes "" | \
    make oldconfig && \
    make -j"$(nproc)" prepare && \
    make headers_install; # (~ 1 min)

Log "Build ebpf_prog.";
cd "${SAMPLESDIR}" && make -j"$(nproc)" -f Makefile.opensnitch CC="$CC" CXX="$CXX";

if [ ! -f "opensnitch.o" ]; then
    Log "File opensnitch.o not compiled. Abort!"
    exit 1; # stop here instead of running objdump/llvm-strip on a missing file
fi;

Log "Prepare module.";
objdump -h opensnitch.o; #you should see many section, number 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch.o; #remove debug info

DST="/etc/opensnitchd";
Log "Install module into '${DST}' directory.";
cp opensnitch*.o "${DST}";

@Bogdan107
Author

Bogdan107 commented Jun 26, 2022

This is the build log for the command:

/bin/sh build_ebpf_prog.sh 2>&1 | tee /tmp/opensnitch__ebpf_prog__build.log

opensnitch__ebpf_prog__build.log

--------------------------------------------------------
Install sources of opensnitch.

Клонирование в «opensnitch»…
--------------------------------------------------------
Remove kernel sources.

--------------------------------------------------------
Install pure kernel sources.

>>> Verifying ebuild manifests
>>> Emerging (1 of 1) sys-kernel/gentoo-sources-5.18.6::gentoo
>>> Installing (1 of 1) sys-kernel/gentoo-sources-5.18.6::gentoo
--------------------------------------------------------
Configure kernel: ENABLE options

  Enable option: CONFIG_CGROUP_BPF
  Enable option: CONFIG_BPF
  Enable option: CONFIG_BPF_SYSCALL
  Enable option: CONFIG_BPF_EVENTS
  Enable option: CONFIG_KPROBES
  Enable option: CONFIG_KPROBE_EVENTS
  Enable option: CONFIG_FTRACE
  Enable option: CONFIG_DEBUG_INFO
  Enable option: CONFIG_DEBUG_INFO_DWARF5
  Enable option: CONFIG_BPF_SYSCALL
  Enable option: CONFIG_DEBUG_INFO_BTF
  Enable option: CONFIG_DEBUG_INFO_REDUCED
--------------------------------------------------------
Configure kernel: DISABLE options

  Disable option: CONFIG_PAHOLE_HAS_SPLIT_BTF
--------------------------------------------------------
Patch bpf headers.

patching file /usr/src/linux/tools/lib/bpf/bpf_helpers.h
Hunk #1 succeeded at 127 (offset 73 lines).
--------------------------------------------------------
Copy ebpf_prog sources into kernel tree.

--------------------------------------------------------
Prepare kernel.

#
# configuration written to .config
#
  SYNC    include/config/auto.conf.cmd
  HOSTCC  scripts/selinux/genheaders/genheaders
  HOSTCC  scripts/selinux/mdp/mdp
  HOSTCC  scripts/sign-file
  DESCEND objtool
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/weak.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/check.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/special.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/arch/x86/special.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/orc_gen.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/orc_dump.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/builtin-check.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/arch/x86/decode.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/builtin-orc.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/elf.o
  CC      /usr/src/linux-5.18.6-gentoo/tools/objtool/objtool.o
  CC      scripts/mod/devicetable-offsets.s
  HOSTCC  scripts/mod/modpost.o
  LD      /usr/src/linux-5.18.6-gentoo/tools/objtool/arch/x86/objtool-in.o
  HOSTLD  scripts/mod/modpost
  CC      kernel/bounds.s
  CALL    scripts/atomic/check-atomics.sh
  CC      arch/x86/kernel/asm-offsets.s
  CALL    scripts/checksyscalls.sh
  LD      /usr/src/linux-5.18.6-gentoo/tools/objtool/objtool-in.o
  LINK    /usr/src/linux-5.18.6-gentoo/tools/objtool/objtool
  HDRINST usr/include/asm-generic/siginfo.h
  HDRINST usr/include/linux/android/binder.h
  HDRINST usr/include/linux/xattr.h
  HDRINST usr/include/linux/types.h
  HDRINST usr/include/linux/lirc.h
  HDRINST usr/include/linux/landlock.h
  INSTALL ./usr/include
--------------------------------------------------------
Build ebpf_prog.

make -C ../../ M=/usr/src/linux-5.18.6-gentoo/samples/bpf BPF_SAMPLES_PATH=/usr/src/linux-5.18.6-gentoo/samples/bpf
make[1]: вход в каталог «/usr/src/linux-5.18.6-gentoo»
warning: the compiler differs from the one used to build the kernel
  The kernel was built by: gcc (Gentoo Hardened 11.3.0 p4) 11.3.0
  You are using:           x86_64-pc-linux-gnu-gcc (Gentoo Hardened 11.3.0 p4) 11.3.0
make -C /usr/src/linux-5.18.6-gentoo/samples/bpf/../../tools/lib/bpf RM='rm -rf' EXTRA_CFLAGS="-Wall -O2 -Wmissing-prototypes -Wstrict-prototypes -I./usr/include -I./tools/testing/selftests/bpf/ -I/usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/include -I./tools/include -I./tools/perf -DHAVE_ATTR_TEST=0" \
	LDFLAGS= srctree=/usr/src/linux-5.18.6-gentoo/samples/bpf/../../ \
	O= OUTPUT=/usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/ DESTDIR=/usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf prefix= \
	/usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/libbpf.a install_headers
  INSTALL /usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/include/bpf/bpf_helpers.h
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/staticobjs/libbpf.o
  LD      /usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/staticobjs/libbpf-in.o
  LINK    /usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/libbpf.a
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_lru_dist
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/sock_example
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/../../tools/testing/selftests/bpf/cgroup_helpers.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/../../tools/testing/selftests/bpf/trace_helpers.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/cookie_uid_helper_example.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/cpustat_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/fds_example.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/hbm.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/ibumad_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/lathist_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/lwt_len_hist_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/map_perf_test_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/offwaketime_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/sampleip_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/sockex1_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/sockex2_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/sockex3_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/spintest_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/syscall_tp_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/task_fd_query_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tc_l2_redirect_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_cgrp2_array_pin.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_cgrp2_attach.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_cgrp2_sock.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_cgrp2_sock2.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_current_task_under_cgroup_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_map_in_map_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_overhead_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/test_probe_write_user_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/trace_event_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/trace_output_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex1_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex2_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex3_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex4_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex5_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex6_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/tracex7_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp1_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_adjust_tail_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_fwd_user.o
make -C /usr/src/linux-5.18.6-gentoo/samples/bpf/../../tools/bpf/bpftool srctree=/usr/src/linux-5.18.6-gentoo/samples/bpf/../../ \
	OUTPUT=/usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/ \
	LIBBPF_OUTPUT=/usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/ \
	LIBBPF_DESTDIR=/usr/src/linux-5.18.6-gentoo/samples/bpf/libbpf/
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_router_ipv4_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_rxq_info_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_sample_pkts_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_sample_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdp_tx_iptunnel_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdpsock_ctrl_proc.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xdpsock_user.o
  CC  /usr/src/linux-5.18.6-gentoo/samples/bpf/xsk_fwd.o

Auto-detecting system features:
...                        libbfd: [  on  ]
...        disassembler-four-args: [  on  ]
...                          zlib: [  on  ]
...                        libcap: [  on  ]
...               clang-bpf-co-re: [  on  ]


  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/btf.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/btf_dumper.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/cfg.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/cgroup.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/common.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/feature.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/gen.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/iter.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/json_writer.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/link.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/main.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/map.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/map_perf_ring.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/net.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/netlink_dumper.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/perf.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/struct_ops.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/tracelog.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/xlated_dumper.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/jit_disasm.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/libbpf/staticobjs/libbpf.o
  INSTALL /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/libbpf/include/bpf/bpf_helpers.h
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/disasm.o
  LD      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/libbpf/staticobjs/libbpf-in.o
  LINK    /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/libbpf/libbpf.a
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/main.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/common.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/gen.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/btf.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/xlated_dumper.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/json_writer.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/disasm.o
  CC      /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/btf_dumper.o
  LINK    /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bootstrap/bpftool
  GEN     /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/vmlinux.h
Error: failed to load BTF from /usr/src/linux-5.18.6-gentoo/vmlinux: Unknown error -2
make[3]: *** [Makefile:176: /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/vmlinux.h] Error 254
make[2]: *** [/usr/src/linux-5.18.6-gentoo/samples/bpf/Makefile:296: /usr/src/linux-5.18.6-gentoo/samples/bpf/bpftool/bpftool] Error 2
make[1]: *** [Makefile:1838: /usr/src/linux-5.18.6-gentoo/samples/bpf] Ошибка 2
make[1]: выход из каталога «/usr/src/linux-5.18.6-gentoo»
make: *** [Makefile.opensnitch:94: all] Ошибка 2

@Bogdan107 Bogdan107 changed the title Compilation of ebpf_prog fails. kernel 5.18.6 Compilation of ebpf_prog fails - failed to load BTF from vmlinux: Unknown error -2 Jun 26, 2022
@Bogdan107
Author

Bogdan107 commented Jun 26, 2022

This is the kernel config file after build: config.log
File renamed to *.log extension, because system disallows txt files.

$ grep -e BPF -e KPROBES .config | sed '/^#/d' | sort
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_EVENTS=y          #
CONFIG_BPFILTER_UMH=y
CONFIG_BPFILTER=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_BPF_SYSCALL=y         #
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_BPF=y                 #
CONFIG_CGROUP_BPF=y          #
CONFIG_HAVE_EBPF_JIT=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_KPROBES=y             #
CONFIG_LWTUNNEL_BPF=y
CONFIG_NET_ACT_BPF=y
CONFIG_NET_CLS_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=y
CONFIG_TEST_BPF=m

There is no option CONFIG_KPROBE_EVENTS in kernel 5.18.6.
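
Added example, not part of the issue or of the OpenSnitch project: `scripts/config -e`/`-d` only edits `.config`, and the `make oldconfig` that follows can reset or drop options, as the first comment reports for CONFIG_PAHOLE_HAS_SPLIT_BTF. The sketch below reports which of the options requested by the build script are not `=y` afterwards; `check_kconfig`, `demo` and the sample `.config` are constructed for illustration.

```shell
#!/bin/sh
# check_kconfig CONFIG_FILE OPTION...
# Prints one line for every OPTION that is not "=y" in CONFIG_FILE.
# Returns 0 if all options are enabled, 1 if any is not, 2 if the file is unreadable.
check_kconfig() {
    ck_cfg="$1"; shift
    ck_bad=0
    if [ ! -r "$ck_cfg" ]; then
        echo "cannot read $ck_cfg" >&2
        return 2
    fi
    for ck_opt in "$@"; do
        if grep -q "^${ck_opt}=y\$" "$ck_cfg"; then
            continue
        elif grep -q "^# ${ck_opt} is not set\$" "$ck_cfg"; then
            echo "${ck_opt}: disabled"
        elif grep -q "^${ck_opt}=" "$ck_cfg"; then
            # Present with another value, for example =m
            echo "${ck_opt}: set to $(grep "^${ck_opt}=" "$ck_cfg" | cut -d= -f2-)"
        else
            # Not in the file at all: unknown symbol or unmet dependency
            echo "${ck_opt}: absent"
        fi
        ck_bad=1
    done
    return "$ck_bad"
}

# Options the build script in this issue passes to "scripts/config -e".
WANTED="CONFIG_CGROUP_BPF CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS
CONFIG_KPROBES CONFIG_KPROBE_EVENTS CONFIG_FTRACE CONFIG_DEBUG_INFO
CONFIG_DEBUG_INFO_DWARF5 CONFIG_DEBUG_INFO_BTF CONFIG_DEBUG_INFO_REDUCED"

# Runs the check against a constructed .config (sample data, not the reporter's file).
demo() {
    demo_tmp=$(mktemp)
    cat > "$demo_tmp" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_EVENTS=y
CONFIG_CGROUP_BPF=y
CONFIG_KPROBES=y
CONFIG_FTRACE=y
CONFIG_PAHOLE_HAS_SPLIT_BTF=y
# CONFIG_DEBUG_INFO_REDUCED is not set
CONFIG_TEST_BPF=m
EOF
    demo_rc=0
    # WANTED is split on whitespace on purpose: one argument per option.
    check_kconfig "$demo_tmp" $WANTED || demo_rc=$?
    rm -f "$demo_tmp"
    return "$demo_rc"
}

demo || echo "=> some requested options are not enabled in the final .config"
```

In a real build the function would be called as `check_kconfig /usr/src/linux/.config $WANTED` after `make oldconfig`, aborting the build on a non-zero return.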

@gustavo-iniguez-goya
Collaborator

Hi @Bogdan107 ,

Sorry to ask you for this, but please, post the errors (if any) compiling the modules as specified on the https://github.com/evilsocket/opensnitch/blob/master/ebpf_prog/README

Thank you in advance :)

@Bogdan107
Author

Bogdan107 commented Jun 26, 2022

The problem is: I use "Makefile.opensnitch", but it must be "Makefile".
While I use "make -f Makefile.opensnitch", the other bpf tools use "Makefile".

When I rename it to Makefile, the compilation succeeds.

I wrote an ebuild to automatically build the ebpf_prog module of opensnitch on Gentoo.
This ebuild uses hardcoded things, like the kernel version 5.18.6. So it is a solution for my special case, but it works!

Contents of the file /usr/local/portage/app-admin/opensnitch-module/opensnitch-module-9999.ebuild:

# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7

DESCRIPTION="eBPF module for opensnitch - Desktop application firewall"
HOMEPAGE="https://github.com/evilsocket/opensnitch"

KVER=5.18.6
S="${WORKDIR}/linux-${KVER}"

SRC_URI="https://www.kernel.org/pub/linux/kernel/v5.x/linux-${KVER}.tar.xz -> kernel-${KVER}.tar.xz"

inherit linux-info

if [[ ${PV} == *9999 ]]; then
	inherit git-r3
	EGIT_REPO_URI="https://github.com/evilsocket/opensnitch.git"
	RDEPEND="app-admin/opensnitch"
	S_SNITCH="${WORKDIR}/${P}"
else
	SRC_URI="${SRC_URI} mirror://github/evilsocket/opensnitch-${PV}.tar.gz -> opensnitch-${PV}.tar.gz"
	KEYWORDS="~amd64 ~x86"
	RDEPEND=">=app-admin/opensnitch-${PV}"
	S_SNITCH="${WORKDIR}/opensnitch-${PV}"
fi

LICENSE="GPL-2"
SLOT="0"
IUSE=""
RESTRICT="mirror"

#DEPEND="${RDEPEND}"

src_unpack() {
	if [[ "${PV}" == 9999 ]]; then
		git-r3_src_unpack
	fi

	default
}

src_prepare() {
	# Copy source files of ebpf_prog:
	pushd "${S_SNITCH}"/ebpf_prog/ >/dev/null || die
		cp --force Makefile "${S}"/samples/bpf/
		for i in $(find . -type f -name "*.c"); do
			cp "$i" "${S}"/samples/bpf/
		done
	popd >/dev/null || die

	# Patch the kernel:
	patch tools/lib/bpf/bpf_helpers.h "${S_SNITCH}"/ebpf_prog/file.patch

	default
}

src_configure() {
	# Avoid an error: "Makefile:621: arch/amd64/Makefile: No such file or directory"
	# Require "inherit linux-info"
	set_arch_to_kernel
}

src_compile() {
	export CC

	# Prepare kernel:
	emake oldconfig

	# Enable kernel options:
	# Unquoted list, so that each option is passed to scripts/config separately:
	for opt in \
		CONFIG_CGROUP_BPF \
		CONFIG_BPF \
		CONFIG_BPF_SYSCALL \
		CONFIG_BPF_EVENTS \
		CONFIG_KPROBES \
		CONFIG_KPROBE_EVENTS \
		CONFIG_FTRACE \
		CONFIG_DEBUG_INFO \
		CONFIG_DEBUG_INFO_DWARF5 \
		CONFIG_BPF_SYSCALL \
		CONFIG_DEBUG_INFO_BTF \
		CONFIG_DEBUG_INFO_REDUCED
	do
		/bin/sh scripts/config --enable "${opt}"
	done

	# Prepare kernel sources:
	emake prepare && emake headers_install

	# Build opensnitch module:
	pushd samples/bpf >/dev/null || die
	    emake || die
	    [ ! -f opensnitch.o ] && die
	    objdump -h opensnitch.o
	    llvm-strip -g opensnitch.o
	popd >/dev/null || die
}

src_install(){
	insinto /etc/opensnitchd/
	doins samples/bpf/*.o
}

@gustavo-iniguez-goya
Collaborator

super cool @Bogdan107! 🎉

I remember that another user created a .ebuild file to build the app, maybe you could join forces to help each other.

@Bogdan107
Author

Bogdan107 commented Jun 27, 2022

> super cool @Bogdan107! 🎉
>
> I remember that another user created a .ebuild file to build the app, maybe you could join forces to help each other.

I think that a stronger way to build the module with an ebuild is to use the eclass "linux-mod". This way, the ebuild automatically uses the currently active kernel source tree installed in the system, with all Gentoo patches, without the need to customize things like the kernel version and SRC_URI, as in my version.
But I failed to build that variant of the ebuild after some hours of trying. The main problem is the data in the Makefile.

My ebuild can be used as the -9999 version, that is, the latest one present in git. So this variant may satisfy most of my needs for automating the compilation of the ebpf_prog module.

The results of my attempts to build ebpf_prog as a kernel module:

A successful build of the ebpf_prog module in the portage system as a kernel module is possible only if the Makefile is changed.

There is no reason to play with the ebuild while I can't do this:

# Get sources:
git clone https://github.com/evilsocket/opensnitch
cd opensnitch/ebpf_prog

# Prepare kernel tree:
# Copy the directories containing the files that must be changed:
mkdir bpf_tools    && cp -r /usr/src/$(uname -r)/tools/lib/bpf/  $(pwd)/bpf_tools/
mkdir bpf_examples && cp -r /usr/src/$(uname -r)/examples/bpf/   $(pwd)/bpf_examples/
# Patch sources:
patch bpf_tools/bpf_helpers.h < file.patch
# Patch the Makefiles under the ./bpf_tools and ./bpf_examples directories:
# <do something to allow building the tools and examples without the hard linking to relative paths,
# which works inside the kernel tree, but doesn't work if the tools/examples directories
# were moved to another place>

# Build module:
make -j$(nproc) \
    KERNEL_DIR=/usr/src/$(uname -r) \
    BPF_TOOLS_PATH=bpf_tools \
    BPF_EXAMPLES_PATH=bpf_examples \
    CC=/usr/bin/x86_64-pc-linux-gnu-gcc

# Install module:
for i in *.o; do cp "$i" /etc/opensnitchd/; done

Most desired changes in the Makefile:

  • produce all build files under the current dir;
  • do not write any files into the kernel dir;
  • the only change in the kernel tree is the patch for the tools/lib/bpf/bpf_helpers.h file.
