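# Packages a CO-RE eBPF process monitor. The BPF object and its skeleton are
# built at package-build time against a vmlinux.h generated from the kernel
# shipped in the build root, so the installed package needs only libbpf.

Name:           process-snoop
Version:        1.0
Release:        1%{?dist}
Summary:        A pure CO-RE eBPF process monitor
License:        GPLv2
Source0:        %{name}-%{version}.tar.gz

# --- BUILD DEPENDENCIES ---
# compilers for C and BPF
BuildRequires:  clang
BuildRequires:  llvm
BuildRequires:  gcc
# tools to generate vmlinux.h and skeleton
BuildRequires:  bpftool
# library headers
BuildRequires:  libbpf-devel
# THE SECRET SAUCE: Provides BTF for the target distro kernel
BuildRequires:  kernel-devel
BuildRequires:  kernel-core

# --- RUNTIME DEPENDENCIES ---
# Notice: NO clang/llvm here! Just the library.
Requires:       libbpf

%description
A demonstration of a Pure CO-RE eBPF tool packaged for Fedora.

%prep
%setup -q

%build
# 1. FIND LOCATIONS dynamically
# Directory containing the vmlinuz file listed by the kernel-core package.
# xargs -r runs dirname only when grep matched something, so an empty result
# reaches the explicit check below instead of failing inside the pipeline.
# NOTE(review): if more than one kernel-core is installed, head -n 1 takes
# whichever rpm lists first, and nothing ties it to the kernel-devel tree
# searched below; confirm the build root holds a single matching pair.
KERNEL_DIR=$(rpm -ql kernel-core | grep '/vmlinuz$' | head -n 1 | xargs -r dirname)

# The extract-vmlinux helper from kernel-devel.
EXTRACT_SCRIPT=$(find /usr/src/kernels -name extract-vmlinux | head -n 1)

if [ -z "$KERNEL_DIR" ] || [ -z "$EXTRACT_SCRIPT" ]; then
    # Diagnostics go to stderr so they are not mixed into captured output.
    echo "Error: Could not locate vmlinuz or extract-vmlinux script" >&2
    exit 1
fi

echo "Using kernel from: $KERNEL_DIR"
echo "Using extract script: $EXTRACT_SCRIPT"

# 2. DECOMPRESS vmlinuz -> vmlinux
# Written to a local file 'vmlinux_local' so no system file is touched.
# The helper path is quoted: it comes from a filesystem search and must be
# executed as one word.
"$EXTRACT_SCRIPT" "$KERNEL_DIR/vmlinuz" > vmlinux_local

# 3. GENERATE HEADER from the uncompressed file
bpftool btf dump file vmlinux_local format c > vmlinux.h

# 4. COMPILE BPF (KERNEL SIDE)
# -g: debug info (needed for BTF)
# -O2: required by verifier
# -target bpf: output BPF bytecode
# NOTE(review): the target architecture define is hard-coded to x86; a build
# on another architecture would need a different define or an ExclusiveArch
# tag. Confirm which architectures this package is meant to build on.
clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -c agent.bpf.c -o agent.bpf.o

# 5. GENERATE SKELETON
bpftool gen skeleton agent.bpf.o > agent.skel.h

# 6. COMPILE LOADER (USER SIDE)
# Built with the distribution's compiler and linker flags so the user-space
# loader receives the same hardening options as other packaged binaries.
# These are host-CPU flags and are deliberately not used for the BPF object.
gcc %{optflags} -Wall main.c -o process-snoop %{build_ldflags} -lbpf -lelf -lz

%install
mkdir -p %{buildroot}%{_bindir}
install -m 755 process-snoop %{buildroot}%{_bindir}/

%files
%{_bindir}/process-snoop
%license LICENSE

%changelog
* Fri Jan 30 2026 FOSDEM Demo - 1.0-1
- Initial CO-RE package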