Events: tty_write: properly filter non-echo mode (#147)

mmat11 · web-flow · commit cac3ca46fe06 · 2022-09-26T05:44:12.000-04:00
diff --git a/GPL/Events/EbpfEventProto.h b/GPL/Events/EbpfEventProto.h
@@ -161,11 +161,7 @@ struct ebpf_process_tty_write_event {
     struct ebpf_tty_dev ctty;
     // Destination TTY.
     struct ebpf_tty_dev tty;
-    // The function is not called from
-    // the syscall but from the driver.
-    // If driver is true, events can be dropped
-    // based on terminal flags.
-    bool driver;
+    char comm[TASK_COMM_LEN];
 } __attribute__((packed));
 
 struct ebpf_process_setgid_event {
diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
@@ -125,7 +125,6 @@ const volatile int consumer_pid = 0;
 #define PTY_TYPE_MASTER 0x0001
 
 // From include/uapi/asm-generic/termbits.h
-#define ICANON 0x00002
 #define ECHO 0x00008
 
 static bool IS_ERR_OR_NULL(const void *ptr)
diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
@@ -15,7 +15,6 @@
 
 #include "Helpers.h"
 #include "PathResolver.h"
-#include "State.h"
 
 /* tty_write */
 DECL_FUNC_ARG(redirected_tty_write, iter);
@@ -244,19 +243,16 @@ int BPF_KPROBE(kprobe__commit_creds, struct cred *new)
 
 static int tty_write__enter(const char *buf, ssize_t count, struct file *f)
 {
-    bool driver                     = false;
-    struct ebpf_events_state *state = ebpf_events_state__get(EBPF_EVENTS_STATE_TTY_WRITE);
-    if (state) {
-        ebpf_events_state__del(EBPF_EVENTS_STATE_TTY_WRITE);
-        driver = true;
-    }
-
     if (is_consumer())
         goto out;
 
     if (count <= 0)
         goto out;
 
+    struct ebpf_process_tty_write_event *event = bpf_ringbuf_reserve(&ringbuf, sizeof(*event), 0);
+    if (!event)
+        goto out;
+
     struct tty_file_private *tfp = (struct tty_file_private *)BPF_CORE_READ(f, private_data);
     struct tty_struct *tty       = BPF_CORE_READ(tfp, tty);
 
@@ -265,41 +261,43 @@ static int tty_write__enter(const char *buf, ssize_t count, struct file *f)
     // @link: link to another pty (master -> slave and vice versa)
     //
     // https://elixir.bootlin.com/linux/v5.19.9/source/drivers/tty/tty_io.c#L2643
+    bool is_master             = false;
+    struct ebpf_tty_dev master = {};
     if (BPF_CORE_READ(tty, driver, type) == TTY_DRIVER_TYPE_PTY &&
         BPF_CORE_READ(tty, driver, subtype) == PTY_TYPE_MASTER) {
-        tty = BPF_CORE_READ(tty, link);
+        struct tty_struct *tmp = BPF_CORE_READ(tty, link);
+        ebpf_tty_dev__fill(&master, tty);
+        ebpf_tty_dev__fill(&event->tty, tmp);
+        is_master = true;
+    } else {
+        ebpf_tty_dev__fill(&event->tty, tty);
     }
 
-    struct ebpf_process_tty_write_event *event = bpf_ringbuf_reserve(&ringbuf, sizeof(*event), 0);
-    if (!event)
-        goto out;
-
     event->hdr.type = EBPF_EVENT_PROCESS_TTY_WRITE;
     event->hdr.ts   = bpf_ktime_get_ns();
 
     u64 len                  = count > TTY_OUT_MAX ? TTY_OUT_MAX : count;
     event->tty_out_len       = len;
     event->tty_out_truncated = count > TTY_OUT_MAX ? count - TTY_OUT_MAX : 0;
-    event->driver            = driver;
 
     const struct task_struct *task = (struct task_struct *)bpf_get_current_task();
     ebpf_pid_info__fill(&event->pids, task);
     ebpf_ctty__fill(&event->ctty, task);
-    ebpf_tty_dev__fill(&event->tty, tty);
+    bpf_get_current_comm(event->comm, TASK_COMM_LEN);
 
-    if (event->driver && (event->tty.termios.c_lflag & ICANON) &&
-        !(event->tty.termios.c_lflag & ECHO)) {
+    if (event->tty.major == 0 && event->tty.minor == 0) {
         bpf_ringbuf_discard(event, 0);
         goto out;
     }
 
-    if (event->tty.major == 0 && event->tty.minor == 0) {
+    if (bpf_probe_read_user(event->tty_out, len, (void *)buf)) {
+        bpf_printk("tty_write__enter: error reading buf\n");
         bpf_ringbuf_discard(event, 0);
         goto out;
     }
 
-    if (bpf_probe_read_user(event->tty_out, len, (void *)buf)) {
-        bpf_printk("tty_write__enter: error reading buf\n");
+    if ((is_master && !(master.termios.c_lflag & ECHO)) && !(event->tty.termios.c_lflag & ECHO)) {
+        bpf_printk("tty_write__enter: discarding %s\n", event->tty_out);
         bpf_ringbuf_discard(event, 0);
         goto out;
     }
@@ -370,22 +368,3 @@ int BPF_KPROBE(kprobe__tty_write)
 out:
     return 0;
 }
-
-static int n_tty_write__enter()
-{
-    struct ebpf_events_state state = {.tty_write = {}};
-    ebpf_events_state__set(EBPF_EVENTS_STATE_TTY_WRITE, &state);
-    return 0;
-}
-
-SEC("fentry/n_tty_write")
-int BPF_PROG(fentry__n_tty_write)
-{
-    return n_tty_write__enter();
-}
-
-SEC("kprobe/n_tty_write")
-int BPF_KPROBE(kprobe__n_tty_write)
-{
-    return n_tty_write__enter();
-}
diff --git a/GPL/Events/State.h b/GPL/Events/State.h
@@ -16,7 +16,6 @@ enum ebpf_events_state_op {
     EBPF_EVENTS_STATE_RENAME         = 2,
     EBPF_EVENTS_STATE_TCP_V4_CONNECT = 3,
     EBPF_EVENTS_STATE_TCP_V6_CONNECT = 4,
-    EBPF_EVENTS_STATE_TTY_WRITE      = 5,
 };
 
 struct ebpf_events_key {
@@ -51,18 +50,12 @@ struct ebpf_events_tcp_connect_state {
     struct sock *sk;
 };
 
-// Store nothing, this state will be used to filter by
-// execution context.
-struct ebpf_events_tty_write_state {
-};
-
 struct ebpf_events_state {
     union {
         struct ebpf_events_unlink_state unlink;
         struct ebpf_events_rename_state rename;
         struct ebpf_events_tcp_connect_state tcp_v4_connect;
         struct ebpf_events_tcp_connect_state tcp_v6_connect;
-        struct ebpf_events_tty_write_state tty_write;
     };
 };
 
diff --git a/non-GPL/Events/EventsTrace/EventsTrace.c b/non-GPL/Events/EventsTrace/EventsTrace.c
@@ -18,6 +18,7 @@
 #include <sys/time.h>
 
 #include <arpa/inet.h>
+#include <linux/termios.h>
 #include <netinet/in.h>
 
 #include <EbpfEvents.h>
@@ -217,11 +218,6 @@ static void out_int(const char *name, const long value)
     printf("\"%s\":%ld", name, value);
 }
 
-static void out_hex(const char *name, const unsigned int value)
-{
-    printf("\"%s\":\"0x%x\"", name, value);
-}
-
 static void out_bool(const char *name, const bool value)
 {
     printf("\"%s\":\"%s\"", name, value ? "TRUE" : "FALSE");
@@ -274,13 +270,7 @@ static void out_tty_dev(const char *name, struct ebpf_tty_dev *tty_dev)
     out_comma();
     out_int("winsize_cols", tty_dev->winsize.cols);
     out_comma();
-    out_hex("termios_c_iflag", tty_dev->termios.c_iflag);
-    out_comma();
-    out_hex("termios_c_oflag", tty_dev->termios.c_oflag);
-    out_comma();
-    out_hex("termios_c_lflag", tty_dev->termios.c_lflag);
-    out_comma();
-    out_hex("termios_c_cflag", tty_dev->termios.c_cflag);
+    out_bool("ECHO", tty_dev->termios.c_lflag & ECHO);
 
     out_object_end();
 }
@@ -513,13 +503,11 @@ static void out_process_tty_write(struct ebpf_process_tty_write_event *evt)
     out_comma();
     out_uint("tty_out_truncated", evt->tty_out_truncated);
     out_comma();
-    out_tty_dev("ctty", &evt->ctty);
-    out_comma();
     out_tty_dev("tty", &evt->tty);
     out_comma();
     out_string("tty_out", evt->tty_out);
     out_comma();
-    out_bool("driver", evt->driver);
+    out_string("comm", (const char *)&evt->comm);
 
     out_object_end();
     out_newline();
diff --git a/non-GPL/Events/Lib/EbpfEvents.c b/non-GPL/Events/Lib/EbpfEvents.c
@@ -248,12 +248,6 @@ static inline int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj
         err = err ?: bpf_program__set_autoload(obj->progs.fentry__tty_write, false);
     }
 
-    if (has_bpf_tramp && BTF_FUNC_EXISTS(btf, n_tty_write)) {
-        err = err ?: bpf_program__set_autoload(obj->progs.kprobe__n_tty_write, false);
-    } else {
-        err = err ?: bpf_program__set_autoload(obj->progs.fentry__n_tty_write, false);
-    }
-
     // bpf trampolines are only implemented for x86. disable auto-loading of all
     // fentry/fexit progs if EBPF_FEATURE_BPF_TRAMP is not in `features` and
     // enable the k[ret]probe counterpart.
diff --git a/testing/testrunner/tests.go b/testing/testrunner/tests.go
@@ -381,11 +381,6 @@ func TestTtyWrite(et *EventsTraceInstance) {
 	AssertInt64Equal(ev.TtyDev.Major, 4)
 	AssertInt64Equal(ev.TtyDev.WinsizeRows, 0)
 	AssertInt64Equal(ev.TtyDev.WinsizeCols, 0)
-	AssertTrue(ev.TtyDev.Termios_C_Iflag != "")
-	AssertTrue(ev.TtyDev.Termios_C_Oflag != "")
-	AssertTrue(ev.TtyDev.Termios_C_Lflag != "")
-	AssertTrue(ev.TtyDev.Termios_C_Cflag != "")
-	AssertStringsEqual(ev.Driver, "FALSE")
 }
 
 func TestTcpv4ConnectionAttempt(et *EventsTraceInstance) {
diff --git a/testing/testrunner/utils.go b/testing/testrunner/utils.go
@@ -133,7 +133,6 @@ type TtyWriteEvent struct {
 	Truncated int64      `json:"tty_out_truncated"`
 	Out       string     `json:"tty_out"`
 	TtyDev    ttyDevInfo `json:"tty"`
-	Driver    string     `json:"driver"`
 }
 
 type NetConnAttemptEvent struct {

Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,6 @@ type TtyWriteEvent struct {`
`133`	`133`	Truncated int64 `json:"tty_out_truncated"`
`134`	`134`	Out string `json:"tty_out"`
`135`	`135`	TtyDev ttyDevInfo `json:"tty"`
`136`		- Driver string `json:"driver"`
`137`	`136`	`}`
`138`	`137`
`139`	`138`	`type NetConnAttemptEvent struct {`