cleanup

Author: fearful-symmetry

GPL/Events/Helpers.h

@@ -368,8 +368,6 @@ static int get_iovec_nr_segs_or_max(struct iov_iter *from)
 }
 
 struct udp_ctx {
-    // struct sock *sk;
-    // struct msghdr *hdr;
     struct sk_buff *skb;
 } __attribute__((packed));
 

GPL/Events/Network/Probe.bpf.c

@@ -20,110 +20,6 @@
 
 DECL_FUNC_RET(inet_csk_accept);
 
-static int sock_dns_event_handle(struct sock *sk,
-                                 struct msghdr *msg,
-                                 enum ebpf_event_type evt_type,
-                                 size_t size)
-{
-    if (!sk) {
-        return 0;
-    }
-
-    if (ebpf_events_is_trusted_pid())
-        return 0;
-
-    struct ebpf_dns_event *event = bpf_ringbuf_reserve(&ringbuf, sizeof(*event), 0);
-    if (!event)
-        return 0;
-
-    // fill in socket and process metadata
-    if (ebpf_sock_info__fill(&event->net, sk)) {
-        goto out;
-    }
-
-    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
-    ebpf_pid_info__fill(&event->pids, task);
-    bpf_get_current_comm(event->comm, TASK_COMM_LEN);
-    event->hdr.ts = bpf_ktime_get_ns();
-
-    // filter out non-dns packets
-    if (event->net.dport != 53 && event->net.sport != 53) {
-        goto out;
-    }
-
-    // deal with the iovec_iter type
-    // newer kernels added a ubuf type to the iov_iter union,
-    // which post-dates our vmlinux, but also they added ITER_UBUF as the
-    // first value in the iter_type enum, which makes checking it a tad hard.
-    // In theory we should be able to read from both types as long as we're careful
-
-    struct iov_iter *from = &msg->msg_iter;
-
-    u64 nr_segs    = get_iovec_nr_segs_or_max(from);
-    u64 iovec_size = BPF_CORE_READ(from, count);
-
-    const struct iovec *iov;
-    if (FIELD_OFFSET(iov_iter, __iov))
-        iov = (const struct iovec *)((char *)from + FIELD_OFFSET(iov_iter, __iov));
-    else if (bpf_core_field_exists(from->iov))
-        iov = BPF_CORE_READ(from, iov);
-    else {
-        bpf_printk("unknown offset in iovec structure, bug?");
-        goto out;
-    }
-
-    if (nr_segs == 1) {
-        // actually read in raw packet data
-        // use the retvalue of recvmsg/the count value of sendmsg instead of the the iovec count.
-        // The count of the iovec in udp_recvmsg is the size of the buffer, not the size of the
-        // bytes read.
-        void *base         = BPF_CORE_READ(iov, iov_base);
-        event->pkts[0].len = size;
-        // make verifier happy, we can't have an out-of-bounds write
-        if (size > MAX_DNS_PACKET) {
-            bpf_printk("size of packet (%d) exceeds max packet size (%d), skipping", size,
-                       MAX_DNS_PACKET);
-            goto out;
-        }
-        // TODO: This will fail on recvmsg calls where the peek flag has been set.
-        // Changes to the udp_recvmsg function call in 5.18 make it a bit annoying to get the
-        // flags argument portably. So let it fail instead of manually skipping peek calls.
-        long readok = bpf_probe_read(event->pkts[0].pkt, size, base);
-        if (readok != 0) {
-            bpf_printk("invalid read from iovec structure: %d", readok);
-            goto out;
-        }
-    } else {
-        // we have multiple segments.
-        // Can't rely on the size value from the function, revert to the iovec size to read into the
-        // buffer
-        // In practice, I haven't seen a DNS packet with more than one iovec segment;
-        // the size of UDP DNS packet is limited to 512 bytes, so not sure if this is possible?
-        for (int seg = 0; seg < nr_segs; seg++) {
-            if (seg >= MAX_NR_SEGS)
-                goto out;
-
-            struct iovec *cur_iov = (struct iovec *)&iov[seg];
-            void *base            = BPF_CORE_READ(cur_iov, iov_base);
-            size_t bufsize        = BPF_CORE_READ(cur_iov, iov_len);
-            event->pkts[seg].len  = bufsize;
-            if (bufsize > sizeof(event->pkts[seg].pkt)) {
-                goto out;
-            }
-            bpf_probe_read(event->pkts[seg].pkt, bufsize, base);
-        }
-    }
-
-    event->hdr.type = EBPF_EVENT_NETWORK_DNS_PKT;
-    event->udp_evt  = evt_type;
-    bpf_ringbuf_submit(event, 0);
-    return 0;
-
-out:
-    bpf_ringbuf_discard(event, 0);
-    return 0;
-}
-
 static int sock_object_handle(struct sock *sk, enum ebpf_event_type evt_type)
 {
     if (!sk)
@@ -148,9 +44,7 @@ static int sock_object_handle(struct sock *sk, enum ebpf_event_type evt_type)
 }
 
 /*
-=============================== TEST CODE ===============================
-
-Testing alternate code. This section will not be merged, or will be cleaned up.
+=============================== DNS probes ===============================
 */
 
 static int handle_consume(struct sk_buff *skb, int len, enum ebpf_event_type evt_type)
@@ -302,65 +196,6 @@ int BPF_KRETPROBE(kretprobe__skb_consume_udp, int ret)
     return handle_consume(kctx.skb, ret, EBPF_EVENT_NETWORK_UDP_RECVMSG);
 }
 
-/*
-=============================== DNS probes ===============================
-*/
-
-SEC("kprobe/udp_sendmsg")
-int BPF_KPROBE(kprobe__udp_sendmsg, struct sock *sk, struct msghdr *msg, size_t size)
-{
-    return sock_dns_event_handle(sk, msg, EBPF_EVENT_NETWORK_UDP_SENDMSG, size);
-}
-
-// We can't get the arguments from a kretprobe, so instead save off the pointer in
-// in the kprobe, then fetch the pointer from a context map in the kretprobe
-
-// SEC("kprobe/udp_recvmsg")
-// int BPF_KPROBE(kprobe__udp_recvmsg, struct sock *sk, struct msghdr *msg)
-// {
-//     struct udp_ctx kctx;
-
-//     // I suspect that using the PID_TID isn't the most reliable way to map the sockets/iters
-//     // not sure what else we could use that's accessable from the kretprobe, though.
-//     u64 pid_tid = bpf_get_current_pid_tgid();
-
-//     long iter_err = bpf_probe_read(&kctx.hdr, sizeof(kctx.hdr), &msg);
-//     if (iter_err != 0) {
-//         bpf_printk("error reading msg_iter in udp_recvmsg: %d", iter_err);
-//         return 0;
-//     }
-
-//     long sk_err = bpf_probe_read(&kctx.sk, sizeof(kctx.sk), &sk);
-//     if (sk_err != 0) {
-//         bpf_printk("error reading msg_iter in udp_recvmsg: %d", sk_err);
-//         return 0;
-//     }
-
-//     long update_err = bpf_map_update_elem(&pkt_ctx, &pid_tid, &kctx, BPF_ANY);
-//     if (update_err != 0) {
-//         bpf_printk("error updating context map in udp_recvmsg: %d", update_err);
-//         return 0;
-//     }
-
-//     return 0;
-// }
-
-// SEC("kretprobe/udp_recvmsg")
-// int BPF_KRETPROBE(kretprobe__udp_recvmsg, int ret)
-// {
-
-//     u64 pid_tid = bpf_get_current_pid_tgid();
-//     void *vctx  = bpf_map_lookup_elem(&pkt_ctx, &pid_tid);
-
-//     struct udp_ctx kctx;
-//     long read_err = bpf_probe_read(&kctx, sizeof(kctx), vctx);
-//     if (read_err != 0) {
-//         bpf_printk("error reading back context in udp_recvmsg: %d", read_err);
-//     }
-
-//     return sock_dns_event_handle(kctx.sk, kctx.hdr, EBPF_EVENT_NETWORK_UDP_RECVMSG, ret);
-// }
-
 /*
 =============================== TCP probes ===============================
 */