kern: support uid/pid filter in ebpf TC hook.

remove uid/pid filter in kprobe/tcp_sendmsg.

tcp_sendmsg hook all processes are monitored, so there is no need to filter pid and uid, otherwise pid\uid cannot be used in the TC capture_packets function to filter network packets

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>

kern/mysqld_kern.c

@@ -63,12 +63,17 @@ int mysql56_query(struct pt_regs *ctx) {
 
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid;
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
 
     u64 len = (u64)PT_REGS_PARM4(ctx);
@@ -111,12 +116,17 @@ int mysql56_query_return(struct pt_regs *ctx) {
 
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid;
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
 
     s8 command_return = (u64)PT_REGS_RC(ctx);
@@ -184,12 +194,16 @@ int mysql57_query(struct pt_regs *ctx) {
 
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
-
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
 
     u64 len = 0;
@@ -223,12 +237,18 @@ SEC("uretprobe/dispatch_command_57")
 int mysql57_query_return(struct pt_regs *ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid;
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
 
     u8 command_return = (u64)PT_REGS_RC(ctx);

kern/postgres_kern.c

@@ -36,12 +36,16 @@ SEC("uprobe/exec_simple_query")
 int postgres_query(struct pt_regs *ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
-
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
 
     struct data_t data = {};

kern/tc.h

@@ -43,6 +43,7 @@ struct net_id_t {
 
 struct net_ctx_t {
     u32 pid;
+    u32 uid;
     char comm[TASK_COMM_LEN];
 //    u8 cmdline[PATH_MAX_LEN];
 };
@@ -236,18 +237,22 @@ static __always_inline int capture_packets(struct __sk_buff *skb, bool is_ingres
 
     // new packet event
     struct skb_data_event_t event = {0};
-//    struct skb_data_event_t *event = make_skb_data_event();
-//    if (event == NULL) {
-//        return TC_ACT_OK;
-//    }
+
     if (net_ctx != NULL) {
+        // pid uid filter
+#ifndef KERNEL_LESS_5_2
+        if (target_pid != 0 && target_pid != net_ctx->pid) {
+            return TC_ACT_OK;
+        }
+        if (target_uid != 0 && target_uid != net_ctx->uid) {
+            return TC_ACT_OK;
+        }
+#endif
         event.pid = net_ctx->pid;
         __builtin_memcpy(event.comm, net_ctx->comm, TASK_COMM_LEN);
-//        __builtin_memcpy(event.cmdline, net_ctx->cmdline, PATH_MAX_LEN);
         debug_bpf_printk("capture packet process found, pid: %d, comm :%s\n", event.pid, event.comm);
-    } else {
-        debug_bpf_printk("capture packet process not found, src_port:%d, dst_port:%d\n", conn_id.src_port, conn_id.dst_port);
     }
+
     event.ts = bpf_ktime_get_ns();
     event.len = skb->len;
     event.ifindex = skb->ifindex;
@@ -285,12 +290,17 @@ int ingress_cls_func(struct __sk_buff *skb) {
 SEC("kprobe/tcp_sendmsg")
 int tcp_sendmsg(struct pt_regs *ctx){
     u32 pid = bpf_get_current_pid_tgid() >> 32;
-// 仅对指定PID的进程发起的connect事件进行捕获
-#ifndef KERNEL_LESS_5_2
-  if (target_pid != 0 && target_pid != pid) {
-      return 0;
-  }
-#endif
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid;
+// 这里需要对所有的进程进行监控，所以不需要对pid和uid进行过滤，否则在TC capture_packets函数里无法使用pid\uid过滤网络包
+//#ifndef KERNEL_LESS_5_2
+//  if (target_pid != 0 && target_pid != pid) {
+//      return 0;
+//  }
+//  if (target_uid != 0 && target_uid != uid) {
+//      return 0;
+//  }
+//#endif
     struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
     if (sk == NULL) {
         return 0;
@@ -328,6 +338,7 @@ int tcp_sendmsg(struct pt_regs *ctx){
 
     struct net_ctx_t net_ctx;
     net_ctx.pid = pid;
+    net_ctx.uid = uid;
     bpf_get_current_comm(&net_ctx.comm, sizeof(net_ctx.comm));
 
     debug_bpf_printk("tcp_sendmsg pid : %d, comm :%s\n", net_ctx.pid, net_ctx.comm);

user/module/probe_openssl_pcap.go

@@ -76,7 +76,7 @@ func (m *MOpenSSLProbe) setupManagersPcap() error {
 
 	pcapFilter := m.conf.(*config.OpensslConfig).PcapFilter
 	m.logger.Info().Str("binrayPath", binaryPath).Str("IFname", m.ifName).Int("IFindex", m.ifIdex).
-		Str("PcapFilter", pcapFilter).Uint8("ElfType", m.conf.(*config.OpensslConfig).ElfType).Msg("HOOK type:Golang elf")
+		Str("PcapFilter", pcapFilter).Uint8("ElfType", m.conf.(*config.OpensslConfig).ElfType).Msg("HOOK type:Openssl elf")
 	m.logger.Info().Strs("Functions", m.masterHookFuncs).Msg("Hook masterKey function")
 
 	// create pcapng writer