From 71b44e25843fcb5e2d146282af76850a2cc38095 Mon Sep 17 00:00:00 2001
From: CFC4N
Date: Sun, 25 Aug 2024 12:07:36 +0800
Subject: [PATCH] kern: support uid/pid filter in ebpf TC hook.

remove uid/pid filter in kprobe/tcp_sendmsg. tcp_sendmsg hook all processes are monitored, so there is no need to filter pid and uid, otherwise pid\uid cannot be used in the TC capture_packets function to filter network packets

Signed-off-by: CFC4N
---
 kern/mysqld_kern.c | 22 +++++++++++++++++-
 kern/postgres_kern.c | 6 ++++-
 kern/tc.h | 37 ++++++++++++++++++++-----------
 user/module/probe_openssl_pcap.go | 2 +-
 4 files changed, 51 insertions(+), 16 deletions(-)

diff --git a/kern/mysqld_kern.c b/kern/mysqld_kern.c
index a11bf13bf..1a5d8959d 100644
--- a/kern/mysqld_kern.c
+++ b/kern/mysqld_kern.c
@@ -63,12 +63,17 @@ int mysql56_query(struct pt_regs *ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
+ u64 current_uid_gid = bpf_get_current_uid_gid();
+ u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
 if (target_pid != 0 && target_pid != pid) {
 return 0;
 }
+ if (target_uid != 0 && target_uid != uid) {
+ return 0;
+ }
 #endif
 u64 len = (u64)PT_REGS_PARM4(ctx);
@@ -111,12 +116,17 @@ int mysql56_query_return(struct pt_regs *ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
+ u64 current_uid_gid = bpf_get_current_uid_gid();
+ u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
 if (target_pid != 0 && target_pid != pid) {
 return 0;
 }
+ if (target_uid != 0 && target_uid != uid) {
+ return 0;
+ }
 #endif
 s8 command_return = (u64)PT_REGS_RC(ctx);
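Review bot: The uid gate added after the pid check in mysql56_query treats 0 as "no filter", but unlike pid 0, uid 0 is a real user (root), so a capture can never be narrowed to root-owned sessions alone; the same sentinel is repeated in mysql56_query_return, mysql57_query, mysql57_query_return and postgres_query. If that is intended, say so where the check lives, e.g. `// target_pid/target_uid == 0 disables that filter; root (uid 0) cannot be selected on its own`, replacing the now-stale `// if target_ppid is 0 then we target all pids`. The identical two-check block is now copy-pasted into all five probes (and mirrored in capture_packets in tc.h), so hoisting it into one `static __always_inline` helper in a header both files include would keep the sentinel semantics and the `KERNEL_LESS_5_2` guard in a single place. `u32 uid = current_uid_gid;` also relies on implicit narrowing; an explicit `(u32)` cast makes the low-32-bits intent visible. Each probe's body continues past its hunk.
```c
// Shared pid/uid gate for the query probes. 0 means "no filter" for both
// fields; note uid 0 (root) therefore cannot be selected explicitly.
// Returns true when the current task must be skipped.
static __always_inline bool skip_by_pid_uid(void) {
#ifndef KERNEL_LESS_5_2
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    u32 uid = (u32)bpf_get_current_uid_gid();
    if (target_pid != 0 && target_pid != pid) {
        return true;
    }
    if (target_uid != 0 && target_uid != uid) {
        return true;
    }
#endif
    return false;
}
// … unchanged: each probe then does `if (skip_by_pid_uid()) { return 0; }` …
```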
@@ -184,12 +194,16 @@ int mysql57_query(struct pt_regs *ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
-
+ u64 current_uid_gid = bpf_get_current_uid_gid();
+ u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
 if (target_pid != 0 && target_pid != pid) {
 return 0;
 }
+ if (target_uid != 0 && target_uid != uid) {
+ return 0;
+ }
 #endif
 u64 len = 0;
@@ -223,12 +237,18 @@ SEC("uretprobe/dispatch_command_57")
 int mysql57_query_return(struct pt_regs *ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
+ u64 current_uid_gid = bpf_get_current_uid_gid();
+ u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
 if (target_pid != 0 && target_pid != pid) {
 return 0;
 }
+
+ if (target_uid != 0 && target_uid != uid) {
+ return 0;
+ }
 #endif
 u8 command_return = (u64)PT_REGS_RC(ctx);
diff --git a/kern/postgres_kern.c b/kern/postgres_kern.c
index 64f1a6137..a6424d479 100644
--- a/kern/postgres_kern.c
+++ b/kern/postgres_kern.c
@@ -36,12 +36,16 @@ SEC("uprobe/exec_simple_query")
 int postgres_query(struct pt_regs *ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
-
+ u64 current_uid_gid = bpf_get_current_uid_gid();
+ u32 uid = current_uid_gid;
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
 if (target_pid != 0 && target_pid != pid) {
 return 0;
 }
+ if (target_uid != 0 && target_uid != uid) {
+ return 0;
+ }
 #endif
 struct data_t data = {};
diff --git a/kern/tc.h b/kern/tc.h
index c5275035e..b860e1a71 100644
--- a/kern/tc.h
+++ b/kern/tc.h
@@ -43,6 +43,7 @@ struct net_id_t {
 struct net_ctx_t {
 u32 pid;
+ u32 uid;
 char comm[TASK_COMM_LEN];
 // u8 cmdline[PATH_MAX_LEN];
 };
@@ -236,18 +237,22 @@ static __always_inline int capture_packets(struct __sk_buff *skb, bool is_ingres
 // new packet event
 struct skb_data_event_t event = {0};
-// struct skb_data_event_t *event = make_skb_data_event();
-// if (event == NULL) {
-// return TC_ACT_OK;
-// }
+
 if (net_ctx != NULL) {
+ // pid uid filter
+#ifndef KERNEL_LESS_5_2
+ if (target_pid != 0 && target_pid != net_ctx->pid) {
+ return TC_ACT_OK;
+ }
+ if (target_uid != 0 && target_uid != net_ctx->uid) {
+ return TC_ACT_OK;
+ }
+#endif
 event.pid = net_ctx->pid;
 __builtin_memcpy(event.comm, net_ctx->comm, TASK_COMM_LEN);
-// __builtin_memcpy(event.cmdline, net_ctx->cmdline, PATH_MAX_LEN);
 debug_bpf_printk("capture packet process found, pid: %d, comm :%s\n", event.pid, event.comm);
- } else {
- debug_bpf_printk("capture packet process not found, src_port:%d, dst_port:%d\n", conn_id.src_port, conn_id.dst_port);
 }
+
 event.ts = bpf_ktime_get_ns();
 event.len = skb->len;
 event.ifindex = skb->ifindex;
@@ -285,12 +290,17 @@ int ingress_cls_func(struct __sk_buff *skb) {
 SEC("kprobe/tcp_sendmsg")
 int tcp_sendmsg(struct pt_regs *ctx){
 u32 pid = bpf_get_current_pid_tgid() >> 32;
-// 仅对指定PID的进程发起的connect事件进行捕获
-#ifndef KERNEL_LESS_5_2
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
-#endif
+ u64 current_uid_gid = bpf_get_current_uid_gid();
+ u32 uid = current_uid_gid;
+// 这里需要对所有的进程进行监控,所以不需要对pid和uid进行过滤,否则在TC capture_packets函数里无法使用pid\uid过滤网络包
+//#ifndef KERNEL_LESS_5_2
+// if (target_pid != 0 && target_pid != pid) {
+// return 0;
+// }
+// if (target_uid != 0 && target_uid != uid) {
+// return 0;
+// }
+//#endif
 struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
 if (sk == NULL) {
 return 0;
@@ -328,6 +338,7 @@ int tcp_sendmsg(struct pt_regs *ctx){
 struct net_ctx_t net_ctx;
 net_ctx.pid = pid;
+ net_ctx.uid = uid;
 bpf_get_current_comm(&net_ctx.comm, sizeof(net_ctx.comm));
 debug_bpf_printk("tcp_sendmsg pid : %d, comm :%s\n", net_ctx.pid, net_ctx.comm);
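Review bot: The new pid/uid gate in capture_packets runs only inside `if (net_ctx != NULL)`, so a packet whose connection is not found by the lookup falls through and is still emitted (with pid 0) even when target_pid or target_uid is set; the filter therefore excludes only packets that were attributed to a process, which is probably not what a user who configured a pid or uid filter expects. If unattributed traffic should be dropped whenever a filter is active, add an else branch under the same `KERNEL_LESS_5_2` guard: `} else if (target_pid != 0 || target_uid != 0) {` / `return TC_ACT_OK;` / `}`. Either way a one-line comment stating the chosen policy belongs next to the check, e.g. `// unattributed packets intentionally bypass the pid/uid filter` if the current behaviour is deliberate. The net_ctx lookup happens before this hunk and capture_packets continues after it.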
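Review bot: With the early return removed, tcp_sendmsg now stores a net_ctx entry for every sending process on the host instead of only the targeted one, so the map capture_packets reads from is populated by all TCP traffic; unless that map is LRU-typed or sized for the whole host, entries for the targeted process can be refused or evicted once untargeted processes fill it (the map definition is outside this hunk, so this is inferred). That trade-off deserves an English comment at the top of the function, matching the rest of the file, e.g. `// No pid/uid filtering here on purpose: every sendmsg must populate the context map so capture_packets can apply target_pid/target_uid.`, in place of the eleven commented-out lines, which should be deleted rather than kept as dead text. `u32 uid = current_uid_gid;` can become `u32 uid = (u32)bpf_get_current_uid_gid();` so the truncation to the uid half is visibly deliberate. tcp_sendmsg continues past the end of this hunk.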
diff --git a/user/module/probe_openssl_pcap.go b/user/module/probe_openssl_pcap.go
index 88b9cdfda..799d59033 100644
--- a/user/module/probe_openssl_pcap.go
+++ b/user/module/probe_openssl_pcap.go
@@ -76,7 +76,7 @@ func (m *MOpenSSLProbe) setupManagersPcap() error {
 pcapFilter := m.conf.(*config.OpensslConfig).PcapFilter
 m.logger.Info().Str("binrayPath", binaryPath).Str("IFname", m.ifName).Int("IFindex", m.ifIdex).
- Str("PcapFilter", pcapFilter).Uint8("ElfType", m.conf.(*config.OpensslConfig).ElfType).Msg("HOOK type:Golang elf")
+ Str("PcapFilter", pcapFilter).Uint8("ElfType", m.conf.(*config.OpensslConfig).ElfType).Msg("HOOK type:Openssl elf")
 m.logger.Info().Strs("Functions", m.masterHookFuncs).Msg("Hook masterKey function")
 // create pcapng writer