Skip to content

Commit

Permalink
fix: use other hooks to probe 5-tuple
Browse files Browse the repository at this point in the history
`__sys_connect_file` and `do_accept` are not found on v5.4 kernel.

Then, use `inet_stream_connect` and `inet_accept` instead, as they are
found on v4.19 and v5.4 kernels.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
  • Loading branch information
Asphaltt committed Dec 17, 2024
1 parent 5a1549e commit b4bf74d
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 40 deletions.
45 changes: 13 additions & 32 deletions kern/openssl.h
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ struct active_ssl_buf {
};

struct tcp_fd_info {
u64 file;
u64 sock;
int fd;
};

Expand Down Expand Up @@ -474,17 +474,6 @@ static __inline struct tcp_fd_info *lookup_and_delete_fd_info(struct pt_regs *re
return fd_info;
}

static __inline struct sock *tcp_sock_from_file(u64 ptr) {
struct socket *socket;
struct file *file;
struct sock *sk;

file = (struct file *)ptr;
bpf_probe_read_kernel(&socket, sizeof(socket), &file->private_data);
bpf_probe_read_kernel(&sk, sizeof(sk), &socket->sk);
return sk;
}

// libc : int __connect (int fd, __CONST_SOCKADDR_ARG addr, socklen_t len)
// kernel : int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
SEC("kprobe/sys_connect")
Expand All @@ -497,13 +486,13 @@ int probe_connect(struct pt_regs* ctx) {
return 0;
}

SEC("kprobe/__sys_connect_file")
int probe_connect_file(struct pt_regs* ctx) {
SEC("kprobe/inet_stream_connect")
int probe_inet_stream_connect(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;

fd_info = find_fd_info(ctx);
if (fd_info) {
fd_info->file = (u64)(void *) PT_REGS_PARM1(ctx);
fd_info->sock = (u64)(void *) PT_REGS_PARM1(ctx);
}
return 0;
}
Expand All @@ -514,7 +503,6 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid;
u16 address_family = 0;
u16 protocol;
u64 addrs;
u32 ports;

Expand All @@ -533,11 +521,6 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
return 0;
}

bpf_probe_read_kernel(&protocol, sizeof(protocol), &sk->sk_protocol);
if (protocol != IPPROTO_TCP) {
return 0;
}

// if the connection hasn't been established yet, the ports or addrs are 0.
bpf_probe_read_kernel(&addrs, sizeof(addrs), &sk->__sk_common.skc_addrpair);
bpf_probe_read_kernel(&ports, sizeof(ports), &sk->__sk_common.skc_portpair);
Expand Down Expand Up @@ -575,11 +558,13 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
SEC("kretprobe/sys_connect")
int retprobe_connect(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;
struct socket *sock;
struct sock *sk;

fd_info = lookup_and_delete_fd_info(ctx);
if (fd_info) {
sk = tcp_sock_from_file(fd_info->file);
sock = (typeof(sock)) fd_info->sock;
bpf_probe_read_kernel(&sk, sizeof(sk), &sock->sk);
if (sk) {
return kretprobe_connect(ctx, fd_info->fd, sk, true);
}
Expand All @@ -592,26 +577,21 @@ int retprobe_connect(struct pt_regs* ctx) {
#define IS_ERR_VALUE(x) ((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO)
#endif

SEC("kretprobe/do_accept")
int retprobe_do_accept(struct pt_regs* ctx) {
SEC("kprobe/inet_accept")
int probe_inet_accept(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;
struct file *file;

file = (struct file *)PT_REGS_RC(ctx);
if (IS_ERR_VALUE(file)) {
return 0;
}

fd_info = find_fd_info(ctx);
if (fd_info) {
fd_info->file = (u64)file;
fd_info->sock = (u64)(void *) PT_REGS_PARM2(ctx);
}
return 0;
}

SEC("kretprobe/__sys_accept4")
int retprobe_accept4(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;
struct socket *sock;
struct sock *sk;
int fd;

Expand All @@ -622,7 +602,8 @@ int retprobe_accept4(struct pt_regs* ctx) {

fd_info = lookup_and_delete_fd_info(ctx);
if (fd_info) {
sk = tcp_sock_from_file(fd_info->file);
sock = (typeof(sock))(void *) fd_info->sock;
bpf_probe_read_kernel(&sk, sizeof(sk), &sock->sk);
if (sk) {
return kretprobe_connect(ctx, fd, sk, false);
}
Expand Down
16 changes: 8 additions & 8 deletions user/module/probe_openssl_text.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,10 +78,10 @@ func (m *MOpenSSLProbe) setupManagersText() error {
UID: "kprobe_sys_connect",
},
{
Section: "kprobe/__sys_connect_file",
EbpfFuncName: "probe_connect_file",
AttachToFuncName: "__sys_connect_file",
UID: "kprobe_sys_connect_file",
Section: "kprobe/inet_stream_connect",
EbpfFuncName: "probe_inet_stream_connect",
AttachToFuncName: "inet_stream_connect",
UID: "kprobe_sys_inet_stream_connect",
},
{
Section: "kretprobe/sys_connect",
Expand All @@ -96,10 +96,10 @@ func (m *MOpenSSLProbe) setupManagersText() error {
UID: "kprobe_sys_accept4",
},
{
Section: "kretprobe/do_accept",
EbpfFuncName: "retprobe_do_accept",
AttachToFuncName: "do_accept",
UID: "kretprobe_do_accept",
Section: "kprobe/inet_accept",
EbpfFuncName: "probe_inet_accept",
AttachToFuncName: "inet_accept",
UID: "kprobe_inet_accept",
},
{
Section: "kretprobe/__sys_accept4",
Expand Down

0 comments on commit b4bf74d

Please sign in to comment.