fix: use other hooks to probe 5-tuple #695

Merged
merged 1 commit into from
Dec 18, 2024
45 changes: 13 additions & 32 deletions kern/openssl.h
Expand Up @@ -66,7 +66,7 @@ struct active_ssl_buf {
};

struct tcp_fd_info {
u64 file;
u64 sock;
int fd;
};

Expand Down Expand Up @@ -474,17 +474,6 @@ static __inline struct tcp_fd_info *lookup_and_delete_fd_info(struct pt_regs *re
return fd_info;
}

static __inline struct sock *tcp_sock_from_file(u64 ptr) {
struct socket *socket;
struct file *file;
struct sock *sk;

file = (struct file *)ptr;
bpf_probe_read_kernel(&socket, sizeof(socket), &file->private_data);
bpf_probe_read_kernel(&sk, sizeof(sk), &socket->sk);
return sk;
}

// libc : int __connect (int fd, __CONST_SOCKADDR_ARG addr, socklen_t len)
// kernel : int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
SEC("kprobe/sys_connect")
Expand All @@ -497,13 +486,13 @@ int probe_connect(struct pt_regs* ctx) {
return 0;
}

SEC("kprobe/__sys_connect_file")
int probe_connect_file(struct pt_regs* ctx) {
SEC("kprobe/inet_stream_connect")
int probe_inet_stream_connect(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;

fd_info = find_fd_info(ctx);
if (fd_info) {
fd_info->file = (u64)(void *) PT_REGS_PARM1(ctx);
fd_info->sock = (u64)(void *) PT_REGS_PARM1(ctx);
}
return 0;
}
Expand All @@ -514,7 +503,6 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid;
u16 address_family = 0;
u16 protocol;
u64 addrs;
u32 ports;

Expand All @@ -533,11 +521,6 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
return 0;
}

bpf_probe_read_kernel(&protocol, sizeof(protocol), &sk->sk_protocol);
if (protocol != IPPROTO_TCP) {
return 0;
}

// if the connection hasn't been established yet, the ports or addrs are 0.
bpf_probe_read_kernel(&addrs, sizeof(addrs), &sk->__sk_common.skc_addrpair);
bpf_probe_read_kernel(&ports, sizeof(ports), &sk->__sk_common.skc_portpair);
Expand Down Expand Up @@ -575,11 +558,13 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
SEC("kretprobe/sys_connect")
int retprobe_connect(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;
struct socket *sock;
struct sock *sk;

fd_info = lookup_and_delete_fd_info(ctx);
if (fd_info) {
sk = tcp_sock_from_file(fd_info->file);
sock = (typeof(sock)) fd_info->sock;
bpf_probe_read_kernel(&sk, sizeof(sk), &sock->sk);
if (sk) {
return kretprobe_connect(ctx, fd_info->fd, sk, true);
}
Expand All @@ -592,26 +577,21 @@ int retprobe_connect(struct pt_regs* ctx) {
#define IS_ERR_VALUE(x) ((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO)
#endif

SEC("kretprobe/do_accept")
int retprobe_do_accept(struct pt_regs* ctx) {
SEC("kprobe/inet_accept")
int probe_inet_accept(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;
struct file *file;

file = (struct file *)PT_REGS_RC(ctx);
if (IS_ERR_VALUE(file)) {
return 0;
}

fd_info = find_fd_info(ctx);
if (fd_info) {
fd_info->file = (u64)file;
fd_info->sock = (u64)(void *) PT_REGS_PARM2(ctx);
}
return 0;
}

SEC("kretprobe/__sys_accept4")
int retprobe_accept4(struct pt_regs* ctx) {
struct tcp_fd_info *fd_info;
struct socket *sock;
struct sock *sk;
int fd;

Expand All @@ -622,7 +602,8 @@ int retprobe_accept4(struct pt_regs* ctx) {

fd_info = lookup_and_delete_fd_info(ctx);
if (fd_info) {
sk = tcp_sock_from_file(fd_info->file);
sock = (typeof(sock))(void *) fd_info->sock;
bpf_probe_read_kernel(&sk, sizeof(sk), &sock->sk);
if (sk) {
return kretprobe_connect(ctx, fd, sk, false);
}
Expand Down
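Review bot: kretprobe_connect no longer checks sk_protocol against IPPROTO_TCP (the hunk at L81–L100 deletes that test), so TCP-only recording now rests entirely on which kernel functions are hooked; to my knowledge inet_stream_connect and inet_accept are also the ops entry points for other inet stream protocols (SCTP at least), so a non-TCP 5-tuple could be reported where the old code would have dropped it — please confirm, or keep the protocol check as a cheap guard. In retprobe_connect and retprobe_accept4 the result of `bpf_probe_read_kernel(&sk, sizeof(sk), &sock->sk)` is discarded and `sock` comes straight from the map without a NULL test; whether `sk` is well-defined after a failed read depends on helper behavior the page does not show, so `if (bpf_probe_read_kernel(&sk, sizeof(sk), &sock->sk) < 0 || !sk) { return 0; }` makes the intent explicit at both sites. The two casts also differ for no reason (`(typeof(sock)) fd_info->sock` vs `(typeof(sock))(void *) fd_info->sock`); pick one form. A one-line comment on `struct tcp_fd_info` saying that `sock` holds the `struct socket *` captured by the inet_stream_connect/inet_accept kprobes would help the next reader, since the field was renamed from `file` but its contents are not documented. The bodies of kretprobe_connect, retprobe_connect and retprobe_accept4 extend outside their hunks.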
16 changes: 8 additions & 8 deletions user/module/probe_openssl_text.go
Expand Up @@ -78,10 +78,10 @@ func (m *MOpenSSLProbe) setupManagersText() error {
UID: "kprobe_sys_connect",
},
{
Section: "kprobe/__sys_connect_file",
EbpfFuncName: "probe_connect_file",
AttachToFuncName: "__sys_connect_file",
UID: "kprobe_sys_connect_file",
Section: "kprobe/inet_stream_connect",
EbpfFuncName: "probe_inet_stream_connect",
AttachToFuncName: "inet_stream_connect",
UID: "kprobe_sys_inet_stream_connect",
},
{
Section: "kretprobe/sys_connect",
Expand All @@ -96,10 +96,10 @@ func (m *MOpenSSLProbe) setupManagersText() error {
UID: "kprobe_sys_accept4",
},
{
Section: "kretprobe/do_accept",
EbpfFuncName: "retprobe_do_accept",
AttachToFuncName: "do_accept",
UID: "kretprobe_do_accept",
Section: "kprobe/inet_accept",
EbpfFuncName: "probe_inet_accept",
AttachToFuncName: "inet_accept",
UID: "kprobe_inet_accept",
},
{
Section: "kretprobe/__sys_accept4",
Expand Down
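Review bot: The new UID `kprobe_sys_inet_stream_connect` keeps the `sys_` infix although inet_stream_connect is not a syscall entry, while the sibling entry a few lines below is named `kprobe_inet_accept` without it; for consistency with the section and attach names I would use `UID: "kprobe_inet_stream_connect",`. If the UID is persisted or matched elsewhere (not visible here), that reference would need the same rename.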