Merge pull request #44 from ehids/mysqld-return-value

ADD mysqld dispatch_command return value.

Makefile

@@ -28,6 +28,7 @@ CMD_GO ?= go
 CMD_GREP ?= grep
 CMD_CAT ?= cat
 CMD_MD5 ?= md5sum
+STYLE    ?= "{BasedOnStyle: Google, IndentWidth: 4}"
 
 .check_%:
 #
@@ -325,3 +326,9 @@ $(KERN_OBJECTS_NOCORE): %.nocore: %.c \
     		-march=bpf \
     		-filetype=obj \
     		-o $(subst kern/,user/bytecode/,$(subst .c,.o,$<))
+
+# Format the code
+format:
+	@echo "  ->  Formatting code"
+	@clang-format -i -style=$(STYLE) kern/*.c
+	@clang-format -i -style=$(STYLE) kern/common.h

kern/bash_kern.c

@@ -1,14 +1,13 @@
-#include "core_type.h"
-#include "common.h"
+#include "ecapture.h"
 
 struct event {
-	u32 pid;
-	u8 line[80];
-	char comm[TASK_COMM_LEN];
+    u32 pid;
+    u8 line[80];
+    char comm[TASK_COMM_LEN];
 };
 
 struct {
-	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 } events SEC(".maps");
 
 // Force emitting struct event into the ELF.
@@ -19,20 +18,21 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
     s64 pid_tgid = bpf_get_current_pid_tgid();
     int pid = pid_tgid >> 32;
 
-    #ifndef KERNEL_LESS_5_2
-        // if target_ppid is 0 then we target all pids
-        if (target_pid != 0 && target_pid != pid) {
-            return 0;
-        }
-    #endif
+#ifndef KERNEL_LESS_5_2
+    // if target_ppid is 0 then we target all pids
+    if (target_pid != 0 && target_pid != pid) {
+        return 0;
+    }
+#endif
 
     struct event event;
     //    bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
     event.pid = pid;
     bpf_probe_read(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx));
 
     bpf_get_current_comm(&event.comm, sizeof(event.comm));
-    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
+                          sizeof(event));
 
     return 0;
 }

kern/common.h

@@ -2,19 +2,22 @@
 #define ECAPTURE_COMMON_H
 
 #ifdef DEBUG_PRINT
-#define debug_bpf_printk(fmt, ...)					\
-	do {							\
-		char s[] = fmt;					\
-		bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__);	\
-	} while (0)
+#define debug_bpf_printk(fmt, ...)                     \
+    do {                                               \
+        char s[] = fmt;                                \
+        bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__); \
+    } while (0)
 #else
 #define debug_bpf_printk(fmt, ...)
 #endif
 
 #define TASK_COMM_LEN 16
 #define MAX_DATA_SIZE_OPENSSL 1024 * 4
 #define MAX_DATA_SIZE_MYSQL 256
-#define COM_QUERY 3 //enum_server_command, via https://dev.mysql.com/doc/internals/en/com-query.html COM_QUERT command 03
+
+// enum_server_command, via
+// https://dev.mysql.com/doc/internals/en/com-query.html COM_QUERT command 03
+#define COM_QUERY 3
 
 #define AF_INET 2
 #define AF_INET6 10
@@ -25,7 +28,7 @@
 #ifndef KERNEL_LESS_5_2
 const volatile u64 target_pid = 0;
 #else
-//u64 target_pid = 0;
+// u64 target_pid = 0;
 #endif
 
 char __license[] SEC("license") = "Dual MIT/GPL";

kern/core_type.h → kern/ecapture.h

@@ -1,3 +1,6 @@
+#ifndef ECAPTURE_H
+#define ECAPTURE_H
+
 #ifndef NOCORE
 //CO:RE is enabled
 #include "vmlinux.h"
@@ -11,4 +14,8 @@
 #include <linux/socket.h>
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
+#endif
+
+#include "common.h"
+
 #endif

kern/gnutls_kern.c

@@ -1,20 +1,18 @@
-#include "core_type.h"
-#include "common.h"
+#include "ecapture.h"
 
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
 
 struct ssl_data_event_t {
-  enum ssl_data_event_type type;
-  u64 timestamp_ns;
-  u32 pid;
-  u32 tid;
-  char data[MAX_DATA_SIZE_OPENSSL];
-  s32 data_len;
-  char comm[TASK_COMM_LEN];
+    enum ssl_data_event_type type;
+    u64 timestamp_ns;
+    u32 pid;
+    u32 tid;
+    char data[MAX_DATA_SIZE_OPENSSL];
+    s32 data_len;
+    char comm[TASK_COMM_LEN];
 };
 
-struct
-{
+struct {
     __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 } gnutls_events SEC(".maps");
 
@@ -23,16 +21,14 @@ struct
  ***********************************************************/
 
 // Key is thread ID (from bpf_get_current_pid_tgid).
-struct
-{
+struct {
     __uint(type, BPF_MAP_TYPE_HASH);
     __type(key, u64);
     __type(value, const char*);
     __uint(max_entries, 1024);
 } active_ssl_read_args_map SEC(".maps");
 
-struct
-{
+struct {
     __uint(type, BPF_MAP_TYPE_HASH);
     __type(key, u64);
     __type(value, const char*);
@@ -41,8 +37,7 @@ struct
 
 // BPF programs are limited to a 512-byte stack. We store this value per CPU
 // and use it as a heap allocated value.
-struct
-{
+struct {
     __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
     __type(key, u32);
     __type(value, struct ssl_data_event_t);
@@ -53,27 +48,29 @@ struct
  * General helper functions
  ***********************************************************/
 
-static __inline struct ssl_data_event_t* create_ssl_data_event(u64 current_pid_tgid) {
-  u32 kZero = 0;
-  struct ssl_data_event_t* event = bpf_map_lookup_elem(&data_buffer_heap, &kZero);
-  if (event == NULL) {
-    return NULL;
-  }
+static __inline struct ssl_data_event_t* create_ssl_data_event(
+    u64 current_pid_tgid) {
+    u32 kZero = 0;
+    struct ssl_data_event_t* event =
+        bpf_map_lookup_elem(&data_buffer_heap, &kZero);
+    if (event == NULL) {
+        return NULL;
+    }
 
-  const u32 kMask32b = 0xffffffff;
-  event->timestamp_ns = bpf_ktime_get_ns();
-  event->pid = current_pid_tgid >> 32;
-  event->tid = current_pid_tgid & kMask32b;
+    const u32 kMask32b = 0xffffffff;
+    event->timestamp_ns = bpf_ktime_get_ns();
+    event->pid = current_pid_tgid >> 32;
+    event->tid = current_pid_tgid & kMask32b;
 
-  return event;
+    return event;
 }
 
 /***********************************************************
  * BPF syscall processing functions
  ***********************************************************/
 
-static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_type type,
-                            const char* buf) {
+static int process_SSL_data(struct pt_regs* ctx, u64 id,
+                            enum ssl_data_event_type type, const char* buf) {
     int len = (int)PT_REGS_RC(ctx);
     if (len < 0) {
         return 0;
@@ -85,11 +82,15 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_typ
     }
 
     event->type = type;
-    // This is a max function, but it is written in such a way to keep older BPF verifiers happy.
-    event->data_len = (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) : MAX_DATA_SIZE_OPENSSL);
+    // This is a max function, but it is written in such a way to keep older BPF
+    // verifiers happy.
+    event->data_len =
+        (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1))
+                                     : MAX_DATA_SIZE_OPENSSL);
     bpf_probe_read(event->data, event->data_len, buf);
     bpf_get_current_comm(&event->comm, sizeof(event->comm));
-    bpf_perf_event_output(ctx, &gnutls_events, BPF_F_CURRENT_CPU, event,sizeof(struct ssl_data_event_t));
+    bpf_perf_event_output(ctx, &gnutls_events, BPF_F_CURRENT_CPU, event,
+                          sizeof(struct ssl_data_event_t));
     return 0;
 }
 
@@ -99,23 +100,25 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_typ
 
 // http://gnu.ist.utl.pt/software/gnutls/manual/gnutls/gnutls.html#gnutls_record_send
 // Function signature being probed:
-// ssize_t gnutls_record_send (gnutls_session session, const void * data, size_t sizeofdata)
+// ssize_t gnutls_record_send (gnutls_session session, const void * data, size_t
+// sizeofdata)
 
 SEC("uprobe/gnutls_record_send")
 int probe_entry_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
     debug_bpf_printk("gnutls uprobe/gnutls_record_send pid :%d\n", pid);
 
-    #ifndef KERNEL_LESS_5_2
-        // if target_ppid is 0 then we target all pids
-        if (target_pid != 0 && target_pid != pid) {
-            return 0;
-        }
-    #endif
+#ifndef KERNEL_LESS_5_2
+    // if target_ppid is 0 then we target all pids
+    if (target_pid != 0 && target_pid != pid) {
+        return 0;
+    }
+#endif
 
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
-    bpf_map_update_elem(&active_ssl_write_args_map, &current_pid_tgid, &buf, BPF_ANY);
+    bpf_map_update_elem(&active_ssl_write_args_map, &current_pid_tgid, &buf,
+                        BPF_ANY);
     return 0;
 }
 
@@ -125,14 +128,15 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
     u32 pid = current_pid_tgid >> 32;
     debug_bpf_printk("gnutls uretprobe/gnutls_record_send pid :%d\n", pid);
 
-    #ifndef KERNEL_LESS_5_2
-        // if target_ppid is 0 then we target all pids
-        if (target_pid != 0 && target_pid != pid) {
-            return 0;
-        }
-    #endif
+#ifndef KERNEL_LESS_5_2
+    // if target_ppid is 0 then we target all pids
+    if (target_pid != 0 && target_pid != pid) {
+        return 0;
+    }
+#endif
 
-    const char** buf = bpf_map_lookup_elem(&active_ssl_write_args_map, &current_pid_tgid);
+    const char** buf =
+        bpf_map_lookup_elem(&active_ssl_write_args_map, &current_pid_tgid);
     if (buf != NULL) {
         process_SSL_data(ctx, current_pid_tgid, kSSLWrite, *buf);
     }
@@ -142,24 +146,25 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
 
 // Function signature being probed:
 // int SSL_read(SSL *s, void *buf, int num)
-// ssize_t gnutls_record_recv (gnutls_session session, void * data, size_t sizeofdata)
+// ssize_t gnutls_record_recv (gnutls_session session, void * data, size_t
+// sizeofdata)
 
 SEC("uprobe/gnutls_record_recv")
 int probe_entry_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
     debug_bpf_printk("gnutls uprobe/gnutls_record_recv pid :%d\n", pid);
 
-
-    #ifndef KERNEL_LESS_5_2
-        // if target_ppid is 0 then we target all pids
-        if (target_pid != 0 && target_pid != pid) {
-            return 0;
-        }
-    #endif
+#ifndef KERNEL_LESS_5_2
+    // if target_ppid is 0 then we target all pids
+    if (target_pid != 0 && target_pid != pid) {
+        return 0;
+    }
+#endif
 
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
-    bpf_map_update_elem(&active_ssl_read_args_map, &current_pid_tgid, &buf, BPF_ANY);
+    bpf_map_update_elem(&active_ssl_read_args_map, &current_pid_tgid, &buf,
+                        BPF_ANY);
     return 0;
 }
 
@@ -169,14 +174,15 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     u32 pid = current_pid_tgid >> 32;
     debug_bpf_printk("gnutls uretprobe/gnutls_record_recv pid :%d\n", pid);
 
-    #ifndef KERNEL_LESS_5_2
-        // if target_ppid is 0 then we target all pids
-        if (target_pid != 0 && target_pid != pid) {
-            return 0;
-        }
-    #endif
+#ifndef KERNEL_LESS_5_2
+    // if target_ppid is 0 then we target all pids
+    if (target_pid != 0 && target_pid != pid) {
+        return 0;
+    }
+#endif
 
-    const char** buf = bpf_map_lookup_elem(&active_ssl_read_args_map, &current_pid_tgid);
+    const char** buf =
+        bpf_map_lookup_elem(&active_ssl_read_args_map, &current_pid_tgid);
     if (buf != NULL) {
         process_SSL_data(ctx, current_pid_tgid, kSSLRead, *buf);
     }