From 021c75106ee8a0a5c8ea6a783ae47d85c37f86f8 Mon Sep 17 00:00:00 2001 From: CFC4N Date: Wed, 27 Apr 2022 23:20:53 +0800 Subject: [PATCH 1/4] * : add mysqld 5.6 (mariad DB) reture value. Signed-off-by: CFC4N --- kern/mysqld_kern.c | 47 ++++++++++++++++++++++++++++++++++++++++++-- user/event_mysqld.go | 33 +++++++++++++++++++++++++++++-- user/probe_mysqld.go | 7 +++++++ 3 files changed, 83 insertions(+), 4 deletions(-) diff --git a/kern/mysqld_kern.c b/kern/mysqld_kern.c index 409cd45b9..7dc7873de 100644 --- a/kern/mysqld_kern.c +++ b/kern/mysqld_kern.c @@ -8,8 +8,17 @@ struct data_t { u64 alllen; u64 len; char comm[TASK_COMM_LEN]; + s8 retval; // dispatch_command return value }; +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, u32); + __type(value, struct data_t); + __uint(max_entries, 1024); +} sql_hash SEC(".maps"); + + struct { __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); 
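Review bot: `sql_hash` is keyed by `u32`, and the probes that use it store under `pid`, the tgid half of `bpf_get_current_pid_tgid()`, so every connection thread of one mysqld process shares a single slot and concurrent queries overwrite each other's in-flight record before the matching uretprobe fires, pairing a return value with the wrong query. The gnutls and nspr maps in this same series key their in-flight maps by the full thread id (`// Key is thread ID (from bpf_get_current_pid_tgid).` with `__type(key, u64);`); do the same here, `__type(key, u64);`, and pass `&current_pid_tgid` to the update and lookup in both the 5.6 probes of this patch and the 5.7 probes of patch 2. A one-line comment on the map, `// in-flight COM_QUERY per thread, consumed by the matching uretprobe`, would document the pairing contract.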
@@ -52,17 +61,51 @@ int mysql56_query(struct pt_regs *ctx) { data.pid = pid; // only process id data.alllen = len; // origin query sql length data.timestamp = bpf_ktime_get_ns(); - + data.retval = -1; len = (len < MAX_DATA_SIZE_MYSQL ? (len & (MAX_DATA_SIZE_MYSQL - 1)) : MAX_DATA_SIZE_MYSQL); data.len = len; // only process id bpf_get_current_comm(&data.comm, sizeof(data.comm)); bpf_probe_read_user(&data.query, len, (void*)PT_REGS_PARM3(ctx)); - bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,sizeof(data)); + + bpf_map_update_elem(&sql_hash, &pid, &data, BPF_ANY); +// bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,sizeof(data)); return 0; } +SEC("uretprobe/dispatch_command") +int mysql56_query_return(struct pt_regs *ctx) { + // https://github.com/MariaDB/server/blob/b5852ffbeebc3000982988383daeefb0549e058a/sql/sql_parse.h#L112 + // enum dispatch_command_return + // { + // DISPATCH_COMMAND_SUCCESS=0, + // DISPATCH_COMMAND_CLOSE_CONNECTION= 1, + // DISPATCH_COMMAND_WOULDBLOCK= 2 + // }; + // dispatch_command_return dispatch_command(enum enum_server_command command, THD *thd, + // char* packet, uint packet_length, bool blocking = true); + + u64 current_pid_tgid = bpf_get_current_pid_tgid(); + u32 pid = current_pid_tgid >> 32; + #ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } + #endif + + u64 command_return = (u64)PT_REGS_RC(ctx); + struct data_t *data = bpf_map_lookup_elem(&sql_hash, &pid); + if (!data) { + return 0; // missed start + } + debug_bpf_printk("mysql query:%s\n", data->query); + data->retval = command_return; + debug_bpf_printk("mysql query return :%d\n", command_return); + bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data,sizeof(struct data_t)); + return 0; +} // mysql 8.0 /* diff --git a/user/event_mysqld.go b/user/event_mysqld.go index 838b8a1fa..bd6b1f9f9 100644 --- a/user/event_mysqld.go +++ b/user/event_mysqld.go 
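Review bot: `mysql56_query_return` never deletes the `sql_hash` entry after `bpf_perf_event_output`, while the entry probe only stores records for COM_QUERY and this uretprobe fires for every `dispatch_command`, so the next non-query command on the same key (COM_PING, COM_QUIT, …) finds the stale record and emits the old SQL text again with an unrelated return value; `mysql57_query_return` in patch 2 has the same gap. Add `bpf_map_delete_elem(&sql_hash, &pid);` right after the output call so each record is emitted exactly once. The commented-out `bpf_perf_event_output` left behind in `mysql56_query` should be removed rather than kept as a comment (patch 3 reflows it but keeps it).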
@@ -21,6 +21,31 @@ import ( */ const MYSQLD_MAX_DATA_SIZE = 256 +const ( + //dispatch_command_return + DISPATCH_COMMAND_NOT_CAPTURED = -1 + DISPATCH_COMMAND_SUCCESS = 0 + DISPATCH_COMMAND_CLOSE_CONNECTION = 1 + DISPATCH_COMMAND_WOULDBLOCK = 2 +) + +type dispatch_command_return int8 + +func (this dispatch_command_return) String() string { + var retStr string + switch this { + case DISPATCH_COMMAND_CLOSE_CONNECTION: + retStr = "DISPATCH_COMMAND_CLOSE_CONNECTION" + case DISPATCH_COMMAND_SUCCESS: + retStr = "DISPATCH_COMMAND_SUCCESS" + case DISPATCH_COMMAND_WOULDBLOCK: + retStr = "DISPATCH_COMMAND_WOULDBLOCK" + case DISPATCH_COMMAND_NOT_CAPTURED: + retStr = "DISPATCH_COMMAND_NOT_CAPTURED" + } + return retStr +} + type mysqldEvent struct { module IModule Pid uint64 @@ -29,6 +54,7 @@ type mysqldEvent struct { alllen uint64 len uint64 comm [16]uint8 + retval dispatch_command_return } func (this *mysqldEvent) Decode(payload []byte) (err error) { 
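Review bot: `dispatch_command_return.String()` yields an empty string for any value outside its four cases, so an unexpected return code shows up in the event line as `return:` followed by nothing, which is easy to misread as a decode problem. Add a default arm, `default: retStr = fmt.Sprintf("DISPATCH_COMMAND_UNKNOWN(%d)", int8(this))` (this file already imports fmt for `mysqldEvent.String()`). The constants are untyped ints compared against a `dispatch_command_return`; declaring them with the type, `DISPATCH_COMMAND_SUCCESS dispatch_command_return = 0` and so on, keeps the comparison type-checked, and the type name would conventionally be camel case (`dispatchCommandReturn`).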
@@ -51,16 +77,19 @@ func (this *mysqldEvent) Decode(payload []byte) (err error) { if err = binary.Read(buf, binary.LittleEndian, &this.comm); err != nil { return } + if err = binary.Read(buf, binary.LittleEndian, &this.retval); err != nil { + return + } return nil } func (this *mysqldEvent) String() string { - s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), Line:%s", this.Pid, this.comm, this.Timestamp, this.len, this.alllen, unix.ByteSliceToString((this.query[:])))) + s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", this.Pid, this.comm, this.Timestamp, this.len, this.alllen, this.retval, unix.ByteSliceToString((this.query[:])))) return s } func (this *mysqldEvent) StringHex() string { - s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), Line:%s", this.Pid, this.comm, this.Timestamp, this.len, this.alllen, unix.ByteSliceToString((this.query[:])))) + s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", this.Pid, this.comm, this.Timestamp, this.len, this.alllen, this.retval, unix.ByteSliceToString((this.query[:])))) return s } diff --git a/user/probe_mysqld.go b/user/probe_mysqld.go index f6228aa6c..e3bb2c25f 100644 --- a/user/probe_mysqld.go +++ b/user/probe_mysqld.go @@ -136,6 +136,13 @@ func (this *MMysqldProbe) setupManagers() error { UprobeOffset: offset, BinaryPath: binaryPath, }, + { + Section: "uretprobe/dispatch_command", + EbpfFuncName: "mysql56_query_return", + AttachToFuncName: attachFunc, + UprobeOffset: offset, + BinaryPath: binaryPath, + }, } } From 3d66f1ce142cad6d8144eb16bcb9037ac29ee0c6 Mon Sep 17 00:00:00 2001 From: CFC4N Date: Wed, 27 Apr 2022 23:34:29 +0800 Subject: [PATCH 2/4] * : add mysqld 5.7 reture value or newer. 
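Review bot: The rewritten `String()` and `StringHex()` lines keep the `fmt.Sprintf(fmt.Sprintf(...))` nesting, so the already-formatted line, including the client-supplied SQL text from `unix.ByteSliceToString(this.query[:])`, is handed to the outer `Sprintf` as its format string; any `%` in a captured query (a `LIKE '%x%'` pattern, for instance) is parsed as a verb and the output is corrupted with `%!x(MISSING)`-style noise. Drop the outer call and format once: `s := fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", this.Pid, this.comm, this.Timestamp, this.len, this.alllen, this.retval, unix.ByteSliceToString(this.query[:]))`. The two methods are now byte-identical; if `StringHex` is meant to hex-encode the query it does not, which deserves at least a TODO comment.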
Signed-off-by: CFC4N --- kern/mysqld_kern.c | 41 +++++++++++++++++++++++++++++++++++++++-- user/event_mysqld.go | 3 +++ user/probe_mysqld.go | 14 ++++++++++++++ 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/kern/mysqld_kern.c b/kern/mysqld_kern.c index 7dc7873de..e9f0ac007 100644 --- a/kern/mysqld_kern.c +++ b/kern/mysqld_kern.c @@ -1,6 +1,8 @@ #include "core_type.h" #include "common.h" +#define DISPATCH_COMMAND_V57_FAILED -2 + struct data_t { u64 pid; u64 timestamp; @@ -95,7 +97,7 @@ int mysql56_query_return(struct pt_regs *ctx) { } #endif - u64 command_return = (u64)PT_REGS_RC(ctx); + s8 command_return = (u64)PT_REGS_RC(ctx); struct data_t *data = bpf_map_lookup_elem(&sql_hash, &pid); if (!data) { return 0; // missed start 
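Review bot: `s8 command_return = (u64)PT_REGS_RC(ctx);` casts the return register up to u64 only to narrow it straight to s8, so the cast documents nothing and hides that the narrowing is the point; write `s8 command_return = (s8)PT_REGS_RC(ctx);  // enum returned in a 64-bit register: only the low byte is meaningful` (that the upper bits are not guaranteed is the usual ABI rule, but worth confirming for the target). In the first hunk, `#define DISPATCH_COMMAND_V57_FAILED -2` should be `(-2)` so it is safe inside expressions, and a comment such as `// must match DISPATCH_COMMAND_V57_FAILED in user/event_mysqld.go` keeps the kernel and Go copies from drifting apart.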
@@ -181,6 +183,41 @@ int mysql57_query(struct pt_regs *ctx) { data.len = len; bpf_get_current_comm(&data.comm, sizeof(data.comm)); - bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,sizeof(data)); + bpf_map_update_elem(&sql_hash, &pid, &data, BPF_ANY); +// bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,sizeof(data)); + return 0; +} + +//@retval +// 0 ok +// @retval +// 1 request of thread shutdown, i. e. if command is +// COM_QUIT +SEC("uretprobe/dispatch_command_57") +int mysql57_query_return(struct pt_regs *ctx) { + u64 current_pid_tgid = bpf_get_current_pid_tgid(); + u32 pid = current_pid_tgid >> 32; + + #ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } + #endif + + u8 command_return = (u64)PT_REGS_RC(ctx); + struct data_t *data = bpf_map_lookup_elem(&sql_hash, &pid); + if (!data) { + return 0; // missed start + } + debug_bpf_printk("mysql57+ query:%s\n", data->query); + debug_bpf_printk("mysql57+ query return :%d\n", command_return); + if (command_return == 1) { + data->retval = DISPATCH_COMMAND_V57_FAILED; + } else { + data->retval = command_return; + } + bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data,sizeof(struct data_t)); + return 0; } \ No newline at end of file diff --git a/user/event_mysqld.go b/user/event_mysqld.go index bd6b1f9f9..4e13644a5 100644 --- a/user/event_mysqld.go +++ b/user/event_mysqld.go @@ -23,6 +23,7 @@ const MYSQLD_MAX_DATA_SIZE = 256 const ( //dispatch_command_return + DISPATCH_COMMAND_V57_FAILED = -2 DISPATCH_COMMAND_NOT_CAPTURED = -1 DISPATCH_COMMAND_SUCCESS = 0 DISPATCH_COMMAND_CLOSE_CONNECTION = 1 @@ -42,6 +43,8 @@ func (this dispatch_command_return) String() string { retStr = "DISPATCH_COMMAND_WOULDBLOCK" case DISPATCH_COMMAND_NOT_CAPTURED: retStr = "DISPATCH_COMMAND_NOT_CAPTURED" + case DISPATCH_COMMAND_V57_FAILED: + retStr = "DISPATCH_COMMAND_V57_FAILED" } return retStr } 
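Review bot: The comment above `mysql57_query_return` documents the probed `bool dispatch_command` as `0 ok` / `1 request of thread shutdown, i. e. if command is COM_QUIT`, yet the body maps `1` to `DISPATCH_COMMAND_V57_FAILED`, so an ordinary COM_QUIT is reported as a failure; either rename the value (and its Go mirror added in the same patch) to what it means, e.g. `DISPATCH_COMMAND_V57_SHUTDOWN`, or add a comment explaining why a shutdown request is classed as a failure. Because `mysql57_query` only records COM_QUERY and this uretprobe fires for every command, a `1` can in practice only be paired with a stale COM_QUERY record, since nothing removes the `sql_hash` entry after `bpf_perf_event_output`; add `bpf_map_delete_elem(&sql_hash, &pid);` after the output call, as the 5.6 return probe also needs. `u8 command_return = (u64)PT_REGS_RC(ctx);` carries the same redundant up-cast as the 5.6 probe; `(u8)PT_REGS_RC(ctx)` says what is meant.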
diff --git a/user/probe_mysqld.go b/user/probe_mysqld.go index e3bb2c25f..06a824e6f 100644 --- a/user/probe_mysqld.go +++ b/user/probe_mysqld.go @@ -116,6 +116,13 @@ func (this *MMysqldProbe) setupManagers() error { UprobeOffset: offset, BinaryPath: binaryPath, }, + { + Section: "uretprobe/dispatch_command_57", + EbpfFuncName: "mysql57_query_return", + AttachToFuncName: attachFunc, + UprobeOffset: offset, + BinaryPath: binaryPath, + }, } case MYSQLD_TYPE_80: probes = []*manager.Probe{ @@ -126,6 +133,13 @@ func (this *MMysqldProbe) setupManagers() error { UprobeOffset: offset, BinaryPath: binaryPath, }, + { + Section: "uretprobe/dispatch_command_57", + EbpfFuncName: "mysql57_query_return", + AttachToFuncName: attachFunc, + UprobeOffset: offset, + BinaryPath: binaryPath, + }, } default: probes = []*manager.Probe{ From 4acad2859989ec89ee6385c49a309f9113ba9a8a Mon Sep 17 00:00:00 2001 From: CFC4N Date: Thu, 28 Apr 2022 00:49:21 +0800 Subject: [PATCH 3/4] * : code format Signed-off-by: CFC4N --- Makefile | 7 ++ kern/bash_kern.c | 25 ++++--- kern/common.h | 17 +++-- kern/gnutls_kern.c | 133 +++++++++++++++++---------------- kern/mysqld_kern.c | 153 +++++++++++++++++++------------------ kern/nspr_kern.c | 115 ++++++++++++++-------------- kern/openssl_kern.c | 178 ++++++++++++++++++++++---------------------- 7 files changed, 334 insertions(+), 294 deletions(-) diff --git a/Makefile b/Makefile index 695a5c8fa..da2bc5542 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,7 @@ CMD_GO ?= go CMD_GREP ?= grep CMD_CAT ?= cat CMD_MD5 ?= md5sum +STYLE ?= "{BasedOnStyle: Google, IndentWidth: 4}" .check_%: # @@ -325,3 +326,9 @@ $(KERN_OBJECTS_NOCORE): %.nocore: %.c \ -march=bpf \ -filetype=obj \ -o $(subst kern/,user/bytecode/,$(subst .c,.o,$<)) + +# Format the code +format: + @echo " -> Formatting code" + @clang-format -i -style=$(STYLE) kern/*.c + @clang-format -i -style=$(STYLE) kern/common.h \ No newline at end of file 
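Review bot: The new `format` target in the Makefile is not declared phony, so a file or directory named `format` in the repository root would make `make format` answer "up to date" and skip clang-format entirely; add `.PHONY: format` beside the rule. The default `STYLE` is `BasedOnStyle: Google`, which also sorts includes, and that is why patch 3 moves `common.h` ahead of `core_type.h` in every kern/*.c; if that order is not intended, add `SortIncludes: false` to the STYLE string so the formatter leaves include order alone.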
diff --git a/kern/bash_kern.c b/kern/bash_kern.c index 70c3cfda9..b2d5d0c24 100644 --- a/kern/bash_kern.c +++ b/kern/bash_kern.c @@ -1,14 +1,14 @@ -#include "core_type.h" #include "common.h" +#include "core_type.h" struct event { - u32 pid; - u8 line[80]; - char comm[TASK_COMM_LEN]; + u32 pid; + u8 line[80]; + char comm[TASK_COMM_LEN]; }; struct { - __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); + __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); } events SEC(".maps"); // Force emitting struct event into the ELF. @@ -19,12 +19,12 @@ int uretprobe_bash_readline(struct pt_regs *ctx) { s64 pid_tgid = bpf_get_current_pid_tgid(); int pid = pid_tgid >> 32; - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif struct event event; // bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid ); @@ -32,7 +32,8 @@ int uretprobe_bash_readline(struct pt_regs *ctx) { bpf_probe_read(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx)); bpf_get_current_comm(&event.comm, sizeof(event.comm)); - bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event)); + bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, + sizeof(event)); return 0; } diff --git a/kern/common.h b/kern/common.h index 769ce916f..eed0e9be3 100644 --- a/kern/common.h +++ b/kern/common.h @@ -2,11 +2,11 @@ #define ECAPTURE_COMMON_H #ifdef DEBUG_PRINT -#define debug_bpf_printk(fmt, ...) \ - do { \ - char s[] = fmt; \ - bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__); \ - } while (0) +#define debug_bpf_printk(fmt, ...) \ + do { \ + char s[] = fmt; \ + bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__); \ + } while (0) #else #define debug_bpf_printk(fmt, ...) #endif 
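Review bot: The first hunk moves `#include "common.h"` ahead of `#include "core_type.h"`, but `common.h` itself uses `u64` (`const volatile u64 target_pid = 0;` in its second hunk) and `SEC(...)`, so unless `common.h` includes `core_type.h` on its own (not visible in this diff) the reordered file no longer compiles; the same swap is made in gnutls_kern.c, mysqld_kern.c, nspr_kern.c and openssl_kern.c. Either make `common.h` self-contained by giving it its own `#include "core_type.h"` at the top, or keep the original order and fence the includes with `// clang-format off` / `// clang-format on` (or set `SortIncludes: false` in the style) so the formatter cannot reorder them.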
@@ -14,7 +14,10 @@ #define TASK_COMM_LEN 16 #define MAX_DATA_SIZE_OPENSSL 1024 * 4 #define MAX_DATA_SIZE_MYSQL 256 -#define COM_QUERY 3 //enum_server_command, via https://dev.mysql.com/doc/internals/en/com-query.html COM_QUERT command 03 + +// enum_server_command, via +// https://dev.mysql.com/doc/internals/en/com-query.html COM_QUERT command 03 +#define COM_QUERY 3 #define AF_INET 2 #define AF_INET6 10 @@ -25,7 +28,7 @@ #ifndef KERNEL_LESS_5_2 const volatile u64 target_pid = 0; #else -//u64 target_pid = 0; +// u64 target_pid = 0; #endif char __license[] SEC("license") = "Dual MIT/GPL"; diff --git a/kern/gnutls_kern.c b/kern/gnutls_kern.c index ddd4d65c6..bc006748a 100644 --- a/kern/gnutls_kern.c +++ b/kern/gnutls_kern.c @@ -1,20 +1,19 @@ -#include "core_type.h" #include "common.h" +#include "core_type.h" enum ssl_data_event_type { kSSLRead, kSSLWrite }; struct ssl_data_event_t { - enum ssl_data_event_type type; - u64 timestamp_ns; - u32 pid; - u32 tid; - char data[MAX_DATA_SIZE_OPENSSL]; - s32 data_len; - char comm[TASK_COMM_LEN]; + enum ssl_data_event_type type; + u64 timestamp_ns; + u32 pid; + u32 tid; + char data[MAX_DATA_SIZE_OPENSSL]; + s32 data_len; + char comm[TASK_COMM_LEN]; }; -struct -{ +struct { __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); } gnutls_events SEC(".maps"); @@ -23,16 +22,14 @@ struct ***********************************************************/ // Key is thread ID (from bpf_get_current_pid_tgid). -struct -{ +struct { __uint(type, BPF_MAP_TYPE_HASH); __type(key, u64); __type(value, const char*); __uint(max_entries, 1024); } active_ssl_read_args_map SEC(".maps"); -struct -{ +struct { __uint(type, BPF_MAP_TYPE_HASH); __type(key, u64); __type(value, const char*); @@ -41,8 +38,7 @@ struct // BPF programs are limited to a 512-byte stack. We store this value per CPU // and use it as a heap allocated value. -struct -{ +struct { __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); __type(key, u32); __type(value, struct ssl_data_event_t); 
@@ -53,27 +49,29 @@ struct * General helper functions ***********************************************************/ -static __inline struct ssl_data_event_t* create_ssl_data_event(u64 current_pid_tgid) { - u32 kZero = 0; - struct ssl_data_event_t* event = bpf_map_lookup_elem(&data_buffer_heap, &kZero); - if (event == NULL) { - return NULL; - } +static __inline struct ssl_data_event_t* create_ssl_data_event( + u64 current_pid_tgid) { + u32 kZero = 0; + struct ssl_data_event_t* event = + bpf_map_lookup_elem(&data_buffer_heap, &kZero); + if (event == NULL) { + return NULL; + } - const u32 kMask32b = 0xffffffff; - event->timestamp_ns = bpf_ktime_get_ns(); - event->pid = current_pid_tgid >> 32; - event->tid = current_pid_tgid & kMask32b; + const u32 kMask32b = 0xffffffff; + event->timestamp_ns = bpf_ktime_get_ns(); + event->pid = current_pid_tgid >> 32; + event->tid = current_pid_tgid & kMask32b; - return event; + return event; } /*********************************************************** * BPF syscall processing functions ***********************************************************/ -static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_type type, - const char* buf) { +static int process_SSL_data(struct pt_regs* ctx, u64 id, + enum ssl_data_event_type type, const char* buf) { int len = (int)PT_REGS_RC(ctx); if (len < 0) { return 0; 
@@ -85,11 +83,15 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_typ } event->type = type; - // This is a max function, but it is written in such a way to keep older BPF verifiers happy. - event->data_len = (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) : MAX_DATA_SIZE_OPENSSL); + // This is a max function, but it is written in such a way to keep older BPF + // verifiers happy. + event->data_len = + (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) + : MAX_DATA_SIZE_OPENSSL); bpf_probe_read(event->data, event->data_len, buf); bpf_get_current_comm(&event->comm, sizeof(event->comm)); - bpf_perf_event_output(ctx, &gnutls_events, BPF_F_CURRENT_CPU, event,sizeof(struct ssl_data_event_t)); + bpf_perf_event_output(ctx, &gnutls_events, BPF_F_CURRENT_CPU, event, + sizeof(struct ssl_data_event_t)); return 0; } @@ -99,7 +101,8 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_typ // http://gnu.ist.utl.pt/software/gnutls/manual/gnutls/gnutls.html#gnutls_record_send // Function signature being probed: -// ssize_t gnutls_record_send (gnutls_session session, const void * data, size_t sizeofdata) +// ssize_t gnutls_record_send (gnutls_session session, const void * data, size_t +// sizeofdata) SEC("uprobe/gnutls_record_send") int probe_entry_SSL_write(struct pt_regs* ctx) { 
@@ -107,15 +110,16 @@ int probe_entry_SSL_write(struct pt_regs* ctx) { u32 pid = current_pid_tgid >> 32; debug_bpf_printk("gnutls uprobe/gnutls_record_send pid :%d\n", pid); - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif const char* buf = (const char*)PT_REGS_PARM2(ctx); - bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &buf, BPF_ANY); + bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &buf, + BPF_ANY); return 0; } @@ -125,14 +129,15 @@ int probe_ret_SSL_write(struct pt_regs* ctx) { u32 pid = current_pid_tgid >> 32; debug_bpf_printk("gnutls uretprobe/gnutls_record_send pid :%d\n", pid); - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif - const char** buf = bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid); + const char** buf = + bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid); if (buf != NULL) { process_SSL_data(ctx, current_pid_tgid, kSSLWrite, *buf); } @@ -142,7 +147,8 @@ int probe_ret_SSL_write(struct pt_regs* ctx) { // Function signature being probed: // int SSL_read(SSL *s, void *buf, int num) -// ssize_t gnutls_record_recv (gnutls_session session, void * data, size_t sizeofdata) +// ssize_t gnutls_record_recv (gnutls_session session, void * data, size_t +// sizeofdata) SEC("uprobe/gnutls_record_recv") int probe_entry_SSL_read(struct pt_regs* ctx) { 
@@ -150,16 +156,16 @@ int probe_entry_SSL_read(struct pt_regs* ctx) { u32 pid = current_pid_tgid >> 32; debug_bpf_printk("gnutls uprobe/gnutls_record_recv pid :%d\n", pid); - - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif const char* buf = (const char*)PT_REGS_PARM2(ctx); - bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &buf, BPF_ANY); + bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &buf, + BPF_ANY); return 0; } @@ -169,14 +175,15 @@ int probe_ret_SSL_read(struct pt_regs* ctx) { u32 pid = current_pid_tgid >> 32; debug_bpf_printk("gnutls uretprobe/gnutls_record_recv pid :%d\n", pid); - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif - const char** buf = bpf_map_lookup_elem(&active_ssl_read_args_map, ¤t_pid_tgid); + const char** buf = + bpf_map_lookup_elem(&active_ssl_read_args_map, ¤t_pid_tgid); if (buf != NULL) { process_SSL_data(ctx, current_pid_tgid, kSSLRead, *buf); } diff --git a/kern/mysqld_kern.c b/kern/mysqld_kern.c index e9f0ac007..2dff18460 100644 --- a/kern/mysqld_kern.c +++ b/kern/mysqld_kern.c @@ -1,5 +1,5 @@ -#include "core_type.h" #include "common.h" +#include "core_type.h" #define DISPATCH_COMMAND_V57_FAILED -2 
@@ -10,19 +10,17 @@ struct data_t { u64 alllen; u64 len; char comm[TASK_COMM_LEN]; - s8 retval; // dispatch_command return value + s8 retval; // dispatch_command return value }; struct { - __uint(type, BPF_MAP_TYPE_HASH); - __type(key, u32); - __type(value, struct data_t); - __uint(max_entries, 1024); + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, u32); + __type(value, struct data_t); + __uint(max_entries, 1024); } sql_hash SEC(".maps"); - -struct -{ +struct { __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); } events SEC(".maps"); @@ -32,14 +30,17 @@ int mysql56_query(struct pt_regs *ctx) { Trace only packets with enum_server_command == COM_QUERY https://dev.mysql.com/doc/internals/en/com-query.html COM_QUERT command 03 */ - //MYSQL57 - // https://github.com/MariaDB/server/blob/b5852ffbeebc3000982988383daeefb0549e058a/sql/sql_parse.h#L112 - // dispatch_command_return dispatch_command(enum enum_server_command command, THD *thd, - // char* packet, uint packet_length, bool blocking = true); + // MYSQL57 + // https://github.com/MariaDB/server/blob/b5852ffbeebc3000982988383daeefb0549e058a/sql/sql_parse.h#L112 + // dispatch_command_return dispatch_command(enum enum_server_command + // command, THD *thd, + // char* packet, uint + // packet_length, bool + // blocking = true); // https://blog.csdn.net/u010502974/article/details/96362601 - //mysql_parse - u64 command = (u64)PT_REGS_PARM1(ctx); + // mysql_parse + u64 command = (u64)PT_REGS_PARM1(ctx); if (command != COM_QUERY) { return 0; } 
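Review bot: clang-format has reflowed the prototype quoted in the comment inside `mysql56_query` into `command, THD *thd,` / `char* packet, uint` / `packet_length, bool` / `blocking = true);` fragments that no longer read as a signature, and the copy above `mysql56_query_return` is mangled the same way. Keep such quoted prototypes on one line by wrapping them in `// clang-format off` / `// clang-format on`, or shorten them to the part that matters: `// dispatch_command(enum enum_server_command command, THD *thd, char *packet, uint packet_length, bool blocking)`.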
@@ -47,31 +48,33 @@ int mysql56_query(struct pt_regs *ctx) { u64 current_pid_tgid = bpf_get_current_pid_tgid(); u32 pid = current_pid_tgid >> 32; - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif - u64 len = (u64)PT_REGS_PARM4(ctx); + u64 len = (u64)PT_REGS_PARM4(ctx); if (len < 0) { return 0; } struct data_t data = {}; - data.pid = pid; // only process id - data.alllen = len; // origin query sql length + data.pid = pid; // only process id + data.alllen = len; // origin query sql length data.timestamp = bpf_ktime_get_ns(); data.retval = -1; - len = (len < MAX_DATA_SIZE_MYSQL ? (len & (MAX_DATA_SIZE_MYSQL - 1)) : MAX_DATA_SIZE_MYSQL); - data.len = len; // only process id + len = (len < MAX_DATA_SIZE_MYSQL ? (len & (MAX_DATA_SIZE_MYSQL - 1)) + : MAX_DATA_SIZE_MYSQL); + data.len = len; // only process id bpf_get_current_comm(&data.comm, sizeof(data.comm)); - bpf_probe_read_user(&data.query, len, (void*)PT_REGS_PARM3(ctx)); + bpf_probe_read_user(&data.query, len, (void *)PT_REGS_PARM3(ctx)); bpf_map_update_elem(&sql_hash, &pid, &data, BPF_ANY); -// bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,sizeof(data)); + // bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, + // &data,sizeof(data)); return 0; } 
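Review bot: `u64 len = (u64)PT_REGS_PARM4(ctx);` is immediately followed by `if (len < 0) { return 0; }`, which can never be true for an unsigned value, so the guard is dead code (these lines are only re-indented by this commit, but they are the code being kept). The length is masked to `MAX_DATA_SIZE_MYSQL` a few lines later, so either drop the check or replace it with a meaningful upper bound against a named limit. `data.len = len;  // only process id` is a copy-pasted comment; it should read `// bytes of query actually copied`.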
@@ -84,28 +87,32 @@ int mysql56_query_return(struct pt_regs *ctx) { // DISPATCH_COMMAND_CLOSE_CONNECTION= 1, // DISPATCH_COMMAND_WOULDBLOCK= 2 // }; - // dispatch_command_return dispatch_command(enum enum_server_command command, THD *thd, - // char* packet, uint packet_length, bool blocking = true); + // dispatch_command_return dispatch_command(enum enum_server_command + // command, THD *thd, + // char* packet, uint + // packet_length, bool + // blocking = true); u64 current_pid_tgid = bpf_get_current_pid_tgid(); u32 pid = current_pid_tgid >> 32; - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif - s8 command_return = (u64)PT_REGS_RC(ctx); + s8 command_return = (u64)PT_REGS_RC(ctx); struct data_t *data = bpf_map_lookup_elem(&sql_hash, &pid); if (!data) { - return 0; // missed start + return 0; // missed start } debug_bpf_printk("mysql query:%s\n", data->query); data->retval = command_return; debug_bpf_printk("mysql query return :%d\n", command_return); - bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data,sizeof(struct data_t)); + bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, + sizeof(struct data_t)); return 0; } 
@@ -137,23 +144,24 @@ struct COM_QUERY_DATA { }; */ -// mysql 5.7 https://github.com/mysql/mysql-server/blob/5.7/include/mysql/com_data.h +// mysql 5.7 +// https://github.com/mysql/mysql-server/blob/5.7/include/mysql/com_data.h struct COM_QUERY_DATA { - const char *query; - unsigned int length; -// struct PS_PARAM *parameters; TODO -// unsigned long parameter_count; + const char *query; + unsigned int length; + // struct PS_PARAM *parameters; TODO + // unsigned long parameter_count; }; - -//https://github.com/mysql/mysql-server/blob/5.7/sql/sql_parse.h -//bool dispatch_command(THD *thd, const COM_DATA *com_data, -// enum enum_server_command command); -// hook function _Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command at version:8.0.28-0ubuntu0.20.04.3 +// https://github.com/mysql/mysql-server/blob/5.7/sql/sql_parse.h +// bool dispatch_command(THD *thd, const COM_DATA *com_data, +// enum enum_server_command command); +// hook function _Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command at +// version:8.0.28-0ubuntu0.20.04.3 // SEC("uprobe/dispatch_command_57") int mysql57_query(struct pt_regs *ctx) { - u64 command = (u64)PT_REGS_PARM3(ctx); + u64 command = (u64)PT_REGS_PARM3(ctx); if (command != COM_QUERY) { return 0; } 
@@ -161,30 +169,32 @@ int mysql57_query(struct pt_regs *ctx) { u64 current_pid_tgid = bpf_get_current_pid_tgid(); u32 pid = current_pid_tgid >> 32; - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif - u64 len = 0; + u64 len = 0; struct data_t data = {}; - data.pid = pid; // only process id + data.pid = pid; // only process id data.timestamp = bpf_ktime_get_ns(); - void* st = (void*) PT_REGS_PARM2(ctx); - struct COM_QUERY_DATA query; + void *st = (void *)PT_REGS_PARM2(ctx); + struct COM_QUERY_DATA query; bpf_probe_read_user(&query, sizeof(query), st); bpf_probe_read_user(&data.query, sizeof(data.query), query.query); bpf_probe_read_user(&data.alllen, sizeof(data.alllen), &query.length); len = data.alllen; - len = (len < MAX_DATA_SIZE_MYSQL ? (len & (MAX_DATA_SIZE_MYSQL - 1)) : MAX_DATA_SIZE_MYSQL); + len = (len < MAX_DATA_SIZE_MYSQL ? (len & (MAX_DATA_SIZE_MYSQL - 1)) + : MAX_DATA_SIZE_MYSQL); data.len = len; bpf_get_current_comm(&data.comm, sizeof(data.comm)); bpf_map_update_elem(&sql_hash, &pid, &data, BPF_ANY); -// bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data,sizeof(data)); + // bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, + // &data,sizeof(data)); return 0; } 
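Review bot: In `mysql57_query` (lines this commit only re-indents), `bpf_probe_read_user(&data.alllen, sizeof(data.alllen), &query.length);` copies 8 bytes from the address of a 4-byte `unsigned int` that lives on the BPF stack, not in user memory: the upper half of `alllen` is whatever sits in the struct's tail padding, and on kernels that reject non-user addresses in `bpf_probe_read_user` the call fails and leaves `alllen` zero; a plain `data.alllen = query.length;` is what is meant. The preceding `bpf_probe_read_user(&data.query, sizeof(data.query), query.query);` always reads a full `MAX_DATA_SIZE_MYSQL` bytes regardless of `query.length`, so for short queries the event carries whatever follows the packet in the server's memory; compute the masked `len` first and read only `len` bytes, as the 5.6 probe does.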
@@ -198,17 +208,17 @@ int mysql57_query_return(struct pt_regs *ctx) { u64 current_pid_tgid = bpf_get_current_pid_tgid(); u32 pid = current_pid_tgid >> 32; - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif - u8 command_return = (u64)PT_REGS_RC(ctx); + u8 command_return = (u64)PT_REGS_RC(ctx); struct data_t *data = bpf_map_lookup_elem(&sql_hash, &pid); if (!data) { - return 0; // missed start + return 0; // missed start } debug_bpf_printk("mysql57+ query:%s\n", data->query); debug_bpf_printk("mysql57+ query return :%d\n", command_return); @@ -217,7 +227,8 @@ int mysql57_query_return(struct pt_regs *ctx) { } else { data->retval = command_return; } - bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data,sizeof(struct data_t)); + bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, + sizeof(struct data_t)); return 0; } \ No newline at end of file diff --git a/kern/nspr_kern.c b/kern/nspr_kern.c index 053305662..5e9f9a293 100644 --- a/kern/nspr_kern.c +++ b/kern/nspr_kern.c @@ -1,20 +1,19 @@ -#include "core_type.h" #include "common.h" +#include "core_type.h" enum ssl_data_event_type { kSSLRead, kSSLWrite }; struct ssl_data_event_t { - enum ssl_data_event_type type; - u64 timestamp_ns; - u32 pid; - u32 tid; - char data[MAX_DATA_SIZE_OPENSSL]; - s32 data_len; - char comm[TASK_COMM_LEN]; + enum ssl_data_event_type type; + u64 timestamp_ns; + u32 pid; + u32 tid; + char data[MAX_DATA_SIZE_OPENSSL]; + s32 data_len; + char comm[TASK_COMM_LEN]; }; -struct -{ +struct { __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); } nspr_events SEC(".maps"); 
@@ -23,16 +22,14 @@ struct ***********************************************************/ // Key is thread ID (from bpf_get_current_pid_tgid). -struct -{ +struct { __uint(type, BPF_MAP_TYPE_HASH); __type(key, u64); __type(value, const char*); __uint(max_entries, 1024); } active_ssl_read_args_map SEC(".maps"); -struct -{ +struct { __uint(type, BPF_MAP_TYPE_HASH); __type(key, u64); __type(value, const char*); @@ -41,8 +38,7 @@ struct // BPF programs are limited to a 512-byte stack. We store this value per CPU // and use it as a heap allocated value. -struct -{ +struct { __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); __type(key, u32); __type(value, struct ssl_data_event_t); @@ -53,9 +49,11 @@ struct * General helper functions ***********************************************************/ -static __inline struct ssl_data_event_t* create_ssl_data_event(u64 current_pid_tgid) { +static __inline struct ssl_data_event_t* create_ssl_data_event( + u64 current_pid_tgid) { u32 kZero = 0; - struct ssl_data_event_t* event = bpf_map_lookup_elem(&data_buffer_heap, &kZero); + struct ssl_data_event_t* event = + bpf_map_lookup_elem(&data_buffer_heap, &kZero); if (event == NULL) { return NULL; } @@ -71,8 +69,8 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(u64 current_pid_t * BPF syscall processing functions ***********************************************************/ -static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_type type, - const char* buf) { +static int process_SSL_data(struct pt_regs* ctx, u64 id, + enum ssl_data_event_type type, const char* buf) { int len = (int)PT_REGS_RC(ctx); if (len < 0) { return 0; 
@@ -84,11 +82,15 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_typ } event->type = type; - // This is a max function, but it is written in such a way to keep older BPF verifiers happy. - event->data_len = (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) : MAX_DATA_SIZE_OPENSSL); + // This is a max function, but it is written in such a way to keep older BPF + // verifiers happy. + event->data_len = + (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) + : MAX_DATA_SIZE_OPENSSL); bpf_probe_read(event->data, event->data_len, buf); bpf_get_current_comm(&event->comm, sizeof(event->comm)); - bpf_perf_event_output(ctx, &nspr_events, BPF_F_CURRENT_CPU, event,sizeof(struct ssl_data_event_t)); + bpf_perf_event_output(ctx, &nspr_events, BPF_F_CURRENT_CPU, event, + sizeof(struct ssl_data_event_t)); return 0; } @@ -105,15 +107,16 @@ int probe_entry_SSL_write(struct pt_regs* ctx) { u32 pid = current_pid_tgid >> 32; debug_bpf_printk("nspr uprobe/PR_Write pid :%d\n", pid); - #ifndef KERNEL_LESS_5_2 - // if target_ppid is 0 then we target all pids - if (target_pid != 0 && target_pid != pid) { - return 0; - } - #endif +#ifndef KERNEL_LESS_5_2 + // if target_ppid is 0 then we target all pids + if (target_pid != 0 && target_pid != pid) { + return 0; + } +#endif const char* buf = (const char*)PT_REGS_PARM2(ctx); - bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &buf, BPF_ANY); + bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &buf, + BPF_ANY); return 0; } 
@@ -123,16 +126,17 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 debug_bpf_printk("nspr uretprobe/PR_Write pid :%d\n", pid);
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
- const char** buf = bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
+ const char** buf =
+ bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
 if (buf != NULL) {
- process_SSL_data(ctx, current_pid_tgid, kSSLWrite, *buf);
+ process_SSL_data(ctx, current_pid_tgid, kSSLWrite, *buf);
 }
 bpf_map_delete_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
@@ -141,7 +145,8 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
 // Function signature being probed:
 // int SSL_read(SSL *s, void *buf, int num)
-// ssize_t gnutls_record_recv (gnutls_session session, void * data, size_t sizeofdata)
+// ssize_t gnutls_record_recv (gnutls_session session, void * data, size_t
+// sizeofdata)
 SEC("uprobe/PR_Read")
 int probe_entry_SSL_read(struct pt_regs* ctx) {
@@ -149,15 +154,16 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 debug_bpf_printk("nspr uprobe/PR_Read pid :%d\n", pid);
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
 const char* buf = (const char*)PT_REGS_PARM2(ctx);
- bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &buf, BPF_ANY);
+ bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &buf,
+ BPF_ANY);
 return 0;
 }
@@ -167,16 +173,17 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 debug_bpf_printk("nspr uretprobe/PR_Read pid :%d\n", pid);
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
- const char** buf = bpf_map_lookup_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
+ const char** buf =
+ bpf_map_lookup_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
 if (buf != NULL) {
- process_SSL_data(ctx, current_pid_tgid, kSSLRead, *buf);
+ process_SSL_data(ctx, current_pid_tgid, kSSLRead, *buf);
 }
 bpf_map_delete_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
diff --git a/kern/openssl_kern.c b/kern/openssl_kern.c
index 78a538545..cae75d5cc 100644
--- a/kern/openssl_kern.c
+++ b/kern/openssl_kern.c
@@ -1,36 +1,34 @@
-#include "core_type.h"
 #include "common.h"
+#include "core_type.h"
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
 const u32 invalidFD = 0;
 struct ssl_data_event_t {
- enum ssl_data_event_type type;
- u64 timestamp_ns;
- u32 pid;
- u32 tid;
- char data[MAX_DATA_SIZE_OPENSSL];
- s32 data_len;
- char comm[TASK_COMM_LEN];
- u32 fd;
+ enum ssl_data_event_type type;
+ u64 timestamp_ns;
+ u32 pid;
+ u32 tid;
+ char data[MAX_DATA_SIZE_OPENSSL];
+ s32 data_len;
+ char comm[TASK_COMM_LEN];
+ u32 fd;
 };
-struct
-{
+struct {
 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 } tls_events SEC(".maps");
 struct connect_event_t {
- u64 timestamp_ns;
- u32 pid;
- u32 tid;
- u32 fd;
- char sa_data[SA_DATA_LEN];
- char comm[TASK_COMM_LEN];
+ u64 timestamp_ns;
+ u32 pid;
+ u32 tid;
+ u32 fd;
+ char sa_data[SA_DATA_LEN];
+ char comm[TASK_COMM_LEN];
 };
-struct
-{
+struct {
 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 } connect_events SEC(".maps");
@@ -45,16 +43,14 @@ struct active_ssl_buf {
 // Key is thread ID (from bpf_get_current_pid_tgid).
 // Value is a pointer to the data buffer argument to SSL_write/SSL_read.
-struct
-{
+struct {
 __uint(type, BPF_MAP_TYPE_HASH);
 __type(key, u64);
 __type(value, struct active_ssl_buf);
 __uint(max_entries, 1024);
 } active_ssl_read_args_map SEC(".maps");
-struct
-{
+struct {
 __uint(type, BPF_MAP_TYPE_HASH);
 __type(key, u64);
 __type(value, struct active_ssl_buf);
@@ -63,47 +59,46 @@ struct
 // BPF programs are limited to a 512-byte stack. We store this value per CPU
 // and use it as a heap allocated value.
-struct
-{
+struct {
 __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
 __type(key, u32);
 __type(value, struct ssl_data_event_t);
 __uint(max_entries, 1);
 } data_buffer_heap SEC(".maps");
-
 // OPENSSL struct to offset , via kern/README.md
 typedef long (*unused_fn)();
-struct unused {
-};
+struct unused {};
 struct BIO {
- const struct unused *method;
+ const struct unused* method;
 unused_fn callback;
 unused_fn callback_ex;
- char *cb_arg; /* first argument for the callback */
+ char* cb_arg; /* first argument for the callback */
 int init;
 int shutdown;
- int flags; /* extra storage */
+ int flags; /* extra storage */
 int retry_reason;
 int num;
 };
 struct ssl_st {
 int version;
- struct unused *method;
- struct BIO *rbio; //used by SSL_read
- struct BIO *wbio; //used by SSL_write
+ struct unused* method;
+ struct BIO* rbio; // used by SSL_read
+ struct BIO* wbio; // used by SSL_write
 };
 /***********************************************************
 * General helper functions
 ***********************************************************/
-static __inline struct ssl_data_event_t* create_ssl_data_event(u64 current_pid_tgid) {
+static __inline struct ssl_data_event_t* create_ssl_data_event(
+ u64 current_pid_tgid) {
 u32 kZero = 0;
- struct ssl_data_event_t* event = bpf_map_lookup_elem(&data_buffer_heap, &kZero);
+ struct ssl_data_event_t* event =
+ bpf_map_lookup_elem(&data_buffer_heap, &kZero);
 if (event == NULL) {
 return NULL;
 }
@@ -121,8 +116,9 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(u64 current_pid_t
 * BPF syscall processing functions
 ***********************************************************/
-static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_type type,
- const char* buf, u32 fd) {
+static int process_SSL_data(struct pt_regs* ctx, u64 id,
+ enum ssl_data_event_type type, const char* buf,
+ u32 fd) {
 int len = (int)PT_REGS_RC(ctx);
 if (len < 0) {
 return 0;
@@ -135,11 +131,15 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id, enum ssl_data_event_typ
 event->type = type;
 event->fd = fd;
- // This is a max function, but it is written in such a way to keep older BPF verifiers happy.
- event->data_len = (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) : MAX_DATA_SIZE_OPENSSL);
+ // This is a max function, but it is written in such a way to keep older BPF
+ // verifiers happy.
+ event->data_len =
+ (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1))
+ : MAX_DATA_SIZE_OPENSSL);
 bpf_probe_read(event->data, event->data_len, buf);
 bpf_get_current_comm(&event->comm, sizeof(event->comm));
- bpf_perf_event_output(ctx, &tls_events, BPF_F_CURRENT_CPU, event,sizeof(struct ssl_data_event_t));
+ bpf_perf_event_output(ctx, &tls_events, BPF_F_CURRENT_CPU, event,
+ sizeof(struct ssl_data_event_t));
 return 0;
 }
@@ -154,20 +154,20 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
 debug_bpf_printk("openssl uprobe/SSL_write pid :%d\n", pid);
- void * ssl = (void *) PT_REGS_PARM1(ctx);
+ void* ssl = (void*)PT_REGS_PARM1(ctx);
 // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
- struct ssl_st ssl_info;
+ struct ssl_st ssl_info;
 bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl);
- struct BIO bio_w;
+ struct BIO bio_w;
 bpf_probe_read_user(&bio_w, sizeof(bio_w), ssl_info.wbio);
 // get fd ssl->wbio->num
@@ -179,7 +179,8 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
 active_ssl_buf_t.fd = fd;
 active_ssl_buf_t.buf = buf;
- bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY);
+ bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid,
+ &active_ssl_buf_t, BPF_ANY);
 return 0;
 }
@@ -189,18 +190,19 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
 debug_bpf_printk("openssl uretprobe/SSL_write pid :%d\n", pid);
- struct active_ssl_buf* active_ssl_buf_t = bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
+ struct active_ssl_buf* active_ssl_buf_t =
+ bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
 if (active_ssl_buf_t != NULL) {
 const char* buf;
 u32 fd = active_ssl_buf_t->fd;
- bpf_probe_read(&buf, sizeof(const char *), &active_ssl_buf_t->buf);
+ bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
 process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd);
 }
 bpf_map_delete_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
@@ -215,31 +217,32 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 debug_bpf_printk("openssl uprobe/SSL_read pid :%d\n", pid);
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
- void * ssl = (void *) PT_REGS_PARM1(ctx);
+ void* ssl = (void*)PT_REGS_PARM1(ctx);
 // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
- struct ssl_st ssl_info;
+ struct ssl_st ssl_info;
 bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl);
- struct BIO bio_r;
+ struct BIO bio_r;
 bpf_probe_read_user(&bio_r, sizeof(bio_r), ssl_info.rbio);
 // get fd ssl->rbio->num
 u32 fd = bio_r.num;
- debug_bpf_printk("openssl uprobe PID:%d, SSL_read FD:%d\n",pid, fd);
+ debug_bpf_printk("openssl uprobe PID:%d, SSL_read FD:%d\n", pid, fd);
 const char* buf = (const char*)PT_REGS_PARM2(ctx);
 struct active_ssl_buf active_ssl_buf_t;
 __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
 active_ssl_buf_t.fd = fd;
 active_ssl_buf_t.buf = buf;
- bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY);
+ bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid,
+ &active_ssl_buf_t, BPF_ANY);
 return 0;
 }
@@ -249,25 +252,25 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 debug_bpf_printk("openssl uretprobe/SSL_read pid :%d\n", pid);
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
- struct active_ssl_buf* active_ssl_buf_t = bpf_map_lookup_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
+ struct active_ssl_buf* active_ssl_buf_t =
+ bpf_map_lookup_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
 if (active_ssl_buf_t != NULL) {
 const char* buf;
 u32 fd = active_ssl_buf_t->fd;
- bpf_probe_read(&buf, sizeof(const char *), &active_ssl_buf_t->buf);
+ bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
 process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd);
 }
 bpf_map_delete_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
 return 0;
 }
-
 // https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/socket/connect.c
 // int __connect (int fd, __CONST_SOCKADDR_ARG addr, socklen_t len)
 SEC("uprobe/connect")
@@ -275,15 +278,15 @@ int probe_connect(struct pt_regs* ctx) {
 u64 current_pid_tgid = bpf_get_current_pid_tgid();
 u32 pid = current_pid_tgid >> 32;
- #ifndef KERNEL_LESS_5_2
- // if target_ppid is 0 then we target all pids
- if (target_pid != 0 && target_pid != pid) {
- return 0;
- }
- #endif
+#ifndef KERNEL_LESS_5_2
+ // if target_ppid is 0 then we target all pids
+ if (target_pid != 0 && target_pid != pid) {
+ return 0;
+ }
+#endif
 u32 fd = (u32)PT_REGS_PARM1(ctx);
- struct sockaddr *saddr = (struct sockaddr *)PT_REGS_PARM2(ctx);
+ struct sockaddr* saddr = (struct sockaddr*)PT_REGS_PARM2(ctx);
 if (!saddr) {
 return 0;
 }
@@ -305,6 +308,7 @@ int probe_connect(struct pt_regs* ctx) {
 bpf_probe_read(&conn.sa_data, SA_DATA_LEN, &saddr->sa_data);
 bpf_get_current_comm(&conn.comm, sizeof(conn.comm));
- bpf_perf_event_output(ctx, &connect_events, BPF_F_CURRENT_CPU, &conn,sizeof(struct connect_event_t));
+ bpf_perf_event_output(ctx, &connect_events, BPF_F_CURRENT_CPU, &conn,
+ sizeof(struct connect_event_t));
 return 0;
 }
\ No newline at end of file
From 581596b6d236238065b80ae10382da7d0868dfe4 Mon Sep 17 00:00:00 2001
From: CFC4N
Date: Thu, 28 Apr 2022 22:14:57 +0800
Subject: [PATCH 4/4] * : rename header file.
Signed-off-by: CFC4N
---
 kern/bash_kern.c | 3 +--
 kern/{core_type.h => ecapture.h} | 7 +++++++
 kern/gnutls_kern.c | 3 +--
 kern/mysqld_kern.c | 3 +--
 kern/nspr_kern.c | 3 +--
 kern/openssl_kern.c | 3 +--
 6 files changed, 12 insertions(+), 10 deletions(-)
 rename kern/{core_type.h => ecapture.h} (81%)
diff --git a/kern/bash_kern.c b/kern/bash_kern.c
index b2d5d0c24..28bd53d3c 100644
--- a/kern/bash_kern.c
+++ b/kern/bash_kern.c
@@ -1,5 +1,4 @@
-#include "common.h"
-#include "core_type.h"
+#include "ecapture.h"
 struct event {
 u32 pid;
diff --git a/kern/core_type.h b/kern/ecapture.h
similarity index 81%
rename from kern/core_type.h
rename to kern/ecapture.h
index bf67f7ab1..67f302b4d 100644
--- a/kern/core_type.h
+++ b/kern/ecapture.h
@@ -1,3 +1,6 @@
+#ifndef ECAPTURE_H
+#define ECAPTURE_H
+
 #ifndef NOCORE
 //CO:RE is enabled
 #include "vmlinux.h"
@@ -11,4 +14,8 @@
 #include
 #include
 #include
+#endif
+
+#include "common.h"
+
 #endif
\ No newline at end of file
diff --git a/kern/gnutls_kern.c b/kern/gnutls_kern.c
index bc006748a..c149b99cf 100644
--- a/kern/gnutls_kern.c
+++ b/kern/gnutls_kern.c
@@ -1,5 +1,4 @@
-#include "common.h"
-#include "core_type.h"
+#include "ecapture.h"
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
diff --git a/kern/mysqld_kern.c b/kern/mysqld_kern.c
index 2dff18460..cb705cc74 100644
--- a/kern/mysqld_kern.c
+++ b/kern/mysqld_kern.c
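Review bot: In the kern/ecapture.h hunk `@@ -11,4 +14,8 @@` the `#endif` that now closes the ECAPTURE_H guard is still the final byte of the file — the `\ No newline at end of file` marker survives the rename — so the header does not end in a newline, which C11 §5.1.1.2 leaves undefined for a non-empty source file and which -Wnewline-eof reports; add a trailing newline after `#endif`. With two `#endif` lines now closing different conditionals, a closing comment on each keeps the nesting readable: `#endif /* NOCORE */` for the added one and `#endif /* ECAPTURE_H */` for the last line. Because the guard also wraps the new `#include "common.h"`, every kern/*.c in this series now pulls common.h in through this header; whether common.h carries its own guard cannot be seen here and is worth confirming.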
@@ -1,5 +1,4 @@
-#include "common.h"
-#include "core_type.h"
+#include "ecapture.h"
 #define DISPATCH_COMMAND_V57_FAILED -2
diff --git a/kern/nspr_kern.c b/kern/nspr_kern.c
index 5e9f9a293..f903a5858 100644
--- a/kern/nspr_kern.c
+++ b/kern/nspr_kern.c
@@ -1,5 +1,4 @@
-#include "common.h"
-#include "core_type.h"
+#include "ecapture.h"
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
diff --git a/kern/openssl_kern.c b/kern/openssl_kern.c
index cae75d5cc..c2214b22a 100644
--- a/kern/openssl_kern.c
+++ b/kern/openssl_kern.c
@@ -1,5 +1,4 @@
-#include "common.h"
-#include "core_type.h"
+#include "ecapture.h"
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
 const u32 invalidFD = 0;