Debug: Check if tcp kprobes are triggered by go programs

2025-05-07 08:08:45 +00:00 · 2022-07-14 12:54:13 +00:00 · 2022-07-14 12:54:13 +00:00 · 4677ed195c
commit 4677ed195c
parent 50286d251c
5 changed files with 24 additions and 2 deletions
--- a/tap/tlstapper/bpf/common.c
+++ b/tap/tlstapper/bpf/common.c
@ -44,6 +44,8 @@ static __always_inline int add_address_to_chunk(struct pt_regs *ctx, struct tls_
    }

    chunk->flags |= (fdinfo->flags & FLAGS_IS_CLIENT_BIT);
+    // Print flags - should see bit #2 set
+    log_error(ctx, LOG_DEBUG, 111, fdinfo->flags, 0);

    return 1;
 }
--- a/tap/tlstapper/bpf/fd_tracepoints.c
+++ b/tap/tlstapper/bpf/fd_tracepoints.c
@ -64,6 +64,12 @@ void sys_enter_write(struct sys_enter_read_write_ctx *ctx) {
 	}
 	
 	struct ssl_info *infoPtr = bpf_map_lookup_elem(&openssl_write_context, &id);
+	// Write fd to a map with key pid+tgid so that it can be retrieved in tcp kprobes
+	__u32 fd = ctx->fd;
+	long err = bpf_map_update_elem(&pid_tgid_to_fd, &id, &fd, BPF_ANY);
+	if (err != 0) {
+		log_error(ctx, LOG_DEBUG, -1, -1, -1);
+	}
 	
 	if (infoPtr == NULL) {
 		return;
--- a/tap/tlstapper/bpf/go_uprobes.c
+++ b/tap/tlstapper/bpf/go_uprobes.c
@ -217,8 +217,6 @@ static __always_inline void go_crypto_tls_uprobe(struct pt_regs *ctx, struct bpf
        log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l);
    }

-    log_error(ctx, LOG_DEBUG, 1, 1, pid_tgid);
-
    return;
 }

--- a/tap/tlstapper/bpf/include/maps.h
+++ b/tap/tlstapper/bpf/include/maps.h
@ -117,5 +117,7 @@ BPF_LRU_HASH(openssl_read_context, __u64, struct ssl_info);
 BPF_HASH(goid_offsets_map, __u32, struct goid_offsets);
 BPF_LRU_HASH(go_write_context, __u64, struct ssl_info);
 BPF_LRU_HASH(go_read_context, __u64, struct ssl_info);
+// New map for debug. Used to pass fd from syscall read/write to tcp send/recieve msg
+BPF_LRU_HASH(pid_tgid_to_fd, __u64, __u32);

 #endif /* __MAPS__ */
--- a/tap/tlstapper/bpf/tcp_kprobes.c
+++ b/tap/tlstapper/bpf/tcp_kprobes.c
@ -11,6 +11,20 @@ static __always_inline void tcp_kprobe(struct pt_regs *ctx, struct bpf_map_def *
 	__u64 id = bpf_get_current_pid_tgid();
 	__u32 pid = id >> 32;

+	// Get fd (from syscall read/write). Use it to flip a bit flag in file_descriptor_to_ipv4
+	// Why? For an unknown reason we don't see debug prints here from Go programs, only from openssl.
+	// However, we do know that the tcp_sendmsg and tcp_recvmsg are used by Go. We saw it with perf and with bpftrace.
+	// Trying to understand if the debug prints are a false negative by making some effect here and printing it
+	// somewhere else. We set a bit in fdinfo.flags and print it in output_ssl_chunk.
+	__u32 *fd = bpf_map_lookup_elem(&pid_tgid_to_fd, &id);
+	if (fd != NULL) {
+		__u64 key = (__u64) pid << 32 | *fd;
+		struct fd_info *fdinfo = bpf_map_lookup_elem(&file_descriptor_to_ipv4, &key);
+		if (fdinfo != NULL) {
+			fdinfo->flags = fdinfo->flags | (1 << 2);
+		}
+	}
+
 	if (!should_tap(id >> 32)) {
 		return;
 	}