github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-07-22 20:13:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make golang_dial_writes key __u64 and include the PID

Browse Source
This commit is contained in:
M. Mert Yildiran 2022-05-31 15:20:38 +03:00
parent 0e5571e156
commit 9314126fb6
No known key found for this signature in database
GPG Key ID: D42ADB236521BF7A
4 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
tap/tlstapper/bpf/golang_uprobes.c
View File

@ -26,6 +26,8 @@ const struct golang_read_write *unused __attribute__((unused));
SEC("uprobe/golang_crypto_tls_write") SEC("uprobe/golang_crypto_tls_write")
static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) { static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
void* stack_addr = (void*)ctx->rsp; void* stack_addr = (void*)ctx->rsp;
__u64 pid_tgid = bpf_get_current_pid_tgid();
__u64 pid = pid_tgid >> 32;
__u32 key_dial; __u32 key_dial;
// Address at ctx->rsp + 0x20 is common between golang_crypto_tls_write_uprobe and golang_net_http_dialconn_uprobe // Address at ctx->rsp + 0x20 is common between golang_crypto_tls_write_uprobe and golang_net_http_dialconn_uprobe
__u32 status = bpf_probe_read(&key_dial, sizeof(key_dial), stack_addr + 0x20); __u32 status = bpf_probe_read(&key_dial, sizeof(key_dial), stack_addr + 0x20);
@ -34,7 +36,8 @@ static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
return 0; return 0;
} }
struct socket *s = bpf_map_lookup_elem(&golang_dial_writes, &key_dial); __u64 key_dial_full = (pid << 32) + key_dial;
struct socket *s = bpf_map_lookup_elem(&golang_dial_writes, &key_dial_full);
if (s == NULL) { if (s == NULL) {
bpf_printk("[golang_crypto_tls_write_uprobe] error getting socket"); bpf_printk("[golang_crypto_tls_write_uprobe] error getting socket");
return 0; return 0;
@ -46,8 +49,7 @@ static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
return 0; return 0;
} }
__u64 pid_tgid = bpf_get_current_pid_tgid(); b->pid = pid;
b->pid = pid_tgid >> 32;
b->fd = s->fd; b->fd = s->fd;
// ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_crypto_tls_read_uprobe // ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_crypto_tls_read_uprobe
b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address
@ -105,7 +107,8 @@ static __always_inline int golang_net_socket_uprobe(struct pt_regs *ctx) {
struct socket b = { .pid = s->pid, .fd = ctx->rax, .key_dial = s->key_dial }; struct socket b = { .pid = s->pid, .fd = ctx->rax, .key_dial = s->key_dial };
__u32 status = bpf_map_update_elem(&golang_dial_writes, &s->key_dial, &b, BPF_ANY); __u64 key_dial_full = (pid << 32) + s->key_dial;
__u32 status = bpf_map_update_elem(&golang_dial_writes, &key_dial_full, &b, BPF_ANY);
if (status != 0) { if (status != 0) {
bpf_printk("[golang_net_socket_uprobe] error updating socket file descriptor: %d", status); bpf_printk("[golang_net_socket_uprobe] error updating socket file descriptor: %d", status);
} }

4
tap/tlstapper/bpf/include/maps.h
View File

@ -56,7 +56,7 @@ struct fd_info {
struct socket { struct socket {
__u32 pid; __u32 pid;
__u32 fd; __u32 fd;
__u32 key_dial; __u64 key_dial;
}; };
#define BPF_MAP(_name, _type, _key_type, _value_type, _max_entries) \ #define BPF_MAP(_name, _type, _key_type, _value_type, _max_entries) \
@ -90,7 +90,7 @@ BPF_PERF_OUTPUT(chunks_buffer);
BPF_PERF_OUTPUT(log_buffer); BPF_PERF_OUTPUT(log_buffer);
BPF_LRU_HASH(golang_socket_dials, __u64, struct socket); BPF_LRU_HASH(golang_socket_dials, __u64, struct socket);
BPF_LRU_HASH(golang_dial_writes, __u32, struct socket); BPF_LRU_HASH(golang_dial_writes, __u64, struct socket);
BPF_RINGBUF(golang_read_writes); BPF_RINGBUF(golang_read_writes);
#endif /* __MAPS__ */ #endif /* __MAPS__ */

BIN
tap/tlstapper/tlstapper_bpfeb.o
View File

Binary file not shown.

BIN
tap/tlstapper/tlstapper_bpfel.o
View File

Binary file not shown.