diff --git a/agent/go.mod b/agent/go.mod index 061bd3502..52b2586a5 100644 --- a/agent/go.mod +++ b/agent/go.mod @@ -85,6 +85,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.14.2 // indirect + github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e // indirect github.com/leodido/go-urn v1.2.1 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/mailru/easyjson v0.7.7 // indirect diff --git a/agent/go.sum b/agent/go.sum index aaeb2dffd..6464e82aa 100644 --- a/agent/go.sum +++ b/agent/go.sum @@ -457,6 +457,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/klauspost/compress v1.9.8/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.14.2 h1:S0OHlFk/Gbon/yauFJ4FfJJF5V0fc5HbBTJazi28pRw= github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e h1:6J5obSn9umEThiYzWzndcPOZR0Qj/sVCZpH6V1G7yNE= +github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e/go.mod h1:1K5hEzsMBLTPdRJKEHqBFJ8Zt2VRqDhomcQ11KH0WW4= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= diff --git a/devops/install-capstone.sh b/devops/install-capstone.sh new file mode 100755 index 000000000..64d1c5056 --- /dev/null +++ b/devops/install-capstone.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +git clone https://github.com/capstone-engine/capstone.git -b 4.0.2 && \ +git checkout capstone && \ +./make.sh && \ +sudo ./make.sh install diff --git a/tap/go.mod b/tap/go.mod index 519c4b8bf..b3390fe0c 100644 --- a/tap/go.mod +++ b/tap/go.mod @@ -8,6 +8,7 @@ require ( github.com/go-errors/errors v1.4.2 github.com/google/gopacket v1.1.19 github.com/hashicorp/golang-lru v0.5.4 + github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e github.com/shirou/gopsutil v3.21.11+incompatible github.com/struCoder/pidusage v0.2.1 github.com/up9inc/mizu/logger v0.0.0 diff --git a/tap/go.sum b/tap/go.sum index b73141db4..d57e92ed0 100644 --- a/tap/go.sum +++ b/tap/go.sum @@ -83,6 +83,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e h1:6J5obSn9umEThiYzWzndcPOZR0Qj/sVCZpH6V1G7yNE= +github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e/go.mod h1:1K5hEzsMBLTPdRJKEHqBFJ8Zt2VRqDhomcQ11KH0WW4= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= diff --git a/tap/tlstapper/bpf/golang_uprobes.c b/tap/tlstapper/bpf/golang_uprobes.c index dbea1751c..de274658b 100644 --- a/tap/tlstapper/bpf/golang_uprobes.c +++ b/tap/tlstapper/bpf/golang_uprobes.c @@ -19,11 +19,12 @@ If stack size exceeds 2Kb, Go runtime reallocates the stack. That causes the return address to become wrong in case of `uretprobe` and probed Go program crashes. Therefore `uretprobe` CAN'T BE USED for a Go program. -`golang_crypto_tls_read_uprobe` suppose to be `uretprobe` is actually a `uprobe` because of the ABI problems -and we probe an arbitrary point in a function body (offset +559): +`_ex_uprobe` suffixed probes suppose to be `uretprobe`(s) are actually `uprobe`(s) +because of the non-standard ABI of Go. Therefore we probe `ret` mnemonics under the symbol +by automatically finding them through reading the ELF binary and disassembling the symbols. +Disassembly related code located in `golang_offsets.go` file. +Example: We probe an arbitrary point in a function body (offset +559): https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1296 -Therefore `golang_crypto_tls_read_uprobe` is fragile any changes in `crypto/tls` library -and it's only tested on x86-64. --- @@ -69,6 +70,31 @@ static int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) { log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l); } + return 0; +} + +SEC("uprobe/golang_crypto_tls_write_ex") +static int golang_crypto_tls_write_ex_uprobe(struct pt_regs *ctx) { + __u64 pid_tgid = bpf_get_current_pid_tgid(); + __u64 pid = pid_tgid >> 32; + if (!should_tap(pid)) { + return 0; + } + + struct ssl_info *info_ptr = bpf_map_lookup_elem(&ssl_write_context, &pid_tgid); + + if (info_ptr == NULL) { + return 0; + } + + struct ssl_info info; + long err = bpf_probe_read(&info, sizeof(struct ssl_info), info_ptr); + + if (err != 0) { + log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_URETPROBE_CODE); + return 0; + } + output_ssl_chunk(ctx, &info, info.buffer_len, pid_tgid, 0); return 0; @@ -82,19 +108,10 @@ static int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) { return 0; } - void* stack_addr = (void*)GO_ABI_INTERNAL_PT_REGS_SP(ctx); - __u64 data_p; - // Address at stack pointer + 0xd8 holds the data (*fragile* and probably specific to x86-64) - __u32 status = bpf_probe_read(&data_p, sizeof(data_p), stack_addr + 0xd8); - if (status < 0) { - log_error(ctx, LOG_ERROR_GOLANG_READ_READING_DATA_POINTER, pid_tgid, status, 0l); - return 0; - } - struct ssl_info info = lookup_ssl_info(ctx, &ssl_read_context, pid_tgid); info.buffer_len = GO_ABI_INTERNAL_PT_REGS_R2(ctx); - info.buffer = (void*)data_p; + info.buffer = (void*)GO_ABI_INTERNAL_PT_REGS_R4(ctx); long err = bpf_map_update_elem(&ssl_read_context, &pid_tgid, &info, BPF_ANY); @@ -102,6 +119,31 @@ static int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) { log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l); } + return 0; +} + +SEC("uprobe/golang_crypto_tls_read_ex") +static int golang_crypto_tls_read_ex_uprobe(struct pt_regs *ctx) { + __u64 pid_tgid = bpf_get_current_pid_tgid(); + __u64 pid = pid_tgid >> 32; + if (!should_tap(pid)) { + return 0; + } + + struct ssl_info *info_ptr = bpf_map_lookup_elem(&ssl_read_context, &pid_tgid); + + if (info_ptr == NULL) { + return 0; + } + + struct ssl_info info; + long err = bpf_probe_read(&info, sizeof(struct ssl_info), info_ptr); + + if (err != 0) { + log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_URETPROBE_CODE); + return 0; + } + output_ssl_chunk(ctx, &info, info.buffer_len, pid_tgid, FLAGS_IS_READ_BIT); return 0; diff --git a/tap/tlstapper/golang_hooks.go b/tap/tlstapper/golang_hooks.go index 25f5ff551..e6ef28be1 100644 --- a/tap/tlstapper/golang_hooks.go +++ b/tap/tlstapper/golang_hooks.go @@ -6,8 +6,10 @@ import ( ) type golangHooks struct { - golangWriteProbe link.Link - golangReadProbe link.Link + golangWriteProbe link.Link + golangWriteExProbes []link.Link + golangReadProbe link.Link + golangReadExProbes []link.Link } func (s *golangHooks) installUprobes(bpfObjects *tlsTapperObjects, filePath string) error { @@ -32,23 +34,45 @@ func (s *golangHooks) installHooks(bpfObjects *tlsTapperObjects, ex *link.Execut // Symbol points to // [`crypto/tls.(*Conn).Write`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1099) s.golangWriteProbe, err = ex.Uprobe(golangWriteSymbol, bpfObjects.GolangCryptoTlsWriteUprobe, &link.UprobeOptions{ - Offset: offsets.GolangWriteOffset, + Offset: offsets.GolangWriteOffset.enter, }) if err != nil { return errors.Wrap(err, 0) } - // Relative offset points to - // [`crypto/tls.(*Conn).Read+559`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1296) - s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, &link.UprobeOptions{ - Offset: offsets.GolangReadOffset + 0x22f, - }) + for _, offset := range offsets.GolangWriteOffset.exits { + probe, err := ex.Uprobe(golangWriteSymbol, bpfObjects.GolangCryptoTlsWriteExUprobe, &link.UprobeOptions{ + Offset: offset, + }) + + if err != nil { + return errors.Wrap(err, 0) + } + + s.golangWriteExProbes = append(s.golangWriteExProbes, probe) + } + + // Symbol points to + // [`crypto/tls.(*Conn).Read`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1263) + s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, nil) if err != nil { return errors.Wrap(err, 0) } + for _, offset := range offsets.GolangReadOffset.exits { + probe, err := ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadExUprobe, &link.UprobeOptions{ + Offset: offset, + }) + + if err != nil { + return errors.Wrap(err, 0) + } + + s.golangReadExProbes = append(s.golangReadExProbes, probe) + } + return nil } @@ -59,9 +83,21 @@ func (s *golangHooks) close() []error { errors = append(errors, err) } + for _, probe := range s.golangWriteExProbes { + if err := probe.Close(); err != nil { + errors = append(errors, err) + } + } + if err := s.golangReadProbe.Close(); err != nil { errors = append(errors, err) } + for _, probe := range s.golangReadExProbes { + if err := probe.Close(); err != nil { + errors = append(errors, err) + } + } + return errors } diff --git a/tap/tlstapper/golang_offsets.go b/tap/tlstapper/golang_offsets.go index 1b46f993f..9b5835e95 100644 --- a/tap/tlstapper/golang_offsets.go +++ b/tap/tlstapper/golang_offsets.go @@ -8,11 +8,17 @@ import ( "github.com/Masterminds/semver" "github.com/cilium/ebpf/link" + "github.com/knightsc/gapstone" ) type golangOffsets struct { - GolangWriteOffset uint64 - GolangReadOffset uint64 + GolangWriteOffset *golangExtendedOffset + GolangReadOffset *golangExtendedOffset +} + +type golangExtendedOffset struct { + enter uint64 + exits []uint64 } const ( @@ -58,8 +64,17 @@ func findGolangOffsets(filePath string) (golangOffsets, error) { }, nil } -func getOffsets(filePath string) (offsets map[string]uint64, err error) { - offsets = make(map[string]uint64) +func getOffsets(filePath string) (offsets map[string]*golangExtendedOffset, err error) { + var engine gapstone.Engine + engine, err = gapstone.New( + gapstone.CS_ARCH_X86, + gapstone.CS_MODE_64, + ) + if err != nil { + return + } + + offsets = make(map[string]*golangExtendedOffset) var fd *os.File fd, err = os.Open(filePath) if err != nil { @@ -70,34 +85,85 @@ func getOffsets(filePath string) (offsets map[string]uint64, err error) { var se *elf.File se, err = elf.NewFile(fd) if err != nil { - return nil, err + return + } + + textSection := se.Section(".text") + if textSection == nil { + err = fmt.Errorf("No text section") + return + } + + // extract the raw bytes from the .text section + var textSectionData []byte + textSectionData, err = textSection.Data() + if err != nil { + return } syms, err := se.Symbols() for _, sym := range syms { offset := sym.Value + var lastProg *elf.Prog for _, prog := range se.Progs { if prog.Vaddr <= sym.Value && sym.Value < (prog.Vaddr+prog.Memsz) { offset = sym.Value - prog.Vaddr + prog.Off + lastProg = prog break } } - offsets[sym.Name] = offset + extendedOffset := &golangExtendedOffset{enter: offset} + + // source: https://gist.github.com/grantseltzer/3efa8ecc5de1fb566e8091533050d608 + // skip over any symbols that aren't functinons/methods + if sym.Info != byte(2) && sym.Info != byte(18) { + offsets[sym.Name] = extendedOffset + continue + } + + // skip over empty symbols + if sym.Size == 0 { + offsets[sym.Name] = extendedOffset + continue + } + + // calculate starting and ending index of the symbol within the text section + symStartingIndex := sym.Value - textSection.Addr + symEndingIndex := symStartingIndex + sym.Size + + // collect the bytes of the symbol + symBytes := textSectionData[symStartingIndex:symEndingIndex] + + // disasemble the symbol + var instructions []gapstone.Instruction + instructions, err = engine.Disasm(symBytes, sym.Value, 0) + if err != nil { + return + } + + // iterate over each instruction and if the mnemonic is `ret` then that's an exit offset + for _, ins := range instructions { + if ins.Mnemonic == "ret" { + extendedOffset.exits = append(extendedOffset.exits, uint64(ins.Address)-lastProg.Vaddr+lastProg.Off) + } + } + + offsets[sym.Name] = extendedOffset } return } -func getOffset(offsets map[string]uint64, symbol string) (uint64, error) { +func getOffset(offsets map[string]*golangExtendedOffset, symbol string) (*golangExtendedOffset, error) { if offset, ok := offsets[symbol]; ok { return offset, nil } - return 0, fmt.Errorf("symbol %s: %w", symbol, link.ErrNoSymbol) + return nil, fmt.Errorf("symbol %s: %w", symbol, link.ErrNoSymbol) } -func checkGoVersion(filePath string, offset uint64) (bool, string, error) { +func checkGoVersion(filePath string, offset *golangExtendedOffset) (bool, string, error) { fd, err := os.Open(filePath) if err != nil { return false, "", err @@ -106,7 +172,7 @@ func checkGoVersion(filePath string, offset uint64) (bool, string, error) { reader := bufio.NewReader(fd) - _, err = reader.Discard(int(offset)) + _, err = reader.Discard(int(offset.enter)) if err != nil { return false, "", err } diff --git a/tap/tlstapper/tls_reader.go b/tap/tlstapper/tls_reader.go index b4b8ba5c2..88c65ee56 100644 --- a/tap/tlstapper/tls_reader.go +++ b/tap/tlstapper/tls_reader.go @@ -42,7 +42,7 @@ func (r *tlsReader) Read(p []byte) (int, error) { } r.data = chunk.getRecordedData() - case <-time.After(time.Second * 3): + case <-time.After(time.Second * 120): r.doneHandler(r) return 0, io.EOF } diff --git a/tap/tlstapper/tlstapper_bpfeb.go b/tap/tlstapper/tlstapper_bpfeb.go index 4abbc728f..f06e78d9f 100644 --- a/tap/tlstapper/tlstapper_bpfeb.go +++ b/tap/tlstapper/tlstapper_bpfeb.go @@ -66,22 +66,24 @@ type tlsTapperSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type tlsTapperProgramSpecs struct { - GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"` - GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"` - SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"` - SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"` - SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"` - SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"` - SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"` - SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"` - SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"` - SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"` - SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"` - SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"` - SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"` - SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"` - SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"` - SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` + GolangCryptoTlsReadExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_ex_uprobe"` + GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"` + GolangCryptoTlsWriteExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_ex_uprobe"` + GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"` + SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"` + SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"` + SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"` + SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"` + SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"` + SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"` + SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"` + SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"` + SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"` + SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"` + SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"` + SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"` + SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"` + SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` } // tlsTapperMapSpecs contains maps before they are loaded into the kernel. @@ -147,27 +149,31 @@ func (m *tlsTapperMaps) Close() error { // // It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign. type tlsTapperPrograms struct { - GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"` - GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"` - SslRead *ebpf.Program `ebpf:"ssl_read"` - SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"` - SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"` - SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"` - SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"` - SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"` - SslWrite *ebpf.Program `ebpf:"ssl_write"` - SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"` - SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"` - SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"` - SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"` - SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"` - SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"` - SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` + GolangCryptoTlsReadExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_ex_uprobe"` + GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"` + GolangCryptoTlsWriteExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_ex_uprobe"` + GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"` + SslRead *ebpf.Program `ebpf:"ssl_read"` + SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"` + SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"` + SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"` + SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"` + SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"` + SslWrite *ebpf.Program `ebpf:"ssl_write"` + SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"` + SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"` + SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"` + SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"` + SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"` + SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"` + SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` } func (p *tlsTapperPrograms) Close() error { return _TlsTapperClose( + p.GolangCryptoTlsReadExUprobe, p.GolangCryptoTlsReadUprobe, + p.GolangCryptoTlsWriteExUprobe, p.GolangCryptoTlsWriteUprobe, p.SslRead, p.SslReadEx, diff --git a/tap/tlstapper/tlstapper_bpfeb.o b/tap/tlstapper/tlstapper_bpfeb.o index 27814d0ea..dc68c18f4 100644 Binary files a/tap/tlstapper/tlstapper_bpfeb.o and b/tap/tlstapper/tlstapper_bpfeb.o differ diff --git a/tap/tlstapper/tlstapper_bpfel.go b/tap/tlstapper/tlstapper_bpfel.go index 6a6a2f836..f1bbebe8d 100644 --- a/tap/tlstapper/tlstapper_bpfel.go +++ b/tap/tlstapper/tlstapper_bpfel.go @@ -66,22 +66,24 @@ type tlsTapperSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type tlsTapperProgramSpecs struct { - GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"` - GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"` - SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"` - SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"` - SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"` - SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"` - SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"` - SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"` - SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"` - SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"` - SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"` - SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"` - SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"` - SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"` - SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"` - SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` + GolangCryptoTlsReadExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_ex_uprobe"` + GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"` + GolangCryptoTlsWriteExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_ex_uprobe"` + GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"` + SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"` + SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"` + SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"` + SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"` + SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"` + SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"` + SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"` + SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"` + SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"` + SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"` + SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"` + SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"` + SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"` + SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` } // tlsTapperMapSpecs contains maps before they are loaded into the kernel. @@ -147,27 +149,31 @@ func (m *tlsTapperMaps) Close() error { // // It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign. type tlsTapperPrograms struct { - GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"` - GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"` - SslRead *ebpf.Program `ebpf:"ssl_read"` - SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"` - SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"` - SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"` - SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"` - SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"` - SslWrite *ebpf.Program `ebpf:"ssl_write"` - SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"` - SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"` - SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"` - SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"` - SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"` - SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"` - SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` + GolangCryptoTlsReadExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_ex_uprobe"` + GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"` + GolangCryptoTlsWriteExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_ex_uprobe"` + GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"` + SslRead *ebpf.Program `ebpf:"ssl_read"` + SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"` + SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"` + SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"` + SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"` + SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"` + SslWrite *ebpf.Program `ebpf:"ssl_write"` + SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"` + SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"` + SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"` + SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"` + SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"` + SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"` + SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` } func (p *tlsTapperPrograms) Close() error { return _TlsTapperClose( + p.GolangCryptoTlsReadExUprobe, p.GolangCryptoTlsReadUprobe, + p.GolangCryptoTlsWriteExUprobe, p.GolangCryptoTlsWriteUprobe, p.SslRead, p.SslReadEx, diff --git a/tap/tlstapper/tlstapper_bpfel.o b/tap/tlstapper/tlstapper_bpfel.o index 7858e50cf..d7ae2eef2 100644 Binary files a/tap/tlstapper/tlstapper_bpfel.o and b/tap/tlstapper/tlstapper_bpfel.o differ