mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-08-05 02:31:07 +00:00
149 lines
4.0 KiB
C
149 lines
4.0 KiB
C
/*
|
|
Note: This file is licenced differently from the rest of the project
|
|
SPDX-License-Identifier: GPL-2.0
|
|
Copyright (C) UP9 Inc.
|
|
*/
|
|
|
|
#include "include/headers.h"
|
|
#include "include/util.h"
|
|
#include "include/maps.h"
|
|
#include "include/log.h"
|
|
#include "include/logger_messages.h"
|
|
#include "include/pids.h"
|
|
#include "include/common.h"
|
|
|
|
|
|
static __always_inline int get_count_bytes(struct pt_regs *ctx, struct ssl_info* info, __u64 id) {
|
|
int returnValue = PT_REGS_RC(ctx);
|
|
|
|
if (info->count_ptr == NULL) {
|
|
// ssl_read and ssl_write return the number of bytes written/read
|
|
//
|
|
return returnValue;
|
|
}
|
|
|
|
// ssl_read_ex and ssl_write_ex return 1 for success
|
|
//
|
|
if (returnValue != 1) {
|
|
return 0;
|
|
}
|
|
|
|
// ssl_read_ex and ssl_write_ex write the number of bytes to an arg named *count
|
|
//
|
|
size_t countBytes;
|
|
long err = bpf_probe_read(&countBytes, sizeof(size_t), (void*) info->count_ptr);
|
|
|
|
if (err != 0) {
|
|
log_error(ctx, LOG_ERROR_READING_BYTES_COUNT, id, err, 0l);
|
|
return 0;
|
|
}
|
|
|
|
return countBytes;
|
|
}
|
|
|
|
static __always_inline void ssl_uprobe(struct pt_regs *ctx, void* ssl, void* buffer, int num, struct bpf_map_def* map_fd, size_t *count_ptr) {
|
|
__u64 id = bpf_get_current_pid_tgid();
|
|
|
|
if (!should_tap(id >> 32)) {
|
|
return;
|
|
}
|
|
|
|
struct ssl_info info = lookup_ssl_info(ctx, map_fd, id);
|
|
|
|
info.count_ptr = count_ptr;
|
|
info.buffer = buffer;
|
|
|
|
long err = bpf_map_update_elem(map_fd, &id, &info, BPF_ANY);
|
|
|
|
if (err != 0) {
|
|
log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, id, err, 0l);
|
|
}
|
|
}
|
|
|
|
static __always_inline void ssl_uretprobe(struct pt_regs *ctx, struct bpf_map_def* map_fd, __u32 flags) {
|
|
__u64 id = bpf_get_current_pid_tgid();
|
|
|
|
if (!should_tap(id >> 32)) {
|
|
return;
|
|
}
|
|
|
|
struct ssl_info *infoPtr = bpf_map_lookup_elem(map_fd, &id);
|
|
|
|
if (infoPtr == NULL) {
|
|
log_error(ctx, LOG_ERROR_GETTING_SSL_CONTEXT, id, 0l, 0l);
|
|
return;
|
|
}
|
|
|
|
struct ssl_info info;
|
|
long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr);
|
|
|
|
// Do not clean map on purpose, sometimes there are two calls to ssl_read in a raw
|
|
// while the first call actually goes to read from socket, and we get the chance
|
|
// to find the fd. The other call already have all the information and we don't
|
|
// have the chance to get the fd.
|
|
//
|
|
// There are two risks keeping the map items
|
|
// 1. It gets full - we solve it by using BPF_MAP_TYPE_LRU_HASH with hard limit
|
|
// 2. We get wrong info of an old call - we solve it by comparing the timestamp
|
|
// info before using it
|
|
//
|
|
// bpf_map_delete_elem(map_fd, &id);
|
|
|
|
if (err != 0) {
|
|
log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, id, err, ORIGIN_SSL_URETPROBE_CODE);
|
|
return;
|
|
}
|
|
|
|
if (info.fd == invalid_fd) {
|
|
log_error(ctx, LOG_ERROR_MISSING_FILE_DESCRIPTOR, id, 0l, 0l);
|
|
return;
|
|
}
|
|
|
|
int count_bytes = get_count_bytes(ctx, &info, id);
|
|
if (count_bytes <= 0) {
|
|
return;
|
|
}
|
|
|
|
output_ssl_chunk(ctx, &info, count_bytes, id, flags);
|
|
}
|
|
|
|
SEC("uprobe/ssl_write")
|
|
void BPF_KPROBE(ssl_write, void* ssl, void* buffer, int num) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_write_context, 0);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_write")
|
|
void BPF_KPROBE(ssl_ret_write) {
|
|
ssl_uretprobe(ctx, &openssl_write_context, 0);
|
|
}
|
|
|
|
SEC("uprobe/ssl_read")
|
|
void BPF_KPROBE(ssl_read, void* ssl, void* buffer, int num) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_read_context, 0);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_read")
|
|
void BPF_KPROBE(ssl_ret_read) {
|
|
ssl_uretprobe(ctx, &openssl_read_context, FLAGS_IS_READ_BIT);
|
|
}
|
|
|
|
SEC("uprobe/ssl_write_ex")
|
|
void BPF_KPROBE(ssl_write_ex, void* ssl, void* buffer, size_t num, size_t *written) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_write_context, written);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_write_ex")
|
|
void BPF_KPROBE(ssl_ret_write_ex) {
|
|
ssl_uretprobe(ctx, &openssl_write_context, 0);
|
|
}
|
|
|
|
SEC("uprobe/ssl_read_ex")
|
|
void BPF_KPROBE(ssl_read_ex, void* ssl, void* buffer, size_t num, size_t *readbytes) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_read_context, readbytes);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_read_ex")
|
|
void BPF_KPROBE(ssl_ret_read_ex) {
|
|
ssl_uretprobe(ctx, &openssl_read_context, FLAGS_IS_READ_BIT);
|
|
}
|