mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-08-19 00:49:35 +00:00
2ad4838cf5
* Run `go generate tls_tapper.go` * Add `golang_uprobes.c` * Add Golang hooks and offsets * Add `golangConnection` struct and implement `pollGolangReadWrite` method * Upgrade `github.com/cilium/ebpf` version to `v0.8.1` * Fix the linter error * Move map related stuff to `maps.h` and run `go generate tls_tapper.go` * Remove unused parameter * Add an environment variable to test Golang locally * Replace `Libssl` occurrences with `Ssllib` for consistency * Fix exe path finding * Temporarily disable OpenSSL * Fix the mixed offsets and dissection preparation * Change the read symbol from `net/http.(*persistConn).Read` to `crypto/tls.(*Conn).Read` * Remove `len` and `cap` fields * Fix the indent * Fix the read data address * Make `golang_dial_writes` key `__u64` and include the PID * Fix the read data address one more time * Temporarily disable the PCAP capture * Add a uprobe for `net/http.(*gzipReader).Read` to read chunked HTTP response body * Cancel `golang_crypto_tls_read_uprobe` if it's a gzip read * Make hash map names more meaningful * Pass the connection address from `write` to `gzip` through a common address between `gzip` and `dial` * Fix the probed line number links * Add `golangReader` struct and implement its `Read` method * Have a single counter pair and request response matcher per Golang connection * Add `MIZU_GLOBAL_GOLANG_PATH` environment variable * `NULL` terminate the bytes with `unix.ByteSliceToString` * Temporarily reject the gzip chunks * Add malformed TODOs * Revert "`NULL` terminate the bytes with `unix.ByteSliceToString`" This reverts commit7ee7ef7e44. * Bring back `len` and `cap` fields * Set `len` and `cap` in `golang_net_http_gzipreader_read_uprobe` as well * Remove two `TODO`s * Fix the `key_gzip` offsets * Compress if it's gzip chunk (probably wrong!) * Revert "Compress if it's gzip chunk (probably wrong!)" This reverts commit094a7c3da4. * Remove `golang_net_http_gzipreader_read_uprobe` * Read constant 4KiB * Use constant read length * Get the correct len of bytes (saw the second entry) * Set all buffer sizes to `CHUNK_SIZE` * Remove a `TODO` * Revert "Temporarily disable the PCAP capture" This reverts commita2da15ef2d. * Update `golang_crypto_tls_read_uprobe` * Set the `reader` field of `tlsStream` to fix a `nil pointer dereference` error * Don't export any fields of `golangConnection` * Close the reader when we drop the connection * Add a tracepoint for `sys_enter_close` to detect socket closes * Rename `socket` struct to `golang_socket` * Call `should_tap` in Golang uprobes * Add `log_error` calls * Revert "Temporarily disable OpenSSL" This reverts commitf54d9a453f. * Fix linter * Revert "Revert "Temporarily disable OpenSSL"" This reverts commit2433d867af. * Change `golang_read_writes` map type from `BPF_RINGBUF` to `BPF_PERF_OUTPUT` * Rename `golang_read_write` to `golang_event` * Define an error * Add comments * Revert "Revert "Revert "Temporarily disable OpenSSL""" This reverts commite5a1de9c71. * Fix `pollGolang` * Revert "Revert "Revert "Revert "Temporarily disable OpenSSL"""" This reverts commit6e1bd5d4f3. * Fix `panic: send on closed channel` * Revert "Revert "Revert "Revert "Revert "Temporarily disable OpenSSL""""" This reverts commit57d0584655. * Use `findLibraryByPid` * Revert "Revert "Revert "Revert "Revert "Revert "Temporarily disable OpenSSL"""""" This reverts commit46f3d290b0. * Revert "Revert "Revert "Revert "Revert "Revert "Revert "Temporarily disable OpenSSL""""""" This reverts commit775c833c06. * Log tapping Golang * Fix `Poll` * Refactor `golang_net_http_dialconn_uprobe` * Remove an excess error check * Fix `can only use path@version syntax with 'go get' and 'go install' in module-aware mode` error in `tap/tlstapper/bpf-builder/build.sh` * Unify Golang and OpenSSL under a single perf event buffer and `tls_chunk` struct * Generate `tlsTapperChunkType` type (enum) as well * Use kernel page size for the `sys_closes` perf buffer * Fix the linter error * Fix `MIZU_GLOBAL_GOLANG_PID` environment variable's functionality * Rely on tracepoints for file descriptor retrieval in Golang implementation * Remove the unnecessary changes * Move common functions into `common.c` * Declare `lookup_ssl_info` function to reduce duplication * Fix linter * Add comments and TODOs * Remove `MIZU_GLOBAL_GOLANG_PATH` environment variable * Update the object files * Fix indentation * Update object files * Add `go_abi_internal.h` * Fix `lookup_ssl_info` * Convert indentation to spaces * Add header guard comment * Add more comments * Find the `ret` instructions using Capstone Engine and `uprobe` the `return` statements * Implement `get_fd_from_tcp_conn` function * Separate SSL contexts to OpenSSL and Go * Move `get_count_bytes` from `common.c` to `openssl_uprobes.c` * Rename everything contains Golang to Go * Reduce duplication in `go_uprobes.c` * Update the comments * Install Capstone in CI and Docker native builds * Update `devops/install-capstone.sh` * Add Capstone to AArch64 cross-compilation target * Fix some of the issues on ARM64 * Delete the map element in `_ex_urpobe` * Remove an unsued `LOG_` macro * Rename `aquynh` to `capstone-engine` * Add comment * Revert "Fix some of the issues on ARM64" This reverts commit0b3eceddf4. * Revert "Revert "Fix some of the issues on ARM64"" This reverts commit681534ada1. * Update object files * Remove unnecessary return * Increase timeout * #run_acceptance_tests * #run_acceptance_tests * Fix the `arm64v8` sourced builds * #run_acceptance_tests
147 lines
4.1 KiB
C
147 lines
4.1 KiB
C
/*
|
|
Note: This file is licenced differently from the rest of the project
|
|
SPDX-License-Identifier: GPL-2.0
|
|
Copyright (C) UP9 Inc.
|
|
*/
|
|
|
|
#include "include/headers.h"
|
|
#include "include/util.h"
|
|
#include "include/maps.h"
|
|
#include "include/log.h"
|
|
#include "include/logger_messages.h"
|
|
#include "include/pids.h"
|
|
#include "include/common.h"
|
|
|
|
|
|
static __always_inline int get_count_bytes(struct pt_regs *ctx, struct ssl_info* info, __u64 id) {
|
|
int returnValue = PT_REGS_RC(ctx);
|
|
|
|
if (info->count_ptr == NULL) {
|
|
// ssl_read and ssl_write return the number of bytes written/read
|
|
//
|
|
return returnValue;
|
|
}
|
|
|
|
// ssl_read_ex and ssl_write_ex return 1 for success
|
|
//
|
|
if (returnValue != 1) {
|
|
return 0;
|
|
}
|
|
|
|
// ssl_read_ex and ssl_write_ex write the number of bytes to an arg named *count
|
|
//
|
|
size_t countBytes;
|
|
long err = bpf_probe_read(&countBytes, sizeof(size_t), (void*) info->count_ptr);
|
|
|
|
if (err != 0) {
|
|
log_error(ctx, LOG_ERROR_READING_BYTES_COUNT, id, err, 0l);
|
|
return 0;
|
|
}
|
|
|
|
return countBytes;
|
|
}
|
|
|
|
static __always_inline void ssl_uprobe(struct pt_regs *ctx, void* ssl, void* buffer, int num, struct bpf_map_def* map_fd, size_t *count_ptr) {
|
|
__u64 id = bpf_get_current_pid_tgid();
|
|
|
|
if (!should_tap(id >> 32)) {
|
|
return;
|
|
}
|
|
|
|
struct ssl_info *infoPtr = bpf_map_lookup_elem(map_fd, &id);
|
|
struct ssl_info info = lookup_ssl_info(ctx, &openssl_write_context, id);
|
|
|
|
info.count_ptr = count_ptr;
|
|
info.buffer = buffer;
|
|
|
|
long err = bpf_map_update_elem(map_fd, &id, &info, BPF_ANY);
|
|
|
|
if (err != 0) {
|
|
log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, id, err, 0l);
|
|
}
|
|
}
|
|
|
|
static __always_inline void ssl_uretprobe(struct pt_regs *ctx, struct bpf_map_def* map_fd, __u32 flags) {
|
|
__u64 id = bpf_get_current_pid_tgid();
|
|
|
|
if (!should_tap(id >> 32)) {
|
|
return;
|
|
}
|
|
|
|
struct ssl_info *infoPtr = bpf_map_lookup_elem(map_fd, &id);
|
|
|
|
if (infoPtr == NULL) {
|
|
log_error(ctx, LOG_ERROR_GETTING_SSL_CONTEXT, id, 0l, 0l);
|
|
return;
|
|
}
|
|
|
|
struct ssl_info info;
|
|
long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr);
|
|
|
|
// Do not clean map on purpose, sometimes there are two calls to ssl_read in a raw
|
|
// while the first call actually goes to read from socket, and we get the chance
|
|
// to find the fd. The other call already have all the information and we don't
|
|
// have the chance to get the fd.
|
|
//
|
|
// There are two risks keeping the map items
|
|
// 1. It gets full - we solve it by using BPF_MAP_TYPE_LRU_HASH with hard limit
|
|
// 2. We get wrong info of an old call - we solve it by comparing the timestamp
|
|
// info before using it
|
|
//
|
|
// bpf_map_delete_elem(map_fd, &id);
|
|
|
|
if (err != 0) {
|
|
log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, id, err, ORIGIN_SSL_URETPROBE_CODE);
|
|
return;
|
|
}
|
|
|
|
if (info.fd == invalid_fd) {
|
|
log_error(ctx, LOG_ERROR_MISSING_FILE_DESCRIPTOR, id, 0l, 0l);
|
|
return;
|
|
}
|
|
|
|
int count_bytes = get_count_bytes(ctx, &info, id);
|
|
|
|
output_ssl_chunk(ctx, &info, count_bytes, id, flags);
|
|
}
|
|
|
|
SEC("uprobe/ssl_write")
|
|
void BPF_KPROBE(ssl_write, void* ssl, void* buffer, int num) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_write_context, 0);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_write")
|
|
void BPF_KPROBE(ssl_ret_write) {
|
|
ssl_uretprobe(ctx, &openssl_write_context, 0);
|
|
}
|
|
|
|
SEC("uprobe/ssl_read")
|
|
void BPF_KPROBE(ssl_read, void* ssl, void* buffer, int num) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_read_context, 0);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_read")
|
|
void BPF_KPROBE(ssl_ret_read) {
|
|
ssl_uretprobe(ctx, &openssl_read_context, FLAGS_IS_READ_BIT);
|
|
}
|
|
|
|
SEC("uprobe/ssl_write_ex")
|
|
void BPF_KPROBE(ssl_write_ex, void* ssl, void* buffer, size_t num, size_t *written) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_write_context, written);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_write_ex")
|
|
void BPF_KPROBE(ssl_ret_write_ex) {
|
|
ssl_uretprobe(ctx, &openssl_write_context, 0);
|
|
}
|
|
|
|
SEC("uprobe/ssl_read_ex")
|
|
void BPF_KPROBE(ssl_read_ex, void* ssl, void* buffer, size_t num, size_t *readbytes) {
|
|
ssl_uprobe(ctx, ssl, buffer, num, &openssl_read_context, readbytes);
|
|
}
|
|
|
|
SEC("uretprobe/ssl_read_ex")
|
|
void BPF_KPROBE(ssl_ret_read_ex) {
|
|
ssl_uretprobe(ctx, &openssl_read_context, FLAGS_IS_READ_BIT);
|
|
}
|