mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-08-18 16:38:38 +00:00
2ad4838cf5
* Run `go generate tls_tapper.go` * Add `golang_uprobes.c` * Add Golang hooks and offsets * Add `golangConnection` struct and implement `pollGolangReadWrite` method * Upgrade `github.com/cilium/ebpf` version to `v0.8.1` * Fix the linter error * Move map related stuff to `maps.h` and run `go generate tls_tapper.go` * Remove unused parameter * Add an environment variable to test Golang locally * Replace `Libssl` occurrences with `Ssllib` for consistency * Fix exe path finding * Temporarily disable OpenSSL * Fix the mixed offsets and dissection preparation * Change the read symbol from `net/http.(*persistConn).Read` to `crypto/tls.(*Conn).Read` * Remove `len` and `cap` fields * Fix the indent * Fix the read data address * Make `golang_dial_writes` key `__u64` and include the PID * Fix the read data address one more time * Temporarily disable the PCAP capture * Add a uprobe for `net/http.(*gzipReader).Read` to read chunked HTTP response body * Cancel `golang_crypto_tls_read_uprobe` if it's a gzip read * Make hash map names more meaningful * Pass the connection address from `write` to `gzip` through a common address between `gzip` and `dial` * Fix the probed line number links * Add `golangReader` struct and implement its `Read` method * Have a single counter pair and request response matcher per Golang connection * Add `MIZU_GLOBAL_GOLANG_PATH` environment variable * `NULL` terminate the bytes with `unix.ByteSliceToString` * Temporarily reject the gzip chunks * Add malformed TODOs * Revert "`NULL` terminate the bytes with `unix.ByteSliceToString`" This reverts commit7ee7ef7e44. * Bring back `len` and `cap` fields * Set `len` and `cap` in `golang_net_http_gzipreader_read_uprobe` as well * Remove two `TODO`s * Fix the `key_gzip` offsets * Compress if it's gzip chunk (probably wrong!) * Revert "Compress if it's gzip chunk (probably wrong!)" This reverts commit094a7c3da4. * Remove `golang_net_http_gzipreader_read_uprobe` * Read constant 4KiB * Use constant read length * Get the correct len of bytes (saw the second entry) * Set all buffer sizes to `CHUNK_SIZE` * Remove a `TODO` * Revert "Temporarily disable the PCAP capture" This reverts commita2da15ef2d. * Update `golang_crypto_tls_read_uprobe` * Set the `reader` field of `tlsStream` to fix a `nil pointer dereference` error * Don't export any fields of `golangConnection` * Close the reader when we drop the connection * Add a tracepoint for `sys_enter_close` to detect socket closes * Rename `socket` struct to `golang_socket` * Call `should_tap` in Golang uprobes * Add `log_error` calls * Revert "Temporarily disable OpenSSL" This reverts commitf54d9a453f. * Fix linter * Revert "Revert "Temporarily disable OpenSSL"" This reverts commit2433d867af. * Change `golang_read_writes` map type from `BPF_RINGBUF` to `BPF_PERF_OUTPUT` * Rename `golang_read_write` to `golang_event` * Define an error * Add comments * Revert "Revert "Revert "Temporarily disable OpenSSL""" This reverts commite5a1de9c71. * Fix `pollGolang` * Revert "Revert "Revert "Revert "Temporarily disable OpenSSL"""" This reverts commit6e1bd5d4f3. * Fix `panic: send on closed channel` * Revert "Revert "Revert "Revert "Revert "Temporarily disable OpenSSL""""" This reverts commit57d0584655. * Use `findLibraryByPid` * Revert "Revert "Revert "Revert "Revert "Revert "Temporarily disable OpenSSL"""""" This reverts commit46f3d290b0. * Revert "Revert "Revert "Revert "Revert "Revert "Revert "Temporarily disable OpenSSL""""""" This reverts commit775c833c06. * Log tapping Golang * Fix `Poll` * Refactor `golang_net_http_dialconn_uprobe` * Remove an excess error check * Fix `can only use path@version syntax with 'go get' and 'go install' in module-aware mode` error in `tap/tlstapper/bpf-builder/build.sh` * Unify Golang and OpenSSL under a single perf event buffer and `tls_chunk` struct * Generate `tlsTapperChunkType` type (enum) as well * Use kernel page size for the `sys_closes` perf buffer * Fix the linter error * Fix `MIZU_GLOBAL_GOLANG_PID` environment variable's functionality * Rely on tracepoints for file descriptor retrieval in Golang implementation * Remove the unnecessary changes * Move common functions into `common.c` * Declare `lookup_ssl_info` function to reduce duplication * Fix linter * Add comments and TODOs * Remove `MIZU_GLOBAL_GOLANG_PATH` environment variable * Update the object files * Fix indentation * Update object files * Add `go_abi_internal.h` * Fix `lookup_ssl_info` * Convert indentation to spaces * Add header guard comment * Add more comments * Find the `ret` instructions using Capstone Engine and `uprobe` the `return` statements * Implement `get_fd_from_tcp_conn` function * Separate SSL contexts to OpenSSL and Go * Move `get_count_bytes` from `common.c` to `openssl_uprobes.c` * Rename everything contains Golang to Go * Reduce duplication in `go_uprobes.c` * Update the comments * Install Capstone in CI and Docker native builds * Update `devops/install-capstone.sh` * Add Capstone to AArch64 cross-compilation target * Fix some of the issues on ARM64 * Delete the map element in `_ex_urpobe` * Remove an unsued `LOG_` macro * Rename `aquynh` to `capstone-engine` * Add comment * Revert "Fix some of the issues on ARM64" This reverts commit0b3eceddf4. * Revert "Revert "Fix some of the issues on ARM64"" This reverts commit681534ada1. * Update object files * Remove unnecessary return * Increase timeout * #run_acceptance_tests * #run_acceptance_tests * Fix the `arm64v8` sourced builds * #run_acceptance_tests
166 lines
3.5 KiB
Go
166 lines
3.5 KiB
Go
package tlstapper
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/url"
|
|
"path"
|
|
"path/filepath"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/go-errors/errors"
|
|
"github.com/up9inc/mizu/logger"
|
|
v1 "k8s.io/api/core/v1"
|
|
)
|
|
|
|
var numberRegex = regexp.MustCompile("[0-9]+")
|
|
|
|
func UpdateTapTargets(tls *TlsTapper, pods *[]v1.Pod, procfs string) error {
|
|
containerIds := buildContainerIdsMap(pods)
|
|
containerPids, err := findContainerPids(procfs, containerIds)
|
|
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tls.ClearPids()
|
|
|
|
for pid, pod := range containerPids {
|
|
if err := tls.AddSsllibPid(procfs, pid, pod.Namespace); err != nil {
|
|
LogError(err)
|
|
}
|
|
|
|
if err := tls.AddGoPid(procfs, pid, pod.Namespace); err != nil {
|
|
LogError(err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func findContainerPids(procfs string, containerIds map[string]v1.Pod) (map[uint32]v1.Pod, error) {
|
|
result := make(map[uint32]v1.Pod)
|
|
|
|
pids, err := ioutil.ReadDir(procfs)
|
|
|
|
if err != nil {
|
|
return result, err
|
|
}
|
|
|
|
logger.Log.Infof("Starting tls auto discoverer %v %v - scanning %v potential pids",
|
|
procfs, containerIds, len(pids))
|
|
|
|
for _, pid := range pids {
|
|
if !pid.IsDir() {
|
|
continue
|
|
}
|
|
|
|
if !numberRegex.MatchString(pid.Name()) {
|
|
continue
|
|
}
|
|
|
|
cgroup, err := getProcessCgroup(procfs, pid.Name())
|
|
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
pod, ok := containerIds[cgroup]
|
|
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
pidNumber, err := strconv.Atoi(pid.Name())
|
|
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
result[uint32(pidNumber)] = pod
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
func buildContainerIdsMap(pods *[]v1.Pod) map[string]v1.Pod {
|
|
result := make(map[string]v1.Pod)
|
|
|
|
for _, pod := range *pods {
|
|
for _, container := range pod.Status.ContainerStatuses {
|
|
url, err := url.Parse(container.ContainerID)
|
|
|
|
if err != nil {
|
|
logger.Log.Warningf("Expecting URL like container ID %v", container.ContainerID)
|
|
continue
|
|
}
|
|
|
|
result[url.Host] = pod
|
|
}
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
func getProcessCgroup(procfs string, pid string) (string, error) {
|
|
filePath := fmt.Sprintf("%s/%s/cgroup", procfs, pid)
|
|
|
|
bytes, err := ioutil.ReadFile(filePath)
|
|
|
|
if err != nil {
|
|
logger.Log.Warningf("Error reading cgroup file %s - %v", filePath, err)
|
|
return "", err
|
|
}
|
|
|
|
lines := strings.Split(string(bytes), "\n")
|
|
cgrouppath := extractCgroup(lines)
|
|
|
|
if cgrouppath == "" {
|
|
return "", errors.Errorf("Cgroup path not found for %s, %s", pid, lines)
|
|
}
|
|
|
|
return normalizeCgroup(cgrouppath), nil
|
|
}
|
|
|
|
func extractCgroup(lines []string) string {
|
|
if len(lines) == 1 {
|
|
parts := strings.Split(lines[0], ":")
|
|
return parts[len(parts)-1]
|
|
} else {
|
|
for _, line := range lines {
|
|
if strings.Contains(line, ":pids:") {
|
|
parts := strings.Split(line, ":")
|
|
return parts[len(parts)-1]
|
|
}
|
|
}
|
|
}
|
|
|
|
return ""
|
|
}
|
|
|
|
// cgroup in the /proc/<pid>/cgroup may look something like
|
|
//
|
|
// /system.slice/docker-<ID>.scope
|
|
// /system.slice/containerd-<ID>.scope
|
|
// /kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod3beae8e0_164d_4689_a087_efd902d8c2ab.slice/docker-<ID>.scope
|
|
// /kubepods/besteffort/pod7709c1d5-447c-428f-bed9-8ddec35c93f4/<ID>
|
|
//
|
|
// This function extract the <ID> out of the cgroup path, the <ID> should match
|
|
// the "Container ID:" field when running kubectl describe pod <POD>
|
|
//
|
|
func normalizeCgroup(cgrouppath string) string {
|
|
basename := strings.TrimSpace(path.Base(cgrouppath))
|
|
|
|
if strings.Contains(basename, "-") {
|
|
basename = basename[strings.Index(basename, "-")+1:]
|
|
}
|
|
|
|
if strings.Contains(basename, ".") {
|
|
return strings.TrimSuffix(basename, filepath.Ext(basename))
|
|
} else {
|
|
return basename
|
|
}
|
|
}
|