introduce syscalls

kubeshark · May 10, 2024 · 823efe1 · 823efe1
1 parent 6653b4b
commit 823efe1
Show file tree

Hide file tree

Showing 26 changed files with 1,275 additions and 595 deletions.
diff --git a/bpf/common.c b/bpf/common.c
@@ -29,7 +29,7 @@ static __always_inline int add_address_to_chunk(struct pt_regs* ctx, struct tls_
     return 1;
 }
 
-static __always_inline void send_chunk_part(struct pt_regs* ctx, __u8* buffer, __u64 id,
+static __always_inline void send_chunk_part(struct pt_regs* ctx, uintptr_t buffer, __u64 id,
     struct tls_chunk* chunk, int start, int end) {
     size_t recorded = MIN(end - start, sizeof(chunk->data));
 
@@ -44,10 +44,10 @@ static __always_inline void send_chunk_part(struct pt_regs* ctx, __u8* buffer, _
     //
     long err = 0;
     if (chunk->recorded == sizeof(chunk->data)) {
-        err = bpf_probe_read(chunk->data, sizeof(chunk->data), buffer + start);
+        err = bpf_probe_read(chunk->data, sizeof(chunk->data), (void*)(buffer + start));
     } else {
         recorded &= (sizeof(chunk->data) - 1); // Buffer must be N^2
-        err = bpf_probe_read(chunk->data, recorded, buffer + start);
+        err = bpf_probe_read(chunk->data, recorded, (void*)(buffer + start));
     }
 
     if (err != 0) {
@@ -58,7 +58,7 @@ static __always_inline void send_chunk_part(struct pt_regs* ctx, __u8* buffer, _
     bpf_perf_event_output(ctx, &chunks_buffer, BPF_F_CURRENT_CPU, chunk, sizeof(struct tls_chunk));
 }
 
-static __always_inline void send_chunk(struct pt_regs* ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk) {
+static __always_inline void send_chunk(struct pt_regs* ctx, uintptr_t buffer, __u64 id, struct tls_chunk* chunk) {
     // ebpf loops must be bounded at compile time, we can't use (i < chunk->len / CHUNK_SIZE)
     //
     // 	https://lwn.net/Articles/794934/
@@ -115,7 +115,7 @@ static __always_inline struct ssl_info new_ssl_info() {
     return info;
 }
 
-static __always_inline struct ssl_info lookup_ssl_info(struct pt_regs* ctx, struct bpf_map_def* map_fd, __u64 pid_tgid) {
+static __always_inline struct ssl_info lookup_ssl_info(struct pt_regs* ctx, void* map_fd, __u64 pid_tgid) {
     struct ssl_info* infoPtr = bpf_map_lookup_elem(map_fd, &pid_tgid);
     struct ssl_info info = new_ssl_info();
 

diff --git a/bpf/fd_to_address_tracepoints.c b/bpf/fd_to_address_tracepoints.c
@@ -13,7 +13,7 @@ Copyright (C) Kubeshark
 #define IPV4_ADDR_LEN (16)
 
 struct accept_info {
-	__u32* addrlen;
+	uintptr_t addrlen;
 };
 
 BPF_HASH(accept_syscall_context, __u64, struct accept_info);
@@ -24,7 +24,7 @@ struct sys_enter_accept4_ctx {
 
 	__u64 fd;
 	__u64* sockaddr;
-	__u32* addrlen;
+	uintptr_t addrlen;
 };
 
 SEC("tracepoint/syscalls/sys_enter_accept4")
@@ -84,7 +84,7 @@ void sys_exit_accept4(struct sys_exit_accept4_ctx* ctx) {
 	}
 
 	__u32 addrlen;
-	bpf_probe_read(&addrlen, sizeof(__u32), info.addrlen);
+	bpf_probe_read(&addrlen, sizeof(__u32), (void*)info.addrlen);
 
 	if (addrlen != IPV4_ADDR_LEN) {
 		// Currently only ipv4 is supported linux-src/include/linux/inet.h

diff --git a/bpf/fd_tracepoints.c b/bpf/fd_tracepoints.c
@@ -27,7 +27,7 @@ struct sys_exit_read_write_ctx {
 	__u64 ret;
 };
 
-static __always_inline void fd_tracepoints_handle_openssl(struct sys_enter_read_write_ctx* ctx, __u64 id, struct ssl_info* infoPtr, struct bpf_map_def* map_fd, __u64 origin_code) {
+static __always_inline void fd_tracepoints_handle_openssl(struct sys_enter_read_write_ctx* ctx, __u64 id, struct ssl_info* infoPtr, void* map_fd, __u64 origin_code) {
 	struct ssl_info info;
 	long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr);
 
@@ -46,7 +46,7 @@ static __always_inline void fd_tracepoints_handle_openssl(struct sys_enter_read_
 	}
 }
 
-static __always_inline void fd_tracepoints_handle_go(struct sys_enter_read_write_ctx* ctx, __u64 id, struct bpf_map_def* map_fd, __u64 origin_code) {
+static __always_inline void fd_tracepoints_handle_go(struct sys_enter_read_write_ctx* ctx, __u64 id, void* map_fd, __u64 origin_code) {
 	__u32 fd = ctx->fd;
 
 	long err = bpf_map_update_elem(map_fd, &id, &fd, BPF_ANY);

diff --git a/bpf/go_uprobes.c b/bpf/go_uprobes.c
@@ -174,7 +174,7 @@ static __always_inline int go_crypto_tls_get_fd_from_tcp_conn(struct pt_regs* ct
     return 0;
 }
 
-static __always_inline void go_crypto_tls_uprobe(struct pt_regs* ctx, struct bpf_map_def* go_context, enum ABI abi) {
+static __always_inline void go_crypto_tls_uprobe(struct pt_regs* ctx, void* go_context, enum ABI abi) {
     __u64 pid_tgid = tracer_get_current_pid_tgid();
     __u64 pid = pid_tgid >> 32;
     if (!should_target(pid)) {
@@ -210,10 +210,10 @@ static __always_inline void go_crypto_tls_uprobe(struct pt_regs* ctx, struct bpf
             return;
         }
         // We basically add 00 suffix to the hex address.
-        info.buffer = (void*)((long)info.buffer << 8);
+        info.buffer = ((long)info.buffer << 8);
     } else {
 #endif
-        info.buffer = (void*)GO_ABI_INTERNAL_PT_REGS_R4(ctx);
+        info.buffer = GO_ABI_INTERNAL_PT_REGS_R4(ctx);
 #if defined(bpf_target_x86)
     }
 #endif
@@ -250,7 +250,7 @@ static __always_inline void go_crypto_tls_uprobe(struct pt_regs* ctx, struct bpf
     return;
 }
 
-static __always_inline void go_crypto_tls_ex_uprobe(struct pt_regs* ctx, struct bpf_map_def* go_context, struct bpf_map_def* go_user_kernel_context, __u32 flags, enum ABI abi) {
+static __always_inline void go_crypto_tls_ex_uprobe(struct pt_regs* ctx, void* go_context, void* go_user_kernel_context, __u32 flags, enum ABI abi) {
     __u64 pid_tgid = tracer_get_current_pid_tgid();
     __u64 pid = pid_tgid >> 32;
     if (!should_target(pid)) {

diff --git a/bpf/include/common.h b/bpf/include/common.h
@@ -11,10 +11,10 @@ Copyright (C) Kubeshark
 const __s32 invalid_fd = -1;
 
 static int add_address_to_chunk(struct pt_regs* ctx, struct tls_chunk* chunk, __u64 id, __u32 fd, struct ssl_info* info);
-static void send_chunk_part(struct pt_regs* ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk, int start, int end);
-static void send_chunk(struct pt_regs* ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk);
+static void send_chunk_part(struct pt_regs* ctx, uintptr_t buffer, __u64 id, struct tls_chunk* chunk, int start, int end);
+static void send_chunk(struct pt_regs* ctx, uintptr_t buffer, __u64 id, struct tls_chunk* chunk);
 static void output_ssl_chunk(struct pt_regs* ctx, struct ssl_info* info, int count_bytes, __u64 id, __u32 flags, __u64 cgroup_id);
 static struct ssl_info new_ssl_info();
-static struct ssl_info lookup_ssl_info(struct pt_regs* ctx, struct bpf_map_def* map_fd, __u64 pid_tgid);
+static struct ssl_info lookup_ssl_info(struct pt_regs* ctx, void* map_fd, __u64 pid_tgid);
 
 #endif /* __COMMON__ */
diff --git a/bpf/include/maps.h b/bpf/include/maps.h
@@ -47,7 +47,7 @@ struct tls_chunk {
 };
 
 struct ssl_info {
-    void* buffer;
+    uintptr_t buffer;
     __u32 buffer_len;
     __u32 fd;
     __u64 created_at_nano;
@@ -56,7 +56,7 @@ struct ssl_info {
     // for ssl_write and ssl_read must be zero
     // for ssl_write_ex and ssl_read_ex save the *written/*readbytes pointer. 
     //
-    size_t* count_ptr;
+    uintptr_t count_ptr;
 };
 
 typedef __u8 conn_flags;
@@ -131,12 +131,12 @@ struct pkt_data {
 };
 
 #define BPF_MAP(_name, _type, _key_type, _value_type, _max_entries)     \
-    struct bpf_map_def SEC("maps") _name = {                            \
-        .type = _type,                                                  \
-        .key_size = sizeof(_key_type),                                  \
-        .value_size = sizeof(_value_type),                              \
-        .max_entries = _max_entries,                                    \
-    };
+    struct {                          \
+        __uint(type, _type);                \
+        __type(key, _key_type);                  \
+        __type(value, _value_type);                \
+        __uint(max_entries, _max_entries); \
+} _name SEC(".maps");
 
 #define BPF_HASH(_name, _key_type, _value_type) \
     BPF_MAP(_name, BPF_MAP_TYPE_HASH, _key_type, _value_type, MAX_ENTRIES_HASH)

diff --git a/bpf/include/pids.h b/bpf/include/pids.h
@@ -6,7 +6,7 @@ Copyright (C) Kubeshark
 #ifndef __PIDS__
 #define __PIDS__
 
-int _pid_in_map(struct bpf_map_def* pmap, __u32 pid) {
+int _pid_in_map(void* pmap, __u32 pid) {
 	__u32* shouldTarget = bpf_map_lookup_elem(pmap, &pid);
 
 	if (shouldTarget != NULL && *shouldTarget == 1) {

diff --git a/bpf/openssl_uprobes.c b/bpf/openssl_uprobes.c
@@ -39,7 +39,7 @@ static __always_inline int get_count_bytes(struct pt_regs* ctx, struct ssl_info*
 	return countBytes;
 }
 
-static __always_inline void ssl_uprobe(struct pt_regs* ctx, void* ssl, void* buffer, int num, struct bpf_map_def* map_fd, size_t* count_ptr) {
+static __always_inline void ssl_uprobe(struct pt_regs* ctx, void* ssl, uintptr_t buffer, int num, void* map_fd, uintptr_t count_ptr) {
 	long err;
 
 	__u64 id = tracer_get_current_pid_tgid();
@@ -60,7 +60,7 @@ static __always_inline void ssl_uprobe(struct pt_regs* ctx, void* ssl, void* buf
 	}
 }
 
-static __always_inline void ssl_uretprobe(struct pt_regs* ctx, struct bpf_map_def* map_fd, __u32 flags) {
+static __always_inline void ssl_uretprobe(struct pt_regs* ctx, void* map_fd, __u32 flags) {
 	__u64 id = tracer_get_current_pid_tgid();
 
 	if (!should_target(id >> 32)) {
@@ -108,7 +108,7 @@ static __always_inline void ssl_uretprobe(struct pt_regs* ctx, struct bpf_map_de
 }
 
 SEC("uprobe/ssl_write")
-void BPF_KPROBE(ssl_write, void* ssl, void* buffer, int num) {
+void BPF_KPROBE(ssl_write, void* ssl, uintptr_t buffer, int num) {
 	ssl_uprobe(ctx, ssl, buffer, num, &openssl_write_context, 0);
 }
 
@@ -118,7 +118,7 @@ void BPF_KPROBE(ssl_ret_write) {
 }
 
 SEC("uprobe/ssl_read")
-void BPF_KPROBE(ssl_read, void* ssl, void* buffer, int num) {
+void BPF_KPROBE(ssl_read, void* ssl, uintptr_t buffer, int num) {
 	ssl_uprobe(ctx, ssl, buffer, num, &openssl_read_context, 0);
 }
 
@@ -128,7 +128,7 @@ void BPF_KPROBE(ssl_ret_read) {
 }
 
 SEC("uprobe/ssl_write_ex")
-void BPF_KPROBE(ssl_write_ex, void* ssl, void* buffer, size_t num, size_t* written) {
+void BPF_KPROBE(ssl_write_ex, void* ssl, uintptr_t buffer, size_t num, uintptr_t written) {
 	ssl_uprobe(ctx, ssl, buffer, num, &openssl_write_context, written);
 }
 
@@ -138,7 +138,7 @@ void BPF_KPROBE(ssl_ret_write_ex) {
 }
 
 SEC("uprobe/ssl_read_ex")
-void BPF_KPROBE(ssl_read_ex, void* ssl, void* buffer, size_t num, size_t* readbytes) {
+void BPF_KPROBE(ssl_read_ex, void* ssl, uintptr_t buffer, size_t num, uintptr_t readbytes) {
 	ssl_uprobe(ctx, ssl, buffer, num, &openssl_read_context, readbytes);
 }
 

diff --git a/bpf/tcp_kprobes.c b/bpf/tcp_kprobes.c
@@ -57,7 +57,7 @@ static __always_inline int tcp_kprobes_get_address_pair_from_ctx(struct pt_regs*
 	return 0;
 }
 
-static __always_inline void tcp_kprobes_forward_go(struct pt_regs* ctx, __u64 id, __u32 fd, struct address_info address_info, struct bpf_map_def* map_fd_go_user_kernel) {
+static __always_inline void tcp_kprobes_forward_go(struct pt_regs* ctx, __u64 id, __u32 fd, struct address_info address_info, void* map_fd_go_user_kernel) {
 	__u32 pid = id >> 32;
 	__u64 key = (__u64)pid << 32 | fd;
 
@@ -76,7 +76,7 @@ static void __always_inline tcp_kprobes_forward_openssl(struct ssl_info* info_pt
 	info_ptr->address_info.sport = address_info.sport;
 }
 
-static __always_inline void tcp_kprobe(struct pt_regs* ctx, struct bpf_map_def* map_fd_openssl, struct bpf_map_def* map_fd_go_kernel, struct bpf_map_def* map_fd_go_user_kernel) {
+static __always_inline void tcp_kprobe(struct pt_regs* ctx, void* map_fd_openssl, void* map_fd_go_kernel, void* map_fd_go_user_kernel) {
 	long err;
 
 	__u64 id = tracer_get_current_pid_tgid();