初步支持syscall黑白名单过滤

SeeFlowerX · Aug 31, 2023 · 254e36c · 254e36c
1 parent b8f0b94
commit 254e36c
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 36 deletions.
diff --git a/src/common/arguments.h b/src/common/arguments.h
@@ -34,6 +34,7 @@ static __always_inline int load_args(args_t *args, u32 event_id)
     args->args[3] = saved_args->args[3];
     args->args[4] = saved_args->args[4];
     args->args[5] = saved_args->args[5];
+    args->flag = saved_args->flag;
 
     return 0;
 }

diff --git a/src/syscall.c b/src/syscall.c
@@ -126,6 +126,7 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) {
     args.args[2] = READ_KERN(regs->regs[2]);
     args.args[3] = READ_KERN(regs->regs[3]);
     args.args[4] = READ_KERN(regs->regs[4]);
+    args.args[5] = READ_KERN(regs->regs[5]);
     save_args(&args, SYSCALL_ENTER);
 
     // event->context 已经有进程的信息了
@@ -208,11 +209,12 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) {
             read_count = point_arg->read_count;
         }
         next_arg_index = read_arg(p, point_arg, arg_ptr, read_count, next_arg_index);
-        // argument list too long
-        // 加下面这句话之后就出现上面这个错误了 机理未知
-        // if (next_arg_index == FILTER_INDEX_SKIP) {
-        //     return 0;
-        // }
+        if (point_arg->tmp_index == FILTER_INDEX_SKIP) {
+            point_arg->tmp_index = 0;
+            args.flag = 1;
+            save_args(&args, SYSCALL_ENTER);
+            return 0;
+        }
     }
     events_perf_submit(&p, SYSCALL_ENTER);
     if (filter->signal > 0) {
@@ -251,6 +253,9 @@ int raw_syscalls_sys_exit(struct bpf_raw_tracepoint_args* ctx) {
         return 0;
     }
     del_args(SYSCALL_ENTER);
+    if (saved_args.flag == 1) {
+        return 0;
+    }
 
     if (filter->trace_mode == TRACE_COMMON) {
         // 非 追踪全部syscall模式

diff --git a/src/types.h b/src/types.h
@@ -12,6 +12,7 @@ typedef struct common_filter {
 
 typedef struct args {
     unsigned long args[6];
+    u32 flag;
 } args_t;
 
 typedef struct thread_name {

diff --git a/src/utils.h b/src/utils.h
@@ -27,6 +27,7 @@ typedef struct point_arg_t {
     u32 read_count;
 	u32 item_persize;
 	u32 item_countindex;
+	u32 tmp_index;
 } point_arg;
 
 static __always_inline u32 save_bytes_with_len(program_data_t p, u64 ptr, u32 read_len, u32 next_arg_index) {
@@ -115,34 +116,40 @@ static __always_inline u32 read_arg(program_data_t p, struct point_arg_t* point_
             // MTE 其实也正常读取到了
             bpf_probe_read_user_str(&string_p->buf[buf_off], MAX_STRING_SIZE, (void *)ptr);
         }
-        // if (point_arg->filter_idx != FILTER_INDEX_NONE) {
-        //     arg_filter_t* filter_config = bpf_map_lookup_elem(&arg_filter, &point_arg->filter_idx);
-        //     // 按照设计这里必须不为NULL
-        //     if (filter_config == NULL) {
-        //         return next_arg_index;
-        //     }
-        //     u32 startswith = 0;
-        //     // 设置到256会出现 bad address
-        //     // 似乎是程序的指令数达到上限了
-        //     for (int i = 0; i < 128; i++) {
-        //         char c1 = string_p->buf[buf_off + i];
-        //         char c2 = filter_config->oldstr_val[i];
-        //         if (i != 0 && c2 == 0) {
-        //             startswith = 1;
-        //             break;
-        //         }
-        //         if (c1 == 0 || c2 == 0) {
-        //             break;
-        //         }
-        //     }
-        //     if (filter_config->filter_type == WHITELIST_FILTER && startswith == 0){
-        //         // 不匹配白名单的都跳过
-        //         return FILTER_INDEX_SKIP;
-        //     } else if (filter_config->filter_type == BLACKLIST_FILTER && startswith == 1){
-        //         // 匹配黑名单的都跳过
-        //         return FILTER_INDEX_SKIP;
-        //     }
-        // }
+        if (point_arg->filter_idx != FILTER_INDEX_NONE) {
+            // 后续改为借助map进行比较
+            arg_filter_t* filter_config = bpf_map_lookup_elem(&arg_filter, &point_arg->filter_idx);
+            // 按照设计这里必须不为NULL
+            if (filter_config == NULL) {
+                return next_arg_index;
+            }
+            u32 startswith = 0;
+            // 设置到256会出现 bad address
+            // 似乎是程序的指令数达到上限了
+            for (int i = 0; i < 128; i++) {
+                char c1 = string_p->buf[buf_off + i];
+                char c2 = filter_config->oldstr_val[i];
+                if (i != 0 && c2 == 0) {
+                    startswith = 1;
+                    break;
+                }
+                if (c1 == 0 || c2 == 0) {
+                    break;
+                }
+                if (c1 != c2) {
+                    break;
+                }
+            }
+            if (filter_config->filter_type == WHITELIST_FILTER && startswith == 0){
+                // 不匹配白名单的都跳过
+                point_arg->tmp_index = FILTER_INDEX_SKIP;
+                return next_arg_index;
+            } else if (filter_config->filter_type == BLACKLIST_FILTER && startswith == 1){
+                // 匹配黑名单的都跳过
+                point_arg->tmp_index = FILTER_INDEX_SKIP;
+                return next_arg_index;
+            }
+        }
         save_str_to_buf(p.event, &string_p->buf[buf_off], next_arg_index);
         next_arg_index += 1;
         return next_arg_index;

diff --git a/user/config/config_watchpoint.go b/user/config/config_watchpoint.go
@@ -31,6 +31,7 @@ type ArgType struct {
 	ReadCount      uint32
 	ItemPerSize    uint32
 	ItemCountIndex uint32
+	tmp_index      uint32
 }
 
 type IWatchPoint interface {
@@ -198,11 +199,12 @@ func (this *ArgType) Clone() ArgType {
 	at.ReadCount = this.ReadCount
 	at.ItemPerSize = this.ItemPerSize
 	at.ItemCountIndex = this.ItemCountIndex
+	at.tmp_index = this.tmp_index
 	return at
 }
 
 func AT(arg_alias_type, arg_base_type, read_count uint32) ArgType {
-	return ArgType{FILTER_INDEX_NONE, READ_INDEX_REG, 0, arg_base_type, arg_alias_type, read_count, 1, READ_INDEX_SKIP}
+	return ArgType{FILTER_INDEX_NONE, READ_INDEX_REG, 0, arg_base_type, arg_alias_type, read_count, 1, READ_INDEX_SKIP, 0}
 }
 
 func PA(nr string, args []PArg) PArgs {

diff --git a/user/module/stack.go b/user/module/stack.go
@@ -359,7 +359,7 @@ func (this *MStack) update_arg_filter() {
         panic(fmt.Sprintf("find [%s] failed, err:%v", map_name, err))
     }
     // w/white b/black
-    // ./stackplz -n com.starbucks.cn -s openat:f0 -f w:/data/data/com.starbucks.cn/files -o tmp.log
+    // ./stackplz -n com.starbucks.cn -s openat:f0 -f w:/system/framework/oat -o tmp.log
     // ./stackplz -n com.starbucks.cn -w strstr[str:x1:f0] -f w:/data/local/tmp -o tmp.log
     // ./stackplz -n com.starbucks.cn -w strstr[str:f0,str:f1] -f w:/data/local/tmp -r w:/data/local/tmp -o tmp.log
     // r/replace 文本替换逻辑会比较复杂 应该考虑分离
@@ -449,7 +449,7 @@ func (this *MStack) updateFilter() (err error) {
     this.update_common_filter()
     this.update_child_parent()
     this.update_thread_filter()
-    // this.update_arg_filter()
+    this.update_arg_filter()
     this.update_stack_config()
     this.update_syscall_config()
     return nil