diff --git a/bpf/events.c b/bpf/events.c index fc0518c..b9ec4dc 100644 --- a/bpf/events.c +++ b/bpf/events.c @@ -8,6 +8,8 @@ Copyright (C) Kubeshark "kprobe/security_*" tracepoints are not used here as soon as they can not be implemented in some platforms (for example arm64 M1) */ +#ifndef EBPF_FALLBACK + #include "events.h" SEC("kprobe/tcp_connect") @@ -167,4 +169,6 @@ static __always_inline int read_addrs_ports(struct pt_regs* ctx, struct sock* sk } return 0; -} \ No newline at end of file +} + +#endif \ No newline at end of file diff --git a/bpf/fd_to_address_tracepoints.c b/bpf/fd_to_address_tracepoints.c index 49ea172..99a3eba 100644 --- a/bpf/fd_to_address_tracepoints.c +++ b/bpf/fd_to_address_tracepoints.c @@ -31,10 +31,6 @@ SEC("tracepoint/syscalls/sys_enter_accept4") void sys_enter_accept4(struct sys_enter_accept4_ctx* ctx) { __u64 id = tracer_get_current_pid_tgid(); - if (!should_watch(id >> 32)) { - return; - } - struct accept_info info = {}; info.addrlen = ctx->addrlen; @@ -57,10 +53,6 @@ SEC("tracepoint/syscalls/sys_exit_accept4") void sys_exit_accept4(struct sys_exit_accept4_ctx* ctx) { __u64 id = tracer_get_current_pid_tgid(); - if (!should_watch(id >> 32)) { - return; - } - if (ctx->ret < 0) { bpf_map_delete_elem(&accept_syscall_context, &id); return; @@ -124,10 +116,6 @@ SEC("tracepoint/syscalls/sys_enter_connect") void sys_enter_connect(struct sys_enter_connect_ctx* ctx) { __u64 id = tracer_get_current_pid_tgid(); - if (!should_watch(id >> 32)) { - return; - } - struct connect_info info = {}; info.addrlen = ctx->addrlen; @@ -151,10 +139,6 @@ SEC("tracepoint/syscalls/sys_exit_connect") void sys_exit_connect(struct sys_exit_connect_ctx* ctx) { __u64 id = tracer_get_current_pid_tgid(); - if (!should_watch(id >> 32)) { - return; - } - // Commented because of async connect which set errno to EINPROGRESS // // if (ctx->ret != 0) { diff --git a/go.mod b/go.mod index 5a2a72d..f4b41c5 100644 --- a/go.mod +++ b/go.mod 
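Review bot: The `#ifndef EBPF_FALLBACK` opened in this hunk is closed only by the `#endif` at end of file in the `@@ -167,4 +169,6` hunk, some 160 lines away, so the closer should name the macro, `#endif /* EBPF_FALLBACK */`, and the file should gain the trailing newline the diff still reports missing. Where EBPF_FALLBACK is defined is not shown in this diff (presumably the build for the nosniff object set, since tracernosniff_bpfel_x86.go drops tcp_connect, do_accept, syscall__accept4_ret and trace_cgroup_connect4); a one-line comment above the guard saying so, e.g. `/* EBPF_FALLBACK: build without the kprobe-based connect/accept tracking on platforms where it cannot be loaded (see note above) */`, would save the next reader a search. Note the guard also encloses `#include "events.h"`, which is fine only if nothing else in this translation unit depends on that header.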
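Review bot: Dropping the `should_watch(id >> 32)` early return in sys_enter_accept4 (and likewise in the sys_exit_accept4, sys_enter_connect and sys_exit_connect hunks that follow) means every process on the host now writes an entry into accept_syscall_context, and the corresponding connect map, on each accept4/connect, not only the targeted PIDs. Two consequences are worth checking: the maps now see host-wide churn, so if their max_entries is modest, entries for the processes that are actually watched can fail to insert under load and coverage is silently lost (the map sizes are not in this diff); and addresses of untargeted processes reach whatever consumes these maps unless filtering happens later in the pipeline. If the intent is that filtering moved downstream, a comment at the first removal site naming where, e.g. `// no should_watch() here: PID filtering is applied where the address is consumed`, would make the change reviewable. Each of the four function bodies continues past its hunk.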
@@ -19,7 +19,7 @@ require ( github.com/hashicorp/golang-lru/v2 v2.0.2 github.com/jinzhu/copier v0.4.0 github.com/knightsc/gapstone v0.0.0-20191231144527-6fa5afaf11a9 - github.com/kubeshark/api v1.1.15 + github.com/kubeshark/api v1.1.16 github.com/kubeshark/gopacket v1.1.30 github.com/kubeshark/tracerproto v1.0.3-0.20240730073449-de3a99a3719c github.com/moby/moby v25.0.4+incompatible diff --git a/go.sum b/go.sum index 41b6b27..adbd3fb 100644 --- a/go.sum +++ b/go.sum @@ -264,8 +264,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kubeshark/api v1.1.15 h1:btr8X9QIdwLPQ/3peQRD8QkDmkAn3ieOjaA/3Hi1438= -github.com/kubeshark/api v1.1.15/go.mod h1:13xpBdys1s9gozDtv29njdT3Rx3xl2ZICgdsFXwqk40= +github.com/kubeshark/api v1.1.16 h1:E9MlBpc4zpCE2847+/myEBmug+q6zn4y1nMSUMCKYwI= +github.com/kubeshark/api v1.1.16/go.mod h1:13xpBdys1s9gozDtv29njdT3Rx3xl2ZICgdsFXwqk40= github.com/kubeshark/gopacket v1.1.30 h1:Dz6eo7b6+NdVCrgiyKxlGEVTm0L6PwgbVvSomsuwIyU= github.com/kubeshark/gopacket v1.1.30/go.mod h1:Qo8/i/tdT74CCT7/pjO0L55Pktv5dQfj7M/Arv8MKm8= github.com/kubeshark/tracerproto v1.0.0/go.mod h1:+efDYkwXxwakmHRpxHVEekyXNtg/aFx0uSo/I0lGV9k= diff --git a/pkg/health/health.go b/pkg/health/health.go index b81cd15..64592f9 100644 --- a/pkg/health/health.go +++ b/pkg/health/health.go @@ -94,6 +94,7 @@ func initTracerHealth() { var tracerResources v1.ResourceRequirements var tracerRestarts int var tracerLastRestartReason string + var tracerLastRestartTimestamp string currentPod, err := getCurrentPod(clientSet) if err != nil { 
@@ -109,16 +110,18 @@ func initTracerHealth() { tracerRestarts = int(containerStatus.RestartCount) if containerStatus.LastTerminationState.Terminated != nil { tracerLastRestartReason = containerStatus.LastTerminationState.Terminated.Reason + tracerLastRestartTimestamp = containerStatus.LastTerminationState.Terminated.FinishedAt.Format(time.RFC3339) } } } } tracerHealth = &api.HealthWorkerComponent{ - Resources: tracerResources, - Restarts: tracerRestarts, - LastRestartReason: tracerLastRestartReason, - Timestamp: time.Now().Format(time.RFC3339), + Resources: tracerResources, + Restarts: tracerRestarts, + LastRestartReason: tracerLastRestartReason, + LastRestartTimestamp: tracerLastRestartTimestamp, + Timestamp: time.Now().Format(time.RFC3339), } } diff --git a/tcp_kprobe_hooks.go b/tcp_kprobe_hooks.go index 052929e..4f7a0e5 100644 --- a/tcp_kprobe_hooks.go +++ b/tcp_kprobe_hooks.go @@ -5,6 +5,8 @@ import ( "github.com/go-errors/errors" ) +var CompatibleMode = false + type tcpKprobeHooks struct { tcpSendmsg link.Link tcpRecvmsg link.Link @@ -26,19 +28,21 @@ func (s *tcpKprobeHooks) installTcpKprobeHooks(bpfObjects *tracerObjects) error return errors.Wrap(err, 0) } - s.tcp4Connect, err = link.Kprobe("tcp_connect", bpfObjects.TcpConnect, nil) - if err != nil { - return errors.Wrap(err, 0) - } + if !CompatibleMode { + s.tcp4Connect, err = link.Kprobe("tcp_connect", bpfObjects.TcpConnect, nil) + if err != nil { + return errors.Wrap(err, 0) + } - s.accept, err = link.Kretprobe("sys_accept4", bpfObjects.SyscallAccept4Ret, nil) - if err != nil { - return errors.Wrap(err, 0) - } + s.accept, err = link.Kretprobe("sys_accept4", bpfObjects.SyscallAccept4Ret, nil) + if err != nil { + return errors.Wrap(err, 0) + } - s.accept4, err = link.Kretprobe("do_accept", bpfObjects.DoAccept, nil) - if err != nil { - return errors.Wrap(err, 0) + s.accept4, err = link.Kretprobe("do_accept", bpfObjects.DoAccept, nil) + if err != nil { + return errors.Wrap(err, 0) + } } return nil 
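Review bot: `FinishedAt.Format(time.RFC3339)` on the added line runs whenever Terminated is non-nil, so a zero FinishedAt is reported as `0001-01-01T00:00:00Z` instead of being left absent; guard it, `if !containerStatus.LastTerminationState.Terminated.FinishedAt.IsZero() { tracerLastRestartTimestamp = containerStatus.LastTerminationState.Terminated.FinishedAt.Format(time.RFC3339) }`. That keeps the empty-string meaning that the variable otherwise carries from its declaration in the previous hunk. initTracerHealth starts and ends outside this hunk.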
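Review bot: `var CompatibleMode = false` in tcp_kprobe_hooks.go is a new exported, mutable package-level flag with no doc comment, written from Tracer.Init in tracer.go and read by installTcpKprobeHooks in the following hunk; it duplicates the per-Tracer `t.pktSnifDisabled` set on the same error path, so the two can drift and any second Tracer in the process inherits the first one's mode. Prefer a field on Tracer or tcpKprobeHooks populated from pktSnifDisabled; if the global stays, document it, `// CompatibleMode, set by Tracer.Init when the full eBPF object set cannot be loaded, skips the tcp_connect/accept kprobes and the syscall events tracer; it must be set before installTcpKprobeHooks runs.` In compatible mode s.tcp4Connect, s.accept and s.accept4 remain nil, so the hooks' close path, which is outside this diff, must nil-check them before calling Close.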
diff --git a/tracer.go b/tracer.go index 644dcff..7ea77cc 100644 --- a/tracer.go +++ b/tracer.go @@ -160,7 +160,8 @@ func (t *Tracer) Init( t.bpfObjects = *objs.bpfObjs.(*tracerObjects) } else if err != nil && errors.As(err, &ve) { t.pktSnifDisabled = true - log.Warn().Msg(fmt.Sprintf("eBPF packets capture is disabled")) + CompatibleMode = true + log.Warn().Msg(fmt.Sprintf("eBPF packets capture and syscall events are disabled")) objsNoSniff := &BpfObjectsImpl{ bpfObjs: &tracerNoSniffObjects{}, @@ -247,17 +248,19 @@ func (t *Tracer) Init( log.Error().Err(err).Msg("System events tracer start failed") } } + } - syscallEventsTracer, err := newSyscallEventsTracer(t.bpfObjects.SyscallEvents, os.Getpagesize(), socket.NewSocketEvent(misc.GetSyscallEventSocketPath())) - if err != nil { - log.Error().Err(err).Msg("Syscall events tracer create failed") - } else { - if err = syscallEventsTracer.start(); err != nil { - log.Error().Err(err).Msg("Syscall events tracer start failed") + if !CompatibleMode { + syscallEventsTracer, err := newSyscallEventsTracer(t.bpfObjects.SyscallEvents, os.Getpagesize(), socket.NewSocketEvent(misc.GetSyscallEventSocketPath())) + if err != nil { + log.Error().Err(err).Msg("Syscall events tracer create failed") + } else { + if err = syscallEventsTracer.start(); err != nil { + log.Error().Err(err).Msg("Syscall events tracer start failed") + } } } - return nil } diff --git a/tracernosniff_bpfel_x86.go b/tracernosniff_bpfel_x86.go index d332e3e..cdc85cc 100644 --- a/tracernosniff_bpfel_x86.go +++ b/tracernosniff_bpfel_x86.go @@ -12,8 +12,6 @@ import ( "github.com/cilium/ebpf" ) -type tracerNoSniffAcceptData struct{ Sock uint64 } - type tracerNoSniffAcceptInfo struct{ Addrlen uint64 } type tracerNoSniffAddressInfo struct { 
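Review bot: `log.Warn().Msg(fmt.Sprintf("eBPF packets capture and syscall events are disabled"))` formats a constant with no verbs; write `log.Warn().Msg("eBPF packets capture and syscall events are disabled")` (the pre-existing line had the same shape, and staticcheck flags it). Setting the package global `CompatibleMode = true` right beside `t.pktSnifDisabled = true` records the same fact twice; if the global has to stay, a comment here noting that hooks installed later in Init read it would help the reader. Init continues outside this hunk.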
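Review bot: The added `}` at the top of this hunk closes a block that is opened outside it and that the diff does not show (the `@@ -160` hunk opens none), so the brace balance should be confirmed in the file rather than inferred from the patch. Inside the new `if !CompatibleMode` block, `} else { if err = syscallEventsTracer.start(); err != nil {` is a nested if that collapses to `} else if err = syscallEventsTracer.start(); err != nil {`. The `syscallEventsTracer, err :=` now declares a block-local err that shadows the function's err; that appears harmless because the hunk returns nil immediately after, but Init continues outside the hunk.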
@@ -132,7 +130,6 @@ type tracerNoSniffSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type tracerNoSniffProgramSpecs struct { - DoAccept *ebpf.ProgramSpec `ebpf:"do_accept"` GoCryptoTlsAbi0Read *ebpf.ProgramSpec `ebpf:"go_crypto_tls_abi0_read"` GoCryptoTlsAbi0ReadEx *ebpf.ProgramSpec `ebpf:"go_crypto_tls_abi0_read_ex"` GoCryptoTlsAbi0Write *ebpf.ProgramSpec `ebpf:"go_crypto_tls_abi0_write"` @@ -157,18 +154,14 @@ type tracerNoSniffProgramSpecs struct { SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` SysExitRead *ebpf.ProgramSpec `ebpf:"sys_exit_read"` SysExitWrite *ebpf.ProgramSpec `ebpf:"sys_exit_write"` - SyscallAccept4Ret *ebpf.ProgramSpec `ebpf:"syscall__accept4_ret"` - TcpConnect *ebpf.ProgramSpec `ebpf:"tcp_connect"` TcpRecvmsg *ebpf.ProgramSpec `ebpf:"tcp_recvmsg"` TcpSendmsg *ebpf.ProgramSpec `ebpf:"tcp_sendmsg"` - TraceCgroupConnect4 *ebpf.ProgramSpec `ebpf:"trace_cgroup_connect4"` } // tracerNoSniffMapSpecs contains maps before they are loaded into the kernel. // // It can be passed ebpf.CollectionSpec.Assign. type tracerNoSniffMapSpecs struct { - AcceptContext *ebpf.MapSpec `ebpf:"accept_context"` AcceptSyscallContext *ebpf.MapSpec `ebpf:"accept_syscall_context"` CgroupIds *ebpf.MapSpec `ebpf:"cgroup_ids"` ChunksBuffer *ebpf.MapSpec `ebpf:"chunks_buffer"` @@ -191,7 +184,6 @@ type tracerNoSniffMapSpecs struct { PktId *ebpf.MapSpec `ebpf:"pkt_id"` PktsBuffer *ebpf.MapSpec `ebpf:"pkts_buffer"` Settings *ebpf.MapSpec `ebpf:"settings"` - SyscallEvents *ebpf.MapSpec `ebpf:"syscall_events"` TargetPidsMap *ebpf.MapSpec `ebpf:"target_pids_map"` WatchPidsMap *ebpf.MapSpec `ebpf:"watch_pids_map"` } 
@@ -215,7 +207,6 @@ func (o *tracerNoSniffObjects) Close() error { // // It can be passed to loadTracerNoSniffObjects or ebpf.CollectionSpec.LoadAndAssign. type tracerNoSniffMaps struct { - AcceptContext *ebpf.Map `ebpf:"accept_context"` AcceptSyscallContext *ebpf.Map `ebpf:"accept_syscall_context"` CgroupIds *ebpf.Map `ebpf:"cgroup_ids"` ChunksBuffer *ebpf.Map `ebpf:"chunks_buffer"` @@ -238,14 +229,12 @@ type tracerNoSniffMaps struct { PktId *ebpf.Map `ebpf:"pkt_id"` PktsBuffer *ebpf.Map `ebpf:"pkts_buffer"` Settings *ebpf.Map `ebpf:"settings"` - SyscallEvents *ebpf.Map `ebpf:"syscall_events"` TargetPidsMap *ebpf.Map `ebpf:"target_pids_map"` WatchPidsMap *ebpf.Map `ebpf:"watch_pids_map"` } func (m *tracerNoSniffMaps) Close() error { return _TracerNoSniffClose( - m.AcceptContext, m.AcceptSyscallContext, m.CgroupIds, m.ChunksBuffer, @@ -268,7 +257,6 @@ func (m *tracerNoSniffMaps) Close() error { m.PktId, m.PktsBuffer, m.Settings, - m.SyscallEvents, m.TargetPidsMap, m.WatchPidsMap, ) @@ -278,7 +266,6 @@ func (m *tracerNoSniffMaps) Close() error { // // It can be passed to loadTracerNoSniffObjects or ebpf.CollectionSpec.LoadAndAssign. type tracerNoSniffPrograms struct { - DoAccept *ebpf.Program `ebpf:"do_accept"` GoCryptoTlsAbi0Read *ebpf.Program `ebpf:"go_crypto_tls_abi0_read"` GoCryptoTlsAbi0ReadEx *ebpf.Program `ebpf:"go_crypto_tls_abi0_read_ex"` GoCryptoTlsAbi0Write *ebpf.Program `ebpf:"go_crypto_tls_abi0_write"` 
@@ -303,16 +290,12 @@ type tracerNoSniffPrograms struct { SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` SysExitRead *ebpf.Program `ebpf:"sys_exit_read"` SysExitWrite *ebpf.Program `ebpf:"sys_exit_write"` - SyscallAccept4Ret *ebpf.Program `ebpf:"syscall__accept4_ret"` - TcpConnect *ebpf.Program `ebpf:"tcp_connect"` TcpRecvmsg *ebpf.Program `ebpf:"tcp_recvmsg"` TcpSendmsg *ebpf.Program `ebpf:"tcp_sendmsg"` - TraceCgroupConnect4 *ebpf.Program `ebpf:"trace_cgroup_connect4"` } func (p *tracerNoSniffPrograms) Close() error { return _TracerNoSniffClose( - p.DoAccept, p.GoCryptoTlsAbi0Read, p.GoCryptoTlsAbi0ReadEx, p.GoCryptoTlsAbi0Write, @@ -337,11 +320,8 @@ func (p *tracerNoSniffPrograms) Close() error { p.SysExitConnect, p.SysExitRead, p.SysExitWrite, - p.SyscallAccept4Ret, - p.TcpConnect, p.TcpRecvmsg, p.TcpSendmsg, - p.TraceCgroupConnect4, ) }