Initial short-living openss process support

Makefile

@@ -33,7 +33,7 @@ build-race: ## Build the program with -race flag.
 	$(GOBUILD) -race -ldflags="-extldflags=-s -w" -o tracer .
 
 bpf: ## Compile the object files for eBPF
-	BPF_TARGET="$(BPF_TARGET)" BPF_CFLAGS="-O2 -g -D__TARGET_ARCH_$(BPF_ARCH_SUFFIX)" $(GOGENERATE) tracer.go
+	BPF_TARGET="$(BPF_TARGET)" BPF_CFLAGS="-O2 -g -D__TARGET_ARCH_$(BPF_ARCH_SUFFIX)" $(GOGENERATE) pkg/bpf/bpf.go
 
 lint: ## Lint the source code.
 	golangci-lint run

bpf/common.c

@@ -9,6 +9,7 @@ Copyright (C) Kubeshark
 #include "include/log.h"
 #include "include/logger_messages.h"
 #include "include/common.h"
+#include "include/probes.h"
 
 
 static __always_inline int add_address_to_chunk(struct pt_regs* ctx, struct tls_chunk* chunk, __u64 id, __u32 fd, struct ssl_info* info) {
@@ -95,11 +96,7 @@ static __always_inline void output_ssl_chunk(struct pt_regs* ctx, struct ssl_inf
     }
 
     chunk->flags = flags;
-#ifndef EBPF_FALLBACK
-    chunk->timestamp = bpf_ktime_get_tai_ns();
-#else
-    chunk->timestamp = 0;
-#endif
+    chunk->timestamp = compat_get_uprobe_timestamp();
     chunk->cgroup_id = cgroup_id;
     chunk->pid = id >> 32;
     chunk->tgid = id;

bpf/events.c

@@ -8,16 +8,16 @@ Copyright (C) Kubeshark
 "kprobe/security_*" tracepoints are not used here as soon as they can not be implemented in some platforms (for example arm64 M1)
 */
 
-#include "events.h"
+#include "include/events.h"
 
 SEC("kprobe/tcp_connect")
 void BPF_KPROBE(tcp_connect) {
     if (capture_disabled())
         return;
 
     long err;
-    __u64 cgroup_id = bpf_get_current_cgroup_id();
-    if (!bpf_map_lookup_elem(&cgroup_ids, &cgroup_id)) {
+    __u64 cgroup_id = compat_get_current_cgroup_id(NULL);
+    if (!should_target_cgroup(cgroup_id)) {
         return;
     }
     __u64 id = tracer_get_current_pid_tgid();
@@ -63,7 +63,7 @@ void BPF_KRETPROBE(syscall__accept4_ret) {
 
     long err;
     __u64 id = tracer_get_current_pid_tgid();
-    __u64 cgroup_id = bpf_get_current_cgroup_id();
+    __u64 cgroup_id = compat_get_current_cgroup_id(NULL);
     struct accept_data* data = bpf_map_lookup_elem(&accept_context, &id);
     if (!data) {
         return;
@@ -112,8 +112,8 @@ void BPF_KRETPROBE(do_accept) {
     if (capture_disabled())
         return;
 
-    __u64 cgroup_id = bpf_get_current_cgroup_id();
-    if (!bpf_map_lookup_elem(&cgroup_ids, &cgroup_id)) {
+    __u64 cgroup_id = compat_get_current_cgroup_id(NULL);
+    if (!should_target_cgroup(cgroup_id)) {
         return;
     }
     struct file* f = (struct file*)PT_REGS_RC(ctx);

bpf/fd_to_address_tracepoints.c

@@ -31,10 +31,6 @@ SEC("tracepoint/syscalls/sys_enter_accept4")
 void sys_enter_accept4(struct sys_enter_accept4_ctx* ctx) {
 	__u64 id = tracer_get_current_pid_tgid();
 
-	if (!should_watch(id >> 32)) {
-		return;
-	}
-
 	struct accept_info info = {};
 
 	info.addrlen = ctx->addrlen;
@@ -57,10 +53,6 @@ SEC("tracepoint/syscalls/sys_exit_accept4")
 void sys_exit_accept4(struct sys_exit_accept4_ctx* ctx) {
 	__u64 id = tracer_get_current_pid_tgid();
 
-	if (!should_watch(id >> 32)) {
-		return;
-	}
-
 	if (ctx->ret < 0) {
 		bpf_map_delete_elem(&accept_syscall_context, &id);
 		return;
@@ -124,10 +116,6 @@ SEC("tracepoint/syscalls/sys_enter_connect")
 void sys_enter_connect(struct sys_enter_connect_ctx* ctx) {
 	__u64 id = tracer_get_current_pid_tgid();
 
-	if (!should_watch(id >> 32)) {
-		return;
-	}
-
 	struct connect_info info = {};
 
 	info.addrlen = ctx->addrlen;
@@ -151,10 +139,6 @@ SEC("tracepoint/syscalls/sys_exit_connect")
 void sys_exit_connect(struct sys_exit_connect_ctx* ctx) {
 	__u64 id = tracer_get_current_pid_tgid();
 
-	if (!should_watch(id >> 32)) {
-		return;
-	}
-
 	// Commented because of async connect which set errno to EINPROGRESS
 	//
 	// if (ctx->ret != 0) {

bpf/fd_tracepoints.c

@@ -27,7 +27,19 @@ struct sys_exit_read_write_ctx {
 	__u64 ret;
 };
 
-static __always_inline void fd_tracepoints_handle_openssl(struct sys_enter_read_write_ctx* ctx, __u64 id, struct ssl_info* infoPtr, void* map_fd, __u64 origin_code) {
+struct sys_enter_recvfrom_sendto_ctx {
+	__u64 __unused_syscall_header;
+	__u32 __unused_syscall_nr;
+
+	__u64 fd;      // at offset 16, size 4 (signed)
+	void* buf;     // at offset 24, size 8 (unsigned)
+	__u64 count;   // at offset 32, size 8 (unsigned)
+	__u32 flags;   // at offset 40, size 4 (signed)
+	void* addr;    // at offset 48, size 8 (unsigned)
+	void* addrlen; // at offset 56, size 8 (unsigned)
+};
+
+static __always_inline void fd_tracepoints_handle_openssl(void* ctx, __u32 fd, __u64 id, struct ssl_info* infoPtr, void* map_fd, __u64 origin_code) {
 	struct ssl_info info;
 	long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr);
 
@@ -36,7 +48,7 @@ static __always_inline void fd_tracepoints_handle_openssl(struct sys_enter_read_
 		return;
 	}
 
-	info.fd = ctx->fd;
+	info.fd = fd;
 
 	err = bpf_map_update_elem(map_fd, &id, &info, BPF_ANY);
 
@@ -46,9 +58,7 @@ static __always_inline void fd_tracepoints_handle_openssl(struct sys_enter_read_
 	}
 }
 
-static __always_inline void fd_tracepoints_handle_go(struct sys_enter_read_write_ctx* ctx, __u64 id, void* map_fd, __u64 origin_code) {
-	__u32 fd = ctx->fd;
-
+static __always_inline void fd_tracepoints_handle_go(void* ctx, __u32 fd, __u64 id, void* map_fd, __u64 origin_code) {
 	long err = bpf_map_update_elem(map_fd, &id, &fd, BPF_ANY);
 
 	if (err != 0) {
@@ -57,40 +67,55 @@ static __always_inline void fd_tracepoints_handle_go(struct sys_enter_read_write
 	}
 }
 
-SEC("tracepoint/syscalls/sys_enter_read")
-void sys_enter_read(struct sys_enter_read_write_ctx* ctx) {
+static __always_inline void handle_read(void* ctx, __u64 fd) {
 	__u64 id = tracer_get_current_pid_tgid();
 
-	if (!should_watch(id >> 32)) {
-		return;
-	}
-
 	struct ssl_info* infoPtr = bpf_map_lookup_elem(&openssl_read_context, &id);
 
 	if (infoPtr != NULL) {
-		fd_tracepoints_handle_openssl(ctx, id, infoPtr, &openssl_read_context, ORIGIN_SYS_ENTER_READ_CODE);
+		fd_tracepoints_handle_openssl(ctx, fd, id, infoPtr, &openssl_read_context, ORIGIN_SYS_ENTER_READ_CODE);
 	}
 
-	fd_tracepoints_handle_go(ctx, id, &go_kernel_read_context, ORIGIN_SYS_ENTER_READ_CODE);
+	fd_tracepoints_handle_go(ctx, fd, id, &go_kernel_read_context, ORIGIN_SYS_ENTER_READ_CODE);
+
 }
 
-SEC("tracepoint/syscalls/sys_enter_write")
-void sys_enter_write(struct sys_enter_read_write_ctx* ctx) {
+static __always_inline void handle_write(void* ctx, __u64 fd) {
 	__u64 id = tracer_get_current_pid_tgid();
 
-	if (!should_watch(id >> 32)) {
-		return;
-	}
-
 	struct ssl_info* infoPtr = bpf_map_lookup_elem(&openssl_write_context, &id);
 
 	if (infoPtr != NULL) {
-		fd_tracepoints_handle_openssl(ctx, id, infoPtr, &openssl_write_context, ORIGIN_SYS_ENTER_WRITE_CODE);
+		fd_tracepoints_handle_openssl(ctx, fd, id, infoPtr, &openssl_write_context, ORIGIN_SYS_ENTER_WRITE_CODE);
 	}
 
-	fd_tracepoints_handle_go(ctx, id, &go_kernel_write_context, ORIGIN_SYS_ENTER_WRITE_CODE);
+	fd_tracepoints_handle_go(ctx, fd, id, &go_kernel_write_context, ORIGIN_SYS_ENTER_WRITE_CODE);
+
+}
+
+SEC("tracepoint/syscalls/sys_enter_read")
+void sys_enter_read(struct sys_enter_read_write_ctx* ctx) {
+	handle_read(ctx, ctx->fd);
+}
+
+SEC("tracepoint/syscalls/sys_enter_write")
+void sys_enter_write(struct sys_enter_read_write_ctx* ctx) {
+	handle_write(ctx, ctx->fd);
+}
+
+SEC("tracepoint/syscalls/sys_enter_recvfrom")
+void sys_enter_recvfrom(struct sys_enter_recvfrom_sendto_ctx* ctx) {
+	handle_read(ctx, ctx->fd);
 }
 
+
+SEC("tracepoint/syscalls/sys_enter_sendto")
+void sys_enter_sendto(struct sys_enter_recvfrom_sendto_ctx* ctx) {
+	handle_write(ctx, ctx->fd);
+}
+//TODO: sys_exit_recvfrom and sys_exit_sendto
+
+
 SEC("tracepoint/syscalls/sys_exit_read")
 void sys_exit_read(struct sys_exit_read_write_ctx* ctx) {
 	__u64 id = tracer_get_current_pid_tgid();