Skip to content

Generic syscall kprobes #4256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Aug 22, 2024
Merged

Generic syscall kprobes #4256

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
72bc472
feat: Add syscall kprobe support
yanivagman Aug 18, 2024
b57ce07
chore: Sort arm64 syscalls by id
yanivagman Aug 19, 2024
62b1dbf
perf: Use kprobe for ptrace
yanivagman Aug 18, 2024
ed64efa
pref: Use kprobe for process_vm_writev
yanivagman Aug 19, 2024
30447d4
pref: Use kprobe for arch_prctl
yanivagman Aug 19, 2024
ff26d07
feat: add support for generic syscall tailcalls
yanivagman Aug 20, 2024
642f3f4
perf: Use kprobe for dup,dup2,dup3,socket_dup
yanivagman Aug 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
138 changes: 72 additions & 66 deletions pkg/ebpf/c/common/arch.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,9 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
#define SYSCALL_FCHDIR 81
#define SYSCALL_FCHMOD 91
#define SYSCALL_FCHOWN 93
#define SYSCALL_PTRACE 101
#define SYSCALL_FSTATFS 138
#define SYSCALL_ARCH_PRCTL 158
#define SYSCALL_READAHEAD 187
#define SYSCALL_FSETXATTR 190
#define SYSCALL_FGETXATTR 193
Expand Down Expand Up @@ -171,6 +173,7 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
#define SYSCALL_SYNCFS 306
#define SYSCALL_SENDMMSG 307
#define SYSCALL_SETNS 308
#define SYSCALL_PROCESS_VM_WRITEV 311
#define SYSCALL_FINIT_MODULE 313
#define SYSCALL_EXECVEAT 322
#define SYSCALL_PREADV2 327
Expand All @@ -196,92 +199,87 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
#define SYSCALL_SOCKETCALL 473

#elif defined(bpf_target_arm64)
#define SYSCALL_READ 63
#define SYSCALL_WRITE 64
#define SYSCALL_OPEN UNDEFINED_SYSCALL
#define SYSCALL_CLOSE 57
#define SYSCALL_FSTAT 80
#define SYSCALL_LSEEK 62
#define SYSCALL_MMAP 222
#define SYSCALL_MPROTECT 226
#define SYSCALL_RT_SIGRETURN 139
#define SYSCALL_IOCTL 29
#define SYSCALL_PREAD64 67
#define SYSCALL_PWRITE64 68
#define SYSCALL_READV 65
#define SYSCALL_WRITEV 66
#define SYSCALL_DUP 23
#define SYSCALL_DUP2 UNDEFINED_SYSCALL
#define SYSCALL_SOCKET 198
#define SYSCALL_CONNECT 203
#define SYSCALL_ACCEPT 202
#define SYSCALL_SENDTO 206
#define SYSCALL_RECVFROM 207
#define SYSCALL_SENDMSG 211
#define SYSCALL_RECVMSG 212
#define SYSCALL_SHUTDOWN 210
#define SYSCALL_BIND 200
#define SYSCALL_LISTEN 201
#define SYSCALL_GETSOCKNAME 204
#define SYSCALL_GETPEERNAME 205
#define SYSCALL_SETSOCKOPT 208
#define SYSCALL_GETSOCKOPT 209
#define SYSCALL_EXECVE 221
#define SYSCALL_EXIT 93
#define SYSCALL_FCNTL 25
#define SYSCALL_FLOCK 32
#define SYSCALL_FSYNC 82
#define SYSCALL_FDATASYNC 83
#define SYSCALL_FTRUNCATE 46
#define SYSCALL_GETDENTS UNDEFINED_SYSCALL
#define SYSCALL_CHDIR 49
#define SYSCALL_FCHDIR 50
#define SYSCALL_FCHMOD 52
#define SYSCALL_FCHOWN 55
#define SYSCALL_FSTATFS 44
#define SYSCALL_READAHEAD 213
#define SYSCALL_FSETXATTR 7
#define SYSCALL_FGETXATTR 10
#define SYSCALL_FLISTXATTR 13
#define SYSCALL_FREMOVEXATTR 16
#define SYSCALL_GETDENTS64 61
#define SYSCALL_FADVISE64 223
#define SYSCALL_EXIT_GROUP 94
#define SYSCALL_EPOLL_WAIT UNDEFINED_SYSCALL
#define SYSCALL_EPOLL_CTL 21
#define SYSCALL_EPOLL_PWAIT 22
#define SYSCALL_DUP 23
#define SYSCALL_DUP3 24
#define SYSCALL_FCNTL 25
#define SYSCALL_INOTIFY_ADD_WATCH 27
#define SYSCALL_INOTIFY_RM_WATCH 28
#define SYSCALL_OPENAT 56
#define SYSCALL_MKDIRAT 34
#define SYSCALL_IOCTL 29
#define SYSCALL_FLOCK 32
#define SYSCALL_MKNODAT 33
#define SYSCALL_FCHOWNAT 54
#define SYSCALL_FUTIMESAT UNDEFINED_SYSCALL
#define SYSCALL_NEWFSTATAT UNDEFINED_SYSCALL
#define SYSCALL_MKDIRAT 34
#define SYSCALL_UNLINKAT 35
#define SYSCALL_SYMLINKAT 36
#define SYSCALL_READLINKAT 78
#define SYSCALL_FCHMODAT 53
#define SYSCALL_FSTATFS 44
#define SYSCALL_FTRUNCATE 46
#define SYSCALL_FALLOCATE 47
#define SYSCALL_FACCESSAT 48
#define SYSCALL_SYNC_FILE_RANGE 84
#define SYSCALL_CHDIR 49
#define SYSCALL_FCHDIR 50
#define SYSCALL_FCHMOD 52
#define SYSCALL_FCHMODAT 53
#define SYSCALL_FCHOWNAT 54
#define SYSCALL_FCHOWN 55
#define SYSCALL_OPENAT 56
#define SYSCALL_CLOSE 57
#define SYSCALL_GETDENTS64 61
#define SYSCALL_LSEEK 62
#define SYSCALL_READ 63
#define SYSCALL_WRITE 64
#define SYSCALL_READV 65
#define SYSCALL_WRITEV 66
#define SYSCALL_PREAD64 67
#define SYSCALL_PWRITE64 68
#define SYSCALL_PREADV 69
#define SYSCALL_PWRITEV 70
#define SYSCALL_SIGNALFD4 74
#define SYSCALL_VMSPLICE 75
#define SYSCALL_UTIMENSAT 88
#define SYSCALL_EPOLL_PWAIT 22
#define SYSCALL_SIGNALFD UNDEFINED_SYSCALL
#define SYSCALL_FALLOCATE 47
#define SYSCALL_READLINKAT 78
#define SYSCALL_FSTAT 80
#define SYSCALL_FSYNC 82
#define SYSCALL_FDATASYNC 83
#define SYSCALL_SYNC_FILE_RANGE 84
#define SYSCALL_TIMERFD_SETTIME 86
#define SYSCALL_TIMERFD_GETTIME 87
#define SYSCALL_ACCEPT4 242
#define SYSCALL_SIGNALFD4 74
#define SYSCALL_DUP3 24
#define SYSCALL_PREADV 69
#define SYSCALL_PWRITEV 70
#define SYSCALL_UTIMENSAT 88
#define SYSCALL_EXIT 93
#define SYSCALL_EXIT_GROUP 94
#define SYSCALL_PTRACE 117
#define SYSCALL_RT_SIGRETURN 139
#define SYSCALL_SOCKET 198
#define SYSCALL_BIND 200
#define SYSCALL_LISTEN 201
#define SYSCALL_ACCEPT 202
#define SYSCALL_CONNECT 203
#define SYSCALL_GETSOCKNAME 204
#define SYSCALL_GETPEERNAME 205
#define SYSCALL_SENDTO 206
#define SYSCALL_RECVFROM 207
#define SYSCALL_SETSOCKOPT 208
#define SYSCALL_GETSOCKOPT 209
#define SYSCALL_SHUTDOWN 210
#define SYSCALL_SENDMSG 211
#define SYSCALL_RECVMSG 212
#define SYSCALL_READAHEAD 213
#define SYSCALL_EXECVE 221
#define SYSCALL_MMAP 222
#define SYSCALL_FADVISE64 223
#define SYSCALL_MPROTECT 226
#define SYSCALL_PERF_EVENT_OPEN 241
#define SYSCALL_ACCEPT4 242
#define SYSCALL_RECVMMSG 243
#define SYSCALL_NAME_TO_HANDLE_AT 264
#define SYSCALL_OPEN_BY_HANDLE_AT 265
#define SYSCALL_SYNCFS 267
#define SYSCALL_SENDMMSG 269
#define SYSCALL_SETNS 268
#define SYSCALL_SENDMMSG 269
#define SYSCALL_PROCESS_VM_WRITEV 271
#define SYSCALL_FINIT_MODULE 273
#define SYSCALL_EXECVEAT 281
#define SYSCALL_PREADV2 286
Expand All @@ -305,6 +303,14 @@ statfunc struct pt_regs *get_current_task_pt_regs(void)
#define SYSCALL_LANDLOCK_RESTRICT_SELF 446
#define SYSCALL_PROCESS_MRELEASE 448
#define SYSCALL_SOCKETCALL UNDEFINED_SYSCALL
#define SYSCALL_OPEN UNDEFINED_SYSCALL
#define SYSCALL_DUP2 UNDEFINED_SYSCALL
#define SYSCALL_GETDENTS UNDEFINED_SYSCALL
#define SYSCALL_FUTIMESAT UNDEFINED_SYSCALL
#define SYSCALL_NEWFSTATAT UNDEFINED_SYSCALL
#define SYSCALL_EPOLL_WAIT UNDEFINED_SYSCALL
#define SYSCALL_SIGNALFD UNDEFINED_SYSCALL
#define SYSCALL_ARCH_PRCTL UNDEFINED_SYSCALL
#endif

statfunc bool has_syscall_fd_arg(uint syscall_id)
Expand Down
1 change: 1 addition & 0 deletions pkg/ebpf/c/common/context.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,7 @@ statfunc int init_program_data(program_data_t *p, void *ctx, u32 event_id)
p->event->config.submit_for_policies = ~0ULL;

if (event_id != NO_EVENT_SUBMIT) {
p->event->config.submit_for_policies = 0;
Copy link
Member

@geyslan geyslan Aug 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

silent bug?

Copy link
Collaborator Author

@yanivagman yanivagman Aug 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep

event_config_t *event_config = get_event_config(event_id, p->event->context.policies_version);
if (event_config != NULL) {
p->event->config.param_types = event_config->param_types;
Expand Down
13 changes: 9 additions & 4 deletions pkg/ebpf/c/common/probes.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,27 +186,32 @@ get_syscall_args(struct task_struct *task, struct pt_regs *sys_regs, syscall_dat
\
get_syscall_args(task, ctx, sys); \
\
bpf_tail_call(ctx, &generic_sys_enter_tails, _id); \
\
return 0; \
}

#define TRACE_SYS_RET_FUNC(name, id) \
#define TRACE_SYS_RET_FUNC(name, _id) \
int trace_ret_##name(struct pt_regs *ctx) \
{ \
program_data_t p = {}; \
if (!init_program_data(&p, ctx, id)) \
if (!init_program_data(&p, ctx, _id)) \
return 0; \
\
p.task_info->syscall_traced = false; \
\
if (!evaluate_scope_filters(&p)) \
return 0; \
goto out; \
\
syscall_data_t *sys = &p.task_info->syscall_data; \
sys->ret = PT_REGS_RC(ctx); \
\
save_args_to_submit_buf(p.event, &sys->args); \
p.event->context.ts = sys->ts; \
events_perf_submit(&p, PT_REGS_RC(ctx)); \
events_perf_submit(&p, sys->ret); \
\
out: \
bpf_tail_call(ctx, &generic_sys_exit_tails, _id); \
return 0; \
}

Expand Down
20 changes: 20 additions & 0 deletions pkg/ebpf/c/maps.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,26 @@ struct sys_exit_tails {

typedef struct sys_exit_tails sys_exit_tails_t;

// store syscall specific programs for tail calls from the syscall handler
struct generic_sys_enter_tails {
__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
__uint(max_entries, MAX_EVENT_ID);
__type(key, u32);
__type(value, u32);
} generic_sys_enter_tails SEC(".maps");

typedef struct generic_sys_enter_tails generic_sys_enter_tails_t;

// store syscall specific programs for tail calls from the syscall handler
struct generic_sys_exit_tails {
__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
__uint(max_entries, MAX_EVENT_ID);
__type(key, u32);
__type(value, u32);
} generic_sys_exit_tails SEC(".maps");

typedef struct generic_sys_exit_tails generic_sys_exit_tails_t;

// store program for submitting syscalls from sys_enter
struct sys_enter_submit_tail {
__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
Expand Down
10 changes: 9 additions & 1 deletion pkg/ebpf/c/tracee.bpf.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -358,6 +358,14 @@ int trace_sys_exit(struct bpf_raw_tracepoint_args *ctx)
return 0;
}

// macros for syscall kprobes
TRACE_SYSCALL(ptrace, SYSCALL_PTRACE)
TRACE_SYSCALL(process_vm_writev, SYSCALL_PROCESS_VM_WRITEV)
TRACE_SYSCALL(arch_prctl, SYSCALL_ARCH_PRCTL)
TRACE_SYSCALL(dup, SYSCALL_DUP)
TRACE_SYSCALL(dup2, SYSCALL_DUP2)
TRACE_SYSCALL(dup3, SYSCALL_DUP3)

SEC("raw_tracepoint/sys_execve")
int syscall__execve_enter(void *ctx)
{
Expand Down Expand Up @@ -531,7 +539,7 @@ statfunc int send_socket_dup(program_data_t *p, u64 oldfd, u64 newfd)
return events_perf_submit(p, 0);
}

SEC("raw_tracepoint/sys_dup")
SEC("kprobe/sys_dup")
int sys_dup_exit_tail(void *ctx)
{
program_data_t p = {};
Expand Down
8 changes: 8 additions & 0 deletions pkg/ebpf/probes/arch_amd64.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
//go:build amd64
// +build amd64

package probes

const SyscallPrefix = "__x64_sys_"
const SyscallPrefixCompat = "__ia32_sys_"
const SyscallPrefixCompat2 = "__ia32_compat_sys_"
8 changes: 8 additions & 0 deletions pkg/ebpf/probes/arch_arm64.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
//go:build arm64
// +build arm64

package probes

const SyscallPrefix = "__arm64_sys_"
const SyscallPrefixCompat = "NOT_SUPPORTED"
const SyscallPrefixCompat2 = "NOT_SUPPORTED"
12 changes: 12 additions & 0 deletions pkg/ebpf/probes/probe_group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,18 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
SecurityTaskSetrlimit: NewTraceProbe(KProbe, "security_task_setrlimit", "trace_security_task_setrlimit"),
SecuritySettime64: NewTraceProbe(KProbe, "security_settime64", "trace_security_settime64"),
Ptrace: NewTraceProbe(SyscallEnter, "ptrace", "trace_ptrace"),
PtraceRet: NewTraceProbe(SyscallExit, "ptrace", "trace_ret_ptrace"),
ProcessVmWritev: NewTraceProbe(SyscallEnter, "process_vm_writev", "trace_process_vm_writev"),
ProcessVmWritevRet: NewTraceProbe(SyscallExit, "process_vm_writev", "trace_ret_process_vm_writev"),
ArchPrctl: NewTraceProbe(SyscallEnter, "arch_prctl", "trace_arch_prctl"),
ArchPrctlRet: NewTraceProbe(SyscallExit, "arch_prctl", "trace_ret_arch_prctl"),
Dup: NewTraceProbe(SyscallEnter, "dup", "trace_dup"),
DupRet: NewTraceProbe(SyscallExit, "dup", "trace_ret_dup"),
Dup2: NewTraceProbe(SyscallEnter, "dup2", "trace_dup2"),
Dup2Ret: NewTraceProbe(SyscallExit, "dup2", "trace_ret_dup2"),
Dup3: NewTraceProbe(SyscallEnter, "dup3", "trace_dup3"),
Dup3Ret: NewTraceProbe(SyscallExit, "dup3", "trace_ret_dup3"),

TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
ExecTest: NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
Expand Down
12 changes: 12 additions & 0 deletions pkg/ebpf/probes/probes.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,18 @@ const (
ExecuteAtFinishedCompatARM
SecurityTaskSetrlimit
SecuritySettime64
Ptrace
PtraceRet
ProcessVmWritev
ProcessVmWritevRet
ArchPrctl
ArchPrctlRet
Dup
DupRet
Dup2
Dup2Ret
Dup3
Dup3Ret
)

// Test probe handles
Expand Down
Loading