use offsets

DataDog · Nov 13, 2024 · 9e2c1f4 · 9e2c1f4
1 parent b9d7d00
commit 9e2c1f4
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 24 deletions.
diff --git a/pkg/ebpf/c/bpf_helpers.h b/pkg/ebpf/c/bpf_helpers.h
@@ -266,6 +266,10 @@ enum libbpf_tristate {
 		     ___param, sizeof(___param));		\
 })
 
+#ifndef BPF_NO_GLOBAL_DATA
+#define BPF_NO_GLOBAL_DATA 1
+#endif
+
 #ifdef BPF_NO_GLOBAL_DATA
 #define BPF_PRINTK_FMT_MOD
 #else

diff --git a/pkg/security/ebpf/c/include/hooks/network/connect.h b/pkg/security/ebpf/c/include/hooks/network/connect.h
@@ -65,6 +65,19 @@ int hook_security_socket_connect(ctx_t *ctx) {
     struct pid_route_t key = {};
     u16 family = 0;
     u16 protocol = 0;
+
+    u64 socket_sock_offset;
+    u64 sk_protocol_offset;
+    u64 sk_protocol_size;
+
+
+    LOAD_CONSTANT("socket_sock_offset", socket_sock_offset);
+    LOAD_CONSTANT("sock_sk_protocol_offset", sk_protocol_offset);
+    LOAD_CONSTANT("sk_protocol_size", sk_protocol_size);
+
+    __bpf_printk("-------------------- sk_protocol_offset: %d", socket_sock_offset);
+    __bpf_printk("-------------------- sk_protocol_offset: %d", sk_protocol_offset);
+    __bpf_printk("-------------------- sk_protocol_size: %d", sk_protocol_size);
 
 
     // Extract IP and port from the sockaddr structure
@@ -80,9 +93,10 @@ int hook_security_socket_connect(ctx_t *ctx) {
         bpf_probe_read(&key.addr, sizeof(u64) * 2, (char *)addr_in6 + offsetof(struct sockaddr_in6, sin6_addr));
     }
 
-    struct sock *sk_sock;
-    bpf_probe_read(&sk_sock, sizeof(sk_sock), &sk->sk);
-    bpf_probe_read(&protocol, sizeof(protocol), &sk_sock->sk_protocol);
+    struct sock *sk_sock = NULL;
+    bpf_probe_read(&sk_sock, sizeof(sk_sock),(void *) sk + socket_sock_offset);
+    bpf_probe_read(&protocol, sk_protocol_size, (void *) sk_sock + sk_protocol_offset);
+    // bpf_probe_read(&protocol, sizeof(protocol), &sk_sock->sk_protocol);
 
     // fill syscall_cache if necessary
     struct syscall_cache_t *syscall = peek_syscall(EVENT_CONNECT);
@@ -99,27 +113,6 @@ int hook_security_socket_connect(ctx_t *ctx) {
         return 0;
     }
 
-    // Register service PID
-    if (key.port != 0) {
-        u64 id = bpf_get_current_pid_tgid();
-        u32 tid = (u32)id;
-
-        // add netns information
-        key.netns = get_netns_from_socket(sk);
-        if (key.netns != 0) {
-            bpf_map_update_elem(&netns_cache, &tid, &key.netns, BPF_ANY);
-        }
-
-#ifndef DO_NOT_USE_TC
-        u32 pid = id >> 32;
-        bpf_map_update_elem(&flow_pid, &key, &pid, BPF_ANY);
-#endif
-
-#if defined(DEBUG_CONNECT)
-        __bpf_printk("------------# registered (connect) pid:%d", pid);
-        __bpf_printk("------------# p:%d a:%d a:%d", key.port, key.addr[0], key.addr[1]);
-#endif
-    }
     return 0;
 }
 

diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
@@ -79,6 +79,7 @@ const (
 	OffsetNameDeviceStructNdNet         = "device_nd_net_net_offset"
 	OffsetNameSockCommonStructSKCNet    = "sock_common_skc_net_offset"
 	OffsetNameSocketStructSK            = "socket_sock_offset"
+	OffsetNameSocketProtocol            = "sock_sk_protocol_offset"
 	OffsetNameNFConnStructCTNet         = "nf_conn_ct_net_offset"
 	OffsetNameSockCommonStructSKCFamily = "sock_common_skc_family_offset"
 	OffsetNameFlowI4StructSADDR         = "flowi4_saddr_offset"

diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
@@ -109,6 +109,8 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
 		value = getSockCommonSKCNetOffset(f.kernelVersion)
 	case OffsetNameSocketStructSK:
 		value = getSocketSockOffset(f.kernelVersion)
+	case OffsetNameSocketProtocol:
+		value = getSocketProtocolOffset(f.kernelVersion)
 	case OffsetNameNFConnStructCTNet:
 		value = getNFConnCTNetOffset(f.kernelVersion)
 	case OffsetNameSockCommonStructSKCFamily:
@@ -789,6 +791,14 @@ func getSocketSockOffset(kv *kernel.Version) uint64 {
 	return offset
 }
 
+func getSocketProtocolOffset(kv *kernel.Version) uint64 {
+	offset := uint64(548)
+	if kv.Code < kernel.Kernel5_6 {
+		// offset =
+	}
+	return offset
+}
+
 func getNFConnCTNetOffset(kv *kernel.Version) uint64 {
 	switch {
 	case kv.IsCOSKernel():

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -1965,6 +1965,10 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, telemetry tele
 			Name:  "imds_ip",
 			Value: uint64(config.RuntimeSecurity.IMDSIPv4),
 		},
+		manager.ConstantEditor{
+			Name:  "sk_protocol_size",
+			Value: getSkProtocolSize(p.kernelVersion),
+		},
 	)
 
 	p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, DiscarderConstants...)
@@ -2189,6 +2193,14 @@ func getOvlPathInOvlInode(kernelVersion *kernel.Version) uint64 {
 	return 0
 }
 
+func getSkProtocolSize(kernelVersion *kernel.Version) uint64 {
+	if kernelVersion.Code != 0 && kernelVersion.Code < kernel.Kernel5_6 {
+		return 2
+	} else {
+		return 1
+	}
+}
+
 // getCGroupWriteConstants returns the value of the constant used to determine how cgroups should be captured in kernel
 // space
 func getCGroupWriteConstants() manager.ConstantEditor {
@@ -2307,6 +2319,7 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructSADDR, "struct flowi6", "saddr", "net/flow.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructULI, "struct flowi6", "uli", "net/flow.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketStructSK, "struct socket", "sk", "linux/net.h")
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketProtocol, "struct sock", "sk_protocol", "net/sock.h")
 
 	// Interpreter constants
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmStructFile, "struct linux_binprm", "file", "linux/binfmts.h")