diff --git a/pkg/ebpf/c/bpf_helpers.h b/pkg/ebpf/c/bpf_helpers.h
index 62b646df0d12d..95d638988b847 100644
--- a/pkg/ebpf/c/bpf_helpers.h
+++ b/pkg/ebpf/c/bpf_helpers.h
@@ -266,6 +266,10 @@ enum libbpf_tristate {
              ___param, sizeof(___param)); \
 })
 
+#ifndef BPF_NO_GLOBAL_DATA
+#define BPF_NO_GLOBAL_DATA 1
+#endif
+
 #ifdef BPF_NO_GLOBAL_DATA
 #define BPF_PRINTK_FMT_MOD
 #else
diff --git a/pkg/security/ebpf/c/include/hooks/network/connect.h b/pkg/security/ebpf/c/include/hooks/network/connect.h
index 0d07f22c21f6b..3263b46ea3b93 100644
--- a/pkg/security/ebpf/c/include/hooks/network/connect.h
+++ b/pkg/security/ebpf/c/include/hooks/network/connect.h
@@ -65,6 +65,19 @@ int hook_security_socket_connect(ctx_t *ctx) {
     struct pid_route_t key = {};
     u16 family = 0;
     u16 protocol = 0;
+
+    u64 socket_sock_offset;
+    u64 sk_protocol_offset;
+    u64 sk_protocol_size;
+
+
+    LOAD_CONSTANT("socket_sock_offset", socket_sock_offset);
+    LOAD_CONSTANT("sock_sk_protocol_offset", sk_protocol_offset);
+    LOAD_CONSTANT("sk_protocol_size", sk_protocol_size);
+
+    __bpf_printk("-------------------- sk_protocol_offset: %d", socket_sock_offset);
+    __bpf_printk("-------------------- sk_protocol_offset: %d", sk_protocol_offset);
+    __bpf_printk("-------------------- sk_protocol_size: %d", sk_protocol_size);
 
     // Extract IP and port from the sockaddr structure
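Review bot: Defaulting `BPF_NO_GLOBAL_DATA` to 1 inside the shared header switches every program that includes bpf_helpers.h to stack-resident printk format strings (`BPF_PRINTK_FMT_MOD` expands to nothing in the `#ifdef` branch right below), not only the connect hook this change is debugging. Because the selector is `#ifdef`, a build that defines the macro to 0 on the command line does not get global data back; the only way to opt out is to edit this header. If the intent is to load on kernels that lack global-data support, pass `-DBPF_NO_GLOBAL_DATA` from the build of the programs that need it, or at least state the reason here, e.g. `/* default to stack-resident printk format strings; presumably for kernels without .rodata map support — confirm */`.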
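Review bot: The three `__bpf_printk` calls run on every security_socket_connect invocation, whereas this file's existing debug output is wrapped in `#if defined(DEBUG_CONNECT)` (visible in the block the third hunk removes); left unconditional they flood the trace pipe on every connect() in production builds. The first label also says `sk_protocol_offset` while printing `socket_sock_offset`. Wrap the three lines in `#if defined(DEBUG_CONNECT)` … `#endif` and change the first one to `__bpf_printk("-------------------- socket_sock_offset: %d", socket_sock_offset);`; the double blank line after the declarations can go as well. hook_security_socket_connect continues past the end of the hunk.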
@@ -80,9 +93,10 @@ int hook_security_socket_connect(ctx_t *ctx) {
         bpf_probe_read(&key.addr, sizeof(u64) * 2, (char *)addr_in6 + offsetof(struct sockaddr_in6, sin6_addr));
     }
 
-    struct sock *sk_sock;
-    bpf_probe_read(&sk_sock, sizeof(sk_sock), &sk->sk);
-    bpf_probe_read(&protocol, sizeof(protocol), &sk_sock->sk_protocol);
+    struct sock *sk_sock = NULL;
+    bpf_probe_read(&sk_sock, sizeof(sk_sock),(void *) sk + socket_sock_offset);
+    bpf_probe_read(&protocol, sk_protocol_size, (void *) sk_sock + sk_protocol_offset);
+    // bpf_probe_read(&protocol, sizeof(protocol), &sk_sock->sk_protocol);
 
     // fill syscall_cache if necessary
     struct syscall_cache_t *syscall = peek_syscall(EVENT_CONNECT);
@@ -99,27 +113,6 @@ int hook_security_socket_connect(ctx_t *ctx) {
         return 0;
     }
 
-    // Register service PID
-    if (key.port != 0) {
-        u64 id = bpf_get_current_pid_tgid();
-        u32 tid = (u32)id;
-
-        // add netns information
-        key.netns = get_netns_from_socket(sk);
-        if (key.netns != 0) {
-            bpf_map_update_elem(&netns_cache, &tid, &key.netns, BPF_ANY);
-        }
-
-#ifndef DO_NOT_USE_TC
-        u32 pid = id >> 32;
-        bpf_map_update_elem(&flow_pid, &key, &pid, BPF_ANY);
-#endif
-
-#if defined(DEBUG_CONNECT)
-        __bpf_printk("------------# registered (connect) pid:%d", pid);
-        __bpf_printk("------------# p:%d a:%d a:%d", key.port, key.addr[0], key.addr[1]);
-#endif
-    }
 
     return 0;
 }
diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
index c5ee88a4452f6..4d79af7adc1de 100644
--- a/pkg/security/probe/constantfetch/constant_names.go
+++ b/pkg/security/probe/constantfetch/constant_names.go
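Review bot: `bpf_probe_read(&protocol, sk_protocol_size, (void *) sk_sock + sk_protocol_offset)` copies a load-time-patched number of bytes into a `u16`, and nothing in the hunk guards against that size exceeding `sizeof(protocol)` or against the offset constants being left unresolved (a zero `sk_protocol_offset` would read the start of the struct instead of the field). A one-byte read also only lands in the low byte on little-endian targets, so the value of `protocol` becomes endianness-dependent whenever `sk_protocol_size` is 1. Consider `if (sk_protocol_size > sizeof(protocol) || sk_protocol_offset == 0) { return 0; }` ahead of the read, and remove the commented-out `// bpf_probe_read(&protocol, sizeof(protocol), &sk_sock->sk_protocol);` rather than leaving dead code behind. hook_security_socket_connect starts and ends outside this hunk.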
@@ -79,6 +79,7 @@ const (
	OffsetNameDeviceStructNdNet = "device_nd_net_net_offset"
	OffsetNameSockCommonStructSKCNet = "sock_common_skc_net_offset"
	OffsetNameSocketStructSK = "socket_sock_offset"
+	OffsetNameSocketProtocol = "sock_sk_protocol_offset"
	OffsetNameNFConnStructCTNet = "nf_conn_ct_net_offset"
	OffsetNameSockCommonStructSKCFamily = "sock_common_skc_family_offset"
	OffsetNameFlowI4StructSADDR = "flowi4_saddr_offset"
diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
index 468a5f54c84d4..5f6cb36bfcd6c 100644
--- a/pkg/security/probe/constantfetch/fallback.go
+++ b/pkg/security/probe/constantfetch/fallback.go
@@ -109,6 +109,8 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
		value = getSockCommonSKCNetOffset(f.kernelVersion)
	case OffsetNameSocketStructSK:
		value = getSocketSockOffset(f.kernelVersion)
+	case OffsetNameSocketProtocol:
+		value = getSocketProtocolOffset(f.kernelVersion)
	case OffsetNameNFConnStructCTNet:
		value = getNFConnCTNetOffset(f.kernelVersion)
	case OffsetNameSockCommonStructSKCFamily:
@@ -789,6 +791,14 @@ func getSocketSockOffset(kv *kernel.Version) uint64 {
	return offset
 }
 
+func getSocketProtocolOffset(kv *kernel.Version) uint64 {
+	offset := uint64(548)
+	if kv.Code < kernel.Kernel5_6 {
+		// offset =
+	}
+	return offset
+}
+
 func getNFConnCTNetOffset(kv *kernel.Version) uint64 {
	switch {
	case kv.IsCOSKernel():
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index fa8600bf245e9..9db85facf6d7f 100644
--- a/pkg/security/probe/probe_ebpf.go
+++ b/pkg/security/probe/probe_ebpf.go
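Review bot: `OffsetNameSocketProtocol` breaks the naming pattern of its neighbours (`OffsetName<Struct>Struct<Field>`, e.g. `OffsetNameSocketStructSK`) and reads as if it named a `struct socket` field, while its string value `sock_sk_protocol_offset` and the offsetof request in probe_ebpf.go refer to `sk_protocol` of `struct sock`. `OffsetNameSockStructSkProtocol = "sock_sk_protocol_offset"` would keep the Go identifier and the eBPF-side constant name telling the same story; the switch case in fallback.go and the AppendOffsetofRequest call in probe_ebpf.go would follow the rename.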
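Review bot: `getSocketProtocolOffset` returns the single hard-coded value 548 for every kernel, and the `kv.Code < kernel.Kernel5_6` branch is an empty placeholder (`// offset =`), so a pre-5.6 kernel that lands in the fallback gets the same offset as a newer one and the eBPF side reads `protocol` from whatever happens to sit at +548 in `struct sock`. The neighbouring fallbacks (`getSocketSockOffset`, `getNFConnCTNetOffset`) at least switch on kernel version and distribution, and a single constant is unlikely to hold across architectures and configs. Until the older layout is filled in, the unhandled branch should return whatever sentinel this fetcher uses for an unresolved offset rather than 548, so the probe can skip the read instead of guessing; a doc comment such as `// getSocketProtocolOffset returns the offset of sk_protocol in struct sock; only kernels >= 5.6 are covered so far` would make the gap visible. The `case OffsetNameSocketProtocol:` added in the hunk at line 109 wires this value through unchanged, so it inherits the same issue.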
@@ -1965,6 +1965,10 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, telemetry tele
			Name: "imds_ip",
			Value: uint64(config.RuntimeSecurity.IMDSIPv4),
		},
+		manager.ConstantEditor{
+			Name: "sk_protocol_size",
+			Value: getSkProtocolSize(p.kernelVersion),
+		},
	)
 
	p.managerOptions.ConstantEditors = append(p.managerOptions.ConstantEditors, DiscarderConstants...)
@@ -2189,6 +2193,14 @@ func getOvlPathInOvlInode(kernelVersion *kernel.Version) uint64 {
	return 0
 }
 
+func getSkProtocolSize(kernelVersion *kernel.Version) uint64 {
+	if kernelVersion.Code != 0 && kernelVersion.Code < kernel.Kernel5_6 {
+		return 2
+	} else {
+		return 1
+	}
+}
+
 // getCGroupWriteConstants returns the value of the constant used to determine how cgroups should be captured in kernel
 // space
 func getCGroupWriteConstants() manager.ConstantEditor {
@@ -2307,6 +2319,7 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructSADDR, "struct flowi6", "saddr", "net/flow.h")
	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFlowI6StructULI, "struct flowi6", "uli", "net/flow.h")
	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketStructSK, "struct socket", "sk", "linux/net.h")
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSocketProtocol, "struct sock", "sk_protocol", "net/sock.h")
 
	// Interpreter constants
	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameLinuxBinprmStructFile, "struct linux_binprm", "file", "linux/binfmts.h")
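Review bot: `getSkProtocolSize` returns 2 for kernels older than 5.6 and 1 otherwise, which looks inverted: 5.6 is where `sk_protocol` became a plain 16-bit field, and before that it was an 8-bit bitfield packed with neighbouring flag bits, so a 2-byte read on old kernels would pull adjacent bits into `protocol` — please confirm against the headers the fallback offsets were derived from. If the field really is a bitfield on older kernels, the `AppendOffsetofRequest(constantfetch.OffsetNameSocketProtocol, "struct sock", "sk_protocol", "net/sock.h")` added in the hunk at line 2307 cannot be satisfied there either, since offsetof on a bitfield member is not valid C, and the request will fall through to the fallback's empty pre-5.6 branch. Style-wise the `else` after `return 2` is redundant (`if … { return 2 }` followed by a bare `return 1`), and the function lacks the doc comment its neighbour `getCGroupWriteConstants` carries, e.g. `// getSkProtocolSize returns the byte width of sk_protocol in struct sock for the running kernel`.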