Merge pull request #11 from ehids/master

Merge pull request ehids#58 from ehids/event-dispatcher
fengjixuchui · May 10, 2022 · 0c44327 · 0c44327
2 parents 6c15bc9 + 87f5fbd
commit 0c44327
Show file tree

Hide file tree

Showing 30 changed files with 677 additions and 135 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -36,9 +36,17 @@ jobs:
     - name: Build Changelog
       id: github_release
       uses: mikepenz/release-changelog-builder-action@v1
+      with:
+        configuration: "configuration.json"
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Write File
+      uses: DamianReeves/write-file-action@v1.0
+      with:
+        path: ./bin/release_notes.txt
+        contents: |
+          ${{ steps.github_release.outputs.changelog }}
+        write-mode: append
     - name: Release
       run: |
-        echo ${{ steps.github_release.outputs.changelog }} | tee ./bin/release_notes.txt
         make -f builder/Makefile.release release SNAPSHOT_VERSION=${{ steps.get_tags.outputs.VERSION }}
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,6 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 /assets/ebpf_probe.go
+
+# VSCode
+.vscode/settings.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,22 @@
 <hr>
 
+## v0.1.8 (2022-05-08)
+## What's Changed
+* ADD mysqld dispatch_command return value. by @cfc4n in https://github.com/ehids/ecapture/pull/44
+* autogen  vmlinux header file to compatible current OS by @cfc4n in https://github.com/ehids/ecapture/pull/50
+* feat: support postgres query hook by @yihong0618 in https://github.com/ehids/ecapture/pull/51
+* added return value of bash module. by @huzai9527 in https://github.com/ehids/ecapture/pull/52
+* change bash line size to 256 bytes by @yindex in https://github.com/ehids/ecapture/pull/55
+* add errnumber flag for command bash by @huzai9527 in https://github.com/ehids/ecapture/pull/56
+
+## New Contributors
+* @huzai9527 made their first contribution in https://github.com/ehids/ecapture/pull/52
+* @yindex made their first contribution in https://github.com/ehids/ecapture/pull/55
+
+**Full Changelog**: https://github.com/ehids/ecapture/compare/v0.1.7...v0.1.8
+
+<hr>
+
 ## v0.1.7 (2022-04-22)
 
 ### What's Changed

diff --git a/Makefile b/Makefile
@@ -196,6 +196,7 @@ TARGETS += kern/bash
 TARGETS += kern/gnutls
 TARGETS += kern/nspr
 TARGETS += kern/mysqld
+TARGETS += kern/postgres
 
 # Generate file name-scheme based on TARGETS
 KERN_SOURCES = ${TARGETS:=_kern.c}

diff --git a/README.md b/README.md
@@ -1,13 +1,13 @@
 ![](./images/ecapture-logo-400x400.png)
 
-[简体中文介绍](./README_CN.md)
+[简体中文介绍](./README_CN.md) | English
 
 [![GitHub stars](https://img.shields.io/github/stars/ehids/ecapture.svg?label=Stars&logo=github)](https://github.com/ehids/ecapture)
 [![GitHub forks](https://img.shields.io/github/forks/ehids/ecapture?label=Forks&logo=github)](https://github.com/ehids/ecapture)
 [![CI](https://github.com/ehids/ecapture/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/ehids/ecapture/actions/workflows/code-analysis.yml)
 [![Github Version](https://img.shields.io/github/v/release/ehids/ecapture?display_name=tag&include_prereleases&sort=semver)](https://github.com/ehids/ecapture/releases)
 
-### eCapture:  capture SSL/TLS text content without CA cert by eBPF.
+### eCapture:  capture SSL/TLS text content without CA cert Using eBPF.
 
 ----
 
@@ -99,18 +99,16 @@ Probes: []*manager.Probe{
 },
 ```
 ### bash readline.so hook
-hook `/bin/bash` `readline` symbol name.
+hook `/bin/bash` symbol name `readline`.
 
 # How to compile
 Linux Kernel: >= 4.18.
 
 ## Tools 
 * golang 1.16
-* gcc 10.3.0
 * clang 9.0.0  
 * cmake 3.18.4
 * clang backend: llvm 9.0.0   
-* pahole >= v1.13
 * kernel config:CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)
 
 ## command

diff --git a/README_CN.md b/README_CN.md
@@ -1,6 +1,6 @@
 ![](./images/ecapture-logo-400x400.png)
 
-[English](./README.md)
+[English](./README.md) | 简体中文
 
 [![GitHub stars](https://img.shields.io/github/stars/ehids/ecapture.svg?label=Stars&logo=github)](https://github.com/ehids/ecapture)
 [![GitHub forks](https://img.shields.io/github/forks/ehids/ecapture?label=Forks&logo=github)](https://github.com/ehids/ecapture)
@@ -116,11 +116,9 @@ hook了`/bin/bash`的`readline`函数。
 
 ## 工具链版本
 * golang 1.16
-* gcc 10.3.0
 * clang 9.0.0
 * cmake 3.18.4
 * clang backend: llvm 9.0.0
-* pahole >= v1.13
 * kernel config:CONFIG_DEBUG_INFO_BTF=y (可选，2022-04-17增加)
 
 

diff --git a/builder/Makefile.release b/builder/Makefile.release
@@ -26,6 +26,8 @@ CMD_GIT ?= git
 CMD_RM ?= rm
 CMD_TOUCH ?= touch
 CMD_MKDIR ?= mkdir
+CMD_MV ?= mv
+CMD_CP ?= cp
 
 .ONESHELL:
 .check_%:
@@ -112,6 +114,7 @@ help:
 #
 
 OUTPUT_DIR = ./bin
+TAR_DIR = ecapture-$(SNAPSHOT_VERSION)
 
 # from CLI args.
 RELEASE_NOTES ?= $(OUTPUT_DIR)/release_notes.txt
@@ -127,12 +130,6 @@ $(OUTPUT_DIR):
 
 SNAPSHOT_VERSION ?= $(shell git rev-parse HEAD)
 
-RELEASE_FILES = LICENSE
-RELEASE_FILES += README.md
-RELEASE_FILES += README_CN.md
-RELEASE_FILES += $(OUTPUT_DIR)/ecapture
-RELEASE_FILES += $(OUTPUT_DIR)/release_notes.txt
-
 OUT_ARCHIVE := $(OUTPUT_DIR)/ecapture-$(SNAPSHOT_VERSION).tar.gz
 OUT_CHECKSUMS := $(OUTPUT_DIR)/checksum-$(SNAPSHOT_VERSION).txt
 
@@ -147,7 +144,11 @@ snapshot: \
 	# build binaries
 	$(MAKE) ARG="all"
 	# create the tar ball and checksum files
-	$(CMD_TAR)  -czf $(OUT_ARCHIVE) $(RELEASE_FILES)
+	$(CMD_MKDIR) -p $(TAR_DIR)
+	$(CMD_CP) LICENSE $(TAR_DIR)/LICENSE
+	$(CMD_MV) $(OUTPUT_DIR)/ecapture $(TAR_DIR)/ecapture
+	$(CMD_MV) $(OUTPUT_DIR)/release_notes.txt $(TAR_DIR)/release_notes.txt
+	$(CMD_TAR)  -czf $(OUT_ARCHIVE) $(TAR_DIR)
 	$(CMD_CHECKSUM) $(OUT_ARCHIVE) > $(OUT_CHECKSUMS)
 
 .PHONY: publish

diff --git a/cli/cmd/bash.go b/cli/cmd/bash.go
@@ -28,6 +28,7 @@ Auto find the bash of the current env as the capture target.`,
 func init() {
 	bashCmd.PersistentFlags().StringVar(&bc.Bashpath, "bash", "", "$SHELL file path, eg: /bin/bash , will automatically find it from $ENV default.")
 	bashCmd.PersistentFlags().StringVar(&bc.Readline, "readlineso", "", "readline.so file path, will automatically find it from $BASH_PATH default.")
+	bashCmd.Flags().IntVarP(&bc.ErrNo, "errnumber", "e", user.BASH_ERRNO_DEFAULT, "only show the command which exec reulst equals err number.")
 	rootCmd.AddCommand(bashCmd)
 
 	// Here you will define your flags and configuration settings.

diff --git a/cli/cmd/postgres.go b/cli/cmd/postgres.go
@@ -0,0 +1,78 @@
+/*
+Copyright © 2022 CFC4N <cfc4n.cs@gmail.com>
+
+*/
+package cmd
+
+import (
+	"context"
+	"ecapture/user"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/spf13/cobra"
+)
+
+var postgresConfig = user.NewPostgresConfig()
+
+//postgres Cmd represents the postgres command
+var postgresCmd = &cobra.Command{
+	Use:   "postgres",
+	Short: "capture sql queries from postgres 10+.",
+	Run:   postgresCommandFunc,
+}
+
+func init() {
+	postgresCmd.PersistentFlags().StringVarP(&postgresConfig.PostgresPath, "postgres", "m", "/usr/bin/postgres", "postgres binary file path, use to hook")
+	postgresCmd.PersistentFlags().StringVarP(&postgresConfig.FuncName, "funcname", "f", "", "function name to hook")
+	rootCmd.AddCommand(postgresCmd)
+}
+
+// postgres CommandFunc executes the "psql" command.
+func postgresCommandFunc(command *cobra.Command, args []string) {
+	stopper := make(chan os.Signal, 1)
+	signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)
+	ctx, cancelFun := context.WithCancel(context.TODO())
+
+	mod := user.GetModuleByName(user.MODULE_NAME_POSTGRES)
+
+	logger := log.Default()
+
+	logger.Printf("start to run %s module", mod.Name())
+
+	// save global config
+	gConf, e := getGlobalConf(command)
+	if e != nil {
+		logger.Fatal(e)
+		os.Exit(1)
+	}
+	postgresConfig.Pid = gConf.Pid
+	postgresConfig.Debug = gConf.Debug
+	postgresConfig.IsHex = gConf.IsHex
+
+	log.Printf("pid info: %d", os.Getpid())
+	//bc.Pid = globalFlags.Pid
+	if e := postgresConfig.Check(); e != nil {
+		logger.Fatal(e)
+		os.Exit(1)
+	}
+	// init
+	err := mod.Init(ctx, logger, postgresConfig)
+	if err != nil {
+		logger.Fatal(err)
+		os.Exit(1)
+	}
+
+	// 加载ebpf，挂载到hook点上，开始监听
+	go func(module user.IModule) {
+		err := module.Run()
+		if err != nil {
+			logger.Fatalf("%v", err)
+		}
+	}(mod)
+	<-stopper
+	cancelFun()
+	os.Exit(0)
+}
diff --git a/configuration.json b/configuration.json
@@ -0,0 +1,22 @@
+{
+  "categories": [
+    {
+      "title": "## 🚀 Features",
+      "labels": ["feature", "enhancement"]
+    },
+    {
+      "title": "## 🐛 Fixes",
+      "labels": ["fix", "bug"]
+    },
+    {
+      "title": "## 🧪 Tests",
+      "labels": ["test"]
+    }
+  ],
+  "sort": "ASC",
+  "template": "${{CHANGELOG}}",
+  "pr_template": "- ${{TITLE}}\n   - PR: #${{NUMBER}}",
+  "empty_template": "- no changes",
+  "max_pull_requests": 1000,
+  "max_back_track_time_days": 1000
+}
diff --git a/kern/bash_kern.c b/kern/bash_kern.c
@@ -2,14 +2,21 @@
 
 struct event {
     u32 pid;
-    u8 line[80];
+    u8 line[MAX_DATA_SIZE_BASH];
+    u32 retval;
     char comm[TASK_COMM_LEN];
 };
 
 struct {
     __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 } events SEC(".maps");
 
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, u32);
+    __type(value, struct event);
+    __uint(max_entries, 1024);
+} events_t SEC(".maps");
 // Force emitting struct event into the ELF.
 const struct event *unused __attribute__((unused));
 
@@ -25,14 +32,43 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
     }
 #endif
 
-    struct event event;
-    //    bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
+    struct event event = {};
     event.pid = pid;
+    // bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
     bpf_probe_read(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx));
-
     bpf_get_current_comm(&event.comm, sizeof(event.comm));
-    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
-                          sizeof(event));
+    bpf_map_update_elem(&events_t, &pid, &event, BPF_ANY);
 
     return 0;
 }
+SEC("uretprobe/bash_retval")
+int uretprobe_bash_retval(struct pt_regs *ctx) {
+    s64 pid_tgid = bpf_get_current_pid_tgid();
+    int pid = pid_tgid >> 32;
+    int retval = (int)PT_REGS_RC(ctx);
+
+#ifndef KERNEL_LESS_5_2
+    // if target_ppid is 0 then we target all pids
+    if (target_pid != 0 && target_pid != pid) {
+        return 0;
+    }
+#endif
+
+    struct event *event_p = bpf_map_lookup_elem(&events_t, &pid);
+
+#ifndef KERNEL_LESS_5_2
+    // if target_errno is 128 then we target all
+    if (target_errno != BASH_ERRNO_DEFAULT && target_errno != retval) {
+        if (event_p) bpf_map_delete_elem(&events_t, &pid);
+        return 0;
+    }
+#endif
+
+    if (event_p) {
+        event_p->retval = retval;
+        bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
+        bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event_p,
+                              sizeof(struct event));
+    }
+    return 0;
+}
diff --git a/kern/common.h b/kern/common.h
@@ -14,6 +14,8 @@
 #define TASK_COMM_LEN 16
 #define MAX_DATA_SIZE_OPENSSL 1024 * 4
 #define MAX_DATA_SIZE_MYSQL 256
+#define MAX_DATA_SIZE_POSTGRES 256
+#define MAX_DATA_SIZE_BASH 256
 
 // enum_server_command, via
 // https://dev.mysql.com/doc/internals/en/com-query.html COM_QUERT command 03
@@ -22,16 +24,18 @@
 #define AF_INET 2
 #define AF_INET6 10
 #define SA_DATA_LEN 14
+#define BASH_ERRNO_DEFAULT 128
 
 // Optional Target PID
 // .rodata section bug via : https://github.com/ehids/ecapture/issues/39
 #ifndef KERNEL_LESS_5_2
 const volatile u64 target_pid = 0;
+const volatile int target_errno = BASH_ERRNO_DEFAULT;
 #else
 // u64 target_pid = 0;
 #endif
 
 char __license[] SEC("license") = "Dual MIT/GPL";
 __u32 _version SEC("version") = 0xFFFFFFFE;
 
-#endif
+#endif