From 4f7a72bcfa72061e6587ec001dea4667142959a0 Mon Sep 17 00:00:00 2001
From: CFC4N
Date: Fri, 17 Jun 2022 23:17:04 +0800
Subject: [PATCH] New feature: #85 event filter by uid

event filter by uid for tls module #85

Signed-off-by: CFC4N
---
 cli/cmd/tls.go        |  1 +
 kern/bash_kern.c      |  2 +-
 kern/gnutls_kern.c    | 20 ++++++++++++++++++++
 kern/nspr_kern.c      | 20 ++++++++++++++++++++
 kern/openssl_kern.c   | 25 +++++++++++++++++++++++++
 user/probe_openssl.go | 11 +++++++++++
 6 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/cli/cmd/tls.go b/cli/cmd/tls.go
index 1c66717a3..cd3eede56 100644
--- a/cli/cmd/tls.go
+++ b/cli/cmd/tls.go
@@ -85,6 +85,7 @@ func openSSLCommandFunc(command *cobra.Command, args []string) {
 	}
 	conf.SetPid(gConf.Pid)
+	conf.SetUid(gConf.Uid)
 	conf.SetDebug(gConf.Debug)
 	conf.SetHex(gConf.IsHex)
 	conf.SetNoSearch(gConf.NoSearch)
diff --git a/kern/bash_kern.c b/kern/bash_kern.c
index 1aeb0a306..f4b6d33ef 100644
--- a/kern/bash_kern.c
+++ b/kern/bash_kern.c
@@ -34,7 +34,7 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
         return 0;
     }
     if (target_uid != 0 && target_uid != uid) {
-        return 0;
+        return 0;
     }
 #endif
diff --git a/kern/gnutls_kern.c b/kern/gnutls_kern.c
index c149b99cf..9f1510065 100644
--- a/kern/gnutls_kern.c
+++ b/kern/gnutls_kern.c
@@ -107,6 +107,8 @@ SEC("uprobe/gnutls_record_send")
 int probe_entry_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("gnutls uprobe/gnutls_record_send pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -114,6 +116,9 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
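Review bot: `u32 uid = current_uid_gid >> 32;` in probe_entry_SSL_write extracts the GID, not the UID: bpf_get_current_uid_gid() packs its result as `current_gid << 32 | current_uid`, the opposite layout from bpf_get_current_pid_tgid()'s `tgid << 32 | pid` that the line above it mirrors. As written, target_uid is compared against the caller's primary group id, so a process whose gid equals the requested uid is captured while the intended user's traffic is dropped. The fix is `u32 uid = (u32)current_uid_gid;` with a comment such as `// real uid (low 32 bits) as seen from the initial user namespace; gid is in the high half`. The same pair of lines is repeated in every probe of this commit — the three later gnutls_kern.c hunks, all four nspr_kern.c probes, and openssl_kern.c including probe_connect — and needs the same change; the body of probe_entry_SSL_write continues outside this hunk.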
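Review bot: The new `if (target_uid != 0 && target_uid != uid)` check makes uid 0 mean "all users", so root, which is a valid uid, can never be selected on its own, and the Go side's `GetUid() <= 0` branch reports "target all users" for the same value. If an in-band sentinel is wanted, pick one that is not a valid uid (for example a separate `filter_by_uid` constant, or 0xffffffff), or at least document the limitation next to the check: `// 0 means "no uid filter"; root (uid 0) cannot be targeted explicitly`. This applies to every `target_uid != 0` check added in gnutls_kern.c, nspr_kern.c and openssl_kern.c and to the logging branch in user/probe_openssl.go.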
@@ -126,6 +131,8 @@ SEC("uretprobe/gnutls_record_send")
 int probe_ret_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("gnutls uretprobe/gnutls_record_send pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -133,6 +140,9 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char** buf =
@@ -153,6 +163,8 @@ SEC("uprobe/gnutls_record_recv")
 int probe_entry_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("gnutls uprobe/gnutls_record_recv pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -160,6 +172,9 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
@@ -172,6 +187,8 @@ SEC("uretprobe/gnutls_record_recv")
 int probe_ret_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("gnutls uretprobe/gnutls_record_recv pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -179,6 +196,9 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char** buf =
diff --git a/kern/nspr_kern.c b/kern/nspr_kern.c
index f903a5858..5e41ae182 100644
--- a/kern/nspr_kern.c
+++ b/kern/nspr_kern.c
@@ -104,6 +104,8 @@ SEC("uprobe/PR_Write")
 int probe_entry_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("nspr uprobe/PR_Write pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -111,6 +113,9 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
@@ -123,6 +128,8 @@ SEC("uretprobe/PR_Write")
 int probe_ret_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("nspr uretprobe/PR_Write pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -130,6 +137,9 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char** buf =
@@ -151,6 +161,8 @@ SEC("uprobe/PR_Read")
 int probe_entry_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("nspr uprobe/PR_Read pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -158,6 +170,9 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
@@ -170,6 +185,8 @@ SEC("uretprobe/PR_Read")
 int probe_ret_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("nspr uretprobe/PR_Read pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -177,6 +194,9 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     const char** buf =
diff --git a/kern/openssl_kern.c b/kern/openssl_kern.c
index 1467b1505..f9c66d1f2 100644
--- a/kern/openssl_kern.c
+++ b/kern/openssl_kern.c
@@ -160,12 +160,17 @@ SEC("uprobe/SSL_write")
 int probe_entry_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     debug_bpf_printk("openssl uprobe/SSL_write pid :%d\n", pid);
@@ -197,12 +202,17 @@ SEC("uretprobe/SSL_write")
 int probe_ret_SSL_write(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     debug_bpf_printk("openssl uretprobe/SSL_write pid :%d\n", pid);
     struct active_ssl_buf* active_ssl_buf_t =
@@ -224,6 +234,8 @@ SEC("uprobe/SSL_read")
 int probe_entry_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("openssl uprobe/SSL_read pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -231,6 +243,9 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     void* ssl = (void*)PT_REGS_PARM1(ctx);
@@ -260,6 +275,8 @@ SEC("uretprobe/SSL_read")
 int probe_ret_SSL_read(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
     debug_bpf_printk("openssl uretprobe/SSL_read pid :%d\n", pid);
 #ifndef KERNEL_LESS_5_2
@@ -267,6 +284,9 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     struct active_ssl_buf* active_ssl_buf_t =
@@ -288,12 +308,17 @@ SEC("uprobe/connect")
 int probe_connect(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;
+    u64 current_uid_gid = bpf_get_current_uid_gid();
+    u32 uid = current_uid_gid >> 32;
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
     if (target_pid != 0 && target_pid != pid) {
         return 0;
     }
+    if (target_uid != 0 && target_uid != uid) {
+        return 0;
+    }
 #endif
     u32 fd = (u32)PT_REGS_PARM1(ctx);
diff --git a/user/probe_openssl.go b/user/probe_openssl.go
index 58436b93a..6f811441b 100644
--- a/user/probe_openssl.go
+++ b/user/probe_openssl.go
@@ -93,6 +93,10 @@ func (this *MOpenSSLProbe) constantEditor() []manager.ConstantEditor {
 			Value: uint64(this.conf.GetPid()),
 			//FailOnMissing: true,
 		},
+		{
+			Name:  "target_uid",
+			Value: uint64(this.conf.GetUid()),
+		},
 	}
 	if this.conf.GetPid() <= 0 {
@@ -100,6 +104,13 @@ func (this *MOpenSSLProbe) constantEditor() []manager.ConstantEditor {
 	} else {
 		this.logger.Printf("target PID:%d \n", this.conf.GetPid())
 	}
+
+	if this.conf.GetUid() <= 0 {
+		this.logger.Printf("target all users. \n")
+	} else {
+		this.logger.Printf("target UID:%d \n", this.conf.GetUid())
+	}
+
+
 	return editor
 }
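Review bot: The `target_uid` ConstantEditor is added only to MOpenSSLProbe.constantEditor, while the matching `target_uid` check was compiled into gnutls_kern.c and nspr_kern.c as well; the diffstat lists no change to the gnutls or nspr user-space probes. Unless those probes reuse this editor (not visible here), their BPF objects keep whatever `target_uid` they were built with and the uid option silently does nothing for gnutls/nspr. Separately, `Value: uint64(this.conf.GetUid())` is written unconditionally, whereas the next hunk treats `GetUid() <= 0` as "all users"; if GetUid returns a signed type, a negative value is sign-extended into the constant instead of being normalised to 0, which would suppress all events. Consider `Value: uint64(max(this.conf.GetUid(), 0))` (or the equivalent guard in Go versions without a builtin max) so the constant and the log message agree.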