Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New feature: #85 event filter by uid for module tls #86

Merged
merged 1 commit into from
Jun 17, 2022
Merged

New feature: #85 event filter by uid for module tls #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cli/cmd/tls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ func openSSLCommandFunc(command *cobra.Command, args []string) {
}

conf.SetPid(gConf.Pid)
conf.SetUid(gConf.Uid)
conf.SetDebug(gConf.Debug)
conf.SetHex(gConf.IsHex)
conf.SetNoSearch(gConf.NoSearch)
Expand Down
2 changes: 1 addition & 1 deletion kern/bash_kern.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
return 0;
}
#endif

Expand Down
20 changes: 20 additions & 0 deletions kern/gnutls_kern.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,13 +107,18 @@ SEC("uprobe/gnutls_record_send")
int probe_entry_SSL_write(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("gnutls uprobe/gnutls_record_send pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char* buf = (const char*)PT_REGS_PARM2(ctx);
Expand All @@ -126,13 +131,18 @@ SEC("uretprobe/gnutls_record_send")
int probe_ret_SSL_write(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("gnutls uretprobe/gnutls_record_send pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char** buf =
Expand All @@ -153,13 +163,18 @@ SEC("uprobe/gnutls_record_recv")
int probe_entry_SSL_read(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("gnutls uprobe/gnutls_record_recv pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char* buf = (const char*)PT_REGS_PARM2(ctx);
Expand All @@ -172,13 +187,18 @@ SEC("uretprobe/gnutls_record_recv")
int probe_ret_SSL_read(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("gnutls uretprobe/gnutls_record_recv pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char** buf =
Expand Down
20 changes: 20 additions & 0 deletions kern/nspr_kern.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,13 +104,18 @@ SEC("uprobe/PR_Write")
int probe_entry_SSL_write(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("nspr uprobe/PR_Write pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char* buf = (const char*)PT_REGS_PARM2(ctx);
Expand All @@ -123,13 +128,18 @@ SEC("uretprobe/PR_Write")
int probe_ret_SSL_write(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("nspr uretprobe/PR_Write pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char** buf =
Expand All @@ -151,13 +161,18 @@ SEC("uprobe/PR_Read")
int probe_entry_SSL_read(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("nspr uprobe/PR_Read pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char* buf = (const char*)PT_REGS_PARM2(ctx);
Expand All @@ -170,13 +185,18 @@ SEC("uretprobe/PR_Read")
int probe_ret_SSL_read(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("nspr uretprobe/PR_Read pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

const char** buf =
Expand Down
25 changes: 25 additions & 0 deletions kern/openssl_kern.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,12 +160,17 @@ SEC("uprobe/SSL_write")
int probe_entry_SSL_write(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif
debug_bpf_printk("openssl uprobe/SSL_write pid :%d\n", pid);

Expand Down Expand Up @@ -197,12 +202,17 @@ SEC("uretprobe/SSL_write")
int probe_ret_SSL_write(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif
debug_bpf_printk("openssl uretprobe/SSL_write pid :%d\n", pid);
struct active_ssl_buf* active_ssl_buf_t =
Expand All @@ -224,13 +234,18 @@ SEC("uprobe/SSL_read")
int probe_entry_SSL_read(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("openssl uprobe/SSL_read pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

void* ssl = (void*)PT_REGS_PARM1(ctx);
Expand Down Expand Up @@ -260,13 +275,18 @@ SEC("uretprobe/SSL_read")
int probe_ret_SSL_read(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;
debug_bpf_printk("openssl uretprobe/SSL_read pid :%d\n", pid);

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

struct active_ssl_buf* active_ssl_buf_t =
Expand All @@ -288,12 +308,17 @@ SEC("uprobe/connect")
int probe_connect(struct pt_regs* ctx) {
u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;
u64 current_uid_gid = bpf_get_current_uid_gid();
u32 uid = current_uid_gid >> 32;

#ifndef KERNEL_LESS_5_2
// if target_ppid is 0 then we target all pids
if (target_pid != 0 && target_pid != pid) {
return 0;
}
if (target_uid != 0 && target_uid != uid) {
return 0;
}
#endif

u32 fd = (u32)PT_REGS_PARM1(ctx);
Expand Down
11 changes: 11 additions & 0 deletions user/probe_openssl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,13 +93,24 @@ func (this *MOpenSSLProbe) constantEditor() []manager.ConstantEditor {
Value: uint64(this.conf.GetPid()),
//FailOnMissing: true,
},
{
Name: "target_uid",
Value: uint64(this.conf.GetUid()),
},
}

if this.conf.GetPid() <= 0 {
this.logger.Printf("target all process. \n")
} else {
this.logger.Printf("target PID:%d \n", this.conf.GetPid())
}

if this.conf.GetUid() <= 0 {
this.logger.Printf("target all users. \n")
} else {
this.logger.Printf("target UID:%d \n", this.conf.GetUid())
}

return editor
}

Expand Down