diff --git a/Dockerfile b/Dockerfile index 7998e49..032e960 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,12 @@ -FROM golang:1.20-alpine as builder +FROM golang:1.22.1-bullseye as builder WORKDIR /app COPY . ./ -RUN apk update && apk add gcc musl-dev +RUN apt update + ARG VERSION -RUN GOOS=linux go build -ldflags="-X 'github.com/ddosify/alaz/datastore.tag=$VERSION'" -o alaz +ENV GOCACHE=/root/.cache/go-build +RUN go mod tidy -v +RUN --mount=type=cache,target="/root/.cache/go-build" GOOS=linux go build -ldflags="-X 'github.com/ddosify/alaz/datastore.tag=$VERSION'" -o alaz FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3-1552 RUN microdnf update -y && microdnf install procps ca-certificates -y && microdnf clean all diff --git a/README.md b/README.md index d3ffa7d..6249734 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

alaz license - Anteon discord server + Anteon discord server alaz docker image

@@ -204,7 +204,7 @@ Contributions to Alaz are welcome! To contribute, please follow these steps: ## Communication -You can join our [Discord Server](https://discord.gg/9KdnrSUZQg) for issues, feature requests, feedbacks or anything else. +You can join our [Discord Server](https://discord.com/invite/9KdnrSUZQg) for issues, feature requests, feedbacks or anything else. ## License diff --git a/ebpf/c/bpf_bpfeb.o b/ebpf/c/bpf_bpfeb.o index 59b9203..88a06fb 100644 Binary files a/ebpf/c/bpf_bpfeb.o and b/ebpf/c/bpf_bpfeb.o differ diff --git a/ebpf/c/bpf_bpfel.o b/ebpf/c/bpf_bpfel.o index 2b994b8..a8b1662 100644 Binary files a/ebpf/c/bpf_bpfel.o and b/ebpf/c/bpf_bpfel.o differ diff --git a/ebpf/c/l7.c b/ebpf/c/l7.c index 5c7cbb4..d97f521 100644 --- a/ebpf/c/l7.c +++ b/ebpf/c/l7.c @@ -167,6 +167,16 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha __u64 timestamp = bpf_ktime_get_ns(); unsigned char func_name[] = "process_enter_of_syscalls_write_sendto"; __u64 id = bpf_get_current_pid_tgid(); + __u32 pid = id >> 32; + + #ifdef FILTER_OUT_NON_CONTAINER + __u8 *val = bpf_map_lookup_elem(&container_pids, &pid); + if (!val) + { + return 0; // not a container process, ignore + } + #endif + __u32 tid = id & 0xFFFFFFFF; __u32 seq = process_for_dist_trace_write(ctx,fd); @@ -250,15 +260,6 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha e->payload_read_complete = 1; } - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - return 0; // not a container process, ignore - } - #endif long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); if (r < 0) { @@ -306,8 +307,18 @@ int process_enter_of_syscalls_write_sendto(void* ctx, __u64 fd, __u8 is_tls, cha static __always_inline int process_enter_of_syscalls_read_recvfrom(void *ctx, struct read_enter_args * params) { unsigned char func_name[] = "process_enter_of_syscalls_read_recvfrom"; - // __u64 id = bpf_get_current_pid_tgid(); - + __u64 id = bpf_get_current_pid_tgid(); + __u32 pid = id >> 32; + #ifdef FILTER_OUT_NON_CONTAINER + __u8 *val = bpf_map_lookup_elem(&container_pids, &pid); + if (!val) + { + // unsigned char func_name[] = "process_enter_of_syscalls_read_recvfrom"; + // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; + // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); + return 0; // not a container process, ignore + } + #endif // struct socket_key k = {}; // k.pid = pid; // k.fd = fd; @@ -340,12 +351,21 @@ int process_enter_of_syscalls_read_recvfrom(void *ctx, struct read_enter_args * return 0; } - static __always_inline int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){ __u64 timestamp = bpf_ktime_get_ns(); __u64 id = bpf_get_current_pid_tgid(); - + __u32 pid = id >> 32; + #ifdef FILTER_OUT_NON_CONTAINER + __u8 *val = bpf_map_lookup_elem(&container_pids, &pid); + if (!val) + { + // unsigned char func_name[] = "process_exit_of_syscalls_write_sendto"; + // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; + // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); + return 0; // not a container process, ignore + } + #endif // we only used this func for amqp, others will only be in active_l7_requests // used active_writes for cases that only depends on writes, like amqp publish // + postgres statement close, terminate @@ -373,6 +393,7 @@ int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){ struct l7_event *e = bpf_map_lookup_elem(&l7_event_heap, &zero); if (!e) { bpf_map_delete_elem(&active_writes, &id); + bpf_map_delete_elem(&active_l7_requests, &k); return 0; } @@ -404,17 +425,6 @@ int process_exit_of_syscalls_write_sendto(void* ctx, __s64 ret){ e->seq = active_req->seq; e->tid = active_req->tid; - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char func_name[] = "process_exit_of_syscalls_write_sendto"; - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - return 0; // not a container process, ignore - } - #endif - bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); }else{ // write failed @@ -428,6 +438,17 @@ static __always_inline int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 ret, __u8 is_tls) { __u64 timestamp = bpf_ktime_get_ns(); unsigned char func_name[] = "process_exit_of_syscalls_read_recvfrom"; + #ifdef FILTER_OUT_NON_CONTAINER + __u8 *val = bpf_map_lookup_elem(&container_pids, &pid); + if (!val) + { + // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; + // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); + bpf_map_delete_elem(&active_reads, &id); + return 0; // not a container process, ignore + } + #endif + if (ret < 0) { // read failed // -ERRNO // __u64 id = bpf_get_current_pid_tgid(); @@ -459,8 +480,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 } - - // __u64 id = bpf_get_current_pid_tgid(); struct read_args *read_info = bpf_map_lookup_elem(&active_reads, &id); if (!read_info) { @@ -476,6 +495,7 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 int zero = 0; struct l7_event *e = bpf_map_lookup_elem(&l7_event_heap, &zero); if (!e) { + bpf_map_delete_elem(&active_l7_requests, &k); bpf_map_delete_elem(&active_reads, &id); return 0; } @@ -507,16 +527,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 bpf_map_delete_elem(&active_reads, &id); - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - return 0; // not a container process, ignore - } - #endif - bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); return 0; } @@ -544,23 +554,12 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 e->payload_read_complete = 1; } - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - - return 0; // not a container process, ignore - } - #endif - long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); if (r < 0) { unsigned char log_msg[] = "failed write to l7_events h2 -- res|fd|psize"; log_to_userspace(ctx, WARN, func_name, log_msg, r, e->fd, e->payload_size); } - bpf_map_delete_elem(&go_active_reads, &k); + bpf_map_delete_elem(&active_reads, &id); return 0; } @@ -600,6 +599,7 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 if (r < 0) { bpf_map_delete_elem(&active_reads, &id); + bpf_map_delete_elem(&active_l7_requests, &k); // TODO: check this line, should we delete the request here? return 0; } @@ -635,15 +635,6 @@ int process_exit_of_syscalls_read_recvfrom(void* ctx, __u64 id, __u32 pid, __s64 bpf_map_delete_elem(&active_reads, &id); bpf_map_delete_elem(&active_l7_requests, &k); - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - return 0; // not a container process, ignore - } - #endif long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); if (r < 0) { @@ -980,6 +971,17 @@ int process_enter_of_go_conn_write(void *ctx, __u32 pid, __u32 fd, char *buf_ptr __u64 timestamp = bpf_ktime_get_ns(); unsigned char func_name[] = "process_enter_of_go_conn_write"; // parse and write to go_active_l7_req map + #ifdef FILTER_OUT_NON_CONTAINER + __u8 *val = bpf_map_lookup_elem(&container_pids, &pid); + if (!val) + { + // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; + // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); + + return 0; // not a container process, ignore + } + #endif + struct go_req_key k = {}; k.pid = pid; k.fd = fd; @@ -1032,16 +1034,6 @@ int process_enter_of_go_conn_write(void *ctx, __u32 pid, __u32 fd, char *buf_ptr e->payload_read_complete = 1; } - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - - return 0; // not a container process, ignore - } - #endif long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); if (r < 0) { unsigned char log_msg[] = "failed write to l7_events -- res|fd|psize"; @@ -1165,6 +1157,20 @@ int BPF_UPROBE(go_tls_conn_read_exit) { unsigned char func_name[] = "go_tls_conn_read_exit"; // can't access to register we've access on read_enter here, // registers are changed. + __u64 id = bpf_get_current_pid_tgid(); + __u32 pid = id >> 32; + + #ifdef FILTER_OUT_NON_CONTAINER + __u8 *val = bpf_map_lookup_elem(&container_pids, &pid); + if (!val) + { + // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; + // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); + + return 0; // not a container process, ignore + } + #endif + long int ret = GO_PARAM1(ctx); struct go_read_key k = {}; @@ -1206,17 +1212,6 @@ int BPF_UPROBE(go_tls_conn_read_exit) { e->payload_size = ret; e->payload_read_complete = 1; } - - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - - return 0; // not a container process, ignore - } - #endif long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); if (r < 0) { @@ -1309,17 +1304,6 @@ int BPF_UPROBE(go_tls_conn_read_exit) { bpf_map_delete_elem(&go_active_reads, &k); bpf_map_delete_elem(&go_active_l7_requests, &req_k); - #ifdef FILTER_OUT_NON_CONTAINER - __u8 *val = bpf_map_lookup_elem(&container_pids, &(e->pid)); - if (!val) - { - // unsigned char log_msg[] = "filter out l7 event -- pid|fd|psize"; - // log_to_userspace(ctx, DEBUG, func_name, log_msg, e->pid, e->fd, 0); - - return 0; // not a container process, ignore - } - #endif - long r = bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, e, sizeof(*e)); if (r < 0) { unsigned char log_msg[] = "write failed to l7_events -- r|fd|method"; diff --git a/ebpf/c/tcp.c b/ebpf/c/tcp.c index 3a59321..0d85ce5 100644 --- a/ebpf/c/tcp.c +++ b/ebpf/c/tcp.c @@ -2,7 +2,7 @@ SEC("tracepoint/sock/inet_sock_set_state") int inet_sock_set_state(void *ctx) { - unsigned char func_name[] = "inet_sock_set_state"; + // unsigned char func_name[] = "inet_sock_set_state"; __u64 timestamp = bpf_ktime_get_ns(); struct trace_event_raw_inet_sock_set_state args = {}; if (bpf_core_read(&args, sizeof(args), ctx) < 0) @@ -130,9 +130,6 @@ int inet_sock_set_state(void *ctx) __u8 *val = bpf_map_lookup_elem(&container_pids, &e.pid); if (!val) { - unsigned char log_msg[] = "tcp connect event for plain second -- pid|fd|psize"; - log_to_userspace(ctx, DEBUG, func_name, log_msg, pid, 0, 0); - return 0; // not a container process, ignore } diff --git a/ebpf/headers/log.h b/ebpf/headers/log.h index 5b43fc5..b96b999 100644 --- a/ebpf/headers/log.h +++ b/ebpf/headers/log.h @@ -38,11 +38,25 @@ struct { __uint(max_entries, 1); } log_heap SEC(".maps"); +// use while development +// struct log_message l = {}; +// l.level = DEBUG; +// BPF_SNPRINTF(l.payload, sizeof(l.payload),"process_enter_of_syscalls_write_sendto %d %s\n", 1, "cakir"); +// log_to_trace_pipe(l.payload, sizeof(l.payload)); +static __always_inline +void log_to_trace_pipe(char *msg, __u32 size) { + long res = bpf_trace_printk(msg, size); + if(res < 0){ + bpf_printk("bpf_trace_printk failed %d\n", res); + } +} + static __always_inline void log_to_userspace(void *ctx, __u32 level, unsigned char *func_name, unsigned char * log_msg, __u64 arg1, __u64 arg2, __u64 arg3){ int zero = 0; struct log_message *l = bpf_map_lookup_elem(&log_heap, &zero); if (!l) { + bpf_printk("log_to_userspace failed, %s %s\n",func_name, log_msg); return; } @@ -57,15 +71,4 @@ void log_to_userspace(void *ctx, __u32 level, unsigned char *func_name, unsigned bpf_perf_event_output(ctx, &log_map, BPF_F_CURRENT_CPU, l, sizeof(*l)); } -// use while development -// struct log_message l = {}; -// l.level = DEBUG; -// BPF_SNPRINTF(l.payload, sizeof(l.payload),"process_enter_of_syscalls_write_sendto %d %s\n", 1, "cakir"); -// log_to_trace_pipe(l.payload, sizeof(l.payload)); -static __always_inline -void log_to_trace_pipe(const char *msg, __u32 size) { - long res = bpf_trace_printk(msg, size); - if(res < 0){ - bpf_printk("bpf_trace_printk failed %d\n", res); - } -} +