opensnitch/daemon/procmon/watcher.go

package procmon

import (
	"io/ioutil"
	"strconv"
	"sync"

	"github.com/evilsocket/ftrace"
	"github.com/evilsocket/opensnitch/daemon/log"
)

const (
	probeName   = "opensnitch_exec_probe"
	syscallName = "do_execve"
)

type procData struct {
	path string
	args []string
}

var (
	subEvents = []string{
		"sched/sched_process_fork",
		"sched/sched_process_exec",
		"sched/sched_process_exit",
	}

	watcher       = ftrace.NewProbe(probeName, syscallName, subEvents)
	isAvailable   = false
	monitorMethod = MethodProc

	index = make(map[int]*procData)
	lock  = sync.RWMutex{}
)

func forEachProcess(cb func(pid int, path string, args []string) bool) {
	lock.RLock()
	defer lock.RUnlock()

	for pid, data := range index {
		if cb(pid, data.path, data.args) == true {
			break
		}
	}
}

func trackProcess(pid int) {
	lock.Lock()
	defer lock.Unlock()
	if _, found := index[pid]; found == false {
		index[pid] = &procData{}
	}
}

func trackProcessArgs(e ftrace.Event) {
	lock.Lock()
	defer lock.Unlock()

	if d, found := index[e.PID]; found == false {
		index[e.PID] = &procData{
			args: e.Argv(),
			path: "",
		}
	} else {
		d.args = e.Argv()
	}
}

func trackProcessPath(e ftrace.Event) {
	lock.Lock()
	defer lock.Unlock()
	if d, found := index[e.PID]; found == false {
		index[e.PID] = &procData{
			path: e.Args["filename"],
		}
	} else {
		d.path = e.Args["filename"]
	}
}

func trackProcessExit(e ftrace.Event) {
	lock.Lock()
	defer lock.Unlock()
	delete(index, e.PID)
}

func eventConsumer() {
	for event := range watcher.Events() {
		if event.IsSyscall == true {
			trackProcessArgs(event)
		} else if _, ok := event.Args["filename"]; ok && event.Name == "sched_process_exec" {
			trackProcessPath(event)
		} else if event.Name == "sched_process_exit" {
			trackProcessExit(event)
		}
	}
}

// Start enables the ftrace monitor method.
// This method configures a kprobe to intercept execve() syscalls.
// The kernel must have configured and enabled debugfs.
func Start() (err error) {
	// start from a clean state
	if err := watcher.Reset(); err != nil && watcher.Enabled() {
		log.Warning("ftrace.Reset() error: %v", err)
	}

	if err = watcher.Enable(); err == nil {
		isAvailable = true

		go eventConsumer()
		// track running processes
		if ls, err := ioutil.ReadDir("/proc/"); err == nil {
			for _, f := range ls {
				if pid, err := strconv.Atoi(f.Name()); err == nil && f.IsDir() {
					trackProcess(pid)
				}
			}
		}
	} else {
		isAvailable = false
	}
	return
}

// Stop disables ftrace monitor method, removing configured kprobe.
func Stop() error {
	isAvailable = false
	return watcher.Disable()
}

// IsWatcherAvailable checks if ftrace (debugfs) is
func IsWatcherAvailable() bool {
	return isAvailable
}
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`package procmon`

			`import (`
			`"io/ioutil"`
			`"strconv"`
			`"sync"`

			`"github.com/evilsocket/ftrace"`
updated import paths 2020-12-09 18:18:42 +01:00			`"github.com/evilsocket/opensnitch/daemon/log"`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`)`

			`const (`
			`probeName = "opensnitch_exec_probe"`
Update probed function sys_execve to do_execve 2018-08-12 13:02:33 -07:00			`syscallName = "do_execve"`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`)`

			`type procData struct {`
			`path string`
			`args []string`
			`}`

			`var (`
			`subEvents = []string{`
			`"sched/sched_process_fork",`
			`"sched/sched_process_exec",`
			`"sched/sched_process_exit",`
			`}`

Added new processes monitor method: audit Use auditd events to keep a list of PIDs which open sockets, reading them from the audisp af_unix plugin. - Install auditd and audisp-plugins - Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes) - Start opensnitch with -process-monitor-method audit. If the choosen method is audit but it's not active or not installed, it'll fallback to /proc anyway. If it's properly configured, a debug trace will be written to the logs: "PID found via audit events ..." 2020-03-03 23:51:25 +01:00			`watcher = ftrace.NewProbe(probeName, syscallName, subEvents)`
			`isAvailable = false`
fixed race conditions setting log level and monitor methods 2020-06-14 20:14:24 +02:00			`monitorMethod = MethodProc`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00
			`index = make(map[int]*procData)`
			`lock = sync.RWMutex{}`
			`)`

			`func forEachProcess(cb func(pid int, path string, args []string) bool) {`
			`lock.RLock()`
			`defer lock.RUnlock()`

			`for pid, data := range index {`
			`if cb(pid, data.path, data.args) == true {`
			`break`
			`}`
			`}`
			`}`

			`func trackProcess(pid int) {`
			`lock.Lock()`
			`defer lock.Unlock()`
			`if _, found := index[pid]; found == false {`
			`index[pid] = &procData{}`
			`}`
			`}`

			`func trackProcessArgs(e ftrace.Event) {`
			`lock.Lock()`
			`defer lock.Unlock()`

			`if d, found := index[e.PID]; found == false {`
			`index[e.PID] = &procData{`
			`args: e.Argv(),`
			`path: "",`
			`}`
			`} else {`
			`d.args = e.Argv()`
			`}`
			`}`

			`func trackProcessPath(e ftrace.Event) {`
			`lock.Lock()`
			`defer lock.Unlock()`
			`if d, found := index[e.PID]; found == false {`
			`index[e.PID] = &procData{`
			`path: e.Args["filename"],`
			`}`
			`} else {`
			`d.path = e.Args["filename"]`
			`}`
			`}`

			`func trackProcessExit(e ftrace.Event) {`
			`lock.Lock()`
			`defer lock.Unlock()`
			`delete(index, e.PID)`
			`}`

			`func eventConsumer() {`
			`for event := range watcher.Events() {`
			`if event.IsSyscall == true {`
			`trackProcessArgs(event)`
			`} else if _, ok := event.Args["filename"]; ok && event.Name == "sched_process_exec" {`
			`trackProcessPath(event)`
			`} else if event.Name == "sched_process_exit" {`
			`trackProcessExit(event)`
			`}`
			`}`
			`}`

ftrace: report if Reset() has failed + added funcs comments 2020-10-24 19:15:42 +02:00			`// Start enables the ftrace monitor method.`
			`// This method configures a kprobe to intercept execve() syscalls.`
			`// The kernel must have configured and enabled debugfs.`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`func Start() (err error) {`
fix: calling ftrace probe Reset in order to start from a clean state (fixes #159) 2018-04-18 02:00:12 +02:00			`// start from a clean state`
ftrace: report if Reset() has failed + added funcs comments 2020-10-24 19:15:42 +02:00			`if err := watcher.Reset(); err != nil && watcher.Enabled() {`
			`log.Warning("ftrace.Reset() error: %v", err)`
			`}`
fix: calling ftrace probe Reset in order to start from a clean state (fixes #159) 2018-04-18 02:00:12 +02:00
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`if err = watcher.Enable(); err == nil {`
Find pid of a process in /proc if debugfs is unavailable debugfs is not always available due to different reasons: https://github.com/evilsocket/opensnitch/issues/214 https://github.com/evilsocket/opensnitch/issues/276 Fallback to /proc parsing, although procfs could also be not available. Easily testable by unmounting debugfs (umount debugfs) and launch opensnitchd. It should work as expected. 2020-02-13 23:08:58 +01:00			`isAvailable = true`

using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`go eventConsumer()`
			`// track running processes`
			`if ls, err := ioutil.ReadDir("/proc/"); err == nil {`
			`for _, f := range ls {`
			`if pid, err := strconv.Atoi(f.Name()); err == nil && f.IsDir() {`
			`trackProcess(pid)`
			`}`
			`}`
			`}`
ftrace: report if Reset() has failed + added funcs comments 2020-10-24 19:15:42 +02:00			`} else {`
			`isAvailable = false`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`}`
			`return`
			`}`

ftrace: report if Reset() has failed + added funcs comments 2020-10-24 19:15:42 +02:00			`// Stop disables ftrace monitor method, removing configured kprobe.`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`func Stop() error {`
Find pid of a process in /proc if debugfs is unavailable debugfs is not always available due to different reasons: https://github.com/evilsocket/opensnitch/issues/214 https://github.com/evilsocket/opensnitch/issues/276 Fallback to /proc parsing, although procfs could also be not available. Easily testable by unmounting debugfs (umount debugfs) and launch opensnitchd. It should work as expected. 2020-02-13 23:08:58 +01:00			`isAvailable = false`
using ftrace in order to track pids in realtime 2018-04-17 18:08:03 +02:00			`return watcher.Disable()`
			`}`
Find pid of a process in /proc if debugfs is unavailable debugfs is not always available due to different reasons: https://github.com/evilsocket/opensnitch/issues/214 https://github.com/evilsocket/opensnitch/issues/276 Fallback to /proc parsing, although procfs could also be not available. Easily testable by unmounting debugfs (umount debugfs) and launch opensnitchd. It should work as expected. 2020-02-13 23:08:58 +01:00
ftrace: report if Reset() has failed + added funcs comments 2020-10-24 19:15:42 +02:00			`// IsWatcherAvailable checks if ftrace (debugfs) is`
Find pid of a process in /proc if debugfs is unavailable debugfs is not always available due to different reasons: https://github.com/evilsocket/opensnitch/issues/214 https://github.com/evilsocket/opensnitch/issues/276 Fallback to /proc parsing, although procfs could also be not available. Easily testable by unmounting debugfs (umount debugfs) and launch opensnitchd. It should work as expected. 2020-02-13 23:08:58 +01:00			`func IsWatcherAvailable() bool {`
			`return isAvailable`
			`}`