removed ftrace monitor method

deprecated, was not in use.

daemon/go.mod

@@ -3,7 +3,6 @@ module github.com/evilsocket/opensnitch/daemon
 go 1.14
 
 require (
-	github.com/evilsocket/ftrace v1.2.0
 	github.com/fsnotify/fsnotify v1.4.7
 	github.com/golang/protobuf v1.5.0
 	github.com/google/gopacket v1.1.14

daemon/procmon/monitor/init.go

@@ -40,12 +40,6 @@ func End() {
 		audit.Stop()
 	} else if procmon.MethodIsEbpf() {
 		ebpf.Stop()
-	} else if procmon.MethodIsFtrace() {
-		go func() {
-			if err := procmon.Stop(); err != nil {
-				log.Warning("procmon.End() stop ftrace error: %v", err)
-			}
-		}()
 	}
 }
 
@@ -67,14 +61,6 @@ func Init() (err error) {
 		// It helps with the error "cannot write...kprobe_events: file exists".
 		ebpf.Stop()
 		log.Warning("error starting ebpf monitor method: %v", err)
-	} else if procmon.MethodIsFtrace() {
-		err = procmon.Start()
-		if err == nil {
-			log.Info("Process monitor method ftrace")
-			return nil
-		}
-		log.Warning("error starting ftrace monitor method: %v", err)
-
 	} else if procmon.MethodIsAudit() {
 		var auditConn net.Conn
 		auditConn, err = audit.Start()

daemon/procmon/parse.go

@@ -34,7 +34,6 @@ func getPIDFromAuditEvents(inode int, inodeKey string, expect string) (int, int)
 // 1. Get the PID from the cache of Inodes.
 // 2. Get the PID from the cache of PIDs.
 // 3. Look for the PID using one of these methods:
-//    - ftrace: listening processes execs/exits from /sys/kernel/debug/tracing/
 //    - audit:  listening for socket creation from auditd.
 //    - proc:   search /proc
 //
@@ -65,15 +64,6 @@ func GetPIDFromINode(inode int, inodeKey string) int {
 			log.Debug("PID found via audit events: %v, position: %d", time.Since(start), pos)
 			return aPid
 		}
-	} else if MethodIsFtrace() && IsWatcherAvailable() {
-		forEachProcess(func(pid int, path string, args []string) bool {
-			if inodeFound("/proc/", expect, inodeKey, inode, pid) {
-				found = pid
-				return true
-			}
-			// keep looping
-			return false
-		})
 	}
 	if found == -1 || methodIsProc() {
 		found = lookupPidInProc("/proc/", expect, inodeKey, inode)

daemon/procmon/process.go

@@ -1,16 +1,18 @@
 package procmon
 
 import (
+	"sync"
 	"time"
 )
 
 var (
 	cacheMonitorsRunning = false
+	lock                 = sync.RWMutex{}
+	monitorMethod        = MethodProc
 )
 
 // monitor method supported types
 const (
-	MethodFtrace = "ftrace"
 	MethodProc  = "proc"
 	MethodAudit = "audit"
 	MethodEbpf  = "ebpf"
@@ -94,14 +96,6 @@ func MethodIsEbpf() bool {
 	return monitorMethod == MethodEbpf
 }
 
-// MethodIsFtrace returns if the process monitor method is eBPF.
-func MethodIsFtrace() bool {
-	lock.RLock()
-	defer lock.RUnlock()
-
-	return monitorMethod == MethodFtrace
-}
-
 // MethodIsAudit returns if the process monitor method is eBPF.
 func MethodIsAudit() bool {
 	lock.RLock()

daemon/procmon/watcher.go

@@ -1,136 +0,0 @@
-package procmon
-
-import (
-	"io/ioutil"
-	"strconv"
-	"sync"
-
-	"github.com/evilsocket/ftrace"
-	"github.com/evilsocket/opensnitch/daemon/log"
-)
-
-const (
-	probeName   = "opensnitch_exec_probe"
-	syscallName = "do_execve"
-)
-
-type procData struct {
-	path string
-	args []string
-}
-
-var (
-	subEvents = []string{
-		"sched/sched_process_fork",
-		"sched/sched_process_exec",
-		"sched/sched_process_exit",
-	}
-
-	watcher       = ftrace.NewProbe(probeName, syscallName, subEvents)
-	isAvailable   = false
-	monitorMethod = MethodProc
-
-	index = make(map[int]*procData)
-	lock  = sync.RWMutex{}
-)
-
-func forEachProcess(cb func(pid int, path string, args []string) bool) {
-	lock.RLock()
-	defer lock.RUnlock()
-
-	for pid, data := range index {
-		if cb(pid, data.path, data.args) == true {
-			break
-		}
-	}
-}
-
-func trackProcess(pid int) {
-	lock.Lock()
-	defer lock.Unlock()
-	if _, found := index[pid]; found == false {
-		index[pid] = &procData{}
-	}
-}
-
-func trackProcessArgs(e ftrace.Event) {
-	lock.Lock()
-	defer lock.Unlock()
-
-	if d, found := index[e.PID]; found == false {
-		index[e.PID] = &procData{
-			args: e.Argv(),
-			path: "",
-		}
-	} else {
-		d.args = e.Argv()
-	}
-}
-
-func trackProcessPath(e ftrace.Event) {
-	lock.Lock()
-	defer lock.Unlock()
-	if d, found := index[e.PID]; found == false {
-		index[e.PID] = &procData{
-			path: e.Args["filename"],
-		}
-	} else {
-		d.path = e.Args["filename"]
-	}
-}
-
-func trackProcessExit(e ftrace.Event) {
-	lock.Lock()
-	defer lock.Unlock()
-	delete(index, e.PID)
-}
-
-func eventConsumer() {
-	for event := range watcher.Events() {
-		if event.IsSyscall == true {
-			trackProcessArgs(event)
-		} else if _, ok := event.Args["filename"]; ok && event.Name == "sched_process_exec" {
-			trackProcessPath(event)
-		} else if event.Name == "sched_process_exit" {
-			trackProcessExit(event)
-		}
-	}
-}
-
-// Start enables the ftrace monitor method.
-// This method configures a kprobe to intercept execve() syscalls.
-// The kernel must have configured and enabled debugfs.
-func Start() (err error) {
-	// start from a clean state
-	if err := watcher.Reset(); err != nil && watcher.Enabled() {
-		log.Warning("ftrace.Reset() error: %v", err)
-	}
-
-	if err = watcher.Enable(); err == nil {
-		isAvailable = true
-
-		go eventConsumer()
-		// track running processes
-		if ls, err := ioutil.ReadDir("/proc/"); err == nil {
-			for _, f := range ls {
-				if pid, err := strconv.Atoi(f.Name()); err == nil && f.IsDir() {
-					trackProcess(pid)
-				}
-			}
-		}
-	} else {
-		isAvailable = false
-	}
-	return
-}
-
-// Stop disables ftrace monitor method, removing configured kprobe.
-func Stop() error {
-	isAvailable = false
-	return watcher.Disable()
-}
-
-// IsWatcherAvailable checks if ftrace (debugfs) is
-func IsWatcherAvailable() bool {
-	return isAvailable
-}

ui/opensnitch/res/preferences.ui

@@ -872,11 +872,6 @@
            <string notr="true">audit</string>
           </property>
          </item>
-         <item>
-          <property name="text">
-           <string notr="true">ftrace</string>
-          </property>
-         </item>
         </widget>
        </item>
        <item row="7" column="2">