mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

removed ftrace monitor method

Browse source 
deprecated, was not in use.
This commit is contained in:
Gustavo Iñiguez Goia 2023-01-20 15:38:39 +01:00
parent c35577053d
commit cf9ecb80d3
Failed to generate hash of commit
6 changed files with 6 additions and 178 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
daemon/go.mod
View file

@ -3,7 +3,6 @@ module github.com/evilsocket/opensnitch/daemon
go 1.14
require (
github.com/evilsocket/ftrace v1.2.0
github.com/fsnotify/fsnotify v1.4.7
github.com/golang/protobuf v1.5.0
github.com/google/gopacket v1.1.14

14
daemon/procmon/monitor/init.go
View file

@ -40,12 +40,6 @@ func End() {
audit.Stop()
} else if procmon.MethodIsEbpf() {
ebpf.Stop()
} else if procmon.MethodIsFtrace() {
go func() {
if err := procmon.Stop(); err != nil {
log.Warning("procmon.End() stop ftrace error: %v", err)
}
}()
}
}
@ -67,14 +61,6 @@ func Init() (err error) {
// It helps with the error "cannot write...kprobe_events: file exists".
ebpf.Stop()
log.Warning("error starting ebpf monitor method: %v", err)
} else if procmon.MethodIsFtrace() {
err = procmon.Start()
if err == nil {
log.Info("Process monitor method ftrace")
return nil
}
log.Warning("error starting ftrace monitor method: %v", err)
} else if procmon.MethodIsAudit() {
var auditConn net.Conn
auditConn, err = audit.Start()

10
daemon/procmon/parse.go
View file

@ -34,7 +34,6 @@ func getPIDFromAuditEvents(inode int, inodeKey string, expect string) (int, int)
// 1. Get the PID from the cache of Inodes.
// 2. Get the PID from the cache of PIDs.
// 3. Look for the PID using one of these methods:
// - ftrace: listening processes execs/exits from /sys/kernel/debug/tracing/
// - audit: listening for socket creation from auditd.
// - proc: search /proc
//
@ -65,15 +64,6 @@ func GetPIDFromINode(inode int, inodeKey string) int {
log.Debug("PID found via audit events: %v, position: %d", time.Since(start), pos)
return aPid
}
} else if MethodIsFtrace() && IsWatcherAvailable() {
forEachProcess(func(pid int, path string, args []string) bool {
if inodeFound("/proc/", expect, inodeKey, inode, pid) {
found = pid
return true
}
// keep looping
return false
})
}
if found == -1 || methodIsProc() {
found = lookupPidInProc("/proc/", expect, inodeKey, inode)

18
daemon/procmon/process.go
View file

@ -1,19 +1,21 @@
package procmon
import (
"sync"
"time"
)
var (
cacheMonitorsRunning = false
lock = sync.RWMutex{}
monitorMethod = MethodProc
)
// monitor method supported types
const (
MethodFtrace = "ftrace"
MethodProc = "proc"
MethodAudit = "audit"
MethodEbpf = "ebpf"
MethodProc = "proc"
MethodAudit = "audit"
MethodEbpf = "ebpf"
)
// man 5 proc; man procfs
@ -94,14 +96,6 @@ func MethodIsEbpf() bool {
return monitorMethod == MethodEbpf
}
// MethodIsFtrace returns if the process monitor method is eBPF.
func MethodIsFtrace() bool {
lock.RLock()
defer lock.RUnlock()
return monitorMethod == MethodFtrace
}
// MethodIsAudit returns if the process monitor method is eBPF.
func MethodIsAudit() bool {
lock.RLock()

136
daemon/procmon/watcher.go
View file

@ -1,136 +0,0 @@
package procmon
import (
"io/ioutil"
"strconv"
"sync"
"github.com/evilsocket/ftrace"
"github.com/evilsocket/opensnitch/daemon/log"
)
const (
probeName = "opensnitch_exec_probe"
syscallName = "do_execve"
)
type procData struct {
path string
args []string
}
var (
subEvents = []string{
"sched/sched_process_fork",
"sched/sched_process_exec",
"sched/sched_process_exit",
}
watcher = ftrace.NewProbe(probeName, syscallName, subEvents)
isAvailable = false
monitorMethod = MethodProc
index = make(map[int]*procData)
lock = sync.RWMutex{}
)
func forEachProcess(cb func(pid int, path string, args []string) bool) {
lock.RLock()
defer lock.RUnlock()
for pid, data := range index {
if cb(pid, data.path, data.args) == true {
break
}
}
}
func trackProcess(pid int) {
lock.Lock()
defer lock.Unlock()
if _, found := index[pid]; found == false {
index[pid] = &procData{}
}
}
func trackProcessArgs(e ftrace.Event) {
lock.Lock()
defer lock.Unlock()
if d, found := index[e.PID]; found == false {
index[e.PID] = &procData{
args: e.Argv(),
path: "",
}
} else {
d.args = e.Argv()
}
}
func trackProcessPath(e ftrace.Event) {
lock.Lock()
defer lock.Unlock()
if d, found := index[e.PID]; found == false {
index[e.PID] = &procData{
path: e.Args["filename"],
}
} else {
d.path = e.Args["filename"]
}
}
func trackProcessExit(e ftrace.Event) {
lock.Lock()
defer lock.Unlock()
delete(index, e.PID)
}
func eventConsumer() {
for event := range watcher.Events() {
if event.IsSyscall == true {
trackProcessArgs(event)
} else if _, ok := event.Args["filename"]; ok && event.Name == "sched_process_exec" {
trackProcessPath(event)
} else if event.Name == "sched_process_exit" {
trackProcessExit(event)
}
}
}
// Start enables the ftrace monitor method.
// This method configures a kprobe to intercept execve() syscalls.
// The kernel must have configured and enabled debugfs.
func Start() (err error) {
// start from a clean state
if err := watcher.Reset(); err != nil && watcher.Enabled() {
log.Warning("ftrace.Reset() error: %v", err)
}
if err = watcher.Enable(); err == nil {
isAvailable = true
go eventConsumer()
// track running processes
if ls, err := ioutil.ReadDir("/proc/"); err == nil {
for _, f := range ls {
if pid, err := strconv.Atoi(f.Name()); err == nil && f.IsDir() {
trackProcess(pid)
}
}
}
} else {
isAvailable = false
}
return
}
// Stop disables ftrace monitor method, removing configured kprobe.
func Stop() error {
isAvailable = false
return watcher.Disable()
}
// IsWatcherAvailable checks if ftrace (debugfs) is
func IsWatcherAvailable() bool {
return isAvailable
}

5
ui/opensnitch/res/preferences.ui
View file

@ -872,11 +872,6 @@
<string notr="true">audit</string>
</property>
</item>
<item>
<property name="text">
<string notr="true">ftrace</string>
</property>
</item>
</widget>
</item>
<item row="7" column="2">