Commit graph

7 commits

Author SHA1 Message Date
Gustavo Iñiguez Goia
210e843aab
moved basic ebpf definitions to its own file
BPF_MAP_TYPE_PERCPU_ARRAY was introduced in kernel version 4.6, so with
latest changes to intercept processes we lost support for older kernels
< 4.6.

Now we work again for example on kernels 4.4.
2022-12-21 21:11:40 +01:00
Gustavo Iñiguez Goia
9e630d009d
ebpf: fixed loading modules on arm32 arch
Make use of kernel macros to decide for what architectures we compile
the modules.

On armv7l the connections module was failing due to iptunnel_xmit, so
exclude it from being compiled.

One can export ARCH=arm, ARCH=i386 or ARCH=arm64 to compile the modules
for these architectures, instead of having to edit the source files.
2022-12-13 23:59:54 +01:00
Gustavo Iñiguez Goia
72483bdcde improved process detection
latest changes to detect short-lived processes caused undesired
behaviour (#694)

Closes #685
2022-07-08 17:15:57 +02:00
Gustavo Iñiguez Goia
e7024e3fe0 ebpf: support for long paths
Added support to report absolute path to a binary up to 4096 characters,
defined here:

https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/limits.h#L13
2022-06-27 14:42:54 +02:00
Gustavo Iñiguez Goia
4ce8b0e57c ebpf: improved process detection/new events module
Improved process detections by monitoring new processes execution.
It allows us to know the path of a process before a socket is opened.

Closes #617

Other improvements:
 - If we fail to retrieve the path of a process, then we'll use the comm
   name of the connection/process.
 - Better kernel connections detection.
 - If debugfs is not loaded, we'll try to mount it, to allow to use
   eBPF monitor method.

Future work (help wanted):
 - Extract command line arguments from the kernel (sys_execve, or mm
   struct).
 - Monitor other functions (execveat, clone*, fork, etc).
 - Send these events to the server (GUI), and display all the commands
   an application has executed.
2022-06-24 01:09:45 +02:00
Gustavo Iñiguez Goia
0526b84309
Allow to intercept more kernel connections (#513)
* Allow to intercept some kernel connections

Some connections are initiated from kernel space, like WireGuard
VPNs (#454), NFS or SMB connections (#502) and ip tunnels (#500).

Note: This feature is complete for x86_64, WIP for aarch64, and not supported for armhf and i386
https://github.com/evilsocket/opensnitch/pull/513#issuecomment-924400824

More information regarding this change: #493
2021-09-23 01:44:12 +02:00
themighty1
9497cf8394
Use ebpf program to find PID of new connections. (#397)
* Use ebpf program to find PID of new connections.

    before running the branch you have to compile ebpf_prog/opensnitch.c
    opensnitch.c is an eBPF program. Compilation requires getting kernel source.

    cd opensnitch
    wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
    tar -xf v5.8.tar.gz
    patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
    cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf
    cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
    cd samples/bpf && make
    objdump -h opensnitch.o #you should see many sections, number 1 should be called kprobe/tcp_v4_connect
    llvm-strip -g opensnitch.o #remove debug info
    sudo cp opensnitch.o /etc/opensnitchd
    cd ../../../daemon

    --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/
    --start opensnitchd with:

    opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf

Co-authored-by: themighty1 <you@example.com>
Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 11:28:16 +02:00