Mirror of https://github.com/evilsocket/opensnitch.git, synced 2025-03-04 00:24:40 +01:00
Latest commit: The `arch` command is deprecated on modern systems, and indeed, many distros do not provide it (one of those being Arch Linux, ironically). Since `uname` is already used in the Makefile, prefer its `-m` flag equivalent instead.
Contents of ebpf_prog/:

- bpf_headers/ (directory)
- arm-clang-asm-fix.patch
- common_defs.h
- Makefile
- opensnitch.c
- README
- vmlinux-6.1.0-8.h
The basic steps to compile the modules are:

```
sudo apt install clang llvm linux-headers-amd64 libelf-dev libzip-dev flex bison libssl-dev bc rsync python3
cd opensnitch/ebpf_prog/
make
objdump -h opensnitch.o        # you should see many sections; section 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch*.o    # remove debug info
sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/    # or /etc/opensnitchd/ for daemons < v1.6.0
cd ../daemon                   # back to the daemon sources
```

Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under one of:

```
/usr/local/lib/opensnitchd/ebpf/
/usr/lib/opensnitchd/ebpf/
/etc/opensnitchd/    # deprecated, only used by daemons < v1.6.0
```

Start opensnitchd with:

```
opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
```

---

### Compiling for Fedora (and other rpm based systems)

You need to install the kernel-devel, clang and llvm packages. Then:

```
cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/
```

(or pass the source directory of whichever kernel version you want to build against).

### Notes

The kernel where you intend to run it must have these options enabled (the grep below prints other BPF/kprobe options as well; the ones that must be `=y` are these):

```
$ grep -E 'BPF|KPROBE' /boot/config-$(uname -r)
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_EVENTS=y
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=y
```

For the opensnitch-procs.o module to work, this option must also be enabled:

```
$ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
CONFIG_FTRACE_SYSCALLS=y
```

(see https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)

Also, in some distributions debugfs is not mounted automatically. Since v1.6.0 the daemon tries to mount it itself; if you are running an older version you need to mount it manually:

```
$ sudo mount -t debugfs none /sys/kernel/debug
```

To make it permanent, add it to /etc/fstab:

```
debugfs /sys/kernel/debug debugfs defaults 0 0
```

opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5, because the bpf_probe_read_user*() helpers they rely on were added in that release: https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers
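The build, install and kernel requirements above are easy to get wrong one at a time (a missing `CONFIG_*` option, an object copied to the path an older daemon does not search, a kernel too old for the procs/dns modules). The following pre-flight script is an added example written for this page, not part of the opensnitch project: it checks the kernel config options the README lists, the 5.5 kernel floor, whether debugfs is mounted, and whether a built `opensnitch.o` carries the `kprobe/tcp_v4_connect` section. The sample kernel config it writes is constructed for the demonstration, not copied from any real kernel; the function names and the `run` argument are this script's own.

```shell
#!/bin/sh
# Pre-flight check before building/installing the opensnitch eBPF modules.
# Added example for this README, not opensnitch project code; it only reads files.
# Usage: sh preflight.sh run   (from ebpf_prog/, after "make" for the object check)

# Options the README lists for the kprobe-based modules.
BPF_OPTS="CONFIG_CGROUP_BPF CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_KPROBES CONFIG_KPROBE_EVENTS"
# Extra option that opensnitch-procs.o (syscall tracepoints) needs.
PROCS_OPTS="CONFIG_FTRACE_SYSCALLS"

# check_config <config-file> <CONFIG_OPT>...
# Prints each option that is not "=y" ("=m" and "# ... is not set" both count as
# missing); returns 1 if any is missing, 0 if all are present.
check_config() {
    cfg="$1"; shift
    rc=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=y\$" "$cfg" 2>/dev/null; then
            echo "missing: ${opt}=y"
            rc=1
        fi
    done
    return $rc
}

# version_at_least <version-string> <major> <minor>
# True if "6.1.0-8-amd64", "5.5.0-rc1", "1.6.2" ... is >= major.minor. Used for
# the kernel (bpf_probe_read_user*() needs >= 5.5) and for the daemon (the module
# search path changed in v1.6.0).
version_at_least() {
    ver="$1"; want_major="$2"; want_minor="$3"
    major=${ver%%.*}; major=${major%%[!0-9]*}
    rest=${ver#*.};   minor=${rest%%[!0-9]*}
    [ "${major:-0}" -gt "$want_major" ] ||
        { [ "${major:-0}" -eq "$want_major" ] && [ "${minor:-0}" -ge "$want_minor" ]; }
}

# module_dir <daemon-version>: where to copy opensnitch*.o for that daemon.
module_dir() {
    if version_at_least "$1" 1 6; then
        echo /usr/lib/opensnitchd/ebpf/
    else
        echo /etc/opensnitchd/      # deprecated location, daemons < v1.6.0
    fi
}

# debugfs_mounted: kprobes are attached through debugfs, which daemons < v1.6.0
# do not mount themselves.
debugfs_mounted() {
    grep -q ' /sys/kernel/debug debugfs ' /proc/mounts 2>/dev/null
}

# object_has_section <file.o> <section>: the README's objdump step as a test,
# e.g. kprobe/tcp_v4_connect in opensnitch.o.
object_has_section() {
    objdump -h "$1" 2>/dev/null | grep -q " $2 "
}

# write_sample_config <path>: a constructed kernel config (not from any real
# kernel) with the BPF/kprobe options on and FTRACE_SYSCALLS off, so the checks
# can be exercised on a machine that has no /boot/config-*.
write_sample_config() {
    printf '%s\n' \
        'CONFIG_CGROUP_BPF=y' 'CONFIG_BPF=y' 'CONFIG_BPF_SYSCALL=y' \
        'CONFIG_BPF_JIT=y' 'CONFIG_BPF_EVENTS=y' \
        'CONFIG_KPROBES=y' 'CONFIG_KPROBE_EVENTS=y' \
        '# CONFIG_FTRACE_SYSCALLS is not set' > "$1"
}

# preflight: run every check against the running kernel; returns 1 if the
# options the base module needs are missing or opensnitch.o lacks its section.
preflight() {
    krel=$(uname -r); cfg="/boot/config-$krel"; rc=0
    echo "kernel $krel, config $cfg"
    check_config "$cfg" $BPF_OPTS || rc=1
    check_config "$cfg" $PROCS_OPTS || echo "  -> opensnitch-procs.o will not work on this kernel"
    if version_at_least "$krel" 5 5; then
        echo "kernel >= 5.5: opensnitch-procs.o and opensnitch-dns.o are usable"
    else
        echo "kernel < 5.5: only opensnitch.o is usable"
    fi
    debugfs_mounted || echo "debugfs not mounted: sudo mount -t debugfs none /sys/kernel/debug"
    if [ -f opensnitch.o ]; then
        if object_has_section opensnitch.o kprobe/tcp_v4_connect; then
            echo "opensnitch.o: kprobe/tcp_v4_connect section present"
        else
            echo "opensnitch.o: kprobe/tcp_v4_connect section missing"; rc=1
        fi
    fi
    return $rc
}

if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh run` on the target machine before `make` and again after, so the object check sees the freshly built `opensnitch.o`; a non-zero exit means the base module cannot load on that kernel regardless of how it was built.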