mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/ebpf_prog/README
Gustavo Iñiguez Goia 63e996d7bb
ebpf: new way of compiling the modules 
- Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf
  headers.
  The bpf_map_def struct has been deprecated for quite some time now,
  and it was been removed on >= 6.2 anyway.
  We still need it, because we use gobpf.
- Improved compilation behaviour:
  - We don't require the kernel sources anymore. We can just use the
    kernel headers from the distribution.
  - There's no need to copy the sources to the kernel tree, the modules
    can be compiled from the ebpf_prog/ dir.
- Compiling against kernels 6.x seems to solve the problem we had with
  VPNs, where connections were not intercepted with modules compiled
  against 5.8, on kernels >= 5.19.

The modules has been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and
6.2 (kernel connections included).
2023-06-07 01:23:01 +02:00

62 lines
2 KiB
Text
Raw Permalink Blame History

The basic steps to compile the modules are:
sudo apt install clang llvm linux-headers-amd64 libelf-dev libzip-dev flex bison libssl-dev bc rsync python3
cd opensnitch/ebpf_prog/
make
objdump -h opensnitch.o # you should see many sections, number 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch*.o # remove debug info
sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for < v1.6.x
cd ../../../daemon
Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under:
/usr/local/lib/opensnitchd/ebpf/
/usr/lib/opensnitchd/ebpf/
/etc/opensnitchd/ # deprecated, only on < v1.5.x
start opensnitchd with:
opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
---
### Compiling for Fedora (and others rpm based systems)
You need to install the kernel-devel, clang and llvm packages.
Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/`
(or just pass the kernel version you want)
### Notes
The kernel where you intend to run it must have some options activated:
$ grep BPF /boot/config-$(uname -r)
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_EVENTS=y
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=y
For the opensnitch-procs.o module to work, this option must be enabled:
$ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
CONFIG_FTRACE_SYSCALLS=y
(https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)
Also, in some distributions debugfs is not mounted automatically.
Since v1.6.0 we try to mount it automatically. If you're running
a lower version so you'll need to mount it manually:
$ sudo mount -t debugfs none /sys/kernel/debug
In order to make it permanent add it to /etc/fstab:
debugfs /sys/kernel/debug debugfs defaults 0 0
opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5,
bpf_probe_read_user*() were added on that kernel on:
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers
Reference in a new issue View git blame Copy permalink