opensnitch/ebpf_prog
Gustavo Iñiguez Goia 63a3b4e446
ebpf improvements
- changed formatting.
- extract source IPs from UDP packets from ancillary messages.
- hook inet_dgram_connect to solve intercepting some apps (parsec).
- remove debugging / unused code.

More info on these changes:
fbdef1673d
20a03e11fe
f44d3e896b
93d1cefbc2

Closes: #1246.
2025-01-21 23:57:01 +01:00
| File | Last commit | Date |
|---|---|---|
| bpf_headers | ebpf: new way of compiling the modules | 2023-05-17 01:20:53 +02:00 |
| arm-clang-asm-fix.patch | ebpf: added patch to compile ebpf module for arm | 2021-04-21 20:49:31 +02:00 |
| common.h | ebpf: fixed getting ppid, skip failed execve's | 2023-12-26 14:04:19 +01:00 |
| common_defs.h | ebpf: new way of compiling the modules | 2023-05-17 01:20:53 +02:00 |
| Makefile | ebpf_prog/Makefile: removed useless LLVM_STRIP | 2024-09-13 19:28:18 +02:00 |
| opensnitch-dns.c | ebpf,dns: initialized structs | 2024-01-26 20:50:50 +01:00 |
| opensnitch-procs.c | ebpf: performance improvement for opensnitch-procs | 2024-04-29 01:06:39 +02:00 |
| opensnitch.c | ebpf improvements | 2025-01-21 23:57:01 +01:00 |
| README | Updated ebpf compilation instructions | 2024-02-06 00:30:44 +01:00 |

Compiling the modules currently requires the kernel sources.

There's a helper script to automate this process:
 https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh

 (example to compile the modules for kernel 6.0: bash build_modules.sh 6.0)

---

The basic steps to manually compile the modules are:

  sudo apt install -y wget flex bison ca-certificates python3 rsync bc libssl-dev clang llvm libelf-dev libzip-dev git libpcap-dev
  cd opensnitch
  wget https://github.com/torvalds/linux/archive/v6.0.tar.gz
  tar -xf v6.0.tar.gz
  cd linux-6.0 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
  cd ../ebpf_prog/
  make KERNEL_DIR=../linux-6.0/ KERNEL_HEADERS=../linux-6.0/
  objdump -h opensnitch.o # you should see many sections; section index 1 should be called kprobe/tcp_v4_connect
  llvm-strip -g opensnitch*.o # remove debug info
  sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for versions < v1.6.0

Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under:
 /usr/local/lib/opensnitchd/ebpf/
 /usr/lib/opensnitchd/ebpf/
 /etc/opensnitchd/ # deprecated, only used by versions < v1.6.0

Start opensnitchd with the eBPF process monitor enabled:

  opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf

---

### Compiling for Fedora (and others rpm based systems)

You need to install the kernel-devel, clang and llvm packages.

Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/`

(or, instead of $(uname -r), pass the directory of whichever installed kernel-devel version you want to build against)

### Notes

The kernel where you intend to run the modules must have been built with these options enabled:

 $ grep BPF /boot/config-$(uname -r)
  CONFIG_CGROUP_BPF=y
  CONFIG_BPF=y
  CONFIG_BPF_SYSCALL=y
  CONFIG_BPF_EVENTS=y
  CONFIG_KPROBES=y
  CONFIG_KPROBE_EVENTS=y

For the opensnitch-procs.o module to work, this option must be enabled:

 $ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
  CONFIG_FTRACE_SYSCALLS=y

(https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)

Also, in some distributions debugfs is not mounted automatically.
Since v1.6.0 opensnitchd tries to mount it automatically. If you're running
an older version, you'll need to mount it manually:

 $ sudo mount -t debugfs none /sys/kernel/debug

In order to make it permanent add it to /etc/fstab:

debugfs    /sys/kernel/debug      debugfs  defaults  0 0


opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5,
because the bpf_probe_read_user*() helpers they use were added in that release; see:
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers
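The notes above amount to a handful of checks a practitioner runs before blaming a module that will not load: the kernel config options, the kernel version floor for opensnitch-procs.o / opensnitch-dns.o, the debugfs mount, and the objdump section check from the manual build steps. The script below bundles them as a preflight check. It is an added example, not part of the opensnitch project. It assumes the kernel config is readable from /boot/config-$(uname -r) or /proc/config.gz, that the modules live under the two paths listed earlier, and that `objdump -h` prints one section per line with the index followed by the name; every check takes its input as a file so it can be exercised against constructed data.

```shell
#!/bin/sh
# Preflight checks for opensnitchd's eBPF modules. Added example, not
# opensnitch project code. Run with --run to check the live system.

# Options opensnitch.o needs, plus CONFIG_FTRACE_SYSCALLS for
# opensnitch-procs.o (the list from the Notes section above).
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_CGROUP_BPF CONFIG_KPROBES CONFIG_KPROBE_EVENTS CONFIG_FTRACE_SYSCALLS"

# check_kernel_config FILE
# FILE is a plain-text kernel config. Prints every required option that
# is not built in (=y) and returns 1 if any is missing, 0 otherwise.
check_kernel_config() {
    config="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^${opt}=y$" "$config"; then
            echo "missing: ${opt}=y"
            missing=1
        fi
    done
    return $missing
}

# kernel_at_least MAJOR.MINOR RELEASE
# Returns 0 when RELEASE (e.g. "6.1.0-18-amd64") is >= MAJOR.MINOR.
# Only the first two numeric components are compared.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}
    rel_major=${2%%.*}
    rest=${2#*.}
    rel_minor=${rest%%[!0-9]*}
    [ "$rel_major" -gt "$want_major" ] ||
        { [ "$rel_major" -eq "$want_major" ] && [ "$rel_minor" -ge "$want_minor" ]; }
}

# debugfs_mounted FILE
# FILE has the format of /proc/mounts. Returns 0 if a debugfs instance
# is mounted on /sys/kernel/debug.
debugfs_mounted() {
    grep -q '^[^ ]* /sys/kernel/debug debugfs ' "$1"
}

# module_has_section SECTION FILE
# FILE holds the output of `objdump -h opensnitch.o`. Returns 0 when the
# named ELF section (e.g. kprobe/tcp_v4_connect) is listed.
module_has_section() {
    grep -q "^ *[0-9][0-9]* ${1} " "$2"
}

# Check the running system; exit status 1 if anything is off.
main() {
    release=$(uname -r)
    config="/boot/config-${release}"
    if [ ! -r "$config" ] && [ -r /proc/config.gz ]; then
        config=$(mktemp)
        zcat /proc/config.gz > "$config"
    fi
    status=0
    check_kernel_config "$config" || status=1
    kernel_at_least 5.5 "$release" || {
        echo "kernel ${release} is older than 5.5: opensnitch-procs.o and opensnitch-dns.o will not load"
        status=1
    }
    debugfs_mounted /proc/mounts || {
        echo "debugfs is not mounted on /sys/kernel/debug (opensnitchd < v1.6.0 will not mount it for you)"
        status=1
    }
    for mod in /usr/local/lib/opensnitchd/ebpf/opensnitch.o /usr/lib/opensnitchd/ebpf/opensnitch.o; do
        [ -r "$mod" ] || continue
        sections=$(mktemp)
        objdump -h "$mod" > "$sections"
        module_has_section kprobe/tcp_v4_connect "$sections" || {
            echo "$mod: no kprobe/tcp_v4_connect section, probably a broken build"
            status=1
        }
        rm -f "$sections"
    done
    return $status
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Each check is a separate function reading a file so the same script can be pointed at a config, mounts table or objdump listing copied from another machine; `sh preflight.sh --run` checks the host it is executed on.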