opensnitch/ebpf_prog
Gustavo Iñiguez Goia 1518cb39de
ebpf: fixed dns uprobes
We were not deleting DNS entries from the hash map, so when it reached
the maximum capacity (12k entries), we couldn't allocate new entries,
resulting in events not being sent to userspace.
2024-01-05 13:33:56 +01:00
bpf_headers ebpf: new way of compiling the modules 2023-05-17 01:20:53 +02:00
arm-clang-asm-fix.patch ebpf: added patch to compile ebpf module for arm 2021-04-21 20:49:31 +02:00
common.h ebpf: fixed getting ppid, skip failed execve's 2023-12-26 14:04:19 +01:00
common_defs.h ebpf: new way of compiling the modules 2023-05-17 01:20:53 +02:00
Makefile use temporary files instead of piping in ebpf Makefile 2023-07-07 13:28:58 +03:00
opensnitch-dns.c ebpf: fixed dns uprobes 2024-01-05 13:33:56 +01:00
opensnitch-procs.c ebpf: fixed getting ppid, skip failed execve's 2023-12-26 14:04:19 +01:00
opensnitch.c ebpf modules compilation fixes 2023-05-28 15:24:33 +02:00
README ebpf: new way of compiling the modules 2023-05-17 01:20:53 +02:00

Compilation requires getting kernel sources for now.

There's a helper script to automate this process:
 https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh

The basic steps to compile the modules are:

  sudo apt install clang llvm libelf-dev libzip-dev flex bison libssl-dev bc rsync python3
  cd opensnitch
  wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
  tar -xf v5.8.tar.gz
  cp ebpf_prog/opensnitch*.c ebpf_prog/common* ebpf_prog/Makefile linux-5.8/samples/bpf/
  cp -r ebpf_prog/bpf_headers/ linux-5.8/samples/bpf/
  cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
  cd samples/bpf && make KERNEL_DIR=../../linux-5.8/
  objdump -h opensnitch.o # you should see many sections, number 1 should be called kprobe/tcp_v4_connect
  llvm-strip -g opensnitch*.o # remove debug info
  sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for < v1.6.x
  cd ../../../daemon

Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under:
 /usr/local/lib/opensnitchd/ebpf/
 /usr/lib/opensnitchd/ebpf/
 /etc/opensnitchd/ # deprecated, only on < v1.5.x

Start opensnitchd with:

  opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf

---

### Compiling for Fedora (and other rpm-based systems)

You need to install the kernel-devel, clang and llvm packages.

Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/`

(or just pass the kernel version you want)

### Notes

The kernel where you intend to run the modules must have these options enabled:

 $ grep BPF /boot/config-$(uname -r)
  CONFIG_CGROUP_BPF=y
  CONFIG_BPF=y
  CONFIG_BPF_SYSCALL=y
  CONFIG_BPF_EVENTS=y
  CONFIG_KPROBES=y
  CONFIG_KPROBE_EVENTS=y

For the opensnitch-procs.o module to work, this option must be enabled:

 $ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
  CONFIG_FTRACE_SYSCALLS=y

(https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)

Also, in some distributions debugfs is not mounted automatically.
Since v1.6.0 we try to mount it automatically. If you're running
a lower version, you'll need to mount it manually:

 $ sudo mount -t debugfs none /sys/kernel/debug

In order to make it permanent, add it to /etc/fstab:

debugfs    /sys/kernel/debug      debugfs  defaults  0 0

opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5,
because the bpf_probe_read_user*() helpers were added in that kernel version:
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers
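
The notes above list three things to verify before starting opensnitchd with the eBPF monitor: the kernel config options, the debugfs mount, and the module search paths plus the >= 5.5 kernel requirement. The following pre-flight script is an added example, not part of the opensnitch project; it takes the config and mount-table paths as parameters so it can also be run against a saved config file, and the option names, search directories and version floor are the ones quoted in this README.

```shell
#!/bin/sh
# Pre-flight check for the opensnitch eBPF modules (added example, not project code).
# Verifies: kernel config options, debugfs mount, module location, kernel >= 5.5.

# Options the README lists as required for the eBPF monitor method.
REQUIRED_OPTS="CONFIG_CGROUP_BPF CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_KPROBES CONFIG_KPROBE_EVENTS"
# Extra option needed only by opensnitch-procs.o.
PROCS_OPTS="CONFIG_FTRACE_SYSCALLS"
# Directories opensnitchd searches for opensnitch*.o since v1.6.0 (and the deprecated one).
MODULE_DIRS="/usr/local/lib/opensnitchd/ebpf /usr/lib/opensnitchd/ebpf /etc/opensnitchd"
MIN_KERNEL="5.5"

# check_opts <config-file> <option...>
# Prints "missing: <opt>" for every option that is not built in (=y); "=m" and
# "# ... is not set" both count as missing. Returns 1 if any is missing, 2 if the
# config file cannot be read.
check_opts() {
    cfg="$1"; shift
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# debugfs_mounted [mounts-file]
# Returns 0 when a debugfs filesystem is mounted on /sys/kernel/debug.
debugfs_mounted() {
    grep -q '^[^ ]* /sys/kernel/debug debugfs ' "${1:-/proc/mounts}"
}

# find_modules <dir...>
# Prints the first directory that contains all three compiled modules; returns 1 if none does.
find_modules() {
    for d in "$@"; do
        if [ -f "$d/opensnitch.o" ] && [ -f "$d/opensnitch-procs.o" ] && [ -f "$d/opensnitch-dns.o" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# kernel_at_least <release-string> <major.minor>
# Compares only major.minor, so "5.4.0-91-generic" is parsed as 5.4.
kernel_at_least() {
    maj=$(echo "$1" | cut -d. -f1)
    min=$(echo "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    rmaj=$(echo "$2" | cut -d. -f1)
    rmin=$(echo "$2" | cut -d. -f2)
    [ "$maj" -gt "$rmaj" ] || { [ "$maj" -eq "$rmaj" ] && [ "$min" -ge "$rmin" ]; }
}

# preflight [config-file] [mounts-file]: runs every check and reports; returns 1 on any failure.
preflight() {
    release=$(uname -r)
    cfg="${1:-/boot/config-$release}"
    mounts="${2:-/proc/mounts}"
    rc=0

    echo "== kernel config ($cfg)"
    check_opts "$cfg" $REQUIRED_OPTS || rc=1
    check_opts "$cfg" $PROCS_OPTS || echo "   (opensnitch-procs.o will not work without it)"

    echo "== debugfs"
    debugfs_mounted "$mounts" || { echo "debugfs not mounted: sudo mount -t debugfs none /sys/kernel/debug"; rc=1; }

    echo "== modules"
    find_modules $MODULE_DIRS || { echo "no directory with opensnitch*.o found in: $MODULE_DIRS"; rc=1; }

    echo "== kernel version ($release)"
    kernel_at_least "$release" "$MIN_KERNEL" || { echo "opensnitch-procs.o / opensnitch-dns.o need >= $MIN_KERNEL"; rc=1; }

    return $rc
}

preflight "$@" || echo "pre-flight checks failed"
```

Run it as `sh preflight.sh` on the target host, or `sh preflight.sh /path/to/saved-config /path/to/saved-mounts` to audit a config file copied from another machine. The option check deliberately accepts only `=y`: the BPF and kprobe options are not modular, so `=m` or an unset option means the kernel has to be reconfigured.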