mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/ebpf_prog/README
Gustavo Iñiguez Goia c3ec54efaf
Updated ebpf compilation instructions 
kudos to @planetoryd for reporting it (#1080).
2024-02-06 00:30:44 +01:00

74 lines
2.5 KiB
Text
Raw Blame History

Compilation requires getting kernel sources for now.
There's a helper script to automate this process:
https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh
(example to compile the modules for kernel 6.0: bash build_modules.sh 6.0)
---
The basic steps to manually compile the modules are:
sudo apt install -y wget flex bison ca-certificates wget python3 rsync bc libssl-dev clang llvm libelf-dev libzip-dev git libpcap-dev
cd opensnitch
wget https://github.com/torvalds/linux/archive/v6.0.tar.gz
tar -xf v6.0.tar.gz
cd linux-6.0 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
cd ../ebpf_prog/
make KERNEL_DIR=../linux-6.0/ KERNEL_HEADERS=../linux-6.0/
objdump -h opensnitch.o # you should see many sections, number 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch*.o # remove debug info
sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for < v1.6.x
Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under:
/usr/local/lib/opensnitchd/ebpf/
/usr/lib/opensnitchd/ebpf/
/etc/opensnitchd/ # deprecated, only on < v1.5.x
start opensnitchd with:
opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
---
### Compiling for Fedora (and others rpm based systems)
You need to install the kernel-devel, clang and llvm packages.
Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/`
(or just pass the kernel version you want)
### Notes
The kernel where you intend to run it must have some options activated:
$ grep BPF /boot/config-$(uname -r)
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_EVENTS=y
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=y
For the opensnitch-procs.o module to work, this option must be enabled:
$ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
CONFIG_FTRACE_SYSCALLS=y
(https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)
Also, in some distributions debugfs is not mounted automatically.
Since v1.6.0 we try to mount it automatically. If you're running
a lower version so you'll need to mount it manually:
$ sudo mount -t debugfs none /sys/kernel/debug
In order to make it permanent add it to /etc/fstab:
debugfs /sys/kernel/debug debugfs defaults 0 0
opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5,
bpf_probe_read_user*() were added on that kernel on:
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers
Reference in a new issue View git blame Copy permalink