mirror of
https://github.com/evilsocket/opensnitch.git
synced 2025-03-04 00:24:40 +01:00
cfd267a56a
* `%.bc` are autoremoved: these LLVM IR files are intermediate [1] * `%.o` are now produced by a wildcard search * introduced `.SUFFIXES:` for cleaning up the implicit rules [2] * else Makefile would have generated `%.o` from its own database. [1] https://www.gnu.org/software/make/manual/html_node/Chained-Rules.html [2] https://www.gnu.org/software/make/manual/html_node/Suffix-Rules.html Signed-off-by: Ariel Otilibili <otilibil@eurecom.fr> |
||
|---|---|---|
| .. | ||
| bpf_headers | ||
| arm-clang-asm-fix.patch | ||
| common.h | ||
| common_defs.h | ||
| Makefile | ||
| opensnitch-dns.c | ||
| opensnitch-procs.c | ||
| opensnitch.c | ||
| README | ||
Compilation requires getting kernel sources for now. There's a helper script to automate this process: https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh (example to compile the modules for kernel 6.0: bash build_modules.sh 6.0) --- The basic steps to manually compile the modules are: sudo apt install -y wget flex bison ca-certificates wget python3 rsync bc libssl-dev clang llvm libelf-dev libzip-dev git libpcap-dev cd opensnitch wget https://github.com/torvalds/linux/archive/v6.0.tar.gz tar -xf v6.0.tar.gz cd linux-6.0 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd ../ebpf_prog/ make KERNEL_DIR=../linux-6.0/ KERNEL_HEADERS=../linux-6.0/ objdump -h opensnitch.o # you should see many sections, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch*.o # remove debug info sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for < v1.6.x Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under: /usr/local/lib/opensnitchd/ebpf/ /usr/lib/opensnitchd/ebpf/ /etc/opensnitchd/ # deprecated, only on < v1.5.x start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf --- ### Compiling for Fedora (and others rpm based systems) You need to install the kernel-devel, clang and llvm packages. Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/` (or just pass the kernel version you want) ### Notes The kernel where you intend to run it must have some options activated: $ grep BPF /boot/config-$(uname -r) CONFIG_CGROUP_BPF=y CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_EVENTS=y CONFIG_KPROBES=y CONFIG_KPROBE_EVENTS=y For the opensnitch-procs.o module to work, this option must be enabled: $ grep FTRACE_SYSCALLS /boot/config-$(uname -r) CONFIG_FTRACE_SYSCALLS=y (https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md) Also, in some distributions debugfs is not mounted automatically. Since v1.6.0 we try to mount it automatically. If you're running a lower version so you'll need to mount it manually: $ sudo mount -t debugfs none /sys/kernel/debug In order to make it permanent add it to /etc/fstab: debugfs /sys/kernel/debug debugfs defaults 0 0 opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5, bpf_probe_read_user*() were added on that kernel on: https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers