opensnitch/ebpf_prog
Gustavo Iñiguez Goia 9446d191f0
ebpf: delete pid from exec maps if it exists
We track new process executions by intercepting the enter and exit
of the functions, but sometimes the exit hook is not called, so the
corresponding entry was not being removed from the map.
In this situation the map becomes full and accepts no new entries.

Now the entry is deleted from the map once the process exits, if it
still exists in the map.
2024-01-08 01:33:54 +01:00
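As an added illustration of the leak this commit fixes (example code written for this page, not from the opensnitch tree): a userspace C model of a fixed-size, pid-keyed map in which an entry is added on execve enter and, when the exit hook is missed, only the process-exit cleanup stops the map from filling up. The `exec_map` helpers, `MAP_MAX` and the pid values are assumptions standing in for the BPF map helpers and the module's real map size.

```c
/* Added example, not opensnitch code: userspace model of the pid-keyed exec
 * map from the commit message, with the leak and the process-exit cleanup. */
#include <stdbool.h>
#include <string.h>
#define MAP_MAX 4   /* tiny capacity so the leak shows within a few execs */

struct exec_map {
    unsigned int pids[MAP_MAX];
    bool used[MAP_MAX];
};

static int map_find(const struct exec_map *m, unsigned int pid) {
    for (int i = 0; i < MAP_MAX; i++)
        if (m->used[i] && m->pids[i] == pid) return i;
    return -1;
}

/* Mirrors bpf_map_update_elem(): 0 on success, -1 when the map is full. */
static int map_update(struct exec_map *m, unsigned int pid) {
    if (map_find(m, pid) >= 0) return 0;        /* key already tracked */
    for (int i = 0; i < MAP_MAX; i++)
        if (!m->used[i]) { m->used[i] = true; m->pids[i] = pid; return 0; }
    return -1;                                  /* full: new execs are lost */
}

/* Mirrors bpf_map_delete_elem(): 0 on success, -1 if the key is absent. */
static int map_delete(struct exec_map *m, unsigned int pid) {
    int i = map_find(m, pid);
    if (i < 0) return -1;
    m->used[i] = false;
    return 0;
}

static int last_update_rc;   /* result of the most recent map_update() */

/* Run n processes whose execve exit hook never fires (constructed scenario).
 * Returns how many entries are still in the map when all of them have exited. */
static int simulate(unsigned int n, bool delete_on_exit) {
    struct exec_map m;
    int live = 0;
    memset(&m, 0, sizeof m);
    for (unsigned int pid = 1000; pid < 1000 + n; pid++) {
        last_update_rc = map_update(&m, pid);   /* sys_enter_execve hook */
        /* sys_exit_execve hook missed: the entry is not removed here */
        if (delete_on_exit)
            map_delete(&m, pid);                /* sched_process_exit: delete if present */
    }
    for (int i = 0; i < MAP_MAX; i++) live += m.used[i];
    return live;
}
```

Without the process-exit cleanup the fifth exec already fails to insert; with it the map is empty once the processes are gone, whether or not the exit hook ran.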
| File | Last commit | Date |
|---|---|---|
| bpf_headers | ebpf: new way of compiling the modules | 2023-05-17 01:20:53 +02:00 |
| arm-clang-asm-fix.patch | ebpf: added patch to compile ebpf module for arm | 2021-04-21 20:49:31 +02:00 |
| common.h | ebpf: fixed getting ppid, skip failed execve's | 2023-12-26 14:04:19 +01:00 |
| common_defs.h | ebpf: new way of compiling the modules | 2023-05-17 01:20:53 +02:00 |
| Makefile | use temporary files instead of piping in ebpf Makefile | 2023-07-07 13:28:58 +03:00 |
| opensnitch-dns.c | ebpf: fixed dns uprobes | 2024-01-05 13:33:56 +01:00 |
| opensnitch-procs.c | ebpf: delete pid from exec maps if it exists | 2024-01-08 01:33:54 +01:00 |
| opensnitch.c | ebpf modules compilation fixes | 2023-05-28 15:24:33 +02:00 |
| README | ebpf: new way of compiling the modules | 2023-05-17 01:20:53 +02:00 |

Compilation requires getting kernel sources for now.

There's a helper script to automate this process:
 https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh

The basic steps to compile the modules are:

  sudo apt install clang llvm libelf-dev libzip-dev flex bison libssl-dev bc rsync python3
  cd opensnitch
  wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
  tar -xf v5.8.tar.gz
  cp ebpf_prog/opensnitch*.c ebpf_prog/common* ebpf_prog/Makefile linux-5.8/samples/bpf/
  cp -r ebpf_prog/bpf_headers/ linux-5.8/samples/bpf/
  cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
  cd samples/bpf && make KERNEL_DIR=../../linux-5.8/
  objdump -h opensnitch.o # you should see many sections, number 1 should be called kprobe/tcp_v4_connect
  llvm-strip -g opensnitch*.o # remove debug info
  sudo cp opensnitch*.o /usr/lib/opensnitchd/ebpf/ # or /etc/opensnitchd for < v1.6.x
  cd ../../../daemon

Since v1.6.0, opensnitchd expects to find the opensnitch*.o modules under:
 /usr/local/lib/opensnitchd/ebpf/
 /usr/lib/opensnitchd/ebpf/
 /etc/opensnitchd/ # deprecated, only on < v1.5.x

Start opensnitchd with:

  opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf

---

### Compiling for Fedora (and other rpm-based systems)

You need to install the kernel-devel, clang and llvm packages.

Then: `cd ebpf_prog/ ; make KERNEL_DIR=/usr/src/kernels/$(uname -r)/`

(or just pass the kernel version you want)

### Notes

The kernel where you intend to run it must have these options enabled:

 $ grep BPF /boot/config-$(uname -r)
  CONFIG_CGROUP_BPF=y
  CONFIG_BPF=y
  CONFIG_BPF_SYSCALL=y
  CONFIG_BPF_EVENTS=y
  CONFIG_KPROBES=y
  CONFIG_KPROBE_EVENTS=y

For the opensnitch-procs.o module to work, this option must be enabled:

 $ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
  CONFIG_FTRACE_SYSCALLS=y

(https://github.com/iovisor/bcc/blob/master/docs/kernel_config.md)

Also, in some distributions debugfs is not mounted automatically.
Since v1.6.0 we try to mount it automatically. If you're running
a lower version, you'll need to mount it manually:

 $ sudo mount -t debugfs none /sys/kernel/debug

In order to make it permanent add it to /etc/fstab:

debugfs    /sys/kernel/debug      debugfs  defaults  0 0

opensnitch-procs.o and opensnitch-dns.o are only compatible with kernels >= 5.5,
because the bpf_probe_read_user*() helpers were added in that kernel version; see:
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers