From 49c4061cc9a3040ab185ed90f77ebdfc8943d75c Mon Sep 17 00:00:00 2001
From: chenjingwen
Date: Sat, 11 Nov 2023 17:12:17 +0800
Subject: [PATCH 1/2] ebpf: add ebpf bootstrap

add ebpf bootstrap

Signed-off-by: chenjingwen
---
observer_agent/CMakeLists.txt | 1 +
observer_agent/ebpf/CMakeLists.txt | 14 +++++++
observer_agent/ebpf/fentry.bpf.c | 40 +++++++++++++++++++
observer_agent/ebpf/fentry.c | 64 ++++++++++++++++++++++++++++++
4 files changed, 119 insertions(+)
create mode 100644 observer_agent/ebpf/CMakeLists.txt
create mode 100644 observer_agent/ebpf/fentry.bpf.c
create mode 100644 observer_agent/ebpf/fentry.c

diff --git a/observer_agent/CMakeLists.txt b/observer_agent/CMakeLists.txt
index 1610084..60be81b 100644
--- a/observer_agent/CMakeLists.txt
+++ b/observer_agent/CMakeLists.txt
@@ -1,5 +1,6 @@
 cmake_minimum_required(VERSION 3.1)
+add_subdirectory(ebpf)
 set(CMAKE_CXX_STANDARD 11)
 project(observer_agent VERSION 1.0 LANGUAGES CXX)
 set(GRPC_PATH ${CMAKE_CURRENT_SOURCE_DIR}/grpc_comm)
diff --git a/observer_agent/ebpf/CMakeLists.txt b/observer_agent/ebpf/CMakeLists.txt
new file mode 100644
index 0000000..dab70e5
--- /dev/null
+++ b/observer_agent/ebpf/CMakeLists.txt
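Review bot: `add_subdirectory(ebpf)` is inserted between `cmake_minimum_required` and the top-level `project()` call, which is the reverse of the conventional order; moving it below `project(observer_agent VERSION 1.0 LANGUAGES CXX)` lets the project's languages and policy settings exist before the subdirectory is configured and avoids the developer warning CMake can emit when commands run ahead of project(). Configuring the new subdirectory also makes every build of observer_agent depend on `bpftool`, `clang` with a bpf target and a readable `/sys/kernel/btf/vmlinux` on the build host, which nothing in this hunk checks or documents; a `find_program(BPFTOOL bpftool)` guarded by `if(NOT BPFTOOL)` / `message(FATAL_ERROR "bpftool is required for observer_agent/ebpf")` at this level would turn the silent build-time failure into a configure-time one.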
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+
+cmake_minimum_required(VERSION 3.16)
+project(ebpf)
+add_custom_target(ebpf ALL
+ COMMAND mkdir -p ${CMAKE_CURRENT_BINARY_DIR}/.output
+ COMMAND bpftool btf dump file /sys/kernel/btf/vmlinux format c > ${CMAKE_CURRENT_BINARY_DIR}/.output/vmlinux.h
+ COMMAND clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.bpf.o
+ COMMAND bpftool gen skeleton ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.bpf.o > ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.skel.h
+ COMMAND cc -g -Wall -I${CMAKE_CURRENT_BINARY_DIR}/.output -I${CMAKE_CURRENT_SOURCE_DIR} -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.o
+ COMMAND cc -g -Wall ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.o /usr/lib64/libbpf.a -lelf -lz -o fentry
+)
+
+
diff --git a/observer_agent/ebpf/fentry.bpf.c b/observer_agent/ebpf/fentry.bpf.c
new file mode 100644
index 0000000..d999881
--- /dev/null
+++ b/observer_agent/ebpf/fentry.bpf.c
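Review bot: The `add_custom_target(ebpf ALL ...)` declares no OUTPUT or DEPENDS, so every `make` reruns all six commands, including the `bpftool btf dump` of `/sys/kernel/btf/vmlinux` and the BPF object rebuild, and the final `-o fentry` carries no directory, so the loader binary lands in whatever working directory the generator runs the command from rather than in `${CMAKE_CURRENT_BINARY_DIR}`. The link step hardcodes `/usr/lib64/libbpf.a` and the BPF compile hardcodes `-D__TARGET_ARCH_x86`, which ties the build to one distribution layout and one architecture with no configure-time diagnostic when either is absent. A generator-friendly shape is an `add_custom_command` with OUTPUT/DEPENDS for the BPF side, a normal `add_executable` for the loader, and `find_library` for libbpf; the sketch below keeps the same tool invocations (the `>` redirections still rely on the shell, so VERBATIM must stay off).
```cmake
find_library(LIBBPF NAMES libbpf.a bpf)
if(NOT LIBBPF)
  message(FATAL_ERROR "libbpf not found")
endif()
set(BPF_OUT ${CMAKE_CURRENT_BINARY_DIR}/.output)
file(MAKE_DIRECTORY ${BPF_OUT})
add_custom_command(
  OUTPUT ${BPF_OUT}/fentry.skel.h
  COMMAND bpftool btf dump file /sys/kernel/btf/vmlinux format c > ${BPF_OUT}/vmlinux.h
  COMMAND clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c -o ${BPF_OUT}/fentry.bpf.o
  COMMAND bpftool gen skeleton ${BPF_OUT}/fentry.bpf.o > ${BPF_OUT}/fentry.skel.h
  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c
)
add_executable(fentry fentry.c ${BPF_OUT}/fentry.skel.h)
target_compile_options(fentry PRIVATE -g -Wall)
target_include_directories(fentry PRIVATE ${BPF_OUT} ${CMAKE_CURRENT_SOURCE_DIR})
target_link_libraries(fentry PRIVATE ${LIBBPF} elf z)
```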
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+/* Copyright (c) 2021 Sartura */
+#include "vmlinux.h"
+#include
+#include
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+SEC("lsm/task_free")
+int BPF_PROG(do_bprm_check, struct task_struct *task)
+{
+ char buf[16];
+ __u32 pid = bpf_get_current_pid_tgid() >> 32;
+ bpf_get_current_comm(buf, sizeof(buf));
+ bpf_printk("bprm_check: pid = %d, comm = %d", pid, buf);
+
+ return 0;
+}
+
+SEC("fentry/do_unlinkat")
+int BPF_PROG(do_unlinkat, int dfd, struct filename *name)
+{
+ pid_t pid;
+
+ pid = bpf_get_current_pid_tgid() >> 32;
+ bpf_printk("fentry: pid = %d, filename = %s\n", pid, name->name);
+ return 0;
+}
+
+SEC("fexit/do_unlinkat")
+int BPF_PROG(do_unlinkat_exit, int dfd, struct filename *name, long ret)
+{
+ pid_t pid;
+
+ pid = bpf_get_current_pid_tgid() >> 32;
+ bpf_printk("fexit: pid = %d, filename = %s, ret = %ld\n", pid, name->name, ret);
+ return 0;
+}
+
+
diff --git a/observer_agent/ebpf/fentry.c b/observer_agent/ebpf/fentry.c
new file mode 100644
index 0000000..9daa67f
--- /dev/null
+++ b/observer_agent/ebpf/fentry.c
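Review bot: The `bpf_printk` in the `lsm/task_free` program formats `buf`, the `char[16]` filled by `bpf_get_current_comm`, with `%d`, so the trace line prints an integer instead of the command name; it should read `bpf_printk("task_free: pid = %d, comm = %s\n", pid, buf);` (the other two printk calls already end in `\n`). The program name `do_bprm_check` and the `bprm_check:` prefix do not match the `task_free` hook it is attached to; if the intent is to observe exec, the section would be `SEC("lsm/bprm_check_security")` with a `struct linux_binprm *bprm` argument, otherwise the names should say task_free. Note also that `bpf_get_current_comm` reports the task running the hook, not the `task` being freed, so the comm logged here is not that of the freed task. Because `fentry_bpf__attach` in fentry.c attaches every program in the object, this one LSM program makes the whole loader fail on a kernel booted without the BPF LSM enabled, which deserves a comment above the SEC line so operators know why the unlinkat tracing also stops working.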
@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+/* Copyright (c) 2021 Sartura
+ * Based on minimal.c by Facebook */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "fentry.skel.h"
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+ return vfprintf(stderr, format, args);
+}
+
+static volatile sig_atomic_t stop;
+
+void sig_int(int signo)
+{
+ stop = 1;
+}
+
+int main(int argc, char **argv)
+{
+ struct fentry_bpf *skel;
+ int err;
+
+ /* Set up libbpf errors and debug info callback */
+ libbpf_set_print(libbpf_print_fn);
+
+ /* Open load and verify BPF application */
+ skel = fentry_bpf__open_and_load();
+ if (!skel) {
+ fprintf(stderr, "Failed to open BPF skeleton\n");
+ return 1;
+ }
+
+ /* Attach tracepoint handler */
+ err = fentry_bpf__attach(skel);
+ if (err) {
+ fprintf(stderr, "Failed to attach BPF skeleton\n");
+ goto cleanup;
+ }
+
+ if (signal(SIGINT, sig_int) == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ printf("Successfully started! Please run `sudo cat /sys/kernel/debug/tracing/trace_pipe` "
+ "to see output of the BPF programs.\n");
+
+ while (!stop) {
+ fprintf(stderr, ".");
+ sleep(1);
+ }
+
+cleanup:
+ fentry_bpf__destroy(skel);
+ return -err;
+}
-- 
Gitee

From dc79338e7300a3f587a3686739283cad511bd8db Mon Sep 17 00:00:00 2001
From: chenjingwen
Date: Sat, 11 Nov 2023 17:09:06 +0800
Subject: [PATCH 2/2] README: add install dependencies

add install dependencies

Signed-off-by: chenjingwen
---
README.md | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 2b533a0..2efc2b6 100644
--- a/README.md
+++ b/README.md
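Review bot: In main(), the `signal(SIGINT, sig_int) == SIG_ERR` branch jumps to cleanup with `err` still 0, so the process prints an error and then exits with status 0 as if it had succeeded; it should record the failure first, e.g. `err = -errno;` followed by `fprintf(stderr, "can't set signal handler: %s\n", strerror(-err));` before the `goto cleanup;`. `sig_int` is referenced only in this file and can be `static`, and `argc`/`argv` are unused, which the `-Wall` in the CMake file will not report but `-Wextra` would. The `return -err;` at the end turns libbpf's negative errno into a positive exit status, which is reasonable but worth a one-line comment so anyone scripting around this binary knows the exit code is an errno value rather than a libbpf-specific code.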
@@ -71,16 +71,9 @@ secDetector在架构上分为四个部分:SDK、Service、检测特性集合ca
 ## 安装教程
-
-
-
-\1. xxxx
-
-\2. xxxx
-
-\3. xxxx
-
-
+1. yum install clang libbpf-devel bpftool grpc-devel cmake
+2. mkdir -p observer_agent/build && cd observer_agent/build
+3. cmake .. && make
 ## 使用说明
@@ -161,4 +154,4 @@ secDetector在架构上分为四个部分:SDK、Service、检测特性集合ca
 \5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-\6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
\ No newline at end of file
+\6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
-- 
Gitee