From a7389cdee8bd38e4e6d24cbdb75c2cd3e4dda4b7 Mon Sep 17 00:00:00 2001
From: qjerome
Date: Mon, 29 Jan 2024 11:14:39 +0100
Subject: [PATCH 1/3] xtask cli options to build choose bpf-linker to build

Signed-off-by: qjerome
---
 xtask/src/git.rs   |  7 +++++--
 xtask/src/main.rs  | 31 +++++++++++++++++++++----------
 xtask/src/tools.rs | 13 +++++++++++++
 3 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/xtask/src/git.rs b/xtask/src/git.rs
index e3fc6d05..53222acb 100644
--- a/xtask/src/git.rs
+++ b/xtask/src/git.rs
@@ -1,7 +1,9 @@
 use anyhow::anyhow;
 use std::path::Path;
 
-pub fn last_commit_id(repo: &str, branch: &str) -> Result {
+pub fn last_commit_id>(repo: S, branch: S) -> Result {
+    let repo = repo.as_ref();
+    let branch = branch.as_ref();
     let output = std::process::Command::new("git")
         .arg("ls-remote")
         .arg(repo)
@@ -17,7 +19,8 @@ pub fn last_commit_id(repo: &str, branch: &str) -> Result
     Ok(s.split_whitespace().collect::>()[0].into())
 }
 
-pub fn reset>(repo: &str, outdir: P) -> Result<(), anyhow::Error> {
+pub fn reset, P: AsRef>(repo: S, outdir: P) -> Result<(), anyhow::Error> {
+    let repo = repo.as_ref();
     let status = std::process::Command::new("git")
         .current_dir(outdir)
         .arg("reset")
diff --git a/xtask/src/main.rs b/xtask/src/main.rs
index 7207a4fd..4e4b49c1 100644
--- a/xtask/src/main.rs
+++ b/xtask/src/main.rs
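Review bot: `repo` and `branch` are now CLI-supplied strings handed to `git ls-remote` as positional arguments, and a repo value that starts with `-` (e.g. an `--upload-pack=` form) would presumably be parsed by git as an option rather than a URL; inserting `.arg("--")` before `.arg(repo)` keeps both values as operands. The same generalisation makes the tail of this function reachable with a branch that does not exist: `git ls-remote` then prints nothing and exits 0, and the `collect::<Vec<_>>()[0]` visible as context of the next hunk panics on the empty vector, so `s.split_whitespace().next().ok_or_else(|| anyhow!("no commit found for {branch} in {repo}"))` would be the safer ending. Using a single type parameter for both `repo` and `branch` also forces callers to pass the same concrete type; one parameter each (or `impl AsRef<str>` on each) keeps a `&str`/`String` mix working. The body of `last_commit_id` continues past this hunk.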
@@ -83,13 +83,16 @@ fn main() -> Result<(), anyhow::Error> {
     // bpf-linker related variables
     let linker_dir = bt_root.join("bpf-linker");
 
-    // linker branch supporting Debug Information (DI)
-    // it is here a fork of Aya's bpf-linker, it is the only way to be sure
-    // commit id is valid as Aya's repos are often rebased
-    let linker_repo = "https://github.com/0xrawsec/bpf-linker";
-    let linker_branch = "feature/fix-di";
-    // be carefull of rebased repository while taking commits
-    let linker_commit = "ef91ad89c0ce8a66d998bde1e97526eb46501e36";
+
+    // handling specific linker commit
+    let linker_commit = {
+        // if bpf_linker_commit == last we fetch last commit
+        if opts.bpf_linker_commit.as_str() == "last" {
+            git::last_commit_id(&opts.bpf_linker_repo, &opts.bpf_linker_branch)?
+        } else {
+            opts.bpf_linker_commit.clone()
+        }
+    };
 
     if opts.action_cache_key {
         print!(
@@ -131,12 +134,20 @@ fn main() -> Result<(), anyhow::Error> {
     if linker_dir.is_dir() {
         println!("Resetting linker directory");
         // we hacked Cargo.toml so we don't want this to block our git command
-        git::reset(linker_repo, &linker_dir)?;
+        git::reset(&opts.bpf_linker_repo, &linker_dir)?;
     }
 
-    println!("Synchronizing repo:{linker_repo} branch:{linker_branch}");
+    println!(
+        "Synchronizing repo:{} branch:{}",
+        &opts.bpf_linker_repo, &opts.bpf_linker_branch
+    );
     // we should rarely need more than 10 commits back
-    git::sync(linker_branch, linker_repo, &linker_dir, 10)?;
+    git::sync(
+        &opts.bpf_linker_branch,
+        &opts.bpf_linker_repo,
+        &linker_dir,
+        10,
+    )?;
     println!("Checking out to commit: {linker_commit}");
     git::checkout(&linker_dir, linker_commit)?;
 
diff --git a/xtask/src/tools.rs b/xtask/src/tools.rs
index 96e34e49..7c3a01ea 100644
--- a/xtask/src/tools.rs
+++ b/xtask/src/tools.rs
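Review bot: `linker_commit` is taken verbatim from `--bpf-linker-commit` and later passed to `git::checkout(&linker_dir, linker_commit)` with no shape check, so a typo or a value beginning with `-` only surfaces deep in the checkout step (or is read by git as an option); validating it right after this block gives a clear error: `anyhow::ensure!(linker_commit.len() == 40 && linker_commit.chars().all(|c| c.is_ascii_hexdigit()), "--bpf-linker-commit must be a full commit SHA or \"last\"");` (loosen the rule if short SHAs or tags are meant to be accepted). The comment `// if bpf_linker_commit == last we fetch last commit` could say why the distinction matters, e.g. `// "last" resolves the branch head at build time: the build is then no longer pinned to a known commit`. The removed warning about rebased repositories now lives only in tools.rs, where a reader of this code will not see it. `main` starts and ends outside this hunk.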
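Review bot: `git::sync(..., &linker_dir, 10)` still fetches only 10 commits back, which was a safe assumption while `linker_commit` was a constant close to the branch head; now that the commit is user-supplied, any commit older than that on `--bpf-linker-branch` makes the following `git::checkout` fail with an error that says nothing about the depth. Either deepen the fetch when the checkout fails, or state the constraint where users will read it: `// NOTE: only the last 10 commits of the branch are fetched; --bpf-linker-commit must be within that window`. Since `last` is resolved with a separate remote call before `sync`, the two can also disagree if the branch moves in between, so printing the commit actually checked out (rather than the requested one) would make the build log trustworthy. `main` ends outside this hunk.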
@@ -18,6 +18,19 @@ pub struct Options {
     /// update bpf-linker
     #[clap(long)]
     pub update: bool,
+    /// fetch bpf-linker from this repo
+    #[clap(default_value = "https://github.com/0xrawsec/bpf-linker", long)]
+    pub bpf_linker_repo: String,
+    /// fetch this branch of bpf-linker repo
+    // linker branch supporting Debug Information (DI)
+    #[clap(default_value = "feature/fix-di", long)]
+    pub bpf_linker_branch: String,
+    /// fetch this commit of bpf-linker, specify "last" to fetch
+    /// the last commit
+    // be carefull of rebased repository while taking commits
+    #[clap(default_value = "ef91ad89c0ce8a66d998bde1e97526eb46501e36", long)]
+    pub bpf_linker_commit: String,
+
     /// target to build the build-tools for
     #[clap(default_value = "x86_64-unknown-linux-gnu", long)]
     pub target: String,

From 9d7abf473660cb2059b569ea952da6785df6c4df Mon Sep 17 00:00:00 2001
From: qjerome
Date: Mon, 29 Jan 2024 16:05:19 +0100
Subject: [PATCH 2/3] fix #35 bug in schedule probe

Signed-off-by: qjerome
---
 kunai-common/src/co_re/core_mm_struct.rs | 11 ++++++++++-
 kunai-ebpf/src/probes/schedule.rs        |  5 ++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/kunai-common/src/co_re/core_mm_struct.rs b/kunai-common/src/co_re/core_mm_struct.rs
index 4582ce33..931d56fb 100644
--- a/kunai-common/src/co_re/core_mm_struct.rs
+++ b/kunai-common/src/co_re/core_mm_struct.rs
@@ -8,8 +8,17 @@ impl mm_struct {
     rust_shim_kernel_impl!(mm_struct, arg_start, u64);
 
     #[inline(always)]
+    // inspired from: https://elixir.bootlin.com/linux/v6.6.13/source/fs/proc/base.c#L256
     pub unsafe fn arg_len(&self) -> Option {
-        Some(self.arg_end()? - self.arg_start()?)
+        let start = self.arg_start()?;
+        let end = self.arg_end()?;
+        Some({
+            if end == 0 || start >= end {
+                0
+            } else {
+                end - start
+            }
+        })
     }
 
     rust_shim_kernel_impl!(mm_struct, arg_end, u64);
diff --git a/kunai-ebpf/src/probes/schedule.rs b/kunai-ebpf/src/probes/schedule.rs
index a19c13de..0c12623c 100644
--- a/kunai-ebpf/src/probes/schedule.rs
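Review bot: the three defaults are coupled — `ef91ad89…` is a commit on the `feature/fix-di` branch of the `0xrawsec/bpf-linker` fork — so a user who overrides `--bpf-linker-repo` or `--bpf-linker-branch` but leaves `--bpf-linker-commit` alone gets a checkout of a commit that most likely does not exist in that repository, and nothing in the help text warns them. The doc comment on `bpf_linker_commit` should say so: `/// fetch this commit of bpf-linker; the default only makes sense with the default repo/branch, pass "last" to use the branch head (unpinned, not reproducible)`. `carefull` in the inner comment is a typo for `careful`. `Options` is defined outside this hunk.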
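Review bot: `Some({ if end == 0 || start >= end { 0 } else { end - start } })` can be written as `Some(end.saturating_sub(start))` — for `u64`, `end == 0` implies `start >= end`, so the three cases collapse into one and the extra block braces inside `Some(...)` go away; if the explicit form is kept to mirror the kernel's `get_mm_cmdline` check, the `end == 0` test is still redundant with `start >= end`. Independently, `arg_start`/`arg_end` can be set by a (privileged) process through `prctl(PR_SET_MM, ...)`, so the returned length is not bounded by anything here and a caller that sizes a user-memory read from it should clamp it (the schedule probe casts it with `as u32`, which truncates silently). A doc line on the function would make that contract visible: `/// Length of the argv area as the kernel computes it; 0 when unset or inconsistent. Not bounded — clamp before reading.`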
+++ b/kunai-ebpf/src/probes/schedule.rs
@@ -64,7 +64,10 @@ unsafe fn try_schedule(ctx: &ProbeContext) -> ProbeResult<()> {
             .data
             .argv
             .read_user_at(arg_start as *const u8, arg_len as u32),
-        |_| error!(ctx, "failed to read argv")
+        |_| error!(
+            ctx,
+            "failed to read argv: arg_start=0x{:x} arg_len={}", arg_start, arg_len
+        )
     ));
 }
 

From 48751585d506f6561f8be160cd0f1ed31568618f Mon Sep 17 00:00:00 2001
From: qjerome
Date: Mon, 29 Jan 2024 16:24:48 +0100
Subject: [PATCH 3/3] fix #36 error in prctl probe

Signed-off-by: qjerome
---
 kunai-ebpf/src/probes/prctl.rs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/kunai-ebpf/src/probes/prctl.rs b/kunai-ebpf/src/probes/prctl.rs
index 4dfbcd16..3ce3b841 100644
--- a/kunai-ebpf/src/probes/prctl.rs
+++ b/kunai-ebpf/src/probes/prctl.rs
@@ -4,7 +4,7 @@ use aya_bpf::{maps::LruHashMap, programs::TracePointContext};
 
 #[map]
 static mut PRCTL_ARGS: LruHashMap> =
-    LruHashMap::with_max_entries(256, 0);
+    LruHashMap::with_max_entries(1024, 0);
 
 #[repr(C)]
 struct PrctlArgs {
@@ -30,7 +30,7 @@ pub fn sys_enter_prctl(ctx: TracePointContext) -> u32 {
 unsafe fn try_enter_prctl(ctx: &TracePointContext) -> ProbeResult<()> {
     let args = SysEnterArgs::::from_context(ctx)?;
 
-    // we ignore result as we can check something went wrong when we try to get argument
+    // we ignore result as we can check something went wrong when we try to insert argument
     ignore_result!(PRCTL_ARGS.insert(&bpf_task_tracking_id(), &args, 0));
 
     return Ok(());
@@ -50,10 +50,9 @@ pub fn sys_exit_prctl(ctx: TracePointContext) -> u32 {
 #[inline(always)]
 unsafe fn try_exit_prctl(ctx: &TracePointContext) -> ProbeResult<()> {
     let exit_args = SysExitArgs::from_context(ctx)?;
+    let key = bpf_task_tracking_id();
 
-    let entry_args = PRCTL_ARGS
-        .get(&bpf_task_tracking_id())
-        .ok_or(error::MapError::GetFailure)?;
+    let entry_args = PRCTL_ARGS.get(&key).ok_or(error::MapError::GetFailure)?;
 
     alloc::init()?;
     let event = alloc::alloc_zero::()?;
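Review bot: the richer error message is useful, but the read it reports on still passes `arg_len as u32` on the context line just above it, and `arg_len` is a `u64` derived from `mm_struct` fields that a privileged process can set to arbitrary values with `prctl(PR_SET_MM, ...)`; anything above `u32::MAX` is truncated silently before `read_user_at` sees it, and the logged `arg_len` would then not be the length actually requested. Clamping explicitly makes the bound visible: `let arg_len = u32::try_from(arg_len).unwrap_or(u32::MAX);`, or better a clamp to the capacity of the `argv` buffer if `read_user_at` does not already enforce one (not visible here, worth confirming). `try_schedule` begins before this hunk.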
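Review bot: the reworded comment `// we ignore result as we can check something went wrong when we try to insert argument` no longer explains the ignore, since the result being dropped is the insert's own. If the intent (as the original wording suggests) is that a failed insert is caught in the exit probe when the lookup for the same key fails, say exactly that: `// insert failure is deliberately ignored: sys_exit_prctl detects it when the lookup of the same key fails`. The closing brace of `try_enter_prctl` is outside this hunk.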
@@ -70,5 +69,8 @@ unsafe fn try_exit_prctl(ctx: &TracePointContext) -> ProbeResult<()> {
 
     pipe_event(ctx, event);
 
+    // cleanup prctl arguments no need to handle failure
+    ignore_result!(PRCTL_ARGS.remove(&key));
+
     return Ok(());
 }
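Review bot: the new `PRCTL_ARGS.remove(&key)` only runs when every `?` between the lookup and `pipe_event` succeeds — `alloc::init()?` and `alloc::alloc_zero::<...>()?` in the previous hunk return early and leave the entry in the map, where a later `sys_exit_prctl` with no matching enter (probe attached mid-syscall, or an insert that failed) would consume stale arguments for that task. Copying the arguments out and removing the entry immediately after the lookup closes that window and also avoids keeping a reference into the map alive across the remove: `let entry_args = *PRCTL_ARGS.get(&key).ok_or(error::MapError::GetFailure)?;` followed by `ignore_result!(PRCTL_ARGS.remove(&key));`, which requires `PrctlArgs` to be `Copy` (its derives are outside this view). The comment could also state the why rather than the what, e.g. `// drop the entry so a later exit without a matching enter cannot reuse stale arguments`. The start of `try_exit_prctl` is outside this hunk.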