elastic · fearful-symmetry · Sep 23, 2024 · Aug 30, 2024 · Aug 30, 2024 · Sep 6, 2024
@@ -11,6 +11,8 @@
 #define EBPF_EVENTPROBE_EBPFEVENTPROTO_H
 
 #define TASK_COMM_LEN 16
+#define MAX_DNS_PACKET 512
+#define MAX_NR_SEGS 8
 
 #ifndef __KERNEL__
 #include <stdint.h>
@@ -40,6 +42,9 @@ enum ebpf_event_type {
     EBPF_EVENT_PROCESS_SHMGET               = (1 << 17),
     EBPF_EVENT_PROCESS_PTRACE               = (1 << 18),
     EBPF_EVENT_PROCESS_LOAD_MODULE          = (1 << 19),
+    EBPF_EVENT_NETWORK_UDP_SEND             = (1 << 20),
+    EBPF_EVENT_NETWORK_UDP_RECV             = (1 << 21),
+    EBPF_EVENT_NETWORK_DNS_PKT              = (1 << 22),
 };
 
 struct ebpf_event_header {
@@ -341,6 +346,7 @@ struct ebpf_process_load_module_event {
 
 enum ebpf_net_info_transport {
     EBPF_NETWORK_EVENT_TRANSPORT_TCP = 1,
+    EBPF_NETWORK_EVENT_TRANSPORT_UDP = 2,
 };
 
 enum ebpf_net_info_af {
@@ -379,6 +385,44 @@ struct ebpf_net_event {
     char comm[TASK_COMM_LEN];
 } __attribute__((packed));
 
+struct dns_pkt_header {
+    uint16_t transaction_id;
+    uint16_t flags;
+    uint16_t num_questions;
+    uint16_t num_answers;
+    uint16_t num_auth_rrs;
+    uint16_t num_additional_rrs;
+} __attribute__((packed));
+
+struct dns_body {
+    size_t len;
+    uint8_t pkt[MAX_DNS_PACKET];
+} __attribute((packed));
+
+// from vmlinux.h, modified to make the ip addrs u8 arrays
+struct skb_iphdr {
+    uint8_t ihl : 4;
+    uint8_t version : 4;
+    uint8_t tos;
+    uint16_t tot_len;
+    uint16_t id;
+    uint16_t frag_off;
+    uint8_t ttl;
+    uint8_t protocol;
+    uint16_t check;
+    uint8_t saddr[4];
+    uint8_t daddr[4];
+};
+
+struct ebpf_dns_event {
+    struct ebpf_event_header hdr;
+    struct ebpf_pid_info pids;
+    struct ebpf_net_info net;
+    char comm[TASK_COMM_LEN];
+    enum ebpf_event_type udp_evt;
+    struct dns_body pkts[MAX_NR_SEGS];
+} __attribute__((packed));
+
 // Basic event statistics
 struct ebpf_event_stats {
     uint64_t lost; // lost events due to a full ringbuffer

diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
@@ -138,6 +138,9 @@ const volatile int consumer_pid = 0;
 // From include/uapi/asm-generic/termbits.h
 #define ECHO 0x00008
 
+/* tty_write */
+DECL_FIELD_OFFSET(iov_iter, __iov);
+
 static bool IS_ERR_OR_NULL(const void *ptr)
 {
     return (!ptr) || (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
@@ -357,4 +360,23 @@ static int is_equal_prefix(const char *str1, const char *str2, int len)
     return !strncmp(str1, str2, len);
 }
 
+static int get_iovec_nr_segs_or_max(struct iov_iter *from)
+{
+    u64 nr_segs = BPF_CORE_READ(from, nr_segs);
+    nr_segs     = nr_segs > MAX_NR_SEGS ? MAX_NR_SEGS : nr_segs;
+    return nr_segs;
+}
+
+struct udp_ctx {
+    struct sk_buff *skb;
+} __attribute__((packed));
+
+// scratchspace map for fetching the arguments from a kretprobe
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, u64);
+    __type(value, struct udp_ctx);
+    __uint(max_entries, 1024);
+} pkt_ctx SEC(".maps");
+
 #endif // EBPF_EVENTPROBE_HELPERS_H
diff --git a/GPL/Events/Network/Network.h b/GPL/Events/Network/Network.h
@@ -14,6 +14,14 @@
 #define AF_INET 2
 #define AF_INET6 10
 
+#define MSG_PEEK 2
+
+// See RFC1035
+#define DNS_QR_BIT 1 << 15
+
+// I have made this number up to make the verifier happy
+#define DNS_MAX_LABELS 255
+
 static int ebpf_sock_info__fill(struct ebpf_net_info *net, struct sock *sk)
 {
     int err = 0;
@@ -67,6 +75,9 @@ static int ebpf_sock_info__fill(struct ebpf_net_info *net, struct sock *sk)
     case IPPROTO_TCP:
         net->transport = EBPF_NETWORK_EVENT_TRANSPORT_TCP;
         break;
+    case IPPROTO_UDP:
+        net->transport = EBPF_NETWORK_EVENT_TRANSPORT_UDP;
+        break;
     default:
         err = -1;
         goto out;

@@ -20,7 +20,7 @@
 
 DECL_FUNC_RET(inet_csk_accept);
 
-static int inet_csk_accept__exit(struct sock *sk)
+static int sock_object_handle(struct sock *sk, enum ebpf_event_type evt_type)
 {
     if (!sk)
         goto out;
@@ -36,24 +36,181 @@ static int inet_csk_accept__exit(struct sock *sk)
         goto out;
     }
 
-    event->hdr.type = EBPF_EVENT_NETWORK_CONNECTION_ACCEPTED;
+    event->hdr.type = evt_type;
     bpf_ringbuf_submit(event, 0);
 
 out:
     return 0;
 }
 
+/*
+=============================== DNS probes ===============================
+*/
+
+static int handle_consume(struct sk_buff *skb, int len, enum ebpf_event_type evt_type)
+{
+
+    if (ebpf_events_is_trusted_pid())
+        return 0;
+
+    struct ebpf_dns_event *event = bpf_ringbuf_reserve(&ringbuf, sizeof(*event), 0);
+    if (!event)
+        return 0;
+
+    // read from skbuf
+    unsigned char *data = BPF_CORE_READ(skb, head);
+    // get lengths
+    u16 net_header_offset       = BPF_CORE_READ(skb, network_header);
+    u16 transport_header_offset = BPF_CORE_READ(skb, transport_header);
+
+    u8 iphdr_first_byte = 0;
+    bpf_core_read(&iphdr_first_byte, 1, data + net_header_offset);
+    iphdr_first_byte = iphdr_first_byte >> 4;
+
+    u8 proto = 0;
+    if (iphdr_first_byte == 4) {
+        struct iphdr ip_hdr;
+        bpf_core_read(&ip_hdr, sizeof(struct iphdr), data + net_header_offset);
+
+        proto = ip_hdr.protocol;
+        bpf_probe_read(event->net.saddr, 4, (void *)&ip_hdr.saddr);
+        bpf_probe_read(event->net.daddr, 4, (void *)&ip_hdr.daddr);
+
+    } else if (iphdr_first_byte == 6) {
+        struct ipv6hdr ip6_hdr;
+        bpf_core_read(&ip6_hdr, sizeof(struct ipv6hdr), data + net_header_offset);
+        proto = ip6_hdr.nexthdr;
+
+        bpf_probe_read(event->net.saddr6, 16, ip6_hdr.saddr.in6_u.u6_addr8);
+        bpf_probe_read(event->net.daddr6, 16, ip6_hdr.daddr.in6_u.u6_addr8);
+    }
+
+    if (proto != IPPROTO_UDP) {
+        goto out;
+    }
+
+    struct udphdr udp_hdr;
+    bpf_core_read(&udp_hdr, sizeof(struct udphdr), data + transport_header_offset);
+    event->net.dport = bpf_ntohs(udp_hdr.dest);
+    event->net.sport = bpf_ntohs(udp_hdr.source);
+
+    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+    ebpf_pid_info__fill(&event->pids, task);
+    bpf_get_current_comm(event->comm, TASK_COMM_LEN);
+    event->hdr.ts = bpf_ktime_get_ns();
+
+    // filter out non-dns packets
+    if (event->net.sport != 53 && event->net.dport != 53) {
+        bpf_printk("not a dns packet...");
+        goto out;
+    }
+
+    // constrain the read size to make the verifier happy
+    long readsize = BPF_CORE_READ(skb, len);
+    if (readsize > MAX_DNS_PACKET) {
+        readsize = MAX_DNS_PACKET;
+    }
+
+    // udp_send_skb includes the IP and UDP header, so offset
+    long offset = transport_header_offset + sizeof(struct udphdr);
+
+    long ret = bpf_probe_read_kernel(event->pkts[0].pkt, readsize, data + offset);
+    if (ret != 0) {
+        bpf_printk("error reading in data buffer: %d", ret);
+        goto out;
+    }
+
+    event->hdr.type = EBPF_EVENT_NETWORK_DNS_PKT;
+    event->udp_evt  = evt_type;
+    bpf_ringbuf_submit(event, 0);
+
+    return 0;
+
+out:
+    bpf_ringbuf_discard(event, 0);
+    return 0;
+}
+
+SEC("fentry/ip_send_skb")
+int BPF_PROG(fentry__ip_send_skb, struct net *net, struct sk_buff *skb)
+{
+    return handle_consume(skb, skb->len, EBPF_EVENT_NETWORK_UDP_SEND);
+}
+
+SEC("fexit/skb_consume_udp")
+int BPF_PROG(fexit__skb_consume_udp, struct sock *sk, struct sk_buff *skb, int len)
+{
+    // skip peek operations
+    bpf_printk("consume len: %d", len);
+    if (len < 0) {
+        return 0;
+    }
+    return handle_consume(skb, len, EBPF_EVENT_NETWORK_UDP_RECV);
+}
+
+SEC("kprobe/ip_send_skb")
+int BPF_KPROBE(kprobe__ip_send_udp, struct net *net, struct sk_buff *skb)
+{
+    long len = BPF_CORE_READ(skb, len);
+    return handle_consume(skb, len, EBPF_EVENT_NETWORK_UDP_SEND);
+}
+
+SEC("kprobe/skb_consume_udp")
+int BPF_KPROBE(kprobe__skb_consume_udp, struct net *net, struct sk_buff *skb)
+{
+    // return handle_consume(skb, len, EBPF_EVENT_NETWORK_UDP_SENDMSG);
+    struct udp_ctx kctx;
+
+    // I suspect that using the PID_TID isn't the most reliable way to map the sockets/iters
+    // not sure what else we could use that's accessable from the kretprobe, though.
+    u64 pid_tid = bpf_get_current_pid_tgid();
+
+    long iter_err = bpf_probe_read(&kctx.skb, sizeof(kctx.skb), &skb);
+    if (iter_err != 0) {
+        bpf_printk("error reading skb in skb_consume_skb: %d", iter_err);
+        return 0;
+    }
+
+    long update_err = bpf_map_update_elem(&pkt_ctx, &pid_tid, &kctx, BPF_ANY);
+    if (update_err != 0) {
+        bpf_printk("error updating context map in udp_recvmsg: %d", update_err);
+        return 0;
+    }
+
+    return 0;
+}
+
+SEC("kretprobe/skb_consume_udp")
+int BPF_KRETPROBE(kretprobe__skb_consume_udp, int ret)
+{
+    u64 pid_tid = bpf_get_current_pid_tgid();
+    void *vctx  = bpf_map_lookup_elem(&pkt_ctx, &pid_tid);
+
+    struct udp_ctx kctx;
+    long read_err = bpf_probe_read(&kctx, sizeof(kctx), vctx);
+    if (read_err != 0) {
+        bpf_printk("error reading back context in skb_consume_skb: %d", read_err);
+        return 0;
+    }
+
+    return handle_consume(kctx.skb, ret, EBPF_EVENT_NETWORK_UDP_RECV);
+}
+
+/*
+=============================== TCP probes ===============================
+*/
+
 SEC("fexit/inet_csk_accept")
 int BPF_PROG(fexit__inet_csk_accept)
 {
     struct sock *ret = FUNC_RET_READ(___type(ret), inet_csk_accept);
-    return inet_csk_accept__exit(ret);
+    return sock_object_handle(ret, EBPF_EVENT_NETWORK_CONNECTION_ACCEPTED);
 }
 
 SEC("kretprobe/inet_csk_accept")
 int BPF_KRETPROBE(kretprobe__inet_csk_accept, struct sock *ret)
 {
-    return inet_csk_accept__exit(ret);
+    return sock_object_handle(ret, EBPF_EVENT_NETWORK_CONNECTION_ACCEPTED);
 }
 
 static int tcp_connect(struct sock *sk, int ret)

diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
@@ -18,9 +18,6 @@
 #include "State.h"
 #include "Varlen.h"
 
-/* tty_write */
-DECL_FIELD_OFFSET(iov_iter, __iov);
-
 // Limits on large things we send up as variable length parameters.
 //
 // These should be kept _well_ under half the size of the event_buffer_map or
@@ -526,8 +523,6 @@ int BPF_KPROBE(kprobe__commit_creds, struct cred *new)
     return commit_creds__enter(new);
 }
 
-#define MAX_NR_SEGS 8
-
 static int output_tty_event(struct ebpf_tty_dev *slave, const void *base, size_t base_len)
 {
     struct ebpf_process_tty_write_event *event;
@@ -611,8 +606,7 @@ static int tty_write__enter(struct kiocb *iocb, struct iov_iter *from)
     else
         goto out;
 
-    u64 nr_segs = BPF_CORE_READ(from, nr_segs);
-    nr_segs     = nr_segs > MAX_NR_SEGS ? MAX_NR_SEGS : nr_segs;
+    u64 nr_segs = get_iovec_nr_segs_or_max(from);
 
     if (nr_segs == 0) {
         u64 count = BPF_CORE_READ(from, count);