[kprobe] add support for kprobes (dropbox#33)

Co-authored-by: Konstantin Belyalov <[email protected]>

Author: jcramb

.gitignore

@@ -5,6 +5,7 @@
 *.so
 *.dylib
 *.elf
+*.swp
 itest_test
 
 # Test binary, built with `go test -c`

.travis.yml

@@ -12,8 +12,13 @@ go:
 before_install:
   - sudo apt-get update
   - sudo apt-get install -y clang llvm
+  - export GO111MODULE=on
 
 script:
+  # ad-hoc for golang versions < 1.11
+  # testify now uses go 1.13 features like errors.Is(), so switching to last supported version
+  - rm -rf $GOPATH/src/github.com/stretchr/testify
+  - git clone -b v1.6.1 https://github.com/stretchr/testify.git $GOPATH/src/github.com/stretchr/testify
   # Verify for formatting issues
   - if [ -n "$(gofmt -s -l .)" ]; then echo "Please fix source formatting by 'go fmt ./...'"; false; fi
   # Run unit tests

README.md

@@ -81,6 +81,52 @@ And the `go` part:
 ```
 Simple? Check [full XDP dump example](https://github.com/dropbox/goebpf/tree/master/examples/xdp/xdp_dump)
 
+## Kprobes
+Library currently has support for `kprobes` and `kretprobes`.
+It can be as simple as:
+
+```c
+    // kprobe handler function
+    SEC("kprobe/SyS_execve")
+    int execve_entry(struct pt_regs *ctx) {
+
+        // read comm
+        char comm[32];
+        bpf_get_current_comm(&e.comm, sizeof(e.comm));
+
+        // read first argument of execve
+        char filename[64];
+        bpf_probe_read(filename, sizeof(filename), PT_REGS_PARM1(ctx));
+
+        // display execve call details
+        bpf_printk("[exec] comm: '%s', filename: '%s'\n", comm, filename);
+
+        return 0;
+    }
+```
+
+And the `go` part:
+```go
+    // cleanup old probes
+	if err := goebpf.CleanupProbes(); err != nil {
+		log.Println(err)
+	}
+
+	// load ebpf program
+	p, err := LoadProgram("ebpf_prog/kprobe.elf")
+	if err != nil {
+		log.Fatal(err)
+	}
+	p.ShowInfo()
+
+	// attach ebpf kprobes
+	if err := p.AttachProbes(); err != nil {
+		log.Fatal(err)
+	}
+	defer p.DetachProbes()
+```
+Simple? Check [exec dump example](https://github.com/dropbox/goebpf/tree/master/examples/kprobe/exec_dump)
+
 ## Good readings
 - [Cilium BPF and XDP Reference Guide](https://docs.cilium.io/en/latest/bpf/)
 - [Prototype Kernel: XDP](https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/index.html)

bpf_helpers.h

@@ -50,16 +50,16 @@ enum bpf_map_type {
 };
 
 /* flags for BPF_MAP_UPDATE_ELEM command */
-#define BPF_ANY     0 /* create new element or update existing */
+#define BPF_ANY 0     /* create new element or update existing */
 #define BPF_NOEXIST 1 /* create new element if it didn't exist */
-#define BPF_EXIST   2 /* update existing element */
-#define BPF_F_LOCK  4 /* spin_lock-ed map_lookup/map_update */
+#define BPF_EXIST 2   /* update existing element */
+#define BPF_F_LOCK 4  /* spin_lock-ed map_lookup/map_update */
 
 /* BPF_FUNC_perf_event_output, BPF_FUNC_perf_event_read and
  * BPF_FUNC_perf_event_read_value flags.
  */
-#define BPF_F_INDEX_MASK    0xffffffffULL
-#define BPF_F_CURRENT_CPU   BPF_F_INDEX_MASK
+#define BPF_F_INDEX_MASK 0xffffffffULL
+#define BPF_F_CURRENT_CPU BPF_F_INDEX_MASK
 
 // A helper structure used by eBPF C program
 // to describe map attributes to BPF program loader
@@ -96,6 +96,44 @@ enum socket_filter_action {
   SOCKET_FILTER_ALLOW,
 };
 
+// Kprobe required constants / structs
+// (arch/x86/include/asm/ptrace.h)
+#define PT_REGS_PARM1(x) ((x)->di)
+#define PT_REGS_PARM2(x) ((x)->si)
+#define PT_REGS_PARM3(x) ((x)->dx)
+#define PT_REGS_PARM4(x) ((x)->r10)
+#define PT_REGS_PARM5(x) ((x)->r8)
+#define PT_REGS_PARM6(x) ((x)->r9)
+#define PT_REGS_RET(x) ((x)->sp)
+#define PT_REGS_FP(x) ((x)->bp)
+#define PT_REGS_RC(x) ((x)->ax)
+#define PT_REGS_SP(x) ((x)->sp)
+#define PT_REGS_IP(x) ((x)->ip)
+
+struct pt_regs {
+  unsigned long r15;
+  unsigned long r14;
+  unsigned long r13;
+  unsigned long r12;
+  unsigned long bp;
+  unsigned long bx;
+  unsigned long r11;
+  unsigned long r10;
+  unsigned long r9;
+  unsigned long r8;
+  unsigned long ax;
+  unsigned long cx;
+  unsigned long dx;
+  unsigned long si;
+  unsigned long di;
+  unsigned long orig_ax;
+  unsigned long ip;
+  unsigned long cs;
+  unsigned long flags;
+  unsigned long sp;
+  unsigned long ss;
+};
+
 #define bpf_likely(X) __builtin_expect(!!(X), 1)
 #define bpf_unlikely(X) __builtin_expect(!!(X), 0)
 #define UNUSED __attribute__((unused))
@@ -157,45 +195,45 @@ struct __sk_buff {
 
   /* Accessed by BPF_PROG_TYPE_sk_skb types from here to ... */
   __u32 family;
-  __u32 remote_ip4;  /* Stored in network byte order */
-  __u32 local_ip4;  /* Stored in network byte order */
-  __u32 remote_ip6[4];  /* Stored in network byte order */
+  __u32 remote_ip4;    /* Stored in network byte order */
+  __u32 local_ip4;     /* Stored in network byte order */
+  __u32 remote_ip6[4]; /* Stored in network byte order */
   __u32 local_ip6[4];  /* Stored in network byte order */
-  __u32 remote_port;  /* Stored in network byte order */
-  __u32 local_port;  /* stored in host byte order */
+  __u32 remote_port;   /* Stored in network byte order */
+  __u32 local_port;    /* stored in host byte order */
   /* ... here. */
 
   __u32 data_meta;
 };
 
 struct bpf_sock_tuple {
-	union {
-		struct {
-			__be32 saddr;
-			__be32 daddr;
-			__be16 sport;
-			__be16 dport;
-		} ipv4;
-		struct {
-			__be32 saddr[4];
-			__be32 daddr[4];
-			__be16 sport;
-			__be16 dport;
-		} ipv6;
-	};
+  union {
+    struct {
+      __be32 saddr;
+      __be32 daddr;
+      __be16 sport;
+      __be16 dport;
+    } ipv4;
+    struct {
+      __be32 saddr[4];
+      __be32 daddr[4];
+      __be16 sport;
+      __be16 dport;
+    } ipv6;
+  };
 };
 
 struct bpf_spin_lock {
-	__u32	val;
+  __u32 val;
 };
 
 struct bpf_sysctl {
-	__u32	write;		/* Sysctl is being read (= 0) or written (= 1).
-				 * Allows 1,2,4-byte read, but no write.
-				 */
-	__u32	file_pos;	/* Sysctl file position to read from, write to.
-				 * Allows 1,2,4-byte read an 4-byte write.
-				 */
+  __u32 write;    /* Sysctl is being read (= 0) or written (= 1).
+                   * Allows 1,2,4-byte read, but no write.
+                   */
+  __u32 file_pos; /* Sysctl file position to read from, write to.
+                   * Allows 1,2,4-byte read an 4-byte write.
+                   */
 };
 
 // BPF helper functions supported on linux kernel 5.2+
@@ -801,8 +839,8 @@ UNUSED static int bpf_xdp_adjust_head(struct xdp_md *ctx, int offset) {
   return 0;
 }
 
-UNUSED static int bpf_perf_event_output(void *ctx, void *map, __u64 index, void *data, __u32 size)
-{
+UNUSED static int bpf_perf_event_output(void *ctx, void *map, __u64 index,
+                                        void *data, __u32 size) {
   return 0;
 }
 

doc.go

@@ -119,5 +119,57 @@ A simple example could be to log all TCP SYN packets into user space from XDP pr
 		}
 	}
 
+Kprobes
+
+There are currently two types of supported probes: kprobes, and kretprobes
+(also called return probes). A kprobe can be inserted on virtually
+any instruction in the kernel. A return probe fires when a specified
+function returns.
+
+For example, you can trigger eBPF code to run when a kernel function starts
+by attaching the program to a “kprobe” event. Because it runs in the kernel,
+eBPF code is extremely high performance.
+
+A simple example could be to log all process execution events into user space
+from Kprobe program:
+
+	BPF_MAP_DEF(events) = {
+		.map_type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
+		.max_entries = 1024,
+	};
+	BPF_MAP_ADD(events);
+
+	SEC("kprobe/guess_execve")
+	int execve_entry(struct pt_regs *ctx) {
+		// ...
+
+		event_t e = {0};
+		e.ktime_ns = bpf_ktime_get_ns();
+		e.pid = bpf_get_current_pid_tgid() >> 32;
+		e.uid = bpf_get_current_uid_gid() >> 32;
+		e.gid = bpf_get_current_uid_gid();
+		bpf_get_current_comm(&e.comm, sizeof(e.comm));
+
+		buf_write(buf, (void *)&e, sizeof(e));
+		buf_strcat(buf, (void *)args[0]);
+		buf_strcat_argv(buf, (void *)args[1]);
+		buf_perf_output(ctx);
+
+		return 0;
+	}
+
+
+	// Cleanup old probes
+	err := goebpf.CleanupProbes()
+
+	// Load eBPF compiled binary
+	bpf := goebpf.NewDefaultEbpfSystem()
+	bpf.LoadElf("kprobe.elf")
+	program := bpf.GetProgramByName("kprobe") // name matches function name in C
+
+	// Attach kprobes
+	err = p.AttachProbes()
+	// Detach them once done
+	defer p.DetachProbes()
 */
 package goebpf

ebpf.go

@@ -39,6 +39,8 @@ type Program interface {
 	Detach() error
 	// Returns program name as it defined in C code
 	GetName() string
+	// Returns section name for the program
+	GetSection() string
 	// Returns program file descriptor (given by kernel)
 	GetFd() int
 	// Returns size of program in bytes

examples/README.md

@@ -7,6 +7,7 @@ Please note that `eBPF` is supported only by Linux, it will not work on `MacOS`!
 - *XDP*: [Simple packets protocol counter](https://github.com/dropbox/goebpf/tree/master/examples/xdp/packet_counter)
 - *XDP*: [Basic Firewall](https://github.com/dropbox/goebpf/tree/master/examples/xdp/basic_firewall)
 - *PerfEvents*: [XDP Dump](https://github.com/dropbox/goebpf/tree/master/examples/xdp/xdp_dump)
+- *Kprobes*: [Exec Dump](https://github.com/dropbox/goebpf/tree/master/examples/kprobe/exec_dump)
 
 ## How to run
 All examples actually contain 2 parts:

examples/kprobe/exec_dump/Makefile

@@ -0,0 +1,31 @@
+# Copyright (c) 2020 Dropbox, Inc.
+# Full license can be found in the LICENSE file.
+
+GOCMD := go
+GOBUILD := $(GOCMD) build
+GOCLEAN := $(GOCMD) clean
+CLANG := clang
+CLANG_INCLUDE := -I../../.. 
+
+GO_SOURCE := main.go
+GO_BINARY := main
+
+EBPF_SOURCE := ebpf_prog/kprobe.c
+EBPF_BINARY := ebpf_prog/kprobe.elf
+
+all: build_bpf build_go
+
+build_bpf: $(EBPF_BINARY)
+
+build_go: $(GO_BINARY)
+
+clean:
+	$(GOCLEAN)
+	rm -f $(GO_BINARY)
+	rm -f $(EBPF_BINARY)
+
+$(EBPF_BINARY): $(EBPF_SOURCE)
+	$(CLANG) $(CLANG_INCLUDE) -O2 -target bpf -c $^  -o $@
+
+$(GO_BINARY): $(GO_SOURCE)
+	$(GOBUILD) -v -o $@