Ebpfmanager - A golang ebpf library based on cilium/ebpf and datadog/ebpf

Overview

Introduction

ebpfmanager follows the design of the datadog/ebpf manager package and is an eBPF library wrapper implemented on top of cilium/ebpf.

Compared with cilium/ebpf, it adds configuration-driven, automatic loading, a more object-oriented design, and the ability to enable and disable individual probes. Compared with datadog/ebpf, it pulls in cilium/ebpf as a dependency package instead of a fork, which matches the direction that project intends to take, and the cilium/ebpf dependency is updated to the latest v0.7.0.

Work is underway to convert this library to wrap the upstream library, rather than forking.

Dependencies

go get -d github.com/shuLhan/go-bindata/cmd/go-bindata

Description

manager and probe have a one-to-many relationship. Every probe must be configured with the two attributes Section and EbpfFuncName. For k(ret)probe and u(ret)probe probes, the AttachToFuncName attribute must also be configured.

    // UID optional custom unique string
    UID string

    // Section name of the ELF bytecode section, e.g. SEC("[section]"). Used to identify the probe type: [ku](ret)?probe/xdp/(raw_)?tracepoint/tc etc.
    // In earlier datadog/ebpf versions this was the index into the manager's collectionSpec.Programs.
    // In cilium/ebpf v0.7.0 it is no longer returned as the key of the programSpec map; the index uses MatchFuncName instead.
    Section string

    // AttachToFuncName name of the hooked syscall, independent of kernel version and CPU word size; e.g. mkdirat is converted to __x64_sys_mkdirat, __ia32_sys_mkdirat, etc.
    // For uprobes it is used directly as the name of the function to attach to.
    // If left empty, the last segment of the Section field is used as the attach function name.
    AttachToFuncName string

    // EbpfFuncName name of the kernel-side C function in the bytecode, taken from the ELF symbol table
    EbpfFuncName string

    // funcName function name of the hook target; private attribute, computed automatically. For uprobes, if empty, the offset is used.
    funcName  string
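The field rules above (Section and EbpfFuncName mandatory, AttachToFuncName defaulting to the last segment of Section, a syscall name expanded to its architecture-prefixed kernel symbols) are small enough to check in isolation. The following is an added example that applies those rules to a plain struct; it is not the library's own manager.Probe type or its loader. The probe-type list is the one the README gives, and the prefix list (__x64_sys_, __ia32_sys_, sys_) is an assumption for an x86_64 host, with the bare name kept as the last candidate so that non-syscall kernel functions such as vfs_mkdir still resolve.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Probe holds the three user-facing fields the README requires. It is an added
// illustration of the field rules, not the library's manager.Probe type.
type Probe struct {
	Section          string // ELF section, e.g. "kprobe/vfs_mkdir"
	EbpfFuncName     string // name of the C function in the ELF symbol table
	AttachToFuncName string // optional; defaults to the last segment of Section
}

// Resolved is what a loader needs once a Probe has been validated.
type Resolved struct {
	Kind       string   // kprobe, kretprobe, uprobe, uretprobe, xdp, tracepoint, raw_tracepoint, tc
	AttachName string   // the function to hook
	Candidates []string // kernel symbols to try for a kernel probe (nil otherwise)
}

// kinds are the section prefixes listed in the README: [ku](ret)?probe/xdp/(raw_)?tracepoint/tc.
var kinds = map[string]bool{
	"kprobe": true, "kretprobe": true, "uprobe": true, "uretprobe": true,
	"xdp": true, "tracepoint": true, "raw_tracepoint": true, "tc": true,
}

// syscallCandidates expands a bare name into the symbols the kernel may export
// for it, as the README describes for mkdirat. The prefixes are an assumption for
// x86_64 ("sys_" covers kernels before 4.17); the bare name comes last so that
// ordinary kernel functions such as vfs_mkdir are still found.
func syscallCandidates(name string) []string {
	return []string{"__x64_sys_" + name, "__ia32_sys_" + name, "sys_" + name, name}
}

// Resolve applies the README's rules: Section and EbpfFuncName are mandatory,
// the probe type is the text before the first "/", AttachToFuncName defaults to
// the last "/"-separated segment of Section, kernel probes get the prefixed
// candidates, and a uprobe attaches to the name exactly as given.
func Resolve(p Probe) (Resolved, error) {
	if p.Section == "" || p.EbpfFuncName == "" {
		return Resolved{}, errors.New("Section and EbpfFuncName are required")
	}
	kind := p.Section
	if i := strings.Index(p.Section, "/"); i >= 0 {
		kind = p.Section[:i]
	}
	if !kinds[kind] {
		return Resolved{}, fmt.Errorf("unknown probe type in section %q", p.Section)
	}
	attach := p.AttachToFuncName
	if attach == "" {
		attach = p.Section[strings.LastIndex(p.Section, "/")+1:]
	}
	r := Resolved{Kind: kind, AttachName: attach}
	if kind == "kprobe" || kind == "kretprobe" {
		r.Candidates = syscallCandidates(attach)
	}
	return r, nil
}

func main() {
	probes := []Probe{
		{Section: "kprobe/mkdirat", EbpfFuncName: "kprobe_mkdirat"},
		{Section: "uprobe/readline", EbpfFuncName: "uprobe_readline", AttachToFuncName: "readline"},
		{Section: "kprobe/mkdirat"}, // missing EbpfFuncName: rejected
	}
	for _, p := range probes {
		r, err := Resolve(p)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s -> attach %q candidates %v\n", r.Kind, r.AttachName, r.Candidates)
	}
}
```

Running it prints the kprobe resolving to mkdirat with its four candidate symbols, the uprobe resolving to readline with no candidates, and the incomplete probe being rejected before any load is attempted.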

Usage

See the examples in the examples directory, for instance uprobe:

package main

import (
	manager "github.com/ehids/ebpfmanager" // the package is named manager
	"github.com/sirupsen/logrus"
)

var m = &manager.Manager{
	Probes: []*manager.Probe{
		{
			Section:          "uprobe/readline",
			EbpfFuncName:     "uprobe_readline",
			AttachToFuncName: "readline",
			BinaryPath:       "/usr/bin/bash",
		},
	},
}

func main() {
	// Initialize the manager. recoverAssets() returns the compiled probe.o embedded
	// with go-bindata, and trigger() is defined in the example's other source files.
	if err := m.Init(recoverAssets()); err != nil {
		logrus.Fatal(err)
	}

	// Start the manager
	if err := m.Start(); err != nil {
		logrus.Fatal(err)
	}

	logrus.Println("successfully started, head over to /sys/kernel/debug/tracing/trace_pipe")

	// Spawn a bash and write a command to trigger the probe
	if err := trigger(); err != nil {
		logrus.Error(err)
	}

	// Close the manager
	if err := m.Stop(manager.CleanAll); err != nil {
		logrus.Fatal(err)
	}
}

Notes

  1. In ebpf v0.7.0, the progs map returned by the loadProgram function is indexed by the function name in the C code; see elf_reader.go line 312, res[prog.Name] = prog. This differs from older versions, which used the section name as the index.
  2. This library is implemented on top of datadog/ebpf at af587081 (Nov 17, 2021).
Comments
  • there has not ringbuffer reader

    hi, I want to use ringbuffer to read data, but I haven't found it. So, can you support this feature quickly?

    or, if you already support it but I haven't found how to use it, please tell me how to use it.

    thanks!

    opened by rockingl 6
  • CPU high when probe init

    Describe the bug

    CPU is high when my program loaded and goes low after few seconds.

    Details

    manager.go L549 m.loadCollection()
    manager.go L1339 probe.Init(m)
    ...
    probe.go L357 GetSyscallFnNameWithSymFile
    utils.go L125 getSyscallName
    

    In my situation, I hook multiple kprobes and call getSyscallName multiple times. And every time, we read /proc/kallsyms, which is 5.5M on my machine, and do a regex over the whole string.

    opened by chriskaliX 4
  • Testcase failed

    code:

    	if err := m3.UpdateActivatedProbes([]manager.ProbesSelector{
    		&manager.ProbeSelector{
    			ProbeIdentificationPair: mkdirID,
    		},
    	}); err != nil {
    		logrus.Error(err)
    	}
    
    opened by chriskaliX 2
  • About compiling with clang

    The command in the Makefile under examples for compiling the eBPF program feels rather complicated

    	clang -D__KERNEL__ -D__ASM_SYSREG_H \
    		-Wno-unused-value \
    		-Wno-pointer-sign \
    		-Wno-compare-distinct-pointer-types \
    		-Wunused \
    		-Wall \
    		-Werror \
    		-I/lib/modules/$$(uname -r)/build/include \
    		-I/lib/modules/$$(uname -r)/build/include/uapi \
    		-I/lib/modules/$$(uname -r)/build/include/generated/uapi \
    		-I/lib/modules/$$(uname -r)/build/arch/x86/include \
    		-I/lib/modules/$$(uname -r)/build/arch/x86/include/uapi \
    		-I/lib/modules/$$(uname -r)/build/arch/x86/include/generated \
    		-O2 -emit-llvm \
    		ebpf/main.c \
    		-c -o - | llc -march=bpf -filetype=obj -o ebpf/bin/probe.o
    

    I replaced it with a single line

    clang -g -O2 -c -I./ebpf/headers -target bpf -D__TARGET_ARCH_x86 -o ebpf/bin/probe.o ebpf/kp.c
    

    It seems to work as well; what is the difference?

    opened by JamesYYang 1
  • fix #issue16

    I've looked into the code of both bcc and data-dog's. Here is the summary:

    1. In data-dog's way, if a kprobe function name is specific (which means no prefix is needed), it won't have a prefix added dynamically.
    2. In bcc, a cache of the text section and weak symbols is used.

    In order not to change the way we use it (no extra field for kprobe function name specification), I chose the second way (bcc), which will cache about 1M of data, and for sure, we have to run an extra loop to cache the symfile, which I think is acceptable.

    enhancement 
    opened by chriskaliX 0
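The two issues above describe the cost of re-reading /proc/kallsyms and running a regex over it for every kprobe, and the chosen fix of caching the text and weak symbols once. The following is an added example of that approach; it is not the library's or bcc's code. The kallsyms lines are constructed, not captured from a real host, and the syscall prefixes tried during lookup (__x64_sys_, __ia32_sys_, sys_) are an x86_64 assumption. Because the bare name is tried first and the prefixed forms afterwards, no extra field is needed to say whether a name is a syscall.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// sampleKallsyms is a constructed, shortened stand-in for /proc/kallsyms in its
// "address type name [module]" format; it is not from a real machine.
const sampleKallsyms = `ffffffff81000000 T _stext
ffffffff8125a3c0 T __x64_sys_mkdirat
ffffffff8125a3e0 T __ia32_sys_mkdirat
ffffffff8125b100 T vfs_mkdir
ffffffff8125c000 t do_mkdirat
ffffffff82000000 D jiffies
ffffffffc0a11000 W nf_hook_slow_weak	[nf_conntrack]
`

// SymCache keeps only text (T/t) and weak (W/w) symbols, the subset a kprobe can
// attach to. Building it once replaces a full-file regex pass on every lookup.
type SymCache struct {
	names map[string]struct{}
}

// NewSymCache parses kallsyms-formatted input in a single pass.
func NewSymCache(r io.Reader) (*SymCache, error) {
	c := &SymCache{names: make(map[string]struct{})}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue // blank or malformed line
		}
		switch f[1] {
		case "T", "t", "W", "w":
			c.names[f[2]] = struct{}{}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, fmt.Errorf("reading kallsyms: %w", err)
	}
	return c, nil
}

// Len reports how many attachable symbols were cached.
func (c *SymCache) Len() int { return len(c.names) }

// Resolve returns the first symbol present among the name as given and its
// syscall-prefixed forms (an x86_64 assumption). Each lookup is a map probe,
// independent of the size of kallsyms.
func (c *SymCache) Resolve(fn string) (string, bool) {
	for _, cand := range []string{fn, "__x64_sys_" + fn, "__ia32_sys_" + fn, "sys_" + fn} {
		if _, ok := c.names[cand]; ok {
			return cand, true
		}
	}
	return "", false
}

func main() {
	c, err := NewSymCache(strings.NewReader(sampleKallsyms))
	if err != nil {
		panic(err)
	}
	fmt.Printf("cached %d attachable symbols\n", c.Len())
	for _, fn := range []string{"mkdirat", "vfs_mkdir", "jiffies"} {
		sym, ok := c.Resolve(fn)
		fmt.Printf("%-10s -> %q found=%v\n", fn, sym, ok)
	}
}
```

On a real host the reader would be os.Open("/proc/kallsyms"), built once at manager init and shared by every probe; jiffies is rejected because a data symbol is not a valid kprobe target even though it is present in the file.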
  • couldn't stop manager error:error:map already initialized

    error return value.

    Maps that are not enabled do not need to be closed.

    https://github.com/ehids/ebpfmanager/blob/6fa7cc88421b00e6b39cd6763e35bd428d974114/map.go#L135-L142

    tls_2022/08/01 20:36:40 stop Module:EBPFProbeOPENSSL error:couldn't stop manager error:error:map already initialized , couldn't gracefully close map mastersecret_events, error2:error:map already initialized , couldn't gracefully close map skb_events ..
    
    opened by cfc4n 0
  • go test run failed.

    === RUN   TestEditorRewriteConstant
        editor_test.go:52: file testdata/rewrite.elf: load BTF: parsing CO-RE relocation info: record size too short
    --- FAIL: TestEditorRewriteConstant (0.00s)
    === RUN   TestEditorIssue59
        editor_test.go:112: load program: operation not permitted (MEMLOCK may be too low, consider rlimit.RemoveMemlock)
    --- FAIL: TestEditorIssue59 (0.00s)
    === RUN   TestGenerateEventName
    --- PASS: TestGenerateEventName (0.00s)
    === RUN   ExampleEditor_rewriteConstant
    --- PASS: ExampleEditor_rewriteConstant (0.00s)
    FAIL
    FAIL	github.com/ehids/ebpfmanager	0.007s
    ?   	github.com/ehids/ebpfmanager/examples/activated_probes	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/clone_vs_add_hook	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/map_rewrite_vs_map_router	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/mapspec_editor	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/object_pinning	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/program_router	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/cgroup	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/kprobe	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/lsm	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/socket	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/tc	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/tracepoint	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/uprobe	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/programs/xdp	[no test files]
    ?   	github.com/ehids/ebpfmanager/examples/tests_and_benchmarks	[no test files]
    FAIL
    
    opened by cfc4n 0
  • fix #7. unsatisfied map reference

    cannot load program without loading its whole collection: instruction 27: map my_constants: unsatisfied map reference

    Signed-off-by: CFC4N [email protected]

    bug 
    opened by cfc4n 0
  • tests failed : examples/clone_vs_add_hook  unsatisfied map reference

    [email protected]:~/project/ebpfmanager/examples/clone_vs_add_hook$ make
    mkdir -p ebpf/bin
    clang -D__KERNEL__ -D__ASM_SYSREG_H \
    	-Wno-unused-value \
    	-Wno-pointer-sign \
    	-Wno-compare-distinct-pointer-types \
    	-Wunused \
    	-Wall \
    	-Werror \
    	-I/lib/modules/$(uname -r)/build/include \
    	-I/lib/modules/$(uname -r)/build/include/uapi \
    	-I/lib/modules/$(uname -r)/build/include/generated/uapi \
    	-I/lib/modules/$(uname -r)/build/arch/x86/include \
    	-I/lib/modules/$(uname -r)/build/arch/x86/include/uapi \
    	-I/lib/modules/$(uname -r)/build/arch/x86/include/generated \
    	-O2 -emit-llvm \
    	ebpf/main.c \
    	-c -o - | llc -march=bpf -filetype=obj -o ebpf/bin/probe.o
    go-bindata -pkg main -prefix "ebpf/bin" -o "probe.go" "ebpf/bin/probe.o"
    go build -o bin/main .
    sudo bin/main
    INFO[0000] eBPF programs running, head over to /sys/kernel/debug/tracing/trace_pipe to see them in action.
    INFO[0000] INITIAL PROGRAMS
    INFO[0000] Generating events to trigger the probes ...
    INFO[0000] creating /tmp/test_folder
    INFO[0000] received: CPU:1 my_constant:100
    INFO[0001] removing /tmp/test_folder
    INFO[0001] CLONE DEMO
    FATA[0002] error:error:cannot load program without loading its whole collection: instruction 27: map my_constants: unsatisfied map reference , couldn't load new probe {UID:MySeconHook, EbpfFuncName:kprobe_vfs_mkdir} , failed to initialize new probe {UID:MySeconHook, EbpfFuncName:kprobe_vfs_mkdir}
    
    bug 
    opened by cfc4n 0
Releases(v0.3.0)
  • v0.3.0(Jun 15, 2022)

    What's Changed

    • format type error. by @cfc4n in https://github.com/ehids/ebpfmanager/pull/4
    • update cilium ebpf lib to v0.9.0 by @cfc4n in https://github.com/ehids/ebpfmanager/pull/6
    • fix #7. unsatisfied map reference by @cfc4n in https://github.com/ehids/ebpfmanager/pull/8
    • fixed #10 type 'Probe' contains 'sync.RWMutex' which is 'sync.Locker' by @cfc4n in https://github.com/ehids/ebpfmanager/pull/11
    • fix #9 go test run failed. by @cfc4n in https://github.com/ehids/ebpfmanager/pull/12

    New Contributors

    • @cfc4n made their first contribution in https://github.com/ehids/ebpfmanager/pull/4

    Full Changelog: https://github.com/ehids/ebpfmanager/compare/v0.2.3...v0.3.0

  • v0.2.3(Apr 9, 2022)

    v0.2.3 (2022-04-09)

    • Fix. #1
    • Fix format type error.

    What's Changed

    • issue #1 fix (GetSyscallFnNameWithSymFile memory leak) by @chriskaliX in https://github.com/ehids/ebpfmanager/pull/2

    New Contributors

    • @chriskaliX made their first contribution in https://github.com/ehids/ebpfmanager/pull/2

    Full Changelog: https://github.com/ehids/ebpfmanager/compare/v0.2.2...v0.2.3

  • v0.2.2(Mar 14, 2022)

  • v0.2.1(Mar 1, 2022)

  • v0.2.0(Jan 27, 2022)
