diff --git a/GPL/Events/Network/Probe.bpf.c b/GPL/Events/Network/Probe.bpf.c
index 177039fc..b8f6f53e 100644
--- a/GPL/Events/Network/Probe.bpf.c
+++ b/GPL/Events/Network/Probe.bpf.c
@@ -85,6 +85,9 @@ static int sock_dns_event_handle(struct sock *sk,
 MAX_DNS_PACKET);
 goto out;
 }
+ // TODO: This will fail on recvmsg calls where the peek flag has been set.
+ // Changes to the udp_recvmsg function call in 5.18 make it a bit annoying to get the
+ // flags argument portably. So let it fail instead of manually skipping peek calls.
 long readok = bpf_probe_read(event->pkts[0].pkt, size, base);
 if (readok != 0) {
 bpf_printk("invalid read from iovec structure: %d", readok);
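Review bot: The new TODO explains that an MSG_PEEK recvmsg is expected to make the bpf_probe_read below fail, but that failure then lands in the generic `readok != 0` branch and is logged as "invalid read from iovec structure", so an expected peek miss and a genuine iovec read fault are indistinguishable in trace output and the log will be noisy on workloads that peek before reading. The comment should state that consequence so the log line is not mistaken for a broken probe, for example appending `// Such reads are dropped via the readok != 0 branch below and show up in the trace log as "invalid read from iovec structure"; that message alone does not indicate a broken iovec.` It is also worth noting whether a peeked-then-consumed datagram is still reported by the subsequent non-peek call, since the hunk does not make that visible. Separately, `base` looks like it comes from the caller's iovec, i.e. a user pointer, for which the kernel's preferred helper is bpf_probe_read_user rather than the legacy bpf_probe_read; that line predates this change. sock_dns_event_handle starts before and continues after the hunk.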
@@ -148,43 +151,6 @@ static int sock_object_handle(struct sock *sk, enum ebpf_event_type evt_type)
 =============================== DNS probes =============================== */
-SEC("fentry/udp_sendmsg")
-int BPF_PROG(fentry__udp_sendmsg, struct sock *sk, struct msghdr *msg, size_t size)
-{
- return sock_dns_event_handle(sk, msg, EBPF_EVENT_NETWORK_UDP_SENDMSG, size);
-}
-
-SEC("fexit/udp_recvmsg")
-int BPF_PROG(fexit__udp_recvmsg)
-{
-
- // 5.18 changed the function args for udp_recvmsg,
- // so we have to do this to fetch the value of the `flags` arg.
- // obviously if the args change again this can fail.
- u64 flags = 0;
- u64 nr_args = bpf_get_func_arg_cnt(ctx);
- if (nr_args == 5) {
- bpf_get_func_arg(ctx, 3, &flags);
- } else if (nr_args == 6) {
- bpf_get_func_arg(ctx, 4, &flags);
- }
- // check the peeking flag; if set to peek, the msghdr won't contain any data
- // Still trying to get this to work portably.
- if (flags & MSG_PEEK) {
- return 0;
- }
- // bpf_get_func_arg_cnt()
- struct sock *sk = (void *)ctx[0];
- struct msghdr *msg = (void *)ctx[1];
- u64 ret = 0;
- bpf_get_func_ret(ctx, &ret);
- u16 family = BPF_CORE_READ(sk, __sk_common.skc_family);
- // struct msghdr* msg = (struct msghdr*)PT_REGS_PARM2(regs);
- bpf_printk("retval: %d", regs_ret);
- // return 0;
- return sock_dns_event_handle(sk, msg, EBPF_EVENT_NETWORK_UDP_RECVMSG, ret);
-}
-
 SEC("kprobe/udp_sendmsg")
 int BPF_KPROBE(kprobe__udp_sendmsg, struct sock *sk, struct msghdr *msg, size_t size)
 {
diff --git a/non-GPL/Events/Lib/EbpfEvents.c b/non-GPL/Events/Lib/EbpfEvents.c
index b325a262..3daeb8e9 100644
--- a/non-GPL/Events/Lib/EbpfEvents.c
+++ b/non-GPL/Events/Lib/EbpfEvents.c
@@ -386,9 +386,6 @@ static inline int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj
 err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__vfs_write, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kprobe__chown_common, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__chown_common, false);
- err = err ?: bpf_program__set_autoload(obj->progs.kprobe__udp_sendmsg, false);
- err = err ?: bpf_program__set_autoload(obj->progs.kprobe__udp_recvmsg, false);
- err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__udp_recvmsg, false);
 } else {
 err = err ?: bpf_program__set_autoload(obj->progs.fentry__do_unlinkat, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fentry__mnt_want_write, false);
@@ -406,8 +403,6 @@ static inline int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__do_truncate, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__vfs_write, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__chown_common, false);
- err = err ?: bpf_program__set_autoload(obj->progs.fentry__udp_sendmsg, false);
- err = err ?: bpf_program__set_autoload(obj->progs.fexit__udp_recvmsg, false);
 }
 return err;