eBPF: How can the sockaddr struct be read when hooking into security_socket_connect
As proposed in the presentation Security Monitoring with eBPF, I'm trying to hook into security_socket_connect.
While my gobpf/bcc-based code partly works, I can't seem to read the IP address from the sockaddr struct.
The relevant part looks like this:
int security_socket_connect_entry(struct pt_regs *ctx, struct socket *sock, struct sockaddr *address, int addrlen)
{
    u32 address_family = address->sa_family;
    if (address_family == AF_INET) {
        struct ipv4_data_t data4 = {.pid = pid};
        struct sockaddr_in *addr2 = (struct sockaddr_in *)address;
After that I try to read the IP address from addr2. The first attempt was:
data4.daddr = addr2->sin_addr.s_addr;
The second attempt, with bpf_probe_read:
bpf_probe_read(&data4.daddr, sizeof(data4.daddr), (void *)((long)addr2->sin_addr.s_addr));
Both options give the same error:
R9 invalid mem access 'inv'
HINT: The invalid mem access 'inv' error can happen if you try to dereference memory without first using bpf_probe_read() to copy it to the BPF stack. Sometimes the bpf_probe_read is automatic by the bcc rewriter, other times you'll need to be explicit.
A repository with a buildable example can be found here: socket-connect-bpf
Thanks to an answer to issue #1858 in the bcc repo I figured it out.
We have to operate on the pointer, so the IP address can be read like this:
bpf_probe_read(&data4.daddr, sizeof(data4.daddr), &addr2->sin_addr.s_addr);
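A complete bcc program built around that corrected read, as an added example that is not code from the question's repository or from bcc itself: the BPF side fetches the address family, IPv4 address and port through pointers into the sockaddr, and the user-space side decodes the perf events. The names BPF_PROGRAM, wire, format_connect and the ipv4_data_t layout are my own; it assumes Linux with bcc's Python bindings and root privileges.

```python
import socket
import struct

BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/socket.h>
#include <linux/in.h>
struct ipv4_data_t {
    u32 pid;
    u32 daddr;  // destination IPv4 address, network byte order
    u16 dport;  // destination port, network byte order
};
BPF_PERF_OUTPUT(events);
int security_socket_connect_entry(struct pt_regs *ctx, struct socket *sock,
                                  struct sockaddr *address, int addrlen)
{
    u16 family = 0;  // sa_family_t is 16 bits wide
    bpf_probe_read(&family, sizeof(family), &address->sa_family);
    if (family != AF_INET)
        return 0;
    struct sockaddr_in *addr_in = (struct sockaddr_in *)address;
    struct ipv4_data_t data4 = {};
    data4.pid = bpf_get_current_pid_tgid() >> 32;
    // Pass the address of the field, never its value cast to a pointer.
    bpf_probe_read(&data4.daddr, sizeof(data4.daddr), &addr_in->sin_addr.s_addr);
    bpf_probe_read(&data4.dport, sizeof(data4.dport), &addr_in->sin_port);
    events.perf_submit(ctx, &data4, sizeof(data4));
    return 0;
}
"""

def wire(ip, port):  # constructed test input: the (u32, u16) pair the BPF program copies
    return struct.unpack("I", socket.inet_pton(socket.AF_INET, ip))[0], socket.htons(port)

def format_connect(pid, daddr, dport):  # daddr and dport arrive still in network byte order
    ip = socket.inet_ntop(socket.AF_INET, struct.pack("I", daddr))
    return "pid %d -> %s:%d" % (pid, ip, socket.ntohs(dport))

def main():
    from bcc import BPF  # imported lazily so the decoder works without bcc installed
    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event="security_socket_connect", fn_name="security_socket_connect_entry")
    def handle(cpu, data, size):
        ev = b["events"].event(data)
        print(format_connect(ev.pid, ev.daddr, ev.dport))
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```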