feat: adapted to latest aya and kernel version

Author: jornfranke

.github/workflows/build-net-tc-filter.yml

@@ -1,7 +1,7 @@
 name: rust-net-tc-filter
 on: [push]
 env:
-    RUSTUP_TOOLCHAIN: "1.79.0"
+    RUSTUP_TOOLCHAIN: "1.82.0"
     RUSTUP_HOME: "./rust/rustup"
     CARGO_HOME: "./rust/cargo"
 

.github/workflows/build-sock-filter.yml

@@ -1,7 +1,7 @@
 name: rust-sock-filter
 on: [push]
 env:
-    RUSTUP_TOOLCHAIN: "1.79.0"
+    RUSTUP_TOOLCHAIN: "1.82.0"
     RUSTUP_HOME: "./rust/rustup"
     CARGO_HOME: "./rust/cargo"
 

.github/workflows/build-uprobe-libcall-filter.yml

@@ -1,7 +1,7 @@
 name: rust-uprobe-libcall-filter
 on: [push]
 env:
-    RUSTUP_TOOLCHAIN: "1.79.0"
+    RUSTUP_TOOLCHAIN: "1.82.0"
     RUSTUP_HOME: "./rust/rustup"
     CARGO_HOME: "./rust/cargo"
 

conf/uprobe-libcall-filter.yml

@@ -1,5 +1,5 @@
 applications: 
         filter:
              openssl3.1:
-                openssl_lib: "/lib64/glibc-hwcaps/x86-64-v3/libssl.so.3.1.2"
+                openssl_lib: "/lib64/glibc-hwcaps/x86-64-v3/libssl.so.3.1.4"
 

uprobe-libcall-filter/uprobe-libcall-filter-app/Cargo.toml

@@ -6,21 +6,22 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-anyhow = "1.0.68"
+anyhow = "1.0.86"
 # TODO: change to the stable version by the next release = 0.12
 aya = { git = "https://github.com/aya-rs/aya", branch = "main", features = [
     "async_tokio",
 ] }
 aya-log = { git = "https://github.com/aya-rs/aya", branch = "main" }
 bytes = {version = "1"}
 clap = { version = "4.1.1", features = ["derive"] }
-env_logger = "0.10"
+env_logger = "0.11"
 uprobe-libcall-filter-common = { path = "../uprobe-libcall-filter-common", features=["user"] }
 log = {version="0.4"}
-serde = {version="1.0.152", features = ["derive"] }
+serde = {version="1.0.204", features = ["derive"] }
 serde_yaml = {version = "0.9.16"}
 tokio = { version = "1.25", features = ["macros", "rt", "rt-multi-thread", "net", "signal"] }
 
+
 [dev-dependencies]
 rand = {version="0.8.5", features = ["small_rng"]}
 

uprobe-libcall-filter/uprobe-libcall-filter-app/src/main.rs

@@ -7,7 +7,6 @@ use aya::{
     Ebpf,
 };
 use aya_log::EbpfLogger;
-
 use bytes::BytesMut;
 use clap::Parser;
 use log::{info, warn};
@@ -68,6 +67,7 @@ async fn main() -> Result<(), anyhow::Error> {
                 &application_definition.openssl_lib,
                 None,
             )?;
+
             let program_ossreadprobe_ret: &mut UProbe =
                 bpf.program_mut("osslreadretprobe").unwrap().try_into()?;
             program_ossreadprobe_ret.load()?;
@@ -103,7 +103,7 @@ async fn main() -> Result<(), anyhow::Error> {
     let mut ssl_read_perf_array =
         AsyncPerfEventArray::try_from(bpf.take_map("SSLREADDATA").unwrap())?;
 
-    for cpu_id in online_cpus()? {
+    for cpu_id in online_cpus().map_err(|(_, error)| error)? {
         let mut buf = ssl_read_perf_array.open(cpu_id, None)?;
         task::spawn(async move {
             let mut buffers = (0..10)
@@ -123,11 +123,11 @@ async fn main() -> Result<(), anyhow::Error> {
     }
 
     // Get feedback from eBPF module of calls to SSL_write with unecrypted data
-    let mut ssl_read_perf_array =
+    let mut ssl_write_perf_array =
         AsyncPerfEventArray::try_from(bpf.take_map("SSLWRITEDATA").unwrap())?;
 
-    for cpu_id in online_cpus()? {
-        let mut buf = ssl_read_perf_array.open(cpu_id, None)?;
+    for cpu_id in online_cpus().map_err(|(_, error)| error)? {
+        let mut buf = ssl_write_perf_array.open(cpu_id, None)?;
         task::spawn(async move {
             let mut buffers = (0..10)
                 .map(|_| BytesMut::with_capacity(uprobe_libcall_filter_common::DATA_BUF_CAPACITY))

uprobe-libcall-filter/uprobe-libcall-filter-common/src/lib.rs

@@ -1,10 +1,6 @@
 #![no_std]
 
-
-
-
-
 // how much data can be exchanged in a buffer between eBPF and user space application in one go
 pub const DATA_BUF_CAPACITY: usize = 16384;
-// note: per SSL_read/SSL_write call OpenSSL supports up to 16 KB (cf. https://www.openssl.org/docs/man1.1.1/man3/SSL_read.html), ie it does not make sense to configure here much more
-// this is also according to the TLS specification: https://www.rfc-editor.org/rfc/rfc8446
+// note: per SSL_read/SSL_write call OpenSSL supports up to 16 KB (cf. https://docs.openssl.org/3.0/man3/SSL_read/), ie it does not make sense to configure here much more
+// this is also according to the TLS specification: https://www.rfc-editor.org/rfc/rfc8446

uprobe-libcall-filter/uprobe-libcall-filter-ebpf/Cargo.toml

@@ -11,7 +11,7 @@ aya-ebpf = { git = "https://github.com/aya-rs/aya", branch = "main" }
 aya-ebpf-bindings = { git = "https://github.com/aya-rs/aya", branch = "main" }
 aya-log-ebpf = { git = "https://github.com/aya-rs/aya", branch = "main" }
 uprobe-libcall-filter-common = { path = "../uprobe-libcall-filter-common" }
-memoffset = "0.8"
+memoffset = "0.9"
 
 [[bin]]
 name = "uprobe-libcall-filter"

uprobe-libcall-filter/uprobe-libcall-filter-ebpf/src/main.rs

@@ -6,14 +6,15 @@
 #![no_main]
 
 use aya_ebpf::{
+    bindings::__u32,
     macros::map,
     macros::uprobe,
     macros::uretprobe,
     maps::{HashMap, PerCpuArray, PerfEventByteArray},
     programs::ProbeContext,
     programs::RetProbeContext,
 };
-use aya_ebpf_bindings::helpers::{bpf_get_current_pid_tgid, bpf_probe_read};
+use aya_ebpf_bindings::helpers::{bpf_get_current_pid_tgid, bpf_probe_read_user};
 use aya_log_ebpf::warn;
 #[allow(non_upper_case_globals)]
 #[allow(non_snake_case)]
@@ -26,10 +27,10 @@ pub struct DataBuf {
 
 // Data structures for exchanging SSL_read data with user space
 #[map]
-pub static mut SSL_READ_DATA_BUF: PerCpuArray<DataBuf> = PerCpuArray::with_max_entries(1, 0);
+static SSLREADDATABUF: PerCpuArray<DataBuf> = PerCpuArray::with_max_entries(1, 0);
 
 #[map]
-pub static mut SSLREADDATA: PerfEventByteArray = PerfEventByteArray::new(0);
+static SSLREADDATA: PerfEventByteArray = PerfEventByteArray::new(0);
 
 #[map] // contains the pointer to the read buffer containing the decrypted data provided by OpenSSL
        // key is the tgid_pid of the process
@@ -39,10 +40,10 @@ static mut SSLREADARGSMAP: HashMap<u64, *const core::ffi::c_void> =
 
 // Data structures for exchanging SSL_write data with user space
 #[map]
-pub static mut SSL_WRITE_DATA_BUF: PerCpuArray<DataBuf> = PerCpuArray::with_max_entries(1, 0);
+static SSLWRITEDATABUF: PerCpuArray<DataBuf> = PerCpuArray::with_max_entries(1, 0);
 
 #[map]
-pub static mut SSLWRITEDATA: PerfEventByteArray = PerfEventByteArray::new(0);
+static SSLWRITEDATA: PerfEventByteArray = PerfEventByteArray::new(0);
 
 #[map] // contains the pointer to the read buffer containing the decrypted data provided by OpenSSL
        // key is the tgid_pid of the process
@@ -60,13 +61,15 @@ pub fn osslreadprobe(ctx: ProbeContext) -> u32 {
     // get the current process id
     let current_pid_tgid = unsafe { bpf_get_current_pid_tgid() };
 
-    // get the parameter containing the read buffer, cf. https://www.openssl.org/docs/man1.1.1/man3/SSL_read.html, Note: aya starts from 0 (ie Parameter 2 = arg(1))
-    let buffer_ptr: *const core::ffi::c_void = *&ctx.arg(1).unwrap();
-
+    // get the parameter containing the read buffer, cf. https://docs.openssl.org/3.0/man3/SSL_read/, Note: aya starts from 0 (ie Parameter 2 = arg(1))
+    let buffer_ptr: *const core::ffi::c_void = match *&ctx.arg(1) {
+        Some(ptr) => ptr,
+        None => return 0,
+    };
     unsafe {
-        SSLREADARGSMAP
-            .insert(&current_pid_tgid, &buffer_ptr, 0)
-            .unwrap();
+        match SSLREADARGSMAP.insert(&current_pid_tgid, &buffer_ptr, 0) {
+            _ => (),
+        };
     }
     return 0;
 }
@@ -83,31 +86,31 @@ pub fn osslreadretprobe(ctx: RetProbeContext) -> u32 {
     let current_pid_tgid = unsafe { bpf_get_current_pid_tgid() };
 
     // get return value (is the length of data read)
-    let ret_value_len: i32 = ctx.ret().unwrap();
+    // get return value (is the length of data read)
+    let ret_value_len: i32 = match ctx.ret() {
+        Some(ret) => ret,
+        None => return 0,
+    };
     if ret_value_len > 0 {
         // only if there was actually sth. to read.
-
-        if ret_value_len
-            > uprobe_libcall_filter_common::DATA_BUF_CAPACITY
-                .try_into()
-                .unwrap()
-        {
+        if ret_value_len as usize > uprobe_libcall_filter_common::DATA_BUF_CAPACITY {
             warn!(
                 &ctx,
-                "Read Buffer is larger than Buffer Capacity - data is not processed"
+                "Read Buffer {} is larger than Buffer Capacity {} - data is not processed",
+                ret_value_len,
+                uprobe_libcall_filter_common::DATA_BUF_CAPACITY
             );
         } else {
             // get pointer stored when the read function was called
-
             unsafe {
                 match SSLREADARGSMAP.get(&current_pid_tgid) {
                     Some(src_buffer_ptr) => {
-                        if let Some(output_buf_ptr) = SSL_READ_DATA_BUF.get_ptr_mut(0) {
+                        if let Some(output_buf_ptr) = SSLREADDATABUF.get_ptr_mut(0) {
                             let output_buf = &mut *output_buf_ptr;
-
-                            bpf_probe_read(
+                            bpf_probe_read_user(
                                 output_buf.buf.as_mut_ptr() as *mut core::ffi::c_void,
-                                (&ret_value_len).clone().try_into().unwrap(),
+                                ret_value_len as u32
+                                    & (uprobe_libcall_filter_common::DATA_BUF_CAPACITY - 1) as u32, // needed by eBPF verifier to be able to ensure that not more than necessary is read
                                 *src_buffer_ptr,
                             );
 
@@ -122,7 +125,9 @@ pub fn osslreadretprobe(ctx: RetProbeContext) -> u32 {
 
     // clean up map
     unsafe {
-        SSLREADARGSMAP.remove(&current_pid_tgid).unwrap();
+        match SSLREADARGSMAP.remove(&current_pid_tgid) {
+            _ => (),
+        }
     }
     return 0;
 }
@@ -137,15 +142,16 @@ pub fn osslwriteprobe(ctx: ProbeContext) -> u32 {
     // get the current process id
     let current_pid_tgid = unsafe { bpf_get_current_pid_tgid() };
 
-    // get the parameter containing the write buffer, cf. https://www.openssl.org/docs/man1.1.1/man3/SSL_write.html, Note: aya starts from 0 (ie Parameter 2 = arg(1))
-    let buffer_ptr: *const core::ffi::c_void = *&ctx.arg(1).unwrap();
-
+    // get the parameter containing the write buffer, cf. https://docs.openssl.org/3.0/man3/SSL_write/, Note: aya starts from 0 (ie Parameter 2 = arg(1))
+    let buffer_ptr: *const core::ffi::c_void = match *&ctx.arg(1) {
+        Some(ptr) => ptr,
+        None => return 0,
+    };
     unsafe {
-        SSLWRITEARGSMAP
-            .insert(&current_pid_tgid, &buffer_ptr, 0)
-            .unwrap();
+        match SSLWRITEARGSMAP.insert(&current_pid_tgid, &buffer_ptr, 0) {
+            _ => (),
+        };
     }
-
     return 0;
 }
 
@@ -161,15 +167,14 @@ pub fn osslwriteretprobe(ctx: RetProbeContext) -> u32 {
     let current_pid_tgid = unsafe { bpf_get_current_pid_tgid() };
 
     // get return value (is the length of data read)
-    let ret_value_len: i32 = ctx.ret().unwrap();
+    let ret_value_len: i32 = match ctx.ret() {
+        Some(ret) => ret,
+        None => return 0,
+    };
     if ret_value_len > 0 {
         // only if there was actually sth. to read.
 
-        if ret_value_len
-            > uprobe_libcall_filter_common::DATA_BUF_CAPACITY
-                .try_into()
-                .unwrap()
-        {
+        if ret_value_len as usize > uprobe_libcall_filter_common::DATA_BUF_CAPACITY {
             warn!(
                 &ctx,
                 "Write Buffer is larger than Buffer Capacity - data is not processed"
@@ -180,12 +185,12 @@ pub fn osslwriteretprobe(ctx: RetProbeContext) -> u32 {
             unsafe {
                 match SSLWRITEARGSMAP.get(&current_pid_tgid) {
                     Some(src_buffer_ptr) => {
-                        if let Some(output_buf_ptr) = SSL_WRITE_DATA_BUF.get_ptr_mut(0) {
+                        if let Some(output_buf_ptr) = SSLWRITEDATABUF.get_ptr_mut(0) {
                             let output_buf = &mut *output_buf_ptr;
-
-                            bpf_probe_read(
+                            bpf_probe_read_user(
                                 output_buf.buf.as_mut_ptr() as *mut core::ffi::c_void,
-                                (&ret_value_len).clone().try_into().unwrap(),
+                                ret_value_len as u32
+                                    & (uprobe_libcall_filter_common::DATA_BUF_CAPACITY - 1) as u32, // needed by eBPF verifier to be able to ensure that not more than necessary is read
                                 *src_buffer_ptr,
                             );
 
@@ -200,12 +205,14 @@ pub fn osslwriteretprobe(ctx: RetProbeContext) -> u32 {
 
     // clean up map
     unsafe {
-        SSLWRITEARGSMAP.remove(&current_pid_tgid).unwrap();
+        match SSLWRITEARGSMAP.remove(&current_pid_tgid) {
+            _ => (),
+        }
     }
     return 0;
 }
 
 #[panic_handler]
 fn panic(_info: &core::panic::PanicInfo) -> ! {
-    unsafe { core::hint::unreachable_unchecked() }
+    loop {}
 }