added ssl test

rileyfiretail · rileyfiretail · commit d582f8249013 · 2025-05-15T10:29:16.000+01:00
diff --git a/.github/workflows/sandbox2.yaml b/.github/workflows/sandbox2.yaml
@@ -0,0 +1,45 @@
+name: Deploy to Sandbox
+run-name: "@${{ github.triggering_actor }}: ${{ github.ref_name }}: ${{ github.event_name }}"
+on:
+  push:
+    branches:
+      - test-build
+defaults:
+  run:
+    shell: bash
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+permissions:
+  packages: write
+  contents: read
+  pull-requests: read
+jobs:
+  deploy-sandbox:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 2
+      - name: Build Docker image
+        run: |
+          shopt -s nocasematch
+          [[ ${GITHUB_REF_TYPE} == "tag" ]] &&
+            VERSION=${GITHUB_REF_NAME} ||
+            VERSION=$(git rev-parse --short "${COMMIT_SHA}")
+          IMAGE_NAME=ghcr.io/firetail-io/kubernetes-sensor:tb-${VERSION}
+          IMAGE_NAME=$(echo "$IMAGE_NAME" | tr '[:upper:]' '[:lower:]')
+          echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
+        env:
+          # pull-requests don't use github.sha for some reason
+          COMMIT_SHA: ${{github.event.pull_request.head.sha || github.sha}}
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker image
+        run: |
+          docker build --platform linux/amd64 -f build_setup/Dockerfile2 -t $IMAGE_NAME .
+          docker push $IMAGE_NAME
diff --git a/build_setup/Dockerfile2 b/build_setup/Dockerfile2
@@ -0,0 +1,11 @@
+FROM golang:1.24-bullseye
+WORKDIR /src
+RUN apt-get update && apt-get install -y --no-install-recommends libpcap-dev
+RUN apt-get install linux-headers-$(uname -r) libc6-dev
+COPY ./src2/go.* ./
+RUN go mod download
+COPY ./src2/ ./
+RUN go build -o /dist/main .
+RUN rm -rf /src/*
+RUN chmod +x /dist/main
+CMD ["/dist/main"]
diff --git a/src2/go.mod b/src2/go.mod
@@ -0,0 +1,3 @@
+module github.com/cilium/ebpf
+
+go 1.18
diff --git a/src2/main.go b/src2/main.go
@@ -0,0 +1,84 @@
+package main
+
+import (
+	"bytes"
+	_ "embed"
+	"encoding/binary"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/ringbuf"
+	"golang.org/x/sys/unix"
+)
+
+//go:embed ssl_read.o
+var bpfBytecode []byte
+
+type sslEvent struct {
+	PidTgid uint64
+	SslPtr  uint64
+	Buffer  uint64
+	Num     int32
+	_       [4]byte // padding
+}
+
+func main() {
+	spec, err := ebpf.LoadCollectionSpecFromReader(bytes.NewReader(bpfBytecode))
+	if err != nil {
+		log.Fatalf("loading spec: %v", err)
+	}
+
+	objs := struct {
+		SslReadEnterV3 *ebpf.Program `ebpf:"ssl_read_enter_v3"`
+		Events         *ebpf.Map     `ebpf:"events"`
+	}{}
+
+	if err := spec.LoadAndAssign(&objs, nil); err != nil {
+		log.Fatalf("loading objects: %v", err)
+	}
+	defer objs.SslReadEnterV3.Close()
+	defer objs.Events.Close()
+
+	// Change this path based on your system's OpenSSL path
+	libssl := "/usr/lib/x86_64-linux-gnu/libssl.so.1.1"
+
+	up, err := link.OpenExecutable(libssl)
+	if err != nil {
+		log.Fatalf("open executable: %v", err)
+	}
+
+	// Attach uprobe to SSL_read
+	uprober, err := up.Uprobe("SSL_read", objs.SslReadEnterV3, nil)
+	if err != nil {
+		log.Fatalf("attach uprobe: %v", err)
+	}
+	defer uprober.Close()
+
+	// Read events
+	rd, err := ringbuf.NewReader(objs.Events)
+	if err != nil {
+		log.Fatalf("create ringbuf reader: %v", err)
+	}
+	defer rd.Close()
+
+	log.Println("Waiting for SSL_read calls...")
+
+	for {
+		record, err := rd.Read()
+		if err != nil {
+			log.Fatalf("read ringbuf: %v", err)
+		}
+
+		var evt sslEvent
+		if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &evt); err != nil {
+			log.Printf("decode event: %v", err)
+			continue
+		}
+
+		pid := evt.PidTgid >> 32
+		fmt.Printf("SSL_read: pid=%d ssl=0x%x buf=0x%x num=%d\n", pid, evt.SslPtr, evt.Buffer, evt.Num)
+	}
+}
diff --git a/src2/ssl_read.c b/src2/ssl_read.c
@@ -0,0 +1,33 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+#define TLS_MASK 0x100000000ULL
+
+struct {
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, 1 << 24);
+} events SEC(".maps");
+
+struct ssl_event_t {
+    __u64 pid_tgid;
+    __u64 ssl_ptr;
+    __u64 buffer;
+    int num;
+};
+
+SEC("uprobe/SSL_read")
+int BPF_UPROBE(ssl_read_enter_v3, void* ssl, void* buffer, int num) {
+    struct ssl_event_t *event;
+    event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
+    if (!event) return 0;
+
+    event->pid_tgid = bpf_get_current_pid_tgid();
+    event->ssl_ptr = (unsigned long)ssl;
+    event->buffer = (unsigned long)buffer;
+    event->num = num;
+
+    bpf_ringbuf_submit(event, 0);
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+module github.com/cilium/ebpf`
	`2`	`+`
	`3`	`+go 1.18`