Driver-eBPF: remove debug in make and Docs update

chriskaliX · chriskaliX · commit 6676bad727a2 · 2022-08-14T21:33:23.000+08:00
diff --git a/plugin/driver/README.md b/plugin/driver/README.md
@@ -1,17 +1,20 @@
-# Hades Driver
+# Hades eBPF-Driver
 
-## 为何独立出 Driver 模块
+> Hades eBPF-Driver 是基于 eBPF 编写的 Hook 数据获取，是整个 Hades 最关键的部分。基于 tracee 做了大量的改造和修复，执行方式参考 Elkeid
 
-在一段时间的 eBPF 尝试之后, 发现了一些小问题：由于 BPF 的一些原因，我们无法像 LKM 一样任意操作锁等，导致其数据准确性会存在一定程度的偏差，同时在不同版本下的限制，让 BPF 在较低内核版本下会存在一定的兼容性问题。单独 driver 的原因，是希望 driver 这个模块的通用化，甚至可以作为插件直接下发到 Elkeid 中。
-
-同样的，因为后续可能也会尝试去做 LKM 的方案，将 eBPF 从中剥离，而不是放在 Collector 模块中，我觉得会更加合理
+> Hades eBPF-Driver is a eBPF-driven kernel hooker which is the most important part of Hades. Driver is based on tracee and I do a lot of modification. Draw on Elkeid.
 
 ## eBPF 快速启动 (eBPF quick start)
 
 > 环境要求：内核版本高于 4.18, golang 版本 >= 1.17。非常建议使用 ubuntu 21.04 或者以上版本, 可以减少环境配置的时间成本
 
+> kernel version over 4.18 and >= 1.17 is required. OS like ubuntu 21.04 is recommanded since it's easier for testing
+
 1. 下载 Hades 项目 (Download Hades)
-   `git clone --recursive https://github.com/chriskaliX/Hades.git`
+
+   ```bash
+   git clone --recursive https://github.com/chriskaliX/Hades.git`
+   ```
 
 2. 下载 Header，如果内核支持 BTF 可以跳过 (Download kernel header, skip if BTF is supported)
 
@@ -30,21 +33,18 @@
 
    - CORE 编译
 
-     `make core-debug`(结果输出至终端)
+     `make core`
 
    - 非 CO-RE 编译(从 kernel-header)
 
-     `make debug`(结果输出至终端)
+     `make`
 
 4. 运行(Run)
 
-   在 driver 目录下，会看见对应的 driver 文件，启动即可
-   (driver file is generated in `Hades/plugin/driver`, or you can run `../driver`)
-
-5. 过滤 id (Event filter)
+   在 driver 目录下，会看见对应的 driver 文件，启动即可。
 
-   cmdline 支持 `-f` 选项，根据下面的 ID 可以指定 filter
-   例如: `./driver -f 1031`， 只运行 `kprobe/security_file_ioctl` 即 anti_rootkit hook
+   默认情况下不会有输出，指定 **`--env debug`** 可以看到输出
+   (driver file is generated in `Hades/plugin/driver`, or you can run `../driver`, `--env debug` to get the output)
 
 ## 目前支持 Hook
 
diff --git a/plugin/driver/eBPF/Makefile b/plugin/driver/eBPF/Makefile
@@ -3,7 +3,6 @@ EBPF_CO-RE_FLAG := core
 EBPF_SOURCE_PATH = kern/hades_ebpf_driver.bpf.o
 EBPF_SOURCE_CO-RE_PATH = kern/hades_ebpf_driver.bpf.core.o
 EBPF_TARGET_PATH = user/hades_ebpf_driver.o
-GO_DEBUG_FLAG := -ldflags="-X hades-ebpf/user.Env=debug"
 GO_TARGET_PATH := -o ../driver
 
 no-core:
@@ -13,12 +12,4 @@ no-core:
 core:
 	$(EBPF_BUILD) $(EBPF_CO-RE_FLAG)
 	mv $(EBPF_SOURCE_CO-RE_PATH) $(EBPF_TARGET_PATH)
-	go build $(GO_TARGET_PATH) .
-debug:
-	$(EBPF_BUILD)
-	mv $(EBPF_SOURCE_PATH) $(EBPF_TARGET_PATH)
-	go build $(GO_DEBUG_FLAG) $(GO_TARGET_PATH) .
-core-debug:
-	$(EBPF_BUILD) $(EBPF_CO-RE_FLAG)
-	mv $(EBPF_SOURCE_CO-RE_PATH) $(EBPF_TARGET_PATH)
-	go build $(GO_DEBUG_FLAG) $(GO_TARGET_PATH) .
+	go build $(GO_TARGET_PATH) .
diff --git a/plugin/driver/eBPF/main.go b/plugin/driver/eBPF/main.go
@@ -16,7 +16,8 @@ import (
 )
 
 func main() {
-	share.EventFilter = flag.String("filter", "0", "set filter to specific the event id")
+	flag.StringVar(&share.EventFilter, "filter", "0", "set filter to specific the event id")
+	flag.StringVar(&share.Env, "env", "prod", "specific the env, debug print the output to console")
 	// parse the log
 	flag.Parse()
 	// zap configuration pre-set
@@ -37,7 +38,7 @@ func main() {
 	zap.ReplaceGlobals(logger)
 	zap.S().Info("Hades eBPF driver start")
 	// allow init
-	decoder.SetAllowList(*share.EventFilter)
+	decoder.SetAllowList(share.EventFilter)
 	// generate the main driver and run
 	driver, err := user.NewDriver()
 	if err != nil {
@@ -64,7 +65,7 @@ func main() {
 			<-time.After(time.Second * 5)
 			return
 		case <-share.GContext.Done():
-			if user.Env == "debug" {
+			if share.Env == "debug" {
 				// just for testing
 				time.Sleep(5 * time.Second)
 				continue
diff --git a/plugin/driver/eBPF/user/driver.go b/plugin/driver/eBPF/user/driver.go
@@ -167,8 +167,8 @@ func (d *Driver) dataHandler(cpu int, data []byte, perfmap *manager.PerfMap, man
 		return
 	}
 	rawdata["data"] = result
-	// TODO: just for debug
-	if Env == "debug" {
+	// for debug
+	if share.Env == "debug" {
 		fmt.Println(rawdata["data"])
 	}
 	// send the record
diff --git a/plugin/driver/eBPF/user/share/client.go b/plugin/driver/eBPF/user/share/client.go
@@ -21,7 +21,8 @@ var (
 )
 
 var (
-	EventFilter *string
+	EventFilter string
+	Env         string
 )
 
 func gtimeCron() {
@@ -36,8 +37,10 @@ func gtimeCron() {
 	}
 }
 
-// TODO: TEST FOR NOW
 func taskCron() {
+	if Env == "debug" {
+		return
+	}
 	for {
 		task, err := Client.ReceiveTask()
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -167,8 +167,8 @@ func (d Driver) dataHandler(cpu int, data []byte, perfmap manager.PerfMap, man`
`167`	`167`	`return`
`168`	`168`	`}`
`169`	`169`	`rawdata["data"] = result`
`170`		`- // TODO: just for debug`
`171`		`- if Env == "debug" {`
	`170`	`+ // for debug`
	`171`	`+ if share.Env == "debug" {`
`172`	`172`	`fmt.Println(rawdata["data"])`
`173`	`173`	`}`
`174`	`174`	`// send the record`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ var (`
`21`	`21`	`)`
`22`	`22`
`23`	`23`	`var (`
`24`		`- EventFilter *string`
	`24`	`+ EventFilter string`
	`25`	`+ Env string`
`25`	`26`	`)`
`26`	`27`
`27`	`28`	`func gtimeCron() {`
`@@ -36,8 +37,10 @@ func gtimeCron() {`
`36`	`37`	`}`
`37`	`38`	`}`
`38`	`39`
`39`		`-// TODO: TEST FOR NOW`
`40`	`40`	`func taskCron() {`
	`41`	`+ if Env == "debug" {`
	`42`	`+ return`
	`43`	`+ }`
`41`	`44`	`for {`
`42`	`45`	`task, err := Client.ReceiveTask()`
`43`	`46`	`if err != nil {`