migrated ebpf lib from gobpf to cilium

Up until now we've been using https://github.com/iovisor/gobpf/ for
intercepting events from the kernel, and it has worked very well.

Unfortunately it's deprecated since 2021 (iovisor/gobpf#304), which means
that some of the known issues and limitations won't be fixed.

After evaluating some options, I've migrated the code from gobpf to
github.com/cilium/ebpf.

More info: #1222, #1312

Author: gustavo-iniguez-goya

daemon/core/ebpf.go

@@ -3,13 +3,13 @@ package core
 import (
 	"fmt"
 
+	"github.com/cilium/ebpf"
 	"github.com/evilsocket/opensnitch/daemon/log"
-	"github.com/iovisor/gobpf/elf"
 )
 
 // LoadEbpfModule loads the given eBPF module, from the given path if specified.
 // Otherwise t'll try to load the module from several default paths.
-func LoadEbpfModule(module, path string) (m *elf.Module, err error) {
+func LoadEbpfModule(module, path string) (m *ebpf.Collection, err error) {
 	var (
 		modulesDir = "/opensnitchd/ebpf"
 		paths      = []string{
@@ -28,22 +28,37 @@ func LoadEbpfModule(module, path string) (m *elf.Module, err error) {
 	moduleError := fmt.Errorf(`Module not found (%s) in any of the paths.
 You may need to install the corresponding package`, module)
 
+	logLevel := ebpf.LogLevel(0)
+	if log.GetLogLevel() == log.DEBUG {
+		logLevel = (ebpf.LogLevelBranch | ebpf.LogLevelInstruction | ebpf.LogLevelStats)
+	}
+	collOpts := ebpf.CollectionOptions{
+		Programs: ebpf.ProgramOptions{LogLevel: logLevel},
+	}
+
 	for _, p := range paths {
 		modulePath = fmt.Sprint(p, "/", module)
 		log.Debug("[eBPF] trying to load %s", modulePath)
 		if !Exists(modulePath) {
 			continue
 		}
-		m = elf.NewModule(modulePath)
-
-		if m.Load(nil) == nil {
-			log.Info("[eBPF] module loaded: %s", modulePath)
-			return m, nil
+		specs, err := ebpf.LoadCollectionSpec(modulePath)
+		if err != nil {
+			log.Error("[eBPF] module specs error: %s", err)
+			continue
 		}
-		moduleError = fmt.Errorf(`
+		m, err := ebpf.NewCollectionWithOptions(specs, collOpts)
+		if err != nil {
+			log.Error("[eBPF] module collection error: %s", err)
+			continue
+		}
+
+		log.Info("[eBPF] module loaded: %s", modulePath)
+		return m, nil
+	}
+	moduleError = fmt.Errorf(`
 unable to load eBPF module (%s). Your kernel version (%s) might not be compatible.
 If this error persists, change process monitor method to 'proc'`, module, GetKernelVersion())
-	}
 
 	return m, moduleError
 }

daemon/dns/ebpfhook.go

@@ -9,13 +9,15 @@ import (
 	"net"
 	"os"
 	"os/signal"
-	"strings"
+	"runtime"
 	"syscall"
 	"time"
 
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/ringbuf"
 	"github.com/evilsocket/opensnitch/daemon/core"
 	"github.com/evilsocket/opensnitch/daemon/log"
-	bpf "github.com/iovisor/gobpf/elf"
 )
 
 /*
@@ -49,6 +51,7 @@ char* find_libc() {
             break;
         }
 
+        //printf("map->l_name: %s\n", map->l_name);
         if(strstr(map->l_name, "libc.so")){
             fprintf(stderr,"found %s\n", map->l_name);
             return map->l_name;
@@ -57,8 +60,6 @@ char* find_libc() {
     }
     return NULL;
 }
-
-
 */
 import "C"
 
@@ -68,6 +69,25 @@ type nameLookupEvent struct {
 	Host     [252]byte
 }
 
+// ProbeDefs holds the hooks defined in the module
+type ProbeDefs struct {
+	URProbeGethostByname *ebpf.Program `ebpf:"uretprobe__gethostbyname"`
+	UProbeGetAddrinfo    *ebpf.Program `ebpf:"uprobe__getaddrinfo"`
+	URProbeGetAddrinfo   *ebpf.Program `ebpf:"uretprobe__getaddrinfo"`
+}
+
+// MapDefs holds the maps defined in the module
+type MapDefs struct {
+	// BPF_MAP_TYPE_RINGBUF
+	PerfEvents *ebpf.Map `ebpf:"events"`
+}
+
+// container of hooks and maps
+type dnsDefsT struct {
+	ProbeDefs
+	MapDefs
+}
+
 func findLibc() (string, error) {
 	ret := C.find_libc()
 
@@ -95,83 +115,120 @@ func lookupSymbol(elffile *elf.File, symbolName string) (uint64, error) {
 
 // ListenerEbpf starts listening for DNS events.
 func ListenerEbpf(ebpfModPath string) error {
+	probesAttached := 0
 	m, err := core.LoadEbpfModule("opensnitch-dns.o", ebpfModPath)
 	if err != nil {
-		log.Warning("[eBPF DNS]: %s", err)
 		return err
 	}
 	defer m.Close()
 
+	ebpfMod := dnsDefsT{}
+	if err := m.Assign(&ebpfMod); err != nil {
+		return err
+	}
+
+	// --------------
+
 	// libbcc resolves the offsets for us. without bcc the offset for uprobes must parsed from the elf files
 	// some how 0 must be replaced with the offset of getaddrinfo bcc does this using bcc_resolve_symname
 
 	// Attaching to uprobe using perf open might be a better aproach requires https://github.com/iovisor/gobpf/pull/277
-	libcFile, err := findLibc()
 
+	libcFile, err := findLibc()
 	if err != nil {
-		log.Error("[eBPF DNS]: Failed to find libc.so: %v", err)
+		log.Error("[eBPF DNS] Failed to find libc.so: %v", err)
 		return err
 	}
+	ex, err := link.OpenExecutable(libcFile)
+	if err != nil {
+		return err
+	}
+
+	// --------------
 
-	libcElf, err := elf.Open(libcFile)
+	// User space needs to call perf_event_open() (...) before eBPF program can send data into it.
+	rd, err := ringbuf.NewReader(ebpfMod.PerfEvents)
 	if err != nil {
-		log.Error("[eBPF DNS]: Failed to open %s: %v", libcFile, err)
 		return err
 	}
-	probesAttached := 0
-	for uprobe := range m.IterUprobes() {
-		probeFunction := strings.Replace(uprobe.Name, "uretprobe/", "", 1)
-		probeFunction = strings.Replace(probeFunction, "uprobe/", "", 1)
-		offset, err := lookupSymbol(libcElf, probeFunction)
-		if err != nil {
-			log.Warning("[eBPF DNS]: Failed to find symbol for uprobe %s (offset: %d): %s\n", uprobe.Name, offset, err)
-			continue
-		}
-		err = bpf.AttachUprobe(uprobe, libcFile, offset)
-		if err != nil {
-			log.Warning("[eBPF DNS]: Failed to attach uprobe %s : %s, (%s, %d)\n", uprobe.Name, err, libcFile, offset)
-			continue
-		}
-		probesAttached++
+	defer rd.Close()
+
+	// --------------
+
+	urg, err := ex.Uretprobe("gethostbyname", ebpfMod.URProbeGethostByname, nil)
+	if err != nil {
+		log.Error("[eBPF DNS] uretprobe__gethostbyname: %s", err)
+	}
+	defer urg.Close()
+	probesAttached++
+
+	up, err := ex.Uprobe("getaddrinfo", ebpfMod.UProbeGetAddrinfo, nil)
+	if err != nil {
+		log.Error("[eBPF DNS] uprobe__getaddrinfo: %s", err)
+	}
+	defer up.Close()
+	probesAttached++
+
+	urp, err := ex.Uretprobe("getaddrinfo", ebpfMod.URProbeGetAddrinfo, nil)
+	if err != nil {
+		log.Error("[eBPF-DNS] uretprobe__getaddrinfo: %s", err)
 	}
+	defer urp.Close()
+	probesAttached++
 
 	if probesAttached == 0 {
 		log.Warning("[eBPF DNS]: Failed to find symbols for uprobes.")
 		return errors.New("Failed to find symbols for uprobes")
 	}
 
-	// Reading Events
-	channel := make(chan []byte)
-	//log.Warning("EBPF-DNS: %+v\n", m)
-	perfMap, err := bpf.InitPerfMap(m, "events", channel, nil)
-	if err != nil {
-		log.Error("[eBPF DNS]: Failed to init perf map: %s\n", err)
-		return err
+	// --------------
+
+	exitChannel := make(chan struct{})
+	perfChan := make(chan []byte, 0)
+
+	for i := 0; i < runtime.NumCPU(); i++ {
+		go spawnDNSWorker(i, perfChan, exitChannel)
 	}
+
+	go func(perfChan chan []byte, rd *ringbuf.Reader) {
+		for {
+			select {
+			case <-exitChannel:
+				goto Exit
+			default:
+				record, err := rd.Read()
+				if err != nil {
+					if errors.Is(err, ringbuf.ErrClosed) {
+						goto Exit
+					}
+					log.Debug("[eBPF DNS] reader error: %s", err)
+					continue
+				}
+				perfChan <- record.RawSample
+			}
+		}
+	Exit:
+		log.Debug("[eBPF DNS] reader closed")
+	}(perfChan, rd)
+
 	sig := make(chan os.Signal, 1)
-	exitChannel := make(chan bool)
 	signal.Notify(sig,
 		syscall.SIGHUP,
 		syscall.SIGINT,
 		syscall.SIGTERM,
 		syscall.SIGKILL,
 		syscall.SIGQUIT)
 
-	for i := 0; i < 5; i++ {
-		go spawnDNSWorker(i, channel, exitChannel)
-	}
-
-	perfMap.PollStart()
 	<-sig
 	log.Info("[eBPF DNS]: Received signal: terminating ebpf dns hook.")
-	perfMap.PollStop()
-	for i := 0; i < 5; i++ {
-		exitChannel <- true
+	exitChannel <- struct{}{}
+	for i := 0; i < runtime.NumCPU(); i++ {
+		exitChannel <- struct{}{}
 	}
 	return nil
 }
 
-func spawnDNSWorker(id int, channel chan []byte, exitChannel chan bool) {
+func spawnDNSWorker(id int, channel chan []byte, exitChannel chan struct{}) {
 
 	log.Debug("[eBPF DNS] worker initialized #%d", id)
 	var event nameLookupEvent

daemon/go.mod

@@ -2,20 +2,20 @@ module github.com/evilsocket/opensnitch/daemon
 
 go 1.21
 
-//toolchain go1.23.6
+//toolchain go1.23.1
 
 require (
+	github.com/cilium/ebpf v0.16.0
 	github.com/fsnotify/fsnotify v1.4.7
 	github.com/golang/protobuf v1.5.0
 	github.com/google/gopacket v1.1.19
 	github.com/google/nftables v0.2.0
 	github.com/google/uuid v1.3.0
-	github.com/iovisor/gobpf v0.2.0
 	github.com/varlink/go v0.4.0
 	github.com/vishvananda/netlink v1.3.0
 	github.com/vishvananda/netns v0.0.4
-	golang.org/x/net v0.22.0
-	golang.org/x/sys v0.18.0
+	golang.org/x/net v0.23.0
+	golang.org/x/sys v0.20.0
 	google.golang.org/grpc v1.32.0
 	google.golang.org/protobuf v1.26.0
 )
@@ -25,6 +25,7 @@ require (
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/mdlayher/netlink v1.7.2 // indirect
 	github.com/mdlayher/socket v0.5.0 // indirect
+	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 // indirect

daemon/go.sum

@@ -1,13 +1,17 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok=
+github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -26,15 +30,21 @@ github.com/google/nftables v0.2.0 h1:PbJwaBmbVLzpeldoeUKGkE2RjstrjPKMl6oLrfEJ6/8
 github.com/google/nftables v0.2.0/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/iovisor/gobpf v0.2.0 h1:34xkQxft+35GagXBk3n23eqhm0v7q0ejeVirb8sqEOQ=
-github.com/iovisor/gobpf v0.2.0/go.mod h1:WSY9Jj5RhdgC3ci1QaacvbFdQ8cbrEjrpiZbLHLt2s4=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
+github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
 github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/varlink/go v0.4.0 h1:+/BQoUO9eJK/+MTSHwFcJch7TMsb6N6Dqp6g0qaXXRo=
 github.com/varlink/go v0.4.0/go.mod h1:DKg9Y2ctoNkesREGAEak58l+jOC6JU2aqZvUYs5DynU=
 github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
@@ -44,6 +54,8 @@ github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZla
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
+golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -55,8 +67,8 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -68,8 +80,8 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=