Add Java TLS bpf support (#891)

Author: grcevski

bpf/common/connection_info.h

@@ -208,3 +208,7 @@ static __always_inline void populate_ephemeral_info(connection_info_part_t *part
     part->type = type;
     part->pid = pid;
 }
+
+static __always_inline u8 is_empty_connection_info(const connection_info_t *conn) {
+    return conn->s_port == 0 && conn->d_port == 0;
+}

bpf/generictracer/generictracer.c

@@ -7,5 +7,6 @@
 #include "libssl.c"
 #include "nginx.c"
 #include "nodejs.c"
+#include "java_tls.c"
 
 char __license[] SEC("license") = "Dual MIT/GPL";

bpf/generictracer/java_tls.c

@@ -0,0 +1,106 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build obi_bpf_ignore
+
+#include <bpfcore/vmlinux.h>
+#include <bpfcore/bpf_helpers.h>
+#include <bpfcore/bpf_tracing.h>
+
+#include <common/connection_info.h>
+#include <common/protocol_defs.h>
+
+#include <generictracer/k_tracer_defs.h>
+#include <generictracer/maps/pid_tid_to_conn.h>
+
+#include <logger/bpf_dbg.h>
+
+#include <pid/pid.h>
+
+enum { k_ioctl_magic_id = 0x0b10b1 };
+enum {
+    k_ioctl_java_send = 1,
+    k_ioctl_java_recv = 2,
+};
+
+enum { k_ioctl_invalid_op = 0xff };
+
+static __always_inline u8 cmd_to_op(u8 cmd) {
+    switch (cmd) {
+    case k_ioctl_java_send:
+        return TCP_SEND;
+    case k_ioctl_java_recv:
+        return TCP_RECV;
+    default:
+        return k_ioctl_invalid_op;
+    }
+}
+
+SEC("kprobe/do_vfs_ioctl")
+int BPF_KPROBE(
+    beyla_kprobe_do_vfs_ioctl, void *filp, unsigned int fd, unsigned int cmd, void *arg) {
+    (void)ctx;
+    (void)filp;
+
+    u64 id = bpf_get_current_pid_tgid();
+
+    if (!valid_pid(id)) {
+        return 0;
+    }
+
+    bpf_dbg_printk("=== do_vfs_ioctl id=%d ===", id);
+
+    // it must be fd == 0 if we are considering this request
+    if (fd) {
+        return 0;
+    }
+
+    // some other IOCTL by the app
+    if (cmd != k_ioctl_magic_id) {
+        return 0;
+    }
+
+    bpf_dbg_printk("data %llx", arg);
+
+    if (!arg) {
+        return 0;
+    }
+
+    u8 op_cmd = 0;
+    bpf_probe_read(&op_cmd, sizeof(u8), arg);
+
+    u8 op = cmd_to_op(op_cmd);
+
+    if (op == k_ioctl_invalid_op) {
+        bpf_dbg_printk("unknown cmd = %d", op_cmd);
+        return 0;
+    }
+
+    bpf_dbg_printk("op = %d, cmd = %d", op, op_cmd);
+
+    pid_connection_info_t p_conn = {0};
+    bpf_probe_read(&p_conn.conn, sizeof(connection_info_t), arg + 1);
+    u16 orig_dport = p_conn.conn.d_port;
+    sort_connection_info(&p_conn.conn);
+    p_conn.pid = pid_from_pid_tgid(id);
+
+    if (is_empty_connection_info(&p_conn.conn)) {
+        ssl_pid_connection_info_t *l = bpf_map_lookup_elem(&pid_tid_to_conn, &id);
+        bpf_dbg_printk("lookup for empty connection info %llx", l);
+        if (l) {
+            p_conn = l->p_conn;
+        }
+    }
+
+    u32 len = 0;
+    bpf_probe_read(&len, sizeof(u32), arg + 1 + sizeof(connection_info_t));
+
+    bpf_dbg_printk("payload len %d", len);
+
+    if (len > 0) {
+        void *buf = arg + 1 + sizeof(connection_info_t) + sizeof(u32);
+        handle_buf_with_connection(ctx, &p_conn, buf, len, WITH_SSL, op, orig_dport);
+    }
+
+    return 0;
+}

internal/test/integration/k8s/manifests/05-uninstrumented-server-client-different-nodes.yml

@@ -31,7 +31,8 @@ spec:
 
   containers:
     - name: httppinger
-      image: httppinger:dev
+      image: ghcr.io/open-telemetry/obi-testimg:httppinger-net
+      imagePullPolicy: IfNotPresent       
       env:
         - name: TARGET_URL
           value: "http://otherinstance:8080"
@@ -88,8 +89,8 @@ spec:
             claimName: testoutput
       containers:
         - name: otherinstance
-          image: testserver:dev
-          imagePullPolicy: Never # loaded into Kind from localhost
+          image: ghcr.io/open-telemetry/obi-testimg:gotestserver-net
+          imagePullPolicy: IfNotPresent 
           ports:
             # exposing hostports to enable operation from tests
             - containerPort: 8080

internal/test/integration/k8s/restrict_local_node/restrict_local_node_main_test.go

@@ -31,8 +31,6 @@ var cluster *kube.Kind
 
 func TestMain(m *testing.M) {
 	if err := docker.Build(os.Stdout, tools.ProjectDir(),
-		docker.ImageBuild{Tag: "testserver:dev", Dockerfile: k8s.DockerfileTestServer},
-		docker.ImageBuild{Tag: "httppinger:dev", Dockerfile: k8s.DockerfileHTTPPinger},
 		docker.ImageBuild{Tag: "obi:dev", Dockerfile: k8s.DockerfileOBI},
 		docker.ImageBuild{Tag: "quay.io/prometheus/prometheus:v2.55.1"},
 		docker.ImageBuild{Tag: "otel/opentelemetry-collector-contrib:0.103.0"},
@@ -43,8 +41,6 @@ func TestMain(m *testing.M) {
 
 	cluster = kube.NewKind("test-kind-cluster-restrict-local-node",
 		kube.KindConfig(testpath.Manifests+"/00-kind-multi-node.yml"),
-		kube.LocalImage("testserver:dev"),
-		kube.LocalImage("httppinger:dev"),
 		kube.LocalImage("obi:dev"),
 		kube.LocalImage("quay.io/prometheus/prometheus:v2.55.1"),
 		kube.LocalImage("otel/opentelemetry-collector-contrib:0.103.0"),

pkg/internal/ebpf/generictracer/generictracer.go

@@ -324,6 +324,10 @@ func (p *Tracer) KProbes() map[string]ebpfcommon.ProbeDesc {
 			Required: true,
 			Start:    p.bpfObjects.ObiKprobeInetCskListenStop,
 		},
+		"do_vfs_ioctl": {
+			Required: true,
+			Start:    p.bpfObjects.BeylaKprobeDoVfsIoctl,
+		},
 	}
 
 	if p.cfg.EBPF.ContextPropagation != config.ContextPropagationDisabled {