vivarium 0.3.0 → 0.3.2

data/lib/vivarium.rb

@@ -2,6 +2,7 @@
 
 require "fiddle"
 require "fileutils"
+require "net/http"
 require "optparse"
 require "pathname"
 require "rbbcc"
@@ -23,13 +24,45 @@ module Vivarium
   EVENT_TS_SIZE = 8
   PROC_EXEC_SLOT_SIZE = 64
   PROC_EXEC_SLOT_COUNT = 4
-  EVENT_STRUCT_SIZE = 288
+  EVENT_STRUCT_SIZE = 296
   EVENT_TS_OFFSET = 0
   EVENT_PID_OFFSET = 8
   EVENT_TID_OFFSET = 12
   EVENT_NAME_OFFSET = 16
   EVENT_PAYLOAD_OFFSET = 32
+  EVENT_DROPPED_OFFSET = 288
   EVENTS_RINGBUF_PAGES = 256
+
+  SSL_WRITE_PAYLOAD_DATA_LEN_OFFSET = 0
+  SSL_WRITE_PAYLOAD_CAP_LEN_OFFSET = 4
+  SSL_WRITE_PAYLOAD_DATA_OFFSET = 8
+  SSL_WRITE_PAYLOAD_DATA_MAX = EVENT_PAYLOAD_SIZE - SSL_WRITE_PAYLOAD_DATA_OFFSET
+
+  LIBSSL_SEARCH_PATHS = [
+    "/lib/x86_64-linux-gnu/libssl.so.3",
+    "/lib/x86_64-linux-gnu/libssl.so.1.1",
+    "/lib/aarch64-linux-gnu/libssl.so.3",
+    "/lib/aarch64-linux-gnu/libssl.so.1.1",
+    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
+    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
+    "/usr/lib/aarch64-linux-gnu/libssl.so.3",
+    "/usr/lib/aarch64-linux-gnu/libssl.so.1.1",
+    "/usr/lib64/libssl.so.3",
+    "/usr/lib64/libssl.so.1.1",
+    "/usr/lib/libssl.so.3",
+    "/usr/lib/libssl.so.1.1"
+  ].freeze
+
+  LIBC_SEARCH_PATHS = [
+    "/lib/x86_64-linux-gnu/libc.so.6",
+    "/lib/aarch64-linux-gnu/libc.so.6",
+    "/usr/lib/x86_64-linux-gnu/libc.so.6",
+    "/usr/lib/aarch64-linux-gnu/libc.so.6",
+    "/lib64/libc.so.6",
+    "/usr/lib64/libc.so.6",
+    "/lib/libc.so.6",
+  ].freeze
+
   SPAN_ALLOWCLASSES = [
     Socket,
     BasicSocket,
@@ -43,6 +76,7 @@ module Vivarium
     Process,
     Process::UID,
     Process::GID,
+    Net::HTTP,
   ]
   SPAN_ALLOWLIST = [
     "Kernel#system",
@@ -56,6 +90,7 @@ module Vivarium
   EVENT_SEVERITY_HIGH = %w[
     capable_check bprm_creds setid_change task_kill
     ptrace_check sb_mount kernel_read_file
+    dlopen
   ].freeze
 
   CAPABILITY_NAMES = {
@@ -342,6 +377,17 @@ module Vivarium
     result
   end
 
+  def self.decode_ssl_write_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return { data_len: 0, cap_len: 0, data: "".b } if bytes.bytesize < SSL_WRITE_PAYLOAD_DATA_OFFSET
+
+    data_len = bytes[SSL_WRITE_PAYLOAD_DATA_LEN_OFFSET, 4].unpack1("L<")
+    cap_len = bytes[SSL_WRITE_PAYLOAD_CAP_LEN_OFFSET, 4].unpack1("L<")
+    cap_len = SSL_WRITE_PAYLOAD_DATA_MAX if cap_len > SSL_WRITE_PAYLOAD_DATA_MAX
+    data = bytes[SSL_WRITE_PAYLOAD_DATA_OFFSET, cap_len] || "".b
+    { data_len: data_len, cap_len: cap_len, data: data }
+  end
+
   def self.decode_span_raise_payload(raw_payload)
     bytes = raw_payload.to_s.b
     return "" if bytes.bytesize < 8
@@ -426,6 +472,11 @@ module Vivarium
     when "file_getdents"
       decoded = decode_file_getdents_payload(event.payload)
       decoded.empty? ? event.payload.inspect : decoded
+    when "ssl_write"
+      decoded = decode_ssl_write_payload(event.payload)
+      "data_len=#{decoded[:data_len]} cap_len=#{decoded[:cap_len]}"
+    when "dlopen", "mmap_exec"
+      strip_to_first_null(event.payload).inspect
     else
       strip_to_first_null(event.payload).inspect
     end
@@ -582,12 +633,14 @@ module Vivarium
         u32 tid;
         char event_name[16];
         char payload[#{EVENT_PAYLOAD_SIZE}];
+        u64 dropped_since_last;
       };
 
       BPF_HASH(config_root_targets, u32, u8, 1024);
       BPF_HASH(config_spawned_targets, u32, u8, 8192);
       BPF_HASH(dns_connected_tids, u32, u8, 8192);
       BPF_RINGBUF_OUTPUT(events, #{EVENTS_RINGBUF_PAGES});
+      BPF_ARRAY(drop_counter, u64, 1);
 
       static __always_inline int target_enabled(u32 pid, u32 tid)
       {
@@ -629,14 +682,27 @@ module Vivarium
 
       static __always_inline void submit_event(struct event_t *src)
       {
+        u32 key = 0;
+        u64 *cnt;
+
         struct event_t *ev = events.ringbuf_reserve(sizeof(struct event_t));
         if (!ev) {
+          cnt = drop_counter.lookup(&key);
+          if (cnt) {
+            __sync_fetch_and_add(cnt, 1);
+          }
           return;
         }
 
         __builtin_memcpy(ev, src, sizeof(*ev));
         ev->ktime_ns = bpf_ktime_get_ns();
         ev->tid = (u32)bpf_get_current_pid_tgid();
+        ev->dropped_since_last = 0;
+
+        cnt = drop_counter.lookup(&key);
+        if (cnt && *cnt > 0) {
+          ev->dropped_since_last = __sync_lock_test_and_set(cnt, 0);
+        }
 
         events.ringbuf_submit(ev, 0);
       }
@@ -770,6 +836,39 @@ module Vivarium
         return 0;
       }
 
+      LSM_PROBE(mmap_file, struct file *file, unsigned long reqprot,
+                unsigned long prot, unsigned long flags)
+      {
+        if (!file) {
+          return 0;
+        }
+        if (!((prot | reqprot) & 0x04)) {   /* PROT_EXEC */
+          return 0;
+        }
+
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        int path_ret;
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "mmap_exec", 10);
+
+        path_ret = bpf_d_path(&file->f_path, ev.payload, sizeof(ev.payload));
+        if (path_ret < 0) {
+          if (ev.payload[0] == 0) {
+            __builtin_memcpy(ev.payload, "<path_error>", 13);
+          }
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
       LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1339,6 +1438,68 @@ module Vivarium
         return 0;
       }
 
+      int on_ssl_write(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        const char *buf = (const char *)PT_REGS_PARM2(ctx);
+        int num = (int)PT_REGS_PARM3(ctx);
+        if (!buf || num <= 0) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "ssl_write", 10);
+
+        u32 data_len = (u32)num;
+        u32 cap = data_len;
+        if (cap > #{SSL_WRITE_PAYLOAD_DATA_MAX}) {
+          cap = #{SSL_WRITE_PAYLOAD_DATA_MAX};
+        }
+        __builtin_memcpy(&ev.payload[#{SSL_WRITE_PAYLOAD_DATA_LEN_OFFSET}], &data_len, sizeof(data_len));
+        __builtin_memcpy(&ev.payload[#{SSL_WRITE_PAYLOAD_CAP_LEN_OFFSET}], &cap, sizeof(cap));
+        if (bpf_probe_read_user(&ev.payload[#{SSL_WRITE_PAYLOAD_DATA_OFFSET}], cap, buf) < 0) {
+          u32 zero = 0;
+          __builtin_memcpy(&ev.payload[#{SSL_WRITE_PAYLOAD_CAP_LEN_OFFSET}], &zero, sizeof(zero));
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
+      int on_dlopen(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        const char *filename = (const char *)PT_REGS_PARM1(ctx);
+        if (!filename) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "dlopen", 7);
+
+        if (bpf_probe_read_user_str(ev.payload, sizeof(ev.payload), filename) < 0) {
+          __builtin_memcpy(ev.payload, "<path_error>", 13);
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
       int on_span_raise(struct pt_regs *ctx)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1370,8 +1531,13 @@ module Vivarium
       }
     CLANG
 
-    def initialize(pin_dir: Vivarium.bpf_pin_dir)
-      @pin_dir = pin_dir
+    def initialize(pin_dir: Vivarium.bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                   dlopen_trace: true, libc_path: nil)
+      @pin_dir      = pin_dir
+      @ssl_trace    = ssl_trace
+      @libssl_path  = libssl_path
+      @dlopen_trace = dlopen_trace
+      @libc_path    = libc_path
     end
 
     def run
@@ -1384,6 +1550,7 @@ module Vivarium
         .gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
         .gsub("__VIVARIUM_DENTRY_D_NAME_OFFSET__", d_name_offset.to_s)
 
+      require "vivarium_usdt"
       usdt_so_path = ENV.fetch("VIVARIUM_USDT_SO_PATH") { Vivarium.locate_vivarium_usdt_so }
       usdt = RbBCC::USDT.new(path: usdt_so_path)
       usdt.enable_probe(probe: "start_probe", fn_name: "on_span_start")
@@ -1392,6 +1559,9 @@ module Vivarium
 
       bpf = RbBCC::BCC.new(text: program, usdt_contexts: [usdt])
 
+      attach_ssl_write_uprobe(bpf) if @ssl_trace
+      attach_dlopen_uprobe(bpf) if @dlopen_trace
+
       config_root_targets = bpf["config_root_targets"]
       config_spawned_targets = bpf["config_spawned_targets"]
       events_ringbuf = bpf["events"]
@@ -1416,6 +1586,72 @@ module Vivarium
 
     private
 
+    def attach_ssl_write_uprobe(bpf)
+      path = resolve_libssl_path
+      unless path
+        warn "[vivariumd] libssl not found; SSL_write uprobe disabled " \
+             "(set --libssl PATH or VIVARIUM_LIBSSL_PATH to override)"
+        return
+      end
+
+      bpf.attach_uprobe(name: path, sym: "SSL_write", fn_name: "on_ssl_write")
+      puts "[vivariumd] SSL_write uprobe attached via #{path}"
+    rescue StandardError => e
+      warn "[vivariumd] SSL_write uprobe attach failed: #{e.class}: #{e.message}"
+    end
+
+    def resolve_libssl_path
+      if @libssl_path
+        return @libssl_path if File.exist?(@libssl_path)
+
+        warn "[vivariumd] --libssl path does not exist: #{@libssl_path}"
+        return nil
+      end
+
+      env_path = ENV["VIVARIUM_LIBSSL_PATH"]
+      if env_path && !env_path.empty?
+        return env_path if File.exist?(env_path)
+
+        warn "[vivariumd] VIVARIUM_LIBSSL_PATH does not exist: #{env_path}"
+        return nil
+      end
+
+      LIBSSL_SEARCH_PATHS.find { |p| File.exist?(p) }
+    end
+
+    def attach_dlopen_uprobe(bpf)
+      path = resolve_libc_path
+      unless path
+        warn "[vivariumd] libc not found; dlopen uprobe disabled " \
+             "(set --libc PATH or VIVARIUM_LIBC_PATH to override)"
+        return
+      end
+
+      bpf.attach_uprobe(name: path, sym: "dlopen", fn_name: "on_dlopen")
+      puts "[vivariumd] dlopen uprobe attached via #{path}"
+    rescue StandardError => e
+      warn "[vivariumd] dlopen uprobe attach failed: #{e.class}: #{e.message}"
+    end
+
+    def resolve_libc_path
+      if @libc_path
+        return @libc_path if File.exist?(@libc_path)
+
+        warn "[vivariumd] --libc path does not exist: #{@libc_path}"
+        return nil
+      end
+
+      env_path = ENV["VIVARIUM_LIBC_PATH"]
+      if env_path && !env_path.empty?
+        return env_path if File.exist?(env_path)
+
+        warn "[vivariumd] VIVARIUM_LIBC_PATH does not exist: #{env_path}"
+        return nil
+      end
+
+      LIBC_SEARCH_PATHS.find { |p| File.exist?(p) }
+    end
+
     def ensure_root!
       return if Process.uid.zero?
 
@@ -1557,13 +1793,13 @@ module Vivarium
     end
   end
 
-  def self.observe(pin_dir: bpf_pin_dir, dest: $stdout, &block)
-    return scoped_observe(pin_dir: pin_dir, dest: dest, &block) if block_given?
+  def self.observe(pin_dir: bpf_pin_dir, dest: $stdout, filter: nil, &block)
+    return scoped_observe(pin_dir: pin_dir, dest: dest, filter: filter, &block) if block_given?
 
-    top_observe(pin_dir: pin_dir, dest: dest)
+    top_observe(pin_dir: pin_dir, dest: dest, filter: filter)
   end
 
-  def self.top_observe(pin_dir: bpf_pin_dir, dest: $stdout)
+  def self.top_observe(pin_dir: bpf_pin_dir, dest: $stdout, filter: nil)
     require "vivarium_usdt"
 
     store = MapStore.new(pin_dir: pin_dir)
@@ -1578,6 +1814,7 @@ module Vivarium
       observer_pid: pid,
       main_tid: main_tid,
       method_id_queue: method_id_queue,
+      filter: filter,
       dest: dest
     )
     correlator.start
@@ -1592,7 +1829,7 @@ module Vivarium
     session
   end
 
-  def self.scoped_observe(pin_dir:, dest:)
+  def self.scoped_observe(pin_dir:, dest:, filter: nil)
     require "vivarium_usdt"
 
     store = MapStore.new(pin_dir: pin_dir)
@@ -1607,6 +1844,7 @@ module Vivarium
       observer_pid: pid,
       main_tid: main_tid,
       method_id_queue: method_id_queue,
+      filter: filter,
       dest: dest
     )
     correlator.start
@@ -1626,6 +1864,11 @@ module Vivarium
     allowlist = SPAN_ALLOWLIST
     TracePoint.new(:call, :c_call, :return, :c_return, :raise) do |tp|
       if tp.event == :raise
+        # FIXME: handle threaded events in the future
+        if tp.raised_exception.kind_of?(ThreadError)
+          next
+        end
+
         Vivarium::Usdt.raise(
           tp.raised_exception.class.to_s,
           tp.raised_exception.message.to_s,
@@ -1677,15 +1920,36 @@ module Vivarium
   end
 
   def self.run_daemon!(argv = ARGV)
-    options = { pin_dir: bpf_pin_dir }
+    options = { pin_dir: bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                dlopen_trace: true, libc_path: nil }
     OptionParser.new do |opts|
-      opts.banner = "Usage: vivariumd [--pin-dir PATH]"
+      opts.banner = "Usage: vivariumd [--pin-dir PATH] [--no-ssl-trace] [--libssl PATH] " \
+                    "[--no-dlopen-trace] [--libc PATH]"
       opts.on("--pin-dir PATH", "Pinned map directory") { |v| options[:pin_dir] = v }
+      opts.on("--[no-]ssl-trace", "Attach OpenSSL SSL_write uprobe (default: enabled)") do |v|
+        options[:ssl_trace] = v
+      end
+      opts.on("--libssl PATH", "Path to libssl.so to attach SSL_write to") do |v|
+        options[:libssl_path] = v
+      end
+      opts.on("--[no-]dlopen-trace", "Attach libc dlopen uprobe (default: enabled)") do |v|
+        options[:dlopen_trace] = v
+      end
+      opts.on("--libc PATH", "Path to libc.so for dlopen uprobe") do |v|
+        options[:libc_path] = v
+      end
     end.parse!(argv)
 
-    Daemon.new(pin_dir: options[:pin_dir]).run
+    Daemon.new(
+      pin_dir: options[:pin_dir],
+      ssl_trace: options[:ssl_trace],
+      libssl_path: options[:libssl_path],
+      dlopen_trace: options[:dlopen_trace],
+      libc_path: options[:libc_path]
+    ).run
   end
 end
 
 require_relative "vivarium/correlator"
+require_relative "vivarium/display_filter"
 require_relative "vivarium/tree_renderer"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vivarium
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.2
 platform: ruby
 authors:
 - Uchio Kondo
@@ -64,12 +64,15 @@ files:
 - CONTEXT.md
 - README.md
 - Rakefile
+- examples/dlopen_demo.rb
+- examples/drop_demo.rb
 - examples/execve_demo.rb
 - examples/file_operation_demo.rb
 - examples/network_client_demo.rb
 - examples/privilege_event_demo.rb
 - examples/raise_demo.rb
 - examples/signal_kill_demo.rb
+- examples/ssl_write_demo.rb
 - examples/sudo_attempt_demo.rb
 - exe/vivarium
 - exe/vivariumd
@@ -77,6 +80,8 @@ files:
 - lib/vivarium.rb
 - lib/vivarium/cli.rb
 - lib/vivarium/correlator.rb
+- lib/vivarium/display_filter.rb
+- lib/vivarium/http_decoder.rb
 - lib/vivarium/tree_renderer.rb
 - lib/vivarium/version.rb
 - logo-simple.png