Open xxradar opened 4 years ago
Could you try the latest bcc trunk? The issue can be worked around by adding
#define bpf_probe_read_user bpf_probe_read
What is your kernel version?
$ uname -srm Linux 5.3.0-1023-aws x86_64
Also tried Linux 4.15.0-66-generic x86_64
Could you paste the rewriter output here for 5.3 and 4.15?
diff --git a/tools/sslsniff.py b/tools/sslsniff.py
index 8c027fe3..0fe742a5 100755
--- a/tools/sslsniff.py
+++ b/tools/sslsniff.py
@@ -129,7 +129,7 @@ if args.debug or args.ebpf:
exit()
-b = BPF(text=prog)
+b = BPF(text=prog, debug=4)
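Review bot: The literal `debug=4` on the added line is a magic number; bcc exposes this flag as `DEBUG_PREPROCESSOR`, so `b = BPF(text=prog, debug=DEBUG_PREPROCESSOR)` (assuming the name is imported from `bcc`) states what is being dumped. Going by the output pasted further down this thread, the flag prints the full clang command line and the rewritten program on every run, so it should stay a local diagnostic and not be kept in the tool.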
This will help check what the problem is.
I have the same problem on Debian 10 (4.19.0-13-cloud-amd64):
EDIT: fixed by adding --no-nss
as a command-line parameter
root@debian10-dev:/etc/postfix# sslsniff-bpfcc
Running from kernel directory at: /lib/modules/4.19.0-13-cloud-amd64/source
clang -cc1 -triple x86_64-unknown-linux-gnu -emit-llvm-bc -emit-llvm-uselists -disable-free -disable-llvm-verifier -discard-value-names -main-file-name main.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -coverage-notes-file /usr/src/linux-headers-4.19.0-13-common/main.gcno -nostdsysteminc -nobuiltininc -resource-dir lib/clang/7.0.1 -isystem /virtual/lib/clang/include -include ./include/linux/kconfig.h -include /virtual/include/bcc/bpf.h -include /virtual/include/bcc/helpers.h -isystem /virtual/include -I /etc/postfix -D __BPF_TRACING__ -I /lib/modules/4.19.0-13-cloud-amd64/build/arch/x86/include -I /lib/modules/4.19.0-13-cloud-amd64/build/arch/x86/include/generated/uapi -I /lib/modules/4.19.0-13-cloud-amd64/build/arch/x86/include/generated -I /lib/modules/4.19.0-13-cloud-amd64/build/include -I /lib/modules/4.19.0-13-cloud-amd64/build/./arch/x86/include/uapi -I /lib/modules/4.19.0-13-cloud-amd64/build/arch/x86/include/generated/uapi -I /lib/modules/4.19.0-13-cloud-amd64/build/include/uapi -I /lib/modules/4.19.0-13-cloud-amd64/build/include/generated -I /lib/modules/4.19.0-13-cloud-amd64/build/include/generated/uapi -I ./arch/x86/include -I arch/x86/include/generated/uapi -I arch/x86/include/generated -I include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi -I ./include/uapi -I include/generated/uapi -D __KERNEL__ -D __HAVE_BUILTIN_BSWAP16__ -D __HAVE_BUILTIN_BSWAP32__ -D __HAVE_BUILTIN_BSWAP64__ -O2 -Wno-deprecated-declarations -Wno-gnu-variable-sized-type-not-at-end -Wno-pragma-once-outside-header -Wno-address-of-packed-member -Wno-unknown-warning-option -Wno-unused-value -Wno-pointer-sign -fdebug-compilation-dir /usr/src/linux-headers-4.19.0-13-common -ferror-limit 19 -fmessage-length 478 -fobjc-runtime=gcc -fdiagnostics-show-option -vectorize-loops -vectorize-slp -o main.bc -x c /virtual/main.c 
-faddrsig
#if defined(BPF_LICENSE)
#error BPF_LICENSE cannot be specified through cflags
#endif
#if !defined(CONFIG_CC_STACKPROTECTOR)
#if defined(CONFIG_CC_STACKPROTECTOR_AUTO) \
|| defined(CONFIG_CC_STACKPROTECTOR_REGULAR) \
|| defined(CONFIG_CC_STACKPROTECTOR_STRONG)
#define CONFIG_CC_STACKPROTECTOR
#endif
#endif
#include <linux/ptrace.h>
#include <linux/sched.h> /* For TASK_COMM_LEN */
/*
 * Event record that each probe below fills in and hands to
 * bpf_perf_event_output().
 * NOTE(review): v0 carries bytes copied out of the traced process's
 * SSL_write/SSL_read buffer, presumably application plaintext given the
 * tool's purpose; treat every consumer and log of this stream as sensitive.
 */
struct probe_SSL_data_t {
u64 timestamp_ns; /* set from bpf_ktime_get_ns() */
u32 pid; /* low 32 bits of bpf_get_current_pid_tgid() */
char comm[TASK_COMM_LEN]; /* filled by bpf_get_current_comm() */
char v0[464]; /* fixed-size snapshot of the caller's buffer */
u32 len; /* length as reported by the call; the probes do not clamp it to sizeof(v0) */
};
/* Perf output table used for the write-side events. */
BPF_PERF_OUTPUT(perf_SSL_write);
/*
 * Probe for the write call: snapshots the caller's buffer and emits one
 * probe_SSL_data_t event.
 * Takes (ssl, buf, num) from the di/si/dx registers in ctx.
 * Always returns 0.
 */
__attribute__((section(".bpf.fn.probe_SSL_write")))
int probe_SSL_write(struct pt_regs *ctx) {
void *ssl = ctx->di; void *buf = ctx->si; int num = ctx->dx;
/* Assigning the helper's 64-bit result to a u32 keeps only its low 32 bits. */
u32 pid = bpf_get_current_pid_tgid();
/* Start from a zeroed record so fields not written below are not stack residue. */
struct probe_SSL_data_t __data = {0};
__data.timestamp_ns = bpf_ktime_get_ns();
__data.pid = pid;
/*
 * NOTE(review): num is a signed int supplied by the traced process and is
 * stored into a u32 without any bound, so len may exceed sizeof(v0) or wrap
 * to a large value if negative. The consumer must clamp it before slicing v0.
 */
__data.len = num;
bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
if ( buf != 0) {
/*
 * NOTE(review): always copies sizeof(v0) bytes regardless of num, so for
 * short writes the event also contains whatever follows the message in the
 * traced process's memory. The return value is not checked, so a failed read
 * cannot be told apart in the emitted event.
 */
bpf_probe_read(&__data.v0, sizeof(__data.v0), buf);
}
/* bpf_pseudo_fd(1, 3) is presumably the rewriter's handle for perf_SSL_write; confirm. */
bpf_perf_event_output(ctx, bpf_pseudo_fd(1, 3), CUR_CPU_IDENTIFIER, &__data, sizeof(__data));
return 0;
}
/* Perf output table used for the read-side events. */
BPF_PERF_OUTPUT(perf_SSL_read);
/* Hash table from the u32 pid value to the buffer address saved on read entry. */
BPF_HASH(bufs, u32, u64);
/*
 * Entry probe for the read call: records the caller's buffer pointer so that
 * probe_SSL_read_exit can read from it.
 * Always returns 0.
 */
__attribute__((section(".bpf.fn.probe_SSL_read_enter")))
int probe_SSL_read_enter(struct pt_regs *ctx) {
void *ssl = ctx->di; void *buf = ctx->si; int num = ctx->dx;
/* Low 32 bits of the helper's result; used as the map key here and in the exit probe. */
u32 pid = bpf_get_current_pid_tgid();
/*
 * Stores the pointer value itself, reinterpreted as a u64. BPF_ANY creates
 * the entry or overwrites an existing one for this key.
 * NOTE(review): the entry is only removed by probe_SSL_read_exit; if that
 * probe never fires for this key, the stale address stays in the map.
 * bpf_pseudo_fd(1, 5) is presumably the rewriter's handle for bufs; confirm.
 */
bpf_map_update_elem((void *)bpf_pseudo_fd(1, 5), &pid, (u64*)&buf, BPF_ANY);
return 0;
}
/*
 * Return probe for the read call: looks up the buffer address saved by
 * probe_SSL_read_enter, snapshots that buffer, emits one probe_SSL_data_t
 * event and removes the saved entry.
 * Returns 0 in all cases, including when no saved entry exists.
 */
__attribute__((section(".bpf.fn.probe_SSL_read_exit")))
int probe_SSL_read_exit(struct pt_regs *ctx) {
/* ssl, buf and num are not referenced again in this function; the saved pointer is used instead. */
void *ssl = ctx->di; void *buf = ctx->si; int num = ctx->dx;
u32 pid = bpf_get_current_pid_tgid();
u64 *bufp = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, 5), &pid);
/* No matching entry recorded on entry: nothing to report. */
if (bufp == 0) {
return 0;
}
struct probe_SSL_data_t __data = {0};
__data.timestamp_ns = bpf_ktime_get_ns();
__data.pid = pid;
/*
 * NOTE(review): the call's return value is stored into a u32 with no sign
 * check, so an error return (zero or negative) still produces an event, and
 * a negative value appears as a very large len. The consumer must validate
 * len and clamp it to sizeof(v0).
 */
__data.len = PT_REGS_RC(ctx);
bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
/* Always true here because of the early return above. */
if (bufp != 0) {
/*
 * NOTE(review): copies a fixed sizeof(v0) bytes regardless of how many bytes
 * the call returned, so the event can include buffer contents beyond the data
 * just read. The return value is not checked.
 */
bpf_probe_read(&__data.v0, sizeof(__data.v0), (char *)*bufp);
}
/* Drop the saved address so it is not reused by a later call with the same key. */
bpf_map_delete_elem((void *)bpf_pseudo_fd(1, 5), &pid);
/* bpf_pseudo_fd(1, 4) is presumably the rewriter's handle for perf_SSL_read; confirm. */
bpf_perf_event_output(ctx, bpf_pseudo_fd(1, 4), CUR_CPU_IDENTIFIER, &__data, sizeof(__data));
return 0;
}
#include <bcc/footer.h>
Traceback (most recent call last):
File "/usr/sbin/sslsniff-bpfcc", line 158, in <module>
pid=args.pid or -1)
File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 982, in attach_uprobe
(path, addr) = BPF._check_path_symbol(name, sym, addr, pid)
File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 727, in _check_path_symbol
raise Exception("could not determine address of symbol %s" % symname)
Exception: could not determine address of symbol PR_Write
Hi everyone,
I'm very interested in getting this working, but I'm hitting some errors. Is there any way I can proceed?