1

正如演示文稿Security Monitoring with eBPF中所建议的那样,我正在尝试连接security_socket_connect

虽然我的基于gobpf / bcc的代码部分有效,但我似乎无法读取sockaddr结构中的 IP 地址。

相关部分如下所示:

int security_socket_connect_entry(struct pt_regs *ctx, struct socket *sock, struct sockaddr *address, int addrlen)
{    
    u32 address_family = address->sa_family;
    if (address_family == AF_INET) {
        struct ipv4_data_t data4 = {.pid = pid};

        struct sockaddr_in *addr2 = (struct sockaddr_in *)address;

之后,我尝试读取 addr2 中的 IP 地址。第一次尝试是:

data4.daddr = addr2->sin_addr.s_addr;

第二次尝试是bpf_probe_read

bpf_probe_read(&data4.daddr, sizeof(data4.daddr), (void *)((long)addr2->sin_addr.s_addr));

两个选项都出现相同的错误:

R9 invalid mem access 'inv'

HINT: The invalid mem access 'inv' error can happen if you try to dereference memory without first using bpf_probe_read() to copy it to the BPF stack. Sometimes the bpf_probe_read is automatic by the bcc rewriter, other times you'll need to be explicit.

可以在此处找到带有可构建示例的 repo:socket-connect-bpf

4

1 回答 1

2

感谢bcc repo中对 issue #1858的回答,我明白了这一点。

我们必须对指针进行操作,所以 IP 地址可以这样读取:

bpf_probe_read(&data4.daddr, sizeof(data4.daddr), &addr2->sin_addr.s_addr);
于 2019-06-11T16:44:14.857 回答