diff --git a/pkg/network/ebpf/c/protocols/flush.h b/pkg/network/ebpf/c/protocols/flush.h index cf040a66dc83f5..484143fd43ee67 100644 --- a/pkg/network/ebpf/c/protocols/flush.h +++ b/pkg/network/ebpf/c/protocols/flush.h @@ -8,6 +8,7 @@ #include "protocols/kafka/kafka-parsing.h" #include "protocols/postgres/decoding.h" #include "protocols/redis/decoding.h" +#include "protocols/tls/native-tls-maps.h" // flush all batched events to userspace for all protocols. // because perf events can't be sent from socket filter programs. @@ -28,4 +29,15 @@ int tracepoint__net__netif_receive_skb(void *ctx) { return 0; } +SEC("tracepoint/sched/sched_process_exit") +int tracepoint__sched__sched_process_exit(void *ctx) { + CHECK_BPF_PROGRAM_BYPASSED() + u64 pid_tgid = bpf_get_current_pid_tgid(); + + bpf_map_delete_elem(&ssl_read_args, &pid_tgid); + bpf_map_delete_elem(&ssl_read_ex_args, &pid_tgid); + + return 0; +} + #endif diff --git a/pkg/network/protocols/http/types.go b/pkg/network/protocols/http/types.go index 3f0eb5c9639377..21bf1e91e8010f 100644 --- a/pkg/network/protocols/http/types.go +++ b/pkg/network/protocols/http/types.go @@ -17,6 +17,7 @@ import "C" type ConnTuple = C.conn_tuple_t type SslSock C.ssl_sock_t type SslReadArgs C.ssl_read_args_t +type SslReadExArgs C.ssl_read_ex_args_t type EbpfEvent C.http_event_t type EbpfTx C.http_transaction_t diff --git a/pkg/network/protocols/http/types_linux.go b/pkg/network/protocols/http/types_linux.go index e4b3a976234573..a227e08a2717bd 100644 --- a/pkg/network/protocols/http/types_linux.go +++ b/pkg/network/protocols/http/types_linux.go @@ -23,6 +23,11 @@ type SslReadArgs struct { Ctx *byte Buf *byte } +type SslReadExArgs struct { + Ctx *byte + Buf *byte + Out_param *uint64 +} type EbpfEvent struct { Tuple ConnTuple diff --git a/pkg/network/usm/ebpf_main.go b/pkg/network/usm/ebpf_main.go index e44ae89e8868ac..26396a70f7568c 100644 --- a/pkg/network/usm/ebpf_main.go +++ b/pkg/network/usm/ebpf_main.go @@ -126,6 +126,12 @@ func newEBPFProgram(c *config.Config, connectionProtocolMap *ebpf.Map) (*ebpfPro UID: probeUID, }, }, + { + ProbeIdentificationPair: manager.ProbeIdentificationPair{ + EBPFFuncName: "tracepoint__sched__sched_process_exit", + UID: probeUID, + }, + }, }, } diff --git a/pkg/network/usm/ebpf_ssl.go b/pkg/network/usm/ebpf_ssl.go index 4a7800de41d4b2..a849d399ad48cf 100644 --- a/pkg/network/usm/ebpf_ssl.go +++ b/pkg/network/usm/ebpf_ssl.go @@ -534,9 +534,27 @@ func (o *sslProgram) DumpMaps(w io.Writer, mapName string, currentMap *ebpf.Map) io.WriteString(w, "Map: '"+mapName+"', key: 'C.__u64', value: 'C.ssl_read_args_t'\n") iter := currentMap.Iterate() var key uint64 - var value http.SslReadArgs - for iter.Next(unsafe.Pointer(&key), unsafe.Pointer(&value)) { - spew.Fdump(w, key, value) + // The wrapper array prevents access to pointer contents, as pointers are invalid in user mode. + a := [2]unsafe.Pointer{ + unsafe.Pointer(http.SslReadArgs{}.Ctx), + unsafe.Pointer(http.SslReadArgs{}.Buf), + } + for iter.Next(unsafe.Pointer(&key), unsafe.Pointer(&a)) { + spew.Fdump(w, key, a) + } + + case "ssl_read_ex_args": // maps/ssl_read_args (BPF_MAP_TYPE_HASH), key C.__u64, value C.ssl_read_args_t + io.WriteString(w, "Map: '"+mapName+"', key: 'C.__u64', value: 'C.ssl_read_ex_args_t'\n") + iter := currentMap.Iterate() + var key uint64 + // The wrapper array prevents access to pointer contents, as pointers are invalid in user mode. + a := [3]unsafe.Pointer{ + unsafe.Pointer(http.SslReadExArgs{}.Ctx), + unsafe.Pointer(http.SslReadExArgs{}.Buf), + unsafe.Pointer(http.SslReadExArgs{}.Out_param), + } + for iter.Next(unsafe.Pointer(&key), unsafe.Pointer(&a)) { + spew.Fdump(w, key, a) } case "bio_new_socket_args": // maps/bio_new_socket_args (BPF_MAP_TYPE_HASH), key C.__u64, value C.__u32