allow to configure ebpf modules path

Now it's possible to configure eBPF modules path from the
default-config.json file:
 "Ebpf": {
   "ModulesPath": "..."
 }

If the option is not provided, or if it's empty, we'll keep loading from
the default directories:

 - /usr/local/lib/opensnitchd/ebpf
 - /usr/lib/opensnitchd/ebpf
 - /etc/opensnitchd/ebpf (deprecated, will be removed in the future).

Closes #928

(cherry picked from commit ffb7668)

Author: gustavo-iniguez-goya

daemon/core/ebpf.go

@@ -7,9 +7,9 @@ import (
 	"github.com/iovisor/gobpf/elf"
 )
 
-// LoadEbpfModule loads the given eBPF module
-// It'll try to load from several paths.
-func LoadEbpfModule(module string) (m *elf.Module, err error) {
+// LoadEbpfModule loads the given eBPF module, from the given path if specified.
+// Otherwise t'll try to load the module from several default paths.
+func LoadEbpfModule(module, path string) (m *elf.Module, err error) {
 	var (
 		modulesDir = "/opensnitchd/ebpf"
 		paths      = []string{
@@ -18,6 +18,12 @@ func LoadEbpfModule(module string) (m *elf.Module, err error) {
 			fmt.Sprint("/etc/opensnitchd"), // Deprecated: will be removed in future versions.
 		}
 	)
+
+	// if path has been specified, try to load the module from there.
+	if path != "" {
+		paths = []string{path}
+	}
+
 	modulePath := ""
 	moduleError := fmt.Errorf(`Module not found (%s) in any of the paths.
 You may need to install the corresponding package`, module)

daemon/dns/ebpfhook.go

@@ -93,8 +93,8 @@ func lookupSymbol(elffile *elf.File, symbolName string) (uint64, error) {
 }
 
 // ListenerEbpf starts listening for DNS events.
-func ListenerEbpf() error {
-	m, err := core.LoadEbpfModule("opensnitch-dns.o")
+func ListenerEbpf(ebpfModPath string) error {
+	m, err := core.LoadEbpfModule("opensnitch-dns.o", ebpfModPath)
 	if err != nil {
 		log.Error("[eBPF DNS]: %s", err)
 		return err

daemon/main.go

@@ -63,6 +63,7 @@ var (
 	logMicro          = false
 	rulesPath         = "/etc/opensnitchd/rules/"
 	configFile        = "/etc/opensnitchd/default-config.json"
+	ebpfModPath       = "" // /usr/lib/opensnitchd/ebpf
 	noLiveReload      = false
 	queueNum          = 0
 	repeatQueueNum    int //will be set later to queueNum + 1
@@ -99,12 +100,13 @@ func init() {
 
 	flag.StringVar(&procmonMethod, "process-monitor-method", procmonMethod, "How to search for processes path. Options: ftrace, audit (experimental), ebpf (experimental), proc (default)")
 	flag.StringVar(&uiSocket, "ui-socket", uiSocket, "Path the UI gRPC service listener (https://github.com/grpc/grpc/blob/master/doc/naming.md).")
-	flag.StringVar(&rulesPath, "rules-path", rulesPath, "Path to load JSON rules from.")
 	flag.IntVar(&queueNum, "queue-num", queueNum, "Netfilter queue number.")
 	flag.IntVar(&workers, "workers", workers, "Number of concurrent workers.")
 	flag.BoolVar(&noLiveReload, "no-live-reload", debug, "Disable rules live reloading.")
 
+	flag.StringVar(&rulesPath, "rules-path", rulesPath, "Path to load JSON rules from.")
 	flag.StringVar(&configFile, "config-file", configFile, "Path to the daemon configuration file.")
+	//flag.StringVar(&ebpfModPath, "ebpf-modules-path", ebpfModPath, "Path to the directory with the eBPF modules.")
 	flag.StringVar(&logFile, "log-file", logFile, "Write logs to this file instead of the standard output.")
 	flag.BoolVar(&logUTC, "log-utc", logUTC, "Write logs output with UTC timezone (enabled by default).")
 	flag.BoolVar(&logMicro, "log-micro", logMicro, "Write logs output with microsecond timestamp (disabled by default).")
@@ -571,15 +573,15 @@ func main() {
 	// overwrite monitor method from configuration if the user has passed
 	// the option via command line.
 	if procmonMethod != "" {
-		if err := monitor.ReconfigureMonitorMethod(procmonMethod); err != nil {
+		if err := monitor.ReconfigureMonitorMethod(procmonMethod, cfg.Ebpf.ModulesPath); err != nil {
 			msg := fmt.Sprintf("Unable to set process monitor method via parameter: %v", err)
 			uiClient.SendWarningAlert(msg)
 			log.Warning(msg)
 		}
 	}
 
-	go func(uiClient *ui.Client) {
-		if err := dns.ListenerEbpf(); err != nil {
+	go func(uiClient *ui.Client, ebpfPath string) {
+		if err := dns.ListenerEbpf(ebpfPath); err != nil {
 			msg := fmt.Sprintf("EBPF-DNS: Unable to attach ebpf listener: %s", err)
 			log.Warning(msg)
 			// don't display an alert, since this module is not critical
@@ -591,7 +593,7 @@ func main() {
 				msg)
 
 		}
-	}(uiClient)
+	}(uiClient, ebpfModPath)
 
 	initSystemdResolvedMonitor()
 

daemon/procmon/ebpf/ebpf.go

@@ -38,11 +38,26 @@ type alreadyEstablishedConns struct {
 	sync.RWMutex
 }
 
+// list of returned errors
+const (
+	NoError = iota
+	NotAvailable
+	EventsNotAvailable
+)
+
+// Error returns the error type and a message with the explanation
+type Error struct {
+	What int // 1 global error, 2 events error, 3 ...
+	Msg  error
+}
+
 var (
-	m, perfMod *elf.Module
-	lock       = sync.RWMutex{}
-	mapSize    = uint(12000)
-	ebpfMaps   map[string]*ebpfMapsForProto
+	m, perfMod  *elf.Module
+	lock        = sync.RWMutex{}
+	mapSize     = uint(12000)
+	ebpfMaps    map[string]*ebpfMapsForProto
+	modulesPath string
+
 	//connections which were established at the time when opensnitch started
 	alreadyEstablished = alreadyEstablishedConns{
 		TCP:   make(map[*daemonNetlink.Socket]int),
@@ -62,18 +77,24 @@ var (
 )
 
 //Start installs ebpf kprobes
-func Start() error {
+func Start(modPath string) *Error {
+	modulesPath = modPath
+
 	setRunning(false)
 	if err := mountDebugFS(); err != nil {
 		log.Error("ebpf.Start -> mount debugfs error. Report on github please: %s", err)
-		return err
+		return &Error{
+			NotAvailable,
+			fmt.Errorf("ebpf.Start: mount debugfs error. Report on github please: %s", err),
+		}
+
 	}
 	var err error
-	m, err = core.LoadEbpfModule("opensnitch.o")
+	m, err = core.LoadEbpfModule("opensnitch.o", modulesPath)
 	if err != nil {
 		log.Error("%s", err)
 		dispatchErrorEvent(fmt.Sprint("[eBPF]: ", err.Error()))
-		return err
+		return &Error{NotAvailable, fmt.Errorf("[eBPF] Error loading opensnitch.o: %s", err.Error())}
 	}
 	m.EnableOptionCompatProbe()
 
@@ -83,12 +104,10 @@ func Start() error {
 	if err := m.EnableKprobes(0); err != nil {
 		m.Close()
 		if err := m.Load(nil); err != nil {
-			log.Error("eBPF failed to load /etc/opensnitchd/opensnitch.o (2): %v", err)
-			return err
+			return &Error{NotAvailable, fmt.Errorf("eBPF failed to load /etc/opensnitchd/opensnitch.o (2): %v", err)}
 		}
 		if err := m.EnableKprobes(0); err != nil {
-			log.Error("eBPF error when enabling kprobes: %v", err)
-			return err
+			return &Error{NotAvailable, fmt.Errorf("eBPF error when enabling kprobes: %v", err)}
 		}
 	}
 	determineHostByteOrder()
@@ -105,7 +124,7 @@ func Start() error {
 	}
 	for prot, mfp := range ebpfMaps {
 		if mfp.bpfmap == nil {
-			return fmt.Errorf("eBPF module opensnitch.o malformed, bpfmap[%s] nil", prot)
+			return &Error{NotAvailable, fmt.Errorf("eBPF module opensnitch.o malformed, bpfmap[%s] nil", prot)}
 		}
 	}
 

daemon/procmon/ebpf/events.go

@@ -75,7 +75,7 @@ func initEventsStreamer() {
 	elfOpts := make(map[string]elf.SectionParams)
 	elfOpts["maps/"+perfMapName] = elf.SectionParams{PerfRingBufferPageCount: ringBuffSize}
 	var err error
-	perfMod, err = core.LoadEbpfModule("opensnitch-procs.o")
+	perfMod, err = core.LoadEbpfModule("opensnitch-procs.o", modulesPath)
 	if err != nil {
 		dispatchErrorEvent(fmt.Sprint("[eBPF events]: ", err))
 		return

daemon/procmon/monitor/init.go

@@ -1,8 +1,6 @@
 package monitor
 
 import (
-	"net"
-
 	"github.com/evilsocket/opensnitch/daemon/log"
 	"github.com/evilsocket/opensnitch/daemon/procmon"
 	"github.com/evilsocket/opensnitch/daemon/procmon/audit"
@@ -13,20 +11,39 @@ var (
 	cacheMonitorsRunning = false
 )
 
-// ReconfigureMonitorMethod configures a new method for parsing connections.
-func ReconfigureMonitorMethod(newMonitorMethod string) error {
+// List of errors that this package may return.
+const (
+	NoError = iota
+	ProcFsErr
+	AuditdErr
+	EbpfErr
+	EbpfEventsErr
+)
 
+// Error wraps the type of error with its message
+type Error struct {
+	What int
+	Msg  error
+}
+
+// ReconfigureMonitorMethod configures a new method for parsing connections.
+func ReconfigureMonitorMethod(newMonitorMethod, ebpfModulesPath string) *Error {
 	if procmon.GetMonitorMethod() == newMonitorMethod {
 		return nil
 	}
 
 	oldMethod := procmon.GetMonitorMethod()
+	if oldMethod == "" {
+		oldMethod = procmon.MethodProc
+	}
 	End()
 	procmon.SetMonitorMethod(newMonitorMethod)
 	// if the new monitor method fails to start, rollback the change and exit
 	// without saving the configuration. Otherwise we can end up with the wrong
 	// monitor method configured and saved to file.
-	if err := Init(); err != nil {
+	err := Init(ebpfModulesPath)
+	if err.What > NoError {
+		log.Error("Reconf() -> Init() error: %v", err)
 		procmon.SetMonitorMethod(oldMethod)
 		return err
 	}
@@ -44,36 +61,52 @@ func End() {
 }
 
 // Init starts parsing connections using the method specified.
-func Init() (err error) {
+func Init(ebpfModulesPath string) (errm *Error) {
+	errm = &Error{}
+
 	if cacheMonitorsRunning == false {
 		go procmon.MonitorActivePids()
 		go procmon.CacheCleanerTask()
 		cacheMonitorsRunning = true
 	}
 
 	if procmon.MethodIsEbpf() {
-		err = ebpf.Start()
+		err := ebpf.Start(ebpfModulesPath)
 		if err == nil {
 			log.Info("Process monitor method ebpf")
-			return nil
+			return errm
 		}
+		// ebpf main module loaded, we can use ebpf
+
+		// XXX: this will have to be rewritten when we'll have more events (bind, listen, etc)
+		if err.What == ebpf.EventsNotAvailable {
+			log.Info("Process monitor method ebpf")
+			log.Warning("opensnitch-procs.o not available: %s", err.Msg)
+
+			return errm
+		}
+
 		// we need to stop this method even if it has failed to start, in order to clean up the kprobes
 		// It helps with the error "cannot write...kprobe_events: file exists".
 		ebpf.Stop()
+		errm.What = err.What
+		errm.Msg = err.Msg
 		log.Warning("error starting ebpf monitor method: %v", err)
+
 	} else if procmon.MethodIsAudit() {
-		var auditConn net.Conn
-		auditConn, err = audit.Start()
+		auditConn, err := audit.Start()
 		if err == nil {
 			log.Info("Process monitor method audit")
 			go audit.Reader(auditConn, (chan<- audit.Event)(audit.EventChan))
-			return nil
+			return &Error{AuditdErr, err}
 		}
+		errm.What = AuditdErr
+		errm.Msg = err
 		log.Warning("error starting audit monitor method: %v", err)
 	}
 
 	// if any of the above methods have failed, fallback to proc
 	log.Info("Process monitor method /proc")
 	procmon.SetMonitorMethod(procmon.MethodProc)
-	return err
+	return errm
 }

daemon/ui/config/config.go

@@ -13,52 +13,59 @@ import (
 	"github.com/evilsocket/opensnitch/daemon/statistics"
 )
 
-type serverTLSOptions struct {
-	CACert     string `json:"CACert"`
-	ServerCert string `json:"ServerCert"`
-	ServerKey  string `json:"ServerKey"`
-	ClientCert string `json:"ClientCert"`
-	ClientKey  string `json:"ClientKey"`
-	// https://pkg.go.dev/crypto/tls#Config
-	SkipVerify bool `json:"SkipVerify"`
-	//https://pkg.go.dev/crypto/tls#ClientAuthType
-	ClientAuthType string `json:"ClientAuthType"`
+type (
+	serverTLSOptions struct {
+		CACert     string `json:"CACert"`
+		ServerCert string `json:"ServerCert"`
+		ServerKey  string `json:"ServerKey"`
+		ClientCert string `json:"ClientCert"`
+		ClientKey  string `json:"ClientKey"`
+		// https://pkg.go.dev/crypto/tls#Config
+		SkipVerify bool `json:"SkipVerify"`
+		// https://pkg.go.dev/crypto/tls#ClientAuthType
+		ClientAuthType string `json:"ClientAuthType"`
 
-	// https://pkg.go.dev/crypto/tls#Conn.VerifyHostname
-	//VerifyHostname bool
-	// https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
-	// VerifyConnection bool
-	// VerifyPeerCertificate bool
-}
+		// https://pkg.go.dev/crypto/tls#Conn.VerifyHostname
+		// VerifyHostname bool
+		// https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
+		// VerifyConnection bool
+		// VerifyPeerCertificate bool
+	}
 
-type serverAuth struct {
-	// token?, google?, simple-tls, mutual-tls
-	Type       string           `json:"Type"`
-	TLSOptions serverTLSOptions `json:"TLSOptions"`
-}
+	serverAuth struct {
+		// token?, google?, simple-tls, mutual-tls
+		Type       string           `json:"Type"`
+		TLSOptions serverTLSOptions `json:"TLSOptions"`
+	}
 
-type serverConfig struct {
-	Address        string                 `json:"Address"`
-	Authentication serverAuth             `json:"Authentication"`
-	LogFile        string                 `json:"LogFile"`
-	Loggers        []loggers.LoggerConfig `json:"Loggers"`
-}
+	serverConfig struct {
+		Address        string                 `json:"Address"`
+		Authentication serverAuth             `json:"Authentication"`
+		LogFile        string                 `json:"LogFile"`
+		Loggers        []loggers.LoggerConfig `json:"Loggers"`
+	}
 
-type rulesOptions struct {
-	Path string `json:"Path"`
-}
+	rulesOptions struct {
+		Path string `json:"Path"`
+	}
+
+	ebpfOptions struct {
+		ModulesPath string `json:"ModulesPath"`
+	}
+)
 
 // Config holds the values loaded from configFile
 type Config struct {
 	sync.RWMutex
 	Server            serverConfig           `json:"Server"`
 	Stats             statistics.StatsConfig `json:"Stats"`
 	Rules             rulesOptions           `json:"Rules"`
+	Ebpf              ebpfOptions            `json:"Ebpf"`
 	DefaultAction     string                 `json:"DefaultAction"`
 	DefaultDuration   string                 `json:"DefaultDuration"`
 	ProcMonitorMethod string                 `json:"ProcMonitorMethod"`
 	Firewall          string                 `json:"Firewall"`
-	LogLevel          *uint32                `json:"LogLevel"`
+	LogLevel          *int32                 `json:"LogLevel"`
 	InterceptUnknown  bool                   `json:"InterceptUnknown"`
 	LogUTC            bool                   `json:"LogUTC"`
 	LogMicro          bool                   `json:"LogMicro"`

daemon/ui/config_utils.go

@@ -109,8 +109,9 @@ func (c *Client) loadConfiguration(rawConfig []byte) bool {
 		clientErrorRule.Duration = rule.Duration(clientConfig.DefaultDuration)
 	}
 	if clientConfig.ProcMonitorMethod != "" {
-		if err := monitor.ReconfigureMonitorMethod(clientConfig.ProcMonitorMethod); err != nil {
-			msg := fmt.Sprintf("Unable to set new process monitor (%s) method from disk: %v", clientConfig.ProcMonitorMethod, err)
+		err := monitor.ReconfigureMonitorMethod(clientConfig.ProcMonitorMethod, clientConfig.Ebpf.ModulesPath)
+		if err != nil {
+			msg := fmt.Sprintf("Unable to set new process monitor (%s) method from disk: %v", clientConfig.ProcMonitorMethod, err.Msg)
 			log.Warning(msg)
 			c.SendWarningAlert(msg)
 		}