mirror of
https://github.com/springzfx/cgproxy.git
synced 2026-03-15 09:32:09 +08:00
add execsnoop
This commit is contained in:
springzfx
@@ -11,7 +11,8 @@ using namespace CGPROXY::CONFIG;
|
||||
namespace CGPROXY::CGPROXY {
|
||||
|
||||
bool print_help = false, proxy = true;
|
||||
bool attach_pid=false; string arg_pid;
|
||||
bool attach_pid = false;
|
||||
string arg_pid;
|
||||
inline void print_usage() {
|
||||
if (proxy) {
|
||||
cout << "Run program with proxy" << endl;
|
||||
@@ -29,8 +30,8 @@ bool processArgs(const int argc, char *argv[], int &shift) {
|
||||
if (strcmp(argv[i], "--pid") == 0) {
|
||||
attach_pid = true;
|
||||
i++;
|
||||
if (i==argc) return false;
|
||||
arg_pid=argv[i];
|
||||
if (i == argc) return false;
|
||||
arg_pid = argv[i];
|
||||
if (!validPid(arg_pid)) return false;
|
||||
continue;
|
||||
}
|
||||
@@ -52,7 +53,7 @@ void send_pid(const pid_t pid, bool proxy, int &status) {
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
int shift = -1;
|
||||
if (!processArgs(argc, argv, shift)){
|
||||
if (!processArgs(argc, argv, shift)) {
|
||||
error("parameter error");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
@@ -68,10 +69,10 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
|
||||
int status = -1;
|
||||
send_pid(attach_pid?stoi(arg_pid):getpid(), proxy, status);
|
||||
send_pid(attach_pid ? stoi(arg_pid) : getpid(), proxy, status);
|
||||
if (status != 0) {
|
||||
error("attach process failed");
|
||||
if (status==1) error("maybe cgproxy.service not running");
|
||||
if (status == 1) error("maybe cgproxy.service not running");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
#include <csignal>
|
||||
#include <fstream>
|
||||
#include <nlohmann/json.hpp>
|
||||
#include <sched.h>
|
||||
#include <sys/file.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@@ -19,10 +20,14 @@ using namespace ::CGPROXY::CGROUP;
|
||||
|
||||
namespace CGPROXY::CGPROXYD {
|
||||
|
||||
bool print_help = false;
|
||||
bool enable_execsnoop = false;
|
||||
|
||||
class cgproxyd {
|
||||
thread_arg arg_t;
|
||||
Config config;
|
||||
pthread_t socket_thread_id = -1;
|
||||
pid_t exec_snoop_pid = -1;
|
||||
|
||||
static cgproxyd *instance;
|
||||
static int handle_msg_static(char *msg) {
|
||||
@@ -40,7 +45,7 @@ class cgproxyd {
|
||||
} else {
|
||||
instance->stop();
|
||||
}
|
||||
exit(signum);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
// single process instance
|
||||
@@ -113,6 +118,22 @@ class cgproxyd {
|
||||
return thread_id;
|
||||
}
|
||||
|
||||
void startExecSnoopProc() {
|
||||
if (exec_snoop_pid != -1){
|
||||
kill(exec_snoop_pid, SIGINT);
|
||||
exec_snoop_pid=-1;
|
||||
}
|
||||
pid_t pid = fork();
|
||||
if (pid == 0) {
|
||||
execl(BPF_EXEC_SNOOP_START, (char *) NULL);
|
||||
exit(0);
|
||||
} else if (pid<0){
|
||||
error("fork precess failed");
|
||||
}else {
|
||||
exec_snoop_pid = pid;
|
||||
}
|
||||
}
|
||||
|
||||
void assignStaticInstance() { instance = this; }
|
||||
|
||||
public:
|
||||
@@ -134,6 +155,7 @@ public:
|
||||
system(TPROXY_IPTABLS_CLEAN);
|
||||
c->toEnv();
|
||||
system(TPROXY_IPTABLS_START);
|
||||
if (enable_execsnoop) startExecSnoopProc();
|
||||
// no need to track running status
|
||||
return 0;
|
||||
}
|
||||
@@ -141,6 +163,7 @@ public:
|
||||
void stop() {
|
||||
debug("stopping");
|
||||
system(TPROXY_IPTABLS_CLEAN);
|
||||
// if (exec_snoop_pid != -1) kill(exec_snoop_pid, SIGINT);
|
||||
unlock();
|
||||
}
|
||||
|
||||
@@ -149,8 +172,6 @@ public:
|
||||
|
||||
cgproxyd *cgproxyd::instance = NULL;
|
||||
|
||||
bool print_help = false;
|
||||
|
||||
void print_usage() {
|
||||
cout << "Start a daemon with unix socket to accept control" << endl;
|
||||
cout << "Usage: cgproxyd [--help] [--debug]" << endl;
|
||||
@@ -161,6 +182,7 @@ void processArgs(const int argc, char *argv[]) {
|
||||
for (int i = 1; i < argc; i++) {
|
||||
if (strcmp(argv[i], "--debug") == 0) { enable_debug = true; }
|
||||
if (strcmp(argv[i], "--help") == 0) { print_help = true; }
|
||||
if (strcmp(argv[i], "--execsnoop") == 0) { enable_execsnoop = true; }
|
||||
if (argv[i][0] != '-') { break; }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7,8 +7,9 @@
|
||||
#include <vector>
|
||||
using namespace std;
|
||||
|
||||
#define TPROXY_IPTABLS_START "sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh"
|
||||
#define TPROXY_IPTABLS_CLEAN "sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh stop"
|
||||
#define TPROXY_IPTABLS_START "/usr/share/cgproxy/scripts/cgroup-tproxy.sh"
|
||||
#define TPROXY_IPTABLS_CLEAN "/usr/share/cgproxy/scripts/cgroup-tproxy.sh stop"
|
||||
#define BPF_EXEC_SNOOP_START "/usr/share/cgproxy/scripts/execsnoop.py"
|
||||
|
||||
#define PID_LOCK_FILE "/var/run/cgproxyd.pid"
|
||||
#define SOCKET_PATH "/tmp/cgproxy_unix_socket"
|
||||
|
||||
@@ -21,6 +21,8 @@ namespace CGPROXY::CONFIG {
|
||||
|
||||
void Config::toEnv() {
|
||||
mergeReserved();
|
||||
setenv("program_proxy", join2str(program_proxy, ':').c_str(), 1);
|
||||
setenv("program_noproxy", join2str(program_noproxy, ':').c_str(), 1);
|
||||
setenv("cgroup_proxy", join2str(cgroup_proxy, ':').c_str(), 1);
|
||||
setenv("cgroup_noproxy", join2str(cgroup_noproxy, ':').c_str(), 1);
|
||||
setenv("enable_gateway", to_str(enable_gateway).c_str(), 1);
|
||||
@@ -43,6 +45,8 @@ int Config::saveToFile(const string f) {
|
||||
|
||||
string Config::toJsonStr() {
|
||||
json j;
|
||||
add2json(program_proxy);
|
||||
add2json(program_noproxy);
|
||||
add2json(cgroup_proxy);
|
||||
add2json(cgroup_noproxy);
|
||||
add2json(enable_gateway);
|
||||
@@ -74,6 +78,8 @@ int Config::loadFromJsonStr(const string js) {
|
||||
return PARAM_ERROR;
|
||||
}
|
||||
json j = json::parse(js);
|
||||
tryassign(program_proxy);
|
||||
tryassign(program_noproxy);
|
||||
tryassign(cgroup_proxy);
|
||||
tryassign(cgroup_noproxy);
|
||||
tryassign(enable_gateway);
|
||||
@@ -96,6 +102,7 @@ bool Config::validateJsonStr(const string js) {
|
||||
bool status = true;
|
||||
const set<string> boolset = {"enable_gateway", "enable_dns", "enable_tcp",
|
||||
"enable_udp", "enable_ipv4", "enable_ipv6"};
|
||||
const set<string> allowset = {"program_proxy", "program_noproxy"};
|
||||
for (auto &[key, value] : j.items()) {
|
||||
if (key == "cgroup_proxy" || key == "cgroup_noproxy") {
|
||||
if (value.is_string() && !validCgroup((string)value)) status = false;
|
||||
@@ -106,6 +113,8 @@ bool Config::validateJsonStr(const string js) {
|
||||
if (!validPort(value)) status = false;
|
||||
} else if (boolset.find(key) != boolset.end()) {
|
||||
if (!value.is_boolean()) status = false;
|
||||
} else if (allowset.find(key) != allowset.end()) {
|
||||
|
||||
} else {
|
||||
error("unknown key: %s", key.c_str());
|
||||
return false;
|
||||
|
||||
@@ -13,6 +13,8 @@ public:
|
||||
const string cgroup_proxy_preserved = CGROUP_PROXY_PRESVERED;
|
||||
const string cgroup_noproxy_preserved = CGROUP_NOPROXY_PRESVERED;
|
||||
|
||||
vector<string> program_proxy;
|
||||
vector<string> program_noproxy;
|
||||
vector<string> cgroup_proxy;
|
||||
vector<string> cgroup_noproxy;
|
||||
bool enable_gateway = false;
|
||||
|
||||
Reference in New Issue
Block a user