bump version

CMakeLists.txt

@@ -2,11 +2,12 @@ cmake_minimum_required(VERSION 3.10)
 set(CMAKE_CXX_STANDARD 17)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
-project(cgproxy VERSION 0.12)
+project(cgproxy VERSION 0.14)
 set(CMAKE_CXX_FLAGS  "${CMAKE_CXX_FLAGS} -Wno-unused-result")
 
-set(build_tools OFF)
-set(build_test  OFF)
+option(with_execsnoop "enable program level proxy control feature, need bcc installed" ON)
+option(build_tools OFF)
+option(build_test  OFF)
 
 set(basic_permission OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
 
@@ -23,5 +24,19 @@ install(FILES cgproxyd DESTINATION /usr/bin PERMISSIONS ${basic_permission})
 install(FILES cgnoproxy DESTINATION /usr/bin PERMISSIONS ${basic_permission})
 install(FILES cgproxy.service DESTINATION /usr/lib/systemd/system/)
 install(FILES config.json DESTINATION /etc/cgproxy/)
-install(FILES cgroup-tproxy.sh DESTINATION /usr/share/cgproxy/scripts/)
+install(FILES cgroup-tproxy.sh DESTINATION /usr/share/cgproxy/scripts/ PERMISSIONS ${basic_permission})
 install(FILES readme.md DESTINATION /usr/share/doc/cgproxy/)
+
+# man pages
+set(man_gz
+${PROJECT_BINARY_DIR}/cgproxyd.1.gz
+${PROJECT_BINARY_DIR}/cgproxy.1.gz
+${PROJECT_BINARY_DIR}/cgnoproxy.1.gz
+)
+add_custom_target(man
+    COMMAND gzip -fk cgproxyd.1 cgproxy.1 cgnoproxy.1
+    COMMAND mv *.gz ${PROJECT_BINARY_DIR}
+    WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/man
+)
+add_dependencies(main man)
+install(FILES ${man_gz} DESTINATION /usr/share/man/man1/)

cgnoproxy

@@ -1,2 +1,2 @@
 #!/bin/sh
-/usr/bin/cgproxy --noproxy $@
+exec /usr/bin/cgproxy --noproxy $@

cgproxy.service

@@ -4,7 +4,7 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/cgproxyd
+ExecStart=/usr/bin/cgproxyd --execsnoop
 
 [Install]
 WantedBy=multi-user.target

cgproxyd

@@ -1,2 +1,2 @@
 #!/bin/sh
-/usr/bin/cgproxy --daemon $@
+exec /usr/bin/cgproxy --daemon $@

config.json

@@ -1,11 +1,13 @@
 {
+    "port": 12345,
+    "program_noproxy": ["v2ray", "qv2ray"],
+    "program_proxy": [],
     "cgroup_noproxy": ["/system.slice/v2ray.service"],
     "cgroup_proxy": [],
-    "enable_dns": true,
     "enable_gateway": false,
-    "enable_ipv4": true,
-    "enable_ipv6": true,
-    "enable_tcp": true,
+    "enable_dns": true,
     "enable_udp": true,
-    "port": 12345
+    "enable_tcp": true,
+    "enable_ipv4": true,
+    "enable_ipv6": true
 }

man/cgnoproxy.1

@@ -0,0 +1,16 @@
+.\" Manpage for cgproxyd
+.TH man 1 "19 May 2020" "1.0" "cgnoproxy man page"
+.SH NAME
+cgnoproxy \- Run program without proxy
+.SH SYNOPSIS
+cgnoproxy --help
+cgnoproxy [--debug] <CMD>
+cgnoproxy [--debug] --pid <PID>
+.SH ALIAS
+cgnoproxy = cgproxy --noproxy
+.SH DESCRIPTION
+cgnoproxy send current running process pid or specified pid to cgproxyd through unix socket, then pid is attached to non-proxied cgroup 
+.SH EXAMPLES
+cgnoproxy sudo v2ray -config config_file
+.SH SEE ALSO
+cgproxyd(1), cgproxy(1), cgnoproxy(1)

man/cgproxy.1

@@ -0,0 +1,14 @@
+.\" Manpage for cgproxyd
+.TH man 1 "19 May 2020" "1.0" "cgproxy man page"
+.SH NAME
+cgproxy \- Run program with proxy
+.SH SYNOPSIS
+cgproxy --help
+cgproxy [--debug] <CMD>
+cgproxy [--debug] --pid <PID>
+.SH DESCRIPTION
+cgproxy send current running process pid or specified pid to cgproxyd through unix socket, then pid is attached to proxied cgroup 
+.SH EXAMPLES
+cgproxy curl -vI https://www.google.com
+.SH SEE ALSO
+cgproxyd(1), cgproxy(1), cgnoproxy(1)

man/cgproxyd.1

@@ -0,0 +1,54 @@
+.\" Manpage for cgproxyd
+.TH man 1 "19 May 2020" "1.0" "cgproxyd man page"
+.SH NAME
+cgproxyd \- Start a daemon with unix socket to accept control from cgproxy/cgnoproxy
+.SH SYNOPSIS
+cgproxyd [--help] [--debug] [--execsnoop]
+.SH ALIAS
+cgproxyd = cgproxy --daemon
+.SH OPTIONS
+.B  --execsnoop
+enable execsnoop to support program level proxy, need python-bcc installed to actually work
+.SH CONFIGURATION
+.I /etc/cgproxy/config.json
+.br
+.B port 
+tproxy listenning port
+.br
+program level proxy controll, need `python-bcc` installed to work:
+.br
+.RS
+.B program_proxy
+program need to be proxied
+.br
+.B program_noproxy
+program that won't be proxied
+.RE
+.br
+cgroup level proxy control:
+.br
+.RS
+.B cgroup_noproxy
+cgroup array that no need to proxy, /noproxy.slice is preserved.
+.br
+.B cgroup_proxy
+cgroup array that need to proxy, /proxy.slice is preserved.
+.RE
+.br
+.B enable_gateway
+enable gateway proxy for local devices.
+.br
+.B enable_dns
+enable dns to go to proxy.
+.br
+.B enable_tcp
+.br
+.B enable_udp
+.br
+.B enable_ipv4 
+.br
+.B enable_ipv6
+.br
+.SH SEE ALSO
+cgproxyd(1), cgproxy(1), cgnoproxy(1)
+

pack/CMakeLists.txt

@@ -7,6 +7,7 @@ set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "cgproxy will transparent proxy anything r
 set(CPACK_DEBIAN_PACKAGE_NAME "cgproxy")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "x86_64")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "systemd")
+set(CPACK_DEBIAN_PACKAGE_SUGGESTS "python-bcc")
 set(CPACK_DEBIAN_PACKAGE_SECTION "network")
 set(CPACK_DEBIAN_PACKAGE_PRIORITY "Optional")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://github.com/springzfx/cgproxy")
@@ -16,6 +17,7 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_CURRENT_SOURCE_DIR}/postinst;${C
 ## rpm pack
 set(CPACK_RPM_PACKAGE_ARCHITECTURE, "x86_64")
 set(CPACK_RPM_PACKAGE_REQUIRES "systemd")
+set(CPACK_RPM_PACKAGE_SUGGESTS "python-bcc")
 set(CPACK_RPM_PACKAGE_GROUP "network")
 set(CPACK_RPM_PACKAGE_URL "https://github.com/springzfx/cgproxy")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/postinst")

readme.md

@@ -1,16 +1,22 @@
 
 
-# Transparent Proxy with cgroup v2
+# Transparent Proxy powered with cgroup v2
 
 
 
 ## Introduction
 
-cgproxy will transparent proxy anything running in specific cgroup. It resembles with *proxychains* and *tsock*, but without their disadvantages, and more powerfull.
+cgproxy will transparent proxy anything running in specific cgroup. It resembles with *proxychains* and *tsock*s in default setting. 
 
-It aslo supports global transparent proxy and gateway proxy. See [Global transparent proxy](#global-transparent-proxy) and  [Gateway proxy](#gateway-proxy).
+Main feature:
+
+- supports cgroup/program level proxy control. 
+- supports global transparent proxy and gateway proxy. 
+
+## Contents
 
 <!--ts-->
+
    * [Transparent Proxy with cgroup v2](#transparent-proxy-with-cgroup-v2)
       * [Introduction](#introduction)
       * [Prerequest](#prerequest)
@@ -40,6 +46,12 @@ It aslo supports global transparent proxy and gateway proxy. See [Global transpa
 
   A process listening on port (e.g.  12345)  to accept iptables TPROXY, for example v2ray's dokodemo-door in tproxy mode.
 
+- Iptables
+
+  Iptables version should be at least 1.6.0, run `iptables --version` to check.
+
+  ubuntu 16.04, debian 9, fedora 27 and later are desired
+
 ## How to install
 
 ```bash
@@ -81,28 +93,51 @@ Config file: **/etc/cgproxy/config.json**
 
 ```json
 {
+    "port": 12345,
+    "program_noproxy": ["v2ray", "qv2ray"],
+    "program_proxy": [ ],
     "cgroup_noproxy": ["/system.slice/v2ray.service"],
-    "cgroup_proxy": [],
-    "enable_dns": true,
+    "cgroup_proxy": [ ],
     "enable_gateway": false,
-    "enable_ipv4": true,
-    "enable_ipv6": true,
-    "enable_tcp": true,
+    "enable_dns": true,
     "enable_udp": true,
-    "port": 12345
+    "enable_tcp": true,
+    "enable_ipv4": true,
+    "enable_ipv6": true
 }
 ```
 
 - **port** tproxy listenning port
-- **cgroup_noproxy** cgroup array that no need to proxy, `/noproxy.slice` is preserved
-- **cgroup_proxy** cgroup array that need to proxy, `/proxy.slice` is preserved
+
+- program level proxy control, need `python-bcc` installed to work
+
+  - **program_proxy**  program need to be proxied
+  - **program_noproxy** program that won't be proxied
+
+- cgroup level proxy control:
+
+  - **cgroup_noproxy** cgroup array that no need to proxy, `/noproxy.slice` is preserved
+  - **cgroup_proxy** cgroup array that need to proxy, `/proxy.slice` is preserved
+
 - **enable_gateway** enable gateway proxy for local devices
+
 - **enable_dns** enable dns to go to proxy
+
 - **enable_tcp**
+
 - **enable_udp**
+
 - **enable_ipv4**
+
 - **enable_ipv6**
 
+- options priority
+
+  ```
+  program_noproxy > program_proxy > cgroup_noproxy > cgroup_proxy
+  enable_ipv6 > enable_ipv4 > enable_tcp > enable_udp > enable_dns
+  ```
+
 **Note**: cgroup in configuration need to be exist, otherwise ignored
 
 If you changed config, remember to restart service
@@ -123,8 +158,10 @@ sudo systemctl restart cgproxy.service
     
     example: `cgnoproxy qv2ray`
     
-  - passive way,  set it's cgroup in configuration,  very useful for service
+  - passive way,  persistent config
   
+      example:  `"program_noproxy":["v2ray" ,"qv2ray"]`
+      
       example:  `"cgroup_noproxy":["/system.slice/v2ray.service"]`
   
 - Finally, restart cgproxy service, that's all
@@ -140,16 +177,21 @@ sudo systemctl restart cgproxy.service
 - `cgnoproxy` run program wihout proxy, very useful in global transparent proxy
 
   ```bash
-  cgnoproxy [--debug] <CMD> 
+  cgnoproxy [--debug] <CMD>
+  cgnoproxy [--debug] --pid <PID>
   ```
   
-- `cgattach` attach specific process pid to specific cgroup which will create if not exist , cgroup can be only one level down exist cgroup, otherwise created fail.
+- `cgattach` attach specific process pid to specific cgroup which will create if not exist , cgroup can be only one level down exist cgroup, otherwise created fail. 
 
+  You need to set `set(build_tools ON)` in *CmakeLists.txt* to build this.
+  
   ```bash
   cgattch <pid> <cgroup>
   # example
   cgattch 9999 /proxy.slice
   ```
+  
+- For more detail command usage, see `man cgproxyd`  `man cgproxy`  `man cgnoproxy` 
 
 ## NOTES
 

src/CMakeLists.txt

@@ -3,12 +3,17 @@ find_package(nlohmann_json REQUIRED)
 include_directories(${PROJECT_SOURCE_DIR})
 include_directories(${CMAKE_CURRENT_SOURCE_DIR})
 
+if (with_execsnoop)
+add_library(execsnoop MODULE execsnoop.cpp common.cpp)
+target_link_libraries(execsnoop bcc)
+install(TARGETS execsnoop DESTINATION /usr/lib/cgproxy/ PERMISSIONS ${basic_permission})
+endif()
+
 add_executable(main main.cpp
-                    common.cpp config.cpp cgroup_attach.cpp 
+                    common.cpp config.cpp cgroup_attach.cpp
                     socket_client.cpp socket_server.cpp)
- 
-target_link_libraries(main nlohmann_json::nlohmann_json Threads::Threads)
+target_link_libraries(main PRIVATE nlohmann_json::nlohmann_json Threads::Threads dl)
 set_target_properties(main PROPERTIES LINKER_LANGUAGE CXX)
 set_target_properties(main PROPERTIES OUTPUT_NAME cgproxy)
 
-install(TARGETS main   DESTINATION /usr/bin PERMISSIONS ${basic_permission})
+install(TARGETS main DESTINATION /usr/bin PERMISSIONS ${basic_permission})

src/cgproxy.hpp

@@ -11,6 +11,8 @@ using namespace CGPROXY::CONFIG;
 namespace CGPROXY::CGPROXY {
 
 bool print_help = false, proxy = true;
+bool attach_pid = false;
+string arg_pid;
 inline void print_usage() {
   if (proxy) {
     cout << "Run program with proxy" << endl;
@@ -22,14 +24,24 @@ inline void print_usage() {
   }
 }
 
-void processArgs(const int argc, char *argv[], int &shift) {
-  for (int i = 1; i < argc; i++) {
+bool processArgs(const int argc, char *argv[], int &shift) {
+  int i;
+  for (i = 1; i < argc; i++) {
+    if (strcmp(argv[i], "--pid") == 0) {
+      attach_pid = true;
+      i++;
+      if (i == argc) return false;
+      arg_pid = argv[i];
+      if (!validPid(arg_pid)) return false;
+      continue;
+    }
     if (strcmp(argv[i], "--noproxy") == 0) { proxy = false; }
     if (strcmp(argv[i], "--debug") == 0) { enable_debug = true; }
     if (strcmp(argv[i], "--help") == 0) { print_help = true; }
     if (argv[i][0] != '-') { break; }
-    shift += 1;
   }
+  shift = i;
+  return true;
 }
 
 void send_pid(const pid_t pid, bool proxy, int &status) {
@@ -40,25 +52,31 @@ void send_pid(const pid_t pid, bool proxy, int &status) {
 }
 
 int main(int argc, char *argv[]) {
-  int shift = 1;
-  processArgs(argc, argv, shift);
+  int shift = -1;
+  if (!processArgs(argc, argv, shift)) {
+    error("parameter error");
+    exit(EXIT_FAILURE);
+  }
 
   if (print_help) {
     print_usage();
     exit(0);
   }
 
-  if (argc == shift) {
+  if (!attach_pid && argc == shift) {
     error("no program specified");
     exit(EXIT_FAILURE);
   }
 
   int status = -1;
-  send_pid(getpid(), proxy, status);
+  send_pid(attach_pid ? stoi(arg_pid) : getpid(), proxy, status);
   if (status != 0) {
     error("attach process failed");
+    if (status == 1) error("maybe cgproxy.service not running");
     exit(EXIT_FAILURE);
   }
+  // if just attach pid, return here
+  if (attach_pid) return 0;
 
   string s = join2str(argc - shift, argv + shift, ' ');
   return system(s.c_str());

src/cgproxyd.hpp

@@ -4,10 +4,18 @@
 #include "cgroup_attach.h"
 #include "common.h"
 #include "config.h"
+#include "execsnoop.h"
 #include "socket_server.h"
+#include <algorithm>
 #include <csignal>
+#include <cstdlib>
+#include <dlfcn.h>
+#include <exception>
 #include <fstream>
+#include <functional>
 #include <nlohmann/json.hpp>
+#include <pthread.h>
+#include <sched.h>
 #include <sys/file.h>
 #include <unistd.h>
 
@@ -16,13 +24,44 @@ using json = nlohmann::json;
 using namespace ::CGPROXY::SOCKET;
 using namespace ::CGPROXY::CONFIG;
 using namespace ::CGPROXY::CGROUP;
+// using namespace ::CGPROXY::EXECSNOOP;
+
+namespace CGPROXY::EXECSNOOP {
+typedef void *(*startThread_t)(void *arg);
+startThread_t _startThread;
+bool loadExecsnoopLib() {
+  try {
+    info("loading %s", LIBEXECSNOOP_SO);
+    void *handle_dl = dlopen(LIBEXECSNOOP_SO, RTLD_NOW);
+    if (handle_dl == NULL) {
+      error("dlopen %s failed: %s", LIBEXECSNOOP_SO, dlerror());
+      return false;
+    }
+    _startThread = reinterpret_cast<startThread_t>(dlsym(handle_dl, "_startThread"));
+    if (_startThread == NULL) {
+      error("dlsym startThread failed: %s", dlerror());
+      return false;
+    }
+    info("dlsym startThread success");
+    return true;
+  } catch (exception &e) { return false; }
+}
+} // namespace CGPROXY::EXECSNOOP
 
 namespace CGPROXY::CGPROXYD {
 
+bool print_help = false;
+bool enable_socketserver = true;
+bool enable_execsnoop = false;
+
 class cgproxyd {
-  thread_arg arg_t;
+  SOCKET::thread_arg socketserver_thread_arg;
+  pthread_t socket_thread_id = THREAD_UNDEF;
+
+  EXECSNOOP::thread_arg execsnoop_thread_arg;
+  pthread_t execsnoop_thread_id = THREAD_UNDEF;
+
   Config config;
-  pthread_t socket_thread_id = -1;
 
   static cgproxyd *instance;
   static int handle_msg_static(char *msg) {
@@ -33,6 +72,40 @@ class cgproxyd {
     return instance->handle_msg(msg);
   }
 
+  static int handle_pid_static(int pid) {
+    if (!instance) {
+      error("no cgproxyd instance assigned");
+      return ERROR;
+    }
+    return instance->handle_pid(pid);
+  }
+
+  int handle_pid(int pid) {
+    auto path = realpath(to_str("/proc/", pid, "/exe").c_str(), NULL);
+    if (path == NULL) {
+      debug("pid %d live life too short", pid);
+      return 0;
+    }
+    debug("execsnoop: %d %s", pid, path);
+
+    vector<string> v;
+
+    v = config.program_noproxy;
+    if (find(v.begin(), v.end(), path) != v.end()) {
+      info("execsnoop noproxy: %d %s", pid, path);
+      free(path);
+      return attach(pid, config.cgroup_noproxy_preserved);
+    }
+    v = config.program_proxy;
+    if (find(v.begin(), v.end(), path) != v.end()) {
+      info("execsnoop proxied: %d %s", pid, path);
+      free(path);
+      return attach(pid, config.cgroup_proxy_preserved);
+    }
+    free(path);
+    return 0;
+  }
+
   static void signalHandler(int signum) {
     debug("Signal %d received.", signum);
     if (!instance) {
@@ -40,7 +113,7 @@ class cgproxyd {
     } else {
       instance->stop();
     }
-    exit(signum);
+    exit(0);
   }
 
   // single process instance
@@ -80,12 +153,12 @@ class cgproxyd {
       switch (type) {
       case MSG_TYPE_CONFIG_JSON:
         status = config.loadFromJsonStr(j.at("data").dump());
-        if (status == SUCCESS) status = applyConfig(&config);
+        if (status == SUCCESS) status = applyConfig();
         return status;
         break;
       case MSG_TYPE_CONFIG_PATH:
         status = config.loadFromFile(j.at("data").get<string>());
-        if (status == SUCCESS) status = applyConfig(&config);
+        if (status == SUCCESS) status = applyConfig();
         return status;
         break;
       case MSG_TYPE_PROXY_PID:
@@ -106,13 +179,48 @@ class cgproxyd {
   }
 
   pthread_t startSocketListeningThread() {
-    arg_t.handle_msg = &handle_msg_static;
+    socketserver_thread_arg.handle_msg = &handle_msg_static;
     pthread_t thread_id;
-    int status = pthread_create(&thread_id, NULL, &SocketServer::startThread, &arg_t);
-    if (status != 0) error("socket thread create failed");
+    int status =
+        pthread_create(&thread_id, NULL, &SOCKET::startThread, &socketserver_thread_arg);
+    if (status != 0) {
+      error("socket thread create failed");
+      return THREAD_UNDEF;
+    }
     return thread_id;
   }
 
+  pthread_t startExecsnoopThread() {
+    if (!EXECSNOOP::loadExecsnoopLib() || EXECSNOOP::_startThread == NULL) {
+      error("execsnoop start failed, maybe bcc not installed");
+      return THREAD_UNDEF;
+    }
+
+    execsnoop_thread_arg.handle_pid = &handle_pid_static;
+    pthread_t thread_id;
+    int status =
+        pthread_create(&thread_id, NULL, EXECSNOOP::_startThread, &execsnoop_thread_arg);
+    if (status != 0) {
+      error("execsnoop thread create failed");
+      return THREAD_UNDEF;
+    }
+    return thread_id;
+  }
+
+  void processRunningProgram() {
+    debug("process running program") for (auto &path :
+                                          config.program_noproxy) for (auto &pid :
+                                                                       bash_pidof(path)) {
+      int status = attach(pid, config.cgroup_noproxy_preserved);
+      if (status == 0) info("noproxy running process %d %s", pid, path.c_str());
+    }
+    for (auto &path : config.program_proxy)
+      for (auto &pid : bash_pidof(path)) {
+        int status = attach(pid, config.cgroup_proxy_preserved);
+        if (status == 0) info("proxied running process %d %s", pid, path.c_str());
+      }
+  }
+
   void assignStaticInstance() { instance = this; }
 
 public:
@@ -122,17 +230,30 @@ public:
     signal(SIGTERM, &signalHandler);
     signal(SIGHUP, &signalHandler);
 
-    config.loadFromFile(DEFAULT_CONFIG_FILE);
-    applyConfig(&config);
-
     assignStaticInstance();
-    socket_thread_id = startSocketListeningThread();
+
+    config.loadFromFile(DEFAULT_CONFIG_FILE);
+    applyConfig();
+    processRunningProgram();
+
+    if (enable_socketserver) {
+      socket_thread_id = startSocketListeningThread();
+      if (socket_thread_id > 0) info("socket server listening thread started");
+    }
+    if (enable_execsnoop) {
+      execsnoop_thread_id = startExecsnoopThread();
+      if (execsnoop_thread_id > 0) info("execsnoop thread started");
+    }
+    cout << flush;
+
     pthread_join(socket_thread_id, NULL);
+    pthread_join(execsnoop_thread_id, NULL);
     return 0;
   }
-  int applyConfig(Config *c) {
+  int applyConfig() {
     system(TPROXY_IPTABLS_CLEAN);
-    c->toEnv();
+    config.print_summary();
+    config.toEnv();
     system(TPROXY_IPTABLS_START);
     // no need to track running status
     return 0;
@@ -149,8 +270,6 @@ public:
 
 cgproxyd *cgproxyd::instance = NULL;
 
-bool print_help = false;
-
 void print_usage() {
   cout << "Start a daemon with unix socket to accept control" << endl;
   cout << "Usage: cgproxyd [--help] [--debug]" << endl;
@@ -161,11 +280,13 @@ void processArgs(const int argc, char *argv[]) {
   for (int i = 1; i < argc; i++) {
     if (strcmp(argv[i], "--debug") == 0) { enable_debug = true; }
     if (strcmp(argv[i], "--help") == 0) { print_help = true; }
+    if (strcmp(argv[i], "--execsnoop") == 0) { enable_execsnoop = true; }
     if (argv[i][0] != '-') { break; }
   }
 }
 
 int main(int argc, char *argv[]) {
+  setbuf(stdout, NULL);
   processArgs(argc, argv);
   if (print_help) {
     print_usage();

src/cgroup_attach.cpp

@@ -13,48 +13,47 @@
 
 namespace CGPROXY::CGROUP {
 
+string cgroup2_mount_point = get_cgroup2_mount_point();
+
 bool exist(string path) {
   struct stat st;
   if (stat(path.c_str(), &st) != -1) { return S_ISDIR(st.st_mode); }
   return false;
 }
 
+string get_cgroup2_mount_point() {
+  stringstream buffer;
+  FILE *fp = popen("findmnt -t cgroup2 -n -o TARGET", "r");
+  if (!fp) return "";
+  char buf[64];
+  while (fgets(buf, 64, fp) != NULL) { buffer << buf; }
+  pclose(fp);
+  string s = buffer.str();
+  s.pop_back(); // remove newline character
+  return s;
+}
+
 bool validate(string pid, string cgroup) {
   bool pid_v = validPid(pid);
   bool cg_v = validCgroup(cgroup);
   if (pid_v && cg_v) return true;
 
   error("attach paramater validate error");
-  return_error
-}
-
-string get_cgroup2_mount_point(int &status) {
-  char cgroup2_mount_point[100] = "";
-  FILE *fp = popen("findmnt -t cgroup2 -n -o TARGET", "r");
-  int count = fscanf(fp, "%s", cgroup2_mount_point);
-  fclose(fp);
-  if (count == 0) {
-    error("cgroup2 not supported");
-    status = -1;
-    return NULL;
-  }
-  status = 0;
-  return cgroup2_mount_point;
+  return_error;
 }
 
 int attach(const string pid, const string cgroup_target) {
   if (getuid() != 0) {
     error("need root to attach cgroup");
-    return_error
+    return_error;
   }
 
   debug("attaching %s to %s", pid.c_str(), cgroup_target.c_str());
 
   int status;
-  if (!validate(pid, cgroup_target))
-    return_error string cgroup_mount_point = get_cgroup2_mount_point(status);
-  if (status != 0)
-    return_error string cgroup_target_path = cgroup_mount_point + cgroup_target;
+  if (!validate(pid, cgroup_target)) return_error;
+  if (cgroup2_mount_point.empty()) return_error;
+  string cgroup_target_path = cgroup2_mount_point + cgroup_target;
   string cgroup_target_procs = cgroup_target_path + "/cgroup.procs";
 
   // check if exist, we will create it if not exist
@@ -64,7 +63,7 @@ int attach(const string pid, const string cgroup_target) {
       debug("created cgroup %s success", cgroup_target.c_str());
     } else {
       error("created cgroup %s failed, errno %d", cgroup_target.c_str(), errno);
-      return_error
+      return_error;
     }
     // error("cgroup %s not exist",cgroup_target.c_str());
     // return_error
@@ -74,7 +73,7 @@ int attach(const string pid, const string cgroup_target) {
   ofstream procs(cgroup_target_procs, ofstream::app);
   if (!procs.is_open()) {
     error("open file %s failed", cgroup_target_procs.c_str());
-    return_error
+    return_error;
   }
   procs << pid.c_str() << endl;
   procs.close();
@@ -83,9 +82,9 @@ int attach(const string pid, const string cgroup_target) {
   if (!procs) {
     error("write %s to %s failed, maybe process %s not exist", pid.c_str(),
           cgroup_target_procs.c_str(), pid.c_str());
-    return_error
+    return_error;
   }
-  return_success
+  return_success;
 }
 
 int attach(const int pid, const string cgroup_target) {

src/cgroup_attach.h

@@ -6,10 +6,10 @@
 using namespace std;
 
 namespace CGPROXY::CGROUP {
-
+extern string cgroup2_mount_point;
 bool exist(string path);
 bool validate(string pid, string cgroup);
-string get_cgroup2_mount_point(int &status);
+string get_cgroup2_mount_point();
 int attach(const string pid, const string cgroup_target);
 int attach(const int pid, const string cgroup_target);
 

src/common.cpp

@@ -1,7 +1,13 @@
 #include "common.h"
+#include <fstream>
+#include <limits.h>
+#include <linux/limits.h>
 #include <regex>
+#include <sys/stat.h>
+#include <unistd.h>
 
 bool enable_debug = false;
+bool enable_info = true;
 
 string join2str(const vector<string> t, const char delm) {
   string s;
@@ -32,3 +38,58 @@ bool validCgroup(const vector<string> cgroup) {
 bool validPid(const string pid) { return regex_match(pid, regex("^[0-9]+$")); }
 
 bool validPort(const int port) { return port > 0; }
+
+bool fileExist(const string &path) {
+  struct stat st;
+  return (stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode));
+}
+
+bool dirExist(const string &path) {
+  struct stat st;
+  return (stat(path.c_str(), &st) == 0 && S_ISDIR(st.st_mode));
+}
+
+vector<int> bash_pidof(const string &path) {
+  vector<int> pids;
+  FILE *fp = popen(to_str("pidof ", path).c_str(), "r");
+  if (!fp) return pids;
+  int pid;
+  char buf[64];
+  while (fscanf(fp, "%d", &pid) != EOF) { pids.push_back(pid); }
+  pclose(fp);
+  return pids;
+}
+
+string bash_which(const string &name) {
+  stringstream buffer;
+  FILE *fp = popen(to_str("which ", name).c_str(), "r");
+  if (!fp) return "";
+  char buf[64];
+  while (fgets(buf, 64, fp) != NULL) { buffer << buf; }
+  pclose(fp);
+  string s = buffer.str();
+  s.pop_back(); // remove newline character
+  return s;
+}
+
+string bash_readlink(const string &path) {
+  stringstream buffer;
+  FILE *fp = popen(to_str("readlink -e ", path).c_str(), "r");
+  if (!fp) return "";
+  char buf[64];
+  while (fgets(buf, 64, fp) != NULL) { buffer << buf; }
+  pclose(fp);
+  string s = buffer.str();
+  s.pop_back(); // remove newline character
+  return s;
+}
+
+string getRealExistPath(const string &name) {
+  if (name[0] == '/' && fileExist(name)) return name;
+  string path;
+  path = bash_which(name);
+  if (path.empty()) return "";
+  path = bash_readlink(path);
+  if (!fileExist(path)) return "";
+  return path;
+}

src/common.h

@@ -7,9 +7,10 @@
 #include <vector>
 using namespace std;
 
-#define TPROXY_IPTABLS_START "sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh"
-#define TPROXY_IPTABLS_CLEAN "sh /usr/share/cgproxy/scripts/cgroup-tproxy.sh stop"
+#define TPROXY_IPTABLS_START "/usr/share/cgproxy/scripts/cgroup-tproxy.sh"
+#define TPROXY_IPTABLS_CLEAN "/usr/share/cgproxy/scripts/cgroup-tproxy.sh stop"
 
+#define LIBEXECSNOOP_SO "/usr/lib/cgproxy/libexecsnoop.so"
 #define PID_LOCK_FILE "/var/run/cgproxyd.pid"
 #define SOCKET_PATH "/tmp/cgproxy_unix_socket"
 #define LISTEN_BACKLOG 64
@@ -18,6 +19,8 @@ using namespace std;
 #define CGROUP_PROXY_PRESVERED "/proxy.slice"
 #define CGROUP_NOPROXY_PRESVERED "/noproxy.slice"
 
+#define THREAD_UNDEF 0
+
 #define MSG_TYPE_CONFIG_JSON 1
 #define MSG_TYPE_CONFIG_PATH 2
 #define MSG_TYPE_PROXY_PID 3
@@ -35,6 +38,7 @@ using namespace std;
 #define FILE_ERROR 7
 
 extern bool enable_debug;
+extern bool enable_info;
 
 #define error(...)                                                                       \
   {                                                                                      \
@@ -45,13 +49,20 @@ extern bool enable_debug;
 
 #define debug(...)                                                                       \
   if (enable_debug) {                                                                    \
-    fprintf(stderr, "debug: ");                                                          \
+    fprintf(stdout, "debug: ");                                                          \
     fprintf(stdout, __VA_ARGS__);                                                        \
     fprintf(stdout, "\n");                                                               \
   }
 
-#define return_error return -1;
-#define return_success return 0;
+#define info(...)                                                                        \
+  if (enable_info) {                                                                     \
+    fprintf(stdout, "info: ");                                                           \
+    fprintf(stdout, __VA_ARGS__);                                                        \
+    fprintf(stdout, "\n");                                                               \
+  }
+
+#define return_error return -1
+#define return_success return 0
 
 template <typename... T> string to_str(T... args) {
   stringstream ss;
@@ -69,4 +80,11 @@ bool validCgroup(const vector<string> cgroup);
 bool validPid(const string pid);
 bool validPort(const int port);
 
+bool fileExist(const string &path);
+bool dirExist(const string &path);
+vector<int> bash_pidof(const string &path);
+string bash_which(const string &name);
+string bash_readlink(const string &path);
+string getRealExistPath(const string &name);
+
 #endif

src/config.cpp

@@ -4,6 +4,7 @@
 #include <iomanip>
 #include <nlohmann/json.hpp>
 #include <set>
+#include <vector>
 using json = nlohmann::json;
 
 #define add2json(v) j[#v] = v;
@@ -21,6 +22,8 @@ namespace CGPROXY::CONFIG {
 
 void Config::toEnv() {
   mergeReserved();
+  setenv("program_proxy", join2str(program_proxy, ':').c_str(), 1);
+  setenv("program_noproxy", join2str(program_noproxy, ':').c_str(), 1);
   setenv("cgroup_proxy", join2str(cgroup_proxy, ':').c_str(), 1);
   setenv("cgroup_noproxy", join2str(cgroup_noproxy, ':').c_str(), 1);
   setenv("enable_gateway", to_str(enable_gateway).c_str(), 1);
@@ -43,6 +46,8 @@ int Config::saveToFile(const string f) {
 
 string Config::toJsonStr() {
   json j;
+  add2json(program_proxy);
+  add2json(program_noproxy);
   add2json(cgroup_proxy);
   add2json(cgroup_noproxy);
   add2json(enable_gateway);
@@ -74,6 +79,8 @@ int Config::loadFromJsonStr(const string js) {
     return PARAM_ERROR;
   }
   json j = json::parse(js);
+  tryassign(program_proxy);
+  tryassign(program_noproxy);
   tryassign(cgroup_proxy);
   tryassign(cgroup_noproxy);
   tryassign(enable_gateway);
@@ -83,6 +90,11 @@ int Config::loadFromJsonStr(const string js) {
   tryassign(enable_udp);
   tryassign(enable_ipv4);
   tryassign(enable_ipv6);
+
+  // e.g. v2ray -> /usr/bin/v2ray -> /usr/lib/v2ray/v2ray
+  toRealProgramPath(program_noproxy);
+  toRealProgramPath(program_proxy);
+
   return 0;
 }
 
@@ -96,6 +108,7 @@ bool Config::validateJsonStr(const string js) {
   bool status = true;
   const set<string> boolset = {"enable_gateway", "enable_dns",  "enable_tcp",
                                "enable_udp",     "enable_ipv4", "enable_ipv6"};
+  const set<string> allowset = {"program_proxy", "program_noproxy"};
   for (auto &[key, value] : j.items()) {
     if (key == "cgroup_proxy" || key == "cgroup_noproxy") {
       if (value.is_string() && !validCgroup((string)value)) status = false;
@@ -106,6 +119,8 @@ bool Config::validateJsonStr(const string js) {
       if (!validPort(value)) status = false;
     } else if (boolset.find(key) != boolset.end()) {
       if (!value.is_boolean()) status = false;
+    } else if (allowset.find(key) != allowset.end()) {
+
     } else {
       error("unknown key: %s", key.c_str());
       return false;
@@ -118,4 +133,22 @@ bool Config::validateJsonStr(const string js) {
   return true;
 }
 
+void Config::print_summary() {
+  info("noproxy program: %s", join2str(program_noproxy).c_str());
+  info("proxied program: %s", join2str(program_proxy).c_str());
+  info("noproxy cgroup: %s", join2str(cgroup_noproxy).c_str());
+  info("proxied cgroup: %s", join2str(cgroup_proxy).c_str());
+}
+
+void Config::toRealProgramPath(vector<string> &v) {
+  vector<string> tmp;
+  for (auto &p : v) {
+    auto rpath = getRealExistPath(p);
+    if (!rpath.empty()) tmp.push_back(rpath);
+    else
+      error("%s not exist or broken link", p.c_str());
+  }
+  v = tmp;
+}
+
 } // namespace CGPROXY::CONFIG

src/config.h

@@ -13,6 +13,8 @@ public:
   const string cgroup_proxy_preserved = CGROUP_PROXY_PRESVERED;
   const string cgroup_noproxy_preserved = CGROUP_NOPROXY_PRESVERED;
 
+  vector<string> program_proxy;
+  vector<string> program_noproxy;
   vector<string> cgroup_proxy;
   vector<string> cgroup_noproxy;
   bool enable_gateway = false;
@@ -28,10 +30,12 @@ public:
   string toJsonStr();
   int loadFromFile(const string f);
   int loadFromJsonStr(const string js);
+  void print_summary();
 
 private:
   void mergeReserved();
   bool validateJsonStr(const string js);
+  void toRealProgramPath(vector<string> &v);
 };
 
 } // namespace CGPROXY::CONFIG

src/execsnoop.cpp

@@ -0,0 +1,102 @@
+#include "execsnoop.h"
+#include "bcc/BPF.h"
+#include "common.h"
+#include <bcc/libbpf.h>
+#include <fstream>
+#include <functional>
+#include <iostream>
+#include <string>
+#include <unistd.h>
+using namespace std;
+
+namespace CGPROXY::EXECSNOOP {
+
+const string BPF_PROGRAM = R"(
+#include <linux/fs.h>
+#include <linux/sched.h>
+#include <uapi/linux/ptrace.h>
+
+struct data_t {
+    int pid;
+};
+
+BPF_PERF_OUTPUT(events);
+
+int syscall_execve(struct pt_regs *ctx,
+    const char __user *filename,
+    const char __user *const __user *__argv,
+    const char __user *const __user *__envp)
+{
+    struct data_t data = {};
+    data.pid = bpf_get_current_pid_tgid();
+    events.perf_submit(ctx, &data, sizeof(struct data_t));
+    return 0;
+}
+
+int ret_syscall_execve(struct pt_regs *ctx){
+    struct data_t data = {};
+    data.pid = bpf_get_current_pid_tgid();
+    int retval = PT_REGS_RC(ctx);
+    if (retval==0)
+      events.perf_submit(ctx, &data, sizeof(struct data_t));
+    return 0;
+}
+)";
+
+struct data_t {
+  int pid;
+};
+
+function<int(int)> callback = NULL;
+
+void handle_events(void *cb_cookie, void *data, int data_size) {
+  auto event = static_cast<data_t *>(data);
+  int pid = event->pid;
+
+  if (callback) callback(pid);
+}
+
+int execsnoop() {
+  debug("starting execsnoop");
+  ebpf::BPF bpf;
+  auto init_res = bpf.init(BPF_PROGRAM);
+  if (init_res.code() != 0) {
+    std::cerr << init_res.msg() << std::endl;
+    return 1;
+  }
+
+  string execve_fnname = bpf.get_syscall_fnname("execve");
+  // auto attach_res = bpf.attach_kprobe(execve_fnname, "syscall_execve");
+  auto attach_res =
+      bpf.attach_kprobe(execve_fnname, "ret_syscall_execve", 0, BPF_PROBE_RETURN);
+  if (attach_res.code() != 0) {
+    std::cerr << attach_res.msg() << std::endl;
+    return 1;
+  }
+
+  auto open_res = bpf.open_perf_buffer("events", &handle_events);
+  if (open_res.code() != 0) {
+    std::cerr << open_res.msg() << std::endl;
+    return 1;
+  }
+
+  if (bpf.free_bcc_memory()) {
+    std::cerr << "Failed to free llvm/clang memory" << std::endl;
+    return 1;
+  }
+
+  while (true) bpf.poll_perf_buffer("events");
+
+  return 0;
+}
+
+void *startThread(void *arg) {
+  thread_arg *p = (thread_arg *)arg;
+  callback = p->handle_pid;
+  execsnoop();
+  return (void *)0;
+}
+
+} // namespace CGPROXY::EXECSNOOP
+
+extern "C" void *_startThread(void *arg) { return CGPROXY::EXECSNOOP::startThread(arg); }

src/execsnoop.h

@@ -0,0 +1,22 @@
+#ifndef EXECSNOOP_HPP
+#define EXECSNOOP_HPP 1
+
+#include <functional>
+#include <string>
+using namespace std;
+
+namespace CGPROXY::EXECSNOOP {
+
+extern const string BPF_PROGRAM;
+struct data_t;
+extern function<int(int)> callback;
+void handle_events(void *cb_cookie, void *data, int data_size);
+int execsnoop();
+
+struct thread_arg {
+  function<int(int)> handle_pid;
+};
+void *startThread(void *arg);
+
+} // namespace CGPROXY::EXECSNOOP
+#endif

src/socket_server.cpp

@@ -49,7 +49,7 @@ void SocketServer::socketListening(function<int(char *)> callback) {
   }
 }
 
-void *SocketServer::startThread(void *arg) {
+void *startThread(void *arg) {
   thread_arg *p = (thread_arg *)arg;
   SocketServer server;
   server.socketListening(p->handle_msg);

src/socket_server.h

@@ -17,6 +17,7 @@ namespace CGPROXY::SOCKET {
 struct thread_arg {
   function<int(char *)> handle_msg;
 };
+void *startThread(void *arg);
 
 class SocketServer {
 public:
@@ -25,7 +26,6 @@ public:
 
   void socketListening(function<int(char *)> callback);
   ~SocketServer();
-  static void *startThread(void *arg);
 };
 
 } // namespace CGPROXY::SOCKET

tools/CMakeLists.txt

@@ -1,4 +1,12 @@
 include_directories(${PROJECT_SOURCE_DIR})
 include_directories(${PROJECT_SOURCE_DIR}/src)
-add_executable(cgattach cgattach.cpp ../src/cgroup_attach.cpp ../src/common.cpp) 
-install(TARGETS cgattach  DESTINATION /usr/bin PERMISSIONS ${basic_permission})
+
+add_executable(cgattach cgattach.cpp ../src/cgroup_attach.cpp ../src/common.cpp)
+install(TARGETS cgattach  DESTINATION /usr/bin PERMISSIONS ${basic_permission})
+
+if (with_execsnoop)
+add_executable(execsnoop_exec execsnoop.cpp ../src/common.cpp ../src/execsnoop.cpp)
+set_target_properties(execsnoop_exec PROPERTIES OUTPUT_NAME execsnoop)
+target_link_libraries(execsnoop_exec bcc)
+install(TARGETS execsnoop_exec  DESTINATION /usr/bin PERMISSIONS ${basic_permission})
+endif()

tools/execsnoop.cpp

@@ -0,0 +1,24 @@
+#include "execsnoop.h"
+#include "common.h"
+#include <unistd.h>
+using namespace std;
+using namespace CGPROXY::EXECSNOOP;
+
+#define PATH_MAX_LEN 128
+
+int handle_pid(int pid) {
+  char path[PATH_MAX_LEN];
+  auto size = readlink(to_str("/proc/", pid, "/exe").c_str(), path, PATH_MAX_LEN);
+  if (size == -1) error("readlink: %s", to_str("/proc/", pid, "/exe").c_str());
+  path[size] = '\0';
+  info("%d %s", pid, path);
+  return 0;
+}
+
+int main() {
+  enable_debug = true;
+  enable_info = true;
+  callback = handle_pid;
+  execsnoop();
+  return 0;
+}

v2ray_config/v2ray.service

@@ -7,7 +7,7 @@ Wants=network-online.target
 [Service]
 Type=exec
 ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
-User=nobody
+DynamicUser=yes
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
 Restart=on-failure
@@ -15,4 +15,4 @@ Restart=on-failure
 RestartPreventExitStatus=23
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target