in_ebpf: Generate mostly monotonic event id for increasing traceability

plugins/in_ebpf/CMakeLists.txt

@@ -27,6 +27,38 @@ target_include_directories(gadget INTERFACE ${CMAKE_SOURCE_DIR}/plugins/in_ebpf/
 
 set(LIBC_PATH "/lib64/libc.so.6")
 
+set(FLB_IN_EBPF_LIBSSL_PATH "" CACHE FILEPATH
+    "Path to libssl shared object used by eBPF OpenSSL uprobes")
+
+if (FLB_IN_EBPF_LIBSSL_PATH)
+  set(LIBSSL_PATH "${FLB_IN_EBPF_LIBSSL_PATH}")
+else()
+  find_package(OpenSSL QUIET)
+
+  if (OPENSSL_SSL_LIBRARY)
+    set(LIBSSL_PATH "${OPENSSL_SSL_LIBRARY}")
+  elseif (TARGET OpenSSL::SSL)
+    get_target_property(_libssl_path OpenSSL::SSL IMPORTED_LOCATION)
+    if (_libssl_path)
+      set(LIBSSL_PATH "${_libssl_path}")
+    endif()
+  endif()
+
+  if (NOT LIBSSL_PATH)
+    find_library(LIBSSL_PATH NAMES ssl libssl.so libssl.so.3 libssl.so.1.1)
+  endif()
+
+  if (NOT LIBSSL_PATH)
+    set(LIBSSL_PATH "/lib64/libssl.so.3")
+  endif()
+endif()
+
+if (LIBSSL_PATH MATCHES "\\.(a|lib)$")
+  message(WARNING
+          "eBPF OpenSSL uprobes resolved a static OpenSSL library: ${LIBSSL_PATH}. "
+          "Set FLB_IN_EBPF_LIBSSL_PATH to the target host libssl shared object.")
+endif()
+
 find_program(LSB_RELEASE_EXEC lsb_release)
 if (LSB_RELEASE_EXEC)
   execute_process(COMMAND ${LSB_RELEASE_EXEC} -i
@@ -50,12 +82,19 @@ if (LSB_RELEASE_EXEC)
   endif()
 endif()
 
+message(STATUS "eBPF OpenSSL uprobes libssl path: ${LIBSSL_PATH}")
+
 # Generate the malloc trace from the template
 configure_file(
   "${CMAKE_SOURCE_DIR}/plugins/in_ebpf/traces/malloc/bpf.c.in"
   "${CMAKE_SOURCE_DIR}/plugins/in_ebpf/traces/malloc/bpf.c"
   )
 
+configure_file(
+  "${CMAKE_SOURCE_DIR}/plugins/in_ebpf/traces/openssl/bpf.c.in"
+  "${CMAKE_SOURCE_DIR}/plugins/in_ebpf/traces/openssl/bpf.c"
+  )
+
 # Find all bpf.c files in the traces directory
 file(GLOB_RECURSE TRACE_C_FILES ${CMAKE_SOURCE_DIR}/plugins/in_ebpf/traces/*/bpf.c)
 

plugins/in_ebpf/traces/bind/bpf.c

@@ -20,6 +20,7 @@
 #include <gadget/types.h>
 
 #include "common/events.h"
+#include "common/event_id.bpf.h"
 
 #define MAX_ENTRIES 10240
 
@@ -75,6 +76,7 @@ static int handle_bind_exit(struct pt_regs *ctx, short ver) {
     event->common.gid = (u32)(uid_gid >> 32);
     event->common.mntns_id = mntns_id;
     event->type = EVENT_TYPE_BIND;
+    generate_event_id(&event->common.event_id);
     event->common.timestamp_raw = bpf_ktime_get_boot_ns();
     bpf_get_current_comm(&event->common.comm, sizeof(event->common.comm));
 

plugins/in_ebpf/traces/dns/bpf.c

@@ -14,6 +14,7 @@
 #include <gadget/types.h>
 
 #include "common/events.h"
+#include "common/event_id.bpf.h"
 
 #ifndef AF_INET
 #define AF_INET 2
@@ -96,6 +97,7 @@ static __always_inline void fill_common(struct event *event, __u64 mntns_id)
     pid_tgid = bpf_get_current_pid_tgid();
     uid_gid = bpf_get_current_uid_gid();
 
+    generate_event_id(&event->common.event_id);
     event->common.timestamp_raw = bpf_ktime_get_boot_ns();
     event->common.pid = (__u32) (pid_tgid >> 32);
     event->common.tid = (__u32) pid_tgid;

plugins/in_ebpf/traces/exec/bpf.c

@@ -14,6 +14,7 @@
 #include <gadget/types.h>
 
 #include "common/events.h"
+#include "common/event_id.bpf.h"
 
 #define MAX_ENTRIES 10240
 #define ARGV_MAX_SCAN 20
@@ -71,6 +72,7 @@ static __always_inline int submit_exec_event(void *ctx,
     pid_tgid = bpf_get_current_pid_tgid();
     uid_gid = bpf_get_current_uid_gid();
 
+    generate_event_id(&event->common.event_id);
     event->common.timestamp_raw = bpf_ktime_get_boot_ns();
     event->common.pid = (__u32) (pid_tgid >> 32);
     event->common.tid = (__u32) pid_tgid;

plugins/in_ebpf/traces/includes/common/encoder.h

@@ -29,6 +29,14 @@ static inline char *event_type_to_string(enum event_type type) {
             return "dns";
         case EVENT_TYPE_SCHED:
             return "sched";
+        case EVENT_TYPE_TLS_HANDSHAKE:
+            return "tls_handshake";
+        case EVENT_TYPE_TLS_READ:
+            return "tls_read";
+        case EVENT_TYPE_TLS_WRITE:
+            return "tls_write";
+        case EVENT_TYPE_TLS_SHUTDOWN:
+            return "tls_shutdown";
         default:
             return "unknown";
     }
@@ -58,6 +66,16 @@ static inline int encode_common_fields(struct flb_log_event_encoder *log_encoder
         return -1;
     }
 
+    /* Encode event ID */
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "event_id");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_uint64(log_encoder, e->common.event_id);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        return -1;
+    }
+
     /* Encode process ID */
     ret = flb_log_event_encoder_append_body_cstring(log_encoder, "pid");
     if (ret != FLB_EVENT_ENCODER_SUCCESS) {

plugins/in_ebpf/traces/includes/common/event_id.bpf.h

@@ -0,0 +1,27 @@
+#ifndef EBPF_EVENT_ID_H
+#define EBPF_EVENT_ID_H
+
+#include <bpf/bpf_helpers.h>
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+    __type(key, __u32);
+    __type(value, __u64);
+    __uint(max_entries, 1);
+} seq_counter SEC(".maps");
+
+static __always_inline void generate_event_id(__u64 *event_id)
+{
+    __u32 key = 0;
+    __u64 *counter = bpf_map_lookup_elem(&seq_counter, &key);
+    if (counter) {
+        /* ID is CPU shifted left by 48 bits, OR'd with per-CPU counter */
+        *event_id = ((__u64)bpf_get_smp_processor_id() << 48) | (*counter);
+        (*counter)++;
+    }
+    else {
+        *event_id = 0;
+    }
+}
+
+#endif /* EBPF_EVENT_ID_H */

plugins/in_ebpf/traces/includes/common/events.h

@@ -22,6 +22,10 @@ enum event_type {
     EVENT_TYPE_CONNECT,
     EVENT_TYPE_DNS,
     EVENT_TYPE_SCHED,
+    EVENT_TYPE_TLS_HANDSHAKE,
+    EVENT_TYPE_TLS_READ,
+    EVENT_TYPE_TLS_WRITE,
+    EVENT_TYPE_TLS_SHUTDOWN,
 };
 
 enum vfs_op {
@@ -45,6 +49,7 @@ enum memop {
 };
 
 struct event_common {
+    __u64 event_id;
     __u64 timestamp_raw;
     __u32 pid;
     __u32 tid;
@@ -163,6 +168,18 @@ struct sched_sample {
     struct sched_event details;
 };
 
+struct tls_handshake_event {
+    __u64 ssl_ptr;
+    __s64 latency_ns;
+    int ret;
+};
+
+struct tls_io_event {
+    __u64 ssl_ptr;
+    __s64 latency_ns;
+    int ret;
+};
+
 struct event {
     enum event_type type;           // Type of event (execve, signal, mem, bind)
     struct event_common common;     // Common fields for all events
@@ -177,6 +194,8 @@ struct event {
         struct connect_event connect;
         struct dns_event dns;
         struct sched_event sched;
+        struct tls_handshake_event tls_handshake;
+        struct tls_io_event tls_io;
     } details;
 };
 

plugins/in_ebpf/traces/malloc/bpf.c.in

@@ -15,6 +15,7 @@
 #include <gadget/types.h>
 
 #include "common/events.h"
+#include "common/event_id.bpf.h"
 
 #define MAX_ENTRIES 10240
 
@@ -72,6 +73,7 @@ static int gen_alloc_exit(struct pt_regs *ctx, enum memop op, u64 addr) {
 
     u64 uid_gid = bpf_get_current_uid_gid();
 
+    generate_event_id(&eventp->common.event_id);
     eventp->common.timestamp_raw = bpf_ktime_get_ns();
     eventp->common.pid = tid >> 32;
     eventp->common.tid = tid;
@@ -102,6 +104,7 @@ static int gen_free_enter(struct pt_regs *ctx, enum memop op, u64 addr) {
 
     u32 tid = (u32)bpf_get_current_pid_tgid();
 
+    generate_event_id(&eventp->common.event_id);
     eventp->common.timestamp_raw = bpf_ktime_get_ns();
     eventp->common.pid = tid >> 32;
     eventp->common.tid = tid;