在内核模块中获取NFS客户端IP地址 [英] Get NFS client IP address in a kernel module

问题描述

我正在研究内核模块，以跟踪服务器上NFS客户端执行的操作. 我可以使用黑客方式(劫持vfs层)来拦截文件操作，但无法获取客户端的IP地址.

I'm working on a kernel module to track the operations performed by NFS clients on my server. I can intercept the file operations using a hacky way (hijacking the vfs layer) but I can't retrieve the IP address of the client.

current任务中是否可以存储任何信息，我可以使用这些信息来获取执行操作的NFS客户端的IP地址?

Is there any information that might be stored in the current task that I can use to obtain the IP address of the NFS client performing an operation?

通过深入研究源代码，我知道nfsd在struct super_block的s_fs_info字段中存储了struct nfsd_net，但是我只能将其作为struct net指针进行检索.在nfsd的实现中，正在使用net_generic方法来获取struct nfsd_net指针(使用nfsd_net_id，它是pernet_operations的id).

I know from digging into the source code that nfsd stores a struct nfsd_net in the struct super_block's s_fs_info field, but I can only retrieve it as a struct net pointer. And in nfsd's implementation net_generic method is being used to get the struct nfsd_net pointer (using nfsd_net_id which is the pernet_operations's id).

我可以通过某种方式获取此ID吗?如果可以，我可以在内核模块中使用struct nfsd_net吗?它是在fs/nfsd/netns.h之外的其他地方定义的吗?

Can I obtain this id somehow? and if yes, can I use the struct nfsd_net in my kernel module? Is it defined somewhere other than the fs/nfsd/netns.h?

修改

我正在使用此方法劫持打开功能.我正在为内核版本4.15.0编写此代码.这是内核模块的代码:

I'm using this approach to hijack the open function. I'm writing this for kernel version 4.15.0. Here's the code of the kernel module:

#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/kobject.h>
#include <linux/string.h>
#include <linux/slab.h>
#include <linux/version.h>
#include <linux/proc_fs.h>
#include <linux/cred.h>
#include <linux/sched.h>
#include <linux/preempt.h>
#include <linux/uaccess.h>
#include <linux/xattr.h>

MODULE_LICENSE("GPL");

#if defined(__i386__)
    #define POFF 1
    #define CSIZE 6
    // push address, addr, ret
    char *jmp_code="\x68\x00\x00\x00\x00\xc3";
    typedef unsigned int PSIZE;
#else
    #define POFF 2
    #define CSIZE 12
    // mov address to register rax, jmp rax. for normal x64 convention
    char *jmp_code="\x48\xb8\x00\x00\x00\x00\x00\x00\x00\x00\xff\xe0";
    typedef unsigned long PSIZE;
#endif

DEFINE_SPINLOCK(root_open_lock);

int (*orig_root_open) (struct inode *, struct file *);
void *orig_root_open_code;

void hook(void *src_func,void *dst_addr){
  barrier();
  write_cr0(read_cr0() & (~0x10000));
  memcpy(src_func,jmp_code,CSIZE);
  *(PSIZE *)&(((unsigned char*)src_func)[POFF])=(PSIZE)dst_addr;
  write_cr0(read_cr0() | 0x10000);
  barrier();
}

void save_and_hook(void **p_reserve,void *src_func,void *dst_addr){
  barrier();
  write_cr0(read_cr0() & (~0x10000));
  *p_reserve=kmalloc(CSIZE,GFP_KERNEL);
  // save origin code
  memcpy(*p_reserve,src_func,CSIZE);
  hook(src_func,dst_addr);
  write_cr0(read_cr0() | 0x10000);
  barrier();
}

void fix(void **p_reserve,void *src_func){
  barrier();
  write_cr0(read_cr0() & (~0x10000));
  memcpy(src_func,*p_reserve,CSIZE);
  write_cr0(read_cr0() | 0x10000);
  barrier();
}

int fake_root_open(struct inode *x, struct file *fp)
{
  int ret;

  printk("vfshijack: hijacked open\n"); // I need to find the client ip here.

  barrier();
  spin_lock(&root_open_lock);
  fix(&orig_root_open_code, orig_root_open);
  ret = orig_root_open(x, fp);
  hook(orig_root_open, fake_root_open);
  spin_unlock(&root_open_lock);
  barrier();
  return ret;
}

int vfs_init(void)
{
  struct file *fp = filp_open("/", O_DIRECTORY|O_RDONLY, 0);
  if (IS_ERR(fp))
    return -1;

  orig_root_open = fp->f_op->open;
  if(orig_root_open)
  {
    save_and_hook(&orig_root_open_code, orig_root_open, fake_root_open);
  }

  filp_close(fp, NULL);

  printk("vfshijack: vfshijack loaded\n");
  return 0;
}

void vfs_exit(void)
{
  if(orig_root_open)
  {
    fix(&orig_root_open_code, orig_root_open);
  }
  printk("vfshijack: vfshijack unloaded\n");
}

module_init(vfs_init);
module_exit(vfs_exit);

推荐答案

您可以尝试从linux内核跟踪工具中获取所需的信息，而无需将内核二进制文件与某些自定义程序挂钩.对于大多数内核版本，有perf，ftrace，trace-cmd，对于更多自定义版本有stap和lttng.开始的一些文档: https://www.kernel.org /doc/html/v4.18/trace/index.html "Linux跟踪技术"

You can try to get needed information from linux kernel tracing tools without hooking kernel binary with some custom assembly. There are perf, ftrace, trace-cmd for most kernel versions, and stap and lttng for more custom versions. Some documentation to start: https://www.kernel.org/doc/html/v4.18/trace/index.html "Linux Tracing Technologies"

nfsd中定义了几个跟踪点:

There are several tracepoints defined in nfsd:

# modprobe nfsd
# modprobe nfs
# perf list tracepoint|grep nfs
# find /sys/kernel/debug/tracing/events -type d|grep nfsd
# trace-cmd list -e nfsd:read_start -F

nfsd/read_start和nfsd/write_start跟踪点是很好的起点.两者都应该可以访问地址为 https://elixir.bootlin.com/linux/v4.15/source/fs/nfsd/vfs.c#L1020

nfsd/read_start and nfsd/write_start tracepoints are good places to start. Both should have access to request structure rqstp with address rq_addr and fh pointer (but some eBPF or stap scripting may be useful) https://elixir.bootlin.com/linux/v4.15/source/fs/nfsd/vfs.c#L1020

__be32 nfsd_read(struct svc_rqst *rqstp, struct svc_fh *fhp,...)

    trace_read_start(rqstp, fhp, offset, vlen);

    trace_read_opened(rqstp, fhp, offset, vlen);

    trace_read_io_done(rqstp, fhp, offset, vlen);

    trace_read_done(rqstp, fhp, offset, vlen);

对于nfs守护程序跟踪，我没有trace-cmd或stap用法的完整示例.

I have no complete example of trace-cmd or stap usage for nfs daemon tracing.

Systemtap(stap)包含一些nfsd统计信息的示例: https://github.com/jav/systemtap/blob/master/testsuite/systemtap.examples/index.txt

Systemtap (stap) has some examples of nfsd statistics: https://github.com/jav/systemtap/blob/master/testsuite/systemtap.examples/index.txt

# stap nfsd_unlink.stp -c "sleep 0.2"
The nfsdtop.stp script gathers and displays NFS lookups

https://github.com /larytet/SystemTap/blob/master/testsuite/systemtap.examples/network/nfsdtop.stp

这篇关于在内核模块中获取NFS客户端IP地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！