feat: agent - eBPF Support unix domain sockets

Author: yinjiping

agent/src/ebpf/kernel/include/protocol_inference.h

@@ -111,6 +111,9 @@ __protocol_port_check(enum traffic_protocol proto,
 		return false;
 	}
 
+	if (conn_info->sk_type == SOCK_UNIX)
+		return true;
+
 	__u32 key = proto;
 	ports_bitmap_t *ports = proto_ports_bitmap__lookup(&key);
 	if (ports) {
@@ -426,7 +429,7 @@ static __inline enum message_type parse_http2_headers_frame(const char
 #if defined(LINUX_VER_KFUNC) || defined(LINUX_VER_5_2_PLUS)
 #define HTTPV2_LOOP_MAX 8
 #else
-#define HTTPV2_LOOP_MAX 6
+#define HTTPV2_LOOP_MAX 5
 #endif
 /*
  *  HTTPV2_FRAME_READ_SZ取值考虑以下3部分：
@@ -3802,10 +3805,6 @@ infer_protocol_1(struct ctx_info_s *ctx,
 	if (conn_info->sk == NULL)
 		return inferred_message;
 
-	if (conn_info->tuple.dport == 0 || conn_info->tuple.num == 0) {
-		return inferred_message;
-	}
-
 	/*
 	 * The socket that is indeed determined to be a protocol does not
 	 * enter drop_msg_by_comm().
@@ -3884,7 +3883,8 @@ infer_protocol_1(struct ctx_info_s *ctx,
 	 * If the data source comes from kernel system calls, it is discarded
 	 * directly because some kernel probes do not handle TLS data.
 	 */
-	if (protocol_port_check_1(PROTO_TLS, conn_info) &&
+	if (conn_info->sk_type != SOCK_UNIX &&
+	    protocol_port_check_1(PROTO_TLS, conn_info) &&
 	    extra->source == DATA_SOURCE_SYSCALL) {
 		/*
 		 * TLS first performs handshake protocol inference and discards the data

agent/src/ebpf/kernel/include/socket_trace.h

@@ -34,6 +34,8 @@
 #define INFER_CONTINUE	1
 #define INFER_TERMINATE	2
 
+#define SOCK_UNIX	11 // Used to identify UNIX domain sockets. 
+
 #define MAX_PUSH_DELAY_TIME_NS 100000000ULL // 100ms
 
 typedef long unsigned int __kernel_size_t;
@@ -85,6 +87,7 @@ struct mmsghdr {
 #define SOCK_CHECK_TYPE_ERROR           0
 #define SOCK_CHECK_TYPE_UDP             1
 #define SOCK_CHECK_TYPE_TCP_ES          2
+#define SOCK_CHECK_TYPE_UNIX		3
 
 #include "socket_trace_common.h"
 

agent/src/ebpf/kernel/socket_trace.bpf.c

@@ -618,10 +618,11 @@ static __inline int is_tcp_udp_data(void *sk,
 	bpf_probe_read_kernel(&conn_info->skc_family,
 			      sizeof(conn_info->skc_family),
 			      sk + offset->struct_sock_family_offset);
-	/*
-	 * Without thinking about PF_UNIX.
-	 */
+
 	switch (conn_info->skc_family) {
+	case PF_UNIX:
+		// Handle UNIX domain sockets, tracing local IPC
+		return SOCK_CHECK_TYPE_UNIX;
 	case PF_INET:
 		break;
 	case PF_INET6:
@@ -691,6 +692,11 @@ static __inline void init_conn_info(__u32 tgid, __u32 fd,
 static __inline bool get_socket_info(struct __socket_data *v, void *sk,
 				     struct conn_info_s *conn_info)
 {
+	if (conn_info->sk_type == SOCK_UNIX) {
+		v->tuple.addr_len = 4;
+		return true;
+	}
+
 	if (v == NULL || sk == NULL)
 		return false;
 
@@ -732,6 +738,11 @@ static __inline bool get_socket_info(struct __socket_data *v, void *sk,
 static __inline bool get_socket_info(struct __tuple_t *tuple, void *sk,
 				     struct conn_info_s *conn_info)
 {
+	if (conn_info->sk_type == SOCK_UNIX) {
+		tuple->addr_len = 4;
+		return true;
+	}
+
 	if (sk == NULL)
 		return false;
 
@@ -1704,7 +1715,7 @@ static __inline int process_data(struct pt_regs *ctx, __u64 id,
 #endif
 	struct conn_info_s *conn_info, __conn_info = { 0 };
 	conn_info = &__conn_info;
-	__u8 sock_state;
+	__u8 sock_state = 0;
 	if (!(sk != NULL &&
 	      ((sock_state = is_tcp_udp_data(sk, offset, conn_info))
 	       != SOCK_CHECK_TYPE_ERROR))) {
@@ -1715,6 +1726,9 @@ static __inline int process_data(struct pt_regs *ctx, __u64 id,
 #endif
 	}
 
+	if (sock_state == SOCK_CHECK_TYPE_UNIX)
+		conn_info->sk_type = SOCK_UNIX;
+
 	init_conn_info(id >> 32, args->fd, conn_info, sk, direction,
 		       bytes_count, offset);
 	if (conn_info->tuple.l4_protocol == IPPROTO_UDP