From 89ca2e699b6c5ffb35a06994bd10df25eb77a89f Mon Sep 17 00:00:00 2001
From: Jiping Yin
Date: Tue, 14 Oct 2025 15:32:08 +0800
Subject: [PATCH] feat: agent - eBPF istio envoy support (#10589)
* feat: agent - eBPF istio envoy support
* update codes
* remove config
---
 agent/src/ebpf/mod.rs | 1 +
 agent/src/ebpf/user/proc.c | 9 +++-
 agent/src/ebpf/user/symbol.h | 88 +++++++++++++++++--------------
 agent/src/ebpf_dispatcher.rs | 6 +++
 server/agent_config/template.yaml | 6 ++-
 5 files changed, 66 insertions(+), 44 deletions(-)
diff --git a/agent/src/ebpf/mod.rs b/agent/src/ebpf/mod.rs
index 681ff2f75d6..5d98aced079 100644
--- a/agent/src/ebpf/mod.rs
+++ b/agent/src/ebpf/mod.rs
@@ -825,6 +825,7 @@ extern "C" {
 * @return 0 on success, -1 on failure.
 */
 pub fn set_socket_fanout_ebpf(socket: c_int, group_id: c_int) -> c_int;
+ pub fn envoy_trace_start() -> c_int;
 }
 }
 }
diff --git a/agent/src/ebpf/user/proc.c b/agent/src/ebpf/user/proc.c
index b724973341d..987c05a562d 100644
--- a/agent/src/ebpf/user/proc.c
+++ b/agent/src/ebpf/user/proc.c
@@ -1289,8 +1289,14 @@ int add_probe_sym_to_tracer_probes(int pid, const char *path,
 * address to a physical address.
 * For shared library binary files (ET_DYN), no conversion is needed.
 * ref: https://refspecs.linuxbase.org/elf/gabi4+/ch5.pheader.html
+ *
+ * ET_DYN indicates a position-independent loadable file.
+ * It can be either a shared library (.so) or a PIE (Position Independent Executable).
+ * - PIE executables use random load addresses (ASLR) for better security (modern default).
+ * - Shared libraries are also ET_DYN but usually lack the executable bit.
+ * To distinguish between them, check if the file has executable permissions.
 */
- if (bcc_elf_get_type(probe_sym->binary_path) == ET_EXEC) {
+ if (bcc_elf_is_exe(probe_sym->binary_path)) {
 struct load_addr_t addr = {
 .target_addr = probe_sym->entry,
 .binary_addr = 0x0,
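Review bot: The new `pub fn envoy_trace_start() -> c_int;` is the only declaration in this extern block without a doc comment, while the line just above it closes a block ending in `@return 0 on success, -1 on failure.`. At an FFI boundary the return contract is all a Rust caller has to go on, so add a comment in the style of the neighbouring declarations, e.g. `/// Starts Envoy (Istio mTLS) tracing. @return 0 on success, -1 on failure.`, with the failure value matched to what the C implementation (not in this diff) actually returns. The enclosing `extern "C"` block starts outside the hunk.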
@@ -1303,6 +1309,7 @@ int add_probe_sym_to_tracer_probes(int pid, const char *path,
 if (!addr.binary_addr) {
 goto invalid;
 }
+ probe_sym->entry = addr.binary_addr;
 }
diff --git a/agent/src/ebpf/user/symbol.h b/agent/src/ebpf/user/symbol.h
index 1a4978b9cc1..5c75c8d0ca2 100644
--- a/agent/src/ebpf/user/symbol.h
+++ b/agent/src/ebpf/user/symbol.h
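Review bot: The replacement condition `if (bcc_elf_is_exe(probe_sym->binary_path))` decides by the file's executable permission, as the new comment states, and that is not a reliable way to tell a PIE from a shared library: some packaging conventions (RPM-based distributions, for example) install .so files with mode 0755, so such a library would take the ET_EXEC/PIE translation path, and the comment itself concedes libraries only "usually" lack the bit. If `bcc_elf_is_exe` (not in this diff) really keys on the mode bits, prefer an ELF-structural test — ET_EXEC, or ET_DYN that carries a PT_INTERP program header (or DF_1_PIE in DT_FLAGS_1) — and state that in the comment. Whether a misclassified library ends up with a wrong `binary_addr` depends on `find_load`, which is outside the hunk, so at minimum document that case. The enclosing `add_probe_sym_to_tracer_probes` starts and ends outside the hunk.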
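Review bot: `probe_sym->entry = addr.binary_addr;` overwrites the link-time virtual address with the translated file offset in place, so any later code in `add_probe_sym_to_tracer_probes` (which continues outside the hunk) that reads `entry` now sees a different kind of value; a one-line comment such as `/* entry now holds the file offset used as the uprobe attach point, not the virtual address */` would make that explicit. `struct symbol_uprobe` also carries `rets[]`; if those return addresses come from the same virtual-address space as `entry`, they presumably need the same translation — confirm.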
@@ -28,75 +28,81 @@ struct tracer_probes_conf;
 enum uprobe_type {
- GO_UPROBE = 0,
- OPENSSL_UPROBE,
- MEMPROF_UPROBE,
- PYTHON_UPROBE,
- OTHER_UPROBE
+ GO_UPROBE = 0,
+ OPENSSL_UPROBE,
+ MEMPROF_UPROBE,
+ PYTHON_UPROBE,
+ ENVOY_UPROBE,
+ OTHER_UPROBE
 };
 enum proc_act_type {
- PROC_EXEC = 0,
- PROC_EXIT
+ PROC_EXEC = 0,
+ PROC_EXIT
 };
 struct symbol {
- enum uprobe_type type;
- const char *symbol;
- const char *symbol_prefix;
- const char *probe_func;
- bool is_probe_ret;
+ enum uprobe_type type;
+ const char *symbol;
+ const char *symbol_prefix;
+ const char *probe_func;
+ bool is_probe_ret;
 };
 struct version_info {
- int major;
- int minor;
- int revision;
+ int major;
+ int minor;
+ int revision;
 };
 struct load_addr_t {
- uint64_t target_addr;
- uint64_t binary_addr;
+ uint64_t target_addr;
+ uint64_t binary_addr;
 };
 struct symbol_uprobe {
- struct list_head list;
- enum uprobe_type type;
- int pid;
- unsigned long long starttime; // process start time.
- const char *name; // symbol名字
- const char *binary_path; // so或目标可执行文件全路径
- const char *probe_func;
- size_t entry; //入口地址
- uint64_t size; //函数块大小
- struct version_info ver;
- size_t rets[FUNC_RET_MAX];
- int rets_count; // 返回数量 可用来判断是否attch rets
- bool isret;
- bool in_probe; // already in probe, if or not ?
+ struct list_head list;
+ enum uprobe_type type;
+ int pid;
+ unsigned long long starttime; // process start time.
+ const char *name; // symbol名字
+ const char *binary_path; // so或目标可执行文件全路径
+ const char *probe_func;
+ size_t entry; //入口地址
+ uint64_t size; //函数块大小
+ struct version_info ver;
+ size_t rets[FUNC_RET_MAX];
+ int rets_count; // 返回数量 可用来判断是否attch rets
+ bool isret;
+ bool in_probe; // already in probe, if or not ?
 };
 struct symbol_kprobe {
- bool isret; // only use kprobe
- char *symbol; // only use uprobe
- char *func;
+ bool isret; // only use kprobe
+ char *symbol; // only use uprobe
+ char *func;
 };
 struct symbol_tracepoint {
- char *name;
+ char *name;
 };
 struct symbol_kfunc {
- char *name;
+ char *name;
 };
-void free_uprobe_symbol(struct symbol_uprobe *u_sym, struct tracer_probes_conf *conf);
-void add_uprobe_symbol(int pid, struct symbol_uprobe *u_sym, struct tracer_probes_conf *conf);
+void free_uprobe_symbol(struct symbol_uprobe *u_sym,
+ struct tracer_probes_conf *conf);
+void add_uprobe_symbol(int pid, struct symbol_uprobe *u_sym,
+ struct tracer_probes_conf *conf);
 int copy_uprobe_symbol(struct symbol_uprobe *src, struct symbol_uprobe *dst);
 char *get_elf_path_by_pid(int pid);
-struct symbol_uprobe *resolve_and_gen_uprobe_symbol(const char *bin_file, struct symbol *sym, const uint64_t addr,
- int pid);
-uint64_t get_symbol_addr_from_binary(int pid, const char *bin, const char *symname);
+struct symbol_uprobe *resolve_and_gen_uprobe_symbol(const char *bin_file,
+ struct symbol *sym,
+ const uint64_t addr,
+ int pid);
+uint64_t get_symbol_addr_from_binary(int pid, const char *bin,
+ const char *symname);
 int find_load(uint64_t v_addr, uint64_t mem_sz, uint64_t file_offset, void *payload);
 #endif /* _USER_SYMBOL_H_ */
diff --git a/agent/src/ebpf_dispatcher.rs b/agent/src/ebpf_dispatcher.rs
index 751bbcf166b..395b91db13a 100644
--- a/agent/src/ebpf_dispatcher.rs
+++ b/agent/src/ebpf_dispatcher.rs
@@ -1192,6 +1192,12 @@ impl EbpfCollector {
 ebpf::dpdk_trace_start();
 }
+ // Istio envoy mtls
+ #[cfg(feature = "extended_observability")]
+ if config.ebpf.socket.uprobe.tls.enabled {
+ ebpf::envoy_trace_start();
+ }
+
 ebpf::bpf_tracer_finish();
 Ok(handle)
diff --git a/server/agent_config/template.yaml b/server/agent_config/template.yaml
index 0ae8289f9be..9eb814dc85e 100644
--- a/server/agent_config/template.yaml
+++ b/server/agent_config/template.yaml
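Review bot: Inserting `ENVOY_UPROBE` before `OTHER_UPROBE` renumbers `OTHER_UPROBE` from 4 to 5 in a plain C enum with implicit values, so any mirror of `enum uprobe_type` — for instance on the Rust FFI side in agent/src/ebpf/mod.rs, or a string table indexed by it, if such exist — would silently shift; either append the new enumerator after `OTHER_UPROBE` or write the values explicitly (`ENVOY_UPROBE = 4, OTHER_UPROBE = 5`) and check every switch over the enum that lacks a default. The hunk also re-indents all 75 lines, which buries the one functional line; a separate formatting commit would keep the change reviewable. Since the field lines are being rewritten anyway, the Chinese comments in `struct symbol_uprobe` could become English: `// symbol name`, `// full path of the .so or target executable`, `// entry address`, `// size of the function body`, `// number of return addresses; used to decide whether to attach rets`.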
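Review bot: The result of `ebpf::envoy_trace_start()` is discarded even though agent/src/ebpf/mod.rs in this same commit declares it as returning `c_int`, so a failed Envoy probe attach leaves mTLS traffic untraced with no log line while `tls.enabled` says the feature is on. Check the value and report it, e.g. `if ebpf::envoy_trace_start() != 0 { warn!("envoy_trace_start failed; Envoy mTLS traffic will not be traced"); }`, assuming the 0-on-success convention of the neighbouring declarations and whichever logging macro this file already has in scope. The adjacent `dpdk_trace_start()` call shows the same pattern, but that line is context rather than part of this change. The enclosing function starts outside the hunk.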
@@ -2684,7 +2684,8 @@ inputs:
 # [eBPF] INFO openssl uprobe, pid:1005, path:/proc/1005/root/usr/lib64/libssl.so.1.0.2k
 # ```
 #
- # Note: When enabling this feature, the specific process list must also be specified in `inputs.proc.process_matcher`,
+ # Note: When this feature is enabled, Envoy mTLS traffic can be automatically traced.
+ # For non-Envoy traffic, the specific process list must also be specified in `inputs.proc.process_matcher`,
 # i.e., `ebpf.socket.uprobe.tls` must be included in `inputs.proc.process_matcher.[*].enabled_features`.
 # ch: |-
 # 是否启用使用 openssl 库的进程以支持 HTTPS 协议数据采集。
@@ -2699,7 +2700,8 @@ inputs:
 # [eBPF] INFO openssl uprobe, pid:1005, path:/proc/1005/root/usr/lib64/libssl.so.1.0.2k
 # ```
 #
- # 注意:开启此功能时,需要同时在 `inputs.proc.process_matcher` 中进一步指定具体的进程列表,
+ # 注意:开启此功能后,Envoy mTLS 流量可自动完成追踪;
+ # 若为非 Envoy 流量,则需要同时在 `inputs.proc.process_matcher` 中进一步指定具体的进程列表,
 # 即 `inputs.proc.process_matcher.[*].enabled_features` 中需要包含 `ebpf.socket.uprobe.tls`。
 # upgrade_from: static_config.ebpf.uprobe-openssl-trace-enabled, static_config.ebpf.uprobe-process-name-regexs.openssl
 enabled: false