add dentry_d_sb_offset constant

DataDog · Dec 10, 2024 · c55b11c · c55b11c
1 parent 27d7ef8
commit c55b11c
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/pkg/security/ebpf/c/include/constants/offsets/filesystem.h b/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
@@ -23,9 +23,12 @@ dev_t __attribute__((always_inline)) get_inode_dev(struct inode *inode) {
 }
 
 dev_t __attribute__((always_inline)) get_dentry_dev(struct dentry *dentry) {
+    u64 offset;
+    LOAD_CONSTANT("dentry_d_sb_offset", offset);
+
     dev_t dev;
     struct super_block *sb;
-    bpf_probe_read(&sb, sizeof(sb), &dentry->d_sb);
+    bpf_probe_read(&sb, sizeof(sb), (char *)dentry + offset);
     bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
     return dev;
 }

diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
@@ -28,6 +28,7 @@ const (
 	OffsetNameKernelCloneArgsExitSignal = "kernel_clone_args_exit_signal_offset"
 	OffsetNameFileFinode                = "file_f_inode_offset"
 	OffsetNameFileFpath                 = "file_f_path_offset"
+	OffsetNameDentryDSb                 = "dentry_d_sb_offset"
 	OffsetNameMountMntID                = "mount_id_offset"
 
 	// inode times

diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
@@ -139,6 +139,8 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
 		value = getFileFinodeOffset(f.kernelVersion)
 	case OffsetNameFileFpath:
 		value = getFileFpathOffset(f.kernelVersion)
+	case OffsetNameDentryDSb:
+		value = getDentryDsbOffset(f.kernelVersion)
 	case OffsetNameMountMntID:
 		value = getMountIDOffset(f.kernelVersion)
 	case OffsetNameRenameStructOldDentry:
@@ -1013,6 +1015,10 @@ func getFileFpathOffset(kv *kernel.Version) uint64 {
 	}
 }
 
+func getDentryDsbOffset(_ *kernel.Version) uint64 {
+	return 112
+}
+
 func getMountIDOffset(kv *kernel.Version) uint64 {
 	switch {
 	case kv.IsSuseKernel() || kv.Code >= kernel.Kernel5_12:

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -2408,6 +2408,7 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVMAreaStructFlags, "struct vm_area_struct", "vm_flags", "linux/mm_types.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFinode, "struct file", "f_inode", "linux/fs.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFpath, "struct file", "f_path", "linux/fs.h")
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameDentryDSb, "struct dentry", "d_sb", "linux/dcache.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameMountMntID, "struct mount", "mnt_id", "")
 	if kv.Code >= kernel.Kernel5_3 {
 		constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameKernelCloneArgsExitSignal, "struct kernel_clone_args", "exit_signal", "linux/sched/task.h")