diff --git a/pkg/security/ebpf/c/include/constants/offsets/filesystem.h b/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
index 496927e2fd8eb..24b2d5f769af1 100644
--- a/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
+++ b/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
@@ -23,9 +23,12 @@ dev_t __attribute__((always_inline)) get_inode_dev(struct inode *inode) {
 }

 dev_t __attribute__((always_inline)) get_dentry_dev(struct dentry *dentry) {
+ u64 offset;
+ LOAD_CONSTANT("dentry_d_sb_offset", offset);
+
 dev_t dev;
 struct super_block *sb;
- bpf_probe_read(&sb, sizeof(sb), &dentry->d_sb);
+ bpf_probe_read(&sb, sizeof(sb), (char *)dentry + offset);
 bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
 return dev;
 }
diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
index c5ee88a4452f6..2feab9c5e0402 100644
--- a/pkg/security/probe/constantfetch/constant_names.go
+++ b/pkg/security/probe/constantfetch/constant_names.go
@@ -28,6 +28,7 @@ const (
 OffsetNameKernelCloneArgsExitSignal = "kernel_clone_args_exit_signal_offset"
 OffsetNameFileFinode = "file_f_inode_offset"
 OffsetNameFileFpath = "file_f_path_offset"
+ OffsetNameDentryDSb = "dentry_d_sb_offset"
 OffsetNameMountMntID = "mount_id_offset"

 // inode times
diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
index 468a5f54c84d4..34f581a2d97ab 100644
--- a/pkg/security/probe/constantfetch/fallback.go
+++ b/pkg/security/probe/constantfetch/fallback.go
@@ -139,6 +139,8 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
 value = getFileFinodeOffset(f.kernelVersion)
 case OffsetNameFileFpath:
 value = getFileFpathOffset(f.kernelVersion)
+ case OffsetNameDentryDSb:
+ value = getDentryDsbOffset(f.kernelVersion)
 case OffsetNameMountMntID:
 value = getMountIDOffset(f.kernelVersion)
 case OffsetNameRenameStructOldDentry:
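Review bot: In `get_dentry_dev` the result of the first `bpf_probe_read` is not checked, and `sb` is then used as the base address of the second read, so a wrong or unresolved `offset` yields a plausible-looking but incorrect `dev_t` rather than a detectable failure. Now that the field location comes from a load-time constant instead of the compile-time `&dentry->d_sb`, I would reject a failed or NULL read, e.g. `if (bpf_probe_read(&sb, sizeof(sb), (char *)dentry + offset) < 0 || !sb) return 0;`. Whether 0 is an acceptable "unknown device" value depends on callers that are not visible in this hunk. A comment above the `LOAD_CONSTANT` line such as `// d_sb offset is supplied from user space (OffsetNameDentryDSb); the string must match constant_names.go` would also help, since nothing in this diff shows a name mismatch being detected.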
@@ -1013,6 +1015,10 @@ func getFileFpathOffset(kv *kernel.Version) uint64 {
 }
 }

+func getDentryDsbOffset(_ *kernel.Version) uint64 {
+ return 112
+}
+
 func getMountIDOffset(kv *kernel.Version) uint64 {
 switch {
 case kv.IsSuseKernel() || kv.Code >= kernel.Kernel5_12:
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index c51e920adf851..f93605ac53282 100644
--- a/pkg/security/probe/probe_ebpf.go
+++ b/pkg/security/probe/probe_ebpf.go
@@ -2408,6 +2408,7 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
 constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVMAreaStructFlags, "struct vm_area_struct", "vm_flags", "linux/mm_types.h")
 constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFinode, "struct file", "f_inode", "linux/fs.h")
 constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameFileFpath, "struct file", "f_path", "linux/fs.h")
+ constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameDentryDSb, "struct dentry", "d_sb", "linux/dcache.h")
 constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameMountMntID, "struct mount", "mnt_id", "")
 if kv.Code >= kernel.Kernel5_3 {
 constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameKernelCloneArgsExitSignal, "struct kernel_clone_args", "exit_signal", "linux/sched/task.h")
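Review bot: `getDentryDsbOffset` discards its `*kernel.Version` argument and returns 112 for every kernel, while the neighbouring fallbacks (`getFileFpathOffset`, `getMountIDOffset`) branch on `kv`. The position of `d_sb` inside `struct dentry` is not a stable ABI value and can differ between kernel versions and build configurations. So whenever this fallback fetcher is the one supplying the constant, `get_dentry_dev` in filesystem.h may read a neighbouring pointer field and report a wrong device number without any error. I would record which kernels the value was checked on, for example `// 112 = offsetof(struct dentry, d_sb) as verified on <kernel versions tested>`, and add `kv` cases for the layouts that differ.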