author | Rong Tao <rongtao@cestc.cn> | 2023-08-23 22:17:51 +0800 |
---|---|---|
committer | yonghong-song <ys114321@gmail.com> | 2023-08-31 08:10:59 -0400 |
commit | 176fc2eceaa3c0c6679a2e18b3a99183522b0778 (patch) | |
tree | 0c983d2596af0ec1dc6ccfc4dd9c08e67459e8b2 | |
parent | 442f658dc22d70bb024cac448932e27090d4a965 (diff) | |
download | bcc-176fc2eceaa3c0c6679a2e18b3a99183522b0778.tar.gz |
tools/{filegone.py,filelife.py}: Check btf struct field for CO-RE
Since kernel commit abf08576afe3 ("fs: port vfs_*() helpers to struct
mnt_idmap"), the vfs_unlink/create functions take 'struct mnt_idmap' instead
of 'struct user_namespace'.
Signed-off-by: Rong Tao <rongtao@cestc.cn>
-rwxr-xr-x | tools/filegone.py | 16 | ||||
-rwxr-xr-x | tools/filelife.py | 29 |
2 files changed, 31 insertions, 14 deletions
diff --git a/tools/filegone.py b/tools/filegone.py index 16df5b5e..dee3f642 100755 --- a/tools/filegone.py +++ b/tools/filegone.py @@ -106,12 +106,15 @@ int trace_rename(struct pt_regs *ctx, struct renamedata *rd) struct dentry *new_dentry = rd->new_dentry; """ -bpf_vfs_unlink_text_old=""" +bpf_vfs_unlink_text_1=""" int trace_unlink(struct pt_regs *ctx, struct inode *dir, struct dentry *dentry) """ -bpf_vfs_unlink_text_new=""" +bpf_vfs_unlink_text_2=""" int trace_unlink(struct pt_regs *ctx, struct user_namespace *ns, struct inode *dir, struct dentry *dentry) """ +bpf_vfs_unlink_text_3=""" +int trace_unlink(struct pt_regs *ctx, struct mnt_idmap *idmap, struct inode *dir, struct dentry *dentry) +""" def action2str(action): if chr(action) == 'D': @@ -132,12 +135,15 @@ if debug or args.ebpf: exit() # check 'struct renamedata' exist or not -if BPF.kernel_struct_has_field("renamedata", "old_mnt_userns") == 1: +if BPF.kernel_struct_has_field(b'renamedata', b'new_mnt_idmap') == 1: + bpf_text = bpf_text.replace('TRACE_VFS_RENAME_FUNC', bpf_vfs_rename_text_new) + bpf_text = bpf_text.replace('TRACE_VFS_UNLINK_FUNC', bpf_vfs_unlink_text_3) +elif BPF.kernel_struct_has_field("renamedata", "old_mnt_userns") == 1: bpf_text = bpf_text.replace('TRACE_VFS_RENAME_FUNC', bpf_vfs_rename_text_new) - bpf_text = bpf_text.replace('TRACE_VFS_UNLINK_FUNC', bpf_vfs_unlink_text_new) + bpf_text = bpf_text.replace('TRACE_VFS_UNLINK_FUNC', bpf_vfs_unlink_text_2) else: bpf_text = bpf_text.replace('TRACE_VFS_RENAME_FUNC', bpf_vfs_rename_text_old) - bpf_text = bpf_text.replace('TRACE_VFS_UNLINK_FUNC', bpf_vfs_unlink_text_old) + bpf_text = bpf_text.replace('TRACE_VFS_UNLINK_FUNC', bpf_vfs_unlink_text_1) # initialize BPF b = BPF(text=bpf_text) diff --git a/tools/filelife.py b/tools/filelife.py index 852695d6..ae0279e3 100755 --- a/tools/filelife.py +++ b/tools/filelife.py 
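Review bot: The `_1`/`_2`/`_3` suffixes on `bpf_vfs_unlink_text_*` no longer say which kernel signature each string matches, where `_old`/`_new` at least gave an order. A one-line comment above each variant would record that, such as `# vfs_unlink(dir, dentry): before the user_namespace argument was added`, `# vfs_unlink(user_namespace, dir, dentry)` and `# vfs_unlink(mnt_idmap, dir, dentry): since kernel commit abf08576afe3`. The same applies to `trace_create_text_*` and `trace_unlink_text_*` in the first hunk of tools/filelife.py.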
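Review bot: The `else` branch at the end of the selection chain in the second hunk is reached both when `renamedata` lacks the two fields and when the lookup itself fails, because each test only compares the result with `== 1`. As far as I know `BPF.kernel_struct_has_field` returns a negative value when kernel BTF cannot be read; on a recent kernel that would select `bpf_vfs_unlink_text_1`, whose `dir` and `dentry` parameters no longer line up with the arguments of vfs_unlink(), so the tool would report wrong file names without any error. Store the result once and warn or exit on the failure case before choosing a signature, for example `has_idmap = BPF.kernel_struct_has_field(b'renamedata', b'new_mnt_idmap')` followed by a check for `has_idmap < 0`. The second hunk of tools/filelife.py has the same chain. The `elif` here also still passes `str` arguments while the new test passes `bytes`; `b'renamedata', b'old_mnt_userns'` would match filelife.py.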
@@ -124,21 +124,29 @@ TRACE_UNLINK_FUNC } """ -trace_create_text_old=""" +trace_create_text_1=""" int trace_create(struct pt_regs *ctx, struct inode *dir, struct dentry *dentry) """ -trace_create_text_new=""" +trace_create_text_2=""" int trace_create(struct pt_regs *ctx, struct user_namespace *mnt_userns, struct inode *dir, struct dentry *dentry) """ +trace_create_text_3=""" +int trace_create(struct pt_regs *ctx, struct mnt_idmap *idmap, + struct inode *dir, struct dentry *dentry) +""" -trace_unlink_text_old=""" +trace_unlink_text_1=""" int trace_unlink(struct pt_regs *ctx, struct inode *dir, struct dentry *dentry) """ -trace_unlink_text_new=""" +trace_unlink_text_2=""" int trace_unlink(struct pt_regs *ctx, struct user_namespace *mnt_userns, struct inode *dir, struct dentry *dentry) """ +trace_unlink_text_3=""" +int trace_unlink(struct pt_regs *ctx, struct mnt_idmap *idmap, + struct inode *dir, struct dentry *dentry) +""" if args.pid: bpf_text = bpf_text.replace('FILTER', 
@@ -150,12 +158,15 @@ if debug or args.ebpf: if args.ebpf: exit() -if BPF.kernel_struct_has_field(b'renamedata', b'old_mnt_userns') == 1: - bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_new) - bpf_text = bpf_text.replace('TRACE_UNLINK_FUNC', trace_unlink_text_new) +if BPF.kernel_struct_has_field(b'renamedata', b'new_mnt_idmap') == 1: + bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_3) + bpf_text = bpf_text.replace('TRACE_UNLINK_FUNC', trace_unlink_text_3) +elif BPF.kernel_struct_has_field(b'renamedata', b'old_mnt_userns') == 1: + bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_2) + bpf_text = bpf_text.replace('TRACE_UNLINK_FUNC', trace_unlink_text_2) else: - bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_old) - bpf_text = bpf_text.replace('TRACE_UNLINK_FUNC', trace_unlink_text_old) + bpf_text = bpf_text.replace('TRACE_CREATE_FUNC', trace_create_text_1) + bpf_text = bpf_text.replace('TRACE_UNLINK_FUNC', trace_unlink_text_1) # initialize BPF b = BPF(text=bpf_text) |
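Review bot: Nothing in this chain says why `struct renamedata` is inspected when the probes being chosen are for vfs_create() and vfs_unlink(), neither of which appears to take that struct in the signatures shown. A comment above the first `if` would make the indirection explicit, for example `# renamedata's field names are used as a marker for the first argument of vfs_*(): mnt_idmap, user_namespace, or none`. It should also name kernel commit abf08576afe3 as the change the check relies on, since a kernel that carries only part of that change would presumably be misdetected. The second hunk of tools/filegone.py would benefit from the same comment.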