add constant for vfsmount_mnt_sb_offset

DataDog · Jan 7, 2025 · b3744f2 · b3744f2
1 parent 327d1fa
commit b3744f2
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/pkg/security/ebpf/c/include/constants/offsets/filesystem.h b/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
@@ -163,8 +163,11 @@ struct file_system_type *__attribute__((always_inline)) get_super_block_fs(struc
 }
 
 struct super_block *__attribute__((always_inline)) get_vfsmount_sb(struct vfsmount *mnt) {
+	u64 offset;
+	LOAD_CONSTANT("vfsmount_mnt_sb_offset", offset);
+
     struct super_block *sb;
-    bpf_probe_read(&sb, sizeof(sb), &mnt->mnt_sb);
+    bpf_probe_read(&sb, sizeof(sb), (void *)mnt + offset);
     return sb;
 }
 
@@ -213,7 +216,7 @@ unsigned long __attribute__((always_inline)) get_path_ino(struct path *path) {
 
 void __attribute__((always_inline)) get_dentry_name(struct dentry *dentry, void *buffer, size_t n) {
 	u64 dentry_d_name_offset;
-	LOAD_CONSTANT*("dentry_d_name_offset", dentry_d_name_offset);
+	LOAD_CONSTANT("dentry_d_name_offset", dentry_d_name_offset);
 
     struct qstr qstr;
     bpf_probe_read(&qstr, sizeof(qstr), (void *)dentry + dentry_d_name_offset);

diff --git a/pkg/security/probe/constantfetch/constant_names.go b/pkg/security/probe/constantfetch/constant_names.go
@@ -39,6 +39,7 @@ const (
 	OffsetNameMountpointDentry          = "mountpoint_dentry_offset"
 	OffsetNameVfsmountMntFlags          = "vfsmount_mnt_flags_offset"
 	OffsetNameVfsmountMntRoot           = "vfsmount_mnt_root_offset"
+	OffsetNameVfsmountMntSb             = "vfsmount_mnt_sb_offset"
 	OffsetNameSuperblockSType           = "super_block_s_type_offset"
 	OffsetNameDentryDName               = "dentry_d_name_offset"
 

diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
@@ -179,6 +179,8 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
 		value = getVfsmountMntRootOffset(f.kernelVersion)
 	case OffsetNameDentryDName:
 		value = getDentryDNameOffset(f.kernelVersion)
+	case OffsetNameVfsmountMntSb:
+		value = getVfsmountMntSbOffset(f.kernelVersion)
 	}
 	f.res[id] = value
 }
@@ -1137,3 +1139,7 @@ func getVfsmountMntRootOffset(_ *kernel.Version) uint64 {
 func getDentryDNameOffset(_ *kernel.Version) uint64 {
 	return 32
 }
+
+func getVfsmountMntSbOffset(_ *kernel.Version) uint64 {
+	return 8
+}
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -2543,6 +2543,7 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameMountMntMountpoint, "struct mountpoint", "m_dentry")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVfsmountMntFlags, "struct vfsmount", "mnt_flags")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVfsmountMntRoot, "struct vfsmount", "mnt_root")
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameVfsmountMntSb, "struct vfsmount", "mnt_sb")
 }
 
 // HandleActions handles the rule actions