DataDog · dd-mergequeue · Jan 6, 2025 · Jan 6, 2025 · Jan 6, 2025 · Jan 6, 2025
@@ -17,23 +17,37 @@ unsigned long __attribute__((always_inline)) get_inode_ino(struct inode *inode)
     return ino;
 }
 
-dev_t __attribute__((always_inline)) get_inode_dev(struct inode *inode) {
+struct inode* get_dentry_inode(struct dentry *dentry) {
+    u64 offset;
+    LOAD_CONSTANT("dentry_d_inode_offset", offset);
+
+    struct inode *inode;
+    bpf_probe_read(&inode, sizeof(inode), (void *)dentry + offset);
+    return inode;
+}
+
+dev_t __attribute__((always_inline)) get_sb_dev(struct super_block *sb) {
+    u64 sb_dev_offset;
+    LOAD_CONSTANT("sb_dev_offset", sb_dev_offset);
+
     dev_t dev;
+    bpf_probe_read(&dev, sizeof(dev), (void *)sb + sb_dev_offset);
+    return dev;
+}
+
+dev_t __attribute__((always_inline)) get_inode_dev(struct inode *inode) {
     struct super_block *sb;
     bpf_probe_read(&sb, sizeof(sb), &inode->i_sb);
-    bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
-    return dev;
+    return get_sb_dev(sb);
 }
 
 dev_t __attribute__((always_inline)) get_dentry_dev(struct dentry *dentry) {
     u64 offset;
     LOAD_CONSTANT("dentry_d_sb_offset", offset);
 
-    dev_t dev;
     struct super_block *sb;
     bpf_probe_read(&sb, sizeof(sb), (char *)dentry + offset);
-    bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
-    return dev;
+    return get_sb_dev(sb);
 }
 
 void *__attribute__((always_inline)) get_file_f_inode_addr(struct file *file) {
@@ -134,12 +148,6 @@ struct super_block *__attribute__((always_inline)) get_vfsmount_sb(struct vfsmou
     return sb;
 }
 
-dev_t __attribute__((always_inline)) get_sb_dev(struct super_block *sb) {
-    dev_t dev;
-    bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
-    return dev;
-}
-
 struct dentry *__attribute__((always_inline)) get_mountpoint_dentry(void *mntpoint) {
     struct dentry *dentry;
 
@@ -156,31 +164,25 @@ dev_t __attribute__((always_inline)) get_mount_dev(void *mnt) {
     return get_vfsmount_dev(get_mount_vfsmount(mnt));
 }
 
-struct inode *__attribute__((always_inline)) get_dentry_inode(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
-    return d_inode;
-}
-
 unsigned long __attribute__((always_inline)) get_dentry_ino(struct dentry *dentry) {
     return get_inode_ino(get_dentry_inode(dentry));
 }
 
-struct dentry *__attribute__((always_inline)) get_file_dentry(struct file *file) {
-    struct dentry *file_dentry;
-    bpf_probe_read(&file_dentry, sizeof(file_dentry), &get_file_f_path_addr(file)->dentry);
-    return file_dentry;
-}
-
 struct dentry *__attribute__((always_inline)) get_path_dentry(struct path *path) {
+    u64 offset;
+    LOAD_CONSTANT("path_dentry_offset", offset);
+
     struct dentry *dentry;
-    bpf_probe_read(&dentry, sizeof(dentry), &path->dentry);
+    bpf_probe_read(&dentry, sizeof(dentry), (void *)path + offset);
     return dentry;
 }
 
+struct dentry *__attribute__((always_inline)) get_file_dentry(struct file *file) {
+    return get_path_dentry(get_file_f_path_addr(file));
+}
+
 unsigned long __attribute__((always_inline)) get_path_ino(struct path *path) {
-    struct dentry *dentry;
-    bpf_probe_read(&dentry, sizeof(dentry), &path->dentry);
+    struct dentry *dentry = get_path_dentry(path);
 
     if (dentry) {
         return get_dentry_ino(dentry);
@@ -247,8 +249,7 @@ static __attribute__((always_inline)) int is_overlayfs(struct dentry *dentry) {
 }
 
 int __attribute__((always_inline)) get_ovl_lower_ino_direct(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     // escape from the embedded vfs_inode to reach ovl_inode
     struct inode *lower;
@@ -258,8 +259,7 @@ int __attribute__((always_inline)) get_ovl_lower_ino_direct(struct dentry *dentr
 }
 
 int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_path(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     // escape from the embedded vfs_inode to reach ovl_inode
     struct dentry *lower;
@@ -269,8 +269,7 @@ int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_path(struct dentry
 }
 
 int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_entry(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     void *oe;
     bpf_probe_read(&oe, sizeof(oe), (char *)d_inode + get_sizeof_inode() + 8);
@@ -283,8 +282,7 @@ int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_entry(struct dentr
 }
 
 int __attribute__((always_inline)) get_ovl_upper_ino(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     // escape from the embedded vfs_inode to reach ovl_inode
     struct dentry *upper;

@@ -30,6 +30,9 @@ const (
 	OffsetNameFileFpath                 = "file_f_path_offset"
 	OffsetNameDentryDSb                 = "dentry_d_sb_offset"
 	OffsetNameMountMntID                = "mount_id_offset"
+	OffsetNameSbDev                     = "sb_dev_offset"
+	OffsetNameDentryDInode              = "dentry_d_inode_offset"
+	OffsetNamePathDentry                = "path_dentry_offset"
 
 	// inode
 	OffsetInodeIno   = "inode_ino_offset"

@@ -157,6 +157,12 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
 		value = getInodeMtimeOffset(f.kernelVersion)
 	case OffsetInodeCtime:
 		value = getInodeCtimeOffset(f.kernelVersion)
+	case OffsetNameSbDev:
+		value = getSuperBlockDevOffset(f.kernelVersion)
+	case OffsetNameDentryDInode:
+		value = getDentryDInodeOffset(f.kernelVersion)
+	case OffsetNamePathDentry:
+		value = getPathDentryOffset(f.kernelVersion)
 	}
 	f.res[id] = value
 }
@@ -1071,3 +1077,15 @@ func getRenameStructOldDentryOffset(_ *kernel.Version) uint64 {
 func getRenameStructNewDentryOffset(_ *kernel.Version) uint64 {
 	return 40
 }
+
+func getSuperBlockDevOffset(_ *kernel.Version) uint64 {
+	return 16
+}
+
+func getDentryDInodeOffset(_ *kernel.Version) uint64 {
+	return 48
+}
+
+func getPathDentryOffset(_ *kernel.Version) uint64 {
+	return 8
+}
@@ -2525,6 +2525,11 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeNlink, "struct inode", "i_nlink")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeMtime, "struct inode", "i_mtime", "__i_mtime")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeCtime, "struct inode", "i_ctime", "__i_ctime")
+
+	// fs
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameSbDev, "struct super_block", "s_dev")
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNameDentryDInode, "struct dentry", "d_inode")
+	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetNamePathDentry, "struct path", "dentry")
 }
 
 // HandleActions handles the rule actions