diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 25185298dc8..aebee43ed55 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -2877,7 +2877,11 @@ FILLER(execve_extra_tail_1, true)
 CHECK_RES(res);
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ time = _READ(inode->__i_mtime);
+#else
 time = _READ(inode->i_mtime);
+#endif
 res = bpf_push_u64_to_ring(data, bpf_epoch_ns_from_time(time));
 CHECK_RES(res);
@@ -6745,7 +6749,11 @@ FILLER(sched_prog_exec_4, false)
 CHECK_RES(res);
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ time = _READ(inode->__i_mtime);
+#else
 time = _READ(inode->i_mtime);
+#endif
 res = bpf_push_u64_to_ring(data, bpf_epoch_ns_from_time(time));
 CHECK_RES(res);
diff --git a/driver/modern_bpf/definitions/struct_flavors.h b/driver/modern_bpf/definitions/struct_flavors.h
index 21b81deb3f7..341a2b05973 100644
--- a/driver/modern_bpf/definitions/struct_flavors.h
+++ b/driver/modern_bpf/definitions/struct_flavors.h
@@ -48,6 +48,10 @@ struct inode___v6_6 {
 struct timespec64 __i_ctime;
 };
+struct inode___v6_7 {
+ struct timespec64 __i_mtime;
+};
+
 struct ovl_entry___before_v6_5 {
 long unsigned int flags;
diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
index 0e90989d793..87e1370e3d5 100644
--- a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
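Review bot: The new `#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)` branch in FILLER(execve_extra_tail_1) reads the raw `__i_mtime` field with no comment saying why the accessor is not used, while the kernel-module filler in the same commit goes through `inode_get_mtime()`. I would add a comment above the `#if`, for example `/* 6.7 renamed inode->i_mtime to __i_mtime; read the field with _READ() because the probe cannot call the inline accessor on a kernel pointer */` (the reason is my inference, please confirm it). The double underscore suggests the field is private to the VFS, so this gate may need another branch if the layout changes again, and a kernel whose version code and inode layout disagree (vendor backports) would presumably fail to build the probe. The identical hunk in FILLER(sched_prog_exec_4) needs the same comment; both filler bodies start and end outside their hunks.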
@@ -226,7 +226,15 @@ int BPF_PROG(t1_sched_p_exec,
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
- BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ if(bpf_core_field_exists(exe_inode->i_mtime))
+ {
+ BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ }
+ else
+ {
+ struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+ BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+ }
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 27: euid (type: PT_UID) */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
index 80b8c2affd0..46c14ce70c9 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
@@ -290,7 +290,15 @@ int BPF_PROG(t1_execve_x,
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
- BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ if(bpf_core_field_exists(exe_inode->i_mtime))
+ {
+ BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ }
+ else
+ {
+ struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+ BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+ }
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 27: euid (type: PT_UID) */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
index f690f57af6e..5442b97a09c 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
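Review bot: The `else` branch in t1_sched_p_exec assumes `__i_mtime` exists whenever `i_mtime` does not, so it is the one CO-RE read of the two that runs without a `bpf_core_field_exists` guard. On a kernel that has neither name I would expect either the program to fail to load or, if the read fails, `time` to keep the value stored for the previous parameter (it appears to be reused from the preceding `auxmap__store_u64_param` call), and the event would then carry a wrong mtime without any signal. Guarding the second read with its own existence check and zeroing `time` in a final `else` keeps the program loadable and makes a missing value recognisable to consumers that use the executable's mtime for detection. The same block is repeated in t1_execve_x and t1_execveat_x, so one shared helper would keep the fallback in a single place; all three functions continue outside their hunks.

```c
struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
if(bpf_core_field_exists(exe_inode->i_mtime))
{
	/* … unchanged: read i_mtime … */
}
else if(bpf_core_field_exists(exe_inode_v6_7->__i_mtime))
{
	BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
}
else
{
	/* Neither layout matched: report 0 instead of a stale value. */
	__builtin_memset(&time, 0, sizeof(time));
}
```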
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
@@ -306,7 +306,15 @@ int BPF_PROG(t1_execveat_x,
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
- BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ if(bpf_core_field_exists(exe_inode->i_mtime))
+ {
+ BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ }
+ else
+ {
+ struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+ BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+ }
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 27: euid (type: PT_UID) */
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index b9b0357dab2..e4ccb95cf35 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -1421,7 +1421,15 @@ int f_proc_startupdate(struct event_filler_arguments *args)
 * During kernel versions `i_mtime` changed from `struct timespec` to `struct timespec64`
 * but fields names should be always the same. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ {
+ struct timespec64 inode_mtime;
+ inode_mtime = inode_get_mtime(file_inode(exe_file));
+ mtime = inode_mtime.tv_sec * (uint64_t)1000000000 + inode_mtime.tv_nsec;
+ }
+#else
 mtime = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
+#endif
 }
 #endif
 /* Before freeing the exefile we catch the resolved path for symlink resolution */
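Review bot: The comment kept directly above the new `#if` in f_proc_startupdate still says the field names `should be always the same`, which the added 6.7 branch contradicts. I would reword its last line to something like `* Since 6.7 the field is named __i_mtime and is read through inode_get_mtime().` so the next reader does not take the gate for dead code. The added block can also declare and initialise in one statement, `struct timespec64 inode_mtime = inode_get_mtime(file_inode(exe_file));`. The hunk in f_sched_prog_exec carries the same stale comment and the same block; both functions start and end outside their hunks.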
@@ -7439,7 +7447,15 @@ int f_sched_prog_exec(struct event_filler_arguments *args)
 * During kernel versions `i_mtime` changed from `struct timespec` to `struct timespec64`
 * but fields names should be always the same. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ {
+ struct timespec64 inode_mtime;
+ inode_mtime = inode_get_mtime(file_inode(exe_file));
+ mtime = inode_mtime.tv_sec * (uint64_t)1000000000 + inode_mtime.tv_nsec;
+ }
+#else
 mtime = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
+#endif
 }
 /* Before free the exefile we catch the resolved path for symlink resolution */
 trusted_exepath = d_path(&exe_file->f_path, buf, PAGE_SIZE);