Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Overlay FS: Add fields proc.is_exe_lower_layer, fd.is_upper_layer and fd.is_lower_layer #1936

Merged
merged 7 commits into from
Aug 28, 2024
Merged

Overlay FS: Add fields proc.is_exe_lower_layer, fd.is_upper_layer and fd.is_lower_layer #1936

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
1f10fe4
Overlay FS: Add fields proc.is_exe_lower_layer, fd.is_upper_layer and…
eddyduer-sysdig Aug 7, 2024
b3bebd5
Changes after code review
eddyduer-sysdig Aug 8, 2024
80256d5
Overlay FS flags are now sent in existing flags parameter in the open…
eddyduer-sysdig Aug 8, 2024
59c4e62
Changes after code review #2
eddyduer-sysdig Aug 13, 2024
4d8a96c
fix(scap): fix scap-file support
Andreagit97 Aug 27, 2024
4a6a0a0
docs: add a comment
Andreagit97 Aug 27, 2024
a332c03
fix(tests): fix e2e sinsp tests
Andreagit97 Aug 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion driver/SCHEMA_VERSION
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
2.21.2
2.22.0
68 changes: 67 additions & 1 deletion driver/bpf/filler_helpers.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,14 @@ enum read_memory
KERNEL = 1,
};

static __always_inline struct inode *get_file_inode(struct file *file)
{
if (file) {
return _READ(file->f_inode);
}
return NULL;
}

static __always_inline bool in_port_range(uint16_t port, uint16_t min, uint16_t max)
{
return port >= min && port <= max;
Expand Down Expand Up @@ -280,7 +288,7 @@ static __always_inline unsigned long bpf_encode_dev(dev_t dev)
return (minor & 0xff) | (major << 8) | ((minor & ~0xff) << 12);
}

static __always_inline void bpf_get_fd_dev_ino(int fd, unsigned long *dev, unsigned long *ino)
static __always_inline void bpf_get_ino_from_fd(int fd, unsigned long *ino)
{
struct super_block *sb;
struct inode *inode;
Expand All @@ -294,6 +302,64 @@ static __always_inline void bpf_get_fd_dev_ino(int fd, unsigned long *dev, unsig
if (!file)
return;

inode = _READ(file->f_inode);
if (!inode)
return;

*ino = _READ(inode->i_ino);
}

static __always_inline enum ppm_overlay get_overlay_layer(struct file *file)
{
if (!file)
{
return PPM_NOT_OVERLAY_FS;
}
struct dentry* dentry = NULL;
bpf_probe_read_kernel(&dentry, sizeof(dentry), &file->f_path.dentry);
struct super_block* sb = (struct super_block*)_READ(dentry->d_sb);
unsigned long sb_magic = _READ(sb->s_magic);

if(sb_magic != PPM_OVERLAYFS_SUPER_MAGIC)
{
return PPM_NOT_OVERLAY_FS;
}

char *vfs_inode = (char *)_READ(dentry->d_inode);
struct dentry *upper_dentry = NULL;
bpf_probe_read_kernel(&upper_dentry, sizeof(upper_dentry), (char *)vfs_inode + sizeof(struct inode));
if(!upper_dentry)
{
return PPM_OVERLAY_LOWER;
}

struct inode *upper_ino = _READ(upper_dentry->d_inode);
if(_READ(upper_ino->i_ino) != 0)
{
return PPM_OVERLAY_UPPER;
}
else
{
return PPM_OVERLAY_LOWER;
}
}

static __always_inline void bpf_get_dev_ino_overlay_from_fd(int fd, unsigned long *dev, unsigned long *ino, enum ppm_overlay *ol)
{
struct super_block *sb;
struct inode *inode;
dev_t kdev;
struct file *file;

if (fd < 0)
return;

file = bpf_fget(fd);
if (!file)
return;

*ol = get_overlay_layer(file);

inode = _READ(file->f_inode);
if (!inode)
return;
Expand Down
Loading
Loading