From 6b6d46dd73d781930d625f98785358cb8998424f Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Sun, 12 May 2024 22:27:06 +0200
Subject: [PATCH] manual offset
---
 pkg/security/probe/constantfetch/quirks.go | 25 ++++++++++++++++++++++
 pkg/security/probe/probe_ebpf.go | 8 +++----
 2 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 pkg/security/probe/constantfetch/quirks.go
diff --git a/pkg/security/probe/constantfetch/quirks.go b/pkg/security/probe/constantfetch/quirks.go
new file mode 100644
index 0000000000000..a52b989625b9d
--- /dev/null
+++ b/pkg/security/probe/constantfetch/quirks.go
@@ -0,0 +1,25 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build linux
+
+// Package constantfetch holds constantfetch related files
+package constantfetch
+
+import "github.com/DataDog/datadog-agent/pkg/security/ebpf/kernel"
+
+// GetRHEL93MMapDelta returns the potential offset in `sys_enter_mmap` fields when reading from the tracepoint
+// format
+func GetRHEL93MMapDelta(kv *kernel.Version) uint64 {
+ switch {
+ // rh 9.3 is completely buggy.. the tracepoint format of `sys_enter_mmap` is not the actual format..
+ // bpftrace is as confused as us on this
+ // this check is to fix this manually
+ case kv.IsInRangeCloseOpen(kernel.Kernel5_14, kernel.Kernel5_15) && kv.IsRH9_3Kernel():
+ return 8
+ default:
+ return 0
+ }
+}
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
index d93fbe9b85399..a54995db6d83d 100644
--- a/pkg/security/probe/probe_ebpf.go
+++ b/pkg/security/probe/probe_ebpf.go
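Review bot: The quirk in `GetRHEL93MMapDelta` (quirks.go) is selected purely by version, `kv.IsInRangeCloseOpen(kernel.Kernel5_14, kernel.Kernel5_15) && kv.IsRH9_3Kernel()`, so if a later RHEL 9.3 kernel build ships a corrected `sys_enter_mmap` format the probe would add 8 to offsets that are already right, and the mmap `len`/`prot`/`flags`/`off` values would be read from the wrong slots without any error. The doc comment also never says what the returned number is; I would spell it out, e.g. `// GetRHEL93MMapDelta returns the number of bytes (8 on RHEL 9.3 kernels, 0 otherwise) to add to the sys_enter_mmap field offsets read from the tracepoint format`. The "completely buggy" comment would be more useful as a one-line description of the observed layout or a link to the bug report. `kv` is dereferenced unchecked, which is fine only if every caller passes a non-nil version.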
@@ -1560,19 +1560,19 @@ func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, wmeta optional
 },
 manager.ConstantEditor{
 Name: constantfetch.OffsetNameSysMmapOff,
- Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "off", 56),
+ Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "off", 56) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
 },
 manager.ConstantEditor{
 Name: constantfetch.OffsetNameSysMmapLen,
- Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "len", 24),
+ Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "len", 24) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
 },
 manager.ConstantEditor{
 Name: constantfetch.OffsetNameSysMmapProt,
- Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "prot", 32),
+ Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "prot", 32) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
 },
 manager.ConstantEditor{
 Name: constantfetch.OffsetNameSysMmapFlags,
- Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "flags", 40),
+ Value: constantfetch.ReadTracepointFieldOffsetWithFallback("syscalls/sys_enter_mmap", "flags", 40) + constantfetch.GetRHEL93MMapDelta(p.kernelVersion),
 },
 )
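Review bot: The delta is added outside `ReadTracepointFieldOffsetWithFallback`, so it lands on the hard-coded fallbacks (56, 24, 32, 40) as well as on values parsed from the format file. That is only right if the real RHEL 9.3 layout is shifted by the same 8 bytes relative to both, which deserves a comment above the `OffsetNameSysMmapOff` editor, e.g. `// on RHEL 9.3 the real sys_enter_mmap fields sit GetRHEL93MMapDelta bytes after the advertised (and fallback) offsets`. The same call is repeated in all four `Value:` expressions; computing it once before the editor list (`mmapDelta := constantfetch.GetRHEL93MMapDelta(p.kernelVersion)`) and writing `+ mmapDelta` would keep the four lines in step. The body of `NewEBPFProbe` starts and ends outside this hunk, so the right place for that local is not visible here. A wrong offset would surface only as odd mmap event fields, so a debug log line when the delta is non-zero would help diagnosis.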