
feat(ebpf): add file info to module_load event
OriGlassman authored and randomname21 committed Aug 14, 2024
1 parent 30f16f8 commit f32c410
Showing 2 changed files with 21 additions and 1 deletion.
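--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -4320,6 +4320,22 @@ int tracepoint__module__module_load(struct bpf_raw_tracepoint_args *ctx)
 if (!evaluate_scope_filters(&p))
 return 0;
 
+if (p.event->context.syscall == SYSCALL_FINIT_MODULE) {
+struct pt_regs *task_regs = get_current_task_pt_regs();
+int fd = get_syscall_arg1(p.event->task, task_regs, false);
+struct file *file = get_struct_file_from_fd(fd);
+void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
+dev_t dev = get_dev_from_file(file);
+unsigned long inode = get_inode_nr_from_file(file);
+u64 ctime = get_ctime_nanosec_from_file(file);
+
+// add file related info
+save_str_to_buf(&p.event->args_buf, file_path, 3);
+save_to_submit_buf(&p.event->args_buf, &dev, sizeof(dev_t), 4);
+save_to_submit_buf(&p.event->args_buf, &inode, sizeof(unsigned long), 5);
+save_to_submit_buf(&p.event->args_buf, &ctime, sizeof(u64), 6);
+}
+
 const char *version = BPF_CORE_READ(mod, version);
 const char *srcversion = BPF_CORE_READ(mod, srcversion);
 save_str_to_buf(&p.event->args_buf, &mod->name, 0);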
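Review bot: `file` returned by get_struct_file_from_fd(fd) is dereferenced by the four helper calls that follow without a NULL check, so an fd that cannot be resolved (the fd comes from get_syscall_arg1 on the saved pt_regs, which is presumably not validated) would drive get_path_str/get_dev_from_file/get_inode_nr_from_file/get_ctime_nanosec_from_file through a null pointer; the probe reads would presumably just fail, but the event would then carry an empty path and zero dev/inode/ctime that a consumer cannot tell apart from a real file, so guard it with `if (file != NULL) {` around the reads and the four save_* calls instead of submitting placeholder values. The args at indices 3–6 are only written on the SYSCALL_FINIT_MODULE path, so a module loaded via init_module (image supplied from a user buffer) produces an event without them; that asymmetry deserves a comment, e.g. `// file info (args 3-6) exists only for finit_module; init_module has no backing file`, so the userspace definition that lists these fields unconditionally is understood to be best-effort. tracepoint__module__module_load starts before this hunk (p and mod are set up there) and continues after it.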
6 changes: 5 additions & 1 deletion pkg/events/core.go
Expand Up @@ -11367,7 +11367,7 @@ var CoreEvents = map[ID]Definition{
{Type: "const char*", Name: "pathname"},
{Type: "dev_t", Name: "dev"},
{Type: "unsigned long", Name: "inode"},
{Type: "u64", Name: "ctime"},
{Type: "unsigned long", Name: "ctime"},
},
},
CommitCreds: {
Expand Down Expand Up @@ -12499,6 +12499,10 @@ var CoreEvents = map[ID]Definition{
{Type: "const char*", Name: "name"},
{Type: "const char*", Name: "version"},
{Type: "const char*", Name: "src_version"},
{Type: "const char*", Name: "pathname"},
{Type: "dev_t", Name: "dev"},
{Type: "unsigned long", Name: "inode"},
{Type: "u64", Name: "ctime"},
},
},
ModuleFree: {
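Review bot: The new module_load fields in the second hunk declare ctime as `"u64"`, while the first hunk (around line 11367) flips the ctime type of a different event between `"u64"` and `"unsigned long"` in the same commit — the rendered page does not show which of the two is the removed line, but either way the two definitions now spell the same 8-byte timestamp field with different type names, and the BPF side writes it with `sizeof(u64)` for module_load, so the two should be made consistent and the first hunk's change checked against the emitter of that other event. The four added fields are only populated when the module was loaded through finit_module (the BPF code saves them inside a syscall check), so the definition would benefit from a comment such as `// pathname/dev/inode/ctime are set only for finit_module loads; absent for init_module` next to the `pathname` entry, so consumers do not treat a missing path as a malformed event. The CoreEvents map literal begins and ends outside both hunks.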
