Skip to content

Fix rhel8 file create #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Fix rhel8 file create #198

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
64ffca5
Rename btf.c to btf_helper.c
nicholasberlin Jun 27, 2025
f8d0fa1
Add new func to count op func params
nicholasberlin Jun 27, 2025
09a965a
Probe fsnotify_create
nicholasberlin Jun 27, 2025
342ad7d
Re-enable file creation tests in CI
nicholasberlin Jun 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added .buildkite/.pipeline.yml.swp
View file
Open in desktop
Binary file not shown.
12 changes: 6 additions & 6 deletions .buildkite/pipeline.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,9 +220,9 @@ steps:
machineType: n2-standard-2
enableNestedVirtualization: true

- label: "quark-test on rhel 8 (file creation broken)"
- label: "quark-test on rhel 8"
key: test_rhel_8
command: "./.buildkite/runtest_distro.sh rhel 8 -x t_file"
command: "./.buildkite/runtest_distro.sh rhel 8"
depends_on:
- make_docker
agents:
Expand Down Expand Up @@ -286,9 +286,9 @@ steps:
machineType: n2-standard-2
enableNestedVirtualization: true

- label: "quark-test on rhel 8.8 (file creation broken)"
- label: "quark-test on rhel 8.8"
key: test_rhel_8_8
command: "./.buildkite/runtest_distro.sh rhel 8.8 -x t_file"
command: "./.buildkite/runtest_distro.sh rhel 8.8"
depends_on:
- make_docker
agents:
Expand All @@ -297,9 +297,9 @@ steps:
machineType: n2-standard-2
enableNestedVirtualization: true

- label: "quark-test on rhel 8.9 (file creation broken)"
- label: "quark-test on rhel 8.9"
key: test_rhel_8_9
command: "./.buildkite/runtest_distro.sh rhel 8.9 -x t_file"
command: "./.buildkite/runtest_distro.sh rhel 8.9"
depends_on:
- make_docker
agents:
Expand Down
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ endif
LIBQUARK_DEPS:= $(filter-out manpages.h, $(LIBQUARK_DEPS))
LIBQUARK_SRCS:= \
bpf_queue.c \
btf.c \
btf_helper.c \
btfhub.c \
compat.c \
kprobe_queue.c \
Expand Down
7 changes: 7 additions & 0 deletions bpf_queue.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -667,9 +667,14 @@ bpf_queue_open1(struct quark_queue *qq, int use_fentry)
}

if (qq->flags & QQ_FILE) {
int use_fsnotify =
(6 == btf_number_of_params_op_ptr(btf, "inode_operations", "atomic_open"));

if (use_fentry) {
bpf_program__set_autoload(p->progs.fentry__do_renameat2, 1);
bpf_program__set_autoload(p->progs.fentry__do_unlinkat, 1);
if (use_fsnotify)
bpf_program__set_autoload(p->progs.fentry__fsnotify, 1);
bpf_program__set_autoload(p->progs.fentry__mnt_want_write, 1);
bpf_program__set_autoload(p->progs.fentry__vfs_rename, 1);
bpf_program__set_autoload(p->progs.fentry__vfs_unlink, 1);
Expand All @@ -688,6 +693,8 @@ bpf_queue_open1(struct quark_queue *qq, int use_fentry)
bpf_program__set_autoload(p->progs.kretprobe__chown_common, 1);
bpf_program__set_autoload(p->progs.kprobe__do_truncate, 1);
bpf_program__set_autoload(p->progs.kretprobe__do_truncate, 1);
if (use_fsnotify)
bpf_program__set_autoload(p->progs.kprobe__fsnotify, 1);
bpf_program__set_autoload(p->progs.kprobe__vfs_writev, 1);
bpf_program__set_autoload(p->progs.kretprobe__vfs_writev, 1);
bpf_program__set_autoload(p->progs.kprobe__vfs_rename, 1);
Expand Down
44 changes: 44 additions & 0 deletions btf.c → btf_helper.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,6 +292,50 @@ btf_enum_value(struct btf *btf, const char *dotname, ssize_t *uv)
return (-1);
}

int
btf_number_of_params_op_ptr(struct btf *btf, const char *ops_struct, const char* op_name)
{
const char *name;
struct btf_type const *ops_t;
struct btf_member *m;
int i;

ops_t = btf_type_by_name_kind(btf, NULL, ops_struct, BTF_KIND_STRUCT);

if (!btf_is_struct(ops_t)) {
errno = EINVAL;
goto fail;
}

m = btf_members(ops_t);

for (i = 0; i < btf_vlen(ops_t); i++, m++) {
name = btf__name_by_offset(btf, m->name_off);
if (name == NULL)
continue;

if (!strcmp(op_name, name)) {
const struct btf_type *t;

t = btf__type_by_id(btf, m->type);
if (t == NULL)
return (-1);

t = btf__type_by_id(btf, t->type);
if (t == NULL)
return (-1);

if (!btf_is_func_proto(t))
return (-1);

return (btf_vlen(t));
}
}

fail:
return (-1);
}

int
btf_number_of_params(struct btf *btf, const char *func)
{
Expand Down
38 changes: 38 additions & 0 deletions elastic-ebpf/GPL/Events/File/Probe.bpf.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,10 @@ static int do_filp_open__exit(struct file *f)
if (fmode & (fmode_t)0x100000) { // FMODE_CREATED
// generate a file creation event
prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
} else if (ebpf_events_state__get(EBPF_EVENTS_STATE_FS_CREATE) != NULL) {
// generate a file creation event
prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
ebpf_events_state__del(EBPF_EVENTS_STATE_FS_CREATE);
} else {
// check if memfd file is being opened
struct path p = BPF_CORE_READ(f, f_path);
Expand Down Expand Up @@ -333,6 +337,40 @@ static int do_filp_open__exit(struct file *f)
return 0;
}

static int fsnotify__enter(u32 mask)
{
if (mask & 0x100) { // FS_CREATE
struct ebpf_events_state state = {};
ebpf_events_state__set(EBPF_EVENTS_STATE_FS_CREATE, &state);
}

return 0;
}

SEC("kprobe/fsnotify")
int BPF_KPROBE(kprobe__fsnotify,
struct inode *to_tell,
u32 mask,
const void *data,
int data_is,
const unsigned char *file_name,
u32 cookie)
{
return fsnotify__enter(mask);
}

SEC("fentry/fsnotify")
int BPF_PROG(fentry__fsnotify,
struct inode *to_tell,
u32 mask,
const void *data,
int data_is,
const unsigned char *file_name,
u32 cookie)
{
return fsnotify__enter(mask);
}

SEC("fexit/do_filp_open")
int BPF_PROG(fexit__do_filp_open,
int dfd,
Expand Down
2 changes: 2 additions & 0 deletions elastic-ebpf/GPL/Events/State.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ enum ebpf_events_state_op {
EBPF_EVENTS_STATE_WRITEV = 8,
EBPF_EVENTS_STATE_CHOWN = 9,
EBPF_EVENTS_STATE_GROUP_DEAD = 10,
EBPF_EVENTS_STATE_FS_CREATE = 11,
};

struct ebpf_events_key {
Expand Down Expand Up @@ -93,6 +94,7 @@ struct ebpf_events_state {
struct ebpf_events_writev_state writev;
struct ebpf_events_chown_state chown;
/* struct ebpf_events_group_dead group_dead; nada */
/* struct ebpf_events_fs_create fs_create; nada */
};
};

Expand Down
1 change: 1 addition & 0 deletions quark.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ ssize_t quark_btf_offset(struct quark_btf *, const char *);
struct btf;
s32 btf_root_offset(struct btf *, const char *, int);
int btf_number_of_params(struct btf *, const char *);
int btf_number_of_params_op_ptr(struct btf *, const char *, const char *);
int btf_index_of_param(struct btf *, const char *, const char *);

/* bpf_queue.c */
Expand Down