Skip to content

RHEL-8 file create #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 30, 2025
Merged

RHEL-8 file create #199

merged 3 commits into from
Jun 30, 2025

Conversation

@nicholasberlin
Copy link
Contributor

@nicholasberlin nicholasberlin commented Jun 30, 2025
edited
Loading

On RHEL kernels where ebpf has been back-ported but FMODE_CREATED does not yet exist, use
fsnotify_create as an indication of file creation. This requires a new probe on fsnotify to set a thread local map entry, which the current do_filp_open exit probe can then test for.

Since the fsnotify probe can be noisy and the parameters have changed over time, only
enable that probe when necessary. Ideally, we would test for the existence of FMODE_CREATED, but as far as I'm aware, there's not a way to detect #defines. There's another commit (torvalds/linux@44907d7) related
to the addition of FMODE_CREATED which is detectable by testing the parameter count of the
atomic_open function pointer within struct inode_operations.

A new function was added to use btf for detecting the parameter change, and is used to conditionally apply the fnsotify probe. Hopefully, the parameter count to atomic_open will not change back to 6.

Also, re-enabled file testing for the appropriate kernels.

Thanks @haesbaert for the feedback/review. I incorporated and squashed this and this.

@nicholasberlin nicholasberlin mentioned this pull request Jun 30, 2025
Closed
@nicholasberlin
Probe fsnotify_create
4d4003b 
On RHEL kernels where ebpf has been backported but FMODE_CREATED does not yet exist, use
fsnotify_create as an indication of file creation. This requires a new probe to set a thread
local map entry, which the current do_filp_open probe can then test for.
@nicholasberlin
Add new func to count op func params
291f951 
Since the fsnotify probe can be noisy and the parameters have changed over time, only
enable that probe when necessary. Ideally, we would test for the existence of FMODE_CREATED,
but as far as I'm aware, there's not a way to detect defines. There's another commit
(torvalds/linux@44907d7) related
to the addition of FMODE_CREATED which is detectable by testing the parameter count to the
atomic_open function pointer within struct inode_operations.

This commit adds a function to detect the commit using btf, and conditionally adds the fsnotify
probe.
@nicholasberlin
Re-enable file creation tests in CI
5835923
@nicholasberlin nicholasberlin marked this pull request as ready for review June 30, 2025 16:57
@nicholasberlin nicholasberlin requested a review from a team as a code owner June 30, 2025 16:57
@nicholasberlin nicholasberlin changed the title Rhel8 file create RHEL-8 file create Jun 30, 2025
@haesbaert
Copy link
Collaborator

haesbaert commented Jun 30, 2025

Awesome, this is great thanks!

@haesbaert haesbaert merged commit 3fb921c into main Jun 30, 2025
2 checks passed
@haesbaert haesbaert mentioned this pull request Jun 30, 2025
Closed
@nicholasberlin nicholasberlin deleted the rhel8_file_create branch October 28, 2025 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@haesbaert haesbaert haesbaert approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nicholasberlin @haesbaert