12 changes: 6 additions & 6 deletions .buildkite/pipeline.yml
@@ -220,9 +220,9 @@ steps:
machineType: n2-standard-2
enableNestedVirtualization: true

- label: "quark-test on rhel 8 (file creation broken)"
- label: "quark-test on rhel 8"
key: test_rhel_8
command: "./.buildkite/runtest_distro.sh rhel 8 -x t_file"
command: "./.buildkite/runtest_distro.sh rhel 8"
depends_on:
- make_docker
agents:
@@ -286,9 +286,9 @@ steps:
machineType: n2-standard-2
enableNestedVirtualization: true

- label: "quark-test on rhel 8.8 (file creation broken)"
- label: "quark-test on rhel 8.8"
key: test_rhel_8_8
command: "./.buildkite/runtest_distro.sh rhel 8.8 -x t_file"
command: "./.buildkite/runtest_distro.sh rhel 8.8"
depends_on:
- make_docker
agents:
@@ -297,9 +297,9 @@ steps:
machineType: n2-standard-2
enableNestedVirtualization: true

- label: "quark-test on rhel 8.9 (file creation broken)"
- label: "quark-test on rhel 8.9"
key: test_rhel_8_9
command: "./.buildkite/runtest_distro.sh rhel 8.9 -x t_file"
command: "./.buildkite/runtest_distro.sh rhel 8.9"
depends_on:
- make_docker
agents:
7 changes: 7 additions & 0 deletions bpf_queue.c
@@ -667,9 +667,14 @@ bpf_queue_open1(struct quark_queue *qq, int use_fentry)
}

if (qq->flags & QQ_FILE) {
int use_fsnotify =
(btf_number_of_params_of_ptr(btf, "inode_operations", "atomic_open") == 6);

if (use_fentry) {
bpf_program__set_autoload(p->progs.fentry__do_renameat2, 1);
bpf_program__set_autoload(p->progs.fentry__do_unlinkat, 1);
if (use_fsnotify)
bpf_program__set_autoload(p->progs.fentry__fsnotify, 1);
bpf_program__set_autoload(p->progs.fentry__mnt_want_write, 1);
bpf_program__set_autoload(p->progs.fentry__vfs_rename, 1);
bpf_program__set_autoload(p->progs.fentry__vfs_unlink, 1);
@@ -688,6 +693,8 @@ bpf_queue_open1(struct quark_queue *qq, int use_fentry)
bpf_program__set_autoload(p->progs.kretprobe__chown_common, 1);
bpf_program__set_autoload(p->progs.kprobe__do_truncate, 1);
bpf_program__set_autoload(p->progs.kretprobe__do_truncate, 1);
if (use_fsnotify)
bpf_program__set_autoload(p->progs.kprobe__fsnotify, 1);
bpf_program__set_autoload(p->progs.kprobe__vfs_writev, 1);
bpf_program__set_autoload(p->progs.kretprobe__vfs_writev, 1);
bpf_program__set_autoload(p->progs.kprobe__vfs_rename, 1);
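Review bot: The `== 6` test that sets `use_fsnotify` needs a comment saying which kernels have a six-parameter `inode_operations.atomic_open` and why that makes the fsnotify probe necessary; presumably it is the older signature that predates FMODE_CREATED, but the only hint on the page is the `// 4.18.x` remark in Probe.bpf.c. `btf_number_of_params_of_ptr()` also returns -1 on any lookup failure, and this expression treats that the same as "not needed", so on a host where the BTF lookup fails and the kernel lacks FMODE_CREATED, file-creation events could be silently missing. A comment such as `/* 6-arg atomic_open: no FMODE_CREATED on this kernel, track creation via fsnotify(FS_CREATE) */` above the assignment, plus a warning when the call returns -1, would make that gap visible. The same flag gates the fentry autoload here and the kprobe autoload in the second hunk; bpf_queue_open1 starts and ends outside both hunks.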
43 changes: 40 additions & 3 deletions btf.c
@@ -186,13 +186,29 @@ btf_offsetof(struct btf *btf, const char *parent_name, const char *member_name,
if (parent_t == NULL)
parent_t = btf_type_by_name_kind(btf, NULL, parent_name,
BTF_KIND_UNION);
if (parent_t == NULL)
if (parent_t == NULL) {
if (ret_member != NULL)
*ret_member = NULL;
return (-1);
}

return (btf_offsetof_rec(btf, parent_t, member_name, ret_member, 0));

}

/*
* Given a struct or union parent_name, find the btf_member{} of member_name.
*/
static struct btf_member *
btf_find_member(struct btf *btf, const char *parent_name, const char *member_name)
{
struct btf_member *member = NULL;

btf_offsetof(btf, parent_name, member_name, &member);

return (member);
}

static s32
btf_root_offset2(struct btf *btf, const char *dotname)
{
@@ -292,11 +308,32 @@ btf_enum_value(struct btf *btf, const char *dotname, ssize_t *uv)
return (-1);
}

int
btf_number_of_params_of_ptr(struct btf *btf, const char *parent_name, const char *name)
{
struct btf_member *m;
const struct btf_type *t;

m = btf_find_member(btf, parent_name, name);
if (m == NULL)
return (-1);
t = btf__type_by_id(btf, m->type);
if (t == NULL)
return (-1);
t = btf__type_by_id(btf, t->type);
if (t == NULL)
return (-1);
if (!btf_is_func_proto(t))
return (-1);

return (btf_vlen(t));
}

int
btf_number_of_params(struct btf *btf, const char *func)
{
s32 off;
const struct btf_type *t;
const struct btf_type *t;
s32 off;

off = btf__find_by_name_kind(btf, func, BTF_KIND_FUNC);
if (off < 0)
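Review bot: `btf_number_of_params_of_ptr` follows `t->type` from the member's type without first confirming that the member is a pointer. In `struct btf_type` the `type` field shares a union with `size`, so for a member of a sized kind (struct, int, enum) the second `btf__type_by_id()` call receives a byte size rather than a type id, and the function then depends on `btf_is_func_proto()` happening to reject whatever that id resolves to. Adding `if (!btf_is_ptr(t)) return (-1);` after the first NULL check makes the contract explicit. The function also lacks a header comment; one stating that -1 means "member not found or not a function pointer" would help, since the caller compares the result against a constant.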
39 changes: 38 additions & 1 deletion elastic-ebpf/GPL/Events/File/Probe.bpf.c
@@ -286,7 +286,8 @@ static int do_filp_open__exit(struct file *f)
goto out;

fmode_t fmode = BPF_CORE_READ(f, f_mode);
if (fmode & (fmode_t)0x100000) { // FMODE_CREATED
if ((fmode & (fmode_t)0x100000) || // FMODE_CREATED
(ebpf_events_state__get(EBPF_EVENTS_STATE_FS_CREATE) != NULL)) { // 4.18.x
// generate a file creation event
prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
} else {
@@ -330,9 +331,45 @@ static int do_filp_open__exit(struct file *f)
}

out:
ebpf_events_state__del(EBPF_EVENTS_STATE_FS_CREATE);

return 0;
}

static int fsnotify__enter(u32 mask)
{
if (mask & 0x100) { // FS_CREATE
struct ebpf_events_state state = {};
ebpf_events_state__set(EBPF_EVENTS_STATE_FS_CREATE, &state);
}

return 0;
}

SEC("kprobe/fsnotify")
int BPF_KPROBE(kprobe__fsnotify,
struct inode *to_tell,
u32 mask,
const void *data,
int data_is,
const unsigned char *file_name,
u32 cookie)
{
return fsnotify__enter(mask);
}

SEC("fentry/fsnotify")
int BPF_PROG(fentry__fsnotify,
struct inode *to_tell,
u32 mask,
const void *data,
int data_is,
const unsigned char *file_name,
u32 cookie)
{
return fsnotify__enter(mask);
}

SEC("fexit/do_filp_open")
int BPF_PROG(fexit__do_filp_open,
int dfd,
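Review bot: The FS_CREATE marker set in `fsnotify__enter` is cleared only at the `out:` label of `do_filp_open__exit`, so any fsnotify call carrying FS_CREATE that does not come from an open path leaves it behind. If the state map is keyed per thread (the key is not visible here), a directory or other non-open creation would presumably make that thread's next ordinary open report EBPF_EVENT_FILE_CREATE for a file that already existed, which is a false creation event in the telemetry. Consider setting the marker only while an open is in progress, or at least skipping directory notifications with `if ((mask & 0x100) && !(mask & 0x40000000)) { // FS_CREATE && !FS_ISDIR`, and add a comment on `fsnotify__enter` describing the marker's lifetime. `do_filp_open__exit` is only partly visible in these hunks, so an earlier `return` that bypasses `out:` cannot be ruled out from this view.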
2 changes: 2 additions & 0 deletions elastic-ebpf/GPL/Events/State.h
@@ -22,6 +22,7 @@ enum ebpf_events_state_op {
EBPF_EVENTS_STATE_WRITEV = 8,
EBPF_EVENTS_STATE_CHOWN = 9,
EBPF_EVENTS_STATE_GROUP_DEAD = 10,
EBPF_EVENTS_STATE_FS_CREATE = 11,
};

struct ebpf_events_key {
@@ -93,6 +94,7 @@ struct ebpf_events_state {
struct ebpf_events_writev_state writev;
struct ebpf_events_chown_state chown;
/* struct ebpf_events_group_dead group_dead; nada */
/* struct ebpf_events_fs_create fs_create; nada */
};
};

1 change: 1 addition & 0 deletions quark.h
@@ -80,6 +80,7 @@ ssize_t quark_btf_offset(struct quark_btf *, const char *);
struct btf;
s32 btf_root_offset(struct btf *, const char *, int);
int btf_number_of_params(struct btf *, const char *);
int btf_number_of_params_of_ptr(struct btf *, const char *, const char *);
int btf_index_of_param(struct btf *, const char *, const char *);

/* bpf_queue.c */