-
Notifications
You must be signed in to change notification settings - Fork 186
/
kfilefields.go
80 lines (75 loc) · 2.8 KB
/
kfilefields.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
// Copyright 2023 The Inspektor Gadget authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package kfilefields provides functions to read kernel "struct file" fields against a file descriptor.
//
// This is done:
// - without using bpf iterators in order to work on old kernels.
// - without comparing pids from userspace and ebpf in order to work from
// different pid namespaces.
package kfilefields
import "fmt"
// ReadPrivateDataFromFd uses ebpf to read the private_data pointer from the
// kernel "struct file" associated with the given fd.
func ReadPrivateDataFromFd(fd int) (uint64, error) {
t, err := creatAndInstallTracer()
if err != nil {
return 0, fmt.Errorf("creating and installing tracer: %w", err)
}
defer t.close()
ff, err := t.readStructFileFields(fd)
if err != nil {
return 0, fmt.Errorf("reading file fields: %w", err)
}
return ff.PrivateData, nil
}
// ReadFOpForFdType uses ebpf to read the f_op pointer from the kernel "struct file"
// associated with the given fd type.
func ReadFOpForFdType(ft FdType) (uint64, error) {
if _, ok := supportedFdTypesForFOp[ft]; !ok {
return 0, fmt.Errorf("unsupported fd type %s", ft.String())
}
t, err := creatAndInstallTracer()
if err != nil {
return 0, fmt.Errorf("creating and installing tracer: %w", err)
}
defer t.close()
fd, err := t.getFdFromType(ft)
if err != nil {
return 0, fmt.Errorf("getting fd from type %s: %w", ft.String(), err)
}
ff, err := t.readStructFileFields(fd)
if err != nil {
return 0, fmt.Errorf("reading file fields: %w", err)
}
return ff.FOp, nil
}
// ReadRealInodeFromFd uses ebpf to read the f_inode pointer from the
// kernel "struct file" associated with the given fd.
// Specifically, if fd belongs to overlayFS, it will return the underlying, real inode.
//
// This feature makes it possible to check if two fds come from the same
// underlying file, even if they come from two different overlay filesystems.
// This is useful for uprobes because they get attached to the underlying file.
func ReadRealInodeFromFd(fd int) (uint64, error) {
t, err := creatAndInstallTracer()
if err != nil {
return 0, fmt.Errorf("creating and installing tracer: %w", err)
}
defer t.close()
ff, err := t.readStructFileFields(fd)
if err != nil {
return 0, fmt.Errorf("reading file fields: %w", err)
}
return ff.RealInode, nil
}