[CWS] do not request OffsetInode[CM]time constant outside of kernel…

… range (#32406) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (cherry picked from commit 500434d)
DataDog · Dec 20, 2024 · 658d7a3 · 658d7a3
1 parent 3e130e9
commit 658d7a3
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 10 deletions.
diff --git a/pkg/security/ebpf/c/include/helpers/filesystem.h b/pkg/security/ebpf/c/include/helpers/filesystem.h
@@ -123,12 +123,9 @@ void __attribute__((always_inline)) fill_file(struct dentry *dentry, struct file
 		bpf_probe_read(&nsec, sizeof(nsec), (void *)d_inode + inode_ctime_nsec_offset);
 		file->metadata.ctime.tv_nsec = nsec;
 	} else {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
-    bpf_probe_read(&file->metadata.ctime, sizeof(file->metadata.ctime), &d_inode->i_ctime);
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
     u64 inode_ctime_offset;
     LOAD_CONSTANT("inode_ctime_offset", inode_ctime_offset);
-
     bpf_probe_read(&file->metadata.ctime, sizeof(file->metadata.ctime), (void *)d_inode + inode_ctime_offset);
 #else
     bpf_probe_read(&file->metadata.ctime.tv_sec, sizeof(file->metadata.ctime.tv_sec), &d_inode->i_ctime_sec);
@@ -147,12 +144,9 @@ void __attribute__((always_inline)) fill_file(struct dentry *dentry, struct file
 		bpf_probe_read(&nsec, sizeof(nsec), (void *)d_inode + inode_mtime_nsec_offset);
 		file->metadata.mtime.tv_nsec = nsec;
 	} else {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 7, 0)
-    bpf_probe_read(&file->metadata.mtime, sizeof(file->metadata.mtime), &d_inode->i_mtime);
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
     u64 inode_mtime_offset;
     LOAD_CONSTANT("inode_mtime_offset", inode_mtime_offset);
-
     bpf_probe_read(&file->metadata.mtime, sizeof(file->metadata.mtime), (void *)d_inode + inode_mtime_offset);
 #else
     bpf_probe_read(&file->metadata.mtime.tv_sec, sizeof(file->metadata.mtime.tv_sec), &d_inode->i_mtime_sec);

diff --git a/pkg/security/ebpf/kernel/kernel.go b/pkg/security/ebpf/kernel/kernel.go
@@ -102,6 +102,8 @@ var (
 	Kernel6_5 = kernel.VersionCode(6, 5, 0)
 	// Kernel6_6 is the KernelVersion representation of kernel version 6.6
 	Kernel6_6 = kernel.VersionCode(6, 6, 0)
+	// Kernel6_7 is the KernelVersion representation of kernel version 6.7
+	Kernel6_7 = kernel.VersionCode(6, 7, 0)
 	// Kernel6_10 is the KernelVersion representation of kernel version 6.10
 	Kernel6_10 = kernel.VersionCode(6, 10, 0)
 	// Kernel6_11 is the KernelVersion representation of kernel version 6.11

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -2496,8 +2496,13 @@ func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher,
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeIno, "struct inode", "i_ino", "linux/fs.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeGid, "struct inode", "i_gid", "linux/fs.h")
 	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeNlink, "struct inode", "i_nlink", "linux/fs.h")
-	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeMtime, "struct inode", "__i_mtime", "linux/fs.h")
-	constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeCtime, "struct inode", "__i_ctime", "linux/fs.h")
+	if kv.IsInRangeCloseOpen(kernel.Kernel6_7, kernel.Kernel6_11) {
+		constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeMtime, "struct inode", "__i_mtime", "linux/fs.h")
+		constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeCtime, "struct inode", "__i_ctime", "linux/fs.h")
+	} else if kv.Code < kernel.Kernel6_7 {
+		constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeMtime, "struct inode", "i_mtime", "linux/fs.h")
+		constantFetcher.AppendOffsetofRequest(constantfetch.OffsetInodeCtime, "struct inode", "i_ctime", "linux/fs.h")
+	}
 }
 
 // HandleActions handles the rule actions