[Backport 7.61.x] [CWS] fix inode i_ino offset on kernels >= 6.8 (#32420

) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: paulcacheux <[email protected]> Co-authored-by: safchain <[email protected]>
DataDog · Dec 20, 2024 · 89fdd24 · 89fdd24
1 parent 54b17d2
commit 89fdd24
Show file tree

Hide file tree

Showing 8 changed files with 1,305 additions and 15 deletions.
diff --git a/pkg/security/ebpf/c/include/constants/offsets/filesystem.h b/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
@@ -9,8 +9,11 @@
 struct mount;
 
 unsigned long __attribute__((always_inline)) get_inode_ino(struct inode *inode) {
+    u64 inode_ino_offset;
+    LOAD_CONSTANT("inode_ino_offset", inode_ino_offset);
+
     unsigned long ino;
-    bpf_probe_read(&ino, sizeof(inode), &inode->i_ino);
+    bpf_probe_read(&ino, sizeof(inode), (void *)inode + inode_ino_offset);
     return ino;
 }
 

diff --git a/pkg/security/ebpf/c/include/helpers/filesystem.h b/pkg/security/ebpf/c/include/helpers/filesystem.h
@@ -102,10 +102,15 @@ void __attribute__((always_inline)) fill_file(struct dentry *dentry, struct file
 
     file->dev = get_dentry_dev(dentry);
 
-    bpf_probe_read(&file->metadata.nlink, sizeof(file->metadata.nlink), (void *)&d_inode->i_nlink);
+    u64 inode_nlink_offset;
+    LOAD_CONSTANT("inode_nlink_offset", inode_nlink_offset);
+    u64 inode_gid_offset;
+    LOAD_CONSTANT("inode_gid_offset", inode_gid_offset);
+
+    bpf_probe_read(&file->metadata.nlink, sizeof(file->metadata.nlink), (void *)d_inode + inode_nlink_offset);
     bpf_probe_read(&file->metadata.mode, sizeof(file->metadata.mode), &d_inode->i_mode);
     bpf_probe_read(&file->metadata.uid, sizeof(file->metadata.uid), &d_inode->i_uid);
-    bpf_probe_read(&file->metadata.gid, sizeof(file->metadata.gid), &d_inode->i_gid);
+    bpf_probe_read(&file->metadata.gid, sizeof(file->metadata.gid), (void *)d_inode + inode_gid_offset);
 
     u64 inode_ctime_sec_offset;
     LOAD_CONSTANT("inode_ctime_sec_offset", inode_ctime_sec_offset);
@@ -118,10 +123,10 @@ void __attribute__((always_inline)) fill_file(struct dentry *dentry, struct file
 		bpf_probe_read(&nsec, sizeof(nsec), (void *)d_inode + inode_ctime_nsec_offset);
 		file->metadata.ctime.tv_nsec = nsec;
 	} else {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
-    bpf_probe_read(&file->metadata.ctime, sizeof(file->metadata.ctime), &d_inode->i_ctime);
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
-    bpf_probe_read(&file->metadata.ctime, sizeof(file->metadata.ctime), &d_inode->__i_ctime);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
+    u64 inode_ctime_offset;
+    LOAD_CONSTANT("inode_ctime_offset", inode_ctime_offset);
+    bpf_probe_read(&file->metadata.ctime, sizeof(file->metadata.ctime), (void *)d_inode + inode_ctime_offset);
 #else
     bpf_probe_read(&file->metadata.ctime.tv_sec, sizeof(file->metadata.ctime.tv_sec), &d_inode->i_ctime_sec);
     bpf_probe_read(&file->metadata.ctime.tv_nsec, sizeof(file->metadata.ctime.tv_nsec), &d_inode->i_ctime_nsec);
@@ -139,10 +144,10 @@ void __attribute__((always_inline)) fill_file(struct dentry *dentry, struct file
 		bpf_probe_read(&nsec, sizeof(nsec), (void *)d_inode + inode_mtime_nsec_offset);
 		file->metadata.mtime.tv_nsec = nsec;
 	} else {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 7, 0)
-    bpf_probe_read(&file->metadata.mtime, sizeof(file->metadata.mtime), &d_inode->i_mtime);
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
-    bpf_probe_read(&file->metadata.mtime, sizeof(file->metadata.mtime), &d_inode->__i_mtime);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 11, 0)
+    u64 inode_mtime_offset;
+    LOAD_CONSTANT("inode_mtime_offset", inode_mtime_offset);
+    bpf_probe_read(&file->metadata.mtime, sizeof(file->metadata.mtime), (void *)d_inode + inode_mtime_offset);
 #else
     bpf_probe_read(&file->metadata.mtime.tv_sec, sizeof(file->metadata.mtime.tv_sec), &d_inode->i_mtime_sec);
     bpf_probe_read(&file->metadata.mtime.tv_nsec, sizeof(file->metadata.mtime.tv_nsec), &d_inode->i_mtime_nsec);

diff --git a/pkg/security/ebpf/kernel/kernel.go b/pkg/security/ebpf/kernel/kernel.go
@@ -102,6 +102,8 @@ var (
 	Kernel6_5 = kernel.VersionCode(6, 5, 0)
 	// Kernel6_6 is the KernelVersion representation of kernel version 6.6
 	Kernel6_6 = kernel.VersionCode(6, 6, 0)
+	// Kernel6_7 is the KernelVersion representation of kernel version 6.7
+	Kernel6_7 = kernel.VersionCode(6, 7, 0)
 	// Kernel6_10 is the KernelVersion representation of kernel version 6.10
 	Kernel6_10 = kernel.VersionCode(6, 10, 0)
 	// Kernel6_11 is the KernelVersion representation of kernel version 6.11