struct_flavors.h
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
* Copyright (C) 2023 The Falco Authors.
*
* This file is dual licensed under either the MIT or GPL 2. See MIT.txt
* or GPL2.txt for full copies of the license.
*/
/* We need this header to keep track of all struct/field/enum changes between kernel versions */
#ifndef __STRUCT_FLAVORS_H__
#define __STRUCT_FLAVORS_H__
#include "vmlinux.h"
#ifndef BPF_NO_PRESERVE_ACCESS_INDEX
#pragma clang attribute push(__attribute__((preserve_access_index)), apply_to = record)
#endif
/* Flavor of `struct mm_struct` that declares only `rss_stat`, typed as an
 * array of NR_MM_COUNTERS `struct percpu_counter` entries. It sits inside the
 * preserve_access_index region, so field accesses through it are relocated.
 * NOTE(review): the `___v6_2` suffix presumably names the kernel release that
 * introduced this layout -- confirm. Code reading through this flavor should
 * first check that the field exists with this type on the running kernel;
 * that check is not part of this header.
 */
struct mm_struct___v6_2 {
struct percpu_counter rss_stat[NR_MM_COUNTERS];
};
/* Flavor of `kernel_cap_t` in which the capability set is a single 64-bit
 * `val` member. The pragma above applies to records, so this anonymous struct
 * is covered by it as well.
 * NOTE(review): the `___v6_3` suffix presumably marks the kernel release where
 * this representation appeared -- confirm. Capability values feed security
 * decisions downstream, so a reader should pick this flavor only after
 * checking that `val` exists on the running kernel.
 */
typedef struct {
uint64_t val;
} kernel_cap_t___v6_3;
/* COS kernels handle the audit fields differently, see [1]. To support both
* versions, we define a COS subset of task_struct with a flavor suffix (which
* is ignored during relocation matching [2]).
*
* [1]:
* https://chromium.googlesource.com/chromiumos/third_party/kernel/+/096925a44076ba5c52faa84d255a847130ff341e%5E%21/#F2
* [2]:
* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/lib/bpf/libbpf.c#n5347
*/
/* Target of the `audit` pointer declared in `struct task_struct___cos`.
 * Holds `loginuid`, `sessionid` and a pointer to the audit context.
 * NOTE(review): this struct carries no flavor suffix, so it relies on
 * vmlinux.h not already declaring `struct audit_task_info` -- confirm.
 */
struct audit_task_info {
kuid_t loginuid;
unsigned int sessionid;
struct audit_context *ctx;
};
/* COS flavor of `struct task_struct`: declares only the `audit` pointer, which
 * leads to the audit fields (`loginuid`, `sessionid`) on COS kernels.
 * NOTE(review): `audit` is a pointer, so a reader presumably has to handle a
 * NULL value before dereferencing it -- verify at the call sites.
 */
struct task_struct___cos {
struct audit_task_info *audit;
};
/* Flavor of `struct inode` that declares only the change time, stored as a
 * `struct timespec64` named `__i_ctime`.
 * NOTE(review): the suffix presumably marks the kernel release that renamed
 * the field -- confirm.
 */
struct inode___v6_6 {
struct timespec64 __i_ctime;
};
/* Flavor of `struct inode` that declares only the modification time, stored
 * as a `struct timespec64` named `__i_mtime`.
 * NOTE(review): the suffix presumably marks the kernel release that renamed
 * the field -- confirm.
 */
struct inode___v6_7 {
struct timespec64 __i_mtime;
};
/* Flavor of `struct inode` in which the modification and change times are
 * split into separate scalar members: 64-bit signed seconds and 32-bit
 * unsigned nanoseconds, instead of one `struct timespec64` per timestamp.
 * A reader has to combine the `_sec` and `_nsec` members itself.
 * NOTE(review): the suffix presumably marks the kernel release that
 * introduced the split -- confirm.
 */
struct inode___v6_11 {
int64_t i_mtime_sec;
int64_t i_ctime_sec;
uint32_t i_mtime_nsec;
uint32_t i_ctime_nsec;
};
#ifndef BPF_NO_PRESERVE_ACCESS_INDEX
#pragma clang attribute pop
#endif
/* These structs need no relocation: we define them ourselves as a fallback.
* Name each one with the prefix `modern_bpf__` followed by the real name of the
* struct it replaces.
*/
/* We use this as a fallback for kernels where `struct __kernel_timespec` is not defined.
 * It is declared after `#pragma clang attribute pop`, so accesses through it
 * are not relocated: the field order and widths written here are what the
 * probe reads, and they have to match the layout of the data being read.
 */
struct modern_bpf__kernel_timespec {
long int tv_sec;
long int tv_nsec;
};
/* We use this as a fallback for kernels where `struct __kernel_timex_timeval` is not defined.
 * Both members are `long long int`. The struct is declared after
 * `#pragma clang attribute pop`, so accesses through it are not relocated and
 * the layout written here is used as is.
 */
struct modern_bpf__kernel_timex_timeval {
long long int tv_sec;
long long int tv_usec;
};
/*
 * This is equivalent to old_timespec32 or compat_timespec. Some old distros
 * don't define old_timespec32 (e.g. centos 8 with 4.18 kernel), so we define
 * it here.
 *
 * Both members are plain `int`. The struct is declared after
 * `#pragma clang attribute pop`, so accesses through it are not relocated and
 * the layout written here is used as is.
 * NOTE(review): presumably used to read timespec arguments passed by 32-bit
 * callers -- confirm at the call sites that values are widened with the
 * intended signedness.
 */
struct modern_bpf__kernel_timespec_ia32 {
int tv_sec;
int tv_nsec;
};
#endif /* __STRUCT_FLAVORS_H__ */