file events: add creds info (#183)

GPL/Events/EbpfEventProto.h

@@ -146,6 +146,7 @@ struct ebpf_file_info {
 struct ebpf_file_delete_event {
     struct ebpf_event_header hdr;
     struct ebpf_pid_info pids;
+    struct ebpf_cred_info creds;
     struct ebpf_file_info finfo;
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
@@ -157,6 +158,7 @@ struct ebpf_file_delete_event {
 struct ebpf_file_create_event {
     struct ebpf_event_header hdr;
     struct ebpf_pid_info pids;
+    struct ebpf_cred_info creds;
     struct ebpf_file_info finfo;
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
@@ -168,6 +170,7 @@ struct ebpf_file_create_event {
 struct ebpf_file_rename_event {
     struct ebpf_event_header hdr;
     struct ebpf_pid_info pids;
+    struct ebpf_cred_info creds;
     struct ebpf_file_info finfo;
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
@@ -187,6 +190,7 @@ enum ebpf_file_change_type {
 struct ebpf_file_modify_event {
     struct ebpf_event_header hdr;
     struct ebpf_pid_info pids;
+    struct ebpf_cred_info creds;
     struct ebpf_file_info finfo;
     enum ebpf_file_change_type change_type;
     uint32_t mntns;

GPL/Events/File/Probe.bpf.c

@@ -125,6 +125,7 @@ static int vfs_unlink__exit(int ret)
     event->hdr.type = EBPF_EVENT_FILE_DELETE;
     event->hdr.ts   = bpf_ktime_get_ns();
     ebpf_pid_info__fill(&event->pids, task);
+    ebpf_cred_info__fill(&event->creds, task);
 
     struct path p;
     p.dentry     = &state->unlink.de;
@@ -236,6 +237,7 @@ static int do_filp_open__exit(struct file *f)
         struct task_struct *task = (struct task_struct *)bpf_get_current_task();
         struct path p            = BPF_CORE_READ(f, f_path);
         ebpf_pid_info__fill(&event->pids, task);
+        ebpf_cred_info__fill(&event->creds, task);
         event->mntns = mntns(task);
         bpf_get_current_comm(event->comm, TASK_COMM_LEN);
         ebpf_file_info__fill(&event->finfo, p.dentry);
@@ -416,6 +418,7 @@ static int vfs_rename__exit(int ret)
     event->hdr.type = EBPF_EVENT_FILE_RENAME;
     event->hdr.ts   = bpf_ktime_get_ns();
     ebpf_pid_info__fill(&event->pids, task);
+    ebpf_cred_info__fill(&event->creds, task);
     event->mntns = mntns(task);
     bpf_get_current_comm(event->comm, TASK_COMM_LEN);
     ebpf_file_info__fill(&event->finfo, de);
@@ -479,6 +482,7 @@ static void file_modify_event__emit(enum ebpf_file_change_type typ, struct path
     event->hdr.ts      = bpf_ktime_get_ns();
     event->change_type = typ;
     ebpf_pid_info__fill(&event->pids, task);
+    ebpf_cred_info__fill(&event->creds, task);
     event->mntns = mntns(task);
     bpf_get_current_comm(event->comm, TASK_COMM_LEN);
     struct dentry *d = BPF_CORE_READ(path, dentry);

non-GPL/Events/EventsTrace/EventsTrace.c

@@ -403,6 +403,9 @@ static void out_file_delete(struct ebpf_file_delete_event *evt)
     out_pid_info("pids", &evt->pids);
     out_comma();
 
+    out_cred_info("creds", &evt->creds);
+    out_comma();
+
     out_int("mount_namespace", evt->mntns);
     out_comma();
 
@@ -441,6 +444,9 @@ static void out_file_create(struct ebpf_file_create_event *evt)
     out_pid_info("pids", &evt->pids);
     out_comma();
 
+    out_cred_info("creds", &evt->creds);
+    out_comma();
+
     out_int("mount_namespace", evt->mntns);
     out_comma();
 
@@ -479,6 +485,9 @@ static void out_file_rename(struct ebpf_file_rename_event *evt)
     out_pid_info("pids", &evt->pids);
     out_comma();
 
+    out_cred_info("creds", &evt->creds);
+    out_comma();
+
     out_int("mount_namespace", evt->mntns);
     out_comma();
 
@@ -520,6 +529,9 @@ static void out_file_modify(struct ebpf_file_modify_event *evt)
     out_pid_info("pids", &evt->pids);
     out_comma();
 
+    out_cred_info("creds", &evt->creds);
+    out_comma();
+
     out_int("mount_namespace", evt->mntns);
     out_comma();