Add cgroup path to file events (#184)

events: add cgroup path to file events

GPL/Events/EbpfEventProto.h

@@ -151,7 +151,7 @@ struct ebpf_file_delete_event {
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
 
-    // Variable length fields: path, symlink_target_path
+    // Variable length fields: path, symlink_target_path, pids_ss_cgroup_path
     struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
 
@@ -163,7 +163,7 @@ struct ebpf_file_create_event {
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
 
-    // Variable length fields: path, symlink_target_path
+    // Variable length fields: path, symlink_target_path, pids_ss_cgroup_path
     struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
 
@@ -175,7 +175,7 @@ struct ebpf_file_rename_event {
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
 
-    // Variable length fields: old_path, new_path, symlink_target_path
+    // Variable length fields: old_path, new_path, symlink_target_path, pids_ss_cgroup_path
     struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
 
@@ -196,7 +196,7 @@ struct ebpf_file_modify_event {
     uint32_t mntns;
     char comm[TASK_COMM_LEN];
 
-    // Variable length fields: path, symlink_target_path
+    // Variable length fields: path, symlink_target_path, pids_ss_cgroup_path
     struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
 

GPL/Events/File/Probe.bpf.c

@@ -150,6 +150,11 @@ static int vfs_unlink__exit(int ret)
     size       = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
     ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
+    // pids ss cgroup path
+    field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+    size  = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+    ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
     bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 
     // Certain filesystems (eg. overlayfs) call vfs_unlink twice during the same
@@ -258,6 +263,11 @@ static int do_filp_open__exit(struct file *f)
         size       = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
         ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
+        // pids ss cgroup path
+        field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+        size  = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+        ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
         bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
     }
 
@@ -444,6 +454,11 @@ static int vfs_rename__exit(int ret)
     size       = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
     ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
+    // pids ss cgroup path
+    field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+    size  = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+    ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
     bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 
     // Certain filesystems (eg. overlayfs) call vfs_rename twice during the same
@@ -511,6 +526,11 @@ static void file_modify_event__emit(enum ebpf_file_change_type typ, struct path
     size       = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
     ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
+    // pids ss cgroup path
+    field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+    size  = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+    ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
     bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 
 out:

non-GPL/Events/EventsTrace/EventsTrace.c

@@ -425,6 +425,9 @@ static void out_file_delete(struct ebpf_file_delete_event *evt)
         case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
             out_string("symlink_target_path", field->data);
             break;
+        case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+            out_string("pids_ss_cgroup_path", field->data);
+            break;
         default:
             fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
             break;
@@ -466,6 +469,9 @@ static void out_file_create(struct ebpf_file_create_event *evt)
         case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
             out_string("symlink_target_path", field->data);
             break;
+        case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+            out_string("pids_ss_cgroup_path", field->data);
+            break;
         default:
             fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
             break;
@@ -510,6 +516,9 @@ static void out_file_rename(struct ebpf_file_rename_event *evt)
         case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
             out_string("symlink_target_path", field->data);
             break;
+        case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+            out_string("pids_ss_cgroup_path", field->data);
+            break;
         default:
             fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
             break;
@@ -570,6 +579,9 @@ static void out_file_modify(struct ebpf_file_modify_event *evt)
         case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
             out_string("symlink_target_path", field->data);
             break;
+        case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+            out_string("pids_ss_cgroup_path", field->data);
+            break;
         default:
             fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
             break;