diff --git a/GPL/Events/EbpfEventProto.h b/GPL/Events/EbpfEventProto.h
index 9dde3246..45d38cb0 100644
--- a/GPL/Events/EbpfEventProto.h
+++ b/GPL/Events/EbpfEventProto.h
@@ -151,7 +151,7 @@ struct ebpf_file_delete_event {
 uint32_t mntns;
 char comm[TASK_COMM_LEN];
- // Variable length fields: path, symlink_target_path
+ // Variable length fields: path, symlink_target_path, pids_ss_cgroup_path
 struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
@@ -163,7 +163,7 @@ struct ebpf_file_create_event {
 uint32_t mntns;
 char comm[TASK_COMM_LEN];
- // Variable length fields: path, symlink_target_path
+ // Variable length fields: path, symlink_target_path, pids_ss_cgroup_path
 struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
@@ -175,7 +175,7 @@ struct ebpf_file_rename_event {
 uint32_t mntns;
 char comm[TASK_COMM_LEN];
- // Variable length fields: old_path, new_path, symlink_target_path
+ // Variable length fields: old_path, new_path, symlink_target_path, pids_ss_cgroup_path
 struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
@@ -196,7 +196,7 @@ struct ebpf_file_modify_event {
 uint32_t mntns;
 char comm[TASK_COMM_LEN];
- // Variable length fields: path, symlink_target_path
+ // Variable length fields: path, symlink_target_path, pids_ss_cgroup_path
 struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c
index 7bd8428c..780c9473 100644
--- a/GPL/Events/File/Probe.bpf.c
+++ b/GPL/Events/File/Probe.bpf.c
@@ -150,6 +150,11 @@ static int vfs_unlink__exit(int ret)
 size = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
+ // pids ss cgroup path
+ field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+ size = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+ ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
 bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 // Certain filesystems (eg. overlayfs) call vfs_unlink twice during the same
@@ -258,6 +263,11 @@ static int do_filp_open__exit(struct file *f)
 size = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
+ // pids ss cgroup path
+ field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+ size = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+ ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
 bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 }
@@ -444,6 +454,11 @@ static int vfs_rename__exit(int ret)
 size = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
+ // pids ss cgroup path
+ field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+ size = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+ ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
 bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 // Certain filesystems (eg. overlayfs) call vfs_rename twice during the same
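Review bot: The `size` returned by `ebpf_resolve_pids_ss_cgroup_path_to_string` on the new lines of vfs_unlink__exit is handed straight to `ebpf_vl_field__set_size`, and unlike the neighbouring `read_kernel_str_or_empty_str` nothing here shows what it yields for a task with no pids cgroup; if it can return a negative error, the recorded field size and `EVENT_SIZE(event)` passed to `bpf_ringbuf_output` would both be wrong, so either confirm it always returns a non-negative length or clamp it with `if (size < 0) size = 0;` before the set_size call. The call also depends on `task` being bound earlier in vfs_unlink__exit, which starts outside the hunk — presumably the task whose `comm` fills the event, worth confirming it is not a stale or different task pointer. The same five lines are pasted verbatim into do_filp_open__exit, vfs_rename__exit and, in the next hunk, file_modify_event__emit; a small static helper taking `&event->vl_fields` and `task` would keep the four emitters from drifting, and the comment would read better as `// pids-subsystem cgroup path of the acting task, for container attribution`. Consumers should treat an empty cgroup path as "unknown" rather than "host", since a resolver failure and a genuinely root-cgroup task look alike in the emitted string.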
@@ -511,6 +526,11 @@ static void file_modify_event__emit(enum ebpf_file_change_type typ, struct path
 size = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
+ // pids ss cgroup path
+ field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH);
+ size = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
+ ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
 bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 out:
diff --git a/non-GPL/Events/EventsTrace/EventsTrace.c b/non-GPL/Events/EventsTrace/EventsTrace.c
index 59419ff6..3ef4b596 100644
--- a/non-GPL/Events/EventsTrace/EventsTrace.c
+++ b/non-GPL/Events/EventsTrace/EventsTrace.c
@@ -425,6 +425,9 @@ static void out_file_delete(struct ebpf_file_delete_event *evt)
 case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
 out_string("symlink_target_path", field->data);
 break;
+ case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+ out_string("pids_ss_cgroup_path", field->data);
+ break;
 default:
 fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
 break;
@@ -466,6 +469,9 @@ static void out_file_create(struct ebpf_file_create_event *evt)
 case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
 out_string("symlink_target_path", field->data);
 break;
+ case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+ out_string("pids_ss_cgroup_path", field->data);
+ break;
 default:
 fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
 break;
@@ -510,6 +516,9 @@ static void out_file_rename(struct ebpf_file_rename_event *evt)
 case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
 out_string("symlink_target_path", field->data);
 break;
+ case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+ out_string("pids_ss_cgroup_path", field->data);
+ break;
 default:
 fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
 break;
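Review bot: The new `case` in out_file_delete passes `field->data` to `out_string` as a NUL-terminated string, so userspace is trusting the BPF producer to have written a terminator inside the field; the resolver's contract is not visible in this diff, and a reader of ring-buffer data is safer bounding the read by the length the producer recorded with `ebpf_vl_field__set_size` than scanning for '\0'. If `out_string` has no length-bounded form, a check such as `if (!memchr(field->data, '\0', <field size>)) break;` ahead of the print (with the size taken from whatever accessor the varlen-field API provides) would keep a malformed event from reading past the field. The same arm is added unchanged to out_file_create and out_file_rename in this hunk line and to out_file_modify in the next, and the switch body of the enclosing functions continues outside each hunk. With four identical switches, a shared helper for the fields common to all file events would stop one emitter silently falling into the "Unexpected variable length field" default the next time a field is added.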
@@ -570,6 +579,9 @@ static void out_file_modify(struct ebpf_file_modify_event *evt)
 case EBPF_VL_FIELD_SYMLINK_TARGET_PATH:
 out_string("symlink_target_path", field->data);
 break;
+ case EBPF_VL_FIELD_PIDS_SS_CGROUP_PATH:
+ out_string("pids_ss_cgroup_path", field->data);
+ break;
 default:
 fprintf(stderr, "Unexpected variable length field: %d\n", field->type);
 break;