fix: path_rename lsm hook for kernel >= 5.19

exein-io · Nov 13, 2024 · 48af895 · 48af895
1 parent e0645e6
commit 48af895
Showing 1 changed file with 52 additions and 3 deletions.
diff --git a/crates/modules/file-system-monitor/probes.bpf.c b/crates/modules/file-system-monitor/probes.bpf.c
@@ -169,9 +169,7 @@ static __always_inline void on_path_rmdir(void *ctx, struct path *dir,
   output_fs_event(ctx, event);
 }
 
-PULSAR_LSM_HOOK(path_rename, struct path *, old_dir, struct dentry *,
-                old_dentry, struct path *, new_dir, struct dentry *,
-                new_dentry);
+// Manually implements hooks below
 static __always_inline void on_path_rename(void *ctx, struct path *old_dir,
                                            struct dentry *old_dentry,
                                            struct path *new_dir,
@@ -188,3 +186,54 @@ static __always_inline void on_path_rename(void *ctx, struct path *old_dir,
   get_path_str(&destination, &event->buffer, &event->rename.destination);
   output_fs_event(ctx, event);
 }
+
+#ifdef FEATURE_LSM
+  /// This function shim is needed to make the verifier happy,
+  static __always_inline int jmp_on_path_rename(unsigned long long *ctx,
+                                                struct path *old_dir,
+                                                struct dentry *old_dentry,
+                                                struct path *new_dir,
+                                                struct dentry *new_dentry,
+                                                unsigned int flags,
+                                                int ret) {
+    on_path_rename(ctx,old_dir, old_dentry, new_dir, new_dentry);
+    return ret;
+  }
+
+  SEC("lsm/path_rename")                                                      
+  int BPF_PROG(path_rename,
+               struct path *old_dir,
+               struct dentry *old_dentry,
+               struct path *new_dir,
+               struct dentry *new_dentry) {
+    // struct path *old_dir = (struct path *) ctx[0];
+    // struct dentry *old_dentry = (struct dentry *) ctx[1];
+    // struct path *new_dir = (struct path *) ctx[2];
+    // struct dentry *new_dentry = (struct dentry *) ctx[3];
+
+    // On kernel > 5.18 there is another parameter:
+    // `unsigned int flags` in `ctx[4]`;
+    // So ret it located foward
+    if ((LINUX_KERNEL_VERSION >= KERNEL_VERSION(5, 19, 0))) {
+      // LOG_ERROR(">>>>> step 1");
+      unsigned int flags = (unsigned int) ctx[4];
+      // LOG_ERROR(">>>>> il 4: %d", flags);
+      int ret = (int) (ctx[5]);
+      // on_path_rename(ctx,old_dir, old_dentry, new_dir, new_dentry);
+      // return (int)(uintptr_t)(ctx[5]);
+      return jmp_on_path_rename(ctx, old_dir, old_dentry, new_dir, new_dentry, flags, ret);
+    } else {
+      // LOG_ERROR(">>>>> step 2");
+      // ret = (int )(ctx[4]);
+      on_path_rename(ctx,old_dir, old_dentry, new_dir, new_dentry);
+      return (int)(uintptr_t)(ctx[4]);
+      // return jmp_on_path_rename(ctx, old_dir, old_dentry, new_dir, new_dentry, (int)(ctx[4]));
+    }                                                              
+  }
+#else
+  SEC("kprobe/security_path_rename")                                          
+  int BPF_KPROBE(security_path_rename, struct path *old_dir, struct dentry *old_dentry, struct path *new_dir, struct dentry *new_dentry) {
+    on_path_rename(ctx, old_dir, old_dentry, new_dir, new_dentry);
+    return 0;                                                                  
+  }
+#endif