Skip to content

Commit

Permalink
update: support almalinux8 and almalinux9
Browse files Browse the repository at this point in the history 
Signed-off-by: Andrea Terzolo <[email protected]>
  • Loading branch information
@Andreagit97 @poiana
Andreagit97 authored and poiana committed Apr 5, 2023
1 parent d4c79c3 commit a9adef1
Show file tree
Hide file tree
Showing 6 changed files with 99 additions and 29 deletions.
18 changes: 18 additions & 0 deletions driver/modern_bpf/definitions/struct_flavors.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,4 +18,22 @@ struct mm_struct___v6_2
#pragma clang attribute pop
#endif

/* We don't need relocation on these structs, they are internally defined by us as a fallback!
* Use the prefix `modern_bpf__` before the real name of the struct we want to replace.
*/

/* We use this as a fallback for kernels where `struct __kernel_timespec` is not defined. */
struct modern_bpf__kernel_timespec
{
long int tv_sec;
long int tv_nsec;
};

/* We use this as a fallback for kernels where `struct __kernel_timex_timeval` is not defined. */
struct modern_bpf__kernel_timex_timeval
{
long long int tv_sec;
long long int tv_usec;
};

#endif /* __STRUCT_FLAVORS_H__ */
4 changes: 2 additions & 2 deletions driver/modern_bpf/helpers/store/auxmap_store_params.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -856,7 +856,7 @@ static __always_inline void auxmap__store_sockopt_param(struct auxiliary_map *au
/* We use a signed int because in some case we have to convert it to a negative value. */
s32 val32 = 0;
u64 val64 = 0;
struct __kernel_timex_timeval tv;
struct modern_bpf__kernel_timex_timeval tv;
u16 total_size_to_push = sizeof(u8); /* 1 byte for the PPM type. */

/* Levels different from `SOL_SOCKET` are not supported
Expand Down Expand Up @@ -885,7 +885,7 @@ static __always_inline void auxmap__store_sockopt_param(struct auxiliary_map *au
case SO_SNDTIMEO_OLD:
case SO_SNDTIMEO_NEW:
push__u8(auxmap->data, &auxmap->payload_pos, PPM_SOCKOPT_IDX_TIMEVAL);
bpf_probe_read_user((void *)&tv, bpf_core_type_size(struct __kernel_timex_timeval), (void *)optval);
bpf_probe_read_user((void *)&tv, sizeof(tv), (void *)optval);
push__u64(auxmap->data, &auxmap->payload_pos, tv.tv_sec * SEC_FACTOR + tv.tv_usec * USEC_FACTOR);
total_size_to_push += sizeof(u64);
break;
Expand Down
14 changes: 9 additions & 5 deletions driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/clone3.bpf.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -191,11 +191,15 @@ int BPF_PROG(t1_clone3_x,

/* Parameter 16: flags (type: PT_FLAGS32) */
/* the `clone_args` struct is defined since kernel version 5.3 */
unsigned long cl_args_pointer = extract__syscall_argument(regs, 0);
struct clone_args cl_args = {0};
bpf_probe_read_user((void *)&cl_args, bpf_core_type_size(struct clone_args), (void *)cl_args_pointer);
unsigned long flags = cl_args.flags;
auxmap__store_u32_param(auxmap, (u32)extract__clone_flags(task, flags));
unsigned long flags = 0;
if(bpf_core_type_exists(struct clone_args))
{
unsigned long cl_args_pointer = extract__syscall_argument(regs, 0);
struct clone_args cl_args = {0};
bpf_probe_read_user((void *)&cl_args, bpf_core_type_size(struct clone_args), (void *)cl_args_pointer);
flags = extract__clone_flags(task, cl_args.flags);
}
auxmap__store_u32_param(auxmap, (u32)flags);

/* Parameter 17: uid (type: PT_UINT32) */
u32 euid = 0;
Expand Down
58 changes: 42 additions & 16 deletions driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/io_uring_setup.bpf.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,29 +60,55 @@ int BPF_PROG(io_uring_setup_x,
ringbuf__store_u32(&ringbuf, entries);

/* Get the second syscall argument that is a `struct io_uring_params*`
* This struct is defined since kernel release 5.1
* This struct is defined since kernel release 5.1.
* Some machines like almalinux8 and almalinux9 don't have the
* `struct io_uring_params` defined in their vmlinux, for this reason, we send
* empty params.
*/
unsigned long params_pointer = extract__syscall_argument(regs, 1);
struct io_uring_params params = {0};
bpf_probe_read_user((void *)&params, bpf_core_type_size(struct io_uring_params), (void *)params_pointer);
if(bpf_core_type_exists(struct io_uring_params))
{
unsigned long params_pointer = extract__syscall_argument(regs, 1);
struct io_uring_params params = {0};
bpf_probe_read_user((void *)&params, bpf_core_type_size(struct io_uring_params), (void *)params_pointer);

/* Parameter 3: sq_entries (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.sq_entries);

/* Parameter 4: cq_entries (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.cq_entries);

/* Parameter 3: sq_entries (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.sq_entries);
/* Parameter 5: flags (type: PT_FLAGS32) */
ringbuf__store_u32(&ringbuf, (u32)io_uring_setup_flags_to_scap(params.flags));

/* Parameter 4: cq_entries (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.cq_entries);
/* Parameter 6: sq_thread_cpu (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.sq_thread_cpu);

/* Parameter 5: flags (type: PT_FLAGS32) */
ringbuf__store_u32(&ringbuf, (u32)io_uring_setup_flags_to_scap(params.flags));
/* Parameter 7: sq_thread_idle (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.sq_thread_idle);

/* Parameter 6: sq_thread_cpu (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.sq_thread_cpu);
/* Parameter 8: features (type: PT_FLAGS32) */
ringbuf__store_u32(&ringbuf, (u32)io_uring_setup_feats_to_scap(params.features));
}
else
{
/* Parameter 3: sq_entries (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, 0);

/* Parameter 7: sq_thread_idle (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, params.sq_thread_idle);
/* Parameter 4: cq_entries (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, 0);

/* Parameter 8: features (type: PT_FLAGS32) */
ringbuf__store_u32(&ringbuf, (u32)io_uring_setup_feats_to_scap(params.features));
/* Parameter 5: flags (type: PT_FLAGS32) */
ringbuf__store_u32(&ringbuf, 0);

/* Parameter 6: sq_thread_cpu (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, 0);

/* Parameter 7: sq_thread_idle (type: PT_UINT32) */
ringbuf__store_u32(&ringbuf, 0);

/* Parameter 8: features (type: PT_FLAGS32) */
ringbuf__store_u32(&ringbuf, 0);
}

/*=============================== COLLECT PARAMETERS ===========================*/

Expand Down
17 changes: 14 additions & 3 deletions driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/nanosleep.bpf.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,21 @@ int BPF_PROG(nanosleep_e,
/*=============================== COLLECT PARAMETERS ===========================*/

/* Parameter 1: req (type: PT_RELTIME) */
struct __kernel_timespec ts = {0};
u64 nanosec = 0;
unsigned long ts_pointer = extract__syscall_argument(regs, 0);
bpf_probe_read_user(&ts, bpf_core_type_size(struct __kernel_timespec), (void *)ts_pointer);
ringbuf__store_u64(&ringbuf, ((u64)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec);
if(bpf_core_type_exists(struct __kernel_timespec))
{
struct __kernel_timespec ts = {0};
bpf_probe_read_user(&ts, bpf_core_type_size(struct __kernel_timespec), (void *)ts_pointer);
nanosec = ((u64)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
}
else
{
struct modern_bpf__kernel_timespec ts = {0};
bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
nanosec = ((u64)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
}
ringbuf__store_u64(&ringbuf, nanosec);

/*=============================== COLLECT PARAMETERS ===========================*/

Expand Down
17 changes: 14 additions & 3 deletions driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/ppoll.bpf.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,21 @@ int BPF_PROG(ppoll_e,
auxmap__store_fdlist_param(auxmap, fds_pointer, nfds, REQUESTED_EVENTS);

/* Parameter 2: timeout (type: PT_RELTIME) */
struct __kernel_timespec ts = {0};
u64 nanosec = 0;
unsigned long ts_pointer = extract__syscall_argument(regs, 2);
bpf_probe_read_user(&ts, bpf_core_type_size(struct __kernel_timespec), (void *)ts_pointer);
auxmap__store_u64_param(auxmap, ((u64)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec);
if(bpf_core_type_exists(struct __kernel_timespec))
{
struct __kernel_timespec ts = {0};
bpf_probe_read_user(&ts, bpf_core_type_size(struct __kernel_timespec), (void *)ts_pointer);
nanosec = ((u64)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
}
else
{
struct modern_bpf__kernel_timespec ts = {0};
bpf_probe_read_user(&ts, sizeof(ts), (void *)ts_pointer);
nanosec = ((u64)ts.tv_sec) * SECOND_TO_NS + ts.tv_nsec;
}
auxmap__store_u64_param(auxmap, nanosec);

/* Parameter 3: sigmask (type: PT_SIGSET) */
long unsigned int sigmask[1] = {0};
Expand Down

0 comments on commit a9adef1

Please sign in to comment.