[CWS] onboard first batch of fs constants to the fetcher (DataDog#32700)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
johntrogan · Jan 6, 2025 · c672370 · c672370
1 parent 841329e
commit c672370
Show file tree

Hide file tree

Showing 5 changed files with 779 additions and 35 deletions.
diff --git a/pkg/security/ebpf/c/include/constants/offsets/filesystem.h b/pkg/security/ebpf/c/include/constants/offsets/filesystem.h
@@ -17,23 +17,37 @@ unsigned long __attribute__((always_inline)) get_inode_ino(struct inode *inode)
     return ino;
 }
 
-dev_t __attribute__((always_inline)) get_inode_dev(struct inode *inode) {
+struct inode* get_dentry_inode(struct dentry *dentry) {
+    u64 offset;
+    LOAD_CONSTANT("dentry_d_inode_offset", offset);
+
+    struct inode *inode;
+    bpf_probe_read(&inode, sizeof(inode), (void *)dentry + offset);
+    return inode;
+}
+
+dev_t __attribute__((always_inline)) get_sb_dev(struct super_block *sb) {
+    u64 sb_dev_offset;
+    LOAD_CONSTANT("sb_dev_offset", sb_dev_offset);
+
     dev_t dev;
+    bpf_probe_read(&dev, sizeof(dev), (void *)sb + sb_dev_offset);
+    return dev;
+}
+
+dev_t __attribute__((always_inline)) get_inode_dev(struct inode *inode) {
     struct super_block *sb;
     bpf_probe_read(&sb, sizeof(sb), &inode->i_sb);
-    bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
-    return dev;
+    return get_sb_dev(sb);
 }
 
 dev_t __attribute__((always_inline)) get_dentry_dev(struct dentry *dentry) {
     u64 offset;
     LOAD_CONSTANT("dentry_d_sb_offset", offset);
 
-    dev_t dev;
     struct super_block *sb;
     bpf_probe_read(&sb, sizeof(sb), (char *)dentry + offset);
-    bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
-    return dev;
+    return get_sb_dev(sb);
 }
 
 void *__attribute__((always_inline)) get_file_f_inode_addr(struct file *file) {
@@ -134,12 +148,6 @@ struct super_block *__attribute__((always_inline)) get_vfsmount_sb(struct vfsmou
     return sb;
 }
 
-dev_t __attribute__((always_inline)) get_sb_dev(struct super_block *sb) {
-    dev_t dev;
-    bpf_probe_read(&dev, sizeof(dev), &sb->s_dev);
-    return dev;
-}
-
 struct dentry *__attribute__((always_inline)) get_mountpoint_dentry(void *mntpoint) {
     struct dentry *dentry;
 
@@ -156,31 +164,25 @@ dev_t __attribute__((always_inline)) get_mount_dev(void *mnt) {
     return get_vfsmount_dev(get_mount_vfsmount(mnt));
 }
 
-struct inode *__attribute__((always_inline)) get_dentry_inode(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
-    return d_inode;
-}
-
 unsigned long __attribute__((always_inline)) get_dentry_ino(struct dentry *dentry) {
     return get_inode_ino(get_dentry_inode(dentry));
 }
 
-struct dentry *__attribute__((always_inline)) get_file_dentry(struct file *file) {
-    struct dentry *file_dentry;
-    bpf_probe_read(&file_dentry, sizeof(file_dentry), &get_file_f_path_addr(file)->dentry);
-    return file_dentry;
-}
-
 struct dentry *__attribute__((always_inline)) get_path_dentry(struct path *path) {
+    u64 offset;
+    LOAD_CONSTANT("path_dentry_offset", offset);
+
     struct dentry *dentry;
-    bpf_probe_read(&dentry, sizeof(dentry), &path->dentry);
+    bpf_probe_read(&dentry, sizeof(dentry), (void *)path + offset);
     return dentry;
 }
 
+struct dentry *__attribute__((always_inline)) get_file_dentry(struct file *file) {
+    return get_path_dentry(get_file_f_path_addr(file));
+}
+
 unsigned long __attribute__((always_inline)) get_path_ino(struct path *path) {
-    struct dentry *dentry;
-    bpf_probe_read(&dentry, sizeof(dentry), &path->dentry);
+    struct dentry *dentry = get_path_dentry(path);
 
     if (dentry) {
         return get_dentry_ino(dentry);
@@ -247,8 +249,7 @@ static __attribute__((always_inline)) int is_overlayfs(struct dentry *dentry) {
 }
 
 int __attribute__((always_inline)) get_ovl_lower_ino_direct(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     // escape from the embedded vfs_inode to reach ovl_inode
     struct inode *lower;
@@ -258,8 +259,7 @@ int __attribute__((always_inline)) get_ovl_lower_ino_direct(struct dentry *dentr
 }
 
 int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_path(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     // escape from the embedded vfs_inode to reach ovl_inode
     struct dentry *lower;
@@ -269,8 +269,7 @@ int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_path(struct dentry
 }
 
 int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_entry(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     void *oe;
     bpf_probe_read(&oe, sizeof(oe), (char *)d_inode + get_sizeof_inode() + 8);
@@ -283,8 +282,7 @@ int __attribute__((always_inline)) get_ovl_lower_ino_from_ovl_entry(struct dentr
 }
 
 int __attribute__((always_inline)) get_ovl_upper_ino(struct dentry *dentry) {
-    struct inode *d_inode;
-    bpf_probe_read(&d_inode, sizeof(d_inode), &dentry->d_inode);
+    struct inode *d_inode = get_dentry_inode(dentry);
 
     // escape from the embedded vfs_inode to reach ovl_inode
     struct dentry *upper;