file: support new inode struct *time fields (#182)
mmat11 authored Jan 24, 2024
1 parent 4fc88dc commit bbab4f1
Showing 2 changed files with 39 additions and 6 deletions.
38 changes: 32 additions & 6 deletions GPL/Events/File/File.h
@@ -15,6 +15,12 @@
#include <bpf/bpf_core_read.h>

#include "EbpfEventProto.h"
#include "Helpers.h"

/* struct inode */
DECL_FIELD_OFFSET(inode, __i_atime);
DECL_FIELD_OFFSET(inode, __i_mtime);
DECL_FIELD_OFFSET(inode, __i_ctime);

#define PATH_MAX 4096

@@ -49,19 +55,39 @@ static struct path *path_from_file(struct file *f)

static void ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
{
struct timespec64 ts;

struct inode *ino = BPF_CORE_READ(de, d_inode);

finfo->inode = BPF_CORE_READ(ino, i_ino);
finfo->mode = BPF_CORE_READ(ino, i_mode);
finfo->size = BPF_CORE_READ(ino, i_size);
finfo->uid = BPF_CORE_READ(ino, i_uid.val);
finfo->gid = BPF_CORE_READ(ino, i_gid.val);
finfo->atime = BPF_CORE_READ(ino, i_atime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_atime.tv_nsec);
finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_mtime.tv_nsec);
finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_ctime.tv_nsec);

if (FIELD_OFFSET(inode, __i_atime)) {
bpf_core_read(&ts, sizeof(ts), (char *)ino + FIELD_OFFSET(inode, __i_atime));
finfo->atime = ts.tv_sec * NANOSECONDS_IN_SECOND + ts.tv_nsec;
} else if (bpf_core_field_exists(ino->i_atime)) {
finfo->atime = BPF_CORE_READ(ino, i_atime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_atime.tv_nsec);
}

if (FIELD_OFFSET(inode, __i_mtime)) {
bpf_core_read(&ts, sizeof(ts), (char *)ino + FIELD_OFFSET(inode, __i_mtime));
finfo->mtime = ts.tv_sec * NANOSECONDS_IN_SECOND + ts.tv_nsec;
} else if (bpf_core_field_exists(ino->i_mtime)) {
finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_mtime.tv_nsec);
}

if (FIELD_OFFSET(inode, __i_ctime)) {
bpf_core_read(&ts, sizeof(ts), (char *)ino + FIELD_OFFSET(inode, __i_ctime));
finfo->ctime = ts.tv_sec * NANOSECONDS_IN_SECOND + ts.tv_nsec;
} else if (bpf_core_field_exists(ino->i_ctime)) {
finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_ctime.tv_nsec);
}

if (S_ISREG(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_FILE;
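Review bot: In ebpf_file_info__fill, none of the three new `if` / `else if` chains has a final `else`, so when the `FIELD_OFFSET` for `__i_atime` (likewise `__i_mtime`, `__i_ctime`) is zero and `bpf_core_field_exists(ino->i_atime)` is also false, `finfo->atime` is never written, whereas the old code always assigned it. Whether the caller zeroes `finfo` is not visible here, so the event could carry whatever the buffer held before, and file timestamps are data that detection rules and forensic timelines rely on. Zeroing up front makes the miss explicit: `finfo->atime = finfo->mtime = finfo->ctime = 0;` before the first `if`. The return value of `bpf_core_read(&ts, ...)` is also ignored, so a failed read cannot be told apart from a real timestamp; checking it and leaving the field at 0 on failure would be consistent with that. The function body continues past the end of the hunk.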
7 changes: 7 additions & 0 deletions non-GPL/Events/Lib/EbpfEvents.c
@@ -284,6 +284,13 @@ static int probe_fill_relos(struct btf *btf, struct EventProbe_bpf *obj)
err = err ?: FILL_FUNC_ARG_IDX(obj, btf, do_truncate, filp);
err = err ?: FILL_FUNC_RET_IDX(obj, btf, do_truncate);

if (BTF_FIELD_EXISTS(btf, inode, __i_atime))
err = err ?: FILL_FIELD_OFFSET(obj, btf, inode, __i_atime);
if (BTF_FIELD_EXISTS(btf, inode, __i_mtime))
err = err ?: FILL_FIELD_OFFSET(obj, btf, inode, __i_mtime);
if (BTF_FIELD_EXISTS(btf, inode, __i_ctime))
err = err ?: FILL_FIELD_OFFSET(obj, btf, inode, __i_ctime);

return err;
}

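Review bot: The three `BTF_FIELD_EXISTS` guards in probe_fill_relos rely on an undocumented contract with File.h: when a field is absent the offset is simply not filled, and the BPF side treats a zero `FIELD_OFFSET` as "fall back to `i_atime` / `i_mtime` / `i_ctime`". The macro definitions are outside this hunk, so the zero default is presumed rather than shown. A comment above the first guard would record it, for example `/* __i_{a,m,c}time exist only on newer kernels; if absent the offset stays 0 and File.h reads i_{a,m,c}time instead */`. Bracing the three single-statement `if` bodies would also keep the `err = err ?: ...` chain harder to break in a later edit.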
