diff --git a/GPL/Events/File/File.h b/GPL/Events/File/File.h
index 6e4de5ad..63d5108d 100644
--- a/GPL/Events/File/File.h
+++ b/GPL/Events/File/File.h
@@ -15,6 +15,12 @@
 #include
 #include "EbpfEventProto.h"
+#include "Helpers.h"
+
+/* struct inode */
+DECL_FIELD_OFFSET(inode, __i_atime);
+DECL_FIELD_OFFSET(inode, __i_mtime);
+DECL_FIELD_OFFSET(inode, __i_ctime);
 #define PATH_MAX 4096
@@ -49,6 +55,8 @@ static struct path *path_from_file(struct file *f)
 static void ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
 {
+ struct timespec64 ts;
+
 struct inode *ino = BPF_CORE_READ(de, d_inode);
 finfo->inode = BPF_CORE_READ(ino, i_ino);
@@ -56,12 +64,30 @@ static void ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de
 finfo->size = BPF_CORE_READ(ino, i_size);
 finfo->uid = BPF_CORE_READ(ino, i_uid.val);
 finfo->gid = BPF_CORE_READ(ino, i_gid.val);
- finfo->atime = BPF_CORE_READ(ino, i_atime.tv_sec) * NANOSECONDS_IN_SECOND +
- BPF_CORE_READ(ino, i_atime.tv_nsec);
- finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_sec) * NANOSECONDS_IN_SECOND +
- BPF_CORE_READ(ino, i_mtime.tv_nsec);
- finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_sec) * NANOSECONDS_IN_SECOND +
- BPF_CORE_READ(ino, i_ctime.tv_nsec);
+
+ if (FIELD_OFFSET(inode, __i_atime)) {
+ bpf_core_read(&ts, sizeof(ts), (char *)ino + FIELD_OFFSET(inode, __i_atime));
+ finfo->atime = ts.tv_sec * NANOSECONDS_IN_SECOND + ts.tv_nsec;
+ } else if (bpf_core_field_exists(ino->i_atime)) {
+ finfo->atime = BPF_CORE_READ(ino, i_atime.tv_sec) * NANOSECONDS_IN_SECOND +
+ BPF_CORE_READ(ino, i_atime.tv_nsec);
+ }
+
+ if (FIELD_OFFSET(inode, __i_mtime)) {
+ bpf_core_read(&ts, sizeof(ts), (char *)ino + FIELD_OFFSET(inode, __i_mtime));
+ finfo->mtime = ts.tv_sec * NANOSECONDS_IN_SECOND + ts.tv_nsec;
+ } else if (bpf_core_field_exists(ino->i_mtime)) {
+ finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_sec) * NANOSECONDS_IN_SECOND +
+ BPF_CORE_READ(ino, i_mtime.tv_nsec);
+ }
+
+ if (FIELD_OFFSET(inode, __i_ctime)) {
+ bpf_core_read(&ts, sizeof(ts), (char *)ino + FIELD_OFFSET(inode, __i_ctime));
+ finfo->ctime = ts.tv_sec * NANOSECONDS_IN_SECOND + ts.tv_nsec;
+ } else if (bpf_core_field_exists(ino->i_ctime)) {
+ finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_sec) * NANOSECONDS_IN_SECOND +
+ BPF_CORE_READ(ino, i_ctime.tv_nsec);
+ }
 if (S_ISREG(finfo->mode)) {
 finfo->type = EBPF_FILE_TYPE_FILE;
diff --git a/non-GPL/Events/Lib/EbpfEvents.c b/non-GPL/Events/Lib/EbpfEvents.c
index 377f383c..f915ff62 100644
--- a/non-GPL/Events/Lib/EbpfEvents.c
+++ b/non-GPL/Events/Lib/EbpfEvents.c
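Review bot: In ebpf_file_info__fill (File.h) none of the three new `if`/`else if` chains has a final `else`, so when the `__i_atime` offset is unset and `bpf_core_field_exists(ino->i_atime)` is false, `finfo->atime` is never written; the same holds for `mtime` and `ctime`. Whether the caller zeroes `finfo` is not visible in this hunk, and if it does not, the event delivered to userspace would carry whatever bytes were already in that buffer as a timestamp, which is a bad property for security telemetry. Assigning a default before the chains, `finfo->atime = finfo->mtime = finfo->ctime = 0;`, makes the unknown-layout case explicit. The return value of `bpf_core_read` is also ignored, and the use of offset 0 as "field absent" is undocumented; a one-line comment such as `/* offset 0 means BTF had no __i_*time member */` would cover the latter. The function starts and ends outside this hunk.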
@@ -284,6 +284,13 @@ static int probe_fill_relos(struct btf *btf, struct EventProbe_bpf *obj)
 err = err ?: FILL_FUNC_ARG_IDX(obj, btf, do_truncate, filp);
 err = err ?: FILL_FUNC_RET_IDX(obj, btf, do_truncate);
+ if (BTF_FIELD_EXISTS(btf, inode, __i_atime))
+ err = err ?: FILL_FIELD_OFFSET(obj, btf, inode, __i_atime);
+ if (BTF_FIELD_EXISTS(btf, inode, __i_mtime))
+ err = err ?: FILL_FIELD_OFFSET(obj, btf, inode, __i_mtime);
+ if (BTF_FIELD_EXISTS(btf, inode, __i_ctime))
+ err = err ?: FILL_FIELD_OFFSET(obj, btf, inode, __i_ctime);
+
 return err;
 }
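Review bot: The three conditional fills in probe_fill_relos leave the offset untouched when BTF has no `__i_*time` member, and the probe side then depends on that untouched value being zero to take its fallback path, but nothing here records that contract. A comment above the block, for example `/* __i_{a,m,c}time exist only on some kernels; an unfilled offset stays 0 and the probe falls back to i_{a,m,c}time */`, would state it, assuming the DECL_FIELD_OFFSET default really is 0 (its definition is not shown). The unbraced `if` bodies sit directly under an `err = err ?: ...` chain and are easy to misread as part of it; bracing them would avoid that. The function starts outside the hunk.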