EventProbe: capture file info from inode #178

Merged (3 commits), Oct 27, 2023

Conversation

mmat11 (Contributor) commented Oct 24, 2023

tested manually (eventstrace):

{"event_type":"FILE_CREATE","pids":{"tid":3874,"tgid":3813,"ppid":2956,"pgid":2956,"sid":2956,"start_time_ns":50065645985},"mount_namespace":4026531841,"comm":"Cache2 I/O","file_info":{"type":"FILE","inode":48667076,"mode":100600,"size":0,"uid":1000,"gid":1000,"mtime":493949622,"ctime":493949622},"path":"/home/matt/.cache/mozilla/firefox/lpqgi4lp.default-release/cache2/entries/080AE6076F29C7973BFF7A893740046655644EBE","symlink_target_path":""}
{"event_type":"FILE_DELETE","pids":{"tid":777527,"tgid":777527,"ppid":13733,"pgid":777527,"sid":777527,"start_time_ns":181390102798979},"mount_namespace":4026531841,"comm":"zsh","file_info":{"type":"SYMLINK","inode":48667077,"mode":120777,"size":23,"uid":1000,"gid":1000,"mtime":773993000,"ctime":774993006},"path":"/home/matt/.zsh_history.LOCK","symlink_target_path":""}
{"event_type":"FILE_DELETE","pids":{"tid":979918,"tgid":979918,"ppid":777527,"pgid":979918,"sid":777527,"start_time_ns":231767498246356},"mount_namespace":4026531841,"comm":"rm","file_info":{"type":"SYMLINK","inode":6706,"mode":120777,"size":11,"uid":1000,"gid":1000,"mtime":241817035,"ctime":776993018},"path":"/tmp/ciao124","symlink_target_path":"/tmp/ciao123"}

draft: this temporarily reintroduces this bug: 039ceef ; can be merged after I find a workaround
edit: veristat is successful on both elastic/ebpf and elastic/ebpfevents compiled probes, the problem was probably caused by the previous usage of the (old) FUNC_ARG_READ_PTREGS; tldr: this is good to go
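The three eventstrace lines above show the schema that consumers of this probe see: `file_info.mode` carries the st_mode digits in octal without a leading zero (100600 is S_IFREG|0600, 120777 is S_IFLNK|0777), `file_info.type` is a separate name, and `symlink_target_path` is empty for one of the two SYMLINK deletes. The following is an added example, not code from this PR or from elastic/ebpf, showing how a consumer can parse these lines, decode the mode, cross-check it against `type`, and surface the fields a detection pipeline would key on. The sample input is the PR's own three lines, embedded inline; the output field names (`perms`, `mode_consistent`, `symlink_target_missing`, and so on) are this example's own choices.

```python
import json
import stat

# Constructed sample input: the three eventstrace lines quoted in the PR description.
SAMPLE_EVENTS = r'''
{"event_type":"FILE_CREATE","pids":{"tid":3874,"tgid":3813,"ppid":2956,"pgid":2956,"sid":2956,"start_time_ns":50065645985},"mount_namespace":4026531841,"comm":"Cache2 I/O","file_info":{"type":"FILE","inode":48667076,"mode":100600,"size":0,"uid":1000,"gid":1000,"mtime":493949622,"ctime":493949622},"path":"/home/matt/.cache/mozilla/firefox/lpqgi4lp.default-release/cache2/entries/080AE6076F29C7973BFF7A893740046655644EBE","symlink_target_path":""}
{"event_type":"FILE_DELETE","pids":{"tid":777527,"tgid":777527,"ppid":13733,"pgid":777527,"sid":777527,"start_time_ns":181390102798979},"mount_namespace":4026531841,"comm":"zsh","file_info":{"type":"SYMLINK","inode":48667077,"mode":120777,"size":23,"uid":1000,"gid":1000,"mtime":773993000,"ctime":774993006},"path":"/home/matt/.zsh_history.LOCK","symlink_target_path":""}
{"event_type":"FILE_DELETE","pids":{"tid":979918,"tgid":979918,"ppid":777527,"pgid":979918,"sid":777527,"start_time_ns":231767498246356},"mount_namespace":4026531841,"comm":"rm","file_info":{"type":"SYMLINK","inode":6706,"mode":120777,"size":11,"uid":1000,"gid":1000,"mtime":241817035,"ctime":776993018},"path":"/tmp/ciao124","symlink_target_path":"/tmp/ciao123"}
'''

# Type names observed in the PR output, mapped to the S_IFMT predicate they should match.
# Any other type name is left unchecked rather than guessed at.
KNOWN_TYPES = {
    "FILE": stat.S_ISREG,
    "SYMLINK": stat.S_ISLNK,
}


def parse_mode(mode_field):
    """Reinterpret the printed digits as octal: eventstrace emits st_mode as
    octal digits without a leading 0, so 100600 really means 0o100600."""
    return int(str(mode_field), 8)


def check_event(event):
    """Decode one event dict into the fields a detection consumer would key on."""
    fi = event["file_info"]
    mode = parse_mode(fi["mode"])
    file_type = fi["type"]

    # Does the S_IFMT part of the mode agree with the separately reported type?
    predicate = KNOWN_TYPES.get(file_type)
    mode_consistent = predicate(mode) if predicate else None

    perms = stat.S_IMODE(mode)
    return {
        "event_type": event["event_type"],
        "comm": event["comm"],
        "tgid": event["pids"]["tgid"],
        "path": event["path"],
        "file_type": file_type,
        "perms": f"{perms:04o}",
        "mode_consistent": mode_consistent,
        "world_writable": bool(perms & stat.S_IWOTH),
        "setuid_or_setgid": bool(mode & (stat.S_ISUID | stat.S_ISGID)),
        # The second sample line shows a SYMLINK delete with an empty target path,
        # so consumers must not assume the target is always populated.
        "symlink_target_missing": file_type == "SYMLINK" and not event["symlink_target_path"],
        "symlink_target_path": event["symlink_target_path"],
    }


def analyze(text):
    """Parse newline-delimited eventstrace JSON and return one decoded record per event."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append(check_event(json.loads(line)))
    return records


if __name__ == "__main__":
    for rec in analyze(SAMPLE_EVENTS):
        flags = [k for k in ("world_writable", "setuid_or_setgid", "symlink_target_missing") if rec[k]]
        print(f'{rec["event_type"]:12} {rec["comm"]:10} {rec["file_type"]:8} '
              f'{rec["perms"]} consistent={rec["mode_consistent"]} {rec["path"]} {flags}')
```

Decoding the mode field in base 8 is the step most likely to be gotten wrong downstream; treating 100600 as a decimal integer yields nonsense permission bits. The consistency check is cheap insurance that the probe's `type` and `mode` were read from the same inode.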

mmat11 requested a review from a team as a code owner, October 24, 2023 10:46
mmat11 force-pushed the matt/inode branch 2 times, most recently from e016d09 to 6d36362, October 24, 2023 11:35
nicholasberlin (Contributor) left a comment

Still going through this ...

Review comments (all resolved) on GPL/Events/File/File.h and GPL/Events/File/Probe.bpf.c
nicholasberlin (Contributor) left a comment

Ok, full pass done.

nicholasberlin (Contributor) left a comment

LGTM

stanek-michal (Contributor) left a comment

LGTM

mmat11 merged commit 1e2cf70 into main Oct 27, 2023
27 of 28 checks passed
mmat11 deleted the matt/inode branch October 27, 2023 15:11
3 participants