From 18f0501a5fc7b36611f3b573174154cd23f7b833 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Wed, 2 Oct 2024 08:05:17 +0200
Subject: [PATCH] cleanup(drivers): use helper methods
Signed-off-by: Andrea Terzolo
Co-authored-by: Federico Di Pierro
---
 driver/bpf/configure/TASK_PIDS_FIELD/test.c | 3 --
 driver/bpf/filler_helpers.h | 27 +++++++++++
 driver/bpf/fillers.h | 46 +------------------
 .../helpers/store/auxmap_store_params.h | 9 ++++
 .../attached/events/sched_process_exec.bpf.c | 6 +--
 .../syscall_dispatched_events/execve.bpf.c | 6 +--
 .../syscall_dispatched_events/execveat.bpf.c | 6 +--
 driver/ppm_fillers.c | 31 ++++++-------
 8 files changed, 55 insertions(+), 79 deletions(-)
diff --git a/driver/bpf/configure/TASK_PIDS_FIELD/test.c b/driver/bpf/configure/TASK_PIDS_FIELD/test.c
index 1ccd8cd823..e58fa6b1aa 100644
--- a/driver/bpf/configure/TASK_PIDS_FIELD/test.c
+++ b/driver/bpf/configure/TASK_PIDS_FIELD/test.c
@@ -18,9 +18,6 @@ or GPL2.txt for full copies of the license.
 #include "../../ppm_events_public.h"
 #include "../../types.h"
-// struct task_struct declaration
-#include
-
 BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
 struct task_struct *task = (struct task_struct *)0;
 if(task->pids) {
diff --git a/driver/bpf/filler_helpers.h b/driver/bpf/filler_helpers.h
index b12524dfd0..bd29fac975 100644
--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
@@ -943,6 +943,33 @@ static __always_inline long bpf_fd_to_socktuple(struct filler_data *data,
 return size;
 }
+static __always_inline pid_t bpf_push_pgid(struct filler_data *data, struct task_struct *task) {
+ pid_t pgid = 0;
+ // this is like calling in the kernel:
+ //
+ // struct pid *grp = task_pgrp(current);
+ // int pgrp = pid_nr(grp);
+#ifdef HAS_TASK_PIDS_FIELD
+ struct task_struct *leader = (struct task_struct *)_READ(task->group_leader);
+ if(leader) {
+ struct pid_link link = _READ(leader->pids[PIDTYPE_PGID]);
+ struct pid *pid_struct = link.pid;
+ if(pid_struct) {
+ pgid = _READ(pid_struct->numbers[0].nr);
+ }
+ }
+#else
+ struct signal_struct *signal = (struct signal_struct *)_READ(task->signal);
+ if(signal) {
+ struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]);
+ if(pid_struct) {
+ pgid = _READ(pid_struct->numbers[0].nr);
+ }
+ }
+#endif
+ return bpf_push_s64_to_ring(data, (int64_t)pgid);
+}
+
 static __always_inline int __bpf_read_val_into(struct filler_data *data,
 unsigned long curoff_bounded,
 unsigned long val,
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index cd759d706a..09234aeedc 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
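Review bot: `bpf_push_pgid` in driver/bpf/filler_helpers.h is declared as returning `pid_t`, but what it returns is the result of `bpf_push_s64_to_ring`, presumably the push status that both callers in fillers.h hand straight back from their filler, not a process-group id. Declaring it `static __always_inline int bpf_push_pgid(struct filler_data *data, struct task_struct *task)` would match what is returned and keep a reader from treating the result as a pgid. A one-line comment that `numbers[0].nr` is the id at namespace level 0 (the host view) and that a NULL `leader`, `signal` or `pid_struct` leaves `pgid` at 0 would also help consumers of the event interpret the field.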
@@ -2821,30 +2821,7 @@ FILLER(execve_extra_tail_2, true) {
 CHECK_RES(res);
 /* Parameter 29: pgid (type: PT_UID) */
- pid_t pgid = 0;
- // this is like calling in the kernel:
- //
- // struct pid *grp = task_pgrp(current);
- // int pgrp = pid_nr(grp);
-#ifdef HAS_TASK_PIDS_FIELD
- struct task_struct *leader = (struct task_struct *)_READ(task->group_leader);
- if(leader) {
- struct pid_link link = _READ(leader->pids[PIDTYPE_PGID]);
- struct pid *pid_struct = link.pid;
- if(pid_struct) {
- pgid = _READ(pid_struct->numbers[0].nr);
- }
- }
-#else
- struct signal_struct *signal = (struct signal_struct *)_READ(task->signal);
- if(signal) {
- struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]);
- if(pid_struct) {
- pgid = _READ(pid_struct->numbers[0].nr);
- }
- }
-#endif
- return bpf_push_s64_to_ring(data, (int64_t)pgid);
+ return bpf_push_pgid(data, task);
 }
 FILLER(sys_accept4_e, true) {
@@ -6623,26 +6600,7 @@ FILLER(sched_prog_exec_5, false) {
 CHECK_RES(res);
 /* Parameter 29: pgid (type: PT_UID) */
- pid_t pgid = 0;
-#ifdef HAS_TASK_PIDS_FIELD
- struct task_struct *leader = (struct task_struct *)_READ(task->group_leader);
- if(leader) {
- struct pid_link link = _READ(leader->pids[PIDTYPE_PGID]);
- struct pid *pid_struct = link.pid;
- if(pid_struct) {
- pgid = _READ(pid_struct->numbers[0].nr);
- }
- }
-#else
- struct signal_struct *signal = (struct signal_struct *)_READ(task->signal);
- if(signal) {
- struct pid *pid_struct = _READ(signal->pids[PIDTYPE_PGID]);
- if(pid_struct) {
- pgid = _READ(pid_struct->numbers[0].nr);
- }
- }
-#endif
- return bpf_push_s64_to_ring(data, (int64_t)pgid);
+ return bpf_push_pgid(data, task);
 }
 #endif
diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h
index 5887b63d04..1cfde59ad7 100644
--- a/driver/modern_bpf/helpers/store/auxmap_store_params.h
+++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h
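Review bot: The comment kept above both new call sites in driver/bpf/fillers.h, `/* Parameter 29: pgid (type: PT_UID) */`, does not match what the helper does: `bpf_push_pgid` pushes the value with `bpf_push_s64_to_ring` as a signed 64-bit pid, which looks like a pid-typed parameter rather than a UID. If the event table declares pgid as PT_PID, the comment should read `/* Parameter 29: pgid (type: PT_PID) */` in `execve_extra_tail_2` and `sched_prog_exec_5`; the same comment text appears at the modern_bpf and kmod call sites touched by this patch. Both fillers start outside the hunks shown, so the check against the event table has to be done in the full file.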
@@ -1815,3 +1815,12 @@ static __always_inline void auxmap__store_d_path_approx(struct auxiliary_map *au
 MAX_COMPONENT_LEN,
 KERNEL);
 }
+
+static __always_inline void auxmap__store_pgid(struct auxiliary_map *auxmap,
+ struct task_struct *task) {
+ pid_t pgid = 0;
+ struct pid *pid_struct = NULL;
+ READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
+ BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
+ auxmap__store_s64_param(auxmap, (int64_t)pgid);
+}
diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
index 98573fb070..3fbec7532f 100644
--- a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
@@ -258,11 +258,7 @@ int BPF_PROG(t2_sched_p_exec, struct pt_regs *regs, long ret) {
 }
 /* Parameter 29: pgid (type: PT_UID) */
- pid_t pgid = 0;
- struct pid *pid_struct = NULL;
- READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
- BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
- auxmap__store_s64_param(auxmap, (int64_t)pgid);
+ auxmap__store_pgid(auxmap, task);
 /*=============================== COLLECT PARAMETERS ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
index 1a7937962f..693118b395 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
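Review bot: `auxmap__store_pgid` in auxmap_store_params.h has no comment and no visible handling of a failed read: if `READ_TASK_FIELD_INTO` leaves `pid_struct` NULL, `BPF_CORE_READ_INTO` is still issued and the event presumably carries `pgid` 0, which a consumer cannot tell apart from a value that was actually read. The legacy helper `bpf_push_pgid` added by this same patch checks the pointer before reading, so the two probes now differ in style for the same field. I would at least document it, e.g. `/* Stores the pgid taken from numbers[0] (namespace level 0); 0 means the pid struct could not be read. */`, and consider an explicit `if(pid_struct)` guard around the second read for symmetry with the legacy probe.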
@@ -308,11 +308,7 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
 }
 /* Parameter 29: pgid (type: PT_UID) */
- pid_t pgid = 0;
- struct pid *pid_struct = NULL;
- READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
- BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
- auxmap__store_s64_param(auxmap, (int64_t)pgid);
+ auxmap__store_pgid(auxmap, task);
 /*=============================== COLLECT PARAMETERS ===========================*/
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
index c2f1dd4269..6776314bc7 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
@@ -320,11 +320,7 @@ int BPF_PROG(t2_execveat_x, struct pt_regs *regs, long ret) {
 }
 /* Parameter 29: pgid (type: PT_UID) */
- pid_t pgid = 0;
- struct pid *pid_struct = NULL;
- READ_TASK_FIELD_INTO(&pid_struct, task, signal, pids[PIDTYPE_PGID]);
- BPF_CORE_READ_INTO(&pgid, pid_struct, numbers[0].nr);
- auxmap__store_s64_param(auxmap, (int64_t)pgid);
+ auxmap__store_pgid(auxmap, task);
 /*=============================== COLLECT PARAMETERS ===========================*/
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index 2609dd2eca..f5950d5fb1 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -926,6 +926,18 @@ static enum ppm_overlay ppm_get_overlay_layer(struct file *file) {
 #endif // LINUX_VERSION_CODE < KERNEL_VERSION(3, 18, 0)
 }
+static inline int push_pgid(struct event_filler_arguments *args) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+ // task_pgrp_nr_ns has been introduced in 2.6.24
+ // https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458
+ return val_to_ring(args, task_pgrp_nr_ns(current, &init_pid_ns), 0, false, 0);
+#else
+ // https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543
+ // we don't have the concept of pid namespace in this kernel version
+ return val_to_ring(args, process_group(current), 0, false, 0);
+#endif
+}
+
 int f_proc_startupdate(struct event_filler_arguments *args) {
 unsigned long val = 0;
 int res = 0;
@@ -1549,15 +1561,7 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
 CHECK_RES(res);
 /* Parameter 29: pgid (type: PT_UID) */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
- // task_pgrp_nr_ns has been introduced in 2.6.24
- // https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458
- res = val_to_ring(args, task_pgrp_nr_ns(current, &init_pid_ns), 0, false, 0);
-#else
- // https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543
- // we don't have the concept of pid namespace in this kernel version
- res = val_to_ring(args, process_group(current), 0, false, 0);
-#endif
+ res = push_pgid(args);
 CHECK_RES(res);
 }
 return add_sentinel(args);
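Review bot: `push_pgid` in driver/ppm_fillers.c reads `current` implicitly and returns the `val_to_ring` result, but nothing on the helper states that contract, while the eBPF counterparts added in this patch take the task as an explicit argument. A short header comment would make it clear to the next caller, for example `/* Push the pgid of current as seen from init_pid_ns; returns the val_to_ring() result, to be checked with CHECK_RES. */`. The comment could also say that the pre-2.6.24 branch pushes the plain `process_group(current)` because that kernel has no pid namespaces, a remark the replaced block in `f_sched_prog_exec` did not carry.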
@@ -7445,14 +7449,7 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
 CHECK_RES(res);
 /* Parameter 29: pgid (type: PT_UID) */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
- // task_pgrp_nr_ns has been introduced in 2.6.24
- // https://elixir.bootlin.com/linux/v2.6.24/source/kernel/pid.c#L458
- res = val_to_ring(args, task_pgrp_nr_ns(current, &init_pid_ns), 0, false, 0);
-#else
- // https://elixir.bootlin.com/linux/v2.6.23/source/kernel/sys.c#L1543
- res = val_to_ring(args, process_group(current), 0, false, 0);
-#endif
+ res = push_pgid(args);
 CHECK_RES(res);
 return add_sentinel(args);