From f8b0fc64816742f762a49cec697780890140db1c Mon Sep 17 00:00:00 2001 From: Christiano Haesbaert Date: Thu, 31 Oct 2024 20:42:14 +0100 Subject: [PATCH] Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8. (#210) Found in quark-test when running on RHEL8: Linux rocky8 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Wed Sep 25 09:20:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Related commit in quark: https://github.com/elastic/quark/commit/89e606b5e37bf1a5aa2a0130c062ed1562e3c2b6 New kernels have a PIDTYPE_TGID after PIDTYPE_PID, which bumpes PIDTYPE_PGID and PIDTYPE_SID: https://elixir.bootlin.com/linux/v6.11/source/include/linux/pid_types.h#L8 4.18 (RHEL8) which we can actually run on since redhat backported ebpf ringbuffers still has the old definition: https://elixir.bootlin.com/linux/v4.18/source/include/linux/pid.h With this diff `quark-test` passes on asserting pgid and sid correspond to the return of getpgid(2) and getsid(2) on 4.18.0-553.22.1.el8_10.x86_64: https://github.com/elastic/quark/blob/main/quark-test.c#L273-L274
---
 GPL/Events/Helpers.h | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
index 3844f06e..f9277f14 100644
--- a/GPL/Events/Helpers.h
+++ b/GPL/Events/Helpers.h
@@ -230,11 +230,21 @@ static void ebpf_ctty__fill(struct ebpf_tty_dev *ctty, const struct task_struct
 static void ebpf_pid_info__fill(struct ebpf_pid_info *pi, const struct task_struct *task)
 {
- pi->tid = BPF_CORE_READ(task, pid);
- pi->tgid = BPF_CORE_READ(task, tgid);
- pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
- pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_PGID], numbers[0].nr);
- pi->sid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_SID], numbers[0].nr);
+ int e_pgid, e_sid;
+
+ if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_PGID))
+ e_pgid = bpf_core_enum_value(enum pid_type, PIDTYPE_PGID);
+ else
+ e_pgid = PIDTYPE_PGID;
+ if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_SID))
+ e_sid = bpf_core_enum_value(enum pid_type, PIDTYPE_SID);
+ else
+ e_sid = PIDTYPE_SID;
+ pi->tid = BPF_CORE_READ(task, pid);
+ pi->tgid = BPF_CORE_READ(task, tgid);
+ pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
+ pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[e_pgid], numbers[0].nr);
+ pi->sid = BPF_CORE_READ(task, group_leader, signal, pids[e_sid], numbers[0].nr);
 pi->start_time_ns = BPF_CORE_READ(task, group_leader, start_time);
 }
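Review bot: The BTF lookup of PIDTYPE_PGID and PIDTYPE_SID carries no comment explaining why the compile-time values from vmlinux.h cannot be used directly, so a reader of Helpers.h has to dig up this commit to learn that newer kernels insert PIDTYPE_TGID after PIDTYPE_PID and shift the two values, while 4.18 (RHEL8) keeps the old numbering. Suggest a comment above `int e_pgid, e_sid;` such as `/* PIDTYPE_PGID/PIDTYPE_SID differ between kernels (PIDTYPE_TGID was inserted after PIDTYPE_PID), so resolve them from the running kernel's BTF. */`. The two `else` branches silently fall back to the vmlinux.h values when the enum value is absent from BTF; that is presumably never hit on a kernel where the CO-RE reads below can load at all, but a one-line comment like `/* no BTF for pid_type: assume the vmlinux.h layout */` would make the best-effort nature explicit, since a mismatch there yields a wrong pgid/sid rather than a load error. The two if/else blocks are identical except for the constant and could share a small helper or macro, though that is purely stylistic.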