
Commit dd6a67b

Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8.

Found in quark-test when running on RHEL8: Linux rocky8 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Wed Sep 25 09:20:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Related commit in quark: elastic/quark@89e606b

New kernels have a PIDTYPE_TGID after PIDTYPE_PID, which bumps PIDTYPE_PGID and PIDTYPE_SID: https://elixir.bootlin.com/linux/v6.11/source/include/linux/pid_types.h#L8

4.18 (RHEL9), which we can actually run on since redhat backported ebpf ringbuffers, still has the old definition: https://elixir.bootlin.com/linux/v4.18/source/include/linux/pid.h

With this diff `quark-test` passes on asserting pgid and sid correspond to the return of getpgid(2) and getsid(2) on 4.18.0-553.22.1.el8_10.x86_64: https://github.com/elastic/quark/blob/main/quark-test.c#L273-L274

Please the lint gods
1 parent cd3d8ea commit dd6a67b


1 file changed

+15
-5
lines changed


GPL/Events/Helpers.h

Lines changed: 15 additions & 5 deletions
@@ -230,11 +230,21 @@ static void ebpf_ctty__fill(struct ebpf_tty_dev *ctty, const struct task_struct
230230

231231
static void ebpf_pid_info__fill(struct ebpf_pid_info *pi, const struct task_struct *task)
232232
{
233-
pi->tid = BPF_CORE_READ(task, pid);
234-
pi->tgid = BPF_CORE_READ(task, tgid);
235-
pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
236-
pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_PGID], numbers[0].nr);
237-
pi->sid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_SID], numbers[0].nr);
233+
int e_pgid, e_sid;
234+
235+
if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_PGID))
236+
e_pgid = bpf_core_enum_value(enum pid_type, PIDTYPE_PGID);
237+
else
238+
e_pgid = PIDTYPE_PGID;
239+
if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_SID))
240+
e_sid = bpf_core_enum_value(enum pid_type, PIDTYPE_SID);
241+
else
242+
e_sid = PIDTYPE_SID;
243+
pi->tid = BPF_CORE_READ(task, pid);
244+
pi->tgid = BPF_CORE_READ(task, tgid);
245+
pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
246+
pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[e_pgid], numbers[0].nr);
247+
pi->sid = BPF_CORE_READ(task, group_leader, signal, pids[e_sid], numbers[0].nr);
238248
pi->start_time_ns = BPF_CORE_READ(task, group_leader, start_time);
239249
}
240250
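Review bot: the fallback branches `e_pgid = PIDTYPE_PGID;` and `e_sid = PIDTYPE_SID;` silently reuse the compile-time constants from the vmlinux.h the object was built against, which is the same index that was wrong on the RHEL8 4.18 kernel, so on a kernel whose BTF does not carry `enum pid_type` the `pids[e_pgid]` / `pids[e_sid]` reads can still hit the wrong slot. A short comment above `int e_pgid, e_sid;` stating that the fallback is best effort and why the PIDTYPE_TGID insertion shifts PGID/SID would save the next reader a trip to the commit log, and the two identical exists/value pairs could be folded into one small helper macro to keep `ebpf_pid_info__fill` readable.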

0 commit comments
