Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8. (#210)
Found in quark-test when running on RHEL8:
Linux rocky8 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Wed Sep 25 09:20:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Related commit in quark: elastic/quark@89e606b

New kernels have a PIDTYPE_TGID after PIDTYPE_PID, which bumps PIDTYPE_PGID and PIDTYPE_SID:
https://elixir.bootlin.com/linux/v6.11/source/include/linux/pid_types.h#L8

4.18 (RHEL8) which we can actually run on since redhat backported ebpf
ringbuffers still has the old definition:
https://elixir.bootlin.com/linux/v4.18/source/include/linux/pid.h

With this diff `quark-test` passes on asserting pgid and sid correspond to the
return of getpgid(2) and getsid(2) on 4.18.0-553.22.1.el8_10.x86_64:

https://github.com/elastic/quark/blob/main/quark-test.c#L273-L274
haesbaert authored Oct 31, 2024
1 parent cd3d8ea commit f8b0fc6
Showing 1 changed file with 15 additions and 5 deletions.
20 changes: 15 additions & 5 deletions GPL/Events/Helpers.h
Expand Up @@ -230,11 +230,21 @@ static void ebpf_ctty__fill(struct ebpf_tty_dev *ctty, const struct task_struct

static void ebpf_pid_info__fill(struct ebpf_pid_info *pi, const struct task_struct *task)
{
pi->tid = BPF_CORE_READ(task, pid);
pi->tgid = BPF_CORE_READ(task, tgid);
pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_PGID], numbers[0].nr);
pi->sid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_SID], numbers[0].nr);
int e_pgid, e_sid;

if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_PGID))
e_pgid = bpf_core_enum_value(enum pid_type, PIDTYPE_PGID);
else
e_pgid = PIDTYPE_PGID;
if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_SID))
e_sid = bpf_core_enum_value(enum pid_type, PIDTYPE_SID);
else
e_sid = PIDTYPE_SID;
pi->tid = BPF_CORE_READ(task, pid);
pi->tgid = BPF_CORE_READ(task, tgid);
pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[e_pgid], numbers[0].nr);
pi->sid = BPF_CORE_READ(task, group_leader, signal, pids[e_sid], numbers[0].nr);
pi->start_time_ns = BPF_CORE_READ(task, group_leader, start_time);
}

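Review bot: The `else` branches fall back to the build-time `PIDTYPE_PGID` / `PIDTYPE_SID` constants (whatever the vmlinux.h the probe was compiled against defines), so on a target whose BTF does not carry `enum pid_type` the original index mismatch comes back silently with no diagnostic; a short comment above `int e_pgid, e_sid;` explaining that newer kernels insert `PIDTYPE_TGID` after `PIDTYPE_PID` (shifting PGID and SID by one) and that the fallback assumes the build kernel's layout would make the intent clear to the next reader. The two identical exists/value blocks could also be collapsed into one small helper macro so a future `pid_type` lookup cannot drift from these two.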
