Pass vfsmount to d_path_local to resolve dentry path

Signed-off-by: David Windsor <[email protected]>
cilium · Jun 27, 2024 · 23e0383 · 23e0383
1 parent 0b220ba
commit 23e0383
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 14 deletions.
diff --git a/bpf/process/bpf_process_event.h b/bpf/process/bpf_process_event.h
@@ -8,6 +8,7 @@
 
 #include "bpf_cgroup.h"
 #include "bpf_cred.h"
+#include "bpf_tracing.h"
 
 #define ENAMETOOLONG 36 /* File name too long */
 
@@ -363,6 +364,43 @@ d_path_local(const struct path *path, int *buflen, int *error)
 	return buffer;
 }
 
+FUNC_INLINE char * path_from_dentry(struct dentry *dentry, char *buf, int *buflen)
+{
+        struct task_struct *task;
+        struct fs_struct *fs;
+
+        task = (struct task_struct *)get_current_task();
+        probe_read(&fs, sizeof(fs), _(&task->fs));
+
+        if (d_unlinked(dentry)) {
+                int error = prepend(&buf, buflen, " (deleted)", 10);
+                if (error) // will never happen as prepend will never return a value != 0
+                        return NULL;
+        }
+
+	// Construct struct path element with cur->nsproxy->mnt_ns->root
+	struct nsproxy *ns;
+	probe_read(&ns, sizeof(ns), _(&task->nsproxy));
+	struct mnt_namespace *mnt_ns;
+	probe_read(&mnt_ns, sizeof(mnt_ns), _(&ns->mnt_ns));
+	struct vfsmount *root;
+	probe_read(&root, sizeof(root), _(&mnt_ns->root));
+	struct path target = {
+		.mnt = root,
+		.dentry = dentry
+	};
+
+	int flags;
+	buf = d_path_local(&target, buflen, &flags);
+	if (!buf) {
+                bpf_printk("pathbuf is NULL");
+                return NULL;
+        }
+	bpf_printk("buf=%s, buflen=%d", buf, buflen);
+
+	return buf;
+}
+
 FUNC_INLINE __u32
 getcwd(struct msg_process *curr, __u32 offset, __u32 proc_pid)
 {

diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -2487,14 +2487,11 @@ read_call_arg(void *ctx, struct msg_generic_kprobe *e, int index, int type,
 	} break;
 	case dentry_type: {
 		struct dentry *dentry = (struct dentry *)arg;
-		struct qstr d_name;
-
-		arg = (unsigned long)_(&dentry->d_name);
-		probe_read(&d_name, sizeof(d_name), (const void *)arg);
-		probe_read(&arg, sizeof(arg), &d_name.name);
-
-		size = copy_strings(args, (char *)arg, MAX_STRING);
-	} break;
+		char pathbuf[MAX_STRING];
+		int len = MAX_STRING;
+		char *path = path_from_dentry(dentry, pathbuf, &len);
+		size = copy_strings(args, path, MAX_STRING);
+	}; break;
 #endif
 	case filename_ty: {
 		struct filename *file;

diff --git a/examples/tracingpolicy/security_inode_follow_link.yaml b/examples/tracingpolicy/security_inode_follow_link.yaml
@@ -12,9 +12,3 @@ spec:
     returnArg:
       index: 0
       type: "int"
-    selectors:
-    - matchArgs:
-      - index: 0
-        operator: "Equal"
-        values:
-        - "/tmp/softlink"