tetragon: Add vmlinux.h file

Adding vmlinux.h file that includes the vmlinux_generated.h and adds our local tetragon structures. Signed-off-by: Jiri Olsa <[email protected]>
cilium · Jan 16, 2025 · d5f1f4f · d5f1f4f
1 parent 77f4a1d
commit d5f1f4f
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 2 deletions.
diff --git a/bpf/include/vmlinux.h b/bpf/include/vmlinux.h
@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
+#ifndef __VMLINUX_H__
+#define __VMLINUX_H__
+
+#if defined(__TARGET_ARCH_x86)
+#include "vmlinux_generated_x86.h"
+#elif defined(__TARGET_ARCH_arm64)
+#include "vmlinux_generated_arm64.h"
+#endif
+
+/*
+ * Local definitions that we use in tetragon and are no longer part
+ * of vmlinux_generated.h.
+ */
+
+struct pid_link {
+	struct hlist_node node;
+	struct pid *pid;
+};
+
+struct audit_task_info {
+	kuid_t loginuid;
+};
+
+struct task_struct___local {
+	struct pid_link pids[PIDTYPE_MAX]; // old school pid refs
+	struct pid *thread_pid;
+	struct audit_task_info *audit; // Added audit_task for older kernels
+	kuid_t loginuid;
+};
+
+/* Represent old kernfs node present in 5.4 kernels and older */
+union kernfs_node_id {
+	struct {
+		/*
+		 * blktrace will export this struct as a simplified 'struct
+		 * fid' (which is a big data struction), so userspace can use
+		 * it to find kernfs node. The layout must match the first two
+		 * fields of 'struct fid' exactly.
+		 */
+		u32 ino;
+		u32 generation;
+	};
+	u64 id;
+};
+
+#endif /* __VMLINUX_H__ */
diff --git a/bpf/lib/bpf_task.h b/bpf/lib/bpf_task.h
@@ -7,6 +7,7 @@
 #include "bpf_event.h"
 #include "bpf_helpers.h"
 #include "generic.h"
+#include "vmlinux.h"
 
 /* __d_path_local flags */
 // #define UNRESOLVED_MOUNT_POINTS	   0x01 // (deprecated)
@@ -57,8 +58,9 @@ FUNC_INLINE struct task_struct *get_task_from_pid(__u32 pid)
 	return task;
 }
 
-FUNC_INLINE __u32 get_task_pid_vnr_by_task(struct task_struct *task)
+FUNC_INLINE __u32 get_task_pid_vnr_by_task(struct task_struct *t)
 {
+	struct task_struct___local *task = (struct task_struct___local *)t;
 	int thread_pid_exists;
 	unsigned int level;
 	struct upid upid;

diff --git a/bpf/process/bpf_process_event.h b/bpf/process/bpf_process_event.h
@@ -30,8 +30,10 @@ struct {
 	__type(value, struct buffer_heap_map_value);
 } buffer_heap_map SEC(".maps");
 
-FUNC_INLINE __u64 __get_auid(struct task_struct *task)
+FUNC_INLINE __u64 __get_auid(struct task_struct *t)
 {
+	struct task_struct___local *task = (struct task_struct___local *)t;
+
 	// u64 to convince compiler to do 64bit loads early kernels do not
 	// support 32bit loads from stack, e.g. r1 = *(u32 *)(r10 -8).
 	__u64 auid = 0;