[CWS] fix COS offsets (#11077)

* [CWS] fix COS offset `pid_numbers_offset` * [CWS] add offset for `d_sb` in `struct dentry`
DataDog · Feb 25, 2022 · 0a769e1 · 0a769e1
1 parent 903d312
commit 0a769e1
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/pkg/security/ebpf/c/dentry.h b/pkg/security/ebpf/c/dentry.h
@@ -89,9 +89,12 @@ struct dentry * __attribute__((always_inline)) get_vfsmount_dentry(struct vfsmou
     return dentry;
 }
 
-struct super_block * __attribute__((always_inline)) get_dentry_sb(struct dentry *dentry) {
+struct super_block *__attribute__((always_inline)) get_dentry_sb(struct dentry *dentry) {
+    u64 offset;
+    LOAD_CONSTANT("dentry_sb_offset", offset);
+
     struct super_block *sb;
-    bpf_probe_read(&sb, sizeof(sb), &dentry->d_sb);
+    bpf_probe_read(&sb, sizeof(sb), (char *)dentry + offset);
     return sb;
 }
 

diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
@@ -66,6 +66,8 @@ func (f *FallbackConstantFetcher) appendRequest(id string) {
 		value = getPIDNumbersOffset(f.kernelVersion)
 	case "sizeof_upid":
 		value = getSizeOfUpid(f.kernelVersion)
+	case "dentry_sb_offset":
+		value = getDentrySuperBlockOffset(f.kernelVersion)
 	}
 	f.res[id] = value
 }
@@ -354,6 +356,12 @@ func getPIDNumbersOffset(kv *kernel.Version) uint64 {
 		pidNumbersOffset = 48
 	case kv.IsSLES15Kernel():
 		pidNumbersOffset = 80
+	case kv.IsCOSKernel() && kv.IsInRangeCloseOpen(kernel.Kernel4_19, kernel.Kernel4_20):
+		pidNumbersOffset = 56
+	case kv.IsCOSKernel() && kv.IsInRangeCloseOpen(kernel.Kernel5_4, kernel.Kernel5_5):
+		pidNumbersOffset = 96
+	case kv.IsCOSKernel() && kv.IsInRangeCloseOpen(kernel.Kernel5_10, kernel.Kernel5_11):
+		pidNumbersOffset = 128
 
 	case kv.IsInRangeCloseOpen(kernel.Kernel4_15, kernel.Kernel5_3):
 		pidNumbersOffset = 48
@@ -380,3 +388,14 @@ func getSizeOfUpid(kv *kernel.Version) uint64 {
 	}
 	return sizeOfUpid
 }
+
+func getDentrySuperBlockOffset(kv *kernel.Version) uint64 {
+	offset := uint64(104)
+
+	switch {
+	case kv.IsCOSKernel():
+		offset = 128
+	}
+
+	return offset
+}
diff --git a/pkg/security/probe/probe.go b/pkg/security/probe/probe.go
@@ -1088,6 +1088,7 @@ func GetOffsetConstants(config *config.Config, probe *Probe) (map[string]uint64,
 func GetOffsetConstantsFromFetcher(constantFetcher constantfetch.ConstantFetcher, probe *Probe) (map[string]uint64, error) {
 	constantFetcher.AppendSizeofRequest("sizeof_inode", "struct inode", "linux/fs.h")
 	constantFetcher.AppendOffsetofRequest("sb_magic_offset", "struct super_block", "s_magic", "linux/fs.h")
+	constantFetcher.AppendOffsetofRequest("dentry_sb_offset", "struct dentry", "d_sb", "linux/dcache.h")
 	constantFetcher.AppendOffsetofRequest("tty_offset", "struct signal_struct", "tty", "linux/sched/signal.h")
 	constantFetcher.AppendOffsetofRequest("tty_name_offset", "struct tty_struct", "name", "linux/tty.h")
 	constantFetcher.AppendOffsetofRequest("creds_uid_offset", "struct cred", "uid", "linux/cred.h")
@@ -1108,5 +1109,6 @@ func GetOffsetConstantsFromFetcher(constantFetcher constantfetch.ConstantFetcher
 	constantFetcher.AppendOffsetofRequest("pid_level_offset", "struct pid", "level", "linux/pid.h")
 	constantFetcher.AppendOffsetofRequest("pid_numbers_offset", "struct pid", "numbers", "linux/pid.h")
 	constantFetcher.AppendSizeofRequest("sizeof_upid", "struct upid", "linux/pid.h")
+
 	return constantFetcher.FinishAndGetResults()
 }