fix(driver): fixed build against linux v6.7-rc5.

Signed-off-by: Federico Di Pierro <[email protected]>
falcosecurity · Dec 18, 2023 · bf0afa0 · bf0afa0
1 parent f899909
commit bf0afa0
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 3 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -2877,7 +2877,11 @@ FILLER(execve_extra_tail_1, true)
 	CHECK_RES(res);
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+	time = _READ(inode->__i_mtime);
+#else
 	time = _READ(inode->i_mtime);
+#endif
 	res = bpf_push_u64_to_ring(data, bpf_epoch_ns_from_time(time));
 	CHECK_RES(res);
 
@@ -6745,7 +6749,11 @@ FILLER(sched_prog_exec_4, false)
 	CHECK_RES(res);
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+	time = _READ(inode->__i_mtime);
+#else
 	time = _READ(inode->i_mtime);
+#endif
 	res = bpf_push_u64_to_ring(data, bpf_epoch_ns_from_time(time));
 	CHECK_RES(res);
 

diff --git a/driver/modern_bpf/definitions/struct_flavors.h b/driver/modern_bpf/definitions/struct_flavors.h
@@ -48,6 +48,10 @@ struct inode___v6_6 {
 	struct timespec64 __i_ctime;
 };
 
+struct inode___v6_7 {
+	struct timespec64 __i_mtime;
+};
+
 struct ovl_entry___before_v6_5
 {
 	long unsigned int flags;

diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
@@ -226,7 +226,15 @@ int BPF_PROG(t1_sched_p_exec,
 	auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
-	BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+	if(bpf_core_field_exists(exe_inode->i_mtime))
+	{
+		BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+	}
+	else
+	{
+		struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+		BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+	}
 	auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 
 	/* Parameter 27: euid (type: PT_UID) */

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
@@ -290,7 +290,15 @@ int BPF_PROG(t1_execve_x,
 	auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
-	BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+	if(bpf_core_field_exists(exe_inode->i_mtime))
+	{
+		BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+	}
+	else
+	{
+		struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+		BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+	}
 	auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 
 	/* Parameter 27: euid (type: PT_UID) */

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
@@ -306,7 +306,15 @@ int BPF_PROG(t1_execveat_x,
 	auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 
 	/* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
-	BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+	if(bpf_core_field_exists(exe_inode->i_mtime))
+	{
+		BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+	}
+	else
+	{
+		struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+		BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+	}
 	auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 
 	/* Parameter 27: euid (type: PT_UID) */

diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -523,6 +523,12 @@ struct file *ppm_get_mm_exe_file(struct mm_struct *mm)
 	if (exe_file && !get_file_rcu(exe_file))
 		exe_file = NULL;
 	rcu_read_unlock();
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+	// Since linux 6.7.0, `get_file_rcu` is no more a define and takes a double pointer parameter.
+	// See https://github.com/torvalds/linux/commit/0ede61d8589cc2d93aa78230d74ac58b5b8d0244.
+	rcu_read_lock();
+	exe_file = get_file_rcu(&mm->exe_file);
+	rcu_read_unlock();
 #else
 	/* We need mmap_sem to protect against races with removal of
 	 * VM_EXECUTABLE vmas */
@@ -1421,7 +1427,15 @@ int f_proc_startupdate(struct event_filler_arguments *args)
 				 * During kernel versions `i_mtime` changed from `struct timespec` to `struct timespec64`
 				 * but fields names should be always the same.
 				 */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+				{
+					struct timespec64 inode_mtime;
+					inode_mtime = inode_get_mtime(file_inode(exe_file));
+					mtime = inode_mtime.tv_sec * (uint64_t)1000000000 + inode_mtime.tv_nsec;
+				}
+#else
 				mtime = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
+#endif
 			}
 #endif
 			/* Before freeing the exefile we catch the resolved path for symlink resolution */
@@ -7439,7 +7453,15 @@ int f_sched_prog_exec(struct event_filler_arguments *args)
 			 * During kernel versions `i_mtime` changed from `struct timespec` to `struct timespec64`
 			 * but fields names should be always the same.
 			 */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+			{
+				struct timespec64 inode_mtime;
+				inode_mtime = inode_get_mtime(file_inode(exe_file));
+				mtime = inode_mtime.tv_sec * (uint64_t)1000000000 + inode_mtime.tv_nsec;
+			}
+#else
 			mtime = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
+#endif
 		}
 		/* Before free the exefile we catch the resolved path for symlink resolution */
 		trusted_exepath = d_path(&exe_file->f_path, buf, PAGE_SIZE);