diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 25185298dc..aebee43ed5 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -2877,7 +2877,11 @@ FILLER(execve_extra_tail_1, true)
 CHECK_RES(res);
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ time = _READ(inode->__i_mtime);
+#else
 time = _READ(inode->i_mtime);
+#endif
 res = bpf_push_u64_to_ring(data, bpf_epoch_ns_from_time(time));
 CHECK_RES(res);
@@ -6745,7 +6749,11 @@ FILLER(sched_prog_exec_4, false)
 CHECK_RES(res);
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ time = _READ(inode->__i_mtime);
+#else
 time = _READ(inode->i_mtime);
+#endif
 res = bpf_push_u64_to_ring(data, bpf_epoch_ns_from_time(time));
 CHECK_RES(res);
diff --git a/driver/modern_bpf/definitions/struct_flavors.h b/driver/modern_bpf/definitions/struct_flavors.h
index 21b81deb3f..341a2b0597 100644
--- a/driver/modern_bpf/definitions/struct_flavors.h
+++ b/driver/modern_bpf/definitions/struct_flavors.h
@@ -48,6 +48,10 @@ struct inode___v6_6 {
 struct timespec64 __i_ctime;
 };
+struct inode___v6_7 {
+ struct timespec64 __i_mtime;
+};
+
 struct ovl_entry___before_v6_5 {
 long unsigned int flags;
diff --git a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
index 0e90989d79..87e1370e3d 100644
--- a/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
+++ b/driver/modern_bpf/programs/attached/events/sched_process_exec.bpf.c
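Review bot: The `#if` added in `FILLER(execve_extra_tail_1, true)` (driver/bpf/fillers.h), and the identical one in `FILLER(sched_prog_exec_4, false)`, has no comment saying why the probe reads the double-underscore field `__i_mtime` directly. The kernel-module hunks of this same commit go through `inode_get_mtime()` instead, so the difference looks accidental to a reader. I would add above the `#if` something like `/* Linux 6.7 renamed inode->i_mtime to __i_mtime; the probe reads the field via _READ, while the kmod uses inode_get_mtime(). */`. The gate is also keyed on `LINUX_VERSION_CODE` only, so a kernel that backports the rename would presumably fail to build the probe; that limitation is worth recording in the same comment. Both filler bodies start and end outside their hunks.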
@@ -226,7 +226,15 @@ int BPF_PROG(t1_sched_p_exec,
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
- BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ if(bpf_core_field_exists(exe_inode->i_mtime))
+ {
+ BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ }
+ else
+ {
+ struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+ BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+ }
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 27: euid (type: PT_UID) */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
index 80b8c2affd..46c14ce70c 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
@@ -290,7 +290,15 @@ int BPF_PROG(t1_execve_x,
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
- BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ if(bpf_core_field_exists(exe_inode->i_mtime))
+ {
+ BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ }
+ else
+ {
+ struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+ BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+ }
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 27: euid (type: PT_UID) */
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
index f690f57af6..5442b97a09 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
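Review bot: The `else` branch added in `t1_sched_p_exec` reads `__i_mtime` without checking that the field exists, and the same block is repeated in `t1_execve_x` and `t1_execveat_x`. On a kernel whose `struct inode` carries neither name I would expect the CO-RE relocation to fail and the program to be rejected at load, which would remove the whole exec event from the detection stream rather than just this timestamp. Guarding the second read with `bpf_core_field_exists` and zeroing `time` otherwise limits the damage to one parameter and keeps it from repeating the value stored for the previous parameter. As the block is identical in all three programs, it would also be easier to audit as one shared helper. The program bodies start and end outside the hunks.

```c
// … unchanged: previous parameter's store and the "Parameter 26" comment …
struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
if(bpf_core_field_exists(exe_inode->i_mtime))
{
	BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
}
else if(bpf_core_field_exists(exe_inode_v6_7->__i_mtime))
{
	BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
}
else
{
	/* Neither field name is known: report 0 instead of the previous parameter's value. */
	__builtin_memset(&time, 0, sizeof(time));
}
// … unchanged: auxmap__store_u64_param(...) for parameter 26 …
```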
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c
@@ -306,7 +306,15 @@ int BPF_PROG(t1_execveat_x,
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 26: exe_file mtime (last modification time, epoch value in nanoseconds) (type: PT_ABSTIME) */
- BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ if(bpf_core_field_exists(exe_inode->i_mtime))
+ {
+ BPF_CORE_READ_INTO(&time, exe_inode, i_mtime);
+ }
+ else
+ {
+ struct inode___v6_7 *exe_inode_v6_7 = (void *)exe_inode;
+ BPF_CORE_READ_INTO(&time, exe_inode_v6_7, __i_mtime);
+ }
 auxmap__store_u64_param(auxmap, extract__epoch_ns_from_time(time));
 /* Parameter 27: euid (type: PT_UID) */
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index b9b0357dab..231059c53a 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -523,6 +523,12 @@ struct file *ppm_get_mm_exe_file(struct mm_struct *mm)
 if (exe_file && !get_file_rcu(exe_file))
 exe_file = NULL;
 rcu_read_unlock();
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ // Since linux 6.7.0, `get_file_rcu` is no more a define and takes a double pointer parameter.
+ // See https://github.com/torvalds/linux/commit/0ede61d8589cc2d93aa78230d74ac58b5b8d0244.
+ rcu_read_lock();
+ exe_file = get_file_rcu(&mm->exe_file);
+ rcu_read_unlock();
 #else
 /* We need mmap_sem to protect against races with removal of
 * VM_EXECUTABLE vmas */
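Review bot: In `ppm_get_mm_exe_file` (driver/ppm_fillers.c) the new `#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)` comes after the existing branch that calls `get_file_rcu(exe_file)`, and the `#if` opening that branch is outside this hunk and not changed by it. If that condition is only a lower bound on the kernel version it is also true on 6.7, so the new branch would never be selected and the old single-pointer call would still be compiled. Please confirm the opening condition excludes 6.7 and later, or put `#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)` first and turn the existing test into the `#elif`, so the newest API is matched before older ones.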
@@ -1421,7 +1427,15 @@ int f_proc_startupdate(struct event_filler_arguments *args)
 * During kernel versions `i_mtime` changed from `struct timespec` to `struct timespec64`
 * but fields names should be always the same.
 */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ {
+ struct timespec64 inode_mtime;
+ inode_mtime = inode_get_mtime(file_inode(exe_file));
+ mtime = inode_mtime.tv_sec * (uint64_t)1000000000 + inode_mtime.tv_nsec;
+ }
+#else
 mtime = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
+#endif
 }
 #endif
 /* Before freeing the exefile we catch the resolved path for symlink resolution */
@@ -7439,7 +7453,15 @@ int f_sched_prog_exec(struct event_filler_arguments *args)
 * During kernel versions `i_mtime` changed from `struct timespec` to `struct timespec64`
 * but fields names should be always the same.
 */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
+ {
+ struct timespec64 inode_mtime;
+ inode_mtime = inode_get_mtime(file_inode(exe_file));
+ mtime = inode_mtime.tv_sec * (uint64_t)1000000000 + inode_mtime.tv_nsec;
+ }
+#else
 mtime = file_inode(exe_file)->i_mtime.tv_sec * (uint64_t) 1000000000 + file_inode(exe_file)->i_mtime.tv_nsec;
+#endif
 }
 /* Before free the exefile we catch the resolved path for symlink resolution */
 trusted_exepath = d_path(&exe_file->f_path, buf, PAGE_SIZE);
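Review bot: The comment kept directly above the new `#if` in `f_proc_startupdate`, and again in `f_sched_prog_exec`, still says the field names "should be always the same", which the 6.7 branch added below it contradicts. I would extend that comment with a line such as `* Since 6.7 the field is no longer accessed by name; the value is read through inode_get_mtime().` so the reason for the version split sits next to the code. The two added blocks are byte-for-byte identical, so a small static helper returning the mtime in nanoseconds would keep the two fillers from drifting apart. Inside the block, the declaration and assignment can be one line, `struct timespec64 inode_mtime = inode_get_mtime(file_inode(exe_file));`. Both function bodies start and end outside the hunks.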