I am using Ubuntu 22.04 (kernel version 6.5.0-41-generic). By adding the 'bpf' option to the kernel's CONFIG_LSM, I gave the kernel the ability to compile eBPF LSM programs.
The code is below:
// test.bpf.c
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_core_read.h>
// ...

#define MAX_FILENAME_LEN 64

char LICENSE[] SEC("license") = "GPL";

SEC("lsm/bprm_check_security")
int file_exec(struct linux_binprm *bprm)
{
    struct file *file;
    struct dentry *dentry;
    struct inode *inode;
    char d_iname[MAX_FILENAME_LEN];

    /* bprm->file is the file being executed */
    file = BPF_CORE_READ(bprm, file);
    if (!file) {
        bpf_printk("Failed to get file from bprm");
        return 0;
    }
    bpf_printk("[LSM]bprm add is: %p, file add is: %p", bprm, file);

    /* walk file -> f_path.dentry and file -> f_inode */
    dentry = BPF_CORE_READ(file, f_path.dentry);
    if (!dentry) {
        bpf_printk("Failed to get dentry");
        return 0;
    }
    bpf_printk("[LSM]dentry address: %p", dentry);
    inode = BPF_CORE_READ(file, f_inode);
    bpf_printk("[LSM]file->f_inode: %p", inode);

    /* copy the inline short name out of the dentry and print the buffer with %p */
    bpf_probe_read_kernel(d_iname, sizeof(d_iname), dentry->d_iname);
    bpf_printk("[LSM]d_iname: %p\n", d_iname);
    return 0;
}
The output is below:
sh-12737 [004] ...11 4498.373601: bpf_trace_printk: [LSM]bprm add is: 0000000016d64d10, file add is: 000000006c831f89
sh-12737 [004] ...11 4498.373607: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
sh-12737 [004] ...11 4498.373609: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
sh-12737 [004] ...11 4498.373613: bpf_trace_printk: [LSM]d_iname: 000000008dd30753
cpuUsage.sh-12738 [002] ...11 4498.375246: bpf_trace_printk: [LSM]bprm add is: 000000007c254fba, file add is: 000000006c831f89
cpuUsage.sh-12738 [002] ...11 4498.375281: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
cpuUsage.sh-12738 [002] ...11 4498.375282: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
cpuUsage.sh-12738 [002] ...11 4498.375283: bpf_trace_printk: [LSM]d_iname: 000000009369c738
<...>-12739 [007] ...11 4498.377341: bpf_trace_printk: [LSM]bprm add is: 0000000067031410, file add is: 000000006c831f89
<...>-12739 [007] ...11 4498.377360: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
<...>-12739 [007] ...11 4498.377361: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
<...>-12739 [007] ...11 4498.377361: bpf_trace_printk: [LSM]d_iname: 00000000408121a6
<...>-12740 [004] ...11 4498.378749: bpf_trace_printk: [LSM]bprm add is: 000000003a1e099a, file add is: 000000006c831f89
<...>-12740 [004] ...11 4498.378780: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
<...>-12740 [004] ...11 4498.378781: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
<...>-12740 [004] ...11 4498.378782: bpf_trace_printk: [LSM]d_iname: 00000000ac1cefa2
<...>-12741 [003] ...11 4498.380112: bpf_trace_printk: [LSM]bprm add is: 00000000635242af, file add is: 000000006c831f89
<...>-12741 [003] ...11 4498.380146: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
<...>-12741 [003] ...11 4498.380147: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
<...>-12741 [003] ...11 4498.380148: bpf_trace_printk: [LSM]d_iname: 000000001f43049b
<...>-12742 [006] ...11 4498.380858: bpf_trace_printk: [LSM]bprm add is: 000000001bd1ee1d, file add is: 000000006c831f89
<...>-12742 [006] ...11 4498.380878: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
<...>-12742 [006] ...11 4498.380879: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
<...>-12742 [006] ...11 4498.380879: bpf_trace_printk: [LSM]d_iname: 00000000aa372b41
<...>-12743 [004] ...11 4498.382714: bpf_trace_printk: [LSM]bprm add is: 00000000589c9479, file add is: 000000006c831f89
<...>-12743 [004] ...11 4498.382733: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
<...>-12743 [004] ...11 4498.382733: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
<...>-12743 [004] ...11 4498.382733: bpf_trace_printk: [LSM]d_iname: 00000000c2a44d45
<...>-12745 [000] ...11 4498.384346: bpf_trace_printk: [LSM]bprm add is: 0000000071c6ceb0, file add is: 000000006c831f89
<...>-12745 [000] ...11 4498.384366: bpf_trace_printk: [LSM]dentry address: 000000001d2009b0
<...>-12745 [000] ...11 4498.384367: bpf_trace_printk: [LSM]file->f_inode: 00000000c4836b3a
<...>-12745 [000] ...11 4498.384367: bpf_trace_printk: [LSM]d_iname: 00000000d4ef0bc6
I'm pretty sure that the relevant structures in vmlinux (struct linux_binprm and struct file) are correct, and that it's just fine for me to get a pointer to bprm->file using other non-LSM hooks (such as tracepoint/syscalls/sys_enter_execve).
I'm curious to know why this happens and what I should do to make the bprm->file fetched by the eBPF LSM program normal.
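The following is an added example of how such a hook is normally written with libbpf; it is not code from the original question. Two things differ from the posted program. First, an LSM (or fentry) program receives a single pointer to an array of u64 hook arguments, not the first argument itself; the BPF_PROG() macro from bpf_tracing.h unpacks that array into typed parameters, whereas declaring the function as `int file_exec(struct linux_binprm *bprm)` makes every BPF_CORE_READ start from the array's address rather than from the binprm. Second, bpf_printk's %p prints a hashed kernel pointer (the zero-padded 8-hex-digit values in the trace output), so a char buffer has to be printed with %s. The example reads the name through dentry->d_name.name instead of d_iname, since d_iname only holds names shorter than DNAME_INLINE_LEN, and it shows the LSM side of the hook by returning -EPERM for one made-up executable name. bpf_d_path() is not permitted on bprm_check_security (only on a small allowlist of hooks such as file_open), so the full path is not resolved here. The file name exec_name.bpf.c, the NAME_LEN buffer size and the blocked name "blocked-demo" are assumptions.

```c
// SPDX-License-Identifier: GPL-2.0
// exec_name.bpf.c (assumed name): LSM hook on bprm_check_security that reads
// bprm->file, prints the executable's name as a string and denies one name.
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>

#define NAME_LEN 64   /* assumed buffer size, larger than DNAME_INLINE_LEN */
#define EPERM 1       /* vmlinux.h carries no errno values */

char LICENSE[] SEC("license") = "GPL";

/* BPF_PROG() unpacks the u64 ctx[] array that LSM/fentry programs receive,
 * so bprm really is the first argument of security_bprm_check(). */
SEC("lsm/bprm_check_security")
int BPF_PROG(exec_name, struct linux_binprm *bprm)
{
    struct file *file;
    struct dentry *dentry;
    struct inode *inode;
    const unsigned char *name;
    char buf[NAME_LEN];
    long n;

    /* bprm is a trusted BTF pointer here; BPF_CORE_READ keeps the field
     * offsets relocatable if the struct layout differs on another kernel. */
    file = BPF_CORE_READ(bprm, file);
    if (!file)
        return 0;

    dentry = BPF_CORE_READ(file, f_path.dentry);
    inode = BPF_CORE_READ(file, f_inode);
    if (!dentry || !inode)
        return 0;

    /* d_name.name points at d_iname for short names and at a separately
     * allocated buffer for long ones, so it is the right thing to read. */
    name = BPF_CORE_READ(dentry, d_name.name);
    n = bpf_probe_read_kernel_str(buf, sizeof(buf), name);
    if (n < 0)
        return 0;

    /* %p prints a hashed kernel pointer; %s prints the NUL-terminated buffer. */
    bpf_printk("[LSM] pid=%d file=%p ino=%lu",
               (int)(bpf_get_current_pid_tgid() >> 32), file,
               BPF_CORE_READ(inode, i_ino));
    bpf_printk("[LSM] exec name: %s", buf);

    /* The LSM half: a non-zero return from bprm_check_security aborts the
     * execve with that error. "blocked-demo" is a made-up name. */
    if (bpf_strncmp(buf, sizeof("blocked-demo"), "blocked-demo") == 0)
        return -EPERM;

    return 0;
}
```

Generate vmlinux.h with `bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h`, compile with `clang -O2 -g -target bpf -c exec_name.bpf.c -o exec_name.bpf.o`, load and attach it with `bpftool prog loadall exec_name.bpf.o /sys/fs/bpf/exec_name autoattach` (as root, on a kernel that lists bpf in /sys/kernel/security/lsm), and read the lines from /sys/kernel/debug/tracing/trace_pipe. bpf_trace_printk is a debugging aid only; for anything beyond a quick check, ship the fields through a ring buffer instead.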