diff --git a/Backport-adapt-file-ebpf-for-kernel-6.6.patch b/Backport-adapt-file-ebpf-for-kernel-6.6.patch
new file mode 100644
index 0000000..9b91bcb
--- /dev/null
+++ b/Backport-adapt-file-ebpf-for-kernel-6.6.patch
@@ -0,0 +1,87 @@
+From 12f2a608cc1c519786befadd3195316968a5ca28 Mon Sep 17 00:00:00 2001
+From: zgzxx
+Date: Thu, 19 Sep 2024 10:36:59 +0800
+Subject: [PATCH] adapt file ebpf for kernel 6.6
+
+---
+ observer_agent/ebpf/CMakeLists.txt | 2 +-
+ observer_agent/ebpf/file_ebpf/CMakeLists.txt | 2 +-
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 14 ++++++++------
+ 3 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/observer_agent/ebpf/CMakeLists.txt b/observer_agent/ebpf/CMakeLists.txt
+index a5c9bbe..d400c01 100644
+--- a/observer_agent/ebpf/CMakeLists.txt
++++ b/observer_agent/ebpf/CMakeLists.txt
+@@ -3,7 +3,7 @@ project(ebpf)
+ add_subdirectory(file_ebpf)
+ add_custom_target(ebpf
+ COMMAND mkdir -p ${CMAKE_CURRENT_BINARY_DIR}/.output
+- COMMAND bpftool btf dump file /sys/kernel/btf/vmlinux format c > ${CMAKE_CURRENT_BINARY_DIR}/.output/vmlinux.h
++ COMMAND bpftool btf dump file /usr/lib/debug/lib/modules/`uname -r`/vmlinux format c > ${CMAKE_CURRENT_BINARY_DIR}/.output/vmlinux.h
+ COMMAND clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -I${CMAKE_SOURCE_DIR}/include -I${CMAKE_CURRENT_BINARY_DIR}/.output -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.bpf.o
+ COMMAND bpftool gen skeleton ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.bpf.o > ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.skel.h
+ COMMAND cc -g -Wall -fPIC -I${CMAKE_SOURCE_DIR}/include -I${CMAKE_CURRENT_BINARY_DIR}/.output -I${CMAKE_CURRENT_SOURCE_DIR} -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.o
+diff --git a/observer_agent/ebpf/file_ebpf/CMakeLists.txt b/observer_agent/ebpf/file_ebpf/CMakeLists.txt
+index e9e073a..b8939df 100644
+--- a/observer_agent/ebpf/file_ebpf/CMakeLists.txt
++++ b/observer_agent/ebpf/file_ebpf/CMakeLists.txt
+@@ -4,7 +4,7 @@ cmake_minimum_required(VERSION 3.22)
+ project(file_ebpf)
+ add_custom_target(file_ebpf
+ COMMAND mkdir -p ${CMAKE_CURRENT_BINARY_DIR}/.output
+- COMMAND bpftool btf
dump file /sys/kernel/btf/vmlinux format c > ${CMAKE_CURRENT_BINARY_DIR}/.output/vmlinux.h
++ COMMAND bpftool btf dump file /usr/lib/debug/lib/modules/`uname -r`/vmlinux format c > ${CMAKE_CURRENT_BINARY_DIR}/.output/vmlinux.h
+ COMMAND clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -I${CMAKE_SOURCE_DIR}/include -I${CMAKE_CURRENT_BINARY_DIR}/.output -c ${CMAKE_CURRENT_SOURCE_DIR}/file_fentry.bpf.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/file_fentry.bpf.o
+ COMMAND bpftool gen skeleton ${CMAKE_CURRENT_BINARY_DIR}/.output/file_fentry.bpf.o > ${CMAKE_CURRENT_BINARY_DIR}/.output/file_fentry.skel.h
+ COMMAND cc -g -Wall -fPIC -I${CMAKE_SOURCE_DIR}/include -I${CMAKE_CURRENT_BINARY_DIR}/.output -I${CMAKE_CURRENT_SOURCE_DIR} -c ${CMAKE_CURRENT_SOURCE_DIR}/file_fentry.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/file_fentry.o
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index 941b785..b3ef041 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -178,7 +178,7 @@ int BPF_PROG(fexit_vfs_write, struct file *file, const char *buf, size_t count,
+ }
+
+ SEC("fexit/vfs_unlink")
+-int BPF_PROG(fexit_vfs_unlink, struct inode *dir, struct dentry *dentry, struct inode **delegated_inode, int ret)
++int BPF_PROG(fexit_vfs_unlink, struct mnt_idmap *idmap, struct inode *dir, struct dentry *dentry, struct inode **delegated_inode, int ret)
+ {
+ struct ebpf_event *e = NULL;
+
+@@ -287,7 +287,7 @@ int BPF_PROG(fexit_chown_common, const struct path *path, uid_t user, gid_t grou
+ }
+
+ SEC("fentry/__vfs_setxattr_noperm")
+-int BPF_PROG(fentry__vfs_setxattr_noperm, struct dentry *dentry, const char *name, const void *value, size_t size, int flags)
++int BPF_PROG(fentry__vfs_setxattr_noperm, struct mnt_idmap *idmap, struct dentry *dentry, const char *name, const void *value, size_t size, int flags)
+ {
+ struct ebpf_event *e = NULL;
+
+@@ -307,7 +307,7 @@ int
BPF_PROG(fentry__vfs_setxattr_noperm, struct dentry *dentry, const char *nam
+ }
+
+ SEC("fentry/__vfs_removexattr_locked")
+-int BPF_PROG(fentry__vfs_removexattr_locked, struct dentry *dentry, const char *name, struct inode **delegated_inode)
++int BPF_PROG(fentry__vfs_removexattr_locked, struct mnt_idmap *idmap, struct dentry *dentry, const char *name, struct inode **delegated_inode)
+ {
+ struct ebpf_event *e = NULL;
+
+@@ -327,10 +327,12 @@ int BPF_PROG(fentry__vfs_removexattr_locked, struct dentry *dentry, const char *
+ }
+
+ SEC("fentry/vfs_rename")
+-int BPF_PROG(fentry_vfs_rename, struct inode *old_dir, struct dentry *old_dentry,
+- struct inode *new_dir, struct dentry *new_dentry, struct inode **delegated_inode,
+- unsigned int flags)
++int BPF_PROG(fentry_vfs_rename, struct renamedata *rd)
+ {
++ if (!rd)
++ return 0;
++ struct dentry *old_dentry = rd->old_dentry;
++ struct dentry *new_dentry = rd->new_dentry;
+ struct ebpf_event *e = NULL;
+ char name[] = "rename";
+
+--
+2.33.0
+
diff --git a/secDetector.spec b/secDetector.spec
index f281df4..051556a 100644
--- a/secDetector.spec
+++ b/secDetector.spec
@@ -5,12 +5,12 @@ Name : secDetector
 Summary : OS Security Intrusion Detection System
 Version : 1.0
-Release : 14
+Release : 15
 License : GPL-2.0
 Source0 : %{name}-v%{version}.tar.gz
 BuildRequires: kernel-devel kernel-headers
 BuildRequires: gcc gcc-c++ clang cmake make
-BuildRequires: libbpf-devel bpftool
+BuildRequires: libbpf-devel bpftool uname-build-checks kernel-debuginfo
 BuildRequires: grpc-devel grpc-plugins protobuf-devel c-ares-devel libuuid-devel
 Requires : kernel
 Requires : protobuf grpc libuuid libbpf
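Review bot: The new prototypes for fexit_vfs_unlink, fentry__vfs_setxattr_noperm, fentry__vfs_removexattr_locked and fentry_vfs_rename hard-code the 6.6 argument layout (leading `struct mnt_idmap *idmap`, `struct renamedata *rd`) and nothing in the programs checks that the kernel they attach to actually has it; on a kernel whose vfs_unlink has no idmap argument the outcome depends on which slots the body reads, from a verifier load rejection at best to `dentry` silently reading a neighbouring argument and the file detector attributing events to the wrong object at worst. Since the object is built CO-RE against vmlinux.h, each affected program can fail closed with `if (!bpf_core_type_exists(struct mnt_idmap)) return 0;` at the top of its body (or the loader can select between two variants with bpf_program__set_autoload), and the loader should log the mismatch rather than run blind. The `if (!rd) return 0;` guard in fentry_vfs_rename is harmless but unlikely to fire for a BTF-typed fentry argument; the body that consumes old_dentry/new_dentry continues outside the hunk. Both CMake hunks now derive vmlinux.h from `/usr/lib/debug/lib/modules/\`uname -r\`/vmlinux`, which ties the generated types to whatever kernel the build host happens to run rather than to the kernel-devel the package targets; a cache variable such as `-DKERNEL_VERSION=...` (defaulting to `uname -r`) would let package builds pin it explicitly.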
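Review bot: Adding `kernel-debuginfo` to BuildRequires only works if the version installed in the build root is the one `uname -r` prints there, because the CMake rule introduced by Patch0034 reads `/usr/lib/debug/lib/modules/\`uname -r\`/vmlinux`; in a chroot build `uname -r` normally reports the host kernel, so the file is either absent (build fails) or belongs to a different kernel than the kernel-devel headers the package compiles against. If `uname-build-checks` exists precisely to make `uname -r` report the installed kernel-devel version — its name suggests so, but the spec does not say — that coupling should be recorded above the line, e.g. `# uname-build-checks makes uname -r match kernel-devel; the vmlinux.h rule in Patch0034 relies on it`. The previous `/sys/kernel/btf/vmlinux` source needed no extra package on a BTF-enabled host kernel, whereas kernel-debuginfo is a large download per build root, so the reason for the switch deserves a sentence in the spec or changelog.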
@@ -47,6 +47,7 @@ Patch0030: Backport-fix-the-memory-leak-in-collect-unit.patch
 Patch0031: Backport-fix-memory-leak-in-program_action.patch
 Patch0032: Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch
 Patch0033: Backport-fix-6.x-kernel-compile-error.patch
+Patch0034: Backport-adapt-file-ebpf-for-kernel-6.6.patch
 %description
 OS Security Intrusion Detection System
@@ -120,6 +121,9 @@ rm -rf %{buildroot}
 %attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h
 %changelog
+* Thu Sep 19 2024 zhangguangzhi 1.0-15
+- backport patch to adapt file ebpf for kernel 6.6
+
 * Tue Feb 20 2024 hurricane618 1.0-14
 - backport patch to fix compile error in v6.6 kernel