src/python: fix filtering by containers when kfunc are supported

The filtering by mount namespace logic has to access current_task->nsproxy->mnt_ns->ns.inum to get the mount namespace id. Before this commit, that line was written in C natural syntax and we're relying on the BCC rewriter to transform that to valid eBPF code by emitting some bpf_probe_read calls. This support was not working when using opensnoop in systems supporting kfuncs because in this case the BCC rewriter doesn't transform that line and the verifier claims about an invalid memory access: 7: (85) call bpf_get_current_task#35; return current_task->nsproxy->mnt_ns->ns.inum; 8: (79) r1 = *(u64 *)(r0 +2896) R0 invalid mem access 'inv' This commit fixes that by explicitly using bpf_probe_kernel_read() instead of the C natural syntax. Signed-off-by: Mauricio Vásquez <[email protected]>
yezhengmao1 · Sep 14, 2021 · 4fa2ed7 · 4fa2ed7
1 parent 291ec6e
commit 4fa2ed7
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/src/python/bcc/containers.py b/src/python/bcc/containers.py
@@ -76,8 +76,24 @@ def _mntns_filter_func_writer(mntnsmap):
 
  static inline int _mntns_filter() {
  struct task_struct *current_task;
+ struct nsproxy *nsproxy;
+ struct mnt_namespace *mnt_ns;
+ unsigned int inum;
+ u64 ns_id;
+
  current_task = (struct task_struct *)bpf_get_current_task();
- u64 ns_id = current_task->nsproxy->mnt_ns->ns.inum;
+
+ if (bpf_probe_read_kernel(&nsproxy, sizeof(nsproxy), &current_task->nsproxy))
+ return 0;
+
+ if (bpf_probe_read_kernel(&mnt_ns, sizeof(mnt_ns), &nsproxy->mnt_ns))
+ return 0;
+
+ if (bpf_probe_read_kernel(&inum, sizeof(inum), &mnt_ns->ns.inum))
+ return 0;
+
+ ns_id = (u64) inum;
+
  return mount_ns_set.lookup(&ns_id) == NULL;
  }
  """