fact/fact-ebpf/src/bpf/events.h at e01148bc58c78177cc48cc9bf03b0480f9239c83 · stackrox/fact · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#pragma once

// clang-format off
#include "vmlinux.h"

#include "inode.h"
#include "maps.h"
#include "process.h"
#include "types.h"

#include <bpf/bpf_helpers.h>
// clang-format on

__always_inline static void submit_event(struct metrics_by_hook_t* m,
                                         file_activity_type_t event_type,
                                         const char filename[PATH_MAX],
                                         inode_key_t* inode,
                                         bool use_bpf_d_path) {
  struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
  if (event == NULL) {
    m->ringbuffer_full++;
    return;
  }

  event->type = event_type;
  event->timestamp = bpf_ktime_get_boot_ns();
  inode_copy_or_reset(&event->inode, inode);
  bpf_probe_read_str(event->filename, PATH_MAX, filename);

  struct helper_t* helper = get_helper();
  if (helper == NULL) {
    goto error;
  }

  int64_t err = process_fill(&event->process, use_bpf_d_path);
  if (err) {
    bpf_printk("Failed to fill process information: %d", err);
    goto error;
  }

  m->added++;
  bpf_ringbuf_submit(event, 0);
  return;

error:
  m->error++;
  bpf_ringbuf_discard(event, 0);
}