
What I want:

To add a network namespace option to the execsnoop bcc tool to trace only the logs with a specified network namespace, just like we have the PID filter option in many other bcc tools. For example: execsnoop -N "ns_id"

I am using Linux kernel structures to retrieve the namespace id, net = task->nsproxy->net_ns;, and need to assign the retrieved ns to data.netns, which is a u32 int.

What I am doing:

int syscall__execve(struct pt_regs *ctx,
    const char __user *filename,
    const char __user *const __user *__argv,
    const char __user *const __user *__envp)
{
    // create data here and pass to submit_arg to save stack space (#555)
    //int ret = PT_REGS_RC(ctx);
    struct data_t data = {};
    struct task_struct *task;
    struct nsproxy *nsproxy;
    struct net *net;
    //struct mnt_namespace *mnt_ns;

    data.pid = bpf_get_current_pid_tgid() >> 32;

    u32 net_ns_inum = 0;
    //net = (struct net *)get_net_ns_by_pid(data.pid);
    //net_ns_inum = (uintptr_t)net;

    task = (struct task_struct *)bpf_get_current_task();
    // Some kernels, like Ubuntu 4.13.0-generic, return 0
    // as the real_parent->tgid.
    // We use the get_ppid function as a fallback in those cases. (#1883)

    data.ppid = task->real_parent->tgid;

    net = task->nsproxy->net_ns;
    FILTER_NETNS

    data.netns = (uintptr_t)net; // here have to perform casting

I have added #include </usr/include/stdint.h> but I am getting the following error, even though the include <bits/libc-header-start.h> is present in the stdint.h file:

In file included from /virtual/main.c:8:
/usr/include/stdint.h:26:10: fatal error: 'bits/libc-header-start.h' file not found
#include <bits/libc-header-start.h>
         ^~~~~~~~~~~~~~~~~~~~~~~~~~

and it keeps generating errors about other missing header files if I resolve this one.

  • How are you compiling? Are you using the `-m32` flag? Maybe this can solve your issue: https://stackoverflow.com/questions/54082459/fatal-error-bits-libc-header-start-h-no-such-file-or-directory-while-compili – Andrea Baldini May 18 '20 at 04:25
  • This is a code snippet from the execsnoop.py eBPF tool. You can refer to it here: https://github.com/iovisor/bcc/blob/master/tools/execsnoop.py. To execute this tool, we simply use `./execsnoop`; I can't specify -m32 directly in the command as it is a Python script. – user248396 May 18 '20 at 05:14
  • Have you tried installing the `gcc-multilib` package? I think it should fix the issue. Not sure why you need to include `stdint.h`, though? Just cast as `u32`? – Qeole May 18 '20 at 13:19

1 Answer


I have resolved this issue:

Instead of using net = task->nsproxy->net_ns; I used net = task->nsproxy->net_ns->ns.inum;, which is an unsigned int, and we can directly retrieve the namespace from it.

This structure can be found in the <linux/ns_common.h> header file.

struct ns_common {
    atomic_long_t stashed;
    const struct proc_ns_operations *ops;
    unsigned int inum;
};

To get a modified code with added namespace option in execsnoop tool, please follow this link: https://github.com/Sheenam3/ebpf/blob/master/execsnoop.py#L143

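The user-space half of such a filter, as an added example that is not part of the question, the answer, or bcc's execsnoop: it reads the value the kernel holds in ns.inum from /proc/<pid>/ns/net (readlink gives net:[inum], the number a -N argument would carry), checks that it fits the u32 field, and fills the FILTER_NETNS placeholder with the same string-replacement approach execsnoop.py uses for its filters. The BPF_TEXT fragment and all function names are constructed for this example; loading the program still needs bcc on a Linux host.

```python
"""Build the netns filter for a bcc tool such as execsnoop (constructed example)."""
import os
import re
from typing import Optional

# Fragment of the BPF C program with the FILTER_NETNS placeholder (constructed).
# ns.inum is the inode number /proc/<pid>/ns/net reports as net:[inum].
BPF_TEXT = r"""
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    data.netns = task->nsproxy->net_ns->ns.inum;
    FILTER_NETNS
"""

_NS_LINK = re.compile(r"^net:\[(\d+)\]$")


def parse_ns_link(link_target: str) -> int:
    """Parse the readlink() result of /proc/<pid>/ns/net, e.g. 'net:[4026531992]'."""
    m = _NS_LINK.match(link_target)
    if not m:
        raise ValueError(f"not a net namespace link: {link_target!r}")
    return int(m.group(1))


def netns_of_pid(pid: int) -> int:
    """Return the net namespace inode number of a running process (Linux only)."""
    return parse_ns_link(os.readlink(f"/proc/{pid}/ns/net"))


def build_bpf_text(netns: Optional[int]) -> str:
    """Substitute FILTER_NETNS: with a value, drop events from any other net namespace."""
    if netns is None:
        filt = ""  # no -N given: trace every namespace, as execsnoop does by default
    else:
        if not 0 <= netns <= 0xFFFFFFFF:
            raise ValueError("netns inum must fit in the u32 data.netns field")
        filt = f"if (data.netns != {netns}) {{ return 0; }}"
    return BPF_TEXT.replace("FILTER_NETNS", filt)


if __name__ == "__main__":
    # Filter on the namespace of this process, the common -N use case.
    print(build_bpf_text(netns_of_pid(os.getpid())))
```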