Search code examples
linuxlinux-kernelsystem-callsebpfbpf

BPF program attached to `getname` won't get called when calling the `renameat2` syscall


I'm fiddling with a BPF program that needs to attach to the two "getname" functions that are being called from the renameat2 syscall, defined in linux/fs/namei.c as:

SYSCALL_DEFINE5(renameat2, int, olddfd, const char __user *, oldname,
        int, newdfd, const char __user *, newname, unsigned int, flags)
{
    return do_renameat2(olddfd, getname(oldname), newdfd, getname(newname),
                flags);
}

getname calls getname_flags, which in turn calls strncpy_from_user. I need to access the char __user * name parameter, thus I tried creating kprobes, fentries and fexits (with a simple "print" program) to try and intercept all three of those functions. With getname*, I get a lot of output meaning that my BPF program are actually being runned. Although, when calling "renameat2" (e.g. when using the linux mv command), I get no output at all.

This is, in essence, the program I'm currently using, which doesn't get called when using the mv command:

SEC("fentry/getname_flags")
int BPF_PROG(hijack_getname, char *filename) {
  uid_t uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
  if (uid == 1002) { //hardcoded uid
    bpf_printk("<enter getname_flags> [%s]", filename);
  }
}

If I create a BPF tracepoint program that attaches to the entry and exit of renameat2, I can clearly see that there's no "getname" call between entry and exit.

As I said, I also tried with kprobe and fexit. I can't manage to attach to strncpy_from_user without getting some weird errors about "Os: 22 - invalid argument"

I really can't figure out what's happening, thus any help would be appreciated :,)


Solution

  • Solved: by analizing "vmlinux" with nm, and decompiling with "objdump", I saw that the actually called function is "getname_flags.part.0" due to compiler optimizations.