Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8.

Found in quark-test when running on RHEL8: Linux rocky8 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Wed Sep 25 09:20:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux Related commit in quark: elastic/quark@89e606b New kernels have a PIDTYPE_TGID after PIDTYPE_PID, which bumpes PIDTYPE_PGID and PIDTYPE_SID: https://elixir.bootlin.com/linux/v6.11/source/include/linux/pid_types.h#L8 4.18 (RHEL8) which we can actually run on since redhat backported ebpf ringbuffers still has the old definition: https://elixir.bootlin.com/linux/v4.18/source/include/linux/pid.h With this diff `quark-test` passes on asserting pgid and sid correspond to the return of getpgid(2) and getsid(2) on 4.18.0-553.22.1.el8_10.x86_64: https://github.com/elastic/quark/blob/main/quark-test.c#L273-L274
elastic · Oct 31, 2024 · 6f19328 · 6f19328
1 parent cd3d8ea
commit 6f19328
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
@@ -230,11 +230,21 @@ static void ebpf_ctty__fill(struct ebpf_tty_dev *ctty, const struct task_struct
 
 static void ebpf_pid_info__fill(struct ebpf_pid_info *pi, const struct task_struct *task)
 {
-    pi->tid  = BPF_CORE_READ(task, pid);
-    pi->tgid = BPF_CORE_READ(task, tgid);
-    pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
-    pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_PGID], numbers[0].nr);
-    pi->sid  = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_SID], numbers[0].nr);
+    int e_pgid, e_sid;
+
+    if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_PGID))
+        e_pgid = bpf_core_enum_value(enum pid_type, PIDTYPE_PGID);
+    else
+        e_pgid = PIDTYPE_PGID;
+    if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_SID))
+        e_sid = bpf_core_enum_value(enum pid_type, PIDTYPE_SID);
+    else
+        e_sid = PIDTYPE_SID;
+    pi->tid           = BPF_CORE_READ(task, pid);
+    pi->tgid          = BPF_CORE_READ(task, tgid);
+    pi->ppid          = BPF_CORE_READ(task, group_leader, real_parent, tgid);
+    pi->pgid          = BPF_CORE_READ(task, group_leader, signal, pids[e_pgid], numbers[0].nr);
+    pi->sid           = BPF_CORE_READ(task, group_leader, signal, pids[e_sid], numbers[0].nr);
     pi->start_time_ns = BPF_CORE_READ(task, group_leader, start_time);
 }