kfilefields

package
v0.28.1 Latest
Warning

This package is not in the latest version of its module.

Published: May 16, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package kfilefields provides functions to read fields of the kernel "struct file" associated with a file descriptor.

This is done:

  • without using BPF iterators, so that it works on old kernels.
  • without comparing PIDs from userspace and eBPF, so that it works from different PID namespaces.

Constants

This section is empty.

Variables

This section is empty.

Functions

func ReadFOpForFdType

func ReadFOpForFdType(ft FdType) (uint64, error)

ReadFOpForFdType uses eBPF to read the f_op pointer from the kernel "struct file" associated with the given fd type.

func ReadPrivateDataFromFd

func ReadPrivateDataFromFd(fd int) (uint64, error)

ReadPrivateDataFromFd uses eBPF to read the private_data pointer from the kernel "struct file" associated with the given fd.

func ReadRealInodeFromFd (added in v0.28.0)

func ReadRealInodeFromFd(fd int) (uint64, error)

ReadRealInodeFromFd uses eBPF to read the f_inode pointer from the kernel "struct file" associated with the given fd. Specifically, if fd belongs to an overlayFS mount, it returns the underlying, real inode.

This makes it possible to check whether two fds refer to the same underlying file, even if they come from two different overlay filesystems. This is useful for uprobes because they are attached to the underlying file.

Types

type FdType

type FdType int

const (
	FdTypeSocket FdType = iota
	FdTypeEbpfProgram
)

func (FdType) String

func (fd FdType) String() string

type Tracer

type Tracer struct {
	// contains filtered or unexported fields
}
