Documentation
Overview
Package kfilefields provides functions to read kernel "struct file" fields against a file descriptor.
This is done:
- without using BPF iterators, so that it works on old kernels.
- without comparing PIDs between userspace and eBPF, so that it works across different PID namespaces.
Constants
This section is empty.
Variables
This section is empty.
Functions
func ReadFOpForFdType
ReadFOpForFdType uses eBPF to read the f_op pointer from the kernel "struct file" associated with the given fd type.
func ReadPrivateDataFromFd
ReadPrivateDataFromFd uses eBPF to read the private_data pointer from the kernel "struct file" associated with the given fd.
func ReadRealInodeFromFd (added in v0.28.0)
ReadRealInodeFromFd uses eBPF to read the f_inode pointer from the kernel "struct file" associated with the given fd. Specifically, if fd refers to a file on overlayfs, it returns the underlying, real inode.
This feature makes it possible to check if two fds come from the same underlying file, even if they come from two different overlay filesystems. This is useful for uprobes because they get attached to the underlying file.