On Wed, 2025-04-30 at 16:00 -0700, Alexei Starovoitov wrote: > > +// The dentry argument needs to be ignored because the verifier > > can't verify > > +// the integrity of the pointer coming in from kprobes. > > Exactly. > It's probably obvious that we're not going to allow > unsafe kfuncs that can easily crash the kernel. Yes--I wanted this confirmation. I was kicking myself for leaving that comment in the patch, but I'm glad it turned out to be useful. > > > +__bpf_kfunc char *bpf_dentry_path_raw(struct dentry *dentry__ign, > > We can consider something like this (without __ign, of course), > but if you insist on using kprobes we cannot help. I don't know how I could call dentry_path_raw without suppressing checks on the pointer. My previous experience with any kind of managed runtime stuff would imply wrapping the dentry pointer in a safe container, but doing that from a pointer coming straight from a kprobe just kicks the can down to wherever it gets wrapped. I wouldn't say I am insisting on using kprobes, but it's all I could figure out to get all the events for the file/directory create/open/modify/delete events that I wanted. I was surprised there already wasn't some kind of special event type for that already. Is there? Should there be? I have this future science project to try to extract PCI traffic, so if there needs to be a different type of trace for file system accesses, maybe that makes for a warmup. > You can walk dentry with probe_read-s instead, > but don't expect correct paths all the time. Let me make sure I understand then. Is the idea to basically safely derefence the pointer by using the probe_read functions to acquire the memory? So presumably I'd be writing an equivalent of dentry_path_raw in my bpf program using those copy operations. I'm guessing it's a lot like using copy_from_user in ioctls on any pointers that are coming in. I can give this a shot, but I don't think I was able to get any paths on the dentry pointers until I first called dget() on the dentry. I'm not actually a filesystem guy so I don't know if this is actually required.
