gnu: falcosecurity-libs: Fix BPF issue on Linux 6.15+.

This fixes sysdig. * gnu/packages/patches/falcosecurity-libs-bpf-probes-fix.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/linux.scm (falcosecurity-libs): Apply it. Change-Id: Ie908824288febb767114a932c050231c6f7647c9
2026-01-25 03:55:08 -06:00 · 2025-11-09 23:45:38 +09:00 · 2025-11-09 23:45:38 +09:00 · 5f7ec06d2c
commit 5f7ec06d2c
parent a21c8962e5
3 changed files with 106 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -1252,6 +1252,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/fail2ban-fix-sshd-filter.patch           \
  %D%/packages/patches/fail2ban-paths-guix-conf.patch		\
  %D%/packages/patches/faiss-tests-CMakeLists-find-googletest.patch	\
+  %D%/packages/patches/falcosecurity-libs-bpf-probes-fix.patch  \
  %D%/packages/patches/falcosecurity-libs-shared-build.patch	\
  %D%/packages/patches/farstream-gupnp.patch                         \
  %D%/packages/patches/farstream-make.patch                          \
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@ -11209,6 +11209,7 @@ set as @code{LD_PRELOAD} to override the C library file system functions.")
                "041ir9wk44v7isidwl7fzxrjvs85j637wcr7xirasd8ysxa0r4qv"))
              (patches
               (search-patches
+                "falcosecurity-libs-bpf-probes-fix.patch"
                "falcosecurity-libs-shared-build.patch"))))
    (build-system cmake-build-system)
    (arguments
--- a/gnu/packages/patches/falcosecurity-libs-bpf-probes-fix.patch
+++ b/gnu/packages/patches/falcosecurity-libs-bpf-probes-fix.patch
@ -0,0 +1,104 @@
+From c1a97c03832deb62ca4d30342e00031eda5227eb Mon Sep 17 00:00:00 2001
+From: Federico Di Pierro <nierro92@gmail.com>
+Date: Fri, 11 Apr 2025 09:03:21 +0200
+Subject: [PATCH] fix(driver): fixed build of old bpf probe against linux
+ 6.15-rc1.
+
+Also, fixed modern_ebpf running against the new kernel version.
+
+Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
+---
+ .../bpf/configure/KERNFS_NODE_PARENT/test.c   | 32 +++++++++++++++++++
+ driver/bpf/fillers.h                          |  4 +++
+ .../modern_bpf/definitions/struct_flavors.h   |  4 +++
+ .../helpers/store/auxmap_store_params.h       |  7 +++-
+ 4 files changed, 46 insertions(+), 1 deletion(-)
+ create mode 100644 driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+
+diff --git a/driver/bpf/configure/KERNFS_NODE_PARENT/test.c b/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+new file mode 100644
+index 0000000000..4887380769
+--- /dev/null
+++ b/driver/bpf/configure/KERNFS_NODE_PARENT/test.c
+@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only OR MIT
+/*
+
+Copyright (C) 2025 The Falco Authors.
+
+This file is dual licensed under either the MIT or GPL 2. See MIT.txt
+or GPL2.txt for full copies of the license.
+
+*/
+
+/*
+ * Check that kernfs_node's field `parent` exists.
+ * See 6.15 kernel commit it is named __parent:
+ * https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
+ */
+
+#include "../../quirks.h"
+#include "../../ppm_events_public.h"
+#include "../../types.h"
+
+// struct kernfs_node declaration
+#include <linux/kernfs.h>
+
+BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
+	struct kernfs_node *parent;
+	struct kernfs_node node;
+
+	parent = node.parent;
+	return 0;
+}
+
+char __license[] __bpf_section("license") = "Dual MIT/GPL";
+diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
+index 5ce78747fb..fcc57f1531 100644
+--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
+@@ -1819,7 +1819,11 @@ static __always_inline int __bpf_append_cgroup(struct css_set *cgroups,
+ 	for(int k = 0; k < MAX_CGROUP_PATHS; ++k) {
+ 		if(kn) {
+ 			cgroup_path[k] = (char *)_READ(kn->name);
+#ifdef HAS_KERNFS_NODE_PARENT
+ 			kn = _READ(kn->parent);
+#else
+			kn = _READ(kn->__parent);
+#endif
+ 		} else {
+ 			cgroup_path[k] = NULL;
+ 		}
+diff --git a/driver/modern_bpf/definitions/struct_flavors.h b/driver/modern_bpf/definitions/struct_flavors.h
+index 4e76281ed9..05f5201be4 100644
+--- a/driver/modern_bpf/definitions/struct_flavors.h
+++ b/driver/modern_bpf/definitions/struct_flavors.h
+@@ -59,6 +59,10 @@ struct inode___v6_11 {
+ 	uint32_t i_ctime_nsec;
+ };
+ 
+struct kernfs_node___v6_15 {
+	struct kernfs_node *__parent;
+};
+
+ #ifndef BPF_NO_PRESERVE_ACCESS_INDEX
+ #pragma clang attribute pop
+ #endif
+diff --git a/driver/modern_bpf/helpers/store/auxmap_store_params.h b/driver/modern_bpf/helpers/store/auxmap_store_params.h
+index d6cbe663e0..ab54e2db51 100644
+--- a/driver/modern_bpf/helpers/store/auxmap_store_params.h
+++ b/driver/modern_bpf/helpers/store/auxmap_store_params.h
+@@ -1296,7 +1296,12 @@ static __always_inline uint16_t store_cgroup_subsys(struct auxiliary_map *auxmap
+ 		}
+ 		path_components++;
+ 		BPF_CORE_READ_INTO(&cgroup_path_pointers[k], kn, name);
+-		BPF_CORE_READ_INTO(&kn, kn, parent);
+		if(bpf_core_field_exists(kn->parent)) {
+			BPF_CORE_READ_INTO(&kn, kn, parent);
+		} else {
+			struct kernfs_node___v6_15 *kn_v6_15 = (void *)kn;
+			BPF_CORE_READ_INTO(&kn, kn_v6_15, __parent);
+		}
+ 	}
+ 
+ 	/* Reconstruct the path in reverse, using previously collected pointers.