使用 BPF 工具对类型 'struct mnt_namespace' 的定义和前向声明不完整?

Incomplete definition and forward declaration of type 'struct mnt_namespace' using BPF tools?

我想要的:

execsnoop bcc 工具添加一个网络名称空间选项,以便仅跟踪具有指定网络名称空间的日志,就像我们在许多其他 bcc 工具中有过滤器 PID 选项一样。例如:execsnoop -N "ns_id"

我试过的:

int syscall__execve(struct pt_regs *ctx,
    const char __user *filename,
    const char __user *const __user *__argv,
    const char __user *const __user *__envp)
{
    // create data here and pass to submit_arg to save stack space (#555)
    struct data_t data = {};
    struct task_struct *task;


    data.pid = bpf_get_current_pid_tgid() >> 32;
    task = (struct task_struct *)bpf_get_current_task();
    // Some kernels, like Ubuntu 4.13.0-generic, return 0
    // as the real_parent->tgid.
    // We use the get_ppid function as a fallback in those cases. (#1883)

    data.ppid = task->real_parent->tgid;
    data.netns = task->nsproxy->mnt_ns->ns.inum; // I tried to mount namespace here

    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    data.type = EVENT_ARG;

    __submit_arg(ctx, (void *)filename, &data);

    // skip first arg, as we submitted filename
    #pragma unroll
    for (int i = 1; i < MAXARG; i++) {
        if (submit_arg(ctx, (void *)&__argv[i], &data) == 0)
             goto out;
    }

    // handle truncated argument list
    char ellipsis[] = "...";
    __submit_arg(ctx, (void *)ellipsis, &data);
out:
    return 0;
}

收到错误:

/virtual/main.c:98:39: error: incomplete definition of type 'struct mnt_namespace'
    data.netns = task->nsproxy->mnt_ns->ns.inum;
                 ~~~~~~~~~~~~~~~~~~~~~^
include/linux/nsproxy.h:8:8: note: forward declaration of 'struct mnt_namespace'
struct mnt_namespace;
       ^
1 error generated.
Traceback (most recent call last):
  File "./execsnoop", line 230, in <module>
    b = BPF(text=bpf_text)
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 325, in __init__
    raise Exception("Failed to compile BPF text")
Exception: Failed to compile BPF text

我也尝试包含 mnt_namespace.h 头文件,但没有解决。

密件抄送工具 mountsnoop.py 似乎可以实现您想要实现的目标。他们重新定义了一些结构,注释如下:

/*
 * XXX: struct mnt_namespace is defined in fs/mount.h, which is private to the
 * VFS and not installed in any kernel-devel packages. So, let's duplicate the
 * important part of the definition. There are actually more members in the
 * real struct, but we don't need them, and they're more likely to change.
 */
struct mnt_namespace {
    atomic_t count;
    struct ns_common ns;
};

确实 fs/mount.h 中的结构没有导出。所以我怀疑你只需要在你的代码中做同样的事情:部分重新定义 struct mnt_namespace.