Sync elastic/ebpf to f8b0fc64816742f762a49cec697780890140db1c

We need the fix for PIDTYPE_PGID and PIDTYPE_SID from that commit.

elastic-ebpf/GPL/Events/EbpfEventProto.h

@@ -11,6 +11,10 @@
 #define EBPF_EVENTPROBE_EBPFEVENTPROTO_H
 
 #define TASK_COMM_LEN 16
+// The theoretical max size of DNS packets over UDP is 512.
+// Like so many things in DNS this number probaby isn't 100% accurate.
+// DNS extensions in RFC2671 and RFC6891 mean the actual size can be larger.
+#define MAX_DNS_PACKET 1500
 
 #ifndef __KERNEL__
 #include <stdint.h>
@@ -40,6 +44,7 @@ enum ebpf_event_type {
     EBPF_EVENT_PROCESS_SHMGET               = (1 << 17),
     EBPF_EVENT_PROCESS_PTRACE               = (1 << 18),
     EBPF_EVENT_PROCESS_LOAD_MODULE          = (1 << 19),
+    EBPF_EVENT_NETWORK_DNS_PKT              = (1 << 20),
 };
 
 struct ebpf_event_header {
@@ -66,6 +71,7 @@ enum ebpf_varlen_field_type {
     EBPF_VL_FIELD_SYMLINK_TARGET_PATH,
     EBPF_VL_FIELD_MOD_VERSION,
     EBPF_VL_FIELD_MOD_SRCVERSION,
+    EBPF_VL_FIELD_DNS_BODY,
 };
 
 // Convenience macro to iterate all the variable length fields in an event
@@ -341,13 +347,19 @@ struct ebpf_process_load_module_event {
 
 enum ebpf_net_info_transport {
     EBPF_NETWORK_EVENT_TRANSPORT_TCP = 1,
+    EBPF_NETWORK_EVENT_TRANSPORT_UDP = 2,
 };
 
 enum ebpf_net_info_af {
     EBPF_NETWORK_EVENT_AF_INET  = 1,
     EBPF_NETWORK_EVENT_AF_INET6 = 2,
 };
 
+enum ebpf_net_udp_info {
+    EBPF_NETWORK_EVENT_SKB_CONSUME_UDP = 1,
+    EBPF_NETWORK_EVENT_IP_SEND_UDP     = 2,
+};
+
 struct ebpf_net_info_tcp_close {
     uint64_t bytes_sent;
     uint64_t bytes_received;
@@ -379,10 +391,22 @@ struct ebpf_net_event {
     char comm[TASK_COMM_LEN];
 } __attribute__((packed));
 
+struct ebpf_dns_event {
+    struct ebpf_event_header hdr;
+    struct ebpf_pid_info pids;
+    struct ebpf_net_info net;
+    char comm[TASK_COMM_LEN];
+    enum ebpf_net_udp_info udp_evt;
+    uint64_t original_len;
+    // Variable length fields: dns body
+    struct ebpf_varlen_fields_start vl_fields;
+} __attribute__((packed));
+
 // Basic event statistics
 struct ebpf_event_stats {
-    uint64_t lost; // lost events due to a full ringbuffer
-    uint64_t sent; // events sent through the ringbuffer
+    uint64_t lost;          // lost events due to a full ringbuffer
+    uint64_t sent;          // events sent through the ringbuffer
+    uint64_t dns_zero_body; // indicates that the dns body of a sk_buff was unavailable
 };
 
 #endif // EBPF_EVENTPROBE_EBPFEVENTPROTO_H

elastic-ebpf/GPL/Events/Helpers.h

@@ -113,6 +113,7 @@ const volatile int consumer_pid = 0;
         ret;                                                                                       \
     })
 
+// value is replaced later by `probe_fill_relos()`
 #define DECL_FUNC_RET(func) const volatile int ret__##func##__ = 0;
 #define FUNC_RET_READ(type, func)                                                                  \
     ({                                                                                             \
@@ -229,11 +230,21 @@ static void ebpf_ctty__fill(struct ebpf_tty_dev *ctty, const struct task_struct
 
 static void ebpf_pid_info__fill(struct ebpf_pid_info *pi, const struct task_struct *task)
 {
-    pi->tid  = BPF_CORE_READ(task, pid);
-    pi->tgid = BPF_CORE_READ(task, tgid);
-    pi->ppid = BPF_CORE_READ(task, group_leader, real_parent, tgid);
-    pi->pgid = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_PGID], numbers[0].nr);
-    pi->sid  = BPF_CORE_READ(task, group_leader, signal, pids[PIDTYPE_SID], numbers[0].nr);
+    int e_pgid, e_sid;
+
+    if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_PGID))
+        e_pgid = bpf_core_enum_value(enum pid_type, PIDTYPE_PGID);
+    else
+        e_pgid = PIDTYPE_PGID;
+    if (bpf_core_enum_value_exists(enum pid_type, PIDTYPE_SID))
+        e_sid = bpf_core_enum_value(enum pid_type, PIDTYPE_SID);
+    else
+        e_sid = PIDTYPE_SID;
+    pi->tid           = BPF_CORE_READ(task, pid);
+    pi->tgid          = BPF_CORE_READ(task, tgid);
+    pi->ppid          = BPF_CORE_READ(task, group_leader, real_parent, tgid);
+    pi->pgid          = BPF_CORE_READ(task, group_leader, signal, pids[e_pgid], numbers[0].nr);
+    pi->sid           = BPF_CORE_READ(task, group_leader, signal, pids[e_sid], numbers[0].nr);
     pi->start_time_ns = BPF_CORE_READ(task, group_leader, start_time);
 }
 

elastic-ebpf/GPL/Events/Process/Probe.bpf.c

@@ -240,7 +240,7 @@ int BPF_KPROBE(kprobe__taskstats_exit, const struct task_struct *task, int group
 // tracepoint/syscalls/sys_[enter/exit]_[name] tracepoints are not available
 // with BTF type information, so we must use a non-BTF tracepoint
 SEC("tracepoint/syscalls/sys_exit_setsid")
-int tracepoint_syscalls_sys_exit_setsid(struct trace_event_raw_sys_exit *args)
+int tracepoint_syscalls_sys_exit_setsid(struct syscall_trace_exit *args)
 {
     const struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 
@@ -365,7 +365,7 @@ int BPF_KPROBE(kprobe__ptrace_attach,
 }
 
 SEC("tracepoint/syscalls/sys_enter_shmget")
-int tracepoint_syscalls_sys_enter_shmget(struct trace_event_raw_sys_enter *ctx)
+int tracepoint_syscalls_sys_enter_shmget(struct syscall_trace_enter *ctx)
 {
     if (ebpf_events_is_trusted_pid())
         goto out;
@@ -404,7 +404,7 @@ int tracepoint_syscalls_sys_enter_shmget(struct trace_event_raw_sys_enter *ctx)
 }
 
 SEC("tracepoint/syscalls/sys_enter_memfd_create")
-int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter *ctx)
+int tracepoint_syscalls_sys_enter_memfd_create(struct syscall_trace_enter *ctx)
 {
     if (ebpf_events_is_trusted_pid())
         goto out;

elastic-ebpf/commit

@@ -1 +1 @@
-97581e497ee15de2fb5a842353ac5c767755270d
+f8b0fc64816742f762a49cec697780890140db1c