Reputation: 1
I am trying to write an eBPF program for the write system call and I need to access the filename from the file descriptor (fd). Is there any BPF helper function to do that?
I tried to store the filename and fd in the map in the open system call. Here is the code:
```c
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, int); // File Descriptor
    __type(value, char[256]); // File Path
    __uint(max_entries, 1024);
} fd_to_filename_map SEC(".maps");

SEC("sys_enter_openat")
int trace_openat(struct pt_regs *ctx, int dfd, const char __user *filename, int flags, umode_t mode) {
    char fname[256];
    int fd;

    bpf_probe_read_user_str(fname, sizeof(fname), filename);
    fd = PT_REGS_RC(ctx); // Get FD returned by open call
    bpf_map_update_elem(&fd_to_filename_map, &fd, fname, BPF_ANY);
    return 0;
}
```
But when I ran this I got the following error:
```
/home/v/libbpf-bootstrap/examples/c/fentry.bpf.c:13:66: error: expected ')'
int trace_openat(struct pt_regs *ctx, int dfd, const char __user *filename, int flags, umode_t mode) {
                                                                 ^
/home/v/libbpf-bootstrap/examples/c/fentry.bpf.c:13:17: note: to match this '('
int trace_openat(struct pt_regs *ctx, int dfd, const char __user *filename, int flags, umode_t mode) {
                ^
/home/v/libbpf-bootstrap/examples/c/fentry.bpf.c:17:51: error: use of undeclared identifier 'filename'
    bpf_probe_read_user_str(fname, sizeof(fname), filename);
                                                  ^
2 errors generated.
```
Upvotes: 0
Views: 64
Reputation: 13133
The compilation error is due to the `__user` tag in your function arguments. That tag is for the kernel functions and of no use here.
Upvotes: 0
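One way to turn the fd seen by a write tracer into a name without keeping an fd-to-path map inside the BPF program, shown as an added example that is not part of the question or the answer: the user-space loader resolves it through `/proc/<pid>/fd/<fd>`. It assumes the BPF side only reports the pid and fd of each event; `resolve_fd` and `enum fd_kind` are hypothetical names.

```c
/* Added example, not from the post. Assumed design: the BPF program only
 * reports (pid, fd); the user-space loader calls resolve_fd() per event. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum fd_kind { FD_ERR = -1, FD_FILE, FD_DELETED, FD_OTHER };

/* Read the /proc/<pid>/fd/<fd> symlink into out. The answer is a snapshot:
 * the process may have closed or reused the fd since the traced write(). */
enum fd_kind resolve_fd(pid_t pid, int fd, char *out, size_t outlen)
{
    static const char del[] = " (deleted)";
    const size_t dlen = sizeof(del) - 1;
    char link[64];
    ssize_t n;

    if (outlen < 2)
        return FD_ERR;
    snprintf(link, sizeof(link), "/proc/%d/fd/%d", (int)pid, fd);
    n = readlink(link, out, outlen - 1);    /* does not NUL-terminate */
    if (n < 0)
        return FD_ERR;      /* fd closed, process gone, or no permission */
    out[n] = '\0';
    if (out[0] != '/')
        return FD_OTHER;    /* e.g. "socket:[123]", "pipe:[456]" */
    /* The kernel appends " (deleted)" when the file was unlinked while
     * open; a file really named that way is indistinguishable here. */
    if ((size_t)n > dlen && strcmp(out + n - dlen, del) == 0)
        return FD_DELETED;
    return FD_FILE;
}

int main(void)
{
    char name[PATH_MAX];
    enum fd_kind k = resolve_fd(getpid(), STDIN_FILENO, name, sizeof(name));

    if (k == FD_ERR)
        return 1;
    printf("fd 0 -> %s (kind %d)\n", name, (int)k);
    return 0;
}
```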