2

I want to retrieve the sessionid from a task struct in an eBPF program. I have the following code in my eBPF program:

struct task_struct *task;
u32 sessionid;    

task = (struct task_struct *)bpf_get_current_task();
sessionid = task->sessionid;

This runs, but the sessionid always ends up being -1. I read in this answer that I can use task_session to retrieve it, but I get an error about invalid memory access. I believe I need to use bpf_probe_read to move the task_struct that task points to onto the stack, but I can't get it to work. Is there anything I'm missing?

pchaigno
dippynark
  • It's difficult to say exactly why this is happening without seeing your code. Note that eBPF cannot call arbitrary kernel functions. – pchaigno Jan 24 '18 at 18:19
  • Yeah I think I could have been more clear about how I was building the program/how I was injecting it - I managed to get the sessionid in a different way so I gave an answer myself. I'm now trying to do this :p https://stackoverflow.com/questions/48447855/how-can-i-track-interactive-shell-sessions-that-dont-allocate-a-tty-using-ebpf – dippynark Jan 25 '18 at 19:50

1 Answer

4

After a bit more digging through the task_struct struct I realised you could do this:

struct task_struct *task;
struct pid_link pid_link;
struct pid pid;
unsigned int sessionid;

task = (struct task_struct *)bpf_get_current_task();

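/* Copy the thread group leader's session pid_link onto the BPF stack. */
bpf_probe_read(&pid_link, sizeof(pid_link), (void *)&task->group_leader->pids[PIDTYPE_SID]);
/* Follow its pointer and copy the struct pid it refers to. */
bpf_probe_read(&pid, sizeof(pid), (void *)pid_link.pid);

/* numbers[0] holds the id as seen from the initial pid namespace. */
sessionid = pid.numbers[0].nr;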
dippynark
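The pointer chase from the answer with every hop made an explicit, checked read, as an added example that is not part of the original answer. The structs are constructed, simplified stand-ins for the kernel's, and `probe_read` and `read_session_id` are hypothetical names chosen so the logic can run in user space.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for the kernel structs the answer walks. */
enum pid_type { PIDTYPE_PID, PIDTYPE_PGID, PIDTYPE_SID, PIDTYPE_MAX };
struct upid { int nr; };
struct pid { unsigned int level; struct upid numbers[1]; };
struct pid_link { struct pid *pid; };
struct task_struct {
    struct task_struct *group_leader;
    struct pid_link pids[PIDTYPE_MAX];
};

/* Hypothetical stand-in for bpf_probe_read(): copies on success, zero-fills
 * and fails otherwise. Only the NULL-source failure is modelled here. */
static int probe_read(void *dst, size_t size, const void *src)
{
    if (!src) { memset(dst, 0, size); return -1; }
    memcpy(dst, src, size);
    return 0;
}

/* Session id as seen from the initial pid namespace, or -1 if any hop fails. */
int read_session_id(const struct task_struct *task)
{
    struct task_struct *leader = NULL;
    struct pid_link link;
    struct pid pid;

    /* Hop 1: copy only the group_leader pointer out of the task. */
    if (probe_read(&leader, sizeof(leader), &task->group_leader) || !leader)
        return -1;
    /* Hop 2: copy the session pid_link; a NULL pid leaves nothing to follow. */
    if (probe_read(&link, sizeof(link), &leader->pids[PIDTYPE_SID]) || !link.pid)
        return -1;
    /* Hop 3: copy the struct pid that the link points to. */
    if (probe_read(&pid, sizeof(pid), link.pid))
        return -1;
    return pid.numbers[0].nr;
}

int main(void)
{
    struct pid sid = { 0, { { 4242 } } };   /* constructed sample session pid */
    struct task_struct leader = { 0 }, thread = { 0 };
    leader.group_leader = &leader;
    leader.pids[PIDTYPE_SID].pid = &sid;
    thread.group_leader = &leader;
    printf("session id: %d\n", read_session_id(&thread));
    return 0;
}
```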