Skip to content

ROX-33198: Instrument inode tracking on file open lsm hook #391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
JoukoVirtanen wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

ROX-33198: Instrument inode tracking on file open lsm hook #391

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9cba674
X-Smart-Branch-Parent: main
JoukoVirtanen Mar 11, 2026
7773d9d
When a monitored file is created it is added to maps in kernel and us…
JoukoVirtanen Mar 15, 2026
e1bb8f0
Using inode_to_key directly instead of duplicating code. inode_to_key…
JoukoVirtanen Mar 16, 2026
ded9eb6
Parent inode is added to events. That is used to get the correct path
JoukoVirtanen Mar 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 15 additions & 8 deletions fact-ebpf/src/bpf/events.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,12 @@ __always_inline static void __submit_event(struct event_t* event,
file_activity_type_t event_type,
const char filename[PATH_MAX],
inode_key_t* inode,
inode_key_t* parent_inode,
bool use_bpf_d_path) {
event->type = event_type;
event->timestamp = bpf_ktime_get_boot_ns();
inode_copy_or_reset(&event->inode, inode);
inode_copy_or_reset(&event->parent_inode, parent_inode);
bpf_probe_read_str(event->filename, PATH_MAX, filename);

struct helper_t* helper = get_helper();
Expand All @@ -46,31 +48,34 @@ __always_inline static void __submit_event(struct event_t* event,
__always_inline static void submit_open_event(struct metrics_by_hook_t* m,
file_activity_type_t event_type,
const char filename[PATH_MAX],
inode_key_t* inode) {
inode_key_t* inode,
inode_key_t* parent_inode) {
struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
if (event == NULL) {
m->ringbuffer_full++;
return;
}

__submit_event(event, m, event_type, filename, inode, true);
__submit_event(event, m, event_type, filename, inode, parent_inode, true);
}

__always_inline static void submit_unlink_event(struct metrics_by_hook_t* m,
const char filename[PATH_MAX],
inode_key_t* inode) {
inode_key_t* inode,
inode_key_t* parent_inode) {
Copy link
Contributor Author

@JoukoVirtanen JoukoVirtanen Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parent inode was added to the event so that it could be used to find the parent path. It is added for all event types, not just when a file is opened. Perhaps NULL could be passed instead of the actual parent inode for the other type of events for now.

Copy link
Contributor

@Molter73 Molter73 Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, passing NULL should be enough for now

struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
if (event == NULL) {
m->ringbuffer_full++;
return;
}

__submit_event(event, m, FILE_ACTIVITY_UNLINK, filename, inode, path_hooks_support_bpf_d_path);
__submit_event(event, m, FILE_ACTIVITY_UNLINK, filename, inode, parent_inode, path_hooks_support_bpf_d_path);
}

__always_inline static void submit_mode_event(struct metrics_by_hook_t* m,
const char filename[PATH_MAX],
inode_key_t* inode,
inode_key_t* parent_inode,
umode_t mode,
umode_t old_mode) {
struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
Expand All @@ -82,12 +87,13 @@ __always_inline static void submit_mode_event(struct metrics_by_hook_t* m,
event->chmod.new = mode;
event->chmod.old = old_mode;

__submit_event(event, m, FILE_ACTIVITY_CHMOD, filename, inode, path_hooks_support_bpf_d_path);
__submit_event(event, m, FILE_ACTIVITY_CHMOD, filename, inode, parent_inode, path_hooks_support_bpf_d_path);
}

__always_inline static void submit_ownership_event(struct metrics_by_hook_t* m,
const char filename[PATH_MAX],
inode_key_t* inode,
inode_key_t* parent_inode,
unsigned long long uid,
unsigned long long gid,
unsigned long long old_uid,
Expand All @@ -103,14 +109,15 @@ __always_inline static void submit_ownership_event(struct metrics_by_hook_t* m,
event->chown.old.uid = old_uid;
event->chown.old.gid = old_gid;

__submit_event(event, m, FILE_ACTIVITY_CHOWN, filename, inode, path_hooks_support_bpf_d_path);
__submit_event(event, m, FILE_ACTIVITY_CHOWN, filename, inode, parent_inode, path_hooks_support_bpf_d_path);
}

__always_inline static void submit_rename_event(struct metrics_by_hook_t* m,
const char new_filename[PATH_MAX],
const char old_filename[PATH_MAX],
inode_key_t* new_inode,
inode_key_t* old_inode) {
inode_key_t* old_inode,
inode_key_t* new_parent_inode) {
struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
if (event == NULL) {
m->ringbuffer_full++;
Expand All @@ -120,5 +127,5 @@ __always_inline static void submit_rename_event(struct metrics_by_hook_t* m,
bpf_probe_read_str(event->rename.old_filename, PATH_MAX, old_filename);
inode_copy_or_reset(&event->rename.old_inode, old_inode);

__submit_event(event, m, FILE_ACTIVITY_RENAME, new_filename, new_inode, path_hooks_support_bpf_d_path);
__submit_event(event, m, FILE_ACTIVITY_RENAME, new_filename, new_inode, new_parent_inode, path_hooks_support_bpf_d_path);
}
16 changes: 12 additions & 4 deletions fact-ebpf/src/bpf/inode.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,21 +33,21 @@ __always_inline static inode_key_t inode_to_key(struct inode* inode) {
return key;
}

unsigned long magic = inode->i_sb->s_magic;
unsigned long magic = BPF_CORE_READ(inode, i_sb, s_magic);
Copy link
Contributor Author

@JoukoVirtanen JoukoVirtanen Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

inode_to_key needs to be able to use untrusted pointers, so that it can get the key for a parent inode. To get it to be able to use untrusted pointers, BPF_CORE_READ is used.

switch (magic) {
case BTRFS_SUPER_MAGIC:
if (bpf_core_type_exists(struct btrfs_inode)) {
struct btrfs_inode* btrfs_inode = container_of(inode, struct btrfs_inode, vfs_inode);
key.inode = inode->i_ino;
key.inode = BPF_CORE_READ(inode, i_ino);
key.dev = BPF_CORE_READ(btrfs_inode, root, anon_dev);
break;
}
// If the btrfs_inode does not exist, most likely it is not
// supported on the system. Fallback to the generic implementation
// just in case.
default:
key.inode = inode->i_ino;
key.dev = inode->i_sb->s_dev;
key.inode = BPF_CORE_READ(inode, i_ino);
key.dev = BPF_CORE_READ(inode, i_sb, s_dev);
break;
}

Expand All @@ -65,6 +65,14 @@ __always_inline static inode_value_t* inode_get(struct inode_key_t* inode) {
return bpf_map_lookup_elem(&inode_map, inode);
}

__always_inline static long inode_add(struct inode_key_t* inode) {
if (inode == NULL) {
return -1;
}
inode_value_t value = 0;
return bpf_map_update_elem(&inode_map, inode, &value, BPF_ANY);
}

__always_inline static long inode_remove(struct inode_key_t* inode) {
if (inode == NULL) {
return 0;
Expand Down
41 changes: 38 additions & 3 deletions fact-ebpf/src/bpf/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,11 +47,24 @@ int BPF_PROG(trace_file_open, struct file* file) {
inode_key_t inode_key = inode_to_key(file->f_inode);
inode_key_t* inode_to_submit = &inode_key;

// Extract parent inode
struct dentry* parent_dentry = BPF_CORE_READ(file, f_path.dentry, d_parent);
struct inode* parent_inode_ptr = parent_dentry ? BPF_CORE_READ(parent_dentry, d_inode) : NULL;
inode_key_t parent_key = inode_to_key(parent_inode_ptr);

// For file creation events, check if the parent directory is being
// monitored. If so, add the new file's inode to the tracked set.
if (event_type == FILE_ACTIVITY_CREATION) {
if (inode_is_monitored(inode_get(&parent_key)) == MONITORED) {
inode_add(&inode_key);
}
}
Comment on lines +55 to +61
Copy link
Contributor

@Molter73 Molter73 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move some of this logic to is_monitored? We can change it to return an enum with values like MONITORED, NOT_MONITORED and PARENT_MONITORED, then we can decide what to do based on that returned value (i.e, add the inode if the event is creation and the parent is monitored).


if (!is_monitored(inode_key, path, &inode_to_submit)) {
goto ignored;
}

submit_open_event(&m->file_open, event_type, path->path, inode_to_submit);
submit_open_event(&m->file_open, event_type, path->path, inode_to_submit, &parent_key);

return 0;

Expand Down Expand Up @@ -79,14 +92,19 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
inode_key_t inode_key = inode_to_key(dentry->d_inode);
inode_key_t* inode_to_submit = &inode_key;

// Extract parent inode from dir parameter
struct inode* parent_inode = BPF_CORE_READ(dir, dentry, d_inode);
inode_key_t parent_key = inode_to_key(parent_inode);

if (!is_monitored(inode_key, path, &inode_to_submit)) {
m->path_unlink.ignored++;
return 0;
}

submit_unlink_event(&m->path_unlink,
path->path,
inode_to_submit);
inode_to_submit,
&parent_key);
return 0;
}

Expand All @@ -109,6 +127,11 @@ int BPF_PROG(trace_path_chmod, struct path* path, umode_t mode) {
inode_key_t inode_key = inode_to_key(path->dentry->d_inode);
inode_key_t* inode_to_submit = &inode_key;

// Extract parent inode
struct dentry* parent_dentry = BPF_CORE_READ(path, dentry, d_parent);
struct inode* parent_inode = parent_dentry ? BPF_CORE_READ(parent_dentry, d_inode) : NULL;
inode_key_t parent_key = inode_to_key(parent_inode);

if (!is_monitored(inode_key, bound_path, &inode_to_submit)) {
m->path_chmod.ignored++;
return 0;
Expand All @@ -118,6 +141,7 @@ int BPF_PROG(trace_path_chmod, struct path* path, umode_t mode) {
submit_mode_event(&m->path_chmod,
bound_path->path,
inode_to_submit,
&parent_key,
mode,
old_mode);

Expand Down Expand Up @@ -146,6 +170,11 @@ int BPF_PROG(trace_path_chown, struct path* path, unsigned long long uid, unsign
inode_key_t inode_key = inode_to_key(path->dentry->d_inode);
inode_key_t* inode_to_submit = &inode_key;

// Extract parent inode
struct dentry* parent_dentry = BPF_CORE_READ(path, dentry, d_parent);
struct inode* parent_inode = parent_dentry ? BPF_CORE_READ(parent_dentry, d_inode) : NULL;
inode_key_t parent_key = inode_to_key(parent_inode);

if (!is_monitored(inode_key, bound_path, &inode_to_submit)) {
m->path_chown.ignored++;
return 0;
Expand All @@ -158,6 +187,7 @@ int BPF_PROG(trace_path_chown, struct path* path, unsigned long long uid, unsign
submit_ownership_event(&m->path_chown,
bound_path->path,
inode_to_submit,
&parent_key,
uid,
gid,
old_uid,
Expand Down Expand Up @@ -195,6 +225,10 @@ int BPF_PROG(trace_path_rename, struct path* old_dir,
inode_key_t* old_inode_submit = &old_inode;
inode_key_t* new_inode_submit = &new_inode;

// Extract new parent inode from new_dir
struct inode* new_parent_inode = BPF_CORE_READ(new_dir, dentry, d_inode);
inode_key_t new_parent_key = inode_to_key(new_parent_inode);

bool old_monitored = is_monitored(old_inode, old_path, &old_inode_submit);
bool new_monitored = is_monitored(new_inode, new_path, &new_inode_submit);

Expand All @@ -207,7 +241,8 @@ int BPF_PROG(trace_path_rename, struct path* old_dir,
new_path->path,
old_path->path,
old_inode_submit,
new_inode_submit);
new_inode_submit,
&new_parent_key);
return 0;

error:
Expand Down
1 change: 1 addition & 0 deletions fact-ebpf/src/bpf/types.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ struct event_t {
process_t process;
char filename[PATH_MAX];
inode_key_t inode;
inode_key_t parent_inode;
file_activity_type_t type;
union {
struct {
Expand Down
29 changes: 25 additions & 4 deletions fact/src/event/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ impl Event {
filename,
host_file,
inode: Default::default(),
parent_inode: Default::default(),
};
let file = match data {
EventTestData::Creation => FileData::Creation(inner),
Expand Down Expand Up @@ -125,6 +126,10 @@ impl Event {
})
}

pub fn is_creation(&self) -> bool {
matches!(self.file, FileData::Creation(_))
}

/// Unwrap the inner FileData and return the inode that triggered
/// the event.
///
Expand All @@ -141,6 +146,18 @@ impl Event {
}
}

/// Get the parent inode for the file in this event.
pub fn get_parent_inode(&self) -> &inode_key_t {
match &self.file {
FileData::Open(data) => &data.parent_inode,
FileData::Creation(data) => &data.parent_inode,
FileData::Unlink(data) => &data.parent_inode,
FileData::Chmod(data) => &data.inner.parent_inode,
FileData::Chown(data) => &data.inner.parent_inode,
FileData::Rename(data) => &data.new.parent_inode,
}
}

/// Same as `get_inode` but returning the 'old' inode for operations
/// like rename. For operations that involve a single inode, `None`
/// will be returned.
Expand All @@ -151,7 +168,7 @@ impl Event {
}
}

fn get_filename(&self) -> &PathBuf {
pub fn get_filename(&self) -> &PathBuf {
match &self.file {
FileData::Open(data) => &data.filename,
FileData::Creation(data) => &data.filename,
Expand Down Expand Up @@ -233,6 +250,7 @@ impl TryFrom<&event_t> for Event {
value.type_,
value.filename,
value.inode,
value.parent_inode,
value.__bindgen_anon_1,
)?;

Expand Down Expand Up @@ -282,9 +300,10 @@ impl FileData {
event_type: file_activity_type_t,
filename: [c_char; PATH_MAX as usize],
inode: inode_key_t,
parent_inode: inode_key_t,
extra_data: fact_ebpf::event_t__bindgen_ty_1,
) -> anyhow::Result<Self> {
let inner = BaseFileData::new(filename, inode)?;
let inner = BaseFileData::new(filename, inode, parent_inode)?;
let file = match event_type {
file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner),
file_activity_type_t::FILE_ACTIVITY_CREATION => FileData::Creation(inner),
Expand Down Expand Up @@ -312,7 +331,7 @@ impl FileData {
let old_inode = unsafe { extra_data.rename.old_inode };
let data = RenameFileData {
new: inner,
old: BaseFileData::new(old_filename, old_inode)?,
old: BaseFileData::new(old_filename, old_inode, Default::default())?,
};
FileData::Rename(data)
}
Expand Down Expand Up @@ -376,14 +395,16 @@ pub struct BaseFileData {
pub filename: PathBuf,
host_file: PathBuf,
inode: inode_key_t,
parent_inode: inode_key_t,
}

impl BaseFileData {
pub fn new(filename: [c_char; PATH_MAX as usize], inode: inode_key_t) -> anyhow::Result<Self> {
pub fn new(filename: [c_char; PATH_MAX as usize], inode: inode_key_t, parent_inode: inode_key_t) -> anyhow::Result<Self> {
Ok(BaseFileData {
filename: sanitize_d_path(&filename),
host_file: PathBuf::new(), // this field is set by HostScanner
inode,
parent_inode,
})
}
}
Expand Down
Loading
Loading