diff --git a/fact-ebpf/src/bpf/events.h b/fact-ebpf/src/bpf/events.h index 26254778..276a1d97 100644 --- a/fact-ebpf/src/bpf/events.h +++ b/fact-ebpf/src/bpf/events.h @@ -12,18 +12,30 @@ #include // clang-format on -__always_inline static void __submit_event(struct event_t* event, - struct metrics_by_hook_t* m, - file_activity_type_t event_type, - const char filename[PATH_MAX], - inode_key_t* inode, - inode_key_t* parent_inode, +struct submit_event_args_t { + struct event_t* event; + struct metrics_by_hook_t* metrics; + const char* filename; + inode_key_t inode; + inode_key_t parent_inode; +}; + +__always_inline static bool reserve_event(struct submit_event_args_t* args) { + args->event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); + if (args->event == NULL) { + args->metrics->ringbuffer_full++; + return false; + } + return true; +} + +__always_inline static void __submit_event(struct submit_event_args_t* args, bool use_bpf_d_path) { - event->type = event_type; + struct event_t* event = args->event; event->timestamp = bpf_ktime_get_boot_ns(); - inode_copy_or_reset(&event->inode, inode); - inode_copy_or_reset(&event->parent_inode, parent_inode); - bpf_probe_read_str(event->filename, PATH_MAX, filename); + inode_copy(&event->inode, &args->inode); + inode_copy(&event->parent_inode, &args->parent_inode); + bpf_probe_read_str(event->filename, PATH_MAX, args->filename); struct helper_t* helper = get_helper(); if (helper == NULL) { @@ -36,96 +48,86 @@ __always_inline static void __submit_event(struct event_t* event, goto error; } - m->added++; + args->metrics->added++; bpf_ringbuf_submit(event, 0); return; error: - m->error++; + args->metrics->error++; bpf_ringbuf_discard(event, 0); } -__always_inline static void submit_open_event(struct metrics_by_hook_t* m, - file_activity_type_t event_type, - const char filename[PATH_MAX], - inode_key_t* inode, - inode_key_t* parent_inode) { - struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); - if (event == NULL) { - m->ringbuffer_full++; +__always_inline static void submit_open_event(struct submit_event_args_t* args, + file_activity_type_t event_type) { + if (!reserve_event(args)) { return; } + args->event->type = event_type; - __submit_event(event, m, event_type, filename, inode, parent_inode, true); + __submit_event(args, true); } -__always_inline static void submit_unlink_event(struct metrics_by_hook_t* m, - const char filename[PATH_MAX], - inode_key_t* inode, - inode_key_t* parent_inode) { - struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); - if (event == NULL) { - m->ringbuffer_full++; +__always_inline static void submit_unlink_event(struct submit_event_args_t* args) { + if (!reserve_event(args)) { return; } + args->event->type = FILE_ACTIVITY_UNLINK; - __submit_event(event, m, FILE_ACTIVITY_UNLINK, filename, inode, parent_inode, path_hooks_support_bpf_d_path); + __submit_event(args, path_hooks_support_bpf_d_path); } -__always_inline static void submit_mode_event(struct metrics_by_hook_t* m, - const char filename[PATH_MAX], - inode_key_t* inode, - inode_key_t* parent_inode, +__always_inline static void submit_mode_event(struct submit_event_args_t* args, umode_t mode, umode_t old_mode) { - struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); - if (event == NULL) { - m->ringbuffer_full++; + if (!reserve_event(args)) { return; } - event->chmod.new = mode; - event->chmod.old = old_mode; + args->event->type = FILE_ACTIVITY_CHMOD; + args->event->chmod.new = mode; + args->event->chmod.old = old_mode; - __submit_event(event, m, FILE_ACTIVITY_CHMOD, filename, inode, parent_inode, path_hooks_support_bpf_d_path); + __submit_event(args, path_hooks_support_bpf_d_path); } -__always_inline static void submit_ownership_event(struct metrics_by_hook_t* m, - const char filename[PATH_MAX], - inode_key_t* inode, - inode_key_t* parent_inode, +__always_inline static void submit_ownership_event(struct submit_event_args_t* args, unsigned long long uid, unsigned long long gid, unsigned long long old_uid, unsigned long long old_gid) { - struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); - if (event == NULL) { - m->ringbuffer_full++; + if (!reserve_event(args)) { return; } - event->chown.new.uid = uid; - event->chown.new.gid = gid; - event->chown.old.uid = old_uid; - event->chown.old.gid = old_gid; + args->event->type = FILE_ACTIVITY_CHOWN; + args->event->chown.new.uid = uid; + args->event->chown.new.gid = gid; + args->event->chown.old.uid = old_uid; + args->event->chown.old.gid = old_gid; - __submit_event(event, m, FILE_ACTIVITY_CHOWN, filename, inode, parent_inode, path_hooks_support_bpf_d_path); + __submit_event(args, path_hooks_support_bpf_d_path); } -__always_inline static void submit_rename_event(struct metrics_by_hook_t* m, - const char new_filename[PATH_MAX], +__always_inline static void submit_rename_event(struct submit_event_args_t* args, const char old_filename[PATH_MAX], - inode_key_t* new_inode, - inode_key_t* old_inode, - inode_key_t* new_parent_inode) { - struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); - if (event == NULL) { - m->ringbuffer_full++; + inode_key_t* old_inode) { + if (!reserve_event(args)) { return; } - bpf_probe_read_str(event->rename.old_filename, PATH_MAX, old_filename); - inode_copy_or_reset(&event->rename.old_inode, old_inode); + args->event->type = FILE_ACTIVITY_RENAME; + bpf_probe_read_str(args->event->rename.old_filename, PATH_MAX, old_filename); + inode_copy(&args->event->rename.old_inode, old_inode); + + __submit_event(args, path_hooks_support_bpf_d_path); +} + +__always_inline static void submit_mkdir_event(struct submit_event_args_t* args) { + if (!reserve_event(args)) { + return; + } + args->event->type = DIR_ACTIVITY_CREATION; - __submit_event(event, m, FILE_ACTIVITY_RENAME, new_filename, new_inode, new_parent_inode, path_hooks_support_bpf_d_path); + // d_instantiate doesn't support bpf_d_path, so we use false and rely on the stashed path from path_mkdir + __submit_event(args, false); } diff --git a/fact-ebpf/src/bpf/file.h b/fact-ebpf/src/bpf/file.h index d0fdc8b1..efdccfc5 100644 --- a/fact-ebpf/src/bpf/file.h +++ b/fact-ebpf/src/bpf/file.h @@ -27,8 +27,8 @@ __always_inline static bool path_is_monitored(struct bound_path_t* path) { return res; } -__always_inline static inode_monitored_t is_monitored(inode_key_t inode, struct bound_path_t* path, const inode_key_t* parent, inode_key_t** submit) { - const inode_value_t* volatile inode_value = inode_get(&inode); +__always_inline static inode_monitored_t is_monitored(inode_key_t* inode, struct bound_path_t* path, const inode_key_t* parent) { + const inode_value_t* volatile inode_value = inode_get(inode); const inode_value_t* volatile parent_value = inode_get(parent); inode_monitored_t status = inode_is_monitored(inode_value, parent_value); @@ -36,10 +36,26 @@ __always_inline static inode_monitored_t is_monitored(inode_key_t inode, struct return status; } - *submit = NULL; + inode_reset(inode); if (path_is_monitored(path)) { return MONITORED; } return NOT_MONITORED; } + +// Check if a new directory should be tracked based on its parent and path. +// This is used during mkdir operations where the child inode doesn't exist yet. +__always_inline static inode_monitored_t should_track_mkdir(inode_key_t parent_inode, struct bound_path_t* child_path) { + const inode_value_t* volatile parent_value = inode_get(&parent_inode); + + if (parent_value != NULL) { + return PARENT_MONITORED; + } + + if (path_is_monitored(child_path)) { + return MONITORED; + } + + return NOT_MONITORED; +} diff --git a/fact-ebpf/src/bpf/inode.h b/fact-ebpf/src/bpf/inode.h index 481313e3..6b213c3b 100644 --- a/fact-ebpf/src/bpf/inode.h +++ b/fact-ebpf/src/bpf/inode.h @@ -80,6 +80,11 @@ __always_inline static long inode_remove(struct inode_key_t* inode) { return bpf_map_delete_elem(&inode_map, inode); } +__always_inline static void inode_reset(struct inode_key_t* inode) { + inode->inode = 0; + inode->dev = 0; +} + typedef enum inode_monitored_t { NOT_MONITORED = 0, MONITORED, @@ -99,16 +104,11 @@ __always_inline static inode_monitored_t inode_is_monitored(const inode_value_t* return NOT_MONITORED; } -__always_inline static void inode_copy_or_reset(inode_key_t* dst, const inode_key_t* src) { +__always_inline static void inode_copy(inode_key_t* dst, const inode_key_t* src) { if (dst == NULL) { return; } - if (src != NULL) { - dst->inode = src->inode; - dst->dev = src->dev; - } else { - dst->inode = 0; - dst->dev = 0; - } + dst->inode = src->inode; + dst->dev = src->dev; } diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index 5ac35159..c6effe8d 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -25,8 +25,9 @@ int BPF_PROG(trace_file_open, struct file* file) { if (m == NULL) { return 0; } + struct submit_event_args_t args = {.metrics = &m->file_open}; - m->file_open.total++; + args.metrics->total++; file_activity_type_t event_type = FILE_ACTIVITY_INIT; if ((file->f_mode & FMODE_CREATED) != 0) { @@ -43,25 +44,25 @@ int BPF_PROG(trace_file_open, struct file* file) { m->file_open.error++; return 0; } + args.filename = path->path; - inode_key_t inode_key = inode_to_key(file->f_inode); - inode_key_t* inode_to_submit = &inode_key; + args.inode = inode_to_key(file->f_inode); struct dentry* parent_dentry = BPF_CORE_READ(file, f_path.dentry, d_parent); struct inode* parent_inode_ptr = parent_dentry ? BPF_CORE_READ(parent_dentry, d_inode) : NULL; - inode_key_t parent_key = inode_to_key(parent_inode_ptr); + args.parent_inode = inode_to_key(parent_inode_ptr); - inode_monitored_t status = is_monitored(inode_key, path, &parent_key, &inode_to_submit); + inode_monitored_t status = is_monitored(&args.inode, path, &args.parent_inode); if (status == PARENT_MONITORED && event_type == FILE_ACTIVITY_CREATION) { - inode_add(&inode_key); + inode_add(&args.inode); } if (status == NOT_MONITORED) { goto ignored; } - submit_open_event(&m->file_open, event_type, path->path, inode_to_submit, &parent_key); + submit_open_event(&args, event_type); return 0; @@ -76,8 +77,9 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) { if (m == NULL) { return 0; } + struct submit_event_args_t args = {.metrics = &m->path_unlink}; - m->path_unlink.total++; + args.metrics->total++; struct bound_path_t* path = path_read_append_d_entry(dir, dentry); if (path == NULL) { @@ -85,22 +87,19 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) { m->path_unlink.error++; return 0; } + args.filename = path->path; - inode_key_t inode_key = inode_to_key(dentry->d_inode); - inode_key_t* inode_to_submit = &inode_key; + args.inode = inode_to_key(dentry->d_inode); - if (is_monitored(inode_key, path, NULL, &inode_to_submit) == NOT_MONITORED) { + if (is_monitored(&args.inode, path, NULL) == NOT_MONITORED) { m->path_unlink.ignored++; return 0; } // We only support files with one link for now - inode_remove(&inode_key); + inode_remove(&args.inode); - submit_unlink_event(&m->path_unlink, - path->path, - inode_to_submit, - NULL); + submit_unlink_event(&args); return 0; } @@ -110,31 +109,27 @@ int BPF_PROG(trace_path_chmod, struct path* path, umode_t mode) { if (m == NULL) { return 0; } + struct submit_event_args_t args = {.metrics = &m->path_chmod}; - m->path_chmod.total++; + args.metrics->total++; struct bound_path_t* bound_path = path_read(path); if (bound_path == NULL) { bpf_printk("Failed to read path"); - m->path_chmod.error++; + args.metrics->error++; return 0; } + args.filename = bound_path->path; - inode_key_t inode_key = inode_to_key(path->dentry->d_inode); - inode_key_t* inode_to_submit = &inode_key; + args.inode = inode_to_key(path->dentry->d_inode); - if (is_monitored(inode_key, bound_path, NULL, &inode_to_submit) == NOT_MONITORED) { - m->path_chmod.ignored++; + if (is_monitored(&args.inode, bound_path, NULL) == NOT_MONITORED) { + args.metrics->ignored++; return 0; } umode_t old_mode = BPF_CORE_READ(path, dentry, d_inode, i_mode); - submit_mode_event(&m->path_chmod, - bound_path->path, - inode_to_submit, - NULL, - mode, - old_mode); + submit_mode_event(&args, mode, old_mode); return 0; } @@ -148,21 +143,22 @@ int BPF_PROG(trace_path_chown, struct path* path, unsigned long long uid, unsign if (m == NULL) { return 0; } + struct submit_event_args_t args = {.metrics = &m->path_chown}; - m->path_chown.total++; + args.metrics->total++; struct bound_path_t* bound_path = path_read(path); if (bound_path == NULL) { bpf_printk("Failed to read path"); - m->path_chown.error++; + args.metrics->error++; return 0; } + args.filename = bound_path->path; - inode_key_t inode_key = inode_to_key(path->dentry->d_inode); - inode_key_t* inode_to_submit = &inode_key; + args.inode = inode_to_key(path->dentry->d_inode); - if (is_monitored(inode_key, bound_path, NULL, &inode_to_submit) == NOT_MONITORED) { - m->path_chown.ignored++; + if (is_monitored(&args.inode, bound_path, NULL) == NOT_MONITORED) { + args.metrics->ignored++; return 0; } @@ -170,14 +166,7 @@ int BPF_PROG(trace_path_chown, struct path* path, unsigned long long uid, unsign unsigned long long old_uid = BPF_CORE_READ(d, d_inode, i_uid.val); unsigned long long old_gid = BPF_CORE_READ(d, d_inode, i_gid.val); - submit_ownership_event(&m->path_chown, - bound_path->path, - inode_to_submit, - NULL, - uid, - gid, - old_uid, - old_gid); + submit_ownership_event(&args, uid, gid, old_uid, old_gid); return 0; } @@ -190,14 +179,16 @@ int BPF_PROG(trace_path_rename, struct path* old_dir, if (m == NULL) { return 0; } + struct submit_event_args_t args = {.metrics = &m->path_rename}; - m->path_rename.total++; + args.metrics->total++; struct bound_path_t* new_path = path_read_append_d_entry(new_dir, new_dentry); if (new_path == NULL) { bpf_printk("Failed to read path"); goto error; } + args.filename = new_path->path; struct bound_path_t* old_path = path_read_alt_append_d_entry(old_dir, old_dentry); if (old_path == NULL) { @@ -205,29 +196,117 @@ int BPF_PROG(trace_path_rename, struct path* old_dir, goto error; } - inode_key_t old_inode = inode_to_key(old_dentry->d_inode); - inode_key_t new_inode = inode_to_key(new_dentry->d_inode); + args.inode = inode_to_key(new_dentry->d_inode); - inode_key_t* old_inode_submit = &old_inode; - inode_key_t* new_inode_submit = &new_inode; + inode_key_t old_inode = inode_to_key(old_dentry->d_inode); - inode_monitored_t old_monitored = is_monitored(old_inode, old_path, NULL, &old_inode_submit); - inode_monitored_t new_monitored = is_monitored(new_inode, new_path, NULL, &new_inode_submit); + inode_monitored_t old_monitored = is_monitored(&old_inode, old_path, NULL); + inode_monitored_t new_monitored = is_monitored(&args.inode, new_path, NULL); if (old_monitored == NOT_MONITORED && new_monitored == NOT_MONITORED) { - m->path_rename.ignored++; + args.metrics->ignored++; return 0; } - submit_rename_event(&m->path_rename, - new_path->path, - old_path->path, - old_inode_submit, - new_inode_submit, - NULL); + submit_rename_event(&args, old_path->path, &old_inode); return 0; error: - m->path_rename.error++; + args.metrics->error++; + return 0; +} + +SEC("lsm/path_mkdir") +int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t mode) { + struct metrics_t* m = get_metrics(); + if (m == NULL) { + return 0; + } + + m->path_mkdir.total++; + + struct bound_path_t* path = path_read_append_d_entry(dir, dentry); + if (path == NULL) { + bpf_printk("Failed to read path"); + m->path_mkdir.error++; + return 0; + } + + struct inode* parent_inode_ptr = BPF_CORE_READ(dir, dentry, d_inode); + inode_key_t parent_inode = inode_to_key(parent_inode_ptr); + + if (should_track_mkdir(parent_inode, path) != PARENT_MONITORED) { + m->path_mkdir.ignored++; + return 0; + } + + // Stash mkdir context for security_d_instantiate + __u64 pid_tgid = bpf_get_current_pid_tgid(); + struct mkdir_context_t* mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); + if (mkdir_ctx == NULL) { + static const struct mkdir_context_t empty_ctx = {0}; + if (bpf_map_update_elem(&mkdir_context, &pid_tgid, &empty_ctx, BPF_NOEXIST) != 0) { + bpf_printk("Failed to create mkdir context entry"); + m->path_mkdir.error++; + return 0; + } + mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); + if (mkdir_ctx == NULL) { + bpf_printk("Failed to lookup mkdir context after creation"); + m->path_mkdir.error++; + return 0; + } + } + + long path_copy_len = bpf_probe_read_str(mkdir_ctx->path, PATH_MAX, path->path); + if (path_copy_len < 0) { + bpf_printk("Failed to copy path string"); + m->path_mkdir.error++; + bpf_map_delete_elem(&mkdir_context, &pid_tgid); + return 0; + } + mkdir_ctx->parent_inode = parent_inode; + + return 0; +} + +SEC("lsm/d_instantiate") +int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { + struct metrics_t* m = get_metrics(); + if (m == NULL) { + return 0; + } + struct submit_event_args_t args = {.metrics = &m->d_instantiate}; + + args.metrics->total++; + + __u64 pid_tgid = bpf_get_current_pid_tgid(); + + if (inode == NULL) { + args.metrics->ignored++; + goto cleanup; + } + + struct mkdir_context_t* mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); + + if (mkdir_ctx == NULL) { + args.metrics->ignored++; + return 0; + } + args.filename = mkdir_ctx->path; + args.parent_inode = mkdir_ctx->parent_inode; + + args.inode = inode_to_key(inode); + + if (inode_add(&args.inode) == 0) { + args.metrics->added++; + } else { + args.metrics->error++; + } + + submit_mkdir_event(&args); + +cleanup: + bpf_map_delete_elem(&mkdir_context, &pid_tgid); return 0; } diff --git a/fact-ebpf/src/bpf/maps.h b/fact-ebpf/src/bpf/maps.h index eca822f0..c8595829 100644 --- a/fact-ebpf/src/bpf/maps.h +++ b/fact-ebpf/src/bpf/maps.h @@ -83,6 +83,13 @@ struct { __uint(map_flags, BPF_F_NO_PREALLOC); } inode_map SEC(".maps"); +struct { + __uint(type, BPF_MAP_TYPE_LRU_HASH); + __type(key, __u64); + __type(value, struct mkdir_context_t); + __uint(max_entries, 16384); +} mkdir_context SEC(".maps"); + struct { __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); __type(key, __u32); diff --git a/fact-ebpf/src/bpf/types.h b/fact-ebpf/src/bpf/types.h index 55005c00..95c67e86 100644 --- a/fact-ebpf/src/bpf/types.h +++ b/fact-ebpf/src/bpf/types.h @@ -55,6 +55,7 @@ typedef enum file_activity_type_t { FILE_ACTIVITY_CHMOD, FILE_ACTIVITY_CHOWN, FILE_ACTIVITY_RENAME, + DIR_ACTIVITY_CREATION, } file_activity_type_t; struct event_t { @@ -96,6 +97,12 @@ struct path_prefix_t { const char path[LPM_SIZE_MAX]; }; +// Context for correlating mkdir operations +struct mkdir_context_t { + char path[PATH_MAX]; + inode_key_t parent_inode; +}; + // Metrics types struct metrics_by_hook_t { unsigned long long total; @@ -111,4 +118,6 @@ struct metrics_t { struct metrics_by_hook_t path_chmod; struct metrics_by_hook_t path_chown; struct metrics_by_hook_t path_rename; + struct metrics_by_hook_t path_mkdir; + struct metrics_by_hook_t d_instantiate; }; diff --git a/fact-ebpf/src/lib.rs b/fact-ebpf/src/lib.rs index bd84ee08..c4c95ec6 100644 --- a/fact-ebpf/src/lib.rs +++ b/fact-ebpf/src/lib.rs @@ -125,6 +125,8 @@ impl metrics_t { m.path_chmod = m.path_chmod.accumulate(&other.path_chmod); m.path_chown = m.path_chown.accumulate(&other.path_chown); m.path_rename = m.path_rename.accumulate(&other.path_rename); + m.path_mkdir = m.path_mkdir.accumulate(&other.path_mkdir); + m.d_instantiate = m.d_instantiate.accumulate(&other.d_instantiate); m } } diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index bc9d7897..1854d7af 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -7,6 +7,7 @@ use std::{ }; use globset::GlobSet; +use log::warn; use serde::Serialize; use fact_ebpf::{PATH_MAX, event_t, file_activity_type_t, inode_key_t}; @@ -127,9 +128,17 @@ impl Event { } pub fn is_creation(&self) -> bool { + matches!(self.file, FileData::Creation(_) | FileData::MkDir(_)) + } + + pub fn is_file_creation(&self) -> bool { matches!(self.file, FileData::Creation(_)) } + pub fn is_mkdir(&self) -> bool { + matches!(self.file, FileData::MkDir(_)) + } + pub fn is_unlink(&self) -> bool { matches!(self.file, FileData::Unlink(_)) } @@ -143,6 +152,7 @@ impl Event { match &self.file { FileData::Open(data) => &data.inode, FileData::Creation(data) => &data.inode, + FileData::MkDir(data) => &data.inode, FileData::Unlink(data) => &data.inode, FileData::Chmod(data) => &data.inner.inode, FileData::Chown(data) => &data.inner.inode, @@ -155,6 +165,7 @@ impl Event { match &self.file { FileData::Open(data) => &data.parent_inode, FileData::Creation(data) => &data.parent_inode, + FileData::MkDir(data) => &data.parent_inode, FileData::Unlink(data) => &data.parent_inode, FileData::Chmod(data) => &data.inner.parent_inode, FileData::Chown(data) => &data.inner.parent_inode, @@ -176,6 +187,7 @@ impl Event { match &self.file { FileData::Open(data) => &data.filename, FileData::Creation(data) => &data.filename, + FileData::MkDir(data) => &data.filename, FileData::Unlink(data) => &data.filename, FileData::Chmod(data) => &data.inner.filename, FileData::Chown(data) => &data.inner.filename, @@ -194,6 +206,7 @@ impl Event { match &self.file { FileData::Open(data) => &data.host_file, FileData::Creation(data) => &data.host_file, + FileData::MkDir(data) => &data.host_file, FileData::Unlink(data) => &data.host_file, FileData::Chmod(data) => &data.inner.host_file, FileData::Chown(data) => &data.inner.host_file, @@ -209,6 +222,7 @@ impl Event { match &mut self.file { FileData::Open(data) => data.host_file = host_path, FileData::Creation(data) => data.host_file = host_path, + FileData::MkDir(data) => data.host_file = host_path, FileData::Unlink(data) => data.host_file = host_path, FileData::Chmod(data) => data.inner.host_file = host_path, FileData::Chown(data) => data.inner.host_file = host_path, @@ -293,6 +307,7 @@ impl PartialEq for Event { pub enum FileData { Open(BaseFileData), Creation(BaseFileData), + MkDir(BaseFileData), Unlink(BaseFileData), Chmod(ChmodFileData), Chown(ChownFileData), @@ -311,6 +326,7 @@ impl FileData { let file = match event_type { file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner), file_activity_type_t::FILE_ACTIVITY_CREATION => FileData::Creation(inner), + file_activity_type_t::DIR_ACTIVITY_CREATION => FileData::MkDir(inner), file_activity_type_t::FILE_ACTIVITY_UNLINK => FileData::Unlink(inner), file_activity_type_t::FILE_ACTIVITY_CHMOD => { let data = ChmodFileData { @@ -359,6 +375,14 @@ impl From for fact_api::file_activity::File { let f_act = fact_api::FileCreation { activity }; fact_api::file_activity::File::Creation(f_act) } + FileData::MkDir(event) => { + warn!( + "MkDir event reached protobuf conversion - converting to Creation (filtering may have failed)" + ); + let activity = Some(fact_api::FileActivityBase::from(event)); + let f_act = fact_api::FileCreation { activity }; + fact_api::file_activity::File::Creation(f_act) + } FileData::Unlink(event) => { let activity = Some(fact_api::FileActivityBase::from(event)); let f_act = fact_api::FileUnlink { activity }; @@ -386,6 +410,7 @@ impl PartialEq for FileData { match (self, other) { (FileData::Open(this), FileData::Open(other)) => this == other, (FileData::Creation(this), FileData::Creation(other)) => this == other, + (FileData::MkDir(this), FileData::MkDir(other)) => this == other, (FileData::Unlink(this), FileData::Unlink(other)) => this == other, (FileData::Chmod(this), FileData::Chmod(other)) => this == other, (FileData::Rename(this), FileData::Rename(other)) => this == other, diff --git a/fact/src/host_scanner.rs b/fact/src/host_scanner.rs index 19d5b719..f49c621f 100644 --- a/fact/src/host_scanner.rs +++ b/fact/src/host_scanner.rs @@ -280,7 +280,7 @@ impl HostScanner { }; self.metrics.events.added(); - // Handle file creation events by adding new inodes to the map + // Handle file and directory creation events by adding new inodes to the map if event.is_creation() && let Err(e) = self.handle_creation_event(&event) { warn!("Failed to handle creation event: {e}"); @@ -301,10 +301,13 @@ impl HostScanner { self.handle_unlink_event(&event); } - let event = Arc::new(event); - if let Err(e) = self.tx.send(event) { - self.metrics.events.dropped(); - warn!("Failed to send event: {e}"); + // Skip directory creation events - we track them internally but don't send to sensor + if !event.is_mkdir() { + let event = Arc::new(event); + if let Err(e) = self.tx.send(event) { + self.metrics.events.dropped(); + warn!("Failed to send event: {e}"); + } } }, _ = scan_trigger.notified() => self.scan()?, diff --git a/fact/src/metrics/kernel_metrics.rs b/fact/src/metrics/kernel_metrics.rs index d1a3a242..9caa1ff3 100644 --- a/fact/src/metrics/kernel_metrics.rs +++ b/fact/src/metrics/kernel_metrics.rs @@ -13,6 +13,8 @@ pub struct KernelMetrics { path_chmod: EventCounter, path_chown: EventCounter, path_rename: EventCounter, + path_mkdir: EventCounter, + d_instantiate: EventCounter, map: PerCpuArray, } @@ -43,12 +45,24 @@ impl KernelMetrics { "Events processed by the path_rename LSM hook", &[], // Labels are not needed since `collect` will add them all ); + let path_mkdir = EventCounter::new( + "kernel_path_mkdir_events", + "Events processed by the path_mkdir LSM hook", + &[], // Labels are not needed since `collect` will add them all + ); + let d_instantiate = EventCounter::new( + "kernel_d_instantiate_events", + "Events processed by the d_instantiate LSM hook", + &[], // Labels are not needed since `collect` will add them all + ); file_open.register(reg); path_unlink.register(reg); path_chmod.register(reg); path_chown.register(reg); path_rename.register(reg); + path_mkdir.register(reg); + d_instantiate.register(reg); KernelMetrics { file_open, @@ -56,6 +70,8 @@ impl KernelMetrics { path_chmod, path_chown, path_rename, + path_mkdir, + d_instantiate, map: kernel_metrics, } } @@ -105,6 +121,8 @@ impl KernelMetrics { KernelMetrics::refresh_labels(&self.path_chmod, &metrics.path_chmod); KernelMetrics::refresh_labels(&self.path_chown, &metrics.path_chown); KernelMetrics::refresh_labels(&self.path_rename, &metrics.path_rename); + KernelMetrics::refresh_labels(&self.path_mkdir, &metrics.path_mkdir); + KernelMetrics::refresh_labels(&self.d_instantiate, &metrics.d_instantiate); Ok(()) } diff --git a/tests/test_path_mkdir.py b/tests/test_path_mkdir.py new file mode 100644 index 00000000..88685f8f --- /dev/null +++ b/tests/test_path_mkdir.py @@ -0,0 +1,73 @@ +import os + +import pytest + +from event import Event, EventType, Process + + +@pytest.mark.parametrize("dirname", [ + pytest.param('level3', id='ASCII'), + pytest.param('café', id='French'), + pytest.param('файл', id='Cyrillic'), + pytest.param('日本語', id='Japanese'), +]) +def test_mkdir_nested(monitored_dir, server, dirname): + """ + Tests that creating nested directories tracks all inodes correctly. + + Args: + monitored_dir: Temporary directory path for creating the test directory. + server: The server instance to communicate with. + dirname: Final directory name to test (including UTF-8 variants). + """ + process = Process.from_proc() + + # Create nested directories + test_dir = os.path.join(monitored_dir, 'level1', 'level2', dirname) + os.makedirs(test_dir, exist_ok=True) + + # Create a file in the deepest directory + test_file = os.path.join(test_dir, 'deep_file.txt') + with open(test_file, 'w') as f: + f.write('nested content') + + # Directory creation events are tracked internally but not sent to sensor + # Only the file creation event should be sent + events = [ + Event(process=process, event_type=EventType.CREATION, + file=test_file, host_path=test_file), + ] + + server.wait_events(events) + + +def test_mkdir_ignored(monitored_dir, ignored_dir, server): + """ + Tests that directories created outside monitored paths are ignored. + + Args: + monitored_dir: Temporary directory path that is monitored. + ignored_dir: Temporary directory path that is not monitored. + server: The server instance to communicate with. + """ + process = Process.from_proc() + + # Create directory in ignored path - should not be tracked + ignored_subdir = os.path.join(ignored_dir, 'ignored_subdir') + os.mkdir(ignored_subdir) + ignored_file = os.path.join(ignored_subdir, 'ignored.txt') + with open(ignored_file, 'w') as f: + f.write('ignored') + + # Create directory in monitored path - should be tracked + monitored_subdir = os.path.join(monitored_dir, 'monitored_subdir') + os.mkdir(monitored_subdir) + monitored_file = os.path.join(monitored_subdir, 'monitored.txt') + with open(monitored_file, 'w') as f: + f.write('monitored') + + # Only the monitored file should generate an event (directories are tracked internally) + e = Event(process=process, event_type=EventType.CREATION, + file=monitored_file, host_path=monitored_file) + + server.wait_events([e]) diff --git a/tests/test_path_rename.py b/tests/test_path_rename.py index a3600eff..98c3447a 100644 --- a/tests/test_path_rename.py +++ b/tests/test_path_rename.py @@ -48,9 +48,9 @@ def test_rename(monitored_dir, server, filename): Event(process=Process.from_proc(), event_type=EventType.CREATION, file=old_fut, host_path=old_fut), Event(process=Process.from_proc(), event_type=EventType.RENAME, - file=fut, host_path=old_fut, old_file=old_fut, old_host_path=''), + file=fut, host_path='', old_file=old_fut, old_host_path=old_fut), Event(process=Process.from_proc(), event_type=EventType.RENAME, - file=old_fut, host_path=old_fut, old_file=fut, old_host_path=''), + file=old_fut, host_path='', old_file=fut, old_host_path=old_fut), ] server.wait_events(events)