ROX-33217: Instrument inode tracking on directory being created path mkdir

[JoukoVirtanen]

Description

Directory creation events need to be handled correctly. When a directory is created in a tracked directory its inode should be added to a hash set in kernel space. In user space an entry needs to be added into a map with the inode as the key and file path as the value.

An alternative approach can be found at #449

Checklist

• Investigated and inspected CI test results
• Updated documentation accordingly

Automated testing

• Added unit tests
• Added integration tests
• Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Checked metrics

$ grep path_mkdir */metrics 
test_mkdir_ignored/metrics:# HELP stackrox_fact_kernel_path_mkdir_events Events processed by the path_mkdir LSM hook.
test_mkdir_ignored/metrics:# TYPE stackrox_fact_kernel_path_mkdir_events counter
test_mkdir_ignored/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="RingbufferFull"} 0
test_mkdir_ignored/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Added"} 0
test_mkdir_ignored/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Error"} 0
test_mkdir_ignored/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Ignored"} 2
test_mkdir_ignored/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Total"} 3
test_mkdir_nested/metrics:# HELP stackrox_fact_kernel_path_mkdir_events Events processed by the path_mkdir LSM hook.
test_mkdir_nested/metrics:# TYPE stackrox_fact_kernel_path_mkdir_events counter
test_mkdir_nested/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="RingbufferFull"} 0
test_mkdir_nested/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Added"} 0
test_mkdir_nested/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Total"} 3
test_mkdir_nested/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Ignored"} 0
test_mkdir_nested/metrics:stackrox_fact_kernel_path_mkdir_events_total{label="Error"} 0

$ grep d_instantiate */metrics 
test_mkdir_ignored/metrics:# HELP stackrox_fact_kernel_d_instantiate_events Events processed by the d_instantiate LSM hook.
test_mkdir_ignored/metrics:# TYPE stackrox_fact_kernel_d_instantiate_events counter
test_mkdir_ignored/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Error"} 0
test_mkdir_ignored/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Added"} 2
test_mkdir_ignored/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Ignored"} 36
test_mkdir_ignored/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="RingbufferFull"} 0
test_mkdir_ignored/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Total"} 37
test_mkdir_nested/metrics:# HELP stackrox_fact_kernel_d_instantiate_events Events processed by the d_instantiate LSM hook.
test_mkdir_nested/metrics:# TYPE stackrox_fact_kernel_d_instantiate_events counter
test_mkdir_nested/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="RingbufferFull"} 0
test_mkdir_nested/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Added"} 6
test_mkdir_nested/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Error"} 0
test_mkdir_nested/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Total"} 115
test_mkdir_nested/metrics:stackrox_fact_kernel_d_instantiate_events_total{label="Ignored"} 112

[JoukoVirtanen]

I originally had

if (should_track_mkdir(parent_inode, path) == NOT_MONITORED) {

However, test_nonrecursive_wildcard::test_wildcard.py failed with that change. The reason was that was the inodes of all directories created in that test were tracked and subsequently all files in those directories were tracked regardless if they matched the wildcard pattern or not.

[Molter73]

Could we add a permalink to the definition?

[JoukoVirtanen]

Done

[Molter73]

We should check if m->d_instantiate.ignored actually increases, I have a feeling this condition should never be met.

[JoukoVirtanen]

m->d_instantiate.ignored increases, but I don't know if it is due to this or other locations with m->d_instantiate.ignored++;.

[Molter73]

We should check if inode can actually be null, if so, we probably still want to try and cleanup the mkdir_context map entry.

[JoukoVirtanen]

There is now cleanup even when the inode is null.

[Molter73]

Calling __submit_event will cause a full event to be filled in, including process information. However, mkdir is mostly needed for inode tracking and probably not interesting enough to send an event over gRPC, so we might want to look into having an abbreviated version that will just submit a FILE_ACTIVITY_MKDIR event that will be processed by HostScanner and dropped after adding to the userspace map.

[Molter73]

This seems to be unused.

[JoukoVirtanen]

This is used. get_mkdir_context is used at https://github.com/stackrox/fact/pull/465/changes#diff-ffd13aea0af666b10cf909b17d6e19eb4c0855151d6cf2cbf6567a941c21b068R264

[Molter73]

You are right, but now I'm wondering why we are not just getting an entry from mkdir_context directly and filling that in, instead of getting an entry from mkdir_context_heap and then copying it over.

There's a few things you could try for when the entry doesn't actually exist.

• If you drop BPF_F_NO_PREALLOC from mkdir_context, I'm fairly certain you should always get a value back.
• You can try using bpf_map_lookup_elem and if it fails, create a new entry passing value as NULL.
• If that doesn't work, you can just pass a pointer to a default value from a const global, which will end up in .rodata section.

[Molter73]

I think you also need to add your metrics here:

fact/fact-ebpf/src/lib.rs

Lines 123 to 127 in eb0b3a9

	m.file_open = m.file_open.accumulate(&other.file_open);
	m.path_unlink = m.path_unlink.accumulate(&other.path_unlink);
	m.path_chmod = m.path_chmod.accumulate(&other.path_chmod);
	m.path_chown = m.path_chown.accumulate(&other.path_chown);
	m.path_rename = m.path_rename.accumulate(&other.path_rename);

I will look into improving how we handle these, it is getting very repetitive and having it scattered among multiple files is very error prone.

[Molter73]

[nit] We can probably just use os.makedirs on level3.

[Molter73]

Maybe we can parametrize the final directory with UTF-8 characters?

[Molter73]

You are right, but now I'm wondering why we are not just getting an entry from mkdir_context directly and filling that in, instead of getting an entry from mkdir_context_heap and then copying it over.

There's a few things you could try for when the entry doesn't actually exist.

• If you drop BPF_F_NO_PREALLOC from mkdir_context, I'm fairly certain you should always get a value back.
• You can try using bpf_map_lookup_elem and if it fails, create a new entry passing value as NULL.
• If that doesn't work, you can just pass a pointer to a default value from a const global, which will end up in .rodata section.