From 6e63d30b8b1633fce93441fd1902c00c5e711dfd Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Tue, 31 Mar 2026 15:32:42 -0700 Subject: [PATCH 01/22] X-Smart-Branch-Parent: main From 0682fb295d25eab4163ede8ff7e8e59b8b448207 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Tue, 31 Mar 2026 16:41:02 -0700 Subject: [PATCH 02/22] Added integration tests --- tests/test_path_mkdir.py | 69 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 tests/test_path_mkdir.py diff --git a/tests/test_path_mkdir.py b/tests/test_path_mkdir.py new file mode 100644 index 00000000..5242894d --- /dev/null +++ b/tests/test_path_mkdir.py @@ -0,0 +1,69 @@ +import os + +import pytest + +from event import Event, EventType, Process + + +def test_mkdir_nested(monitored_dir, server): + """ + Tests that creating nested directories tracks all inodes correctly. + + Args: + monitored_dir: Temporary directory path for creating the test directory. + server: The server instance to communicate with. + """ + process = Process.from_proc() + + # Create nested directories + level1 = os.path.join(monitored_dir, 'level1') + level2 = os.path.join(level1, 'level2') + level3 = os.path.join(level2, 'level3') + + os.mkdir(level1) + os.mkdir(level2) + os.mkdir(level3) + + # Create a file in the deepest directory + test_file = os.path.join(level3, 'deep_file.txt') + with open(test_file, 'w') as f: + f.write('nested content') + + events = [ + Event(process=process, event_type=EventType.CREATION, + file=level1, host_path=level1), + Event(process=process, event_type=EventType.CREATION, + file=level2, host_path=level2), + Event(process=process, event_type=EventType.CREATION, + file=level3, host_path=level3), + Event(process=process, event_type=EventType.CREATION, + file=test_file, host_path=test_file), + ] + + server.wait_events(events) + + +def test_mkdir_ignored(monitored_dir, ignored_dir, server): + """ + Tests that directories created outside monitored paths are ignored. + + Args: + monitored_dir: Temporary directory path that is monitored. + ignored_dir: Temporary directory path that is not monitored. + server: The server instance to communicate with. + """ + process = Process.from_proc() + + # Create directory in ignored path - should not be tracked + ignored_subdir = os.path.join(ignored_dir, 'ignored_subdir') + os.mkdir(ignored_subdir) + + # Create directory in monitored path - should be tracked + monitored_subdir = os.path.join(monitored_dir, 'monitored_subdir') + os.mkdir(monitored_subdir) + + # Only the monitored directory should generate an event + e = Event(process=process, event_type=EventType.CREATION, + file=monitored_subdir, host_path=monitored_subdir) + + server.wait_events([e]) From 7aecaa4ff2f19f88881a4171650f0a1669cf1ce1 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 1 Apr 2026 10:50:56 -0700 Subject: [PATCH 03/22] Instrument inode tracking on directory being created --- fact-ebpf/src/bpf/events.h | 14 ++++ fact-ebpf/src/bpf/file.h | 16 +++++ fact-ebpf/src/bpf/main.c | 107 +++++++++++++++++++++++++++++ fact-ebpf/src/bpf/maps.h | 20 ++++++ fact-ebpf/src/bpf/types.h | 8 +++ fact/src/metrics/kernel_metrics.rs | 18 +++++ 6 files changed, 183 insertions(+) diff --git a/fact-ebpf/src/bpf/events.h b/fact-ebpf/src/bpf/events.h index 26254778..5fc3d3a6 100644 --- a/fact-ebpf/src/bpf/events.h +++ b/fact-ebpf/src/bpf/events.h @@ -129,3 +129,17 @@ __always_inline static void submit_rename_event(struct metrics_by_hook_t* m, __submit_event(event, m, FILE_ACTIVITY_RENAME, new_filename, new_inode, new_parent_inode, path_hooks_support_bpf_d_path); } + +__always_inline static void submit_mkdir_event(struct metrics_by_hook_t* m, + const char filename[PATH_MAX], + inode_key_t* inode, + inode_key_t* parent_inode) { + struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0); + if (event == NULL) { + m->ringbuffer_full++; + return; + } + + // d_instantiate doesn't support bpf_d_path, so we use false and rely on the stashed path from path_mkdir + __submit_event(event, m, FILE_ACTIVITY_CREATION, filename, inode, parent_inode, false); +} diff --git a/fact-ebpf/src/bpf/file.h b/fact-ebpf/src/bpf/file.h index d0fdc8b1..eac1b429 100644 --- a/fact-ebpf/src/bpf/file.h +++ b/fact-ebpf/src/bpf/file.h @@ -43,3 +43,19 @@ __always_inline static inode_monitored_t is_monitored(inode_key_t inode, struct return NOT_MONITORED; } + +// Check if a new directory should be tracked based on its parent and path. +// This is used during mkdir operations where the child inode doesn't exist yet. +__always_inline static inode_monitored_t should_track_mkdir(inode_key_t parent_inode, struct bound_path_t* child_path) { + const inode_value_t* volatile parent_value = inode_get(&parent_inode); + + if (parent_value != NULL) { + return PARENT_MONITORED; + } + + if (path_is_monitored(child_path)) { + return MONITORED; + } + + return NOT_MONITORED; +} diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index b7c044f1..f8b30a92 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -19,6 +19,11 @@ char _license[] SEC("license") = "Dual MIT/GPL"; #define FMODE_PWRITE ((fmode_t)(1 << 4)) #define FMODE_CREATED ((fmode_t)(1 << 20)) +// File type constants from linux/stat.h +#define S_IFMT 00170000 +#define S_IFDIR 0040000 +#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) + SEC("lsm/file_open") int BPF_PROG(trace_file_open, struct file* file) { struct metrics_t* m = get_metrics(); @@ -228,3 +233,105 @@ int BPF_PROG(trace_path_rename, struct path* old_dir, m->path_rename.error++; return 0; } + +SEC("lsm/path_mkdir") +int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t mode) { + struct metrics_t* m = get_metrics(); + if (m == NULL) { + return 0; + } + + m->path_mkdir.total++; + + struct bound_path_t* path = path_read_append_d_entry(dir, dentry); + if (path == NULL) { + bpf_printk("Failed to read path"); + m->path_mkdir.error++; + return 0; + } + + struct dentry* parent_dentry = BPF_CORE_READ(dir, dentry); + struct inode* parent_inode_ptr = BPF_CORE_READ(parent_dentry, d_inode); + inode_key_t parent_inode = inode_to_key(parent_inode_ptr); + + if (should_track_mkdir(parent_inode, path) == NOT_MONITORED) { + m->path_mkdir.ignored++; + return 0; + } + + // Stash mkdir context for security_d_instantiate + __u64 pid_tgid = bpf_get_current_pid_tgid(); + struct mkdir_context_t* mkdir_ctx = get_mkdir_context(); + if (mkdir_ctx == NULL) { + bpf_printk("Failed to get mkdir context buffer"); + m->path_mkdir.error++; + return 0; + } + + long path_copy_len = bpf_probe_read_str(mkdir_ctx->path, PATH_MAX, path->path); + if (path_copy_len < 0) { + bpf_printk("Failed to copy path string"); + m->path_mkdir.error++; + return 0; + } + mkdir_ctx->parent_inode = parent_inode; + + if (bpf_map_update_elem(&mkdir_context, &pid_tgid, mkdir_ctx, BPF_ANY) != 0) { + bpf_printk("Failed to stash mkdir context"); + m->path_mkdir.error++; + return 0; + } + + return 0; +} + +SEC("lsm/d_instantiate") +int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { + struct metrics_t* m = get_metrics(); + if (m == NULL) { + return 0; + } + + m->d_instantiate.total++; + + if (inode == NULL) { + m->d_instantiate.ignored++; + return 0; + } + + __u64 pid_tgid = bpf_get_current_pid_tgid(); + struct mkdir_context_t* mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); + if (mkdir_ctx == NULL) { + m->d_instantiate.ignored++; + return 0; + } + + // Check if this is a directory + umode_t mode = BPF_CORE_READ(inode, i_mode); + if (!S_ISDIR(mode)) { + bpf_map_delete_elem(&mkdir_context, &pid_tgid); + m->d_instantiate.ignored++; + return 0; + } + + // Get the inode key for the new directory + inode_key_t inode_key = inode_to_key(inode); + + // Add the new directory inode to tracking + if (inode_add(&inode_key) == 0) { + m->d_instantiate.added++; + } else { + m->d_instantiate.error++; + } + + // Submit creation event using the stashed path + submit_mkdir_event(&m->d_instantiate, + mkdir_ctx->path, + &inode_key, + &mkdir_ctx->parent_inode); + + // Clean up context + bpf_map_delete_elem(&mkdir_context, &pid_tgid); + + return 0; +} diff --git a/fact-ebpf/src/bpf/maps.h b/fact-ebpf/src/bpf/maps.h index eca822f0..3758ea80 100644 --- a/fact-ebpf/src/bpf/maps.h +++ b/fact-ebpf/src/bpf/maps.h @@ -83,6 +83,26 @@ struct { __uint(map_flags, BPF_F_NO_PREALLOC); } inode_map SEC(".maps"); +struct { + __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); + __type(key, __u32); + __type(value, struct mkdir_context_t); + __uint(max_entries, 1); +} mkdir_context_heap SEC(".maps"); + +__always_inline static struct mkdir_context_t* get_mkdir_context() { + unsigned int zero = 0; + return bpf_map_lookup_elem(&mkdir_context_heap, &zero); +} + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, __u64); + __type(value, struct mkdir_context_t); + __uint(max_entries, 16384); + __uint(map_flags, BPF_F_NO_PREALLOC); +} mkdir_context SEC(".maps"); + struct { __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); __type(key, __u32); diff --git a/fact-ebpf/src/bpf/types.h b/fact-ebpf/src/bpf/types.h index 55005c00..9059c7aa 100644 --- a/fact-ebpf/src/bpf/types.h +++ b/fact-ebpf/src/bpf/types.h @@ -96,6 +96,12 @@ struct path_prefix_t { const char path[LPM_SIZE_MAX]; }; +// Context for correlating mkdir operations +struct mkdir_context_t { + char path[PATH_MAX]; + inode_key_t parent_inode; +}; + // Metrics types struct metrics_by_hook_t { unsigned long long total; @@ -111,4 +117,6 @@ struct metrics_t { struct metrics_by_hook_t path_chmod; struct metrics_by_hook_t path_chown; struct metrics_by_hook_t path_rename; + struct metrics_by_hook_t path_mkdir; + struct metrics_by_hook_t d_instantiate; }; diff --git a/fact/src/metrics/kernel_metrics.rs b/fact/src/metrics/kernel_metrics.rs index d1a3a242..9caa1ff3 100644 --- a/fact/src/metrics/kernel_metrics.rs +++ b/fact/src/metrics/kernel_metrics.rs @@ -13,6 +13,8 @@ pub struct KernelMetrics { path_chmod: EventCounter, path_chown: EventCounter, path_rename: EventCounter, + path_mkdir: EventCounter, + d_instantiate: EventCounter, map: PerCpuArray, } @@ -43,12 +45,24 @@ impl KernelMetrics { "Events processed by the path_rename LSM hook", &[], // Labels are not needed since `collect` will add them all ); + let path_mkdir = EventCounter::new( + "kernel_path_mkdir_events", + "Events processed by the path_mkdir LSM hook", + &[], // Labels are not needed since `collect` will add them all + ); + let d_instantiate = EventCounter::new( + "kernel_d_instantiate_events", + "Events processed by the d_instantiate LSM hook", + &[], // Labels are not needed since `collect` will add them all + ); file_open.register(reg); path_unlink.register(reg); path_chmod.register(reg); path_chown.register(reg); path_rename.register(reg); + path_mkdir.register(reg); + d_instantiate.register(reg); KernelMetrics { file_open, @@ -56,6 +70,8 @@ impl KernelMetrics { path_chmod, path_chown, path_rename, + path_mkdir, + d_instantiate, map: kernel_metrics, } } @@ -105,6 +121,8 @@ impl KernelMetrics { KernelMetrics::refresh_labels(&self.path_chmod, &metrics.path_chmod); KernelMetrics::refresh_labels(&self.path_chown, &metrics.path_chown); KernelMetrics::refresh_labels(&self.path_rename, &metrics.path_rename); + KernelMetrics::refresh_labels(&self.path_mkdir, &metrics.path_mkdir); + KernelMetrics::refresh_labels(&self.d_instantiate, &metrics.d_instantiate); Ok(()) } From e01ccb1c2d84f7ddf98640d305ce7525579ecc44 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 1 Apr 2026 15:29:42 -0700 Subject: [PATCH 04/22] Only tracking directories if the parent is monitored --- fact-ebpf/src/bpf/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index f8b30a92..744f2a18 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -254,7 +254,7 @@ int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t struct inode* parent_inode_ptr = BPF_CORE_READ(parent_dentry, d_inode); inode_key_t parent_inode = inode_to_key(parent_inode_ptr); - if (should_track_mkdir(parent_inode, path) == NOT_MONITORED) { + if (should_track_mkdir(parent_inode, path) != PARENT_MONITORED) { m->path_mkdir.ignored++; return 0; } From 9a7a03ea22eef339aea02f61a972ffadbaae66ce Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 1 Apr 2026 16:41:52 -0700 Subject: [PATCH 05/22] Removed some comments --- fact-ebpf/src/bpf/main.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index 744f2a18..9b3c9c54 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -306,7 +306,6 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { return 0; } - // Check if this is a directory umode_t mode = BPF_CORE_READ(inode, i_mode); if (!S_ISDIR(mode)) { bpf_map_delete_elem(&mkdir_context, &pid_tgid); @@ -314,23 +313,19 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { return 0; } - // Get the inode key for the new directory inode_key_t inode_key = inode_to_key(inode); - // Add the new directory inode to tracking if (inode_add(&inode_key) == 0) { m->d_instantiate.added++; } else { m->d_instantiate.error++; } - // Submit creation event using the stashed path submit_mkdir_event(&m->d_instantiate, mkdir_ctx->path, &inode_key, &mkdir_ctx->parent_inode); - // Clean up context bpf_map_delete_elem(&mkdir_context, &pid_tgid); return 0; From ab17d2654471a91375b8ae71f59b484c181bee83 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 2 Apr 2026 10:43:48 -0700 Subject: [PATCH 06/22] Combined two uses of BPF_CORE_READ --- fact-ebpf/src/bpf/main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index 9b3c9c54..ced11746 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -250,8 +250,7 @@ int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t return 0; } - struct dentry* parent_dentry = BPF_CORE_READ(dir, dentry); - struct inode* parent_inode_ptr = BPF_CORE_READ(parent_dentry, d_inode); + struct inode* parent_inode_ptr = BPF_CORE_READ(dir, dentry, d_inode); inode_key_t parent_inode = inode_to_key(parent_inode_ptr); if (should_track_mkdir(parent_inode, path) != PARENT_MONITORED) { From 3aa499889d355bfe656bef57e82160e546aae375 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 2 Apr 2026 11:25:58 -0700 Subject: [PATCH 07/22] Added DIR_ACTIVITY_CREATION --- fact-ebpf/src/bpf/events.h | 2 +- fact-ebpf/src/bpf/types.h | 1 + fact/src/event/mod.rs | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/fact-ebpf/src/bpf/events.h b/fact-ebpf/src/bpf/events.h index 5fc3d3a6..fe521450 100644 --- a/fact-ebpf/src/bpf/events.h +++ b/fact-ebpf/src/bpf/events.h @@ -141,5 +141,5 @@ __always_inline static void submit_mkdir_event(struct metrics_by_hook_t* m, } // d_instantiate doesn't support bpf_d_path, so we use false and rely on the stashed path from path_mkdir - __submit_event(event, m, FILE_ACTIVITY_CREATION, filename, inode, parent_inode, false); + __submit_event(event, m, DIR_ACTIVITY_CREATION, filename, inode, parent_inode, false); } diff --git a/fact-ebpf/src/bpf/types.h b/fact-ebpf/src/bpf/types.h index 9059c7aa..95c67e86 100644 --- a/fact-ebpf/src/bpf/types.h +++ b/fact-ebpf/src/bpf/types.h @@ -55,6 +55,7 @@ typedef enum file_activity_type_t { FILE_ACTIVITY_CHMOD, FILE_ACTIVITY_CHOWN, FILE_ACTIVITY_RENAME, + DIR_ACTIVITY_CREATION, } file_activity_type_t; struct event_t { diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index 40bd317a..6ddf1199 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -307,6 +307,7 @@ impl FileData { let file = match event_type { file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner), file_activity_type_t::FILE_ACTIVITY_CREATION => FileData::Creation(inner), + file_activity_type_t::DIR_ACTIVITY_CREATION => FileData::Creation(inner), file_activity_type_t::FILE_ACTIVITY_UNLINK => FileData::Unlink(inner), file_activity_type_t::FILE_ACTIVITY_CHMOD => { let data = ChmodFileData { From 52888663006369af703b8ec9b74dd657e07df995 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 2 Apr 2026 11:29:22 -0700 Subject: [PATCH 08/22] Added permalink to linux/stat.h --- fact-ebpf/src/bpf/main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index ced11746..c4ede974 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -20,6 +20,7 @@ char _license[] SEC("license") = "Dual MIT/GPL"; #define FMODE_CREATED ((fmode_t)(1 << 20)) // File type constants from linux/stat.h +// https://github.com/torvalds/linux/blob/5619b098e2fbf3a23bf13d91897056a1fe238c6d/include/uapi/linux/stat.h #define S_IFMT 00170000 #define S_IFDIR 0040000 #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) From 99ee8cbb3c9a643231be5703e8a8d98cbf38e699 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 2 Apr 2026 11:43:15 -0700 Subject: [PATCH 09/22] Removing map entry in case of early return in lsm/d_instantiate --- fact-ebpf/src/bpf/main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index c4ede974..1343e7b1 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -306,11 +306,11 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { return 0; } + // From this point on, we must clean up mkdir_context before returning umode_t mode = BPF_CORE_READ(inode, i_mode); if (!S_ISDIR(mode)) { - bpf_map_delete_elem(&mkdir_context, &pid_tgid); m->d_instantiate.ignored++; - return 0; + goto cleanup; } inode_key_t inode_key = inode_to_key(inode); @@ -326,7 +326,7 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { &inode_key, &mkdir_ctx->parent_inode); +cleanup: bpf_map_delete_elem(&mkdir_context, &pid_tgid); - return 0; } From be580e185b1658386b615f9b6149ee87ce1e6065 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 2 Apr 2026 15:25:20 -0700 Subject: [PATCH 10/22] Using os.makedirs instead of os.mkdir three times --- tests/test_path_mkdir.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/test_path_mkdir.py b/tests/test_path_mkdir.py index 5242894d..759e0022 100644 --- a/tests/test_path_mkdir.py +++ b/tests/test_path_mkdir.py @@ -20,9 +20,7 @@ def test_mkdir_nested(monitored_dir, server): level2 = os.path.join(level1, 'level2') level3 = os.path.join(level2, 'level3') - os.mkdir(level1) - os.mkdir(level2) - os.mkdir(level3) + os.makedirs(level3, exist_ok=True) # Create a file in the deepest directory test_file = os.path.join(level3, 'deep_file.txt') From 29743736296c6f93cc84f910fc40a6eac742b0f7 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Fri, 3 Apr 2026 10:55:54 -0700 Subject: [PATCH 11/22] Accumulate m.path_mkdir and m.d_instantiate --- fact-ebpf/src/lib.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fact-ebpf/src/lib.rs b/fact-ebpf/src/lib.rs index bd84ee08..c4c95ec6 100644 --- a/fact-ebpf/src/lib.rs +++ b/fact-ebpf/src/lib.rs @@ -125,6 +125,8 @@ impl metrics_t { m.path_chmod = m.path_chmod.accumulate(&other.path_chmod); m.path_chown = m.path_chown.accumulate(&other.path_chown); m.path_rename = m.path_rename.accumulate(&other.path_rename); + m.path_mkdir = m.path_mkdir.accumulate(&other.path_mkdir); + m.d_instantiate = m.d_instantiate.accumulate(&other.d_instantiate); m } } From b0ef4fe588d29a18aa9078ea9bac715277d562cb Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Fri, 3 Apr 2026 11:58:44 -0700 Subject: [PATCH 12/22] Checking pid_tgid earlier so if inode is null we still cleanup --- fact-ebpf/src/bpf/main.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index 1343e7b1..e514a153 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -294,19 +294,19 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { m->d_instantiate.total++; - if (inode == NULL) { - m->d_instantiate.ignored++; - return 0; - } - __u64 pid_tgid = bpf_get_current_pid_tgid(); struct mkdir_context_t* mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); + if (mkdir_ctx == NULL) { m->d_instantiate.ignored++; return 0; } - // From this point on, we must clean up mkdir_context before returning + if (inode == NULL) { + m->d_instantiate.ignored++; + goto cleanup; + } + umode_t mode = BPF_CORE_READ(inode, i_mode); if (!S_ISDIR(mode)) { m->d_instantiate.ignored++; From a295468506d57c50713110a11a7f1ab7ea2f8c8f Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Mon, 6 Apr 2026 17:09:10 -0700 Subject: [PATCH 13/22] Not using BPF_F_NO_PREALLOC --- fact-ebpf/src/bpf/main.c | 18 ++++++++++-------- fact-ebpf/src/bpf/maps.h | 13 ------------- 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index e514a153..25714df3 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -261,9 +261,16 @@ int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t // Stash mkdir context for security_d_instantiate __u64 pid_tgid = bpf_get_current_pid_tgid(); - struct mkdir_context_t* mkdir_ctx = get_mkdir_context(); + + if (bpf_map_update_elem(&mkdir_context, &pid_tgid, NULL, BPF_ANY) != 0) { + bpf_printk("Failed to create mkdir context entry"); + m->path_mkdir.error++; + return 0; + } + + struct mkdir_context_t* mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); if (mkdir_ctx == NULL) { - bpf_printk("Failed to get mkdir context buffer"); + bpf_printk("Failed to lookup mkdir context after creation"); m->path_mkdir.error++; return 0; } @@ -272,16 +279,11 @@ int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t if (path_copy_len < 0) { bpf_printk("Failed to copy path string"); m->path_mkdir.error++; + bpf_map_delete_elem(&mkdir_context, &pid_tgid); return 0; } mkdir_ctx->parent_inode = parent_inode; - if (bpf_map_update_elem(&mkdir_context, &pid_tgid, mkdir_ctx, BPF_ANY) != 0) { - bpf_printk("Failed to stash mkdir context"); - m->path_mkdir.error++; - return 0; - } - return 0; } diff --git a/fact-ebpf/src/bpf/maps.h b/fact-ebpf/src/bpf/maps.h index 3758ea80..acd498f7 100644 --- a/fact-ebpf/src/bpf/maps.h +++ b/fact-ebpf/src/bpf/maps.h @@ -83,24 +83,11 @@ struct { __uint(map_flags, BPF_F_NO_PREALLOC); } inode_map SEC(".maps"); -struct { - __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); - __type(key, __u32); - __type(value, struct mkdir_context_t); - __uint(max_entries, 1); -} mkdir_context_heap SEC(".maps"); - -__always_inline static struct mkdir_context_t* get_mkdir_context() { - unsigned int zero = 0; - return bpf_map_lookup_elem(&mkdir_context_heap, &zero); -} - struct { __uint(type, BPF_MAP_TYPE_HASH); __type(key, __u64); __type(value, struct mkdir_context_t); __uint(max_entries, 16384); - __uint(map_flags, BPF_F_NO_PREALLOC); } mkdir_context SEC(".maps"); struct { From 5f882ba2d5321fb134e4af254924e77cb9c938a1 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Mon, 6 Apr 2026 18:46:35 -0700 Subject: [PATCH 14/22] Switched from BPF_MAP_TYPE_HASH to BPF_MAP_TYPE_LRU_HASH --- fact-ebpf/src/bpf/maps.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fact-ebpf/src/bpf/maps.h b/fact-ebpf/src/bpf/maps.h index acd498f7..c8595829 100644 --- a/fact-ebpf/src/bpf/maps.h +++ b/fact-ebpf/src/bpf/maps.h @@ -84,7 +84,7 @@ struct { } inode_map SEC(".maps"); struct { - __uint(type, BPF_MAP_TYPE_HASH); + __uint(type, BPF_MAP_TYPE_LRU_HASH); __type(key, __u64); __type(value, struct mkdir_context_t); __uint(max_entries, 16384); From 349a4e2f305bce2d918844ae61ea56d051c9e471 Mon Sep 17 00:00:00 2001 From: Jouko Virtanen Date: Mon, 6 Apr 2026 18:53:01 -0700 Subject: [PATCH 15/22] Apply suggestion from @Molter73 Co-authored-by: Mauro Ezequiel Moltrasio --- fact/src/event/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index 6ddf1199..e015fcde 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -306,7 +306,7 @@ impl FileData { let inner = BaseFileData::new(filename, inode, parent_inode)?; let file = match event_type { file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner), - file_activity_type_t::FILE_ACTIVITY_CREATION => FileData::Creation(inner), + file_activity_type_t::FILE_ACTIVITY_CREATION | file_activity_type_t::DIR_ACTIVITY_CREATION => FileData::Creation(inner), file_activity_type_t::FILE_ACTIVITY_UNLINK => FileData::Unlink(inner), file_activity_type_t::FILE_ACTIVITY_CHMOD => { From be4d39dbf7456883a26b3bfc266f1a424c1ba18c Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Mon, 6 Apr 2026 19:01:45 -0700 Subject: [PATCH 16/22] Parameterized test --- tests/test_path_mkdir.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tests/test_path_mkdir.py b/tests/test_path_mkdir.py index 759e0022..a3953e50 100644 --- a/tests/test_path_mkdir.py +++ b/tests/test_path_mkdir.py @@ -5,20 +5,27 @@ from event import Event, EventType, Process -def test_mkdir_nested(monitored_dir, server): +@pytest.mark.parametrize("dirname", [ + pytest.param('level3', id='ASCII'), + pytest.param('café', id='French'), + pytest.param('файл', id='Cyrillic'), + pytest.param('日本語', id='Japanese'), +]) +def test_mkdir_nested(monitored_dir, server, dirname): """ Tests that creating nested directories tracks all inodes correctly. Args: monitored_dir: Temporary directory path for creating the test directory. server: The server instance to communicate with. + dirname: Final directory name to test (including UTF-8 variants). """ process = Process.from_proc() # Create nested directories level1 = os.path.join(monitored_dir, 'level1') level2 = os.path.join(level1, 'level2') - level3 = os.path.join(level2, 'level3') + level3 = os.path.join(level2, dirname) os.makedirs(level3, exist_ok=True) From e93080b7f21bf7abbeac8223c4c2db072a0c4794 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Mon, 6 Apr 2026 22:13:37 -0700 Subject: [PATCH 17/22] Fixed verifier issue. Not sending directory creation events --- fact-ebpf/src/bpf/main.c | 22 ++++++++++++---------- fact/src/event/mod.rs | 8 ++++++++ fact/src/host_scanner.rs | 11 +++++++---- tests/test_path_mkdir.py | 18 ++++++++++-------- 4 files changed, 37 insertions(+), 22 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index 25714df3..7fcfbc72 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -261,18 +261,20 @@ int BPF_PROG(trace_path_mkdir, struct path* dir, struct dentry* dentry, umode_t // Stash mkdir context for security_d_instantiate __u64 pid_tgid = bpf_get_current_pid_tgid(); - - if (bpf_map_update_elem(&mkdir_context, &pid_tgid, NULL, BPF_ANY) != 0) { - bpf_printk("Failed to create mkdir context entry"); - m->path_mkdir.error++; - return 0; - } - struct mkdir_context_t* mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); if (mkdir_ctx == NULL) { - bpf_printk("Failed to lookup mkdir context after creation"); - m->path_mkdir.error++; - return 0; + static const struct mkdir_context_t empty_ctx = {0}; + if (bpf_map_update_elem(&mkdir_context, &pid_tgid, &empty_ctx, BPF_NOEXIST) != 0) { + bpf_printk("Failed to create mkdir context entry"); + m->path_mkdir.error++; + return 0; + } + mkdir_ctx = bpf_map_lookup_elem(&mkdir_context, &pid_tgid); + if (mkdir_ctx == NULL) { + bpf_printk("Failed to lookup mkdir context after creation"); + m->path_mkdir.error++; + return 0; + } } long path_copy_len = bpf_probe_read_str(mkdir_ctx->path, PATH_MAX, path->path); diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index e015fcde..4b6cd041 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -74,6 +74,8 @@ pub struct Event { hostname: &'static str, process: Process, file: FileData, + #[serde(skip)] + event_type: file_activity_type_t, } impl Event { @@ -123,6 +125,7 @@ impl Event { hostname, process, file, + event_type: file_activity_type_t::FILE_ACTIVITY_CREATION, }) } @@ -130,6 +133,10 @@ impl Event { matches!(self.file, FileData::Creation(_)) } + pub fn is_dir_creation(&self) -> bool { + self.event_type == file_activity_type_t::DIR_ACTIVITY_CREATION + } + /// Unwrap the inner FileData and return the inode that triggered /// the event. /// @@ -259,6 +266,7 @@ impl TryFrom<&event_t> for Event { hostname: host_info::get_hostname(), process, file, + event_type: value.type_, }) } } diff --git a/fact/src/host_scanner.rs b/fact/src/host_scanner.rs index 36cacdef..f4598348 100644 --- a/fact/src/host_scanner.rs +++ b/fact/src/host_scanner.rs @@ -277,10 +277,13 @@ impl HostScanner { event.set_old_host_path(host_path); } - let event = Arc::new(event); - if let Err(e) = self.tx.send(event) { - self.metrics.events.dropped(); - warn!("Failed to send event: {e}"); + // Skip directory creation events - we track them internally but don't send to sensor + if !event.is_dir_creation() { + let event = Arc::new(event); + if let Err(e) = self.tx.send(event) { + self.metrics.events.dropped(); + warn!("Failed to send event: {e}"); + } } }, _ = scan_trigger.notified() => self.scan()?, diff --git a/tests/test_path_mkdir.py b/tests/test_path_mkdir.py index a3953e50..89fd3b72 100644 --- a/tests/test_path_mkdir.py +++ b/tests/test_path_mkdir.py @@ -34,13 +34,9 @@ def test_mkdir_nested(monitored_dir, server, dirname): with open(test_file, 'w') as f: f.write('nested content') + # Directory creation events are tracked internally but not sent to sensor + # Only the file creation event should be sent events = [ - Event(process=process, event_type=EventType.CREATION, - file=level1, host_path=level1), - Event(process=process, event_type=EventType.CREATION, - file=level2, host_path=level2), - Event(process=process, event_type=EventType.CREATION, - file=level3, host_path=level3), Event(process=process, event_type=EventType.CREATION, file=test_file, host_path=test_file), ] @@ -62,13 +58,19 @@ def test_mkdir_ignored(monitored_dir, ignored_dir, server): # Create directory in ignored path - should not be tracked ignored_subdir = os.path.join(ignored_dir, 'ignored_subdir') os.mkdir(ignored_subdir) + ignored_file = os.path.join(ignored_subdir, 'ignored.txt') + with open(ignored_file, 'w') as f: + f.write('ignored') # Create directory in monitored path - should be tracked monitored_subdir = os.path.join(monitored_dir, 'monitored_subdir') os.mkdir(monitored_subdir) + monitored_file = os.path.join(monitored_subdir, 'monitored.txt') + with open(monitored_file, 'w') as f: + f.write('monitored') - # Only the monitored directory should generate an event + # Only the monitored file should generate an event (directories are tracked internally) e = Event(process=process, event_type=EventType.CREATION, - file=monitored_subdir, host_path=monitored_subdir) + file=monitored_file, host_path=monitored_file) server.wait_events([e]) From 60b3962751b53e2e028e1e60c36bb3cfe11d0efb Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Tue, 7 Apr 2026 07:40:47 -0700 Subject: [PATCH 18/22] make format --- fact/src/event/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index 4b6cd041..55338e8e 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -314,8 +314,8 @@ impl FileData { let inner = BaseFileData::new(filename, inode, parent_inode)?; let file = match event_type { file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner), - file_activity_type_t::FILE_ACTIVITY_CREATION | - file_activity_type_t::DIR_ACTIVITY_CREATION => FileData::Creation(inner), + file_activity_type_t::FILE_ACTIVITY_CREATION + | file_activity_type_t::DIR_ACTIVITY_CREATION => FileData::Creation(inner), file_activity_type_t::FILE_ACTIVITY_UNLINK => FileData::Unlink(inner), file_activity_type_t::FILE_ACTIVITY_CHMOD => { let data = ChmodFileData { From 9a56abb4af38cdd0839ba27466f1a55d47702ef5 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 8 Apr 2026 08:57:44 -0700 Subject: [PATCH 19/22] Improved test Event constructor --- fact/src/event/mod.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index 55338e8e..c78c66a4 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -97,16 +97,16 @@ impl Event { inode: Default::default(), parent_inode: Default::default(), }; - let file = match data { - EventTestData::Creation => FileData::Creation(inner), - EventTestData::Unlink => FileData::Unlink(inner), + let (file, event_type) = match data { + EventTestData::Creation => (FileData::Creation(inner), file_activity_type_t::FILE_ACTIVITY_CREATION), + EventTestData::Unlink => (FileData::Unlink(inner), file_activity_type_t::FILE_ACTIVITY_UNLINK), EventTestData::Chmod(new_mode, old_mode) => { let data = ChmodFileData { inner, new_mode, old_mode, }; - FileData::Chmod(data) + (FileData::Chmod(data), file_activity_type_t::FILE_ACTIVITY_CHMOD) } EventTestData::Rename(old_path) => { let data = RenameFileData { @@ -116,7 +116,7 @@ impl Event { ..Default::default() }, }; - FileData::Rename(data) + (FileData::Rename(data), file_activity_type_t::FILE_ACTIVITY_RENAME) } }; @@ -125,7 +125,7 @@ impl Event { hostname, process, file, - event_type: file_activity_type_t::FILE_ACTIVITY_CREATION, + event_type, }) } From b61a1b86b90b4faae3e45210aac9196cd87f140e Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 8 Apr 2026 09:17:06 -0700 Subject: [PATCH 20/22] Remove is_dir_creation --- fact/src/event/mod.rs | 4 ++-- fact/src/host_scanner.rs | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index c78c66a4..1dfda01b 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -133,8 +133,8 @@ impl Event { matches!(self.file, FileData::Creation(_)) } - pub fn is_dir_creation(&self) -> bool { - self.event_type == file_activity_type_t::DIR_ACTIVITY_CREATION + pub(crate) fn event_type(&self) -> file_activity_type_t { + self.event_type } /// Unwrap the inner FileData and return the inode that triggered diff --git a/fact/src/host_scanner.rs b/fact/src/host_scanner.rs index f4598348..3596c1fc 100644 --- a/fact/src/host_scanner.rs +++ b/fact/src/host_scanner.rs @@ -278,7 +278,7 @@ impl HostScanner { } // Skip directory creation events - we track them internally but don't send to sensor - if !event.is_dir_creation() { + if event.event_type() != fact_ebpf::file_activity_type_t::DIR_ACTIVITY_CREATION { let event = Arc::new(event); if let Err(e) = self.tx.send(event) { self.metrics.events.dropped(); From f7c34cb5027846c0e32e3e95e03e3c77fa1818c6 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 8 Apr 2026 09:45:02 -0700 Subject: [PATCH 21/22] Removed unneeded S_ISDIR --- fact-ebpf/src/bpf/main.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c index 7fcfbc72..8ed07bac 100644 --- a/fact-ebpf/src/bpf/main.c +++ b/fact-ebpf/src/bpf/main.c @@ -19,12 +19,6 @@ char _license[] SEC("license") = "Dual MIT/GPL"; #define FMODE_PWRITE ((fmode_t)(1 << 4)) #define FMODE_CREATED ((fmode_t)(1 << 20)) -// File type constants from linux/stat.h -// https://github.com/torvalds/linux/blob/5619b098e2fbf3a23bf13d91897056a1fe238c6d/include/uapi/linux/stat.h -#define S_IFMT 00170000 -#define S_IFDIR 0040000 -#define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) - SEC("lsm/file_open") int BPF_PROG(trace_file_open, struct file* file) { struct metrics_t* m = get_metrics(); @@ -311,12 +305,6 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) { goto cleanup; } - umode_t mode = BPF_CORE_READ(inode, i_mode); - if (!S_ISDIR(mode)) { - m->d_instantiate.ignored++; - goto cleanup; - } - inode_key_t inode_key = inode_to_key(inode); if (inode_add(&inode_key) == 0) { From 752d064245245f118f7b37fc1bd249684390e8ed Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 8 Apr 2026 09:51:21 -0700 Subject: [PATCH 22/22] make format --- fact/src/event/mod.rs | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs index 1dfda01b..3405fd97 100644 --- a/fact/src/event/mod.rs +++ b/fact/src/event/mod.rs @@ -98,15 +98,24 @@ impl Event { parent_inode: Default::default(), }; let (file, event_type) = match data { - EventTestData::Creation => (FileData::Creation(inner), file_activity_type_t::FILE_ACTIVITY_CREATION), - EventTestData::Unlink => (FileData::Unlink(inner), file_activity_type_t::FILE_ACTIVITY_UNLINK), + EventTestData::Creation => ( + FileData::Creation(inner), + file_activity_type_t::FILE_ACTIVITY_CREATION, + ), + EventTestData::Unlink => ( + FileData::Unlink(inner), + file_activity_type_t::FILE_ACTIVITY_UNLINK, + ), EventTestData::Chmod(new_mode, old_mode) => { let data = ChmodFileData { inner, new_mode, old_mode, }; - (FileData::Chmod(data), file_activity_type_t::FILE_ACTIVITY_CHMOD) + ( + FileData::Chmod(data), + file_activity_type_t::FILE_ACTIVITY_CHMOD, + ) } EventTestData::Rename(old_path) => { let data = RenameFileData { @@ -116,7 +125,10 @@ impl Event { ..Default::default() }, }; - (FileData::Rename(data), file_activity_type_t::FILE_ACTIVITY_RENAME) + ( + FileData::Rename(data), + file_activity_type_t::FILE_ACTIVITY_RENAME, + ) } };