File system monitor improvements #68

Merged
merged 9 commits into from
Oct 6, 2022
@MatteoNardi MatteoNardi commented Sep 26, 2022

New events: file rename, directory creation, directory deletion, symbolic link, hard link

Hook into LSM path_rename, path_rmdir, path_mkdir, path_link and path_symlink. As usual, we use kprobes as a fallback.

Fix #64 and #67

Fix bug #11

I fixed bug #11 by using the LSM hooks accepting a path argument. This requires the CONFIG_SECURITY_PATH config variable.
Unify the two path extraction functions to require a struct path*.

I have

  • run cargo fmt;
  • run cargo clippy;
  • run cargo test and all tests pass;
  • linked to the originating issue (if applicable).

@MatteoNardi MatteoNardi changed the title new(file-system-monitor): add symbolic and hard links support File system monitor improvements Sep 27, 2022
@MatteoNardi MatteoNardi marked this pull request as ready for review September 28, 2022 13:17
Base automatically changed from compatiblity_fixes to main October 6, 2022 15:51
Hook into LSM `path_link` and `path_symlink` to get events about new
symbolic and hard links. As usual, we use kprobes as a fallback.

Refactor `get_path_str` to accept the `struct vfsmount *` as a second
parameter. This allows using a single version of the function, which
can be used both for `struct dentry` and `struct path`.

Fix #64
This fixes path resolution across mount points for the delete event.

Ref #11
This fixes path resolution across mount points for the create event.

Fix #11
This macro makes it easy to hook into LSM attach points, keeping a kprobe
fallback.
PULSAR_LSM_HOOK(hook_point, args) will attach to `lsm/<hook_point>` and
`kprobe/security_<hook_point>`. It calls function `on_<hook_point>`, which
must be defined by the user and accept the specified args.

Example:
```c
PULSAR_LSM_HOOK(file_open, struct file *, file);
```

Expands to:

```c
SEC("lsm/file_open")
int BPF_PROG(file_open, struct file *file, int ret) {
  on_file_open(ctx, file);
  return ret;
}

SEC("kprobe/security_file_open")
int BPF_KPROBE(security_file_open, struct file *file) {
  on_file_open(ctx, file);
  return 0;
}
```
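
An added example (not part of the pull request or Pulsar's code): a host-side check of the kernel prerequisites mentioned above, `CONFIG_SECURITY_PATH` and the LSM/kprobe choice. It assumes the LSM attach is usable when `CONFIG_BPF_LSM=y` and `bpf` is in the active LSM list, and that the kprobe fallback applies otherwise; `parse_kconfig`, `hook_mode`, `read_host` and the sample configs are constructed for illustration.

```python
import gzip
import os
import re

# Constructed sample kernel configs (not taken from any real host).
SAMPLE_FULL = "CONFIG_KPROBES=y\nCONFIG_SECURITY_PATH=y\nCONFIG_BPF_LSM=y\n"
SAMPLE_NO_PATH = "CONFIG_KPROBES=y\n# CONFIG_SECURITY_PATH is not set\nCONFIG_BPF_LSM=y\n"

def parse_kconfig(text):
    """Map each CONFIG_ option to its value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"(CONFIG_\w+)=(.*)", line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := re.fullmatch(r"# (CONFIG_\w+) is not set", line):
            opts[m.group(1)] = "n"
    return opts

def hook_mode(kconfig_text, active_lsms):
    """Return 'lsm', 'kprobe' or 'unavailable' for the path_* hook points."""
    opts = parse_kconfig(kconfig_text)
    # Without CONFIG_SECURITY_PATH the security_path_* functions are compiled
    # out, so neither the LSM hook nor the kprobe has anything to attach to.
    if opts.get("CONFIG_SECURITY_PATH") != "y":
        return "unavailable"
    lsms = {name.strip() for name in active_lsms.split(",")}
    # Assumption: the LSM attach is used only when BPF LSM is built and active.
    if opts.get("CONFIG_BPF_LSM") == "y" and "bpf" in lsms:
        return "lsm"
    return "kprobe" if opts.get("CONFIG_KPROBES") == "y" else "unavailable"

def read_host():
    """Read the running kernel's config and active LSM list (Linux only)."""
    boot = f"/boot/config-{os.uname().release}"
    if os.path.exists(boot):
        with open(boot) as f:
            kconfig = f.read()
    else:
        with gzip.open("/proc/config.gz", "rt") as f:
            kconfig = f.read()
    with open("/sys/kernel/security/lsm") as f:
        return kconfig, f.read()

if __name__ == "__main__":
    # Uses the constructed sample so the script runs offline.
    print(hook_mode(SAMPLE_FULL, "lockdown,capability,yama,bpf"))
```

On a real host, pass the two values from `read_host()` to `hook_mode()` instead of the sample strings.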
Successfully merging this pull request may close these issues.

fs-monitor: add an event for link and unlink syscalls