ROX-30437: resolve host path via inode tracking

Cargo.toml

@@ -4,6 +4,7 @@ members = [
     "fact",
     "fact-api",
     "fact-ebpf",
+    "fact-ffi",
 ]
 default-members = ["fact"]
 
@@ -14,6 +15,7 @@ license = "MIT OR Apache-2.0"
 aya = { version = "0.13.1", default-features = false }
 
 anyhow = { version = "1", default-features = false, features = ["std", "backtrace"] }
+cc = "1.2.46"
 clap = { version = "4.5.41", features = ["derive", "env"] }
 env_logger = { version = "0.11.5", default-features = false, features = ["humantime"] }
 http-body-util = "0.1.3"

fact-api/build.rs

@@ -1,6 +1,7 @@
 use anyhow::Context;
 
 fn main() -> anyhow::Result<()> {
+    println!("cargo::rerun-if-changed=../third_party/stackrox/");
     tonic_prost_build::configure()
         .build_server(false)
         .compile_protos(

fact-ebpf/src/bpf/events.h

@@ -7,7 +7,7 @@
 #include "types.h"
 #include "vmlinux.h"
 
-__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], struct dentry* dentry, bool use_bpf_d_path) {
+__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], const char* host_path, bool use_bpf_d_path) {
   struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
   if (event == NULL) {
     m->ringbuffer_full++;
@@ -18,14 +18,10 @@ __always_inline static void submit_event(struct metrics_by_hook_t* m, file_activ
   event->timestamp = bpf_ktime_get_boot_ns();
   bpf_probe_read_str(event->filename, PATH_MAX, filename);
 
-  struct helper_t* helper = get_helper();
-  if (helper == NULL) {
-    goto error;
-  }
-
-  const char* p = get_host_path(helper->buf, dentry);
-  if (p != NULL) {
-    bpf_probe_read_str(event->host_file, PATH_MAX, p);
+  if (host_path != NULL) {
+    bpf_probe_read_str(event->host_file, PATH_MAX, host_path);
+  } else {
+    event->host_file[0] = '\0';
   }
 
   int64_t err = process_fill(&event->process, use_bpf_d_path);

fact-ebpf/src/bpf/file.h

@@ -3,61 +3,13 @@
 // clang-format off
 #include "vmlinux.h"
 
-#include "bound_path.h"
-#include "builtins.h"
-#include "d_path.h"
 #include "types.h"
 #include "maps.h"
 
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_core_read.h>
 // clang-format on
 
-__always_inline static char* get_host_path(char buf[PATH_MAX * 2], struct dentry* d) {
-  int offset = PATH_MAX - 1;
-  buf[PATH_MAX - 1] = '\0';
-
-  for (int i = 0; i < 16 && offset > 0; i++) {
-    struct qstr d_name;
-    BPF_CORE_READ_INTO(&d_name, d, d_name);
-    if (d_name.name == NULL) {
-      break;
-    }
-
-    int len = d_name.len;
-    if (len <= 0 || len >= PATH_MAX) {
-      return NULL;
-    }
-
-    offset -= len;
-    if (offset <= 0) {
-      return NULL;
-    }
-
-    if (bpf_probe_read_kernel(&buf[offset], len, d_name.name) != 0) {
-      return NULL;
-    }
-
-    if (len == 1 && buf[offset] == '/') {
-      // Reached the root
-      offset++;
-      break;
-    }
-
-    offset--;
-    buf[offset] = '/';
-
-    struct dentry* parent = BPF_CORE_READ(d, d_parent);
-    // if we reached the root
-    if (parent == NULL || d == parent) {
-      break;
-    }
-    d = parent;
-  }
-
-  return &buf[offset];
-}
-
 __always_inline static bool is_monitored(struct bound_path_t* path) {
   if (!filter_by_prefix()) {
     // no path configured, allow all

fact-ebpf/src/bpf/main.c

@@ -37,19 +37,19 @@ int BPF_PROG(trace_file_open, struct file* file) {
     goto ignored;
   }
 
+  const char* host_path = bpf_inode_storage_get(&inode_store, file->f_inode, NULL, 0);
   struct bound_path_t* path = path_read(&file->f_path);
   if (path == NULL) {
     bpf_printk("Failed to read path");
     m->file_open.error++;
     return 0;
   }
 
-  if (!is_monitored(path)) {
+  if (host_path == NULL && !is_monitored(path)) {
     goto ignored;
   }
 
-  struct dentry* d = BPF_CORE_READ(file, f_path.dentry);
-  submit_event(&m->file_open, event_type, path->path, d, true);
+  submit_event(&m->file_open, event_type, path->path, host_path, true);
 
   return 0;
 
@@ -67,6 +67,7 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
 
   m->path_unlink.total++;
 
+  const char* host_path = bpf_inode_storage_get(&inode_store, dentry->d_inode, NULL, 0);
   struct bound_path_t* path = NULL;
   if (path_unlink_supports_bpf_d_path) {
     path = path_read(dir);
@@ -91,12 +92,12 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
       goto error;
   }
 
-  if (!is_monitored(path)) {
+  if (host_path == NULL && !is_monitored(path)) {
     m->path_unlink.ignored++;
     return 0;
   }
 
-  submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry, path_unlink_supports_bpf_d_path);
+  submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, host_path, path_unlink_supports_bpf_d_path);
   return 0;
 
 error:

fact-ebpf/src/bpf/maps.h

@@ -107,4 +107,12 @@ __always_inline static struct metrics_t* get_metrics() {
 uint64_t host_mount_ns;
 volatile const bool path_unlink_supports_bpf_d_path;
 
+struct {
+  __uint(type, BPF_MAP_TYPE_INODE_STORAGE);
+  __type(key, __u32);
+  __type(value, char[4096]);
+  __uint(max_entries, 0);
+  __uint(map_flags, BPF_F_NO_PREALLOC);
+} inode_store SEC(".maps");
+
 // clang-format on

fact-ebpf/src/bpf/process.h

@@ -1,6 +1,6 @@
 #pragma once
 
-#include "file.h"
+#include "d_path.h"
 #include "maps.h"
 #include "types.h"
 

fact-ffi/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "fact-ffi"
+version = "0.1.0"
+edition = "2021"
+
+license.workspace = true
+
+[lib]
+
+[dependencies]
+anyhow = { workspace = true }
+aya = { workspace = true }
+
+[build-dependencies]
+cc = { workspace = true }

fact-ffi/build.rs

@@ -0,0 +1,9 @@
+fn main() {
+    println!("cargo::rerun-if-changed=src/c/");
+    cc::Build::new()
+        .file("src/c/inode.c")
+        .opt_level(2)
+        .warnings_into_errors(true)
+        .warnings(true)
+        .compile("inode");
+}

fact-ffi/src/c/inode.c

@@ -0,0 +1,36 @@
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <linux/bpf.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+
+int32_t add_path(int32_t map_fd, const char* path, const char* host_path) {
+  int fd = open(path, O_RDONLY);
+  if (fd <= 0) {
+    fprintf(stderr, "%s:%d - open error: %d\n", __FILE__, __LINE__, errno);
+    return errno;
+  }
+
+  char buf[4096];
+  snprintf(buf, 4096, "%s", host_path);
+
+  union bpf_attr attr;
+  memset(&attr, 0, sizeof(attr));
+  attr.map_fd = map_fd;
+  attr.key = (unsigned long long)&fd;
+  attr.value = (unsigned long long)buf;
+  attr.flags = BPF_NOEXIST;
+
+  long res = syscall(SYS_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
+  if (res == -EEXIST) {
+    res = 0;
+  }
+
+  close(fd);
+  return res;
+}

fact-ffi/src/inode_store.rs

@@ -0,0 +1,33 @@
+use std::{
+    ffi::{c_char, CString},
+    os::fd::{AsFd, AsRawFd},
+    path::Path,
+};
+
+use aya::maps::MapData;
+
+#[link(name = "inode")]
+unsafe extern "C" {
+    fn add_path(map_fd: i32, path: *const c_char, host_path: *const c_char) -> i32;
+}
+
+fn path_to_cstring(path: &Path) -> anyhow::Result<CString> {
+    let path = path.as_os_str().to_string_lossy();
+    Ok(CString::new(path.to_string())?)
+}
+
+pub fn try_add_path(
+    inode_store: &mut MapData,
+    path: &Path,
+    host_path: &Path,
+) -> anyhow::Result<()> {
+    let path = path_to_cstring(path)?;
+    let host_path = path_to_cstring(host_path)?;
+    let fd = inode_store.fd().as_fd().as_raw_fd();
+    let res = unsafe { add_path(fd, path.as_ptr(), host_path.as_ptr()) };
+
+    if res != 0 {
+        anyhow::bail!("Failed to add inode: {res}");
+    }
+    Ok(())
+}

fact-ffi/src/lib.rs

@@ -0,0 +1 @@
+pub mod inode_store;

fact/Cargo.toml

@@ -28,6 +28,7 @@ yaml-rust2 = { workspace = true }
 
 fact-api = { path = "../fact-api" }
 fact-ebpf = { path = "../fact-ebpf" }
+fact-ffi = { path = "../fact-ffi" }
 
 [dev-dependencies]
 tempfile = { workspace = true }

fact/src/bpf/checks.rs

@@ -9,6 +9,7 @@ pub(super) struct Checks {
 impl Checks {
     pub(super) fn new(btf: &Btf) -> anyhow::Result<Self> {
         let mut obj = aya::EbpfLoader::new()
+            .allow_unsupported_maps()
             .load(fact_ebpf::CHECKS_OBJ)
             .context("Failed to load checks.o")?;