ROX-30437: basic inode tracking for host path resolution (#166)

* ROX-30437: basic inode tracking for host path resolution

This is a very basic implementation of inode tracking meant to be used
in the upcoming release and improved upon in the near future.

The current implementation will perform a scan of the paths that are
configured to be monitored, using the inode and device numbers as a key
to two maps:
- A BPF hash map for kernelspace to know when an inode triggers an
  event.
- A HashMap in userspace that maps the inode to a path that we found the
  inode at.

With these two maps we are able to confidently emit events for files
that are mounted into containers with paths that don't necessarily match
the prefixes configured for monitoring and, at a later stage in
userspace, add the path on the host to the event itself.

The implemented approach is far from complete, it will only work as long
as the files found during the initial scan are not moved, deleted or
replaced by a different file. Future patches will extend the
functionality of both kernel and userspace to be able to catch more
corner cases.

* ROX-30437: add integration tests

Added tests will validate events generated on an overlayfs file properly
shows the event on the upper layer and the access to the underlying FS.
They also validate a mounted path on a container resolves to the correct
host path.

While developing these tests, it became painfully obvious getting the
information of the process running inside the container is not
straightforward. Because containers tend to be fairly static, we should
be able to manually create the information statically in the test and
still have everything work correctly. In order to minimize the amount of
changes on existing tests, the default Process constructor now takes
fields directly and there is a from_proc class method that builds a new
Process object from /proc. Additionally, getting the pid of a process in
a container is virtually impossible, so we make the pid check optional.

* ROX-30437: fix k8s manifest for inode tracking

* chore: general cleanups

* Added a missing null check.
* Added missing doc strings.
* Downgrade inode and dev numbers to 32 bits.
* Added some logging statements.

* Small comment on char vs bool

Author: Molter73

Cargo.lock

@@ -10,6 +10,7 @@ license.workspace = true
 [dependencies]
 aya = { workspace = true }
 libc = { workspace = true }
+serde = { workspace = true }
 
 [build-dependencies]
 anyhow = { workspace = true }

fact-ebpf/Cargo.toml

@@ -1,13 +1,21 @@
 #pragma once
 
-#include <bpf/bpf_helpers.h>
+// clang-format off
+#include "vmlinux.h"
 
+#include "inode.h"
 #include "maps.h"
 #include "process.h"
 #include "types.h"
-#include "vmlinux.h"
 
-__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], struct dentry* dentry, bool use_bpf_d_path) {
+#include <bpf/bpf_helpers.h>
+// clang-format on
+
+__always_inline static void submit_event(struct metrics_by_hook_t* m,
+                                         file_activity_type_t event_type,
+                                         const char filename[PATH_MAX],
+                                         inode_key_t* inode,
+                                         bool use_bpf_d_path) {
   struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
   if (event == NULL) {
     m->ringbuffer_full++;
@@ -16,18 +24,14 @@ __always_inline static void submit_event(struct metrics_by_hook_t* m, file_activ
 
   event->type = event_type;
   event->timestamp = bpf_ktime_get_boot_ns();
+  inode_copy_or_reset(&event->inode, inode);
   bpf_probe_read_str(event->filename, PATH_MAX, filename);
 
   struct helper_t* helper = get_helper();
   if (helper == NULL) {
     goto error;
   }
 
-  const char* p = get_host_path(helper->buf, dentry);
-  if (p != NULL) {
-    bpf_probe_read_str(event->host_file, PATH_MAX, p);
-  }
-
   int64_t err = process_fill(&event->process, use_bpf_d_path);
   if (err) {
     bpf_printk("Failed to fill process information: %d", err);

fact-ebpf/src/bpf/builtins.h

@@ -3,61 +3,14 @@
 // clang-format off
 #include "vmlinux.h"
 
-#include "bound_path.h"
 #include "builtins.h"
-#include "d_path.h"
 #include "types.h"
 #include "maps.h"
 
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_core_read.h>
 // clang-format on
 
-__always_inline static char* get_host_path(char buf[PATH_MAX * 2], struct dentry* d) {
-  int offset = PATH_MAX - 1;
-  buf[PATH_MAX - 1] = '\0';
-
-  for (int i = 0; i < 16 && offset > 0; i++) {
-    struct qstr d_name;
-    BPF_CORE_READ_INTO(&d_name, d, d_name);
-    if (d_name.name == NULL) {
-      break;
-    }
-
-    int len = d_name.len;
-    if (len <= 0 || len >= PATH_MAX) {
-      return NULL;
-    }
-
-    offset -= len;
-    if (offset <= 0) {
-      return NULL;
-    }
-
-    if (bpf_probe_read_kernel(&buf[offset], len, d_name.name) != 0) {
-      return NULL;
-    }
-
-    if (len == 1 && buf[offset] == '/') {
-      // Reached the root
-      offset++;
-      break;
-    }
-
-    offset--;
-    buf[offset] = '/';
-
-    struct dentry* parent = BPF_CORE_READ(d, d_parent);
-    // if we reached the root
-    if (parent == NULL || d == parent) {
-      break;
-    }
-    d = parent;
-  }
-
-  return &buf[offset];
-}
-
 __always_inline static bool is_monitored(struct bound_path_t* path) {
   if (!filter_by_prefix()) {
     // no path configured, allow all

fact-ebpf/src/bpf/events.h

@@ -0,0 +1,108 @@
+#pragma once
+
+// clang-format off
+#include "vmlinux.h"
+
+#include "kdev.h"
+#include "types.h"
+#include "maps.h"
+
+#include <bpf/bpf_core_read.h>
+#include <bpf/bpf_helpers.h>
+// clang-format on
+
+#define BTRFS_SUPER_MAGIC 0x9123683E
+
+/**
+ * Retrieve the inode and device numbers and return them as a new key.
+ *
+ * Different filesystems may `stat` files in different ways, if support
+ * for a new filesystem is needed, add it here.
+ *
+ * Most Linux filesystems use the following generic function to fill
+ * these fields when running `stat`:
+ * https://github.com/torvalds/linux/blob/7d0a66e4bb9081d75c82ec4957c50034cb0ea449/fs/stat.c#L82
+ *
+ * The method used to retrieve the device is different in btrfs and can
+ * be found here:
+ * https://github.com/torvalds/linux/blob/7d0a66e4bb9081d75c82ec4957c50034cb0ea449/fs/btrfs/inode.c#L8038
+ */
+__always_inline static inode_key_t inode_to_key(struct inode* inode) {
+  inode_key_t key = {0};
+  if (inode == NULL) {
+    return key;
+  }
+
+  unsigned long magic = inode->i_sb->s_magic;
+  switch (magic) {
+    case BTRFS_SUPER_MAGIC:
+      if (bpf_core_type_exists(struct btrfs_inode)) {
+        struct btrfs_inode* btrfs_inode = container_of(inode, struct btrfs_inode, vfs_inode);
+        key.inode = inode->i_ino;
+        key.dev = BPF_CORE_READ(btrfs_inode, root, anon_dev);
+        break;
+      }
+    // If the btrfs_inode does not exist, most likely it is not
+    // supported on the system. Fallback to the generic implementation
+    // just in case.
+    default:
+      key.inode = inode->i_ino;
+      key.dev = inode->i_sb->s_dev;
+      break;
+  }
+
+  // Encode the device so it matches with the result of `stat` in
+  // userspace
+  key.dev = new_encode_dev(key.dev);
+
+  return key;
+}
+
+__always_inline static inode_value_t* inode_get(struct inode_key_t* inode) {
+  if (inode == NULL) {
+    return NULL;
+  }
+  return bpf_map_lookup_elem(&inode_map, inode);
+}
+
+__always_inline static long inode_remove(struct inode_key_t* inode) {
+  if (inode == NULL) {
+    return 0;
+  }
+  return bpf_map_delete_elem(&inode_map, inode);
+}
+
+typedef enum inode_monitored_t {
+  NOT_MONITORED = 0,
+  MONITORED,
+} inode_monitored_t;
+
+/**
+ * Check if the provided inode is being monitored.
+ *
+ * The current implementation is very basic and might seem like
+ * overkill, but in the near future this function will be extended to
+ * check if the parent of the provided inode is monitored and provide
+ * different results for handling more complicated scenarios.
+ */
+__always_inline static inode_monitored_t inode_is_monitored(const inode_value_t* inode) {
+  if (inode != NULL) {
+    return MONITORED;
+  }
+
+  return NOT_MONITORED;
+}
+
+__always_inline static void inode_copy_or_reset(inode_key_t* dst, const inode_key_t* src) {
+  if (dst == NULL) {
+    return;
+  }
+
+  if (src != NULL) {
+    dst->inode = src->inode;
+    dst->dev = src->dev;
+  } else {
+    dst->inode = 0;
+    dst->dev = 0;
+  }
+}

fact-ebpf/src/bpf/file.h

@@ -0,0 +1,22 @@
+#pragma once
+
+// clang-format off
+#include "vmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+// clang-format on
+
+// Most of the code in this file is taken from:
+// https://github.com/torvalds/linux/blob/559e608c46553c107dbba19dae0854af7b219400/include/linux/kdev_t.h
+
+#define MINORBITS 20
+#define MINORMASK ((1U << MINORBITS) - 1)
+
+#define MAJOR(dev) ((unsigned int)((dev) >> MINORBITS))
+#define MINOR(dev) ((unsigned int)((dev) & MINORMASK))
+
+__always_inline static u32 new_encode_dev(dev_t dev) {
+  unsigned major = MAJOR(dev);
+  unsigned minor = MINOR(dev);
+  return (minor & 0xff) | (major << 8) | ((minor & ~0xff) << 12);
+}

fact-ebpf/src/bpf/inode.h

@@ -3,7 +3,7 @@
 
 #include "file.h"
 #include "types.h"
-#include "process.h"
+#include "inode.h"
 #include "maps.h"
 #include "events.h"
 #include "bound_path.h"
@@ -44,12 +44,19 @@ int BPF_PROG(trace_file_open, struct file* file) {
     return 0;
   }
 
-  if (!is_monitored(path)) {
-    goto ignored;
+  inode_key_t inode_key = inode_to_key(file->f_inode);
+  const inode_value_t* inode = inode_get(&inode_key);
+  switch (inode_is_monitored(inode)) {
+    case NOT_MONITORED:
+      if (!is_monitored(path)) {
+        goto ignored;
+      }
+      break;
+    case MONITORED:
+      break;
   }
 
-  struct dentry* d = BPF_CORE_READ(file, f_path.dentry);
-  submit_event(&m->file_open, event_type, path->path, d, true);
+  submit_event(&m->file_open, event_type, path->path, &inode_key, true);
 
   return 0;
 
@@ -91,12 +98,27 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
       goto error;
   }
 
-  if (!is_monitored(path)) {
-    m->path_unlink.ignored++;
-    return 0;
+  inode_key_t inode_key = inode_to_key(dentry->d_inode);
+  const inode_value_t* inode = inode_get(&inode_key);
+
+  switch (inode_is_monitored(inode)) {
+    case NOT_MONITORED:
+      if (!is_monitored(path)) {
+        m->path_unlink.ignored++;
+        return 0;
+      }
+      break;
+
+    case MONITORED:
+      inode_remove(&inode_key);
+      break;
   }
 
-  submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry, path_unlink_supports_bpf_d_path);
+  submit_event(&m->path_unlink,
+               FILE_ACTIVITY_UNLINK,
+               path->path,
+               &inode_key,
+               path_unlink_supports_bpf_d_path);
   return 0;
 
 error:

fact-ebpf/src/bpf/kdev.h

@@ -92,6 +92,13 @@ struct {
   __uint(max_entries, 8 * 1024 * 1024);
 } rb SEC(".maps");
 
+struct {
+  __uint(type, BPF_MAP_TYPE_HASH);
+  __type(key, inode_key_t);
+  __type(value, inode_value_t);
+  __uint(max_entries, 1024);
+} inode_map SEC(".maps");
+
 struct {
   __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
   __type(key, __u32);

fact-ebpf/src/bpf/main.c

@@ -1,12 +1,12 @@
 #pragma once
 
-#include "file.h"
-#include "maps.h"
-#include "types.h"
-
 // clang-format off
 #include "vmlinux.h"
 
+#include "d_path.h"
+#include "maps.h"
+#include "types.h"
+
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_core_read.h>
 // clang-format on