Attach to the chown LSM hook

Extend the event type with a union of type specific structs.

Author: ovalenti

fact-ebpf/build.rs

@@ -49,6 +49,7 @@ fn generate_bindings(out_dir: &Path) -> anyhow::Result<()> {
     let bindings = bindgen::Builder::default()
         .header("src/bpf/types.h")
         .derive_default(true)
+        .impl_debug(true)
         .parse_callbacks(Box::new(bindgen::CargoCallbacks::new()))
         .default_enum_style(bindgen::EnumVariation::NewType {
             is_bitfield: false,

fact-ebpf/src/bpf/events.h

@@ -7,7 +7,7 @@
 #include "types.h"
 #include "vmlinux.h"
 
-__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], struct dentry* dentry) {
+__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], struct dentry* dentry, union event_type_specific* specific) {
   struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
   if (event == NULL) {
     m->ringbuffer_full++;
@@ -34,6 +34,10 @@ __always_inline static void submit_event(struct metrics_by_hook_t* m, file_activ
     goto error;
   }
 
+  if (specific != NULL) {
+    bpf_probe_read_kernel(&event->u, sizeof(event->u), specific);
+  }
+
   m->added++;
   bpf_ringbuf_submit(event, 0);
   return;

fact-ebpf/src/bpf/file.h

@@ -77,3 +77,20 @@ __always_inline static bool is_monitored(struct bound_path_t* path) {
   path->len = len;
   return res;
 }
+
+__always_inline static int get_owner_uid_gid(struct dentry* dentry, unsigned int* uid, unsigned int* gid) {
+  struct inode* inode;
+
+  inode = BPF_CORE_READ(dentry, d_inode);
+  if (inode == NULL) {
+    return !0;
+  }
+
+  kuid_t kuid = BPF_CORE_READ(inode, i_uid);
+  kgid_t kgid = BPF_CORE_READ(inode, i_gid);
+
+  *uid = BPF_CORE_READ(&kuid, val);
+  *gid = BPF_CORE_READ(&kgid, val);
+
+  return 0;
+}

fact-ebpf/src/bpf/main.c

@@ -49,7 +49,7 @@ int BPF_PROG(trace_file_open, struct file* file) {
   }
 
   struct dentry* d = BPF_CORE_READ(file, f_path.dentry);
-  submit_event(&m->file_open, event_type, path->path, d);
+  submit_event(&m->file_open, event_type, path->path, d, NULL);
 
   return 0;
 
@@ -96,10 +96,46 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
     return 0;
   }
 
-  submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry);
+  submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry, NULL);
   return 0;
 
 error:
   m->path_unlink.error++;
   return 0;
 }
+
+SEC("lsm/path_chown")
+int BPF_PROG(trace_path_chown, struct path *path, unsigned long long uid, unsigned long long gid) {
+  struct metrics_t* m = get_metrics();
+  union event_type_specific specific = { 0 };
+  struct dentry* dentry;
+
+  m->path_chown.total++;
+
+  struct bound_path_t* bound_path = path_read(path);
+  if (bound_path == NULL) {
+    bpf_printk("Failed to read path");
+    goto error;
+  }
+
+  if (!is_monitored(bound_path)) {
+    m->path_chown.ignored++;
+    return 0;
+  }
+
+  dentry = BPF_CORE_READ(path, dentry);
+
+  specific.chown.new_ovner.uid = uid;
+  specific.chown.new_ovner.gid = gid;
+  if (get_owner_uid_gid(dentry, &specific.chown.prev_owner.uid, &specific.chown.prev_owner.uid)) {
+    bpf_printk("Failed to get owner uid/gid");
+    goto error;
+  }
+  
+  submit_event(&m->path_chown, FILE_ACTIVITY_CHOWN, bound_path->path, dentry, &specific);
+  return 0;
+
+error:
+  m->path_chown.error++;
+  return 0;
+}

fact-ebpf/src/bpf/types.h

@@ -37,6 +37,7 @@ typedef enum file_activity_type_t {
   FILE_ACTIVITY_OPEN = 0,
   FILE_ACTIVITY_CREATION,
   FILE_ACTIVITY_UNLINK,
+  FILE_ACTIVITY_CHOWN,
 } file_activity_type_t;
 
 struct event_t {
@@ -45,6 +46,14 @@ struct event_t {
   char filename[PATH_MAX];
   char host_file[PATH_MAX];
   file_activity_type_t type;
+  union event_type_specific {
+    struct {
+      struct {
+        unsigned int uid;
+        unsigned int gid;
+      } prev_owner, new_ovner;
+    } chown;
+  } u;
 };
 
 /**
@@ -73,4 +82,5 @@ struct metrics_by_hook_t {
 struct metrics_t {
   struct metrics_by_hook_t file_open;
   struct metrics_by_hook_t path_unlink;
+  struct metrics_by_hook_t path_chown;
 };