ROX-33218: Instrument inode tracking on directory being deleted (#530)

Author: JoukoVirtanen

fact-ebpf/src/bpf/events.h

@@ -131,3 +131,12 @@ __always_inline static void submit_mkdir_event(struct submit_event_args_t* args)
   // d_instantiate doesn't support bpf_d_path, so we use false and rely on the stashed path from path_mkdir
   __submit_event(args, false);
 }
+
+__always_inline static void submit_rmdir_event(struct submit_event_args_t* args) {
+  if (!reserve_event(args)) {
+    return;
+  }
+  args->event->type = DIR_ACTIVITY_UNLINK;
+
+  __submit_event(args, path_hooks_support_bpf_d_path);
+}

fact-ebpf/src/bpf/main.c

@@ -326,3 +326,34 @@ int BPF_PROG(trace_d_instantiate, struct dentry* dentry, struct inode* inode) {
   bpf_map_delete_elem(&mkdir_context, &pid_tgid);
   return 0;
 }
+
+SEC("lsm/path_rmdir")
+int BPF_PROG(trace_path_rmdir, struct path* dir, struct dentry* dentry) {
+  struct metrics_t* m = get_metrics();
+  if (m == NULL) {
+    return 0;
+  }
+  struct submit_event_args_t args = {.metrics = &m->path_rmdir};
+
+  args.metrics->total++;
+
+  struct bound_path_t* path = path_read_append_d_entry(dir, dentry);
+  if (path == NULL) {
+    bpf_printk("Failed to read directory path");
+    m->path_rmdir.error++;
+    return 0;
+  }
+  args.filename = path->path;
+
+  args.inode = inode_to_key(dentry->d_inode);
+
+  if (is_monitored(&args.inode, path, NULL) == NOT_MONITORED) {
+    m->path_rmdir.ignored++;
+    return 0;
+  }
+
+  inode_remove(&args.inode);
+
+  submit_rmdir_event(&args);
+  return 0;
+}

fact-ebpf/src/bpf/types.h

@@ -56,6 +56,7 @@ typedef enum file_activity_type_t {
   FILE_ACTIVITY_CHOWN,
   FILE_ACTIVITY_RENAME,
   DIR_ACTIVITY_CREATION,
+  DIR_ACTIVITY_UNLINK,
 } file_activity_type_t;
 
 struct event_t {
@@ -120,4 +121,5 @@ struct metrics_t {
   struct metrics_by_hook_t path_rename;
   struct metrics_by_hook_t path_mkdir;
   struct metrics_by_hook_t d_instantiate;
+  struct metrics_by_hook_t path_rmdir;
 };

fact-ebpf/src/lib.rs

@@ -126,6 +126,7 @@ impl metrics_t {
         m.path_chown = m.path_chown.accumulate(&other.path_chown);
         m.path_rename = m.path_rename.accumulate(&other.path_rename);
         m.path_mkdir = m.path_mkdir.accumulate(&other.path_mkdir);
+        m.path_rmdir = m.path_rmdir.accumulate(&other.path_rmdir);
         m.d_instantiate = m.d_instantiate.accumulate(&other.d_instantiate);
         m
     }

fact/src/event/mod.rs

@@ -134,8 +134,12 @@ impl Event {
         matches!(self.file, FileData::MkDir(_))
     }
 
-    pub fn is_unlink(&self) -> bool {
-        matches!(self.file, FileData::Unlink(_))
+    pub fn is_rmdir(&self) -> bool {
+        matches!(self.file, FileData::RmDir(_))
+    }
+
+    pub fn is_deletion(&self) -> bool {
+        matches!(self.file, FileData::Unlink(_) | FileData::RmDir(_))
     }
 
     /// Unwrap the inner FileData and return the inode that triggered
@@ -148,6 +152,7 @@ impl Event {
             FileData::Open(data) => &data.inode,
             FileData::Creation(data) => &data.inode,
             FileData::MkDir(data) => &data.inode,
+            FileData::RmDir(data) => &data.inode,
             FileData::Unlink(data) => &data.inode,
             FileData::Chmod(data) => &data.inner.inode,
             FileData::Chown(data) => &data.inner.inode,
@@ -161,6 +166,7 @@ impl Event {
             FileData::Open(data) => &data.parent_inode,
             FileData::Creation(data) => &data.parent_inode,
             FileData::MkDir(data) => &data.parent_inode,
+            FileData::RmDir(data) => &data.parent_inode,
             FileData::Unlink(data) => &data.parent_inode,
             FileData::Chmod(data) => &data.inner.parent_inode,
             FileData::Chown(data) => &data.inner.parent_inode,
@@ -183,6 +189,7 @@ impl Event {
             FileData::Open(data) => &data.filename,
             FileData::Creation(data) => &data.filename,
             FileData::MkDir(data) => &data.filename,
+            FileData::RmDir(data) => &data.filename,
             FileData::Unlink(data) => &data.filename,
             FileData::Chmod(data) => &data.inner.filename,
             FileData::Chown(data) => &data.inner.filename,
@@ -202,6 +209,7 @@ impl Event {
             FileData::Open(data) => &data.host_file,
             FileData::Creation(data) => &data.host_file,
             FileData::MkDir(data) => &data.host_file,
+            FileData::RmDir(data) => &data.host_file,
             FileData::Unlink(data) => &data.host_file,
             FileData::Chmod(data) => &data.inner.host_file,
             FileData::Chown(data) => &data.inner.host_file,
@@ -218,6 +226,7 @@ impl Event {
             FileData::Open(data) => data.host_file = host_path,
             FileData::Creation(data) => data.host_file = host_path,
             FileData::MkDir(data) => data.host_file = host_path,
+            FileData::RmDir(data) => data.host_file = host_path,
             FileData::Unlink(data) => data.host_file = host_path,
             FileData::Chmod(data) => data.inner.host_file = host_path,
             FileData::Chown(data) => data.inner.host_file = host_path,
@@ -303,6 +312,7 @@ pub enum FileData {
     Open(BaseFileData),
     Creation(BaseFileData),
     MkDir(BaseFileData),
+    RmDir(BaseFileData),
     Unlink(BaseFileData),
     Chmod(ChmodFileData),
     Chown(ChownFileData),
@@ -322,6 +332,7 @@ impl FileData {
             file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner),
             file_activity_type_t::FILE_ACTIVITY_CREATION => FileData::Creation(inner),
             file_activity_type_t::DIR_ACTIVITY_CREATION => FileData::MkDir(inner),
+            file_activity_type_t::DIR_ACTIVITY_UNLINK => FileData::RmDir(inner),
             file_activity_type_t::FILE_ACTIVITY_UNLINK => FileData::Unlink(inner),
             file_activity_type_t::FILE_ACTIVITY_CHMOD => {
                 let data = ChmodFileData {
@@ -373,6 +384,9 @@ impl From<FileData> for fact_api::file_activity::File {
             FileData::MkDir(_) => {
                 unreachable!("MkDir event reached protobuf conversion");
             }
+            FileData::RmDir(_) => {
+                unreachable!("RmDir event reached protobuf conversion");
+            }
             FileData::Unlink(event) => {
                 let activity = Some(fact_api::FileActivityBase::from(event));
                 let f_act = fact_api::FileUnlink { activity };
@@ -401,6 +415,7 @@ impl PartialEq for FileData {
             (FileData::Open(this), FileData::Open(other)) => this == other,
             (FileData::Creation(this), FileData::Creation(other)) => this == other,
             (FileData::MkDir(this), FileData::MkDir(other)) => this == other,
+            (FileData::RmDir(this), FileData::RmDir(other)) => this == other,
             (FileData::Unlink(this), FileData::Unlink(other)) => this == other,
             (FileData::Chmod(this), FileData::Chmod(other)) => this == other,
             (FileData::Rename(this), FileData::Rename(other)) => this == other,

fact/src/host_scanner.rs

@@ -291,12 +291,12 @@ impl HostScanner {
                         }
 
                         // Remove inode from the map
-                        if event.is_unlink() {
+                        if event.is_deletion() {
                             self.handle_unlink_event(&event);
                         }
 
-                        // Skip directory creation events - we track them internally but don't send to sensor
-                        if event.is_mkdir() {
+                        // Skip directory creation and deletion events - we track them internally but don't send to sensor
+                        if event.is_mkdir() || event.is_rmdir() {
                             continue;
                         }
 

fact/src/metrics/kernel_metrics.rs

@@ -14,6 +14,7 @@ pub struct KernelMetrics {
     path_chown: EventCounter,
     path_rename: EventCounter,
     path_mkdir: EventCounter,
+    path_rmdir: EventCounter,
     d_instantiate: EventCounter,
     map: PerCpuArray<MapData, metrics_t>,
 }
@@ -50,6 +51,11 @@ impl KernelMetrics {
             "Events processed by the path_mkdir LSM hook",
             &[], // Labels are not needed since `collect` will add them all
         );
+        let path_rmdir = EventCounter::new(
+            "kernel_path_rmdir_events",
+            "Events processed by the path_rmdir LSM hook",
+            &[], // Labels are not needed since `collect` will add them all
+        );
         let d_instantiate = EventCounter::new(
             "kernel_d_instantiate_events",
             "Events processed by the d_instantiate LSM hook",
@@ -62,6 +68,7 @@ impl KernelMetrics {
         path_chown.register(reg);
         path_rename.register(reg);
         path_mkdir.register(reg);
+        path_rmdir.register(reg);
         d_instantiate.register(reg);
 
         KernelMetrics {
@@ -71,6 +78,7 @@ impl KernelMetrics {
             path_chown,
             path_rename,
             path_mkdir,
+            path_rmdir,
             d_instantiate,
             map: kernel_metrics,
         }
@@ -122,6 +130,7 @@ impl KernelMetrics {
         KernelMetrics::refresh_labels(&self.path_chown, &metrics.path_chown);
         KernelMetrics::refresh_labels(&self.path_rename, &metrics.path_rename);
         KernelMetrics::refresh_labels(&self.path_mkdir, &metrics.path_mkdir);
+        KernelMetrics::refresh_labels(&self.path_rmdir, &metrics.path_rmdir);
         KernelMetrics::refresh_labels(&self.d_instantiate, &metrics.d_instantiate);
 
         Ok(())