feat: use BPF_MAP_TYPE_INODE_STORAGE for ignored cache

Molter73 · Molter73 · commit 08e05bd353e7 · 2025-10-06T15:04:12.000+02:00
Whenever we find a file that we should ignore based on its path, we can
attach a byte to its inode so that we will know on future accesses that
the file should be ignored before we do any sort of processing on our
hooks. Because the information is attached to the inode itself, when the
inode is removed, the storage will be cleaned up on its own. A re-used
pointer to an inode should also not cause false hits, since this is
specific to the inode we attached to and should go away when the inode
is freed.
diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c
@@ -34,6 +34,10 @@ int BPF_PROG(trace_file_open, struct file* file) {
     goto ignored;
   }
 
+  if (is_ignored(file->f_path.dentry->d_inode)) {
+    goto ignored;
+  }
+
   struct bound_path_t* path = path_read(&file->f_path);
   if (path == NULL) {
     bpf_printk("Failed to read path");
@@ -42,6 +46,7 @@ int BPF_PROG(trace_file_open, struct file* file) {
   }
 
   if (!is_monitored(path)) {
+    add_ignored(file->f_path.dentry->d_inode);
     goto ignored;
   }
 
@@ -61,6 +66,10 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
 
   m->path_unlink.total++;
 
+  if (is_ignored(dentry->d_inode)) {
+    goto ignored;
+  }
+
   struct bound_path_t* path = path_read(dir);
   if (path == NULL) {
     bpf_printk("Failed to read path");
@@ -80,8 +89,7 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
   }
 
   if (!is_monitored(path)) {
-    m->path_unlink.ignored++;
-    return 0;
+    goto ignored;
   }
 
   submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry);
@@ -90,4 +98,8 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
 error:
   m->path_unlink.error++;
   return 0;
+
+ignored:
+  m->path_unlink.ignored++;
+  return 0;
 }
diff --git a/fact-ebpf/src/bpf/maps.h b/fact-ebpf/src/bpf/maps.h
@@ -85,4 +85,20 @@ __always_inline static struct metrics_t* get_metrics() {
 
 uint64_t host_mount_ns;
 
+struct {
+  __uint(type, BPF_MAP_TYPE_INODE_STORAGE);
+  __type(key, unsigned int);
+  __type(value, char);
+  __uint(max_entries, 0);
+  __uint(map_flags, BPF_F_NO_PREALLOC);
+} ignored SEC(".maps");
+
+__always_inline static void add_ignored(struct inode* inode) {
+  bpf_inode_storage_get(&ignored, inode, NULL, BPF_LOCAL_STORAGE_GET_F_CREATE);
+}
+
+__always_inline static bool is_ignored(struct inode* inode) {
+  return bpf_inode_storage_get(&ignored, inode, NULL, 0) != NULL;
+}
+
 // clang-format on
diff --git a/fact/src/bpf.rs b/fact/src/bpf.rs
@@ -42,6 +42,7 @@ impl Bpf {
             )
             .set_global("host_mount_ns", &host_info::get_host_mount_ns(), true)
             .set_max_entries(RINGBUFFER_NAME, config.ringbuf_size() * 1024)
+            .allow_unsupported_maps()
             .load(fact_ebpf::EBPF_OBJ)?;
 
         let ringbuf = match obj.take_map(RINGBUFFER_NAME) {

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ impl Bpf {`
`42`	`42`	`)`
`43`	`43`	`.set_global("host_mount_ns", &host_info::get_host_mount_ns(), true)`
`44`	`44`	`.set_max_entries(RINGBUFFER_NAME, config.ringbuf_size() * 1024)`
	`45`	`+ .allow_unsupported_maps()`
`45`	`46`	`.load(fact_ebpf::EBPF_OBJ)?;`
`46`	`47`
`47`	`48`	`let ringbuf = match obj.take_map(RINGBUFFER_NAME) {`