refactor: clean up BPF hooks (#91)

* refactor: clean up BPF hooks

This patch makes some refactorings to the LSM hooks to reduce duplicated
code and overall simplify the complexity of them.

* Add a submit_event function that handles reserving a ringbuffer event
  and submitting it.
* Add path_write for reading struct path as string into
  path_cfg_helper_t type.
* Add path_append_dentry for easily appending dentry names to a buffer.
* Move length logic for LPM TRIE maps to the is_monitored function.
* Add simple getter functions for infallible map lookups.
* Add path_write_char for simple and safe access to write a single char
  in a path buffer.

* Rename path_cfg_helper_t to bound_path_t

Also moved some logic for interacting with bound_path_t to a separate
bound_path.h header.

Author: Molter73

fact-ebpf/src/bpf/bound_path.h

@@ -0,0 +1,62 @@
+#pragma once
+
+// clang-format off
+#include "types.h"
+#include "maps.h"
+
+#include "vmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_core_read.h>
+// clang-format on
+
+#define PATH_MAX_MASK (PATH_MAX - 1)
+#define path_len_clamp(len) ((len) & PATH_MAX_MASK)
+
+__always_inline static char* path_safe_access(char* p, unsigned int offset) {
+  return &p[path_len_clamp(offset)];
+}
+
+__always_inline static void path_write_char(char* p, unsigned int offset, char c) {
+  *path_safe_access(p, offset) = c;
+}
+
+__always_inline static struct bound_path_t* path_read(struct path* path) {
+  struct bound_path_t* bound_path = get_bound_path();
+
+  bound_path->len = bpf_d_path(path, bound_path->path, PATH_MAX);
+  if (bound_path->len <= 0) {
+    return NULL;
+  }
+
+  // Ensure length is within PATH_MAX for the verifier
+  bound_path->len = path_len_clamp(bound_path->len);
+
+  return bound_path;
+}
+
+enum path_append_status_t {
+  PATH_APPEND_SUCCESS = 0,
+  PATH_APPEND_INVALID_LENGTH,
+  PATH_APPEND_READ_ERROR,
+};
+
+__always_inline static enum path_append_status_t path_append_dentry(struct bound_path_t* path, struct dentry* dentry) {
+  struct qstr d_name;
+  BPF_CORE_READ_INTO(&d_name, dentry, d_name);
+  int len = d_name.len;
+  if (len + path->len > PATH_MAX) {
+    path->len += len;
+    return PATH_APPEND_INVALID_LENGTH;
+  }
+
+  char* path_offset = path_safe_access(path->path, path->len);
+  if (bpf_probe_read_kernel(path_offset, path_len_clamp(len), d_name.name)) {
+    return PATH_APPEND_READ_ERROR;
+  }
+
+  path->len += len;
+  path_write_char(path->path, path->len, '\0');
+
+  return 0;
+}

fact-ebpf/src/bpf/events.h

@@ -0,0 +1,38 @@
+#include <bpf/bpf_helpers.h>
+
+#include "maps.h"
+#include "process.h"
+#include "types.h"
+#include "vmlinux.h"
+
+__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], struct dentry* dentry) {
+  struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
+  if (event == NULL) {
+    m->ringbuffer_full++;
+    return;
+  }
+
+  event->type = event_type;
+  event->timestamp = bpf_ktime_get_boot_ns();
+  bpf_probe_read_str(event->filename, PATH_MAX, filename);
+
+  struct helper_t* helper = get_helper();
+  const char* p = get_host_path(helper->buf, dentry);
+  if (p != NULL) {
+    bpf_probe_read_str(event->host_file, PATH_MAX, p);
+  }
+
+  int64_t err = process_fill(&event->process);
+  if (err) {
+    bpf_printk("Failed to fill process information: %d", err);
+    goto error;
+  }
+
+  m->added++;
+  bpf_ringbuf_submit(event, 0);
+  return;
+
+error:
+  m->error++;
+  bpf_ringbuf_discard(event, 0);
+}

fact-ebpf/src/bpf/file.h

@@ -3,6 +3,7 @@
 // clang-format off
 #include "vmlinux.h"
 
+#include "bound_path.h"
 #include "builtins.h"
 #include "types.h"
 #include "maps.h"
@@ -11,13 +12,6 @@
 #include <bpf/bpf_core_read.h>
 // clang-format on
 
-#define PATH_MAX_MASK (PATH_MAX - 1)
-#define path_len_clamp(len) ((len) & PATH_MAX_MASK)
-
-__always_inline static char* path_safe_access(char* p, unsigned int offset) {
-  return &p[path_len_clamp(offset)];
-}
-
 /**
  * Reimplementation of the kernel d_path function.
  *
@@ -129,11 +123,22 @@ __always_inline static char* get_host_path(char buf[PATH_MAX * 2], struct dentry
   return &buf[offset];
 }
 
-__always_inline static bool is_monitored(struct path_cfg_helper_t* path) {
+__always_inline static bool is_monitored(struct bound_path_t* path) {
   if (!filter_by_prefix) {
     // no path configured, allow all
     return true;
   }
 
-  return bpf_map_lookup_elem(&path_prefix, path) != NULL;
+  // Backup bytes length and restore it before exiting
+  unsigned int len = path->len;
+
+  if (path->len > LPM_SIZE_MAX) {
+    path->len = LPM_SIZE_MAX;
+  }
+  // for LPM maps, the length is the total number of bits
+  path->len = path->len * 8;
+
+  bool res = bpf_map_lookup_elem(&path_prefix, path) != NULL;
+  path->len = len;
+  return res;
 }

fact-ebpf/src/bpf/main.c

@@ -3,6 +3,8 @@
 #include "types.h"
 #include "process.h"
 #include "maps.h"
+#include "events.h"
+#include "bound_path.h"
 
 #include "vmlinux.h"
 
@@ -19,13 +21,7 @@ char _license[] SEC("license") = "Dual MIT/GPL";
 
 SEC("lsm/file_open")
 int BPF_PROG(trace_file_open, struct file* file) {
-  uint32_t key = 0;
-  struct event_t* event = NULL;
-  struct metrics_t* m = bpf_map_lookup_elem(&metrics, &key);
-  if (m == NULL) {
-    bpf_printk("Failed to get metrics entry, this should not happen");
-    return 0;
-  }
+  struct metrics_t* m = get_metrics();
 
   m->file_open.total++;
 
@@ -38,67 +34,20 @@ int BPF_PROG(trace_file_open, struct file* file) {
     goto ignored;
   }
 
-  struct path_cfg_helper_t* prefix_helper = bpf_map_lookup_elem(&path_prefix_helper, &key);
-  if (prefix_helper == NULL) {
-    bpf_printk("Failed to get prefix helper");
-    goto error;
-  }
-
-  long len = bpf_d_path(&file->f_path, prefix_helper->path, PATH_MAX);
-  if (len <= 0) {
+  struct bound_path_t* path = path_read(&file->f_path);
+  if (path == NULL) {
     bpf_printk("Failed to read path");
-    goto error;
-  }
-
-  if (len > LPM_SIZE_MAX) {
-    len = LPM_SIZE_MAX;
-  }
-  // for LPM maps, the length is the total number of bits
-  prefix_helper->bit_len = len * 8;
-
-  if (!is_monitored(prefix_helper)) {
-    goto ignored;
-  }
-
-  event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
-  if (event == NULL) {
-    m->file_open.ringbuffer_full++;
-    bpf_printk("Failed to get event entry");
+    m->file_open.error++;
     return 0;
   }
 
-  event->type = event_type;
-  event->timestamp = bpf_ktime_get_boot_ns();
-  bpf_probe_read_str(event->filename, PATH_MAX, prefix_helper->path);
-
-  int64_t err = process_fill(&event->process);
-  if (err) {
-    bpf_printk("Failed to fill process information: %d", err);
-    goto error;
-  }
-
-  struct helper_t* helper = bpf_map_lookup_elem(&helper_map, &key);
-  if (helper == NULL) {
-    bpf_printk("Failed to get helper entry");
-    return 0;
+  if (!is_monitored(path)) {
+    goto ignored;
   }
 
   struct dentry* d = BPF_CORE_READ(file, f_path.dentry);
-  const char* p = get_host_path(helper->buf, d);
-  if (p != NULL) {
-    bpf_probe_read_str(event->host_file, PATH_MAX, p);
-  }
-
-  m->file_open.added++;
-  bpf_ringbuf_submit(event, 0);
-
-  return 0;
+  submit_event(&m->file_open, event_type, path->path, d);
 
-error:
-  m->file_open.error++;
-  if (event != NULL) {
-    bpf_ringbuf_discard(event, 0);
-  }
   return 0;
 
 ignored:
@@ -108,89 +57,37 @@ int BPF_PROG(trace_file_open, struct file* file) {
 
 SEC("lsm/path_unlink")
 int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
-  uint32_t key = 0;
-  struct event_t* event = NULL;
-  struct metrics_t* m = bpf_map_lookup_elem(&metrics, &key);
-  if (m == NULL) {
-    bpf_printk("Failed to get metrics entry, this should not happen");
-    return 0;
-  }
+  struct metrics_t* m = get_metrics();
 
   m->path_unlink.total++;
 
-  struct path_cfg_helper_t* prefix_helper = bpf_map_lookup_elem(&path_prefix_helper, &key);
-  if (prefix_helper == NULL) {
-    bpf_printk("Failed to get prefix helper");
-    goto error;
-  }
-
-  long path_len = bpf_d_path(dir, prefix_helper->path, PATH_MAX);
-  if (path_len <= 0) {
+  struct bound_path_t* path = path_read(dir);
+  if (path == NULL) {
     bpf_printk("Failed to read path");
     goto error;
   }
-  *path_safe_access(prefix_helper->path, path_len - 1) = '/';
-
-  struct qstr d_name;
-  BPF_CORE_READ_INTO(&d_name, dentry, d_name);
-  int len = d_name.len;
-  if (len + path_len > PATH_MAX) {
-    bpf_printk("Invalid path length: %u", len + path_len);
-    goto error;
-  }
-
-  char* path_offset = path_safe_access(prefix_helper->path, path_len);
-  if (bpf_probe_read_kernel(path_offset, path_len_clamp(len), d_name.name)) {
-    bpf_printk("Failed to read final path component");
-    goto error;
-  }
-  *path_safe_access(prefix_helper->path, path_len + len) = '\0';
-
-  len += path_len;
-  if (len > LPM_SIZE_MAX) {
-    len = LPM_SIZE_MAX;
-  }
-  // for LPM maps, the length is the total number of bits
-  prefix_helper->bit_len = len * 8;
+  path_write_char(path->path, path->len - 1, '/');
 
-  if (!is_monitored(prefix_helper)) {
-    goto ignored;
+  switch (path_append_dentry(path, dentry)) {
+    case PATH_APPEND_SUCCESS:
+      break;
+    case PATH_APPEND_INVALID_LENGTH:
+      bpf_printk("Invalid path length: %u", path->len);
+      goto error;
+    case PATH_APPEND_READ_ERROR:
+      bpf_printk("Failed to read final path component");
+      goto error;
   }
 
-  event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
-  if (event == NULL) {
-    m->path_unlink.ringbuffer_full++;
-    bpf_printk("Failed to get event entry");
+  if (!is_monitored(path)) {
+    m->path_unlink.ignored++;
     return 0;
   }
 
-  bpf_probe_read_str(event->filename, PATH_MAX, prefix_helper->path);
-  event->type = FILE_ACTIVITY_UNLINK;
-  event->timestamp = bpf_ktime_get_boot_ns();
-  int64_t err = process_fill(&event->process);
-  if (err) {
-    bpf_printk("Failed to fill process information: %d", err);
-    goto error;
-  }
-
-  const char* p = get_host_path(prefix_helper->path, dentry);
-  if (p != NULL) {
-    bpf_probe_read_str(event->host_file, PATH_MAX, p);
-  }
-
-  m->path_unlink.added++;
-  bpf_ringbuf_submit(event, 0);
-
+  submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry);
   return 0;
 
 error:
   m->path_unlink.error++;
-  if (event != NULL) {
-    bpf_ringbuf_discard(event, 0);
-  }
-  return 0;
-
-ignored:
-  m->path_unlink.ignored++;
   return 0;
 }