@Molter73 Molter73 commented Oct 6, 2025

Description

Whenever we find a file that we should ignore based on its path, we can attach a byte to its inode so that we will know on future accesses that the file should be ignored before we do any sort of processing on our hooks. Because the information is attached to the inode itself, when the inode is removed the storage will be cleaned up on its own. A re-used pointer to an inode should also not cause false hits, since this is specific to the inode we attached to and should go away when the inode is freed.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

  • Manually tested with some print statements that hits are happening.

@Molter73 Molter73 force-pushed the mauro/feat/ignore-inodes branch from 3006422 to 3b779f2 Compare October 6, 2025 11:26
Base automatically changed from mauro/refactor/cleanup-bpf-code to main October 6, 2025 13:03
Whenever we find a file that we should ignore based on its path, we can
attach a byte to its inode so that we will know on future accesses that
the file should be ignored before we do any sort of processing on our
hooks. Because the information is attached to the inode itself, when the
inode is removed, the storage will be cleaned up on its own. A re-used
pointer to an inode should also not cause false hits, since this is
specific to the inode we attached to and should go away when the inode
is freed.
@Molter73 Molter73 force-pushed the mauro/feat/ignore-inodes branch from 3b779f2 to 08e05bd Compare October 6, 2025 13:04
Molter73 commented Oct 6, 2025

After some more testing this approach may yield wrong results with hardlinks, causing a monitored file to stop reporting events if accessed via a hardlink on a path that is not monitored. Example:

  • Monitor /etc/monitored
  • touch /etc/monitored/something will trigger an event.
  • Create a hardlink with ln /etc/monitored/something /etc/something
  • touch /etc/something doesn't generate an event.
  • touch /etc/monitored/something no longer triggers events.

We might be able to use struct dentry or struct path as a key to a LRU map instead.
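
The hardlink case from the comment above, replayed as a user-space C model (an added example, not code from this pull request or project). Assumptions: `on_access`, `replay`, the string-keyed `ignored` array and the `/tmp` layout are hypothetical stand-ins for the BPF hook and its map, and a path string stands in for a `struct dentry`/`struct path` key.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* User-space model (assumption): string keys stand in for the BPF map key. */
enum keying { BY_INODE, BY_PATH };
static char ignored[8][128]; static int n_ignored;  /* cache of "ignore" keys */
/* Hook model: returns true when the access would be reported as an event. */
static bool on_access(enum keying k, const char *path, const char *mon) {
    struct stat st; char key[128];
    if (stat(path, &st) != 0) return false;
    if (k == BY_INODE)  /* identity that inode-attached storage sees */
        snprintf(key, sizeof key, "%lu:%lu", (unsigned long)st.st_dev, (unsigned long)st.st_ino);
    else snprintf(key, sizeof key, "%s", path);  /* per-name identity */
    for (int i = 0; i < n_ignored; i++)
        if (strcmp(ignored[i], key) == 0) return false;  /* cached "ignore" */
    size_t n = strlen(mon);
    if (strncmp(path, mon, n) == 0 && path[n] == '/') return true;
    if (n_ignored < 8) strcpy(ignored[n_ignored++], key);  /* mark as ignored */
    return false;
}
/* Replays the steps from the comment in a temp dir; out[i] = event reported? */
static int replay(enum keying k, bool out[3]) {
    char root[] = "/tmp/ignore-inode-XXXXXX", mon[64], file[96], alias[96];
    n_ignored = 0;
    if (!mkdtemp(root)) return -1;
    snprintf(mon, sizeof mon, "%s/monitored", root);
    snprintf(file, sizeof file, "%s/something", mon);
    snprintf(alias, sizeof alias, "%s/something", root);
    FILE *f = mkdir(mon, 0700) == 0 ? fopen(file, "w") : NULL;
    if (!f) return -1;
    fclose(f);
    out[0] = on_access(k, file, mon);   /* touch monitored/something */
    if (link(file, alias) != 0) return -1;
    out[1] = on_access(k, alias, mon);  /* touch the hardlink outside it */
    out[2] = on_access(k, file, mon);   /* touch monitored/something again */
    unlink(alias); unlink(file); rmdir(mon); rmdir(root);
    return 0;
}

int main(void) {
    bool a[3], b[3];
    if (replay(BY_INODE, a) || replay(BY_PATH, b)) return 1;
    printf("inode key: %d %d %d | path key: %d %d %d\n", a[0], a[1], a[2], b[0], b[1], b[2]);
    return 0;
}
```

With the inode key the third access is suppressed (`1 0 0`), matching the behaviour reported in the comment; with a per-name key it is reported again (`1 0 1`).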
