ROX-30257: implement permission change tracking

Molter73 · Molter73 · commit aa0399aace3b · 2025-12-17T12:25:11.000+01:00
This is done via the path_chmod LSM hook.

WIP: the old mode is not quite working yet.
diff --git a/fact-ebpf/src/bpf/events.h b/fact-ebpf/src/bpf/events.h
@@ -11,17 +11,12 @@
 #include <bpf/bpf_helpers.h>
 // clang-format on
 
-__always_inline static void submit_event(struct metrics_by_hook_t* m,
-                                         file_activity_type_t event_type,
-                                         const char filename[PATH_MAX],
-                                         inode_key_t* inode,
-                                         bool use_bpf_d_path) {
-  struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
-  if (event == NULL) {
-    m->ringbuffer_full++;
-    return;
-  }
-
+__always_inline static void __submit_event(struct event_t* event,
+                                           struct metrics_by_hook_t* m,
+                                           file_activity_type_t event_type,
+                                           const char filename[PATH_MAX],
+                                           inode_key_t* inode,
+                                           bool use_bpf_d_path) {
   event->type = event_type;
   event->timestamp = bpf_ktime_get_boot_ns();
   inode_copy_or_reset(&event->inode, inode);
@@ -46,3 +41,35 @@ __always_inline static void submit_event(struct metrics_by_hook_t* m,
   m->error++;
   bpf_ringbuf_discard(event, 0);
 }
+
+__always_inline static void submit_event(struct metrics_by_hook_t* m,
+                                         file_activity_type_t event_type,
+                                         const char filename[PATH_MAX],
+                                         inode_key_t* inode,
+                                         bool use_bpf_d_path) {
+  struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
+  if (event == NULL) {
+    m->ringbuffer_full++;
+    return;
+  }
+
+  __submit_event(event, m, event_type, filename, inode, use_bpf_d_path);
+}
+
+__always_inline static void submit_mode_event(struct metrics_by_hook_t* m,
+                                              const char filename[PATH_MAX],
+                                              inode_key_t* inode,
+                                              umode_t mode,
+                                              umode_t old_mode,
+                                              bool use_bpf_d_path) {
+  struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
+  if (event == NULL) {
+    m->ringbuffer_full++;
+    return;
+  }
+
+  event->chmod.new = mode;
+  event->chmod.old = old_mode;
+
+  __submit_event(event, m, FILE_ACTIVITY_CHMOD, filename, inode, use_bpf_d_path);
+}
diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c
@@ -7,6 +7,7 @@
 #include "maps.h"
 #include "events.h"
 #include "bound_path.h"
+#include "vmlinux/x86_64.h"
 
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
@@ -125,3 +126,40 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
   m->path_unlink.error++;
   return 0;
 }
+
+SEC("lsm/path_chmod")
+int BPF_PROG(trace_path_chmod, struct path* path, umode_t mode) {
+  struct metrics_t* m = get_metrics();
+  if (m == NULL) {
+    return 0;
+  }
+
+  m->path_chmod.total++;
+
+  struct bound_path_t* bound_path = path_read(path);
+  if (bound_path == NULL) {
+    bpf_printk("Failed to read path");
+    m->path_chmod.error++;
+    return 0;
+  }
+
+  inode_key_t inode_key = inode_to_key(path->dentry->d_inode);
+  const inode_value_t* inode = inode_get(&inode_key);
+
+  switch (inode_is_monitored(inode)) {
+    case NOT_MONITORED:
+      if (!is_monitored(bound_path)) {
+        m->path_chmod.ignored++;
+        return 0;
+      }
+      break;
+
+    case MONITORED:
+      break;
+  }
+
+  umode_t old_mode = BPF_CORE_READ(path, dentry, d_inode, i_mode);
+  submit_mode_event(&m->path_chmod, bound_path->path, &inode_key, mode, old_mode, true);
+
+  return 0;
+}
diff --git a/fact-ebpf/src/bpf/types.h b/fact-ebpf/src/bpf/types.h
@@ -47,6 +47,7 @@ typedef enum file_activity_type_t {
   FILE_ACTIVITY_OPEN = 0,
   FILE_ACTIVITY_CREATION,
   FILE_ACTIVITY_UNLINK,
+  FILE_ACTIVITY_CHMOD,
 } file_activity_type_t;
 
 struct event_t {
@@ -55,6 +56,12 @@ struct event_t {
   char filename[PATH_MAX];
   inode_key_t inode;
   file_activity_type_t type;
+  union {
+    struct {
+      short unsigned int new;
+      short unsigned int old;
+    } chmod;
+  };
 };
 
 /**
@@ -83,4 +90,5 @@ struct metrics_by_hook_t {
 struct metrics_t {
   struct metrics_by_hook_t file_open;
   struct metrics_by_hook_t path_unlink;
+  struct metrics_by_hook_t path_chmod;
 };
diff --git a/fact-ebpf/src/lib.rs b/fact-ebpf/src/lib.rs
@@ -111,6 +111,7 @@ impl metrics_t {
         let mut m = metrics_t { ..*self };
         m.file_open = m.file_open.accumulate(&other.file_open);
         m.path_unlink = m.path_unlink.accumulate(&other.path_unlink);
+        m.path_chmod = m.path_chmod.accumulate(&other.path_chmod);
         m
     }
 }
diff --git a/fact/src/bpf/mod.rs b/fact/src/bpf/mod.rs
@@ -8,7 +8,7 @@ use aya::{
 };
 use checks::Checks;
 use libc::c_char;
-use log::{debug, error, info};
+use log::{error, info};
 use tokio::{
     io::unix::AsyncFd,
     sync::{mpsc, watch},
@@ -154,7 +154,8 @@ impl Bpf {
 
     fn load_progs(&mut self, btf: &Btf) -> anyhow::Result<()> {
         self.load_lsm_prog("trace_file_open", "file_open", btf)?;
-        self.load_lsm_prog("trace_path_unlink", "path_unlink", btf)
+        self.load_lsm_prog("trace_path_unlink", "path_unlink", btf)?;
+        self.load_lsm_prog("trace_path_chmod", "path_chmod", btf)
     }
 
     fn attach_progs(&mut self) -> anyhow::Result<()> {
@@ -192,7 +193,6 @@ impl Bpf {
                                 Ok(event) => event,
                                 Err(e) => {
                                     error!("Failed to parse event: '{e}'");
-                                    debug!("Event: {event:?}");
                                     event_counter.dropped();
                                     continue;
                                 }
diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs
@@ -67,6 +67,7 @@ impl Event {
             FileData::Open(data) => &data.inode,
             FileData::Creation(data) => &data.inode,
             FileData::Unlink(data) => &data.inode,
+            FileData::Chmod(data) => &data.file.inode,
         }
     }
 
@@ -75,6 +76,7 @@ impl Event {
             FileData::Open(data) => data.host_file = host_path,
             FileData::Creation(data) => data.host_file = host_path,
             FileData::Unlink(data) => data.host_file = host_path,
+            FileData::Chmod(data) => data.file.host_file = host_path,
         }
     }
 }
@@ -85,7 +87,12 @@ impl TryFrom<&event_t> for Event {
     fn try_from(value: &event_t) -> Result<Self, Self::Error> {
         let process = Process::try_from(value.process)?;
         let timestamp = host_info::get_boot_time() + value.timestamp;
-        let file = FileData::new(value.type_, value.filename, value.inode)?;
+        let file = FileData::new(
+            value.type_,
+            value.filename,
+            value.inode,
+            value.__bindgen_anon_1,
+        )?;
 
         Ok(Event {
             timestamp,
@@ -123,19 +130,29 @@ pub enum FileData {
     Open(BaseFileData),
     Creation(BaseFileData),
     Unlink(BaseFileData),
+    Chmod(ChmodFileData),
 }
 
 impl FileData {
     pub fn new(
         event_type: file_activity_type_t,
         filename: [c_char; PATH_MAX as usize],
         inode: inode_key_t,
+        extra_data: fact_ebpf::event_t__bindgen_ty_1,
     ) -> anyhow::Result<Self> {
         let inner = BaseFileData::new(filename, inode)?;
         let file = match event_type {
             file_activity_type_t::FILE_ACTIVITY_OPEN => FileData::Open(inner),
             file_activity_type_t::FILE_ACTIVITY_CREATION => FileData::Creation(inner),
             file_activity_type_t::FILE_ACTIVITY_UNLINK => FileData::Unlink(inner),
+            file_activity_type_t::FILE_ACTIVITY_CHMOD => {
+                let data = ChmodFileData {
+                    file: inner,
+                    new_mode: unsafe { extra_data.chmod.new },
+                    old_mode: unsafe { extra_data.chmod.old },
+                };
+                FileData::Chmod(data)
+            }
             invalid => unreachable!("Invalid event type: {invalid:?}"),
         };
 
@@ -161,6 +178,10 @@ impl From<FileData> for fact_api::file_activity::File {
                 let f_act = fact_api::FileUnlink { activity };
                 fact_api::file_activity::File::Unlink(f_act)
             }
+            FileData::Chmod(event) => {
+                let f_act = fact_api::FilePermissionChange::from(event);
+                fact_api::file_activity::File::Permission(f_act)
+            }
         }
     }
 }
@@ -211,3 +232,42 @@ impl From<BaseFileData> for fact_api::FileActivityBase {
         }
     }
 }
+
+#[derive(Debug, Clone, Serialize)]
+pub struct ChmodFileData {
+    file: BaseFileData,
+    new_mode: u16,
+    old_mode: u16,
+}
+
+impl ChmodFileData {
+    pub fn new(
+        filename: [c_char; PATH_MAX as usize],
+        inode: inode_key_t,
+        new_mode: u16,
+        old_mode: u16,
+    ) -> anyhow::Result<Self> {
+        let file = BaseFileData::new(filename, inode)?;
+
+        Ok(ChmodFileData {
+            file,
+            new_mode,
+            old_mode,
+        })
+    }
+}
+
+impl From<ChmodFileData> for fact_api::FilePermissionChange {
+    fn from(value: ChmodFileData) -> Self {
+        let ChmodFileData {
+            file,
+            new_mode,
+            old_mode: _,
+        } = value;
+        let activity = fact_api::FileActivityBase::from(file);
+        fact_api::FilePermissionChange {
+            activity: Some(activity),
+            mode: new_mode as u32,
+        }
+    }
+}
diff --git a/fact/src/metrics/kernel_metrics.rs b/fact/src/metrics/kernel_metrics.rs
@@ -10,6 +10,7 @@ use super::{EventCounter, LabelValues};
 pub struct KernelMetrics {
     file_open: EventCounter,
     path_unlink: EventCounter,
+    path_chmod: EventCounter,
     map: PerCpuArray<MapData, metrics_t>,
 }
 
@@ -25,13 +26,20 @@ impl KernelMetrics {
             "Events processed by the path_unlink LSM hook",
             &[], // Labels are not needed since `collect` will add them all
         );
+        let path_chmod = EventCounter::new(
+            "kernel_path_chmod_events",
+            "Events processed by the path_chmod LSM hook",
+            &[], // Labels are not needed since `collect` will add them all
+        );
 
         file_open.register(reg);
         path_unlink.register(reg);
+        path_chmod.register(reg);
 
         KernelMetrics {
             file_open,
             path_unlink,
+            path_chmod,
             map: kernel_metrics,
         }
     }
@@ -78,6 +86,7 @@ impl KernelMetrics {
 
         KernelMetrics::refresh_labels(&self.file_open, &metrics.file_open);
         KernelMetrics::refresh_labels(&self.path_unlink, &metrics.path_unlink);
+        KernelMetrics::refresh_labels(&self.path_chmod, &metrics.path_chmod);
 
         Ok(())
     }

Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,7 @@ impl metrics_t {`
`111`	`111`	`let mut m = metrics_t { ..*self };`
`112`	`112`	`m.file_open = m.file_open.accumulate(&other.file_open);`
`113`	`113`	`m.path_unlink = m.path_unlink.accumulate(&other.path_unlink);`
	`114`	`+ m.path_chmod = m.path_chmod.accumulate(&other.path_chmod);`
`114`	`115`	`m`
`115`	`116`	`}`
`116`	`117`	`}`