fix(fact-ebpf): improve compatibility with arm64 kernels

Author: Molter73

fact-ebpf/build.rs

@@ -6,7 +6,12 @@ use std::{
 };
 
 fn compile_bpf(out_dir: &Path) -> anyhow::Result<()> {
-    let target_arch = format!("-D__TARGET_ARCH_{}", env::var("CARGO_CFG_TARGET_ARCH")?);
+    let target_arch = match env::var("CARGO_CFG_TARGET_ARCH")?.as_str() {
+        "x86_64" => "x86",
+        "aarch64" => "arm64",
+        arch => unimplemented!("Unsupported arch {arch}"),
+    };
+    let target_arch = format!("-D__TARGET_ARCH_{target_arch}");
     let base_args = [
         "-target",
         "bpf",

fact-ebpf/src/bpf/bound_path.h

@@ -22,7 +22,7 @@ __always_inline static void path_write_char(char* p, unsigned int offset, char c
   *path_safe_access(p, offset) = c;
 }
 
-__always_inline static struct bound_path_t* _path_read(struct path* path, bool use_bpf_d_path) {
+__always_inline static struct bound_path_t* path_read(struct path* path, bool use_bpf_d_path) {
   struct bound_path_t* bound_path = get_bound_path();
   if (bound_path == NULL) {
     return NULL;
@@ -39,14 +39,6 @@ __always_inline static struct bound_path_t* _path_read(struct path* path, bool u
   return bound_path;
 }
 
-__always_inline static struct bound_path_t* path_read(struct path* path) {
-  return _path_read(path, true);
-}
-
-__always_inline static struct bound_path_t* path_read_alternate(struct path* path) {
-  return _path_read(path, false);
-}
-
 enum path_append_status_t {
   PATH_APPEND_SUCCESS = 0,
   PATH_APPEND_INVALID_LENGTH,

fact-ebpf/src/bpf/checks.c

@@ -7,9 +7,14 @@
 #include <bpf/bpf_tracing.h>
 // clang-format on
 
+SEC("lsm/file_open")
+int BPF_PROG(check_lsm_support, struct file* file) {
+  return 0;
+}
+
 SEC("lsm/path_unlink")
 int BPF_PROG(check_path_unlink_supports_bpf_d_path, struct path* dir, struct dentry* dentry) {
-  struct bound_path_t* p = path_read(dir);
+  struct bound_path_t* p = path_read(dir, true);
   bpf_printk("dir: %s", p->path);
   return 0;
 }

fact-ebpf/src/bpf/main.c

@@ -19,8 +19,7 @@ char _license[] SEC("license") = "Dual MIT/GPL";
 #define FMODE_PWRITE ((fmode_t)(1 << 4))
 #define FMODE_CREATED ((fmode_t)(1 << 20))
 
-SEC("lsm/file_open")
-int BPF_PROG(trace_file_open, struct file* file) {
+__always_inline static int do_file_open(struct file* file, bool use_bpf_d_path) {
   struct metrics_t* m = get_metrics();
   if (m == NULL) {
     return 0;
@@ -37,7 +36,7 @@ int BPF_PROG(trace_file_open, struct file* file) {
     goto ignored;
   }
 
-  struct bound_path_t* path = path_read(&file->f_path);
+  struct bound_path_t* path = path_read(&file->f_path, use_bpf_d_path);
   if (path == NULL) {
     bpf_printk("Failed to read path");
     m->file_open.error++;
@@ -58,21 +57,28 @@ int BPF_PROG(trace_file_open, struct file* file) {
   return 0;
 }
 
-SEC("lsm/path_unlink")
-int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
+SEC("kprobe/security_file_open")
+int BPF_KPROBE(kprobe_file_open, struct file* file) {
+  struct file f;
+  BPF_CORE_READ_INTO(&f.f_mode, file, f_mode);
+  BPF_CORE_READ_INTO(&f.f_path, file, f_path);
+  return do_file_open(&f, false);
+}
+
+SEC("lsm/file_open")
+int BPF_PROG(trace_file_open, struct file* file) {
+  return do_file_open(file, true);
+}
+
+__always_inline int do_path_unlink(struct path* dir, struct dentry* dentry, bool use_bpf_d_path) {
   struct metrics_t* m = get_metrics();
   if (m == NULL) {
     return 0;
   }
 
   m->path_unlink.total++;
 
-  struct bound_path_t* path = NULL;
-  if (path_unlink_supports_bpf_d_path) {
-    path = path_read(dir);
-  } else {
-    path = path_read_alternate(dir);
-  }
+  struct bound_path_t* path = path_read(dir, use_bpf_d_path);
 
   if (path == NULL) {
     bpf_printk("Failed to read path");
@@ -103,3 +109,16 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
   m->path_unlink.error++;
   return 0;
 }
+
+SEC("kprobe/security_path_unlink")
+int BPF_KPROBE(kprobe_path_unlink, struct path* dir, struct dentry* dentry) {
+  struct path p;
+  p.mnt = BPF_CORE_READ(dir, mnt);
+  p.dentry = BPF_CORE_READ(dir, dentry);
+  return do_path_unlink(&p, dentry, false);
+}
+
+SEC("lsm/path_unlink")
+int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
+  return do_path_unlink(dir, dentry, path_unlink_supports_bpf_d_path);
+}

fact-ebpf/src/bpf/vmlinux.h

@@ -1,8 +1,8 @@
 #pragma once
 
-#if defined(__TARGET_ARCH_x86_64)
+#if defined(__TARGET_ARCH_x86)
 #  include "vmlinux/x86_64.h"
-#elif defined(__TARGET_ARCH_aarch64)
+#elif defined(__TARGET_ARCH_arm64)
 #  include "vmlinux/aarch64.h"
 #else
 #  error "Unknown target"

fact/src/bpf/checks.rs

@@ -1,26 +1,66 @@
-use anyhow::Context;
-use aya::{programs::Lsm, Btf};
+use anyhow::{Context, Ok};
+use aya::{programs::Lsm, Btf, Ebpf};
 use log::debug;
 
+#[derive(Default)]
 pub(super) struct Checks {
+    pub(super) lsm_support: bool,
     pub(super) path_unlink_supports_bpf_d_path: bool,
 }
 
 impl Checks {
     pub(super) fn new(btf: &Btf) -> anyhow::Result<Self> {
-        let mut obj = aya::EbpfLoader::new()
+        let checks = ChecksBuilder::new(btf)?
+            .check_lsm_support()
+            .check_path_unlink_supports_bpf_d_path()
+            .build();
+
+        Ok(checks)
+    }
+}
+
+struct ChecksBuilder<'a> {
+    obj: Ebpf,
+    btf: &'a Btf,
+    checks: Checks,
+}
+
+impl<'a> ChecksBuilder<'a> {
+    fn new(btf: &'a Btf) -> anyhow::Result<Self> {
+        let obj = aya::EbpfLoader::new()
             .load(fact_ebpf::CHECKS_OBJ)
             .context("Failed to load checks.o")?;
 
-        let prog = obj
+        let checks = Checks::default();
+
+        Ok(ChecksBuilder { obj, btf, checks })
+    }
+
+    fn build(self) -> Checks {
+        self.checks
+    }
+
+    fn check_lsm_support(mut self) -> Self {
+        let prog = self
+            .obj
+            .program_mut("check_lsm_support")
+            .expect("Failed to find 'check_lsm_support' program");
+        let prog: &mut Lsm = prog.try_into().expect("'check_lsm_support' is not Lsm");
+
+        self.checks.lsm_support = prog.load("file_open", self.btf).is_ok() && prog.attach().is_ok();
+        self
+    }
+
+    fn check_path_unlink_supports_bpf_d_path(mut self) -> Self {
+        let prog = self
+            .obj
             .program_mut("check_path_unlink_supports_bpf_d_path")
-            .context("Failed to find 'check_path_unlink_supports_bpf_d_path' program")?;
-        let prog: &mut Lsm = prog.try_into()?;
-        let path_unlink_supports_bpf_d_path = prog.load("path_unlink", btf).is_ok();
+            .expect("Failed to find 'check_path_unlink_supports_bpf_d_path' program");
+        let prog: &mut Lsm = prog
+            .try_into()
+            .expect("'check_path_unlink_supports_bpf_d_path' is not Lsm");
+        let path_unlink_supports_bpf_d_path = prog.load("path_unlink", self.btf).is_ok();
         debug!("path_unlink_supports_bpf_d_path: {path_unlink_supports_bpf_d_path}");
-
-        Ok(Checks {
-            path_unlink_supports_bpf_d_path,
-        })
+        self
     }
 }

fact/src/bpf/mod.rs

@@ -3,7 +3,7 @@ use std::{io, path::PathBuf, sync::Arc};
 use anyhow::{bail, Context};
 use aya::{
     maps::{Array, LpmTrie, MapData, PerCpuArray, RingBuf},
-    programs::Lsm,
+    programs::Program,
     Btf, Ebpf,
 };
 use checks::Checks;
@@ -30,6 +30,8 @@ pub struct Bpf {
 
     paths: Vec<path_prefix_t>,
     paths_config: watch::Receiver<Vec<PathBuf>>,
+
+    use_lsm_hook: bool,
 }
 
 impl Bpf {
@@ -61,6 +63,7 @@ impl Bpf {
             tx,
             paths,
             paths_config,
+            use_lsm_hook: checks.lsm_support,
         };
 
         bpf.load_paths()?;
@@ -138,24 +141,59 @@ impl Bpf {
         Ok(())
     }
 
-    fn load_lsm_prog(&mut self, name: &str, hook: &str, btf: &Btf) -> anyhow::Result<()> {
+    fn load_prog(&mut self, name: &str, btf: &Btf) -> anyhow::Result<()> {
         let Some(prog) = self.obj.program_mut(name) else {
             bail!("{name} program not found");
         };
-        let prog: &mut Lsm = prog.try_into()?;
-        prog.load(hook, btf)?;
+
+        match prog {
+            Program::Lsm(lsm) => match name {
+                "trace_file_open" => lsm.load("file_open", btf)?,
+                "trace_path_unlink" => lsm.load("path_unlink", btf)?,
+                name => bail!("Unexpected LSM hook '{name}'"),
+            },
+            Program::KProbe(kprobe) => kprobe.load()?,
+            prog => bail!("Unexpected program {prog:?}"),
+        }
+
         Ok(())
     }
 
     fn load_progs(&mut self, btf: &Btf) -> anyhow::Result<()> {
-        self.load_lsm_prog("trace_file_open", "file_open", btf)?;
-        self.load_lsm_prog("trace_path_unlink", "path_unlink", btf)
+        if self.use_lsm_hook {
+            debug!("Loading LSM hooks");
+            self.load_prog("trace_file_open", btf)?;
+            self.load_prog("trace_path_unlink", btf)?;
+        } else {
+            debug!("Loading KProbes");
+            self.load_prog("kprobe_file_open", btf)?;
+            self.load_prog("kprobe_path_unlink", btf)?;
+        }
+        Ok(())
     }
 
     fn attach_progs(&mut self) -> anyhow::Result<()> {
-        for (_, prog) in self.obj.programs_mut() {
-            let prog: &mut Lsm = prog.try_into()?;
-            prog.attach()?;
+        for (name, prog) in self.obj.programs_mut() {
+            match prog {
+                Program::Lsm(prog) => {
+                    if self.use_lsm_hook {
+                        debug!("Attaching '{name}'");
+                        prog.attach()?;
+                    }
+                }
+                Program::KProbe(prog) => {
+                    if !self.use_lsm_hook {
+                        debug!("Attaching '{name}'");
+                        let fn_name = match name {
+                            "kprobe_file_open" => "security_file_open",
+                            "kprobe_path_unlink" => "security_path_unlink",
+                            name => unimplemented!("Invalid '{name}' kprobe"),
+                        };
+                        prog.attach(fn_name, 0)?;
+                    }
+                }
+                ty => unimplemented!("Unsupported type {ty:?}"),
+            }
         }
         Ok(())
     }

fact/src/lib.rs

@@ -98,8 +98,11 @@ pub async fn run(config: FactConfig) -> anyhow::Result<()> {
             _ = sigterm.recv() => break,
             _ = sighup.recv() => config_trigger.notify_one(),
             res = bpf_handle.borrow_mut() => {
-                if let Err(e) = res {
-                    warn!("BPF worker errored out: {e}");
+                match res {
+                    Ok(res) => if let Err(e) = res {
+                        warn!("BPF worker errored out: {e:?}");
+                    }
+                    Err(e) => warn!("BPF task errored out: {e:?}"),
                 }
                 break;
             }