fix(fact-ebpf): improve kernel compatibility

In the context of ROX-30439, I started testing fact on some RHCOS
versions and found some issues that are addressed by this PR, namely:

* The relocation of kernfs_node for the renamed parent field was wrong,
  causing cgroups to not be captured correctly.
* Some missing null checks that are not necessary on newer kernels.
* path_unlink LSM hook is not allowed to call bpf_d_path on older
  kernels.

This last point is the most involved part of the PR, I couldn't find a
precise way to check if this call is allowed on the running kernel, so
instead I created a small checks BPF object that can try to load a small
probe and check if the load was successful, then use a constant loaded
at runtime to exclude the call when needed.

Author: Molter73

fact-ebpf/build.rs

@@ -6,35 +6,41 @@ use std::{
 };
 
 fn compile_bpf(out_dir: &Path) -> anyhow::Result<()> {
-    let obj = match out_dir.join("main.o").into_os_string().into_string() {
-        Ok(s) => s,
-        Err(os_string) => anyhow::bail!("Failed to convert path to string {:?}", os_string),
-    };
-
     let target_arch = format!("-D__TARGET_ARCH_{}", env::var("CARGO_CFG_TARGET_ARCH")?);
+    let base_args = [
+        "-target",
+        "bpf",
+        "-O2",
+        "-g",
+        "-c",
+        "-Wall",
+        "-Werror",
+        &target_arch,
+    ];
+
+    for name in ["main", "checks"] {
+        let obj = match out_dir
+            .join(format!("{name}.o"))
+            .into_os_string()
+            .into_string()
+        {
+            Ok(s) => s,
+            Err(os_string) => anyhow::bail!("Failed to convert path to string {:?}", os_string),
+        };
 
-    match Command::new("clang")
-        .args([
-            "-target",
-            "bpf",
-            "-O2",
-            "-g",
-            "-c",
-            "-Wall",
-            "-Werror",
-            &target_arch,
-            "src/bpf/main.c",
-            "-o",
-            &obj,
-        ])
-        .status()
-    {
-        Ok(status) => {
-            if !status.success() {
-                anyhow::bail!("Failed to compile eBPF. See stderr for details.");
+        match Command::new("clang")
+            .args(base_args)
+            .arg(format!("src/bpf/{name}.c"))
+            .args(["-o", &obj])
+            .status()
+        {
+            Ok(status) => {
+                if !status.success() {
+                    anyhow::bail!("Failed to compile eBPF. See stderr for details.");
+                }
             }
+            Err(e) => anyhow::bail!("Failed to execute clang: {}", e),
         }
-        Err(e) => anyhow::bail!("Failed to execute clang: {}", e),
     }
     Ok(())
 }

fact-ebpf/src/bpf/bound_path.h

@@ -3,6 +3,7 @@
 // clang-format off
 #include "types.h"
 #include "maps.h"
+#include "d_path.h"
 
 #include "vmlinux.h"
 
@@ -21,10 +22,13 @@ __always_inline static void path_write_char(char* p, unsigned int offset, char c
   *path_safe_access(p, offset) = c;
 }
 
-__always_inline static struct bound_path_t* path_read(struct path* path) {
+__always_inline static struct bound_path_t* _path_read(struct path* path, bool use_bpf_d_path) {
   struct bound_path_t* bound_path = get_bound_path();
+  if (bound_path == NULL) {
+    return NULL;
+  }
 
-  bound_path->len = bpf_d_path(path, bound_path->path, PATH_MAX);
+  bound_path->len = use_bpf_d_path ? bpf_d_path(path, bound_path->path, PATH_MAX) : d_path(path, bound_path->path, PATH_MAX);
   if (bound_path->len <= 0) {
     return NULL;
   }
@@ -35,6 +39,14 @@ __always_inline static struct bound_path_t* path_read(struct path* path) {
   return bound_path;
 }
 
+__always_inline static struct bound_path_t* path_read(struct path* path) {
+  return _path_read(path, true);
+}
+
+__always_inline static struct bound_path_t* path_read_alternate(struct path* path) {
+  return _path_read(path, false);
+}
+
 enum path_append_status_t {
   PATH_APPEND_SUCCESS = 0,
   PATH_APPEND_INVALID_LENGTH,

fact-ebpf/src/bpf/checks.c

@@ -0,0 +1,15 @@
+// clang-format off
+#include "vmlinux.h"
+
+#include "bound_path.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+// clang-format on
+
+SEC("lsm/path_unlink")
+int BPF_PROG(check_path_unlink_supports_bpf_d_path, struct path* dir, struct dentry* dentry) {
+  struct bound_path_t* p = path_read(dir);
+  bpf_printk("dir: %s", p->path);
+  return 0;
+}

fact-ebpf/src/bpf/d_path.h

@@ -0,0 +1,81 @@
+#pragma once
+
+// clang-format off
+#include "maps.h"
+#include "vmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_core_read.h>
+// clang-format on
+
+/**
+ * Reimplementation of the kernel d_path function.
+ *
+ * We should attempt to use bpf_d_path when possible, but you can't on
+ * values that have been read using the bpf_probe_* helpers.
+ */
+__always_inline static long d_path(const struct path* path, char* buf, int buflen) {
+  if (buflen <= 0) {
+    return -1;
+  }
+
+  struct helper_t* helper = get_helper();
+  if (helper == NULL) {
+    return -1;
+  }
+
+  struct task_struct* task = (struct task_struct*)bpf_get_current_task();
+  int offset = (buflen - 1) & (PATH_MAX - 1);
+  helper->buf[offset] = '\0';  // Ensure null termination
+
+  struct path root;
+  BPF_CORE_READ_INTO(&root, task, fs, root);
+  struct mount* mnt = container_of(path->mnt, struct mount, mnt);
+  struct dentry* dentry = BPF_CORE_READ(path, dentry);
+
+  for (int i = 0; i < 16 && (dentry != root.dentry || &mnt->mnt != root.mnt); i++) {
+    struct dentry* parent = BPF_CORE_READ(dentry, d_parent);
+    struct dentry* mnt_root = BPF_CORE_READ(mnt, mnt.mnt_root);
+
+    if (dentry == mnt_root) {
+      struct mount* m = BPF_CORE_READ(mnt, mnt_parent);
+      if (m != mnt) {
+        dentry = BPF_CORE_READ(mnt, mnt_mountpoint);
+        mnt = m;
+        continue;
+      }
+      break;
+    }
+
+    if (dentry == parent) {
+      return -1;
+    }
+
+    struct qstr d_name;
+    BPF_CORE_READ_INTO(&d_name, dentry, d_name);
+    int len = d_name.len;
+    if (len <= 0 || len >= buflen) {
+      return -1;
+    }
+
+    offset -= len;
+    if (offset <= 0) {
+      return -1;
+    }
+
+    if (bpf_probe_read_kernel(&helper->buf[offset], len, d_name.name) != 0) {
+      return -1;
+    }
+
+    offset--;
+    if (offset <= 0) {
+      return -1;
+    }
+    helper->buf[offset] = '/';
+
+    dentry = parent;
+  }
+
+  bpf_probe_read_str(buf, buflen, &helper->buf[offset]);
+  return buflen - offset;
+}

fact-ebpf/src/bpf/events.h

@@ -1,3 +1,5 @@
+#pragma once
+
 #include <bpf/bpf_helpers.h>
 
 #include "maps.h"
@@ -17,6 +19,10 @@ __always_inline static void submit_event(struct metrics_by_hook_t* m, file_activ
   bpf_probe_read_str(event->filename, PATH_MAX, filename);
 
   struct helper_t* helper = get_helper();
+  if (helper == NULL) {
+    goto error;
+  }
+
   const char* p = get_host_path(helper->buf, dentry);
   if (p != NULL) {
     bpf_probe_read_str(event->host_file, PATH_MAX, p);

fact-ebpf/src/bpf/file.h

@@ -5,79 +5,14 @@
 
 #include "bound_path.h"
 #include "builtins.h"
+#include "d_path.h"
 #include "types.h"
 #include "maps.h"
 
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_core_read.h>
 // clang-format on
 
-/**
- * Reimplementation of the kernel d_path function.
- *
- * We should attempt to use bpf_d_path when possible, but you can't on
- * values that have been read using the bpf_probe_* helpers.
- */
-__always_inline static char* d_path(const struct path* path, char* buf, int buflen) {
-  if (buflen <= 0) {
-    return NULL;
-  }
-
-  struct task_struct* task = (struct task_struct*)bpf_get_current_task();
-  int offset = (buflen - 1) & (PATH_MAX - 1);
-  buf[offset] = '\0';  // Ensure null termination
-
-  struct path root;
-  BPF_CORE_READ_INTO(&root, task, fs, root);
-  struct mount* mnt = container_of(path->mnt, struct mount, mnt);
-  struct dentry* dentry = BPF_CORE_READ(path, dentry);
-
-  for (int i = 0; i < 16 && (dentry != root.dentry || &mnt->mnt != root.mnt); i++) {
-    struct dentry* parent = BPF_CORE_READ(dentry, d_parent);
-    struct dentry* mnt_root = BPF_CORE_READ(mnt, mnt.mnt_root);
-
-    if (dentry == mnt_root) {
-      struct mount* m = BPF_CORE_READ(mnt, mnt_parent);
-      if (m != mnt) {
-        dentry = BPF_CORE_READ(mnt, mnt_mountpoint);
-        mnt = m;
-        continue;
-      }
-      return &buf[offset];
-    }
-
-    if (dentry == parent) {
-      return NULL;
-    }
-
-    struct qstr d_name;
-    BPF_CORE_READ_INTO(&d_name, dentry, d_name);
-    int len = d_name.len;
-    if (len <= 0 || len >= buflen) {
-      return NULL;
-    }
-
-    offset -= len;
-    if (offset <= 0) {
-      return NULL;
-    }
-
-    if (bpf_probe_read_kernel(&buf[offset], len, d_name.name) != 0) {
-      return NULL;
-    }
-
-    offset--;
-    if (offset <= 0) {
-      return NULL;
-    }
-    buf[offset] = '/';
-
-    dentry = parent;
-  }
-
-  return &buf[offset];
-}
-
 __always_inline static char* get_host_path(char buf[PATH_MAX * 2], struct dentry* d) {
   int offset = PATH_MAX - 1;
   buf[PATH_MAX - 1] = '\0';

fact-ebpf/src/bpf/main.c

@@ -1,13 +1,13 @@
 // clang-format off
+#include "vmlinux.h"
+
 #include "file.h"
 #include "types.h"
 #include "process.h"
 #include "maps.h"
 #include "events.h"
 #include "bound_path.h"
 
-#include "vmlinux.h"
-
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
@@ -22,6 +22,9 @@ char _license[] SEC("license") = "Dual MIT/GPL";
 SEC("lsm/file_open")
 int BPF_PROG(trace_file_open, struct file* file) {
   struct metrics_t* m = get_metrics();
+  if (m == NULL) {
+    return 0;
+  }
 
   m->file_open.total++;
 
@@ -58,10 +61,19 @@ int BPF_PROG(trace_file_open, struct file* file) {
 SEC("lsm/path_unlink")
 int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
   struct metrics_t* m = get_metrics();
+  if (m == NULL) {
+    return 0;
+  }
 
   m->path_unlink.total++;
 
-  struct bound_path_t* path = path_read(dir);
+  struct bound_path_t* path = NULL;
+  if (path_unlink_supports_bpf_d_path) {
+    path = path_read(dir);
+  } else {
+    path = path_read_alternate(dir);
+  }
+
   if (path == NULL) {
     bpf_printk("Failed to read path");
     goto error;

fact-ebpf/src/bpf/maps.h

@@ -38,7 +38,10 @@ struct {
 __always_inline static bool filter_by_prefix() {
   unsigned int zero = 0;
   char* res = bpf_map_lookup_elem(&filter_by_prefix_map, &zero);
-  return *res != 0;
+
+  // The NULL check is simply here to satisfy some verifiers, the result
+  // will never actually be NULL.
+  return res == NULL || *res != 0;
 }
 
 struct {
@@ -82,6 +85,7 @@ __always_inline static struct bound_path_t* get_bound_path() {
 
 struct {
   __uint(type, BPF_MAP_TYPE_RINGBUF);
+  __uint(max_entries, 8 * 1024 * 1024);
 } rb SEC(".maps");
 
 struct {
@@ -97,5 +101,6 @@ __always_inline static struct metrics_t* get_metrics() {
 }
 
 uint64_t host_mount_ns;
+volatile const bool path_unlink_supports_bpf_d_path;
 
 // clang-format on