Fix file_modification event & tv_nsec read #5243
geyslan wants to merge 2 commits into aquasecurity:main from
Pull request overview
This PR fixes issue #5242 where file_modification events were not being reported for all file modifications, particularly on filesystems like btrfs that bypass VFS write hooks. The fix includes two distinct changes: (1) masking bit 31 from tv_nsec to handle the multigranularity floor flag introduced in kernel 6.13, and (2) implementing a close-time fallback detection mechanism for filesystems that update inode timestamps directly without calling file_modified() or file_update_time().
Changes:
- Added tv_nsec bit 31 masking to strip the MG_FLOOR flag from kernels >= 6.13 with CONFIG_FS_MGTIME
- Introduced close-time fallback detection in trace_filp_close that compares ctime and file size at close against values captured at open
- Enhanced the file_modification_map to store open_ctime and open_size in addition to the operation state
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/events/core.go | Clarified probe requirement comments to be more concise |
| pkg/ebpf/c/types.h | Added file_mod_value_t struct to store operation state, open_ctime, and open_size |
| pkg/ebpf/c/maps.h | Updated file_modification_map value type from s32 to file_mod_value_t |
| pkg/ebpf/c/tracee.bpf.c | Enhanced fd_install to filter FMODE_WRITE files and store open state; added close-time detection in filp_close; updated common_file_modification_ret to preserve open_ctime |
| pkg/ebpf/c/common/filesystem.h | Added bit 31 masking to tv_nsec to handle MG_FLOOR flag in kernels >= 6.13 |
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files (Coverage Diff):

| | main | #5243 | +/- |
|---|---|---|---|
| Coverage | 33.51% | 35.43% | +1.91% |
| Files | 250 | 239 | -11 |
| Lines | 28908 | 31524 | +2616 |
| Hits | 9688 | 11169 | +1481 |
| Misses | 18609 | 19642 | +1033 |
| Partials | 611 | 713 | +102 |
…e hooks

Filesystems like btrfs update inode timestamps directly without calling file_modified()/file_update_time(), so Tracee's write-time kprobes never fire and file_modification events go undetected.

Add a close-time fallback in trace_filp_close: compare ctime and file size at close against values captured at fd_install. If either changed, submit the event. The existing write-time detection path continues to work for filesystems that call file_modified() (e.g. tmpfs, ext4).

- Introduce file_mod_value_t (op, open_ctime, open_size) as the file_modification_map value type, replacing the bare s32
- Filter fd_install to only track regular files opened for writing (FMODE_WRITE), reducing map pressure
- Defer path string extraction in filp_close until an event is actually submitted
- Use get_file_id() instead of get_file_info() where only device, inode, and ctime are needed, avoiding unnecessary path resolution
Mask MG_FLOOR flag (bit 31) from tv_nsec in get_ctime_nanosec_from_inode to strip the multigranularity floor marker that kernels >= 6.13 with CONFIG_FS_MGTIME store in the raw inode field (commit 4e40eff).
1c892a1 to a3b4acc
Pinging for reviewing. 😬
Close: #5242
1. Explain what the PR does
a3b4acc fix(ebpf): mask bit 31 from tv_nsec
0072d7f fix(ebpf): detect file_modification on filesystems bypassing VFS write hooks
2. Explain how to test it
One may want to test writing to files on tmpfs, ext4, btrfs etc. Afterwards, compare the new ctime output by Tracee with what you can get from the file via stat --printf='%.9Z\n' $(unknown) | sed 's/\.//'.
3. Other comments
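As an added illustration (this is not Tracee's code and is not part of this PR), the following userspace C models the two fixes the PR describes: stripping bit 31 (the MG_FLOOR marker that kernels >= 6.13 with CONFIG_FS_MGTIME store in the raw inode tv_nsec) before combining seconds and nanoseconds, and the close-time fallback that compares ctime and size at close against the values captured at open. The struct name open_state_t, the MG_FLOOR_BIT macro and all sample values are constructed for the example; the nanosecond value it produces has the same shape as the output of the stat --printf='%.9Z' | sed 's/\.//' pipeline from the test step, which is what makes the off-by-2147483648-ns error visible when the bit is not masked.

```c
/* Added example modelling the PR's fixes in plain userspace C.
 * Not Tracee's code; names and values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bit 31 of tv_nsec carries the multigranularity floor marker (MG_FLOOR)
 * on kernels >= 6.13 built with CONFIG_FS_MGTIME. Macro name assumed. */
#define MG_FLOOR_BIT (1u << 31)

/* What a reader of the raw field gets if the flag is NOT stripped:
 * the flag bit is silently added to the nanosecond count. */
static uint64_t ctime_nanosec_unmasked(int64_t tv_sec, uint32_t raw_tv_nsec)
{
    return (uint64_t)tv_sec * 1000000000ULL + raw_tv_nsec;
}

/* Fixed reader: mask the flag, then build sec*1e9 + nsec, the same
 * 19-digit form produced by `stat --printf='%.9Z' | sed 's/\.//'`. */
static uint64_t ctime_nanosec(int64_t tv_sec, uint32_t raw_tv_nsec)
{
    uint32_t nsec = raw_tv_nsec & ~MG_FLOOR_BIT;
    return (uint64_t)tv_sec * 1000000000ULL + nsec;
}

/* Constructed stand-in for the per-fd state the PR keeps from fd_install
 * until filp_close (the PR's file_mod_value_t has the same three fields). */
typedef struct {
    int32_t  op;          /* write-path operation state (unused here) */
    uint64_t open_ctime;  /* ctime in ns captured at open */
    uint64_t open_size;   /* file size captured at open */
} open_state_t;

/* Close-time fallback: a filesystem that bypasses file_modified() still
 * bumps ctime (and usually size), so a change in either means the file
 * was modified even though no write-time probe fired. */
static bool modified_at_close(const open_state_t *st,
                              uint64_t close_ctime, uint64_t close_size)
{
    return st->open_ctime != close_ctime || st->open_size != close_size;
}

int main(void)
{
    /* Constructed inode values: 1700000000.123456789 with MG_FLOOR set. */
    int64_t  sec = 1700000000;
    uint32_t raw = 123456789u | MG_FLOOR_BIT;

    printf("unmasked: %llu\n", (unsigned long long)ctime_nanosec_unmasked(sec, raw));
    printf("masked:   %llu\n", (unsigned long long)ctime_nanosec(sec, raw));

    /* Simulated btrfs-style close: ctime moved, size grew, no write probe. */
    open_state_t st = { .op = 0, .open_ctime = ctime_nanosec(sec, raw), .open_size = 4096 };
    bool hit = modified_at_close(&st, ctime_nanosec(sec + 1, 5u), 4100);
    printf("file_modification at close: %s\n", hit ? "yes" : "no");
    return 0;
}
```

The masked value is the one to compare against the stat pipeline from the test step; an unmasked reader disagrees with stat by exactly 2147483648 ns on any inode whose timestamp carries the flag.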