Filter mountpoint stored based on configuration

Molter73 · Molter73 · commit 1c58b678f0b7 · 2025-11-17T11:58:41.000+01:00
diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c
@@ -41,9 +41,11 @@ int BPF_PROG(trace_file_open, struct file* file) {
     return 0;
   }
 
+  /*
   if (!is_monitored(path)) {
     goto ignored;
   }
+  */
 
   struct dentry* d = BPF_CORE_READ(file, f_path.dentry);
   submit_event(&m->file_open, event_type, path->path, d);
@@ -79,10 +81,12 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
       goto error;
   }
 
+  /*
   if (!is_monitored(path)) {
     m->path_unlink.ignored++;
     return 0;
   }
+  */
 
   submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry);
   return 0;
diff --git a/fact/src/bpf.rs b/fact/src/bpf.rs
@@ -15,7 +15,10 @@ use tokio::{
 };
 
 use crate::{
-    event::{parser::EventParser, Event},
+    event::{
+        parser::{EventParser, EventParserError},
+        Event,
+    },
     host_info,
     metrics::EventCounter,
 };
@@ -51,7 +54,7 @@ impl Bpf {
 
         let paths = Vec::new();
         let (tx, _) = broadcast::channel(100);
-        let parser = EventParser::new()?;
+        let parser = EventParser::new(paths_config.borrow().as_slice())?;
         let mut bpf = Bpf {
             obj,
             tx,
@@ -182,7 +185,23 @@ impl Bpf {
                         while let Some(event) = ringbuf.next() {
                             let event: &event_t = unsafe { &*(event.as_ptr() as *const _) };
                             let event = match self.parser.parse(event) {
-                                Ok(event) => Arc::new(event),
+                                Ok(event) => event,
+                                Err(EventParserError::NotFound) => {
+                                    let paths_config = self.paths_config.borrow();
+                                    self.parser.refresh(paths_config.as_slice())?;
+                                    if self.parser.mountinfo.get(&event.dev).is_none() {
+                                        self.parser.mountinfo.insert_empty(event.dev);
+                                    }
+                                    match self.parser.parse(event) {
+                                        Ok(event) => event,
+                                        Err(e) => {
+                                            error!("Failed to parse event: '{e}'");
+                                            debug!("Event: {event:?}");
+                                            event_counter.dropped();
+                                            continue;
+                                        }
+                                    }
+                                }
                                 Err(e) => {
                                     error!("Failed to parse event: '{e}'");
                                     debug!("Event: {event:?}");
@@ -191,6 +210,12 @@ impl Bpf {
                                 }
                             };
 
+                            if !event.is_monitored(self.paths_config.borrow().as_slice()) {
+                                event_counter.ignored();
+                                continue;
+                            }
+                            let event = Arc::new(event);
+
                             event_counter.added();
                             if self.tx.send(event).is_err() {
                                 info!("No BPF consumers left, stopping...");
diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs
@@ -61,6 +61,18 @@ impl Event {
             file,
         })
     }
+
+    pub fn is_monitored(&self, paths: &[PathBuf]) -> bool {
+        let file = match &self.file {
+            FileData::Open(base_file_data) => base_file_data,
+            FileData::Creation(base_file_data) => base_file_data,
+            FileData::Unlink(base_file_data) => base_file_data,
+        };
+
+        paths
+            .iter()
+            .any(|prefix| file.filename.starts_with(prefix) || file.host_file.starts_with(prefix))
+    }
 }
 
 impl From<Event> for fact_api::FileActivity {
diff --git a/fact/src/event/parser.rs b/fact/src/event/parser.rs
@@ -1,36 +1,60 @@
+use std::{error::Error, fmt::Display, path::PathBuf};
+
 use fact_ebpf::event_t;
 
 use crate::{host_info, mount_info::MountInfo};
 
 use super::{process::Process, Event, FileData};
 
+#[derive(Debug)]
+pub(crate) enum EventParserError {
+    NotFound,
+    ProcessParse(String),
+    FileParse(String),
+}
+
+impl Error for EventParserError {}
+impl Display for EventParserError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            EventParserError::NotFound => write!(f, "mountpoint not found"),
+            EventParserError::ProcessParse(e) => write!(f, "Failed to parse process: {e}"),
+            EventParserError::FileParse(e) => write!(f, "Failed to parse file: {e}"),
+        }
+    }
+}
+
 pub(crate) struct EventParser {
-    mountinfo: MountInfo,
+    pub mountinfo: MountInfo,
 }
 
 impl EventParser {
-    pub(crate) fn new() -> anyhow::Result<Self> {
-        let mountinfo = MountInfo::new()?;
+    pub(crate) fn new(paths: &[PathBuf]) -> anyhow::Result<Self> {
+        let mountinfo = MountInfo::new(paths)?;
 
         Ok(EventParser { mountinfo })
     }
 
-    pub(crate) fn parse(&mut self, event: &event_t) -> anyhow::Result<Event> {
-        let process = Process::try_from(event.process)?;
+    pub(crate) fn refresh(&mut self, paths: &[PathBuf]) -> anyhow::Result<()> {
+        self.mountinfo.refresh(paths)
+    }
+
+    pub(crate) fn parse(&mut self, event: &event_t) -> Result<Event, EventParserError> {
+        let process = match Process::try_from(event.process) {
+            Ok(p) => p,
+            Err(e) => return Err(EventParserError::ProcessParse(e.to_string())),
+        };
         let timestamp = host_info::get_boot_time() + event.timestamp;
 
         let mounts = match self.mountinfo.get(&event.dev) {
             Some(mounts) => mounts,
-            None => {
-                self.mountinfo.refresh()?;
-                match self.mountinfo.get(&event.dev) {
-                    Some(mounts) => mounts,
-                    None => self.mountinfo.insert_empty(event.dev),
-                }
-            }
+            None => return Err(EventParserError::NotFound),
         };
 
-        let file = FileData::new(event.type_, event.filename, event.host_file, mounts)?;
+        let file = match FileData::new(event.type_, event.filename, event.host_file, mounts) {
+            Ok(f) => f,
+            Err(e) => return Err(EventParserError::FileParse(e.to_string())),
+        };
 
         Ok(Event {
             timestamp,
diff --git a/fact/src/metrics/mod.rs b/fact/src/metrics/mod.rs
@@ -97,6 +97,19 @@ impl EventCounter {
             .unwrap()
             .inc_by(n);
     }
+
+    /// Increment the counter for the Ignored label.
+    ///
+    /// Panics if the counter did not add the Ignored label as part of
+    /// its creation step.
+    pub fn ignored(&self) {
+        self.counter
+            .get(&MetricEvents {
+                label: LabelValues::Ignored,
+            })
+            .unwrap()
+            .inc();
+    }
 }
 
 #[derive(Debug, Clone)]
diff --git a/fact/src/mount_info.rs b/fact/src/mount_info.rs
@@ -18,13 +18,13 @@ pub struct MountEntry {
 pub struct MountInfo(HashMap<u32, Vec<MountEntry>>);
 
 impl MountInfo {
-    pub fn new() -> anyhow::Result<Self> {
-        let cache = MountInfo::build_cache()?;
+    pub fn new(paths: &[PathBuf]) -> anyhow::Result<Self> {
+        let cache = MountInfo::build_cache(paths)?;
         Ok(MountInfo(cache))
     }
 
-    pub fn refresh(&mut self) -> anyhow::Result<()> {
-        let cache = MountInfo::build_cache()?;
+    pub fn refresh(&mut self, paths: &[PathBuf]) -> anyhow::Result<()> {
+        let cache = MountInfo::build_cache(paths)?;
         self.0 = cache;
         Ok(())
     }
@@ -54,7 +54,7 @@ impl MountInfo {
         self.0.entry(k).or_default()
     }
 
-    fn build_cache() -> anyhow::Result<HashMap<u32, Vec<MountEntry>>> {
+    fn build_cache(paths: &[PathBuf]) -> anyhow::Result<HashMap<u32, Vec<MountEntry>>> {
         let host_mount = host_info::get_host_mount();
         let path = PathBuf::from("/proc/self/mountinfo");
         if !path.exists() {
@@ -93,7 +93,14 @@ impl MountInfo {
         for i in mountinfo_it {
             let (dev, mountinfo) = i?;
             let entry: &mut Vec<MountEntry> = cache.entry(dev).or_default();
-            if mountinfo.root != Path::new("/") && mountinfo.root != mountinfo.mount_point {
+
+            if mountinfo.root != Path::new("/")
+                && mountinfo.root != mountinfo.mount_point
+                && paths.iter().any(|monitored_path| {
+                    mountinfo.mount_point.starts_with(monitored_path)
+                        || monitored_path.starts_with(&mountinfo.mount_point)
+                })
+            {
                 entry.push(mountinfo);
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -41,9 +41,11 @@ int BPF_PROG(trace_file_open, struct file* file) {`
`41`	`41`	`return 0;`
`42`	`42`	`}`
`43`	`43`
	`44`	`+ /*`
`44`	`45`	`if (!is_monitored(path)) {`
`45`	`46`	`goto ignored;`
`46`	`47`	`}`
	`48`	`+ */`
`47`	`49`
`48`	`50`	`struct dentry* d = BPF_CORE_READ(file, f_path.dentry);`
`49`	`51`	`submit_event(&m->file_open, event_type, path->path, d);`
`@@ -79,10 +81,12 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {`
`79`	`81`	`goto error;`
`80`	`82`	`}`
`81`	`83`
	`84`	`+ /*`
`82`	`85`	`if (!is_monitored(path)) {`
`83`	`86`	`m->path_unlink.ignored++;`
`84`	`87`	`return 0;`
`85`	`88`	`}`
	`89`	`+ */`
`86`	`90`
`87`	`91`	`submit_event(&m->path_unlink, FILE_ACTIVITY_UNLINK, path->path, dentry);`
`88`	`92`	`return 0;`