bpfink is using BPF to trace file events in the kernels space. While most users of BPF rely on BCC. Which does JIT compilation of BPF programs. This introduces a hard requires every host to have llvm, and c-lang to be installed. We decided, it is much simpler to pre-compile the BPF program into an ELF file and load this in at runtime. We build out multiple ELF files per Kernel Major.Minor versions. Right now we build packages per Kernel Major.Minor version.
The current plan is to build out all Kernel Major.Minor versions of the ELF file, and give bpfink the ability to pick the correct version at runtime.
Right now the BPF program has two probes vfs_write and vfs_rename. The vfs_write probe covers most traditional file write events. When the probe is triggered, we read in inode number from the event. Using a hash map build out of inodes from files we want to monitor, we check to see if the inode number exists in the hashmap. If it does, we send an event to user space with a ring buffer map.
Some programs like passwd, want to write files atomically. One way to approach this is to write to a different file, and using rename syscall. This allows for the temp file to become the real file in one atomic function call. In order to catch these types of events. The probe vfs_rename looks for old inode numbers in our hashmap. If the inode exists, we send an event to userspace via the ring buffer. Where the user space program reload the file into the hashmap. So that future changes can be monitored.
There has been some research into monitoring mmap on files, so that events can be sent to user space. This will likely be achieved by coupling multiple probes together:
vma_linksys_msyncfd_installvfs_unlinkvfs_openvfs_rmdirdone_path_create
There are other linux system function calls that will need to have probes implemented as well.