aa-ebpf 0.0.1-alpha.8

eBPF-based kernel-level monitoring hooks for Agent Assembly
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

//! Event types emitted by eBPF probes.
//!
//! Re-exports shared event types from [`aa_ebpf_common`] and defines
//! userspace-only event types for file I/O kprobes.

pub use aa_ebpf_common::exec::{
    AlertLevel, ExecEvent, ProcessExitEvent, ProcessNode, ProcessSpawnEvent, ShellInjectionAlert, MAX_ARGV_ENTRIES,
    MAX_ARGV_LEN, MAX_EXECUTABLE_LEN,
};

use crate::error::EbpfError;
use crate::syscall::SyscallKind;
use aa_ebpf_common::file::{FileIoEventRaw, SyscallType};

/// A file I/O event captured by a kprobe.
///
/// Each event represents a single syscall interception with the metadata
/// needed to evaluate governance policies (PID lineage, file path, flags).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct FileIoEvent {
    /// Process ID of the intercepted syscall.
    pub pid: u32,
    /// Thread ID of the intercepted syscall.
    pub tid: u32,
    /// Kernel timestamp in nanoseconds (from `bpf_ktime_get_ns`).
    pub timestamp_ns: u64,
    /// Which syscall was intercepted.
    pub syscall: SyscallKind,
    /// File path associated with the syscall.
    pub path: String,
    /// Syscall-specific flags (e.g., `O_RDONLY` for `openat`).
    pub flags: u32,
    /// Syscall return code (`0` for success on entry probes).
    pub return_code: i64,
    /// Whether this event matched a blocklisted path (flags bit 0).
    pub is_sensitive: bool,
    /// End-to-end syscall duration in nanoseconds (`exit_ts − enter_ts`).
    ///
    /// `0` when the syscall has only an entry hook today (read /
    /// write / unlink / rename — tracked under the AAASM-1425 follow-up).
    /// Populated for `openat` via the entry-timestamp map.
    pub duration_ns: u64,
}

impl FileIoEvent {
    /// Parse a [`FileIoEventRaw`] received from the BPF perf event array
    /// into a userspace-friendly [`FileIoEvent`].
    pub fn from_raw(raw: &FileIoEventRaw) -> Result<Self, EbpfError> {
        let syscall = match raw.syscall {
            SyscallType::Openat => SyscallKind::Openat,
            SyscallType::Read => SyscallKind::Read,
            SyscallType::Write => SyscallKind::Write,
            SyscallType::Unlink => SyscallKind::Unlink,
            SyscallType::Rename => SyscallKind::Rename,
        };

        // Extract the null-terminated path from the fixed-size buffer.
        let nul_pos = raw.path.iter().position(|&b| b == 0).unwrap_or(raw.path.len());
        let path = core::str::from_utf8(&raw.path[..nul_pos])
            .map_err(|e| EbpfError::EventParse(format!("invalid UTF-8 in path: {e}")))?
            .to_string();

        Ok(Self {
            pid: raw.pid,
            tid: raw.tid,
            timestamp_ns: raw.timestamp_ns,
            syscall,
            path,
            flags: raw.flags,
            return_code: raw.return_code,
            is_sensitive: raw.flags & 1 != 0,
            duration_ns: raw.duration_ns,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use aa_ebpf_common::file::MAX_PATH_LEN;

    fn make_raw(path: &str, syscall: SyscallType, flags: u32) -> FileIoEventRaw {
        let mut path_buf = [0u8; MAX_PATH_LEN];
        let bytes = path.as_bytes();
        path_buf[..bytes.len()].copy_from_slice(bytes);
        FileIoEventRaw {
            pid: 42,
            tid: 43,
            timestamp_ns: 1_000_000,
            syscall,
            flags,
            return_code: 3,
            duration_ns: 0,
            path: path_buf,
        }
    }

    #[test]
    fn file_io_event_construction() {
        let event = FileIoEvent {
            pid: 1234,
            tid: 1234,
            timestamp_ns: 999_999,
            syscall: SyscallKind::Openat,
            path: "/etc/shadow".into(),
            flags: 0,
            return_code: 0,
            is_sensitive: false,
            duration_ns: 0,
        };
        assert_eq!(event.pid, 1234);
        assert_eq!(event.syscall, SyscallKind::Openat);
        assert_eq!(event.path, "/etc/shadow");
    }

    #[test]
    fn from_raw_carries_duration_ns_through() {
        let mut raw = make_raw("/tmp/timed.txt", SyscallType::Openat, 0);
        raw.duration_ns = 123_456;
        let event = FileIoEvent::from_raw(&raw).expect("parse");
        assert_eq!(event.duration_ns, 123_456);
    }

    #[test]
    fn from_raw_parses_openat() {
        let raw = make_raw("/tmp/test.txt", SyscallType::Openat, 0);
        let event = FileIoEvent::from_raw(&raw).unwrap();
        assert_eq!(event.pid, 42);
        assert_eq!(event.tid, 43);
        assert_eq!(event.timestamp_ns, 1_000_000);
        assert_eq!(event.syscall, SyscallKind::Openat);
        assert_eq!(event.path, "/tmp/test.txt");
        assert_eq!(event.return_code, 3);
        assert!(!event.is_sensitive);
    }

    #[test]
    fn from_raw_parses_all_syscall_types() {
        let cases = [
            (SyscallType::Openat, SyscallKind::Openat),
            (SyscallType::Read, SyscallKind::Read),
            (SyscallType::Write, SyscallKind::Write),
            (SyscallType::Unlink, SyscallKind::Unlink),
            (SyscallType::Rename, SyscallKind::Rename),
        ];
        for (raw_kind, expected_kind) in cases {
            let raw = make_raw("/x", raw_kind, 0);
            let event = FileIoEvent::from_raw(&raw).unwrap();
            assert_eq!(event.syscall, expected_kind);
        }
    }

    #[test]
    fn from_raw_sensitive_flag() {
        let raw = make_raw("/etc/shadow", SyscallType::Openat, 1);
        let event = FileIoEvent::from_raw(&raw).unwrap();
        assert!(event.is_sensitive);
    }

    #[test]
    fn from_raw_no_sensitive_flag() {
        let raw = make_raw("/tmp/ok", SyscallType::Read, 0);
        let event = FileIoEvent::from_raw(&raw).unwrap();
        assert!(!event.is_sensitive);
    }

    #[test]
    fn from_raw_truncates_at_null() {
        let raw = make_raw("/a", SyscallType::Write, 0);
        let event = FileIoEvent::from_raw(&raw).unwrap();
        assert_eq!(event.path, "/a");
    }

    #[test]
    fn from_raw_empty_path() {
        let raw = make_raw("", SyscallType::Unlink, 0);
        let event = FileIoEvent::from_raw(&raw).unwrap();
        assert_eq!(event.path, "");
    }
}