aa-ebpf 0.0.1-alpha.9

eBPF-based kernel-level monitoring hooks for Agent Assembly
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

//! BPF map types and constants for path filtering.

/// Maximum number of path patterns in the BPF hash map.
pub const MAX_PATH_PATTERNS: u32 = 256;

/// Maximum byte length of a single path pattern stored in a BPF map entry.
pub const MAX_PATH_LEN: usize = 256;

/// Whether matching a path pattern should allow or deny the operation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(u8)]
pub enum PathVerdict {
    /// The path is allowed — no policy violation.
    Allow = 0,
    /// The path is blocked — triggers a policy violation event.
    Deny = 1,
}

/// A path pattern entry stored in a BPF hash map.
///
/// Userspace writes these entries to configure which file paths the kprobes
/// should flag. The map is updatable at runtime without reloading the eBPF
/// programs.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PathPattern {
    /// The path prefix or exact path to match (e.g., `/etc/shadow`).
    pub pattern: String,
    /// Whether matching this pattern should allow or deny the operation.
    pub verdict: PathVerdict,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn path_pattern_construction() {
        let pattern = PathPattern {
            pattern: "/etc/shadow".into(),
            verdict: PathVerdict::Deny,
        };
        assert_eq!(pattern.pattern, "/etc/shadow");
        assert_eq!(pattern.verdict, PathVerdict::Deny);
    }

    #[test]
    fn constants_have_expected_values() {
        assert_eq!(MAX_PATH_PATTERNS, 256);
        assert_eq!(MAX_PATH_LEN, 256);
    }
}