assay-common 3.9.1

Common shared types and utilities for the Assay framework.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211

#![no_std]
#![allow(unsafe_code)]

#[cfg(feature = "std")]
extern crate std;

#[cfg(feature = "std")]
pub mod exports;

pub const EVENT_OPENAT: u32 = 1;
pub const EVENT_CONNECT: u32 = 2;
pub const EVENT_FORK: u32 = 3;
pub const EVENT_EXEC: u32 = 4;
pub const EVENT_EXIT: u32 = 5;

pub const KEY_MONITOR_ALL: u32 = 100;

pub const EVENT_FILE_BLOCKED: u32 = 10;
pub const EVENT_CONNECT_BLOCKED: u32 = 20;

pub const DATA_LEN: usize = 512;

pub const MONITOR_STATS_LEN: u32 = 10;
pub const MONITOR_STAT_TRACEPOINT_EVENTS_EMITTED: u32 = 0;
pub const MONITOR_STAT_TRACEPOINT_RINGBUF_DROPPED: u32 = 1;
pub const MONITOR_STAT_LSM_EVENTS_EMITTED: u32 = 2;
pub const MONITOR_STAT_LSM_RINGBUF_DROPPED: u32 = 3;

pub const SOCKET_STATS_LEN: u32 = 8;
pub const SOCKET_STAT_CHECKS: u32 = 0;
pub const SOCKET_STAT_BLOCKED_CIDR: u32 = 1;
pub const SOCKET_STAT_BLOCKED_PORT: u32 = 2;
pub const SOCKET_STAT_ALLOWED: u32 = 3;
pub const SOCKET_STAT_EVENTS_EMITTED: u32 = 4;
pub const SOCKET_STAT_RINGBUF_DROPPED: u32 = 5;

#[repr(C)]
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub struct MonitorEvent {
    pub pid: u32,
    pub event_type: u32,
    pub data: [u8; DATA_LEN],
}

/// Key used to identify an inode in BPF maps.
///
/// # ABI and kernel assumptions
///
/// This struct is `#[repr(C)]` and used across the eBPF/userspace boundary,
/// so its layout must remain in sync with the corresponding kernel/BPF-side
/// definition.
///
/// The `dev` field stores the kernel's encoded `dev_t` value (e.g. from
/// `super_block.s_dev`) as a `u32`. On modern Linux kernels, this uses the
/// `new_encode_dev()` format:
///   (minor & 0xff) | ((major & 0xfff) << 8) | ((minor & 0xfffff00) << 12)
/// This matches `sb->s_dev` seen by eBPF.
#[repr(C)]
#[derive(Clone, Copy, Debug, Eq, PartialEq, Hash)]
pub struct InodeKey {
    pub ino: u64,
    pub dev: u32,
    pub gen: u32,
}

/// Explicit 16-byte key for BPF Map Lookups (ino + dev + gen).
/// Layout: | ino (8) | dev (4) | gen (4) | = 16 bytes.
/// Guarantees dense packing without padding issues.
#[repr(C)]
#[derive(Clone, Copy, Debug, Eq, PartialEq, Hash)]
pub struct InodeKeyMap {
    pub ino: u64,
    pub dev: u32,
    pub gen: u32,
}

/// Encode userspace dev_t into Linux kernel's `new_encode_dev()` format (sb->s_dev).
/// This matches include/linux/kdev_t.h:
///   new_encode_dev(MKDEV(major,minor)) for 32-bit dev_t encoding used in-kernel.
#[cfg(target_os = "linux")]
pub fn encode_kernel_dev(dev: u64) -> u32 {
    // Replicate Linux/glibc major()/minor() from <sys/sysmacros.h>
    // major(dev) = ((dev >> 8) & 0xfff)
    // minor(dev) = (dev & 0xff) | ((dev >> 12) & 0xfff00)
    let major = ((dev >> 8) & 0xfff) as u32;
    let minor = ((dev & 0xff) | ((dev >> 12) & 0xfff00)) as u32;

    // new_encode_dev:
    // (minor & 0xff) | ((major & 0xfff) << 8) | ((minor & 0xfffff00) << 12)
    (minor & 0xff) | ((major & 0xfff) << 8) | ((minor & 0xfffff00) << 12)
}

// Event ID for Inode Resolution telemetry
pub const EVENT_INODE_RESOLVED: u32 = 112;

// Shared ABI struct for Event 112
#[repr(C)]
#[derive(Clone, Copy, Debug)]
pub struct InodeResolved {
    pub dev: u64, // s_dev cast to u64
    pub ino: u64, // i_ino
    pub gen: u32, // i_generation
    pub _pad: u32,
}

#[cfg(all(target_os = "linux", feature = "user"))]
unsafe impl aya::Pod for InodeResolved {}

#[cfg(all(target_os = "linux", feature = "user"))]
unsafe impl aya::Pod for InodeKeyMap {}

#[cfg(all(target_os = "linux", feature = "user"))]
unsafe impl aya::Pod for InodeKey {}

#[cfg(all(target_os = "linux", feature = "user"))]
const _: () = {
    fn _assert_pod<T: aya::Pod>() {}
    fn _check() {
        _assert_pod::<InodeKeyMap>();
    }
};

impl MonitorEvent {
    pub const fn zeroed() -> Self {
        Self {
            pid: 0,
            event_type: 0,
            data: [0u8; DATA_LEN],
        }
    }
}

impl Default for MonitorEvent {
    fn default() -> Self {
        Self::zeroed()
    }
}

// -----------------------------
// Compile-time ABI/layout checks
// -----------------------------

// Exact size: 4 + 4 + 512 = 520 bytes
const _: [(); 520] = [(); core::mem::size_of::<MonitorEvent>()];

// Alignment should be 4 on all sane targets; if this fails, your ABI is different.
const _: [(); 4] = [(); core::mem::align_of::<MonitorEvent>()];

#[cfg(all(target_os = "linux", feature = "std"))]
pub fn get_inode_generation(fd: std::os::fd::RawFd) -> std::io::Result<u32> {
    use nix::libc;
    use nix::request_code_read;

    // FS_IOC_GETVERSION is defined as _IOR('v', 1, long) in uapi/linux/fs.h
    // Kernel returns i_generation (32-bit value).
    // Best-effort: read into libc::c_long and cast to u32.

    // build ioctl request code: _IOR('v', 1, long)
    const fn fs_ioc_getversion() -> libc::c_ulong {
        request_code_read!(b'v', 1, core::mem::size_of::<libc::c_long>()) as libc::c_ulong
    }

    let mut out: libc::c_long = 0;
    // Safety: ioctl is unsafe, passing valid fd and pointer to initialized memory (0)
    // Cast request code to whatever the platform libc expects (c_ulong or c_int)
    let rc = unsafe { libc::ioctl(fd, fs_ioc_getversion() as _, &mut out) };
    if rc < 0 {
        return Err(std::io::Error::last_os_error());
    }
    Ok(out as u32)
}

#[cfg(all(target_os = "linux", feature = "std"))]
pub mod strict_open {
    use libc::c_long;
    use std::{ffi::CStr, mem::size_of};

    #[repr(C)]
    pub struct OpenHow {
        pub flags: u64,
        pub mode: u64,
        pub resolve: u64,
    }

    // UAPI openat2 resolve flags (uapi/linux/openat2.h)
    pub const RESOLVE_NO_SYMLINKS: u64 = 0x04;
    // pub const RESOLVE_BENEATH: u64 = 0x08; // Too strict for some CI setups (cross-device /tmp)

    pub fn openat2_strict(path: &CStr) -> std::io::Result<i32> {
        let how = OpenHow {
            flags: (libc::O_RDONLY | libc::O_NONBLOCK | libc::O_CLOEXEC) as u64,
            mode: 0,
            resolve: RESOLVE_NO_SYMLINKS, // Removed RESOLVE_BENEATH to avoid EXDEV in CI
        };

        let fd = unsafe {
            libc::syscall(
                libc::SYS_openat2,
                libc::AT_FDCWD,
                path.as_ptr(),
                &how as *const OpenHow,
                size_of::<OpenHow>(),
            ) as c_long
        };

        if fd < 0 {
            return Err(std::io::Error::last_os_error());
        }
        Ok(fd as i32)
    }
}