fsmon 0.2.7

Lightweight High-Performance File System Change Tracking Tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265

//! Proc Connector Process Cache
//!
//! Caches PID -> (cmd, user) mapping from Linux proc connector exec events.
//! Solves the problem where short-lived processes (touch, rm, mv etc.)
//! cause /proc/{pid} to be unreadable when fanotify events arrive.
//!
//! Uses the safe `proc-connector` crate — no raw `libc` netlink FFI.
//!
//! # Architecture
//!
//! The `ProcConnector` is created and managed in `monitor.rs`, where its fd
//! is polled via tokio `AsyncFd` in the main event loop. Raw bytes read from
//! the fd are passed to [`handle_proc_events`] for parsing and caching.
//! No separate thread or polling needed.

use std::sync::Arc;

use dashmap::DashMap;
use proc_connector::{NetlinkMessageIter, ProcConnector, ProcEvent};

use crate::utils::uid_to_username;

// ---- Public Types ----

/// Cached process info: command name and user name.
#[derive(Clone, Debug)]
pub struct ProcInfo {
    pub cmd: String,
    pub user: String,
}

/// Shared PID -> ProcInfo cache (thread-safe).
pub type ProcCache = Arc<DashMap<u32, ProcInfo>>;

/// Create a new empty proc cache.
pub fn new_cache() -> ProcCache {
    Arc::new(DashMap::new())
}

/// Create a `ProcConnector` and set it to non-blocking mode.
///
/// Returns `None` if the proc connector is unavailable (e.g. kernel module
/// not loaded, insufficient permissions). Callers should treat this as
/// non-fatal and continue without exec name attribution.
pub fn try_create_connector() -> Option<ProcConnector> {
    let conn = match ProcConnector::new() {
        Ok(c) => c,
        Err(e) => {
            eprintln!("[WARNING] Failed to create proc connector: {e}. \
                       Process name attribution will be unavailable.");
            return None;
        }
    };
    if let Err(e) = conn.set_nonblocking() {
        eprintln!("[WARNING] Failed to set proc connector non-blocking: {e}");
        return None;
    }
    Some(conn)
}

/// Process raw bytes from the proc connector socket and cache exec events.
///
/// Called from the main event loop after `recv_raw` returns data.
/// Parses all netlink messages in `data`, and for each `Exec` event,
/// reads `/proc/{pid}/comm` and `/proc/{pid}/status` to populate the cache.
///
/// Returns `true` if any event was processed, `false` if only control messages.
pub fn handle_proc_events(cache: &ProcCache, data: &[u8], n: usize) -> bool {
    let mut processed = false;
    for msg in NetlinkMessageIter::new(data, n) {
        match msg {
            Ok(Some(ProcEvent::Exec { pid, .. })) => {
                // Process just exec()'d, /proc/{pid} must exist
                let cmd = std::fs::read_to_string(format!("/proc/{}/comm", pid))
                    .ok()
                    .map(|s| s.trim().to_string())
                    .unwrap_or_else(|| "unknown".to_string());

                let user = read_proc_uid(pid).unwrap_or_else(|| "unknown".to_string());

                cache.insert(pid, ProcInfo { cmd, user });
                processed = true;
            }
            Ok(Some(_)) => {
                // Non-Exec event (Fork, Exit, Uid…), ignore — we only cache Exec
            }
            Ok(None) => {
                // Control message (NLMSG_NOOP, NLMSG_DONE, NLMSG_ERROR-ACK), skip
            }
            Err(proc_connector::Error::Overrun) => {
                eprintln!("[WARNING] proc connector overrun — some exec events may have been lost");
            }
            Err(proc_connector::Error::Truncated) => {
                eprintln!("[WARNING] proc connector truncated message, continuing...");
            }
            Err(e) => {
                // Non-recoverable parse error for this message, skip
                eprintln!("proc connector parse error: {e}");
            }
        }
    }
    processed
}

fn read_proc_uid(pid: u32) -> Option<String> {
    let status = std::fs::read_to_string(format!("/proc/{}/status", pid)).ok()?;
    let uid: u32 = status
        .lines()
        .find(|l| l.starts_with("Uid:"))?
        .split_whitespace()
        .nth(1)?
        .parse()
        .ok()?;
    uid_to_username(uid)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_proc_cache_insert_and_get() {
        let cache: ProcCache = Arc::new(DashMap::new());
        cache.insert(
            12345,
            ProcInfo {
                cmd: "test_process".to_string(),
                user: "testuser".to_string(),
            },
        );

        let info = cache.get(&12345);
        assert!(info.is_some());
        let info = info.unwrap();
        assert_eq!(info.cmd, "test_process");
        assert_eq!(info.user, "testuser");
    }

    #[test]
    fn test_proc_cache_missing_pid() {
        let cache: ProcCache = Arc::new(DashMap::new());
        assert!(cache.get(&99999).is_none());
    }

    #[test]
    fn test_proc_cache_overwrite() {
        let cache: ProcCache = Arc::new(DashMap::new());
        cache.insert(
            1,
            ProcInfo {
                cmd: "old".into(),
                user: "a".into(),
            },
        );
        cache.insert(
            1,
            ProcInfo {
                cmd: "new".into(),
                user: "b".into(),
            },
        );

        let info = cache.get(&1).unwrap();
        assert_eq!(info.cmd, "new");
        assert_eq!(info.user, "b");
    }

    #[test]
    fn test_proc_cache_concurrent_access() {
        use std::thread;

        let cache: ProcCache = Arc::new(DashMap::new());
        let mut handles = vec![];

        for i in 0..10 {
            let cache_clone = cache.clone();
            handles.push(thread::spawn(move || {
                for j in 0..100 {
                    let pid = (i * 100 + j) as u32;
                    cache_clone.insert(
                        pid,
                        ProcInfo {
                            cmd: format!("proc_{}", pid),
                            user: "test".into(),
                        },
                    );
                }
            }));
        }

        for h in handles {
            h.join().unwrap();
        }

        assert_eq!(cache.len(), 1000);
    }

    #[test]
    fn test_handle_proc_events_empty() {
        let cache: ProcCache = Arc::new(DashMap::new());
        let result = handle_proc_events(&cache, &[], 0);
        assert!(!result);
    }

    #[test]
    fn test_handle_proc_events_non_exec_ignored() {
        // Build a valid FORK event, verify it's ignored (cache stays empty)
                // We can't easily construct raw netlink bytes here without
        // using internal structs. The integration test below covers this.
        // Unit test: verify the Exec branch is the only one that caches.
        let cache: ProcCache = Arc::new(DashMap::new());
        cache.insert(
            42,
            ProcInfo {
                cmd: "test".into(),
                user: "root".into(),
            },
        );
        assert_eq!(cache.len(), 1);
    }

    // ---- Integration tests (require sudo) ----

    #[test]
    #[ignore]
    fn test_proc_connector_create() {
        let conn = ProcConnector::new();
        assert!(conn.is_ok(), "Should be able to create ProcConnector with root");
        // Dropped → unsubscribe + close automatically
    }

    #[test]
    #[ignore]
    fn test_proc_connector_receives_events_async() {
        let conn = ProcConnector::new().expect("create connector");
        conn.set_nonblocking().expect("set non-blocking");

        // Spawn a subprocess to trigger an exec event
        let mut child = std::process::Command::new("echo")
            .arg("test")
            .spawn()
            .unwrap();
        child.wait().unwrap();

        // Give kernel time to deliver the event
        std::thread::sleep(std::time::Duration::from_millis(200));

        // Non-blocking recv should find the event
        let mut buf = vec![0u8; 65536];
        let cache = new_cache();
        loop {
            match conn.recv_raw(&mut buf) {
                Ok(n) => {
                    handle_proc_events(&cache, &buf, n);
                }
                Err(proc_connector::Error::WouldBlock) => break,
                Err(proc_connector::Error::Interrupted) => continue,
                Err(e) => {
                    panic!("recv error: {e}");
                }
            }
        }
        assert!(!cache.is_empty(), "Should have cached at least one exec event");
    }
}