Struct OriginRecord

Source

#[repr(C)]pub struct OriginRecord {
    pub version: u32,
    pub pid: u32,
    pub ts_boot_ns: u64,
    pub comm: [u8; 16],
    pub creator_uid: u32,
    pub _pad: u32,
    pub creator_path_hash: u64,
    pub landing_folder_hash: u64,
    pub landing_basename_hash: u64,
    pub landing_ancestor_hashes: [u64; 32],
}

Expand description

Provenance record. Carried in the security.bpf.linprov.origin xattr and in the INODE_MARKS storage map. Fixed 64 bytes — every variable-length field is an FNV-1a-64 hash, so the record never grows with path length and always fits a single xattr block.

Filled in stages:

BPF file_open sets version, pid, ts_boot_ns, comm, creator_uid, and the two landing hashes (landing_folder_hash, landing_basename_hash), computed in one pass over the landing path. creator_path_hash is left 0 — BPF can’t cheaply resolve the creator’s exe path here.
Userspace, on the corresponding ringbuf event, reads /proc/$pid/exe, fills creator_path_hash, and overwrites the xattr with the augmented record. It also records each hash → path mapping in the plaintext audit db so logs, soak, and the user’s own grep can resolve hashes back to paths.

creator_path_hash == 0 is the “not yet augmented” sentinel: bprm_check_security reads the storage record first and falls through to the xattr when it sees a zero creator hash. Rules keyed on creator_process won’t match an unaugmented record, but other dims still do.

Fields§

§version: u32§pid: u32§ts_boot_ns: u64§comm: [u8; 16]§creator_uid: u32§_pad: u32§creator_path_hash: u64

FNV-1a-64 of the creator’s full exe path (/proc/$pid/exe). 0 until userspace augments the record.

§landing_folder_hash: u64

FNV-1a-64 of the landing file’s immediate parent directory, including the trailing / (matches normalize_folder). Always the immediate parent regardless of depth — used for exact landing_folder matching and for soak/log resolution.

§landing_basename_hash: u64

FNV-1a-64 of the landing file’s basename (final path component, no slash).

§landing_ancestor_hashes: [u64; 32]

FNV-1a-64 of each /-terminated ancestor of the landing path (shallow → deep), up to MAX_FOLDER_ANCESTORS. Enables nested landing_folder matching: a rule whose folder hash equals any entry matches. Unused slots are 0.

OriginRecord

Struct OriginRecord Copy item path

Fields§

Trait Implementations§

impl Clone for OriginRecord

fn clone(&self) -> OriginRecord

fn clone_from(&mut self, source: &Self)

impl Copy for OriginRecord

Auto Trait Implementations§

impl Freeze for OriginRecord

impl RefUnwindSafe for OriginRecord

impl Send for OriginRecord

impl Sync for OriginRecord

impl Unpin for OriginRecord

impl UnsafeUnpin for OriginRecord

impl UnwindSafe for OriginRecord

Blanket Implementations§

impl<T> Any for Twhere T: 'static + ?Sized,

fn type_id(&self) -> TypeId

impl<T> Borrow<T> for Twhere T: ?Sized,

fn borrow(&self) -> &T

impl<T> BorrowMut<T> for Twhere T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

impl<T> CloneToUninit for Twhere T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

impl<T> From<T> for T

fn from(t: T) -> T

impl<T, U> Into<U> for Twhere U: From<T>,

fn into(self) -> U

impl<T, U> TryFrom<U> for Twhere U: Into<T>,

type Error = Infallible

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

impl<T, U> TryInto<U> for Twhere U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Struct OriginRecord

impl<T> Any for T
where T: 'static + ?Sized,

impl<T> Borrow<T> for T
where T: ?Sized,

impl<T> BorrowMut<T> for T
where T: ?Sized,

impl<T> CloneToUninit for T
where T: Clone,

impl<T, U> Into<U> for T
where U: From<T>,

impl<T, U> TryFrom<U> for T
where U: Into<T>,

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,