Building a Custom eBPF Filesystem Watcher to Catch Root Ownership Goofs
a day ago
- #eBPF
- #Filesystem Monitoring
- #Linux Kernel
- Customized systems often need manual maintenance, which invites errors such as incorrect file ownership that breaks a service restart.
- Existing controls such as file permissions, ACLs, and SELinux policies could address this, but building a filesystem watcher was explored as a more engaging approach.
- Attempt 1 used fanotify, the Linux kernel API for filesystem event monitoring, but ran into limitations: directory marks are not recursive, and identifying the credentials of the acting process takes extra steps beyond the reported pid.
- Attempt 2 explored eBPF for running programs in kernel space, which offers performance benefits but brings challenges such as an unstable kernel ABI and the complexity of filtering on file paths from kernel space.
- A solution was developed using eBPF to walk the directory tree within constraints, utilizing the dentry struct and RCU locks for safe traversal.
- LSM hooks were identified as a more stable alternative for future exploration, offering semantic meaning and reduced event filtering.
- The project provided deep insights into Linux kernel internals and eBPF, highlighting the tool's power and the importance of careful usage.
- The experience underscored the value of thorough documentation review and the challenges of integrating scattered information sources.
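The following is an added example, not code from the original post, illustrating the two fanotify limitations noted in the first attempt: a plain directory mark covers only direct children of the watched directory, and an event carries only the writer's pid, so the uid has to be looked up separately in `/proc/<pid>/status`. The watcher flags writes to root-owned files, the kind of ownership goof the post is about. `WATCH_DIR` is an assumed placeholder, and `fanotify_init` needs `CAP_SYS_ADMIN`.

```c
// Added example (not from the original post): minimal fanotify watcher that
// reports who wrote a file and whether that file is root-owned.
// WATCH_DIR is an assumed placeholder path.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fanotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define WATCH_DIR "/srv/app"   /* assumed placeholder, adjust to taste */

/* Parse the real uid out of the text of /proc/<pid>/status.
 * Returns the uid, or -1 if no usable "Uid:" line is present. */
long parse_uid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            char *end;
            long uid = strtol(line + 4, &end, 10);
            return end == line + 4 ? -1 : uid;   /* -1 if no number follows */
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* The extra step fanotify forces on you: pid -> uid via /proc. */
long uid_of_pid(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    return parse_uid_from_status(buf);
}

/* A root-owned file being written is the ownership goof worth flagging. */
int is_root_owned(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return st.st_uid == 0;
}

int main(void)
{
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }

    /* A directory mark only covers entries directly inside WATCH_DIR;
     * every subdirectory would need its own mark (the non-recursive limitation). */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_ONLYDIR,
                      FAN_CLOSE_WRITE | FAN_EVENT_ON_CHILD, AT_FDCWD, WATCH_DIR) < 0) {
        perror("fanotify_mark");
        return 1;
    }

    char buf[8192];
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) { if (errno == EINTR) continue; break; }
        for (struct fanotify_event_metadata *ev = (void *)buf;
             FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->vers != FANOTIFY_METADATA_VERSION || ev->fd < 0) continue;
            char link[64], path[PATH_MAX];
            snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
            ssize_t pl = readlink(link, path, sizeof path - 1);   /* fd -> path */
            path[pl > 0 ? pl : 0] = '\0';
            long uid = uid_of_pid(ev->pid);                       /* pid -> uid */
            printf("%s written by pid %d (uid %ld)%s\n", path, (int)ev->pid, uid,
                   is_root_owned(ev->fd) ? "  <-- file is root-owned" : "");
            close(ev->fd);   /* each event hands you an fd you must close */
        }
    }
    close(fan);
    return 0;
}
```

Run it as root and write a file directly under `WATCH_DIR`; a write in a subdirectory produces no event, which is exactly why the post moved on to walking the tree itself. The `/proc` lookups are also racy: the writing process may have exited before the uid is read, so the tool must tolerate a `-1` result.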