ROX-33199: unlink inode tracking (#429)

ovalenti · web-flow · commit 26b043de973a · 2026-04-09T17:08:50.000+02:00
diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c
@@ -94,6 +94,9 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
     return 0;
   }
 
+  // We only support files with one link for now
+  inode_remove(&inode_key);
+
   submit_unlink_event(&m->path_unlink,
                       path->path,
                       inode_to_submit,
diff --git a/fact/src/config/mod.rs b/fact/src/config/mod.rs
@@ -209,13 +209,14 @@ impl TryFrom<Vec<Yaml>> for FactConfig {
                     config.hotreload = Some(hotreload);
                 }
                 "scan_interval" => {
+                    // scan_internal == 0 disables the scanner
                     if let Some(scan_interval) = v.as_f64() {
-                        if scan_interval <= 0.0 {
+                        if scan_interval < 0.0 {
                             bail!("invalid scan_interval: {scan_interval}");
                         }
                         config.scan_interval = Some(Duration::from_secs_f64(scan_interval));
                     } else if let Some(scan_interval) = v.as_i64() {
-                        if scan_interval <= 0 {
+                        if scan_interval < 0 {
                             bail!("invalid scan_interval: {scan_interval}");
                         }
                         config.scan_interval = Some(Duration::from_secs(scan_interval as u64))
diff --git a/fact/src/config/tests.rs b/fact/src/config/tests.rs
@@ -465,8 +465,6 @@ paths:
             "scan_interval: true",
             "scan_interval field has incorrect type: Boolean(true)",
         ),
-        ("scan_interval: 0", "invalid scan_interval: 0"),
-        ("scan_interval: 0.0", "invalid scan_interval: 0"),
         ("scan_interval: -128", "invalid scan_interval: -128"),
         ("scan_interval: -128.5", "invalid scan_interval: -128.5"),
         ("unknown:", "Invalid field 'unknown' with value: Null"),
diff --git a/fact/src/event/mod.rs b/fact/src/event/mod.rs
@@ -130,6 +130,10 @@ impl Event {
         matches!(self.file, FileData::Creation(_))
     }
 
+    pub fn is_unlink(&self) -> bool {
+        matches!(self.file, FileData::Unlink(_))
+    }
+
     /// Unwrap the inner FileData and return the inode that triggered
     /// the event.
     ///
diff --git a/fact/src/host_scanner.rs b/fact/src/host_scanner.rs
@@ -220,6 +220,19 @@ impl HostScanner {
         Ok(())
     }
 
+    /// Handle unlink events by removing the inode from the inode->path map.
+    ///
+    /// The probe already cleared the kernel inode map.
+    fn handle_unlink_event(&self, event: &Event) {
+        let inode = event.get_inode();
+
+        if self.inode_map.borrow_mut().remove(inode).is_some() {
+            self.metrics.scan_inc(ScanLabels::InodeRemoved);
+        }
+
+        self.metrics.scan_inc(ScanLabels::FileRemoved);
+    }
+
     /// Periodically notify the host scanner main task that a scan needs
     /// to happen.
     ///
@@ -246,8 +259,14 @@ impl HostScanner {
     }
 
     pub fn start(mut self) -> JoinHandle<anyhow::Result<()>> {
+        let scan_interval_value = *self.scan_interval.borrow();
         let scan_trigger = Arc::new(Notify::new());
-        self.start_scan_notifier(scan_trigger.clone());
+
+        if scan_interval_value.is_zero() {
+            warn!("Host scanner periodic scans permanently disabled (scan_interval is 0)");
+        } else {
+            self.start_scan_notifier(scan_trigger.clone());
+        }
 
         tokio::spawn(async move {
             info!("Starting host scanner...");
@@ -277,6 +296,11 @@ impl HostScanner {
                             event.set_old_host_path(host_path);
                         }
 
+                        // Remove inode from the map
+                        if event.is_unlink() {
+                            self.handle_unlink_event(&event);
+                        }
+
                         let event = Arc::new(event);
                         if let Err(e) = self.tx.send(event) {
                             self.metrics.events.dropped();
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -119,6 +119,7 @@ def fact_config(request, monitored_dir, logs_dir):
             'health_check': True,
         },
         'json': True,
+        'scan_interval': 0,
     }
     config_file = NamedTemporaryFile(
         prefix='fact-config-', suffix='.yml', dir=cwd, mode='w')

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,9 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {`
`94`	`94`	`return 0;`
`95`	`95`	`}`
`96`	`96`
	`97`	`+ // We only support files with one link for now`
	`98`	`+ inode_remove(&inode_key);`
	`99`	`+`
`97`	`100`	`submit_unlink_event(&m->path_unlink,`
`98`	`101`	`path->path,`
`99`	`102`	`inode_to_submit,`
Original file line number	Diff line number	Diff line change
`@@ -209,13 +209,14 @@ impl TryFrom<Vec<Yaml>> for FactConfig {`
`209`	`209`	`config.hotreload = Some(hotreload);`
`210`	`210`	`}`
`211`	`211`	`"scan_interval" => {`
	`212`	`+ // scan_internal == 0 disables the scanner`
`212`	`213`	`if let Some(scan_interval) = v.as_f64() {`
`213`		`- if scan_interval <= 0.0 {`
	`214`	`+ if scan_interval < 0.0 {`
`214`	`215`	`bail!("invalid scan_interval: {scan_interval}");`
`215`	`216`	`}`
`216`	`217`	`config.scan_interval = Some(Duration::from_secs_f64(scan_interval));`
`217`	`218`	`} else if let Some(scan_interval) = v.as_i64() {`
`218`		`- if scan_interval <= 0 {`
	`219`	`+ if scan_interval < 0 {`
`219`	`220`	`bail!("invalid scan_interval: {scan_interval}");`
`220`	`221`	`}`
`221`	`222`	`config.scan_interval = Some(Duration::from_secs(scan_interval as u64))`
Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,7 @@ def fact_config(request, monitored_dir, logs_dir):`
`119`	`119`	`'health_check': True,`
`120`	`120`	`},`
`121`	`121`	`'json': True,`
	`122`	`+ 'scan_interval': 0,`
`122`	`123`	`}`
`123`	`124`	`config_file = NamedTemporaryFile(`
`124`	`125`	`prefix='fact-config-', suffix='.yml', dir=cwd, mode='w')`