ROX-30296: track POSIX ACL changes via inode_set_acl LSM hook #878
Stringy wants to merge 11 commits into
Codecov Report
Patch coverage is
Coverage Diff (main vs. #878):
             main     #878     +/-
Coverage   32.23%   31.17%   -1.06%
Files          21       21
Lines        2736     2829     +93
Branches     2736     2829     +93
Hits          882      882
Misses       1851     1944     +93
Partials        3        3
Description
Adds ACL tracking via the inode_set_acl hook. Due to the lack of path info in this hook, it is only possible to monitor inode-tracked files (i.e. those on the host file system); this is similar to how xattrs are tracked.
An extension to the BPF checks.c file has been added, because this hook does not exist on older kernels (where ACLs were applied via xattrs, so we still have coverage on those old kernels, just through a different mechanism).
Tests factor in this optional nature of the hook, and will only run when we know the kernel supports it.
Relies on stackrox/stackrox#21357
Checklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
Tested locally, with setfacl, and the integration tests.
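As an added illustration of the xattr path the description mentions (not code from this PR or the collector), the following decoder parses the `system.posix_acl_access` blob that a `setfacl` call produces on kernels without the `inode_set_acl` hook; the layout constants follow `<linux/posix_acl_xattr.h>` (version 2) and the sample bytes are constructed.

```c
/* Decoder for the system.posix_acl_access xattr blob: on kernels without the
 * inode_set_acl LSM hook, an ACL change surfaces as a write of this xattr.
 * Added example; layout per <linux/posix_acl_xattr.h>, version 2, little-endian. */
#include <stdint.h>
#include <stddef.h>

#define POSIX_ACL_XATTR_VERSION 0x0002u
#define ACL_UNDEFINED_ID        0xFFFFFFFFu
#define ACL_USER_OBJ  0x01   /* e_tag values */
#define ACL_USER      0x02
#define ACL_GROUP_OBJ 0x04
#define ACL_GROUP     0x08
#define ACL_MASK      0x10
#define ACL_OTHER     0x20
#define ACL_WRITE     0x02   /* e_perm bit; READ is 0x04, EXECUTE 0x01 */

typedef struct { uint16_t tag; uint16_t perm; uint32_t id; } acl_entry_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a blob (4-byte header + 8-byte entries) into out[]; -1 if malformed. */
int parse_posix_acl_xattr(const uint8_t *buf, size_t len, acl_entry_t *out, size_t max) {
    if (len < 4 || (len - 4) % 8 != 0 || le32(buf) != POSIX_ACL_XATTR_VERSION) return -1;
    size_t n = (len - 4) / 8;
    if (n > max) return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + 4 + i * 8;
        out[i].tag = le16(e); out[i].perm = le16(e + 2); out[i].id = le32(e + 4);
        int named = out[i].tag == ACL_USER || out[i].tag == ACL_GROUP;
        if (!named && out[i].id != ACL_UNDEFINED_ID) return -1; /* only named entries carry an id */
        if (out[i].perm & ~0x7u) return -1;                     /* perm is rwx bits only */
    }
    return (int)n;
}

/* Constructed sample: what `setfacl -m u:1000:rw file` on a 0644 file yields. */
static const uint8_t sample_acl[] = {
    0x02,0x00,0x00,0x00,                        /* version 2 */
    0x01,0x00, 0x06,0x00, 0xff,0xff,0xff,0xff,  /* user::rw- */
    0x02,0x00, 0x06,0x00, 0xe8,0x03,0x00,0x00,  /* user:1000:rw- */
    0x04,0x00, 0x04,0x00, 0xff,0xff,0xff,0xff,  /* group::r-- */
    0x10,0x00, 0x06,0x00, 0xff,0xff,0xff,0xff,  /* mask::rw- */
    0x20,0x00, 0x04,0x00, 0xff,0xff,0xff,0xff,  /* other::r-- */
};
static const size_t sample_acl_len = sizeof sample_acl;

/* Count named-user entries that grant write: the fact a monitor would surface
 * as "uid N was granted write access via ACL". Returns -1 on a malformed blob. */
int count_named_writers(const uint8_t *buf, size_t len) {
    acl_entry_t e[32]; int w = 0, n = parse_posix_acl_xattr(buf, len, e, 32);
    for (int i = 0; i < n; i++) if (e[i].tag == ACL_USER && (e[i].perm & ACL_WRITE)) w++;
    return n < 0 ? -1 : w;
}
```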