Is it possible to do it using eBPF? I.e., can I capture the event before the file is deleted and take a backup?


I am trying to track deletion of files using eBPF and want to take a backup even before the deletion of the file happens, and then delete the file.

To track deletion of files I was told to use three methods by other community members:

  1. Trace the security_path_unlink(const struct path *dir, struct dentry *dentry); function.
    But at the end of the day I need the file path to take the backup, so to fetch the file path I was given two options again:
  • long bpf_d_path(struct path *path, char *buf, u32 sz). Unfortunately, the bpf_d_path allowlist does not include the security_path_unlink() function.

  • At the same time, you can still attach to the security_path_unlink() function with a kfunc or kprobe, but you need to do your own path traversal, similar to the kernel code, in the BPF program.

    But I am not sure whether, with the second approach, I can fetch the file.

  2. Use LSM_PROBE to hook security_path_unlink, reject such a call and make the backup, then delete the file.

    But the catch is I am still not sure how to fetch the path.

  3. The security_inode_unlink function is used by the aquasecurity tracee project to track deletion of files, but the tracee project uses a dentry-to-file-path method to fetch the file path and traverse it.

Is it possible to do it using eBPF? I.e., can I capture the event before the file is deleted and fetch the file path as well? I am not able to incorporate any of them; please suggest a proper approach to solve this problem.

bcc discussion issue

tracee discussion group
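The dentry-to-parent walk mentioned in the replies above (what tracee does, and what a security_path_unlink hook has to do itself when bpf_d_path is not allowed there), as an added example that is not code from the question, from bcc or from tracee. It is modelled in user-space C so it runs without a kernel: struct dentry_model, its two fields and the /home/alice/notes.txt chain are constructed stand-ins; in a real BPF program the fields would be read with BPF_CORE_READ, and the loop shape (fixed MAX_DEPTH bound, components prepended into the tail of a buffer, root detected by d_parent == dentry) is what the verifier requires.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16   /* the BPF verifier needs a fixed bound on the walk */

/* Constructed stand-in for the kernel's struct dentry: only the two fields
 * the walk needs. Mount crossings (vfsmount chain) are not modelled here. */
struct dentry_model {
    const struct dentry_model *d_parent;   /* the root's parent is itself */
    const char *d_name;
};

/* Walk leaf -> root, prepending each component into the tail of buf.
 * Returns a pointer to the start of the path inside buf, or NULL when the
 * depth bound is hit or buf is too small (a real hook should then report a
 * truncated path rather than guess). */
const char *dentry_to_path(const struct dentry_model *d, char *buf, int sz) {
    int pos = sz - 1;
    buf[pos] = '\0';
    for (int i = 0; i < MAX_DEPTH; i++) {
        if (d->d_parent == d) {                      /* reached the root */
            if (buf[pos] == '\0') buf[--pos] = '/';  /* unlink of "/" itself */
            return buf + pos;
        }
        int len = (int)strlen(d->d_name);
        if (pos < len + 1) return NULL;              /* no room for "/name" */
        pos -= len;
        memcpy(buf + pos, d->d_name, (size_t)len);
        buf[--pos] = '/';
        d = d->d_parent;
    }
    return NULL;                                     /* deeper than MAX_DEPTH */
}

/* Constructed chain /home/alice/notes.txt, as an unlink hook would see it
 * through the dentry argument of security_path_unlink(). */
const char *resolve_constructed_unlink(char *buf, int sz) {
    static const struct dentry_model root  = { &root, "" };
    static const struct dentry_model home  = { &root, "home" };
    static const struct dentry_model alice = { &home, "alice" };
    static const struct dentry_model leaf  = { &alice, "notes.txt" };
    return dentry_to_path(&leaf, buf, sz);
}

int main(void) {
    char buf[256];
    const char *p = resolve_constructed_unlink(buf, sizeof buf);
    printf("unlink target: %s\n", p ? p : "(unresolved)");
    return 0;
}
```

Once the path is known inside the LSM hook, the backup itself still has to happen in user space (the hook can only deny the unlink and report the path, e.g. through a ring buffer), which is the split the LSM_PROBE suggestion above implies.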
