Skip to content

ROX-34104: deduplicate overlayfs events#500

Open
Stringy wants to merge 2 commits intomainfrom
giles/ROX-34104-deduplicate-overlayfs-events
Open

ROX-34104: deduplicate overlayfs events#500
Stringy wants to merge 2 commits intomainfrom
giles/ROX-34104-deduplicate-overlayfs-events

Conversation

@Stringy
Copy link
Copy Markdown
Contributor

@Stringy Stringy commented Apr 13, 2026

Description

Introduces a new map to track overlayfs open event duplication in the BPF driver, keeping the overlayfs event which tends to have the richer information
(e.g. create)

The underlying file system event is dropped.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests
  • modified existing tests

If any of these don't apply, please comment below.

Testing Performed

Existing overlyfs tests (correctly) failed with the duplication fix. Removing the extra (open) events resulted in the tests passing again.

@Stringy
ROX-34104: deduplicate overlayfs events
75fa3dc 
Introduces a new map to track overlayfs open event
duplication in the BPF driver, keeping the overlayfs
event which tends to have the richer information
(e.g. create)

The underlying file system event is dropped.
@Stringy Stringy requested a review from a team as a code owner April 13, 2026 14:00
JoukoVirtanen
JoukoVirtanen reviewed Apr 13, 2026
View reviewed changes
Comment thread fact-ebpf/src/bpf/inode.h
JoukoVirtanen
JoukoVirtanen reviewed Apr 13, 2026
View reviewed changes
Comment thread fact-ebpf/src/bpf/maps.h Outdated
// Track pid_tgid of overlayfs file_open events so we can skip the
// duplicate underlying filesystem event that follows immediately.
struct {
__uint(type, BPF_MAP_TYPE_LRU_HASH);
Copy link
Copy Markdown
Contributor

@JoukoVirtanen JoukoVirtanen Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per CPU?

JoukoVirtanen
JoukoVirtanen reviewed Apr 13, 2026
View reviewed changes
Comment thread fact-ebpf/src/bpf/inode.h
/**
* Check if the given inode belongs to an overlayfs filesystem.
*
* Overlayfs triggers LSM hooks for both the merged view and the
Copy link
Copy Markdown
Contributor

@JoukoVirtanen JoukoVirtanen Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update.

@Stringy Stringy requested review from a team and JoukoVirtanen April 13, 2026 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JoukoVirtanen JoukoVirtanen Awaiting requested review from JoukoVirtanen

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Stringy @JoukoVirtanen