Giving paths relative to FS

[AlonZivony]

So we have an issue with writing signatures to Tracee:
Lets say I want to catch writing to a file in sysfs with path PATH.
The naive and current possible way to do it is to search for writing to /sys/PATH.
However, more sophisticated attackers can probably just mount sysfs in a random directory, than accessing the file from there. For example, create /tmp/sys for mounting point, then writing to /tmp/sys/PATH.
Now, this means they have the capabilities and permissions to mount sysfs. But it is very possible case.

My idea is the following:
Why not divide the path, maybe to a list, and specify for each file system on the full path the specific path in the FS, and its type.
For example, in our case, the path will be - /sys of type ext4, and PATH of type sysfs.
Then, a simple signature will check if the last part is sysfs, and if the path in it is PATH.

WDYT?

[AlonZivony]

@rafaeldtinoco @yanivagman I will appreciate your opinion

[AlonZivony]

Another idea - we can connect devices to their types, so at least we can give the information of the last FS in which the file resides.

[yanivagman]

Yes, I also thought about adding the file-system type as part of file related events.
This should be easy to extract.

[AlonZivony]

Yes, I also thought about adding the file-system type as part of file related events. This should be easy to extract.

But we do need a way to know which part of the path is related to the file system to address different mounting points

[yanivagman]

Isn't checking the inode's superblock enough?
For example, both /sys/kernel and /tmp/sys/kernel will tell you that the "kernel" inode is if sysfs type