vivarium 0.1.1 → 0.2.0

data/lib/vivarium.rb

@@ -5,6 +5,7 @@ require "fileutils"
 require "optparse"
 require "pathname"
 require "rbbcc"
+require "socket"
 require_relative "vivarium/version"
 require_relative "vivarium/logger"
 
@@ -20,8 +21,57 @@ module Vivarium
 
   EVENT_NAME_SIZE = 16
   EVENT_PAYLOAD_SIZE = 256
-  EVENT_STRUCT_SIZE = 4 + EVENT_NAME_SIZE + EVENT_PAYLOAD_SIZE
-  EVENT_CAPACITY = 64
+  EVENT_TS_SIZE = 8
+  PROC_EXEC_SLOT_SIZE = 64
+  PROC_EXEC_SLOT_COUNT = 4
+  EVENT_STRUCT_SIZE = 288
+  EVENT_TS_OFFSET = 0
+  EVENT_PID_OFFSET = 8
+  EVENT_NAME_OFFSET = 12
+  EVENT_PAYLOAD_OFFSET = 28
+  EVENT_CAPACITY = 1024
+  EVENT_SEVERITY_HIGH = %w[
+    capable_check bprm_creds setid_change task_kill
+    ptrace_check sb_mount kernel_read_file
+  ].freeze
+
+  CAPABILITY_NAMES = {
+    0 => "CAP_CHOWN",
+    1 => "CAP_DAC_OVERRIDE",
+    2 => "CAP_DAC_READ_SEARCH",
+    3 => "CAP_FOWNER",
+    4 => "CAP_FSETID",
+    5 => "CAP_KILL",
+    6 => "CAP_SETGID",
+    7 => "CAP_SETUID",
+    8 => "CAP_SETPCAP",
+    9 => "CAP_LINUX_IMMUTABLE",
+    10 => "CAP_NET_BIND_SERVICE",
+    12 => "CAP_NET_ADMIN",
+    13 => "CAP_NET_RAW",
+    16 => "CAP_SYS_MODULE",
+    17 => "CAP_SYS_RAWIO",
+    18 => "CAP_SYS_CHROOT",
+    19 => "CAP_SYS_PTRACE",
+    21 => "CAP_SYS_ADMIN",
+    22 => "CAP_SYS_BOOT",
+    23 => "CAP_SYS_NICE",
+    24 => "CAP_SYS_RESOURCE",
+    25 => "CAP_SYS_TIME",
+    27 => "CAP_MKNOD",
+    29 => "CAP_AUDIT_WRITE",
+    37 => "CAP_AUDIT_READ",
+    38 => "CAP_PERFMON",
+    39 => "CAP_BPF",
+    40 => "CAP_CHECKPOINT_RESTORE"
+  }.freeze
+
+  SETID_FLAG_NAMES = {
+    0x01 => "LSM_SETID_ID",
+    0x02 => "LSM_SETID_RE",
+    0x04 => "LSM_SETID_RES",
+    0x08 => "LSM_SETID_FS"
+  }.freeze
 
   @bpf_pin_dir = PIN_DIR
 
@@ -33,201 +83,1183 @@ module Vivarium
     end
   end
 
-  Event = Struct.new(:pid, :event_name, :payload, keyword_init: true) do
+  Event = Struct.new(:ktime_ns, :pid, :event_name, :payload, keyword_init: true) do
     def empty?
-      pid.to_i.zero? && event_name.to_s.empty? && payload.to_s.empty?
+      ktime_ns.to_i.zero? && pid.to_i.zero? && event_name.to_s.empty? && payload.to_s.empty?
+    end
+
+    def severity
+      Vivarium.event_severity(event_name)
     end
 
     def self.from_binary(raw)
       bytes = raw.to_s.b
       bytes = bytes.ljust(EVENT_STRUCT_SIZE, "\x00")
 
-      pid = bytes[0, 4].unpack1("L<")
-      event_name = c_string(bytes[4, EVENT_NAME_SIZE])
-      payload = c_string(bytes[4 + EVENT_NAME_SIZE, EVENT_PAYLOAD_SIZE])
+      ktime_ns = bytes[EVENT_TS_OFFSET, EVENT_TS_SIZE].unpack1("Q<")
+      pid = bytes[EVENT_PID_OFFSET, 4].unpack1("L<")
+      event_name = c_string(bytes[EVENT_NAME_OFFSET, EVENT_NAME_SIZE])
+      raw_payload = bytes[EVENT_PAYLOAD_OFFSET, EVENT_PAYLOAD_SIZE]
+      raw_payload_events = %w[
+        dns_req sock_connect odd_socket proc_exec
+        file_symlink file_hardlink file_rename file_chmod file_getdents
+        ptrace_check sb_mount kernel_read_file task_kill
+        setid_change capable_check bprm_creds
+      ]
+      payload = if raw_payload_events.include?(event_name)
+                  raw_payload
+                else
+                  c_string(raw_payload)
+                end
+
+      new(ktime_ns: ktime_ns, pid: pid, event_name: event_name, payload: payload)
+    end
+
+    def self.c_string(bytes)
+      str = bytes.to_s.b
+      nul = str.index("\x00")
+      return str if nul.nil?
+
+      str[0, nul]
+    end
+  end
+
+  def self.c_string(bytes)
+    Event.c_string(bytes)
+  end
+
+  def self.event_severity(event_name)
+    EVENT_SEVERITY_HIGH.include?(event_name.to_s) ? "high" : "medium"
+  end
+
+  def self.decode_dns_qname(raw_payload)
+    bytes = raw_payload.to_s.b.bytes
+    labels = []
+    idx = 0
+
+    while idx < bytes.length
+      length = bytes[idx]
+      break if length.nil? || length.zero?
+      break if length > 63
+
+      idx += 1
+      break if (idx + length) > bytes.length
+
+      label = bytes[idx, length].pack("C*")
+      labels << label
+      idx += length
+    end
+
+    return "" if labels.empty?
+
+    labels.join(".")
+  end
+
+  def self.decode_sock_connect_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 20
+
+    family = bytes[0, 2].unpack1("S<")
+    port = bytes[2, 2].unpack1("n")
+    addr = bytes[4, 16]
+
+    case family
+    when 2 # AF_INET
+      ipv4 = addr[0, 4].bytes.join(".")
+      "#{ipv4}:#{port} (#{socket_const_name("AF_", family)})"
+    when 10 # AF_INET6
+      words = addr.unpack("n8")
+      ipv6 = words.map { |w| format("%x", w) }.join(":")
+      "[#{ipv6}]:#{port} (#{socket_const_name("AF_", family)})"
+    else
+      "family=#{family}(#{socket_const_name("AF_", family)}) port=#{port}"
+    end
+  end
+
+  def self.decode_odd_socket_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 6
+
+    family = bytes[0, 2].unpack1("S<")
+    type = bytes[2, 2].unpack1("S<")
+    protocol = bytes[4, 2].unpack1("S<")
+    family_name = socket_const_name("AF_", family)
+    type_name = socket_const_name("SOCK_", type)
+    protocol_name = socket_const_name("IPPROTO_", protocol)
+    "family=#{family}(#{family_name}) type=#{type}(#{type_name}) protocol=#{protocol}(#{protocol_name})"
+  end
+
+  def self.socket_const_name(prefix, value)
+    return "UNKNOWN" unless defined?(Socket)
+
+    key = Socket.constants.find do |name|
+      name.to_s.start_with?(prefix) && Socket.const_get(name) == value
+    rescue NameError
+      false
+    end
+
+    key ? key.to_s : "UNKNOWN"
+  end
+
+  def self.decode_bad_socket_payload(raw_payload)
+    decode_odd_socket_payload(raw_payload)
+  end
+
+  def self.decode_file_symlink_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    target = c_string(bytes[0, 128])
+    link_name = c_string(bytes[128, 128])
+    "target=#{target.inspect} link_name=#{link_name.inspect}"
+  end
+
+  def self.decode_file_hardlink_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    old_path = c_string(bytes[0, 128])
+    new_name = c_string(bytes[128, 128])
+    "old_path=#{old_path.inspect} new_name=#{new_name.inspect}"
+  end
+
+  def self.decode_file_rename_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    old_name = c_string(bytes[0, 128])
+    new_name = c_string(bytes[128, 128])
+    "old_name=#{old_name.inspect} new_name=#{new_name.inspect}"
+  end
+
+  def self.decode_file_chmod_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 2
+
+    mode = bytes[0, 2].unpack1("S<")
+    path = c_string(bytes[2, 254])
+    "mode=#{format('0o%o', mode)} path=#{path.inspect}"
+  end
+
+  def self.decode_file_getdents_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 8
+
+    fd = bytes[0, 4].unpack1("L<")
+    count = bytes[4, 4].unpack1("L<")
+    "fd=#{fd} count=#{count}"
+  end
+
+  def self.decode_proc_exec_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    slots = PROC_EXEC_SLOT_COUNT.times.map do |index|
+      offset = index * PROC_EXEC_SLOT_SIZE
+      c_string(bytes[offset, PROC_EXEC_SLOT_SIZE])
+    end
+    slots.reject!(&:empty?)
+    return "" if slots.empty?
+
+    filename = slots.shift
+    argv = slots
+    "filename=#{filename.inspect} argv=[#{argv.map(&:inspect).join(', ')}]"
+  end
+
+  def self.decode_ptrace_check_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 4
+
+    mode = bytes[0, 4].unpack1("L<")
+    "mode=0x#{mode.to_s(16)}"
+  end
+
+  def self.decode_sb_mount_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 248
+
+    flags = bytes[0, 8].unpack1("Q<")
+    dev_name = c_string(bytes[8, 120])
+    fs_type = c_string(bytes[128, 120])
+    "flags=0x#{flags.to_s(16)} dev_name=#{dev_name.inspect} fs_type=#{fs_type.inspect}"
+  end
+
+  def self.decode_kernel_read_file_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 8
+
+    id = bytes[0, 4].unpack1("L<")
+    contents = bytes[4, 4].unpack1("L<")
+    "id=#{id} contents=#{contents}"
+  end
+
+  def self.decode_task_kill_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 4
+
+    sig = bytes[0, 4].unpack1("l<")
+    signame = begin
+      Signal.signame(sig)
+    rescue ArgumentError
+      nil
+    end
+
+    signame ? "sig=#{sig} signame=#{signame}" : "sig=#{sig}"
+  end
+
+  def self.decode_setid_change_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 4
+
+    flags = bytes[0, 4].unpack1("L<")
+    names = SETID_FLAG_NAMES.each_with_object([]) do |(bit, name), acc|
+      acc << name if (flags & bit) != 0
+    end
+    names << "UNKNOWN" if names.empty?
+    "flags=0x#{flags.to_s(16)} kinds=[#{names.join(', ')}]"
+  end
+
+  def self.decode_capable_check_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 8
+
+    cap = bytes[0, 4].unpack1("L<")
+    opts = bytes[4, 4].unpack1("L<")
+    cap_name = CAPABILITY_NAMES.fetch(cap, "UNKNOWN")
+    "cap=#{cap}(#{cap_name}) opts=0x#{opts.to_s(16)}"
+  end
+
+  def self.decode_bprm_creds_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 2
+
+    has_file = bytes.getbyte(0).to_i
+    path = c_string(bytes[1, EVENT_PAYLOAD_SIZE - 1])
+    "has_file=#{has_file} file=#{path.inspect}"
+  end
+
+  def self.render_event_payload(event)
+    case event.event_name
+    when "dns_req"
+      decoded = decode_dns_qname(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "sock_connect"
+      decoded = decode_sock_connect_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "odd_socket"
+      decoded = decode_odd_socket_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "proc_exec"
+      decoded = decode_proc_exec_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "ptrace_check"
+      decoded = decode_ptrace_check_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "sb_mount"
+      decoded = decode_sb_mount_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "kernel_read_file"
+      decoded = decode_kernel_read_file_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "task_kill"
+      decoded = decode_task_kill_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "setid_change"
+      decoded = decode_setid_change_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "capable_check"
+      decoded = decode_capable_check_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "bprm_creds"
+      decoded = decode_bprm_creds_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_symlink"
+      decoded = decode_file_symlink_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_hardlink"
+      decoded = decode_file_hardlink_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_rename"
+      decoded = decode_file_rename_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_chmod"
+      decoded = decode_file_chmod_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "file_getdents"
+      decoded = decode_file_getdents_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    else
+      event.payload.inspect
+    end
+  end
+
+  class MapStore
+    def initialize(pin_dir: Vivarium.bpf_pin_dir)
+      @pin_dir = pin_dir
+      @config_root_targets = RbBCC::HashTable.from_pin(
+        File.join(@pin_dir, "config_root_targets"),
+        "unsigned int",
+        "unsigned char",
+        keysize: 4,
+        leafsize: 1
+      )
+      @config_spawned_targets = RbBCC::HashTable.from_pin(
+        File.join(@pin_dir, "config_spawned_targets"),
+        "unsigned int",
+        "unsigned char",
+        keysize: 4,
+        leafsize: 1
+      )
+      @event_invoked = RbBCC::ArrayTable.from_pin(
+        File.join(@pin_dir, "event_invoked"),
+        "unsigned int",
+        "char[#{EVENT_STRUCT_SIZE}]",
+        keysize: 4,
+        leafsize: EVENT_STRUCT_SIZE
+      )
+      @event_write_pos = RbBCC::ArrayTable.from_pin(
+        File.join(@pin_dir, "event_write_pos"),
+        "unsigned int",
+        "unsigned int",
+        keysize: 4,
+        leafsize: 4
+      )
+    rescue StandardError => e
+      raise Error, "failed to open pinned maps under #{@pin_dir}: #{e.class}: #{e.message}"
+    end
+
+    def register_pid(pid)
+      @config_root_targets[pid] = 1
+    end
+
+    def unregister_pid(pid)
+      @config_root_targets.delete(pid)
+      @config_spawned_targets.clear
+    rescue KeyError
+      nil
+    end
+
+    def drain_events
+      events = []
+      EVENT_CAPACITY.times do |idx|
+        ptr = @event_invoked[idx]
+        next unless ptr
+
+        event = Event.from_binary(ptr[0, EVENT_STRUCT_SIZE])
+        next if event.empty?
+
+        events << event
+        @event_invoked[idx] = zeroed_event_ptr
+      end
+
+      @event_write_pos[0] = 0
+      events
+    end
+
+    private
+
+    def zeroed_event_ptr
+      ptr = Fiddle::Pointer.malloc(EVENT_STRUCT_SIZE)
+      ptr[0, EVENT_STRUCT_SIZE] = "\x00" * EVENT_STRUCT_SIZE
+      ptr
+    end
+  end
+
+  class Daemon
+    BPF_PROGRAM_TEMPLATE = <<~CLANG
+      #include <linux/socket.h>
+      #include <uapi/linux/in.h>
+      #include <uapi/linux/in6.h>
+      #include <uapi/linux/ip.h>
+      #include <uapi/linux/udp.h>
+
+      #ifndef SOCK_STREAM
+      #define SOCK_STREAM 1
+      #endif
+      #ifndef SOCK_DGRAM
+      #define SOCK_DGRAM 2
+      #endif
+
+      struct net;
+      struct sock;
+      struct sk_buff;
+      struct task_struct;
+      struct kernel_siginfo;
+      struct cred;
+      struct user_namespace;
+      struct linux_binprm;
+
+      struct path {
+        void *mnt;
+        void *dentry;
+      };
+      struct file {
+        char __off[__VIVARIUM_F_PATH_OFFSET__];
+        struct path f_path;
+      };
+
+      struct qstr {
+        union {
+          struct {
+            u64 hash_len;
+          };
+          struct {
+            u32 hash;
+            u32 len;
+          };
+        };
+        const unsigned char *name;
+      };
+
+      struct dentry_base {
+        char __pad[__VIVARIUM_DENTRY_D_NAME_OFFSET__];
+        struct qstr d_name;
+      };
+
+      struct sockaddr_t {
+        u16 sa_family;
+        unsigned char sa_data[14];
+      };
+
+      struct sockaddr_in_t {
+        u16 sin_family;
+        u16 sin_port;
+        u32 sin_addr;
+        unsigned char pad[8];
+      };
+
+      struct sockaddr_in6_t {
+        u16 sin6_family;
+        u16 sin6_port;
+        u32 sin6_flowinfo;
+        unsigned char sin6_addr[16];
+        u32 sin6_scope_id;
+      };
+
+      struct sockaddr_port_t {
+        u16 family;
+        u16 port;
+      };
+
+      struct iovec_t {
+        void *iov_base;
+        unsigned long iov_len;
+      };
+
+      struct user_msghdr_t {
+        void *msg_name;
+        int msg_namelen;
+        struct iovec_t *msg_iov;
+        unsigned long msg_iovlen;
+        void *msg_control;
+        unsigned long msg_controllen;
+        unsigned int msg_flags;
+      };
+
+      struct mmsghdr_t {
+        struct user_msghdr_t msg_hdr;
+        unsigned int msg_len;
+      };
+
+      struct sk_buff_t {
+        unsigned char *head;
+        unsigned char *data;
+        u32 len;
+        u16 mac_header;
+        u16 network_header;
+        u16 transport_header;
+      };
+
+      struct event_t {
+        u64 ktime_ns;
+        u32 pid;
+        char event_name[16];
+        char payload[#{EVENT_PAYLOAD_SIZE}];
+      };
+
+      BPF_HASH(config_root_targets, u32, u8, 1024);
+      BPF_HASH(config_spawned_targets, u32, u8, 8192);
+      BPF_HASH(dns_connected_tids, u32, u8, 8192);
+      BPF_ARRAY(event_invoked, struct event_t, #{EVENT_CAPACITY});
+      BPF_ARRAY(event_write_pos, u32, 1);
+
+      static __always_inline int target_enabled(u32 pid, u32 tid)
+      {
+        u8 *enabled_root = config_root_targets.lookup(&pid);
+        if (enabled_root && *enabled_root == 1) {
+          return 1;
+        }
+
+        u8 *enabled_spawned = config_spawned_targets.lookup(&tid);
+        if (enabled_spawned && *enabled_spawned == 1) {
+          return 1;
+        }
+
+        return 0;
+      }
+
+      static __always_inline int monitored_capability(int cap)
+      {
+        switch (cap) {
+          case 1:  /* CAP_DAC_OVERRIDE */
+          case 2:  /* CAP_DAC_READ_SEARCH */
+          case 6:  /* CAP_SETGID */
+          case 7:  /* CAP_SETUID */
+          case 12: /* CAP_NET_ADMIN */
+          case 16: /* CAP_SYS_MODULE */
+          case 17: /* CAP_SYS_RAWIO */
+          case 19: /* CAP_SYS_PTRACE */
+          case 21: /* CAP_SYS_ADMIN */
+          case 22: /* CAP_SYS_BOOT */
+          case 25: /* CAP_SYS_TIME */
+          case 38: /* CAP_PERFMON */
+          case 39: /* CAP_BPF */
+          case 40: /* CAP_CHECKPOINT_RESTORE */
+            return 1;
+          default:
+            return 0;
+        }
+      }
+
+      static __always_inline void submit_event(struct event_t *ev)
+      {
+        u32 zero = 0;
+        u32 *write_pos = event_write_pos.lookup(&zero);
+        if (!write_pos) {
+          return;
+        }
+
+        ev->ktime_ns = bpf_ktime_get_ns();
+
+        u32 idx = *write_pos % #{EVENT_CAPACITY};
+        __sync_fetch_and_add(write_pos, 1);
+        event_invoked.update(&idx, ev);
+      }
+
+      static __always_inline int is_dns_destination(void *addr)
+      {
+        u16 family = 0;
+        bpf_probe_read_user(&family, sizeof(family), addr);
+
+        if (family == AF_INET) {
+          struct sockaddr_in_t sin = {};
+          bpf_probe_read_user(&sin, sizeof(sin), addr);
+          return sin.sin_port == __constant_htons(53);
+        }
+
+        if (family == AF_INET6) {
+          struct sockaddr_in6_t sin6 = {};
+          bpf_probe_read_user(&sin6, sizeof(sin6), addr);
+          return sin6.sin6_port == __constant_htons(53);
+        }
+
+        return 0;
+      }
+
+      static __always_inline void submit_dns_req(u32 pid, unsigned char *payload, unsigned int payload_len)
+      {
+        unsigned int copy_len = payload_len;
+
+        if (copy_len <= 12) {
+          return;
+        }
+
+        copy_len -= 12;
+        if (copy_len > 64) {
+          copy_len = 64;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "dns_req", 8);
+        bpf_probe_read_user(&ev.payload[0], copy_len, payload + 12);
+        submit_event(&ev);
+      }
+
+      static __always_inline int read_dentry_name(struct dentry *dentry, char *buffer, size_t max)
+      {
+        struct dentry_base d = {};
+        struct qstr qname = {};
+
+        if (!dentry || !buffer) {
+          return -1;
+        }
+
+        bpf_probe_read_kernel(&d, sizeof(d), (void *)dentry);
+        if (!d.d_name.name) {
+          return -1;
+        }
+
+        unsigned int len = d.d_name.len;
+        if (len > max) {
+          len = max;
+        }
+
+        bpf_probe_read_kernel_str(buffer, len + 1, (void *)d.d_name.name);
+        return len;
+      }
+
+      TRACEPOINT_PROBE(sched, sched_process_fork)
+      {
+        u32 parent = args->parent_pid;
+        u32 child = args->child_pid;
+        u8 one = 1;
+
+        u8 *enabled_root = config_root_targets.lookup(&parent);
+        if (enabled_root && *enabled_root == 1) {
+          config_spawned_targets.update(&child, &one);
+          return 0;
+        }
+
+        u8 *enabled_spawned = config_spawned_targets.lookup(&parent);
+        if (enabled_spawned && *enabled_spawned == 1) {
+          config_spawned_targets.update(&child, &one);
+        }
+
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(sched, sched_process_exit)
+      {
+        u32 tid = (u32)bpf_get_current_pid_tgid();
+        config_spawned_targets.delete(&tid);
+        dns_connected_tids.delete(&tid);
+        return 0;
+      }
+
+      LSM_PROBE(file_open, struct file *file)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        bpf_trace_printk("vivarium: invoked pid=%d\\n", pid);
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        int path_ret;
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "path_open", 9);
+
+        path_ret = bpf_d_path(&file->f_path, ev.payload, sizeof(ev.payload));
+        if (path_ret < 0) {
+          if (ev.payload[0] == 0) {
+            __builtin_memcpy(ev.payload, "<path_error>", 13);
+            bpf_trace_printk("vivarium: failed to obtain full path. pid=%d path=%s\\n", pid, ev.payload);
+          }
+        }
+
+        bpf_trace_printk("vivarium: pid=%d path=%s\\n", pid, ev.payload);
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if ((family == AF_INET || family == AF_INET6) && (type == SOCK_STREAM || type == SOCK_DGRAM)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u16 family16 = family;
+        u16 type16 = type;
+        u16 proto16 = protocol;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "odd_socket", 11);
+        __builtin_memcpy(&ev.payload[0], &family16, sizeof(family16));
+        __builtin_memcpy(&ev.payload[2], &type16, sizeof(type16));
+        __builtin_memcpy(&ev.payload[4], &proto16, sizeof(proto16));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(socket_connect, struct socket *sock, struct sockaddr *address, int addrlen)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        u16 family = 0;
+        u8 one = 1;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!address) {
+          return 0;
+        }
+
+        bpf_probe_read_kernel(&family, sizeof(family), address);
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "sock_connect", 13);
+        __builtin_memcpy(&ev.payload[0], &family, sizeof(family));
+
+        if (family == AF_INET) {
+          struct sockaddr_in_t sin = {};
+          bpf_probe_read_kernel(&sin, sizeof(sin), address);
+          __builtin_memcpy(&ev.payload[2], &sin.sin_port, sizeof(sin.sin_port));
+          __builtin_memcpy(&ev.payload[4], &sin.sin_addr, sizeof(sin.sin_addr));
+          if (sin.sin_port == __constant_htons(53)) {
+            dns_connected_tids.update(&tid, &one);
+          }
+        } else if (family == AF_INET6) {
+          struct sockaddr_in6_t sin6 = {};
+          bpf_probe_read_kernel(&sin6, sizeof(sin6), address);
+          __builtin_memcpy(&ev.payload[2], &sin6.sin6_port, sizeof(sin6.sin6_port));
+          __builtin_memcpy(&ev.payload[4], &sin6.sin6_addr, sizeof(sin6.sin6_addr));
+          if (sin6.sin6_port == __constant_htons(53)) {
+            dns_connected_tids.update(&tid, &one);
+          }
+        }
+
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_sendmsg)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        struct user_msghdr_t msg = {};
+        struct iovec_t iov = {};
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!args->msg) {
+          return 0;
+        }
+
+        bpf_probe_read_user(&msg, sizeof(msg), args->msg);
+        if (!msg.msg_iov || msg.msg_iovlen == 0) {
+          return 0;
+        }
+
+        if (msg.msg_name && !is_dns_destination(msg.msg_name)) {
+          return 0;
+        }
+
+        bpf_probe_read_user(&iov, sizeof(iov), msg.msg_iov);
+        if (!iov.iov_base) {
+          return 0;
+        }
+
+        submit_dns_req(pid, (unsigned char *)iov.iov_base, (unsigned int)iov.iov_len);
+
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_sendto)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        unsigned char *buff = args->buff;
+        int dns_match = 0;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!buff) {
+          return 0;
+        }
+
+        if (args->addr) {
+          dns_match = is_dns_destination(args->addr);
+        } else {
+          u8 *connected = dns_connected_tids.lookup(&tid);
+          dns_match = connected && *connected == 1;
+        }
+
+        if (!dns_match) {
+          return 0;
+        }
+
+        submit_dns_req(pid, buff, args->len);
+        dns_connected_tids.delete(&tid);
+
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_sendmmsg)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        struct mmsghdr_t mmsg = {};
+        struct iovec_t iov = {};
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!args->mmsg) {
+          return 0;
+        }
+
+        bpf_probe_read_user(&mmsg, sizeof(mmsg), args->mmsg);
+        if (mmsg.msg_hdr.msg_name && !is_dns_destination(mmsg.msg_hdr.msg_name)) {
+          return 0;
+        }
+
+        if (!mmsg.msg_hdr.msg_iov || mmsg.msg_hdr.msg_iovlen == 0) {
+          return 0;
+        }
+
+        bpf_probe_read_user(&iov, sizeof(iov), mmsg.msg_hdr.msg_iov);
+        if (!iov.iov_base) {
+          return 0;
+        }
+
+        submit_dns_req(pid, (unsigned char *)iov.iov_base, (unsigned int)iov.iov_len);
+
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_execve)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        const char *argv0 = 0;
+        const char *argv1 = 0;
+        const char *argv2 = 0;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        if (!args->filename) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "proc_exec", 10);
+        bpf_probe_read_user_str(&ev.payload[0], #{PROC_EXEC_SLOT_SIZE}, args->filename);
+
+        if (args->argv) {
+          bpf_probe_read_user(&argv0, sizeof(argv0), &args->argv[0]);
+          bpf_probe_read_user(&argv1, sizeof(argv1), &args->argv[1]);
+          bpf_probe_read_user(&argv2, sizeof(argv2), &args->argv[2]);
+
+          if (argv0) {
+            bpf_probe_read_user_str(&ev.payload[#{PROC_EXEC_SLOT_SIZE}], #{PROC_EXEC_SLOT_SIZE}, argv0);
+          }
+          if (argv1) {
+            bpf_probe_read_user_str(&ev.payload[#{PROC_EXEC_SLOT_SIZE * 2}], #{PROC_EXEC_SLOT_SIZE}, argv1);
+          }
+          if (argv2) {
+            bpf_probe_read_user_str(&ev.payload[#{PROC_EXEC_SLOT_SIZE * 3}], #{PROC_EXEC_SLOT_SIZE}, argv2);
+          }
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
+      LSM_PROBE(ptrace_access_check, struct task_struct *child, unsigned int mode)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 mode32 = mode;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "ptrace_check", 13);
+        __builtin_memcpy(&ev.payload[0], &mode32, sizeof(mode32));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(sb_mount, const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u64 flags64 = flags;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "sb_mount", 9);
+        __builtin_memcpy(&ev.payload[0], &flags64, sizeof(flags64));
+
+        if (dev_name) {
+          bpf_probe_read_kernel_str(&ev.payload[8], 120, dev_name);
+        }
+        if (type) {
+          bpf_probe_read_kernel_str(&ev.payload[128], 120, type);
+        }
+
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(kernel_read_file, struct file *file, int id, int contents)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u32 id32 = id;
+        u32 contents32 = contents;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "kernel_read_file", 16);
+        __builtin_memcpy(&ev.payload[0], &id32, sizeof(id32));
+        __builtin_memcpy(&ev.payload[4], &contents32, sizeof(contents32));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(task_kill, struct task_struct *p, struct kernel_siginfo *info, int sig, const struct cred *cred)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
 
-      new(pid: pid, event_name: event_name, payload: payload)
-    end
+        struct event_t ev = {};
 
-    def self.c_string(bytes)
-      str = bytes.to_s.b
-      nul = str.index("\x00")
-      return str if nul.nil?
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "task_kill", 10);
+        __builtin_memcpy(&ev.payload[0], &sig, sizeof(sig));
+        submit_event(&ev);
 
-      str[0, nul]
-    end
-  end
+        return 0;
+      }
 
-  class MapStore
-    def initialize(pin_dir: Vivarium.bpf_pin_dir)
-      @pin_dir = pin_dir
-      @config_root_targets = RbBCC::HashTable.from_pin(
-        File.join(@pin_dir, "config_root_targets"),
-        "unsigned int",
-        "unsigned char",
-        keysize: 4,
-        leafsize: 1
-      )
-      @config_spawned_targets = RbBCC::HashTable.from_pin(
-        File.join(@pin_dir, "config_spawned_targets"),
-        "unsigned int",
-        "unsigned char",
-        keysize: 4,
-        leafsize: 1
-      )
-      @event_invoked = RbBCC::ArrayTable.from_pin(
-        File.join(@pin_dir, "event_invoked"),
-        "unsigned int",
-        "char[#{EVENT_STRUCT_SIZE}]",
-        keysize: 4,
-        leafsize: EVENT_STRUCT_SIZE
-      )
-      @event_write_pos = RbBCC::ArrayTable.from_pin(
-        File.join(@pin_dir, "event_write_pos"),
-        "unsigned int",
-        "unsigned int",
-        keysize: 4,
-        leafsize: 4
-      )
-    rescue StandardError => e
-      raise Error, "failed to open pinned maps under #{@pin_dir}: #{e.class}: #{e.message}"
-    end
+      LSM_PROBE(task_fix_setuid, struct cred *new, const struct cred *old, int flags)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
 
-    def register_pid(pid)
-      @config_root_targets[pid] = 1
-    end
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
 
-    def unregister_pid(pid)
-      @config_root_targets.delete(pid)
-      @config_spawned_targets.clear
-    rescue KeyError
-      nil
-    end
+        struct event_t ev = {};
+        u32 flags32 = flags;
 
-    def drain_events
-      events = []
-      EVENT_CAPACITY.times do |idx|
-        ptr = @event_invoked[idx]
-        next unless ptr
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "setid_change", 13);
+        __builtin_memcpy(&ev.payload[0], &flags32, sizeof(flags32));
+        submit_event(&ev);
 
-        event = Event.from_binary(ptr[0, EVENT_STRUCT_SIZE])
-        next if event.empty?
+        return 0;
+      }
 
-        events << event
-        @event_invoked[idx] = zeroed_event_ptr
-      end
+      LSM_PROBE(capable, const struct cred *cred, struct user_namespace *targ_ns, int cap, unsigned int opts)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
 
-      @event_write_pos[0] = 0
-      events
-    end
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
 
-    private
+        if (!monitored_capability(cap)) {
+          return 0;
+        }
 
-    def zeroed_event_ptr
-      ptr = Fiddle::Pointer.malloc(EVENT_STRUCT_SIZE)
-      ptr[0, EVENT_STRUCT_SIZE] = "\x00" * EVENT_STRUCT_SIZE
-      ptr
-    end
-  end
+        struct event_t ev = {};
+        u32 cap32 = cap;
+        u32 opts32 = opts;
 
-  class Daemon
-    BPF_PROGRAM_TEMPLATE = <<~CLANG
-      struct path {
-        void *mnt;
-        void *dentry;
-      };
-      struct file {
-        char __off[__VIVARIUM_F_PATH_OFFSET__];
-        struct path f_path;
-      };
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "capable_check", 14);
+        __builtin_memcpy(&ev.payload[0], &cap32, sizeof(cap32));
+        __builtin_memcpy(&ev.payload[4], &opts32, sizeof(opts32));
+        submit_event(&ev);
 
-      struct event_t {
-        u32 pid;
-        char event_name[16];
-        char payload[#{EVENT_PAYLOAD_SIZE}];
-      };
+        return 0;
+      }
 
-      BPF_HASH(config_root_targets, u32, u8, 1024);
-      BPF_HASH(config_spawned_targets, u32, u8, 8192);
-      BPF_ARRAY(event_invoked, struct event_t, 1024);
-      BPF_ARRAY(event_write_pos, u32, 1);
+      LSM_PROBE(bprm_creds_from_file, struct linux_binprm *bprm, struct file *file)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
 
-      static __always_inline int target_enabled(u32 pid, u32 tid)
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        u8 has_file = 0;
+
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "bprm_creds", 11);
+
+        if (file) {
+          has_file = 1;
+          bpf_d_path(&file->f_path, &ev.payload[1], sizeof(ev.payload) - 1);
+        }
+
+        __builtin_memcpy(&ev.payload[0], &has_file, sizeof(has_file));
+        submit_event(&ev);
+
+        return 0;
+      }
+
+      LSM_PROBE(inode_symlink, struct inode *dir, struct dentry *dentry, const char *oldname)
       {
-        u8 *enabled_root = config_root_targets.lookup(&pid);
-        if (enabled_root && *enabled_root == 1) {
-          return 1;
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
         }
 
-        u8 *enabled_spawned = config_spawned_targets.lookup(&tid);
-        if (enabled_spawned && *enabled_spawned == 1) {
-          return 1;
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_symlink", 13);
+
+        if (oldname) {
+          bpf_probe_read_user_str(&ev.payload[0], 128, oldname);
+        }
+
+        if (dentry) {
+          read_dentry_name(dentry, &ev.payload[128], 128);
         }
 
+        submit_event(&ev);
         return 0;
       }
 
-      TRACEPOINT_PROBE(sched, sched_process_fork)
+      LSM_PROBE(inode_link, struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
       {
-        u32 parent = args->parent_pid;
-        u32 child = args->child_pid;
-        u8 one = 1;
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
 
-        u8 *enabled_root = config_root_targets.lookup(&parent);
-        if (enabled_root && *enabled_root == 1) {
-          config_spawned_targets.update(&child, &one);
+        if (!target_enabled(pid, tid)) {
           return 0;
         }
 
-        u8 *enabled_spawned = config_spawned_targets.lookup(&parent);
-        if (enabled_spawned && *enabled_spawned == 1) {
-          config_spawned_targets.update(&child, &one);
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_hardlink", 14);
+
+        if (old_dentry) {
+          read_dentry_name(old_dentry, &ev.payload[0], 128);
+        }
+
+        if (new_dentry) {
+          read_dentry_name(new_dentry, &ev.payload[128], 128);
         }
 
+        submit_event(&ev);
         return 0;
       }
 
-      TRACEPOINT_PROBE(sched, sched_process_exit)
+      LSM_PROBE(inode_rename, struct inode *old_dir, struct dentry *old_dentry, 
+                struct inode *new_dir, struct dentry *new_dentry, unsigned int flags)
       {
-        u32 tid = (u32)bpf_get_current_pid_tgid();
-        config_spawned_targets.delete(&tid);
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_rename", 12);
+
+        if (old_dentry) {
+          read_dentry_name(old_dentry, &ev.payload[0], 128);
+        }
+
+        if (new_dentry) {
+          read_dentry_name(new_dentry, &ev.payload[128], 128);
+        }
+
+        submit_event(&ev);
         return 0;
       }
 
-      LSM_PROBE(file_open, struct file *file)
+      LSM_PROBE(path_chmod, struct path *path, umode_t mode)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
         u32 pid = pid_tgid >> 32;
         u32 tid = (u32)pid_tgid;
-        bpf_trace_printk("vivarium: invoked pid=%d\\n", pid);
+
         if (!target_enabled(pid, tid)) {
           return 0;
         }
 
-        u32 zero = 0;
-        u32 *write_pos = event_write_pos.lookup(&zero);
-        if (!write_pos) {
+        if (!path) {
           return 0;
         }
 
-        u32 idx = *write_pos & 1023;
-        __sync_fetch_and_add(write_pos, 1);
         struct event_t ev = {};
-        int path_ret;
+        u16 mode_short = mode & 0xFFFF;
         ev.pid = pid;
-        __builtin_memcpy(ev.event_name, "path_open", 9);
+        __builtin_memcpy(ev.event_name, "file_chmod", 11);
+        __builtin_memcpy(&ev.payload[0], &mode_short, sizeof(mode_short));
 
-        path_ret = bpf_d_path(&file->f_path, ev.payload, sizeof(ev.payload));
-        if (path_ret < 0) {
-          if (ev.payload[0] == 0) {
-            __builtin_memcpy(ev.payload, "<path_error>", 13);
-            bpf_trace_printk("vivarium: failed to obtain full path. pid=%d path=%s\\n", pid, ev.payload);
-          }
+        bpf_d_path(path, &ev.payload[2], sizeof(ev.payload) - 2);
+        submit_event(&ev);
+        return 0;
+      }
+
+      TRACEPOINT_PROBE(syscalls, sys_enter_getdents64)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+
+        if (!target_enabled(pid, tid)) {
+          return 0;
         }
 
-        bpf_trace_printk("vivarium: pid=%d path=%s\\n", pid, ev.payload);
-        event_invoked.update(&idx, &ev);
+        struct event_t ev = {};
+        u32 fd = args->fd;
+        u32 count = args->count;
 
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "file_getdents", 14);
+        __builtin_memcpy(&ev.payload[0], &fd, sizeof(fd));
+        __builtin_memcpy(&ev.payload[4], &count, sizeof(count));
+
+        submit_event(&ev);
         return 0;
       }
     CLANG
@@ -241,7 +1273,10 @@ module Vivarium
       FileUtils.mkdir_p(@pin_dir)
 
       f_path_offset = detect_f_path_offset
-      program = BPF_PROGRAM_TEMPLATE.gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
+      d_name_offset = detect_dentry_d_name_offset
+      program = BPF_PROGRAM_TEMPLATE
+        .gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
+        .gsub("__VIVARIUM_DENTRY_D_NAME_OFFSET__", d_name_offset.to_s)
 
       bpf = RbBCC::BCC.new(text: program)
       kprint_thread = start_kprint_logger(bpf)
@@ -377,6 +1412,56 @@ module Vivarium
     rescue Errno::ENOENT
       raise Error, "bpftool is required to resolve struct file::f_path offset"
     end
+
+    def detect_dentry_d_name_offset
+      env_offset = ENV["VIVARIUM_DENTRY_D_NAME_OFFSET"]
+      return Integer(env_offset, 10) if env_offset
+
+      raw = IO.popen(
+        %w[bpftool btf dump file /sys/kernel/btf/vmlinux format raw],
+        err: IO::NULL,
+        &:read
+      )
+
+      in_dentry_struct = false
+      d_name_bits_offset = nil
+
+      raw.each_line do |line|
+        if line =~ /^\[\d+\] STRUCT 'dentry' /
+          in_dentry_struct = true
+          next
+        end
+
+        if in_dentry_struct && line.start_with?("[")
+          break
+        end
+
+        next unless in_dentry_struct
+
+        if (match = line.match(/'d_name'.*bits_offset=(\d+)/))
+          d_name_bits_offset = Integer(match[1], 10)
+          break
+        end
+      end
+
+      if d_name_bits_offset
+        if (d_name_bits_offset % 8).positive?
+          raise Error, "unsupported d_name bits offset=#{d_name_bits_offset}"
+        end
+
+        if d_name_bits_offset >= 1024
+          warn "[vivariumd] suspicious d_name offset=#{d_name_bits_offset / 8}, fallback to offset=32"
+          return 32
+        end
+
+        return d_name_bits_offset / 8
+      end
+
+      warn "[vivariumd] could not find struct dentry::d_name in BTF, fallback to offset=32"
+      32
+    rescue Errno::ENOENT
+      raise Error, "bpftool is required to resolve struct dentry::d_name offset"
+    end
   end
 
   class ObservationSession