Fact now sends xattr events as gRPC messages

Author: JoukoVirtanen

fact/src/event/mod.rs

@@ -431,13 +431,21 @@ impl FileData {
                 let xattr_name = slice_to_string(
                     &unsafe { extra_data.xattr }.name[..XATTR_NAME_MAX_LEN as usize],
                 )?;
-                FileData::SetXattr(XattrFileData { inner, xattr_name })
+                FileData::SetXattr(XattrFileData {
+                    inner,
+                    xattr_name,
+                    operation: XattrOperation::Set,
+                })
             }
             file_activity_type_t::FILE_ACTIVITY_REMOVEXATTR => {
                 let xattr_name = slice_to_string(
                     &unsafe { extra_data.xattr }.name[..XATTR_NAME_MAX_LEN as usize],
                 )?;
-                FileData::RemoveXattr(XattrFileData { inner, xattr_name })
+                FileData::RemoveXattr(XattrFileData {
+                    inner,
+                    xattr_name,
+                    operation: XattrOperation::Remove,
+                })
             }
             invalid => unreachable!("Invalid event type: {invalid:?}"),
         };
@@ -465,11 +473,13 @@ impl From<FileData> for fact_api::file_activity::File {
             FileData::RmDir(_) => {
                 unreachable!("RmDir event reached protobuf conversion");
             }
-            FileData::SetXattr(_) => {
-                unreachable!("SetXattr event reached protobuf conversion");
+            FileData::SetXattr(event) => {
+                let f_act = fact_api::FileXattrChange::from(event);
+                fact_api::file_activity::File::Xattr(f_act)
             }
-            FileData::RemoveXattr(_) => {
-                unreachable!("RemoveXattr event reached protobuf conversion");
+            FileData::RemoveXattr(event) => {
+                let f_act = fact_api::FileXattrChange::from(event);
+                fact_api::file_activity::File::Xattr(f_act)
             }
             FileData::Unlink(event) => {
                 let activity = Some(fact_api::FileActivityBase::from(event));
@@ -635,10 +645,32 @@ impl PartialEq for RenameFileData {
     }
 }
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
+pub enum XattrOperation {
+    Set,
+    Remove,
+}
+
 #[derive(Debug, Clone, Serialize)]
 pub struct XattrFileData {
     inner: BaseFileData,
     xattr_name: String,
+    operation: XattrOperation,
+}
+
+impl From<XattrFileData> for fact_api::FileXattrChange {
+    fn from(value: XattrFileData) -> Self {
+        let activity = fact_api::FileActivityBase::from(value.inner);
+        let operation = match value.operation {
+            XattrOperation::Set => fact_api::file_xattr_change::Operation::Set,
+            XattrOperation::Remove => fact_api::file_xattr_change::Operation::Remove,
+        };
+        fact_api::FileXattrChange {
+            activity: Some(activity),
+            xattr_name: value.xattr_name,
+            operation: operation.into(),
+        }
+    }
 }
 
 #[cfg(test)]

fact/src/host_scanner.rs

@@ -452,8 +452,8 @@ You can increase this limit with:
                             self.handle_unlink_event(&event);
                         }
 
-                        // Skip events that are tracked internally but not yet sent to sensor
-                        if event.is_mkdir() || event.is_rmdir() || event.is_xattr() {
+                        // Skip directory creation and deletion events - we track them internally but don't send to sensor
+                        if event.is_mkdir() || event.is_rmdir() {
                             continue;
                         }