Skip to content

Commit 1a525bd

Browse files
banditopazzobanditopazzo
committed
chore: add dedicated struct to ensure the buffer for the container id is big enough
1 parent c8285c5 commit 1a525bd

File tree

1 file changed

+30
-24
lines changed

1 file changed

+30
-24
lines changed

crates/modules/process-monitor/probes.bpf.c

+30-24
Original file line numberDiff line numberDiff line change
@@ -151,6 +151,15 @@ struct
151151
__uint(max_entries, MAX_PENDING_DEAD_PARENTS);
152152
} orphans_map SEC(".maps");
153153

154+
/*
155+
Buffer for reading container info of a process. The Container ID is located at `buf[id_offset]`
156+
*/
157+
struct container_id_buffer
158+
{
159+
char buf[CONTAINER_ID_MAX_BUF];
160+
int id_offset;
161+
};
162+
154163
/*
155164
Identifies the container engine and reads the cgroup id of a process
156165
from its `task_struct` into an given array of character.
@@ -182,8 +191,7 @@ The array size MUST be greater than 72.
182191
of the process after a successful parse of a `container`
183192
cgroup name for the given process
184193
*/
185-
static __always_inline int get_container_info(struct task_struct *cur_tsk,
186-
char *buf, int *offset)
194+
static __always_inline int get_container_info(struct task_struct *cur_tsk, struct container_id_buffer *c_id_buf)
187195
{
188196
int cgrp_id;
189197
char buf_parent[CONTAINER_ID_MAX_BUF];
@@ -198,9 +206,9 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk,
198206

199207
struct kernfs_node *kn = BPF_CORE_READ(cur_tsk, cgroups, subsys[cgrp_id], cgroup, kn);
200208
const char *name = BPF_CORE_READ(kn, name);
201-
if (bpf_probe_read_kernel_str(buf, CONTAINER_ID_MAX_BUF, name) < 0)
209+
if (bpf_probe_read_kernel_str(c_id_buf->buf, CONTAINER_ID_MAX_BUF, name) < 0)
202210
{
203-
LOG_ERROR("failed to get kernfs node name: %s\n", buf);
211+
LOG_ERROR("failed to get kernfs node name: %s\n", c_id_buf->buf);
204212
return FAILED_READ_CGROUP_NAME;
205213
}
206214

@@ -227,9 +235,9 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk,
227235
// `docker` and the child node contains the container ID.
228236

229237
// Case 1.
230-
if (STRNCMP(buf, 7, "docker-") == 0)
238+
if (STRNCMP(c_id_buf->buf, 7, "docker-") == 0)
231239
{
232-
*offset = 7;
240+
c_id_buf->id_offset = 7;
233241
return DOCKER_CONTAINER_ENGINE;
234242
}
235243

@@ -240,36 +248,36 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk,
240248
if (STRNCMP(buf_parent, 6, "docker") == 0 && buf_parent[6] == '\0')
241249
{
242250
// The last node is unprefixed, it contains just container ID.
243-
*offset = 0;
251+
c_id_buf->id_offset = 0;
244252
return DOCKER_CONTAINER_ENGINE;
245253
}
246254

247255
// Podman case
248256
//
249257
// the check for NULL character is needed to avoid collisions with
250258
// `containerd-` prefixed cgroup name
251-
if (STRNCMP(buf, 9, "container") == 0 && buf[9] == '\0')
259+
if (STRNCMP(c_id_buf->buf, 9, "container") == 0 && c_id_buf->buf[9] == '\0')
252260
{
253261
// Read `parent_name` to the main buffer `buf`.
254-
if (parent_name == NULL || bpf_probe_read_kernel_str(buf, CONTAINER_ID_MAX_BUF, parent_name) < 0)
262+
if (parent_name == NULL || bpf_probe_read_kernel_str(c_id_buf->buf, CONTAINER_ID_MAX_BUF, parent_name) < 0)
255263
{
256-
LOG_ERROR("failed to get parent kernfs node name: %s\n", buf);
264+
LOG_ERROR("failed to get parent kernfs node name: %s\n", c_id_buf->buf);
257265
return FAILED_READ_PARENT_CGROUP_NAME;
258266
}
259267

260-
if (STRNCMP(buf, 7, "libpod-") == 0)
268+
if (STRNCMP(c_id_buf->buf, 7, "libpod-") == 0)
261269
{
262-
*offset = 7;
270+
c_id_buf->id_offset = 7;
263271
return PODMAN_CONTAINER_ENGINE;
264272
}
265273

266274
// Error podman step 2
267-
LOG_ERROR("failed parsing libpod id: %s\n", buf);
275+
LOG_ERROR("failed parsing libpod id: %s\n", c_id_buf->buf);
268276
return FAILED_PARSE_LIBPOD_CGROUP_NAME;
269277
}
270278

271279
// No container or unknown container engine
272-
LOG_DEBUG("no container or unknown container engine. id: %s\n", buf);
280+
LOG_DEBUG("no container or unknown container engine. id: %s\n", c_id_buf->buf);
273281
return UNKNOWN_CONTAINER_ENGINE;
274282
}
275283

@@ -282,7 +290,7 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
282290
pid_t parent_tgid = BPF_CORE_READ(parent, tgid);
283291
pid_t child_tgid = BPF_CORE_READ(child, tgid);
284292

285-
char buf[CONTAINER_ID_MAX_BUF];
293+
struct container_id_buffer c_id_buf;
286294

287295
// if parent process group matches the child one, we're forking a thread
288296
// and we ignore the event.
@@ -311,8 +319,7 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
311319
event->fork.namespaces.time = BPF_CORE_READ(child, nsproxy, time_ns, ns.inum);
312320
event->fork.namespaces.cgroup = BPF_CORE_READ(child, nsproxy, cgroup_ns, ns.inum);
313321

314-
int id_offset;
315-
int container_engine = get_container_info(child, buf, &id_offset);
322+
int container_engine = get_container_info(child, &c_id_buf);
316323
if (container_engine < 0)
317324
{
318325
// TODO: print error ??
@@ -327,9 +334,9 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
327334
event->fork.option_index.container_id.container_engine = container_engine;
328335
buffer_index_init(&event->buffer, &event->fork.option_index.container_id.cgroup_id);
329336
buffer_append_str(&event->buffer, &event->fork.option_index.container_id.cgroup_id,
330-
buf + id_offset, CONTAINER_ID_MAX_BUF);
337+
c_id_buf.buf + c_id_buf.id_offset, CONTAINER_ID_MAX_BUF);
331338

332-
LOG_DEBUG("fork - detected container with id: %s", buf + id_offset);
339+
LOG_DEBUG("fork - detected container with id: %s", c_id_buf.buf + c_id_buf.id_offset);
333340
}
334341

335342
output_process_event(ctx, event);
@@ -342,7 +349,7 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
342349
{
343350
pid_t tgid = bpf_get_current_pid_tgid() >> 32;
344351

345-
char buf[CONTAINER_ID_MAX_BUF];
352+
struct container_id_buffer c_id_buf;
346353

347354
struct process_event *event = init_process_event(EVENT_EXEC, tgid);
348355
if (!event)
@@ -360,8 +367,7 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
360367
event->exec.namespaces.time = BPF_CORE_READ(p, nsproxy, time_ns, ns.inum);
361368
event->exec.namespaces.cgroup = BPF_CORE_READ(p, nsproxy, cgroup_ns, ns.inum);
362369

363-
int id_offset;
364-
int container_engine = get_container_info(p, buf, &id_offset);
370+
int container_engine = get_container_info(p, &c_id_buf);
365371
if (container_engine < 0)
366372
{
367373
event->exec.option_index.discriminant = OPTION_NONE;
@@ -374,9 +380,9 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
374380
event->exec.option_index.container_id.container_engine = container_engine;
375381
buffer_index_init(&event->buffer, &event->exec.option_index.container_id.cgroup_id);
376382
buffer_append_str(&event->buffer, &event->exec.option_index.container_id.cgroup_id,
377-
buf + id_offset, CONTAINER_ID_MAX_BUF);
383+
c_id_buf.buf + c_id_buf.id_offset, CONTAINER_ID_MAX_BUF);
378384

379-
LOG_DEBUG("exec - detected container with id: %s", buf + id_offset);
385+
LOG_DEBUG("exec - detected container with id: %s", c_id_buf.buf + c_id_buf.id_offset);
380386
}
381387

382388
// This is needed because the first MAX_IMAGE_LEN bytes of buffer will

0 commit comments

Comments
 (0)