Skip to content

Commit 896d07f

Browse files
banditopazzobanditopazzo
committed
chore: add dedicated struct to ensure the buffer for the container id is big enough
1 parent c8285c5 commit 896d07f

File tree

1 file changed

+30
-26
lines changed

1 file changed

+30
-26
lines changed

crates/modules/process-monitor/probes.bpf.c

+30-26
Original file line numberDiff line numberDiff line change
@@ -151,12 +151,19 @@ struct
151151
__uint(max_entries, MAX_PENDING_DEAD_PARENTS);
152152
} orphans_map SEC(".maps");
153153

154+
/*
155+
Buffer for reading container id of a process. The Container ID is located at `buf[id_offset]`
156+
*/
157+
struct container_id_buffer
158+
{
159+
char buf[CONTAINER_ID_MAX_BUF];
160+
int id_offset;
161+
};
162+
154163
/*
155164
Identifies the container engine and reads the cgroup id of a process
156165
from its `task_struct` into an given array of character.
157166
158-
The array size MUST be greater than 72.
159-
160167
### Input:
161168
`char buf[]`: a pointer to an array of characters
162169
`size_t sz`: size of the buffer
@@ -182,8 +189,7 @@ The array size MUST be greater than 72.
182189
of the process after a successful parse of a `container`
183190
cgroup name for the given process
184191
*/
185-
static __always_inline int get_container_info(struct task_struct *cur_tsk,
186-
char *buf, int *offset)
192+
static __always_inline int get_container_info(struct task_struct *cur_tsk, struct container_id_buffer *c_id_buf)
187193
{
188194
int cgrp_id;
189195
char buf_parent[CONTAINER_ID_MAX_BUF];
@@ -198,9 +204,9 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk,
198204

199205
struct kernfs_node *kn = BPF_CORE_READ(cur_tsk, cgroups, subsys[cgrp_id], cgroup, kn);
200206
const char *name = BPF_CORE_READ(kn, name);
201-
if (bpf_probe_read_kernel_str(buf, CONTAINER_ID_MAX_BUF, name) < 0)
207+
if (bpf_probe_read_kernel_str(c_id_buf->buf, CONTAINER_ID_MAX_BUF, name) < 0)
202208
{
203-
LOG_ERROR("failed to get kernfs node name: %s\n", buf);
209+
LOG_ERROR("failed to get kernfs node name: %s\n", c_id_buf->buf);
204210
return FAILED_READ_CGROUP_NAME;
205211
}
206212

@@ -227,9 +233,9 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk,
227233
// `docker` and the child node contains the container ID.
228234

229235
// Case 1.
230-
if (STRNCMP(buf, 7, "docker-") == 0)
236+
if (STRNCMP(c_id_buf->buf, 7, "docker-") == 0)
231237
{
232-
*offset = 7;
238+
c_id_buf->id_offset = 7;
233239
return DOCKER_CONTAINER_ENGINE;
234240
}
235241

@@ -240,36 +246,36 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk,
240246
if (STRNCMP(buf_parent, 6, "docker") == 0 && buf_parent[6] == '\0')
241247
{
242248
// The last node is unprefixed, it contains just container ID.
243-
*offset = 0;
249+
c_id_buf->id_offset = 0;
244250
return DOCKER_CONTAINER_ENGINE;
245251
}
246252

247253
// Podman case
248254
//
249255
// the check for NULL character is needed to avoid collisions with
250256
// `containerd-` prefixed cgroup name
251-
if (STRNCMP(buf, 9, "container") == 0 && buf[9] == '\0')
257+
if (STRNCMP(c_id_buf->buf, 9, "container") == 0 && c_id_buf->buf[9] == '\0')
252258
{
253259
// Read `parent_name` to the main buffer `buf`.
254-
if (parent_name == NULL || bpf_probe_read_kernel_str(buf, CONTAINER_ID_MAX_BUF, parent_name) < 0)
260+
if (parent_name == NULL || bpf_probe_read_kernel_str(c_id_buf->buf, CONTAINER_ID_MAX_BUF, parent_name) < 0)
255261
{
256-
LOG_ERROR("failed to get parent kernfs node name: %s\n", buf);
262+
LOG_ERROR("failed to get parent kernfs node name: %s\n", c_id_buf->buf);
257263
return FAILED_READ_PARENT_CGROUP_NAME;
258264
}
259265

260-
if (STRNCMP(buf, 7, "libpod-") == 0)
266+
if (STRNCMP(c_id_buf->buf, 7, "libpod-") == 0)
261267
{
262-
*offset = 7;
268+
c_id_buf->id_offset = 7;
263269
return PODMAN_CONTAINER_ENGINE;
264270
}
265271

266272
// Error podman step 2
267-
LOG_ERROR("failed parsing libpod id: %s\n", buf);
273+
LOG_ERROR("failed parsing libpod id: %s\n", c_id_buf->buf);
268274
return FAILED_PARSE_LIBPOD_CGROUP_NAME;
269275
}
270276

271277
// No container or unknown container engine
272-
LOG_DEBUG("no container or unknown container engine. id: %s\n", buf);
278+
LOG_DEBUG("no container or unknown container engine. id: %s\n", c_id_buf->buf);
273279
return UNKNOWN_CONTAINER_ENGINE;
274280
}
275281

@@ -282,7 +288,7 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
282288
pid_t parent_tgid = BPF_CORE_READ(parent, tgid);
283289
pid_t child_tgid = BPF_CORE_READ(child, tgid);
284290

285-
char buf[CONTAINER_ID_MAX_BUF];
291+
struct container_id_buffer c_id_buf;
286292

287293
// if parent process group matches the child one, we're forking a thread
288294
// and we ignore the event.
@@ -311,8 +317,7 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
311317
event->fork.namespaces.time = BPF_CORE_READ(child, nsproxy, time_ns, ns.inum);
312318
event->fork.namespaces.cgroup = BPF_CORE_READ(child, nsproxy, cgroup_ns, ns.inum);
313319

314-
int id_offset;
315-
int container_engine = get_container_info(child, buf, &id_offset);
320+
int container_engine = get_container_info(child, &c_id_buf);
316321
if (container_engine < 0)
317322
{
318323
// TODO: print error ??
@@ -327,9 +332,9 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
327332
event->fork.option_index.container_id.container_engine = container_engine;
328333
buffer_index_init(&event->buffer, &event->fork.option_index.container_id.cgroup_id);
329334
buffer_append_str(&event->buffer, &event->fork.option_index.container_id.cgroup_id,
330-
buf + id_offset, CONTAINER_ID_MAX_BUF);
335+
c_id_buf.buf + c_id_buf.id_offset, CONTAINER_ID_MAX_BUF);
331336

332-
LOG_DEBUG("fork - detected container with id: %s", buf + id_offset);
337+
LOG_DEBUG("fork - detected container with id: %s", c_id_buf.buf + c_id_buf.id_offset);
333338
}
334339

335340
output_process_event(ctx, event);
@@ -342,7 +347,7 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
342347
{
343348
pid_t tgid = bpf_get_current_pid_tgid() >> 32;
344349

345-
char buf[CONTAINER_ID_MAX_BUF];
350+
struct container_id_buffer c_id_buf;
346351

347352
struct process_event *event = init_process_event(EVENT_EXEC, tgid);
348353
if (!event)
@@ -360,8 +365,7 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
360365
event->exec.namespaces.time = BPF_CORE_READ(p, nsproxy, time_ns, ns.inum);
361366
event->exec.namespaces.cgroup = BPF_CORE_READ(p, nsproxy, cgroup_ns, ns.inum);
362367

363-
int id_offset;
364-
int container_engine = get_container_info(p, buf, &id_offset);
368+
int container_engine = get_container_info(p, &c_id_buf);
365369
if (container_engine < 0)
366370
{
367371
event->exec.option_index.discriminant = OPTION_NONE;
@@ -374,9 +378,9 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
374378
event->exec.option_index.container_id.container_engine = container_engine;
375379
buffer_index_init(&event->buffer, &event->exec.option_index.container_id.cgroup_id);
376380
buffer_append_str(&event->buffer, &event->exec.option_index.container_id.cgroup_id,
377-
buf + id_offset, CONTAINER_ID_MAX_BUF);
381+
c_id_buf.buf + c_id_buf.id_offset, CONTAINER_ID_MAX_BUF);
378382

379-
LOG_DEBUG("exec - detected container with id: %s", buf + id_offset);
383+
LOG_DEBUG("exec - detected container with id: %s", c_id_buf.buf + c_id_buf.id_offset);
380384
}
381385

382386
// This is needed because the first MAX_IMAGE_LEN bytes of buffer will

0 commit comments

Comments
 (0)