Revert "chore: add dedicated struct to ensure the buffer for the cont…

…ainer id is big enough" This reverts commit 802a07b.
exein-io · Jun 24, 2024 · 15e7b1c · 15e7b1c
1 parent 802a07b
commit 15e7b1c
Showing 1 changed file with 26 additions and 30 deletions.
diff --git a/crates/modules/process-monitor/probes.bpf.c b/crates/modules/process-monitor/probes.bpf.c
@@ -151,19 +151,12 @@ struct
   __uint(max_entries, MAX_PENDING_DEAD_PARENTS);
 } orphans_map SEC(".maps");
 
-/*
-Buffer for reading container id of a process. The Container ID is located at `buf[offset]`
- */
-struct container_id_buffer
-{
-  char buf[CONTAINER_ID_MAX_BUF];
-  int offset;
-};
-
 /*
 Identifies the container engine and reads the cgroup id of a process
 from its `task_struct` into an given array of character.
 
+The array size MUST be greater than 72.
+
 ### Input:
     `char buf[]`: a pointer to an array of characters
     `size_t sz`: size of the buffer
@@ -189,7 +182,8 @@ from its `task_struct` into an given array of character.
               of the process after a successful parse of a `container`
               cgroup name for the given process
 */
-static __always_inline int get_container_info(struct task_struct *cur_tsk, struct container_id_buffer *c_id_buf)
+static __always_inline int get_container_info(struct task_struct *cur_tsk,
+                                              char *buf, int *offset)
 {
   int cgrp_id;
   char buf_parent[CONTAINER_ID_MAX_BUF];
@@ -204,9 +198,9 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk, struc
 
   struct kernfs_node *kn = BPF_CORE_READ(cur_tsk, cgroups, subsys[cgrp_id], cgroup, kn);
   const char *name = BPF_CORE_READ(kn, name);
-  if (bpf_probe_read_kernel_str(c_id_buf->buf, CONTAINER_ID_MAX_BUF, name) < 0)
+  if (bpf_probe_read_kernel_str(buf, CONTAINER_ID_MAX_BUF, name) < 0)
   {
-    LOG_ERROR("failed to get kernfs node name: %s\n", c_id_buf->buf);
+    LOG_ERROR("failed to get kernfs node name: %s\n", buf);
     return FAILED_READ_CGROUP_NAME;
   }
 
@@ -233,9 +227,9 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk, struc
   //    `docker` and the child node contains the container ID.
 
   // Case 1.
-  if (STRNCMP(c_id_buf->buf, 7, "docker-") == 0)
+  if (STRNCMP(buf, 7, "docker-") == 0)
   {
-    c_id_buf->offset = 7;
+    *offset = 7;
     return DOCKER_CONTAINER_ENGINE;
   }
 
@@ -246,36 +240,36 @@ static __always_inline int get_container_info(struct task_struct *cur_tsk, struc
   if (STRNCMP(buf_parent, 6, "docker") == 0 && buf_parent[6] == '\0')
   {
     // The last node is unprefixed, it contains just container ID.
-    c_id_buf->offset = 0;
+    *offset = 0;
     return DOCKER_CONTAINER_ENGINE;
   }
 
   // Podman case
   //
   // the check for NULL character is needed to avoid collisions with
   // `containerd-` prefixed cgroup name
-  if (STRNCMP(c_id_buf->buf, 9, "container") == 0 && c_id_buf->buf[9] == '\0')
+  if (STRNCMP(buf, 9, "container") == 0 && buf[9] == '\0')
   {
     // Read `parent_name` to the main buffer `buf`.
-    if (parent_name == NULL || bpf_probe_read_kernel_str(c_id_buf->buf, CONTAINER_ID_MAX_BUF, parent_name) < 0)
+    if (parent_name == NULL || bpf_probe_read_kernel_str(buf, CONTAINER_ID_MAX_BUF, parent_name) < 0)
     {
-      LOG_ERROR("failed to get parent kernfs node name: %s\n", c_id_buf->buf);
+      LOG_ERROR("failed to get parent kernfs node name: %s\n", buf);
       return FAILED_READ_PARENT_CGROUP_NAME;
     }
 
-    if (STRNCMP(c_id_buf->buf, 7, "libpod-") == 0)
+    if (STRNCMP(buf, 7, "libpod-") == 0)
     {
-      c_id_buf->offset = 7;
+      *offset = 7;
       return PODMAN_CONTAINER_ENGINE;
     }
 
     // Error podman step 2
-    LOG_ERROR("failed parsing libpod id: %s\n", c_id_buf->buf);
+    LOG_ERROR("failed parsing libpod id: %s\n", buf);
     return FAILED_PARSE_LIBPOD_CGROUP_NAME;
   }
 
   // No container or unknown container engine
-  LOG_DEBUG("no container or unknown container engine. id: %s\n", c_id_buf->buf);
+  LOG_DEBUG("no container or unknown container engine. id: %s\n", buf);
   return UNKNOWN_CONTAINER_ENGINE;
 }
 
@@ -288,7 +282,7 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
   pid_t parent_tgid = BPF_CORE_READ(parent, tgid);
   pid_t child_tgid = BPF_CORE_READ(child, tgid);
 
-  struct container_id_buffer c_id_buf;
+  char buf[CONTAINER_ID_MAX_BUF];
 
   // if parent process group matches the child one, we're forking a thread
   // and we ignore the event.
@@ -317,7 +311,8 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
   event->fork.namespaces.time = BPF_CORE_READ(child, nsproxy, time_ns, ns.inum);
   event->fork.namespaces.cgroup = BPF_CORE_READ(child, nsproxy, cgroup_ns, ns.inum);
 
-  int container_engine = get_container_info(child, &c_id_buf);
+  int id_offset;
+  int container_engine = get_container_info(child, buf, &id_offset);
   if (container_engine < 0)
   {
     // TODO: print error ??
@@ -332,9 +327,9 @@ int BPF_PROG(sched_process_fork, struct task_struct *parent,
     event->fork.option_index.container_id.container_engine = container_engine;
     buffer_index_init(&event->buffer, &event->fork.option_index.container_id.cgroup_id);
     buffer_append_str(&event->buffer, &event->fork.option_index.container_id.cgroup_id,
-                      c_id_buf.buf + c_id_buf.offset, CONTAINER_ID_MAX_BUF);
+                      buf + id_offset, CONTAINER_ID_MAX_BUF);
 
-    LOG_DEBUG("fork - detected container with id: %s", c_id_buf.buf + c_id_buf.offset);
+    LOG_DEBUG("fork - detected container with id: %s", buf + id_offset);
   }
 
   output_process_event(ctx, event);
@@ -347,7 +342,7 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
 {
   pid_t tgid = bpf_get_current_pid_tgid() >> 32;
 
-  struct container_id_buffer c_id_buf;
+  char buf[CONTAINER_ID_MAX_BUF];
 
   struct process_event *event = init_process_event(EVENT_EXEC, tgid);
   if (!event)
@@ -365,7 +360,8 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
   event->exec.namespaces.time = BPF_CORE_READ(p, nsproxy, time_ns, ns.inum);
   event->exec.namespaces.cgroup = BPF_CORE_READ(p, nsproxy, cgroup_ns, ns.inum);
 
-  int container_engine = get_container_info(p, &c_id_buf);
+  int id_offset;
+  int container_engine = get_container_info(p, buf, &id_offset);
   if (container_engine < 0)
   {
     event->exec.option_index.discriminant = OPTION_NONE;
@@ -378,9 +374,9 @@ int BPF_PROG(sched_process_exec, struct task_struct *p, pid_t old_pid,
     event->exec.option_index.container_id.container_engine = container_engine;
     buffer_index_init(&event->buffer, &event->exec.option_index.container_id.cgroup_id);
     buffer_append_str(&event->buffer, &event->exec.option_index.container_id.cgroup_id,
-                      c_id_buf.buf + c_id_buf.offset, CONTAINER_ID_MAX_BUF);
+                      buf + id_offset, CONTAINER_ID_MAX_BUF);
 
-    LOG_DEBUG("exec - detected container with id: %s", c_id_buf.buf + c_id_buf.offset);
+    LOG_DEBUG("exec - detected container with id: %s", buf + id_offset);
   }
 
   // This is needed because the first MAX_IMAGE_LEN bytes of buffer will