exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh

fix: Docker container ID parsing with cgroupfs driver #293

Closed vadorovsky closed 2 months ago

vadorovsky commented 2 months ago

The format of the cgroup path is different for the systemd and cgroupfs drivers.

For the systemd driver, it's

0::/system.slice/docker-d4ea646fc22c701dbb146e52db4e9125dcca2eebb2f5552f90fedbb28a0f0716.scope

For the cgroupfs driver, it's

0::/docker/2cf2e0be458a80acb354c953f7bb03de5d2d277dfcb8ebaa6575f95668a0c15f

Handle both formats.
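The two layouts above differ only in the component that carries the ID: `docker-<id>.scope` under `/system.slice` for systemd, and a bare `<id>` directly under `/docker` for cgroupfs. The parser below is an added illustration of handling both, not pulsar's own code: it assumes a cgroup v2 line of the form `0::/<path>` (a bare path also works), that the ID is 64 lowercase hex characters, and that anything else (for example a plain user session scope) should yield no ID rather than a truncated or bogus one.

```rust
// Added example (not pulsar's code): extract a Docker container ID from a
// cgroup path, accepting both the systemd and cgroupfs driver layouts.
// Assumption: a Docker container ID is exactly 64 lowercase hex characters.

/// Returns the container ID if `cgroup_line` points at a Docker container
/// cgroup in either driver's layout, otherwise `None`.
pub fn docker_container_id(cgroup_line: &str) -> Option<String> {
    // A cgroup v2 line from /proc/<pid>/cgroup reads "0::/<path>";
    // keep whatever follows the last "::" so a raw path is accepted too.
    let path = cgroup_line.trim().rsplit("::").next()?;

    // Split off the last two path components: the container component and
    // its parent directory.
    let mut segments = path.trim_end_matches('/').rsplit('/');
    let last = segments.next()?;
    let parent = segments.next().unwrap_or("");

    let candidate = if let Some(rest) = last.strip_prefix("docker-") {
        // systemd driver: .../docker-<id>.scope
        rest.strip_suffix(".scope")?
    } else if parent == "docker" {
        // cgroupfs driver: /docker/<id>
        last
    } else {
        // Not a Docker container cgroup (e.g. a user session scope).
        return None;
    };

    // Reject anything that is not a well-formed 64-char lowercase hex ID, so
    // an unexpected path layout never produces a partial or invented ID.
    let well_formed = candidate.len() == 64
        && candidate
            .bytes()
            .all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'));
    if well_formed {
        Some(candidate.to_string())
    } else {
        None
    }
}

fn main() {
    // Constructed inputs: the two lines quoted in the PR description plus a
    // non-container cgroup that must be rejected.
    let samples = [
        "0::/system.slice/docker-d4ea646fc22c701dbb146e52db4e9125dcca2eebb2f5552f90fedbb28a0f0716.scope",
        "0::/docker/2cf2e0be458a80acb354c953f7bb03de5d2d277dfcb8ebaa6575f95668a0c15f",
        "0::/user.slice/user-1000.slice/session-2.scope",
    ];
    for line in samples {
        println!("{line}\n  -> {:?}", docker_container_id(line));
    }
}
```

Validating the length and character set of the extracted ID is the part worth keeping: a detector that keys events by container ID should produce either a complete ID or nothing, since a truncated or mis-parsed ID silently attributes activity to the wrong workload.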

banditopazzo commented 2 months ago

Seems good to me.

I would like to make one final consideration: looking at the history, the commit "fix: Handle offsets and their bounds in buffer_append_str" didn't solve the verifier issue, but it was solved in the next commit, "fix: Use container_id_buffer also for parent_buf". So is it possible to revert to the previous signature of the function buffer_append_str? I'm ok if it's the only way to solve the verifier issue; I'm only asking if we can keep the signature less weird.

vadorovsky commented 2 months ago

@banditopazzo There were two separate verifier issues which both of these commits were solving. :sweat_smile:

- "fix: Handle offsets and their bounds in buffer_append_str" fixed the verifier error on kernel 5.13
- "fix: Use container_id_buffer also for parent_buf" fixed another verifier error on kernel 6.0

If you check out a change before both of these commits, the integration tests fail for both 5.13 and 6.0. I initially didn't notice the latter, but that's the case.

If you check out the first commit, the tests for 6.0 will fail.

And I think that both changes make sense regardless of the verifier errors: the first one makes the offset checks more reliable in the whole helper, and the second one uses your buffer struct consistently. :)