search

exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh
Other
888 stars 51 forks source link

Container id buffer struct #299

Closed banditopazzo closed 2 months ago

banditopazzo commented 2 months ago

Reviewing #293 I noticed a potential issue with the signature of the function get_container_info.

The above mentioned PR changes are the following:

- static __always_inline int get_container_info(struct task_struct *cur_tsk, char *buf, size_t sz, int *offset)
+ static __always_inline int get_container_info(struct task_struct *cur_tsk,
                                              char *buf, int *offset)

The new version assumes that char *buf is big at least CONTAINER_ID_MAX_BUF using this size in bpf helpers, but this is not true just looking at the signature.

The old version it's not free of issue: it takes the size_t sz from the caller and safely use this size in the helpers. In general this approach is fine, it's the correct way of use it but in this case we need the buffer at least of size 72. Now we rely on the documentation of the function:

/*
...
The array size MUST be greater than 72.
...
*/

but I'm proposing to use a dedicated struct for the job. The struct enforces the size of the buffer and as a plus we can pack int id_offset with the buffer.

vadorovsky commented 2 months ago

Nice, definitely cleaner than the approach with passing a pointer to offset integer.