
Make sure to extract absolute file paths on exec #166

Merged
merged 8 commits into from Apr 19, 2023

Conversation

MatteoNardi (Contributor)

Fix process-monitor to always get the absolute file path on exec.
Before this change executing a file with a relative path would have resulted in an exec event with path ./executable. After this change it will be /path/to/executable.

Since the code to extract the full file path is quite complex, we'll execute it only when needed.

I have

  • run cargo fmt;
  • run cargo clippy;
  • run cargo test and all tests pass;
  • linked to the originating issue (if applicable).

Review comments (resolved) on: crates/bpf-builder/include/get_path.bpf.h
misc(bpf): cleanup get_path
Tests were failing because we were searching in rules maps (target and
whitelist map) an image which contained potential garbage after the
filename.
On busybox-based embedded systems, `which echo` returns `/bin/echo`,
which is a symlink to `/bin/busybox`.
On relative path execution, our `sched_process_exec` handler takes the
path from `bprm->filename`, which leads to the linked at file.
For this reason we need to use `canonicalize()` in the relative exec
test case.
The LOOP macro now takes an extra `max_unroll` parameter, which defines
the maximum loop unroll when bpf_loop is missing.
This allows in `get_path_str` to have a MAX_PATH_COMPONENTS of 100, but
unroll the loop only up to 20, since a bigger value would be rejected by
the verifier.
Review comments (resolved) on: crates/bpf-builder/include/get_path.bpf.h, crates/bpf-builder/include/loop.bpf.h, crates/modules/file-system-monitor/probes.bpf.c
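The two failure modes described above (a relative `./executable` path that never matches a rule keyed by absolute path, and stale bytes after the filename in a fixed-size event buffer) can be reproduced on the userspace side. This is an added illustration, not code from the project: the buffer size, the rule set and the event layout are assumptions made up for the example, and it normalises paths lexically only, so a symlink such as busybox's `/bin/echo` still needs a filesystem `canonicalize()` step, as the test case in the PR does.

```rust
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};

// Size of the fixed path buffer an exec event is assumed to carry (constructed
// for this example; not the project's real event layout).
const PATH_BUF_LEN: usize = 64;

// Extract the NUL-terminated filename from the event buffer. Bytes after the
// first NUL are leftovers from earlier events and must not reach rule matching.
fn filename_from_buf(buf: &[u8; PATH_BUF_LEN]) -> String {
    let end = buf.iter().position(|&b| b == 0).unwrap_or(PATH_BUF_LEN);
    String::from_utf8_lossy(&buf[..end]).into_owned()
}

// Turn the exec filename into an absolute, lexically normalised path
// (`.` and `..` removed). `cwd` is the executing task's working directory.
// Symlinks are NOT resolved here; use std::fs::canonicalize for that.
fn absolute_exec_path(cwd: &Path, filename: &str) -> PathBuf {
    let joined = if Path::new(filename).is_absolute() {
        PathBuf::from(filename)
    } else {
        cwd.join(filename)
    };
    let mut out = PathBuf::from("/");
    for c in joined.components() {
        match c {
            Component::CurDir | Component::RootDir | Component::Prefix(_) => {}
            Component::ParentDir => { out.pop(); }
            Component::Normal(n) => out.push(n),
        }
    }
    out
}

// Rule lookup: exact match on the normalised absolute path, the way a
// target/whitelist map keyed by image path would be consulted.
fn matches_rule(rules: &HashSet<PathBuf>, cwd: &Path, buf: &[u8; PATH_BUF_LEN]) -> bool {
    rules.contains(&absolute_exec_path(cwd, &filename_from_buf(buf)))
}

// Build an event buffer whose tail is filled with constructed garbage, as a
// reused buffer from a previous, longer path would leave behind.
fn event_buf(filename: &str) -> [u8; PATH_BUF_LEN] {
    let mut buf = [b'X'; PATH_BUF_LEN];
    buf[..filename.len()].copy_from_slice(filename.as_bytes());
    buf[filename.len()] = 0;
    buf
}
```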
@MatteoNardi MatteoNardi merged commit 5eb446f into main Apr 19, 2023
17 checks passed
@MatteoNardi MatteoNardi mentioned this pull request May 3, 2023
@banditopazzo banditopazzo deleted the fix_relative_exec branch June 6, 2023 08:40