bugfix(ebpf): avoid errors upon hash calc fail

Avoid creating errors upon errors in hash calculations from known reasons. This includes memfd files, and race conditions in container FS access
aquasecurity · Dec 5, 2023 · 2c18013 · 2c18013
1 parent 5bc741e
commit 2c18013
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 6 deletions.
diff --git a/pkg/containers/path_resolver.go b/pkg/containers/path_resolver.go
@@ -1,6 +1,7 @@
 package containers
 
 import (
+	"errors"
 	"fmt"
 	"io/fs"
 	"os"
@@ -36,7 +37,7 @@ func (cPathRes *ContainerPathResolver) GetHostAbsPath(mountNSAbsolutePath string
 ) {
 	// path should be absolute, except, for example, memfd_create files
 	if mountNSAbsolutePath == "" || mountNSAbsolutePath[0] != '/' {
-		return "", errfmt.Errorf("file path is not absolute in its container mount point")
+		return "", NonAbsolutePathError
 	}
 
 	// Current process has already died, try to access the root fs from another
@@ -73,8 +74,10 @@ func (cPathRes *ContainerPathResolver) GetHostAbsPath(mountNSAbsolutePath string
 		}
 	}
 
-	return "", errfmt.Errorf(
-		"has no access to container fs - no living task of mountns %d",
-		mountNS,
-	)
+	return "", ContainerFSUnreachableError
 }
+
+var (
+	ContainerFSUnreachableError = errors.New("container file system is unreachable in mount namespace because there are not living children")
+	NonAbsolutePathError        = errors.New("file path is not absolute in its container mount point")
+)
diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
@@ -2,13 +2,16 @@ package ebpf
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"path/filepath"
 	"strconv"
+	"strings"
 
 	"golang.org/x/sys/unix"
 
 	"github.com/aquasecurity/tracee/pkg/capabilities"
+	"github.com/aquasecurity/tracee/pkg/containers"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/events/parse"
@@ -365,6 +368,10 @@ func (t *Tracee) normalizeEventArgTime(event *trace.Event, argName string) error
 // addHashArg calculate file hash (in a best-effort efficiency manner) and add it as an argument
 func (t *Tracee) addHashArg(event *trace.Event, fileName string, ctime int64) error {
 	if t.config.Output.CalcHashes {
+		// Currently Tracee does not support hash calculation of memfd files
+		if strings.HasPrefix(fileName, "memfd") {
+			return nil
+		}
 		hash, err := t.getFileHash(fileName, ctime, event.MountNS, event.ContainerID)
 
 		event.Args = append(
@@ -375,6 +382,13 @@ func (t *Tracee) addHashArg(event *trace.Event, fileName string, ctime int64) er
 		)
 		event.ArgsNum++
 
+		// Container FS unreachable can happen because of race condition on any system,
+		// so there is no reason to return an error on it
+		if errors.Is(err, containers.ContainerFSUnreachableError) {
+			logger.Debugw("failed to calculate hash", "error", err, "mount NS", event.MountNS)
+			err = nil
+		}
+
 		return err
 	}
 	return nil
@@ -392,5 +406,6 @@ func (t *Tracee) processSharedObjectLoaded(event *trace.Event) error {
 		return nil
 	}
 
-	return t.addHashArg(event, filePath, int64(fileCtime))
+	err = t.addHashArg(event, filePath, int64(fileCtime))
+	return nil
 }