fix(processors): change args values by name

Change all places that change args values in processors to find arguments by their names instead of index. This way the order of the arguments received from the kernel shall not cause bugs.
aquasecurity · Feb 1, 2024 · abfb8be · abfb8be
1 parent ccb2c11
commit abfb8be
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/pkg/ebpf/processor_funcs.go b/pkg/ebpf/processor_funcs.go
@@ -260,7 +260,8 @@ const (
 
 // processHookedProcFops processes a hooked_proc_fops event.
 func (t *Tracee) processHookedProcFops(event *trace.Event) error {
-	fopsAddresses, err := parse.ArgVal[[]uint64](event.Args, "hooked_fops_pointers")
+	const hookedFopsPointersArgName = "hooked_fops_pointers"
+	fopsAddresses, err := parse.ArgVal[[]uint64](event.Args, hookedFopsPointersArgName)
 	if err != nil || fopsAddresses == nil {
 		return errfmt.Errorf("error parsing hooked_proc_fops args: %v", err)
 	}
@@ -282,7 +283,10 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error {
 		}
 		hookedFops = append(hookedFops, trace.HookedSymbolData{SymbolName: functionName, ModuleOwner: hookingFunction.Owner})
 	}
-	event.Args[0].Value = hookedFops
+	err = events.SetArgValue(event, hookedFopsPointersArgName, hookedFops)
+	if err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -318,9 +322,18 @@ func (t *Tracee) processPrintMemDump(event *trace.Event) error {
 		return errfmt.WrapError(err)
 	}
 	arch = string(bytes.TrimRight(utsName.Machine[:], "\x00"))
-	event.Args[4].Value = arch
-	event.Args[5].Value = symbol.Name
-	event.Args[6].Value = symbol.Owner
+	err = events.SetArgValue(event, "arch", arch)
+	if err != nil {
+		return err
+	}
+	err = events.SetArgValue(event, "symbol_name", symbol.Name)
+	if err != nil {
+		return err
+	}
+	err = events.SetArgValue(event, "symbol_owner", symbol.Owner)
+	if err != nil {
+		return err
+	}
 	return nil
 }
 

diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go
@@ -308,6 +308,15 @@ func GetArg(event *trace.Event, argName string) *trace.Argument {
 	return nil
 }
 
+func SetArgValue(event *trace.Event, argName string, value any) error {
+	archArg := GetArg(event, argName)
+	if archArg == nil {
+		return fmt.Errorf("event %s has no argument named %s", event.EventName, argName)
+	}
+	archArg.Value = value
+	return nil
+}
+
 type CustomFunctionArgument struct {
 	val uint64
 	str string