[WIP] Collect correct arguments when setproctitle is called
#976
Conversation
Signed-off-by: Andrea Terzolo <[email protected]> Co-authored-by: Federico Di Pierro <[email protected]>
poiana
added
release-note-none
do-not-merge/work-in-progress
kind/feature
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| exe_len = bpf_probe_read_kernel_str(&data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF], | ||
| SCRATCH_SIZE_HALF, | ||
| &data->buf[data->state->tail_ctx.curoff & SCRATCH_SIZE_HALF]); | ||
| /* if true application is using setproctitle() */ |
There was a problem hiding this comment.
Just to better highlight the algo here: https://elixir.bootlin.com/linux/latest/source/mm/util.c#L965
|
Wow extraordinary research work ❤️ , need to look more into it, hence only posting some initial thoughts:
|
Not sure about that but as we saw from e2e tests at least
agree with that 👍
we will try to find something else 🔍 |
|
Maybe in Dec or early next year we could revive this discussion? |
|
Just checking in here: How do we all feel wrt prioritization? Since this PR has been created a while ago. |
|
No super priority at the moment IMO |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten |
|
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community. |
|
@poiana: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/reopen |
|
@FedeDP: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Please double check driver/SCHEMA_VERSION file. See versioning. /hold |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area driver-kmod
/area driver-bpf
/area driver-modern-bpf
Does this PR require a change in the driver versions?
No
What this PR does / why we need it:
Some days ago we faced this strange thing in the PR regarding e2e tests (#967 (comment)).
The question was, why the modern probe is taking something different respect than the other 2 drivers? the answer is pretty funny.
nginxunder the hood calls thesetproctitlemethod, what this method does is quite strange it moves the actual args of the process frommm->arg_starttomm->arg_env, so into the environment variables space, and overwrite the content ofmm->arg_startwith the "process title". In our case the modern probe prints:this is because it tries to read a string until the first
\0is faced, in this case sinceargsmemory andenvmemory are contiguous we are reading both the process title (nginx: master process) and the exe+args (nginx -g daemon off). The other 2 drivers try to read only theargsmemory and for this reason, we read just the process titlenginx: master processinstead of realexeandargs.This patch tries to solve this issue in all three drivers but we have some concerns:
proc_startupdateare very dangerous from the stability point of view. This is why we were evaluating a partial refactor...setproctitlefunction). What this function does is check if there is a null terminator at the end of theargsmemory, if no, it considers this area modified bysetproctitleand checks for the realargsinto theenvmemory. BTW it could happen that for some reasonargsmemory misses the final terminator, this would mean that we read theenvmemory even ifsetproctitlewas not called and so we read junk...take a look at theforkX_father_setproctitletest indrivers_testsBefore proceeding in fixing the verifier losing some days (:laughing:) we would be sure that this is what we want :) WDYT @LucaGuerra @Molter73 @incertum ?
Which issue(s) this PR fixes:
Fixes #988
Special notes for your reviewer:
Does this PR introduce a user-facing change?: