Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: fix assign vfsmnt correctly #3261

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

bug: fix assign vfsmnt correctly #3261

wants to merge 1 commit into from
+1 −2

Conversation

arthur-zhang
Copy link
Contributor

@arthur-zhang arthur-zhang commented Dec 27, 2024
edited
Loading

Fixes

Description

cwd_read do not assign data->vfsmnt correctly.

reproduce:

sudo mount -t nfs  x.x.x.x:/data/dev/nfs_dir /home/arthur/my_run

$ mount -t
x.x.x.x:/data/dev/nfs_dir on /home/arthur/my_run
/dev/nvme0n1p5 on /home type ext4 (rw,relatime)

and cat a file in my_run dir

cat /home/arthur/my_run/a.txt

in tetragon side, it will get a path : /home/home/arthur/my_run/a.txt, but it should be /home/arthur/my_run/a.txt

cat-2152134 [003] d...1 3725192.671779: bpf_trace_printk: copy path: /home/home/arthur/my_run/a.txt

and in another production env, i found it will get path more than expected when i cat /tmp/tetragon. the prefix /scon/containers/01J6HEV7R29R4WXXS1N2CS9ATP/rootfs/ should not be obtained.

/scon/containers/01J6HEV7R29R4WXXS1N2CS9ATP/rootfs/tmp/tetragon

in the old code, mnt is pointer to the old data->mnt, which is not correct.

struct mount *mnt = data->mnt;
...
if (data->mnt != parent) {
    probe_read(&data->dentry, sizeof(data->dentry),
			    _(&mnt->mnt_mountpoint));
    data->mnt = parent;
    probe_read(&data->vfsmnt, sizeof(data->vfsmnt),
			    _(&mnt->mnt));
    return 0;
}

Changelog

Fix vfsmnt assign bug in bpf/process/bpf_process_event.h
Fixes

Description

cwd_read do not assign data->vfsmnt correctly.

reproduce:

sudo mount -t nfs  x.x.x.x:/data/dev/nfs_dir /home/arthur/my_run

$ mount -t
x.x.x.x:/data/dev/nfs_dir on /home/arthur/my_run
/dev/nvme0n1p5 on /home type ext4 (rw,relatime)

and cat a file in my_run dir

cat /home/arthur/my_run/a.txt

in tetragon side, it will get a path : /home/home/arthur/my_run/a.txt, but it should be /home/arthur/my_run/a.txt

cat-2152134 [003] d...1 3725192.671779: bpf_trace_printk: copy path: /home/home/arthur/my_run/a.txt

and in another production env, i found it will get path more than expected when i cat /tmp/tetragon. the prefix /scon/containers/01J6HEV7R29R4WXXS1N2CS9ATP/rootfs/ should not be obtained.

/scon/containers/01J6HEV7R29R4WXXS1N2CS9ATP/rootfs/tmp/tetragon

in the old code, mnt is pointer to the old data->mnt, which is not correct.

struct mount *mnt = data->mnt;
...
if (data->mnt != parent) {
    probe_read(&data->dentry, sizeof(data->dentry),
			    _(&mnt->mnt_mountpoint));
    data->mnt = parent;
    probe_read(&data->vfsmnt, sizeof(data->vfsmnt),
			    _(&mnt->mnt));
    return 0;
}

@arthur-zhang arthur-zhang requested a review from a team as a code owner December 27, 2024 04:01
@arthur-zhang arthur-zhang changed the title fix: update cwd_read to assign vfsmnt correctly bug: fix assign vfsmnt correctly Jan 3, 2025
@olsajiri
Copy link
Contributor

olsajiri commented Jan 3, 2025

Fixes

Description

cwd_read do not assign data->vfsmnt correctly.

reproduce:

sudo mount -t nfs  x.x.x.x:/data/dev/nfs_dir /home/arthur/my_run

$ mount -t
x.x.x.x:/data/dev/nfs_dir on /home/arthur/my_run
/dev/nvme0n1p5 on /home type ext4 (rw,relatime)

and cat a file in my_run dir

cat /home/arthur/my_run/a.txt

in tetragon side, it will get a path : /home/home/arthur/my_run/a.txt, but it should be /home/arthur/my_run/a.txt

cat-2152134 [003] d...1 3725192.671779: bpf_trace_printk: copy path: /home/home/arthur/my_run/a.txt

and in another production env, i found it will get path more than expected when i cat /tmp/tetragon. the prefix /scon/containers/01J6HEV7R29R4WXXS1N2CS9ATP/rootfs/ should not be obtained.

/scon/containers/01J6HEV7R29R4WXXS1N2CS9ATP/rootfs/tmp/tetragon

in the old code, mnt is pointer to the old data->mnt, which is not correct.

struct mount *mnt = data->mnt;
...
if (data->mnt != parent) {
    probe_read(&data->dentry, sizeof(data->dentry),
			    _(&mnt->mnt_mountpoint));
    data->mnt = parent;
    probe_read(&data->vfsmnt, sizeof(data->vfsmnt),
			    _(&mnt->mnt));
    return 0;
}

Changelog

Fix vfsmnt assign bug in bpf/process/bpf_process_event.h

@arthur-zhang please put all this in the commit changelog, also any chance you could add test the issue? thanks

olsajiri
olsajiri reviewed Jan 3, 2025
View reviewed changes
bpf/process/bpf_process_event.h Outdated
@@ -202,8 +202,7 @@ FUNC_INLINE long cwd_read(struct cwd_read_data *data)
probe_read(&data->dentry, sizeof(data->dentry),
_(&mnt->mnt_mountpoint));
data->mnt = parent;
probe_read(&data->vfsmnt, sizeof(data->vfsmnt),
_(&mnt->mnt));
data->vfsmnt = &parent->mnt;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, parent->mnt is not pointer but actual vfsmnt object embedded in mount struct,
so we can just take the address from parent.. but I think you still need to use _() to get CORE involved

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, i will fix it

@netlify Netlify
Copy link

netlify bot commented Jan 6, 2025

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit b32361f
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/677b42c18107ed0008525bb8
😎 Deploy Preview https://deploy-preview-3261--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@arthur-zhang arthur-zhang requested a review from olsajiri January 6, 2025 02:41
@kkourt kkourt self-requested a review January 6, 2025 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olsajiri olsajiri Awaiting requested review from olsajiri

@kkourt kkourt Awaiting requested review from kkourt

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@arthur-zhang @olsajiri