feat: improve handling of path buffers

Since paths can be in non UTF-8 formats, we should strive to use types
that are able to handle this situation when possible. In the case of the
exe_path and filename fields that come from the kernel, handling has
been changed to treat them as binary blobs (same way the kernel d_path
function does) and the length is now being sent to userspace.

With this change, userspace is able to reconstruct a path in a fully
safe way from the path buffer, treating it as a slice and using the
first len - 1 (exclude the null terminator) bytes. This way we are able
to preserve the path all the way to the gRPC event, which requires UTF-8
compliant strings. In a future change we might want to change path
handling in our protobuffs to use byte blobs instead, but this will
probably also require an effort from front end to properly display the
data.

Author: Molter73

fact-ebpf/src/bpf/d_path.h

@@ -77,7 +77,7 @@ __always_inline static long __d_path(const struct path* path, char* buf, int buf
     dentry = parent;
   }
 
-  bpf_probe_read_str(buf, buflen, &helper->buf[offset]);
+  bpf_probe_read(buf, buflen - offset, &helper->buf[offset]);
   return buflen - offset;
 }
 

fact-ebpf/src/bpf/events.h

@@ -13,7 +13,7 @@
 
 __always_inline static void submit_event(struct metrics_by_hook_t* m,
                                          file_activity_type_t event_type,
-                                         const char filename[PATH_MAX],
+                                         struct bound_path_t* path,
                                          inode_key_t* inode,
                                          bool use_bpf_d_path) {
   struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
@@ -25,7 +25,8 @@ __always_inline static void submit_event(struct metrics_by_hook_t* m,
   event->type = event_type;
   event->timestamp = bpf_ktime_get_boot_ns();
   inode_copy_or_reset(&event->inode, inode);
-  bpf_probe_read_str(event->filename, PATH_MAX, filename);
+  bpf_probe_read(event->filename, path->len & (PATH_MAX - 1), path->path);
+  event->filename_len = path->len;
 
   struct helper_t* helper = get_helper();
   if (helper == NULL) {

fact-ebpf/src/bpf/main.c

@@ -56,7 +56,7 @@ int BPF_PROG(trace_file_open, struct file* file) {
       break;
   }
 
-  submit_event(&m->file_open, event_type, path->path, &inode_key, true);
+  submit_event(&m->file_open, event_type, path, &inode_key, true);
 
   return 0;
 
@@ -116,7 +116,7 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
 
   submit_event(&m->path_unlink,
                FILE_ACTIVITY_UNLINK,
-               path->path,
+               path,
                &inode_key,
                path_unlink_supports_bpf_d_path);
   return 0;

fact-ebpf/src/bpf/process.h

@@ -131,7 +131,7 @@ __always_inline static int64_t process_fill(process_t* p, bool use_bpf_d_path) {
     return -1;
   }
 
-  d_path(&task->mm->exe_file->f_path, p->exe_path, PATH_MAX, use_bpf_d_path);
+  p->exe_path_len = d_path(&task->mm->exe_file->f_path, p->exe_path, PATH_MAX, use_bpf_d_path);
 
   const char* cg = get_memory_cgroup(helper);
   if (cg != NULL) {

fact-ebpf/src/bpf/types.h

@@ -22,6 +22,7 @@ typedef struct process_t {
   char args[4096];
   unsigned int args_len;
   char exe_path[PATH_MAX];
+  short unsigned int exe_path_len;
   char memory_cgroup[PATH_MAX];
   unsigned int uid;
   unsigned int gid;
@@ -53,6 +54,7 @@ struct event_t {
   unsigned long timestamp;
   process_t process;
   char filename[PATH_MAX];
+  short unsigned int filename_len;
   inode_key_t inode;
   file_activity_type_t type;
 };

fact/src/event/mod.rs

@@ -1,16 +1,28 @@
 #[cfg(test)]
 use std::time::{SystemTime, UNIX_EPOCH};
-use std::{ffi::CStr, os::raw::c_char, path::PathBuf};
+use std::{
+    ffi::{CStr, OsString},
+    os::{raw::c_char, unix::ffi::OsStringExt},
+    path::PathBuf,
+};
 
 use serde::Serialize;
 
-use fact_ebpf::{event_t, file_activity_type_t, inode_key_t, PATH_MAX};
+use fact_ebpf::{event_t, file_activity_type_t, inode_key_t};
 
 use crate::host_info;
 use process::Process;
 
 pub(crate) mod process;
 
+fn slice_to_pathbuf(s: &[c_char]) -> PathBuf {
+    #[cfg(target_arch = "x86_64")]
+    let v = s.iter().map(|c| *c as u8).collect::<Vec<u8>>();
+    #[cfg(not(target_arch = "x86_64"))]
+    let v = s.to_vec();
+    OsString::from_vec(v).into()
+}
+
 fn slice_to_string(s: &[c_char]) -> anyhow::Result<String> {
     Ok(unsafe { CStr::from_ptr(s.as_ptr()) }.to_str()?.to_owned())
 }
@@ -85,7 +97,9 @@ impl TryFrom<&event_t> for Event {
     fn try_from(value: &event_t) -> Result<Self, Self::Error> {
         let process = Process::try_from(value.process)?;
         let timestamp = host_info::get_boot_time() + value.timestamp;
-        let file = FileData::new(value.type_, value.filename, value.inode)?;
+        let filename_len = value.filename_len as usize;
+        let (filename, _) = value.filename.as_slice().split_at(filename_len - 1);
+        let file = FileData::new(value.type_, filename, value.inode)?;
 
         Ok(Event {
             timestamp,
@@ -128,7 +142,7 @@ pub enum FileData {
 impl FileData {
     pub fn new(
         event_type: file_activity_type_t,
-        filename: [c_char; PATH_MAX as usize],
+        filename: &[c_char],
         inode: inode_key_t,
     ) -> anyhow::Result<Self> {
         let inner = BaseFileData::new(filename, inode)?;
@@ -185,8 +199,8 @@ pub struct BaseFileData {
 }
 
 impl BaseFileData {
-    pub fn new(filename: [c_char; PATH_MAX as usize], inode: inode_key_t) -> anyhow::Result<Self> {
-        let filename = slice_to_string(&filename)?.into();
+    pub fn new(filename: &[c_char], inode: inode_key_t) -> anyhow::Result<Self> {
+        let filename = slice_to_pathbuf(filename);
 
         Ok(BaseFileData {
             filename,

fact/src/event/process.rs

@@ -1,12 +1,12 @@
-use std::ffi::CStr;
+use std::{ffi::CStr, path::PathBuf};
 
 use fact_ebpf::{lineage_t, process_t};
 use serde::Serialize;
 use uuid::Uuid;
 
 use crate::host_info;
 
-use super::slice_to_string;
+use super::{slice_to_pathbuf, slice_to_string};
 
 #[derive(Debug, Clone, Default, Serialize)]
 pub struct Lineage {
@@ -48,7 +48,7 @@ impl From<Lineage> for fact_api::process_signal::LineageInfo {
 pub struct Process {
     comm: String,
     args: Vec<String>,
-    exe_path: String,
+    exe_path: PathBuf,
     container_id: Option<String>,
     uid: u32,
     username: &'static str,
@@ -66,11 +66,7 @@ impl Process {
     pub fn current() -> Self {
         use crate::host_info::{get_host_mount_ns, get_mount_ns};
 
-        let exe_path = std::env::current_exe()
-            .expect("Failed to get current exe")
-            .into_os_string()
-            .into_string()
-            .unwrap();
+        let exe_path = std::env::current_exe().expect("Failed to get current exe");
         let args = std::env::args().collect::<Vec<_>>();
         let cgroup = std::fs::read_to_string("/proc/self/cgroup").expect("Failed to read cgroup");
         let container_id = Process::extract_container_id(&cgroup);
@@ -142,7 +138,9 @@ impl TryFrom<process_t> for Process {
 
     fn try_from(value: process_t) -> Result<Self, Self::Error> {
         let comm = slice_to_string(value.comm.as_slice())?;
-        let exe_path = slice_to_string(value.exe_path.as_slice())?;
+        let exe_path_len = value.exe_path_len as usize;
+        let (exe_path, _) = value.exe_path.as_slice().split_at(exe_path_len - 1);
+        let exe_path = slice_to_pathbuf(exe_path);
         let memory_cgroup = unsafe { CStr::from_ptr(value.memory_cgroup.as_ptr()) }.to_str()?;
         let container_id = Process::extract_container_id(memory_cgroup);
         let in_root_mount_ns = value.in_root_mount_ns != 0;
@@ -213,7 +211,7 @@ impl From<Process> for fact_api::ProcessSignal {
             creation_time: None,
             name: comm,
             args,
-            exec_file_path: exe_path,
+            exec_file_path: exe_path.to_string_lossy().into_owned(),
             pid,
             uid,
             gid,