tracer: fix prefix matching

Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda · Feb 18, 2025 · 6c8f11b · 6c8f11b
1 parent c450292
commit 6c8f11b
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 24 deletions.
diff --git a/examples/profiles/docker-26.1.3.mod b/examples/profiles/docker-26.1.3.mod
@@ -67,7 +67,6 @@ require (
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	// gomodjail:unconfined
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect

diff --git a/pkg/profile/profile.go b/pkg/profile/profile.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log/slog"
 	"slices"
+	"strings"
 )
 
 type Policy = string
@@ -40,3 +41,23 @@ func (p *Profile) Validate() error {
 	}
 	return nil
 }
+
+type Confinment struct {
+	Module string
+	Policy Policy
+}
+
+func (p *Profile) Confined(sym string) *Confinment {
+	for module, policy := range p.Modules {
+		switch policy {
+		case PolicyConfined:
+			if sym == module || strings.HasPrefix(sym, module+"/") || strings.HasPrefix(sym, module+".") {
+				return &Confinment{
+					Module: module,
+					Policy: policy,
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/pkg/profile/profile_test.go b/pkg/profile/profile_test.go
@@ -0,0 +1,36 @@
+package profile
+
+import (
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestProfile(t *testing.T) {
+	prof := New()
+	prof.Modules["example.com/foo"] = PolicyConfined
+	prof.Modules["example.com/foobaz"] = PolicyConfined
+	assert.NilError(t, prof.Validate())
+	assert.DeepEqual(t, &Confinment{
+		Module: "example.com/foo",
+		Policy: PolicyConfined,
+	}, prof.Confined("example.com/foo"))
+	assert.DeepEqual(t, &Confinment{
+		Module: "example.com/foo",
+		Policy: PolicyConfined,
+	}, prof.Confined("example.com/foo/bar"))
+	assert.DeepEqual(t, &Confinment{
+		Module: "example.com/foo",
+		Policy: PolicyConfined,
+	}, prof.Confined("example.com/foo.fn"))
+	assert.DeepEqual(t, &Confinment{
+		Module: "example.com/foo",
+		Policy: PolicyConfined,
+	}, prof.Confined("example.com/foo/bar.fn"))
+	assert.Assert(t, prof.Confined("example.com/foobar.fn") == nil)
+	assert.DeepEqual(t, &Confinment{
+		Module: "example.com/foobaz",
+		Policy: PolicyConfined,
+	}, prof.Confined("example.com/foobaz.fn"))
+	assert.Assert(t, prof.Confined("example.com/baz.fn") == nil)
+}
diff --git a/pkg/tracer/tracer_darwin.go b/pkg/tracer/tracer_darwin.go
@@ -9,7 +9,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strings"
 
 	"github.com/AkihiroSuda/gomodjail/pkg/profile"
 )
@@ -117,17 +116,12 @@ func (tracer *tracer) handlerConn(c net.Conn) error {
 	}
 	slog.Debug("handling request", "req", req)
 
-	// TODO: consolidate OS-specific codes
 	allow := true
 	for _, e := range req.Stack {
-		for module, policy := range tracer.profile.Modules {
-			if policy == profile.PolicyConfined {
-				if strings.HasPrefix(e.Symbol, module) {
-					slog.Warn("***Blocked***", "pid", req.Pid, "exe", req.Exe, "syscall", req.Syscall, "entry", e, "module", module)
-					allow = false
-					break
-				}
-			}
+		if cf := tracer.profile.Confined(e.Symbol); cf != nil {
+			slog.Warn("***Blocked***", "pid", req.Pid, "exe", req.Exe, "syscall", req.Syscall, "entry", e, "module", cf.Module)
+			allow = false
+			break
 		}
 	}
 

diff --git a/pkg/tracer/tracer_linux.go b/pkg/tracer/tracer_linux.go
@@ -8,7 +8,6 @@ import (
 	"os"
 	"os/exec"
 	"runtime"
-	"strings"
 
 	"github.com/AkihiroSuda/gomodjail/pkg/procutil"
 	"github.com/AkihiroSuda/gomodjail/pkg/profile"
@@ -177,22 +176,16 @@ func (tracer *tracer) handleSyscall(pid int, regs *regs.Regs) error {
 	if err != nil {
 		return err
 	}
-	// TODO: consolidate OS-specific codes
 	slog.Debug("handler", "pid", pid, "exe", filename, "syscall", syscallName)
 	for i, e := range entries {
 		slog.Debug("stack", "entryNo", i, "entry", e.String())
 		pkgName := e.Func.Sym.PackageName()
-		// TODO: cache ap[packageName]moduleName table
-		for module, policy := range tracer.profile.Modules {
-			if policy == profile.PolicyConfined {
-				if strings.HasPrefix(pkgName, module) {
-					slog.Warn("***Blocked***", "pid", pid, "exe", filename, "syscall", syscallName, "entry", e.String(), "module", module)
-					ret := -1 * int(unix.EPERM)
-					regs.SetRet(uint64(ret))
-					regs.SetSyscall(unix.SYS_GETPID) // Only needed on amd64?
-					return nil
-				}
-			}
+		if cf := tracer.profile.Confined(pkgName); cf != nil {
+			slog.Warn("***Blocked***", "pid", pid, "exe", filename, "syscall", syscallName, "entry", e.String(), "module", cf.Module)
+			ret := -1 * int(unix.EPERM)
+			regs.SetRet(uint64(ret))
+			regs.SetSyscall(unix.SYS_GETPID) // Only needed on amd64?
+			return nil
 		}
 	}
 	return nil