refactor(libsinsp): rewrite concatenate_paths with std::filesystem

[LucaGuerra]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug
/kind cleanup

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area libsinsp

/area tests

Does this PR require a change in the driver versions?

No

What this PR does / why we need it:

This gets rid of a scary function that was operating on path strings by hand and is prone to breakage or (worse) memory error issues and replaces with a native C++ implementation.

@incertum I still have a failing test and I would like to be more certain of when we depend on specific behaviors in libs before I go through. Can you take a look? Thanks!

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[incertum]

@LucaGuerra thank you very much for starting this PR! Continued a bit.

openat* filtercheck was a quick fix.

Then there were issues with cwd that I could replicate locally:

libs/userspace/libsinsp/test/events_proc.ut.cpp:487: Failure
Expected equality of these values:
  get_field_as_string(evt, "proc.cwd")
    Which is: "/tmp/target-directory"
  "/tmp/target-directory/"

Seems to be fixed now as well at least on my fedora box.

EDIT: Re the previous unit test failures because of inconsistent handling of /: I researched a bit more https://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap04.html#tag_04_11 and eventually came to the conclusion that path1 is likely more well behaved as it should either be empty or cwd or sdir in our parsers. Only path2 is user / app supplied and can be wrong (in that case the open* syscall does not succeed of course). I updated the unit tests to reflect this. I hope they are now more realistic. @LucaGuerra mind checking again and do you have more thoughts? Btw this refactor is really good for the project as we outsource the difficult and error prone task of path concatenation and normalization.

[incertum]

Since we introduced std::filesystem for the newer fs.path.* I compared them:

• First this implementations' fd.name always matched the old implementation in my manual tests, so we shouldn't be changing semantics and instead the refactored version should now be more robust in odd edge cases and more memory safe since we observed some stack buffer underflows on real servers with the old implementation
• However, I noticed that fs.path.* can sometimes be wrong (best addressed in another PR)

When the path is relative, everything matches:

cat ..//app/build/../random/falco/

{"evt.res":"ENOENT","evt.type":"openat","fd.name":"/tmp/a/b/c/app/random/falco","fd.nameraw":"../app/build/../random/falco/","fs.path.name":"/tmp/a/b/c/app/random/falco/","fs.path.nameraw":"..//app/build/../random/falco/","proc.cwd":"/tmp/a/b/c/target-dir/"}

But there is a mismatch when the path is absolute:

cat /app/build/../../random/falco/
cat /app/build/../random/falco/

{"evt.res":"ENOENT","evt.type":"openat","fd.name":"/random/falco","fd.nameraw":"/app/build/../../random/falco/","fs.path.name":"/app/build/../../random/falco/","fs.path.nameraw":"/app/build/../../random/falco/","proc.cwd":"/tmp/a/b/c/target-dir/"}
{"evt.res":"ENOENT","evt.type":"openat","fd.name":"/app/random/falco","fd.nameraw":"/app/build/../random/falco/","fs.path.name":"/app/build/../random/falco/","fs.path.nameraw":"/app/build/../random/falco/","proc.cwd":"/tmp/a/b/c/target-dir/"}

CC @mstemm

[federico-sysdig]

Just a few comments. I'm not approving for the moment as I see it is WIP, but I don't see major issues.

[federico-sysdig]

No need for len.

Suggested change

	if(len == 0 || (tinfo->m_cwd[len - 1] != '/'))
	if(tinfo->m_cwd.empty() || tinfo->m_cwd.back() != '/'))

[incertum]

That's better, after you respond to above's comment I can rewind the last 2 commits.

[federico-sysdig]

Why concatenate when one item is an empty path? Is it because the function enforces a final slash? If so, wouldn't it be better to put the slash when the path is finally used for its purpose? I know this logic was already there, but it seems a lot of work to check the path at any point it is manipulated when it could be done only once at the final step. End of rant.

[incertum]

It also does the directory traversal if applicable. We wouldn't need this here? for this one perhaps let's do a 2 step, first get this one in, before risking breaking things and take the time to check more.

[federico-sysdig]

I was only curious. I understand this would be a larger change.

[incertum]

I think we can at least move it out of wip?

[incertum]

We still have an unrelated windows CI failure.

[incertum]

Fix falcosecurity/falco#2958

Additional note: @mstemm fs.path.* also doesn't do any sanitation in case we are interested in equalizing fd.name and fs.path.name in the future.

[LucaGuerra]

Thank you all for the reviews! I'm going through all comments and the Windows + shared libs failure to get this in a mergeable state :)

[LucaGuerra]

So the Windows failure is kind of expected, and it's a problem.

This is because we are hitting a problem that I did not consider earlier: STL will interpret paths in different ways depending on the platform. This is actually documented: https://en.cppreference.com/w/cpp/filesystem/path . The problem is that Windows has a concept of root-name that will be interpreted even if we are setting generic_format. For instance, //dirname/hello is split into //dirname as root-name and hello as the actual path. This instance will not bother us a lot, but imagine if a Windows-Falco is trying to interpret a perfectly valid unix relative path that starts with c:/, it will think that it's looking at an absolute path instead.

I think this is not acceptable in the current situation, so I thought about three solutions:

• Instead of using std::filesystem, use an OSS library that is easy to import and has a compatible license which does not present this problem
• Rewrite the C++ STL path normalization algorithm without the platform differences by hand
• Revert this change and leave the hand-rolled implementation (I would not like to do it)

I'm thinking about trying to find a simple library that can solve our issues without having to have a custom algorithm here.

[incertum]

So the Windows failure is kind of expected, and it's a problem.

This is because we are hitting a problem that I did not consider earlier: STL will interpret paths in different ways depending on the platform. This is actually documented: https://en.cppreference.com/w/cpp/filesystem/path . The problem is that Windows has a concept of root-name that will be interpreted even if we are setting generic_format. For instance, //dirname/hello is split into //dirname as root-name and hello as the actual path. This instance will not bother us a lot, but imagine if a Windows-Falco is trying to interpret a perfectly valid unix relative path that starts with c:/, it will think that it's looking at an absolute path instead.

I think this is not acceptable in the current situation, so I thought about three solutions:

* Instead of using `std::filesystem`, use an OSS library that is easy to import and has a compatible license which does not present this problem

* Rewrite the C++ STL path normalization algorithm without the platform differences by hand

* Revert this change and leave the hand-rolled implementation (I would not like to do it)

I'm thinking about trying to find a simple library that can solve our issues without having to have a custom algorithm here.

While I honor us supporting multi-platform for scap files and plugins, I don't think this should sacrifice the primary Linux syscalls monitoring, plus we already use std::filesystem for fs.path*. Instead add a workaround ifdef for windows I would say.

[LucaGuerra]

Since we are already using std::filesystem we can probably also implement a workaround for the edge cases we are thinking about. Not thrilled but I would rather use STL over third-party components.

[LucaGuerra]

@incertum @federico-sysdig I ended up implementing the workaround. All tests are passing including the corner cases we identified. It's not the best but it will do. Also, the fs.* function now points to this implementation since it was doing the same thing.

[incertum]

@incertum @federico-sysdig I ended up implementing the workaround. All tests are passing including the corner cases we identified. It's not the best but it will do. Also, the fs.* function now points to this implementation since it was doing the same thing.

Thanks a bunch @LucaGuerra LGTM! @federico-sysdig could we get another review pass from you, ty! 🙏

[federico-sysdig]

lgtm, just nits that can be read, understood, and ignored

[federico-sysdig]

Nit: the type name need not be repeated. Just noticed, but it can be left as it is.

		std::string cwd(evt->get_param(1)->as<std::string_view>());

[federico-sysdig]

Nit: Perhaps we can avoid repeating the type in this kind of definitions as it is already on the RHS. Just a thought for the future. Leave it as it is for the moment.

			auto name = parinfo->as<std::string_view>();

[poiana]

@federico-sysdig: changing LGTM is restricted to collaborators

In response to this:

lgtm, just nits that can be read, understood, and ignored

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[incertum]

Since I also contributed my

/approve

is on behalf of @federico-sysdig, thanks a bunch for your help!

[poiana]

LGTM label has been added.

Git tree hash: 0765025267b638a9aa0f633d3a07676a22268a64

[Andreagit97]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, federico-sysdig, incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment