[CWS] Enforce tty name (#11053)

* Enforce tty name * [CWS] Add null check around tty collection Co-authored-by: Paul Cacheux <paul.cacheux@datadoghq.com>
DataDog · Feb 24, 2022 · ab37447 · ab37447
1 parent 64f9c30
commit ab37447
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/pkg/security/ebpf/c/exec.h b/pkg/security/ebpf/c/exec.h
@@ -530,7 +530,9 @@ int kprobe_exit_itimers(struct pt_regs *ctx) {
 
         struct tty_struct *tty;
         bpf_probe_read(&tty, sizeof(tty), (char *)signal + tty_offset);
-        bpf_probe_read_str(entry->tty_name, TTY_NAME_LEN, (char *)tty + tty_name_offset);
+        if (tty) {
+            bpf_probe_read_str(entry->tty_name, TTY_NAME_LEN, (char *)tty + tty_name_offset);
+        }
     }
 
     return 0;

diff --git a/pkg/security/secl/model/unmarshallers.go b/pkg/security/secl/model/unmarshallers.go
@@ -7,6 +7,7 @@ package model
 
 import (
 	"fmt"
+	"strings"
 	"time"
 	"unsafe"
 )
@@ -129,6 +130,11 @@ func unmarshalTime(data []byte) time.Time {
 	return time.Time{}
 }
 
+// isValidTTYName uses a naive assumption as other tty driver may create tty with other prefix
+func isValidTTYName(ttyName string) bool {
+	return IsPrintableASCII(ttyName) && (strings.HasPrefix(ttyName, "tty") || strings.HasPrefix(ttyName, "pts"))
+}
+
 // UnmarshalBinary unmarshalls a binary representation of itself
 func (e *Process) UnmarshalBinary(data []byte) (int, error) {
 	// Unmarshal proc_cache_t
@@ -150,7 +156,7 @@ func (e *Process) UnmarshalBinary(data []byte) (int, error) {
 	if err != nil {
 		return 0, err
 	}
-	if IsPrintableASCII(ttyName) {
+	if isValidTTYName(ttyName) {
 		e.TTYName = ttyName
 	}
 	read += 64