Merge pull request bytedance#539 from bytedance/fix-rasp-mount

fix mount when process not in container and feat JVM version check
Hackerl · Sep 26, 2023 · c0504eb · c0504eb
2 parents 24e93a5 + 71ab887
commit c0504eb
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 10 deletions.
diff --git a/rasp/Makefile b/rasp/Makefile
@@ -422,7 +422,7 @@ else
 	cp util-linux/nsenter $(OUTPUT)/nsenter
 endif
 
-	cp NSMount/bin/NSMount $(LIB_OUTPUT)/NSMount
+	cp NSMount/bin/NSMount $(OUTPUT)/NSMount
 	cp pangolin/bin/pangolin $(LIB_OUTPUT)/pangolin
 
 	cp jvm/JVMProbe/output/SmithAgent.jar $(LIB_OUTPUT)/java/SmithAgent.jar

diff --git a/rasp/librasp/src/comm.rs b/rasp/librasp/src/comm.rs
@@ -190,6 +190,26 @@ impl RASPComm for ThreadMode {
         _probe_report_sender: Sender<plugins::Record>,
         _patch_filed: HashMap<&'static str, String>,
     ) -> AnyhowResult<()> {
+        match check_need_mount(_mnt_namespace) {
+            Ok(same_ns) => {
+                if same_ns{
+                    self.using_mount = false;
+                    info!(
+                        "process {} namespace as same as root, so no need to mount, using_mount : {}", pid, self.using_mount
+                    );
+                } else {
+                    self.using_mount = true;
+                    info!(
+                        "process {} namespace are not same as root, so need to mount", pid
+                    );
+                }
+            }
+            Err(e) => {
+                warn!(
+                    "check_need_mount failed, {}", e
+                );
+            }
+        }
         if self.using_mount {
             if let Some(bind_dir) = std::path::Path::new(&self.bind_path.clone()).parent() {
                 let bind_dir_str = bind_dir.to_str().unwrap();
@@ -273,6 +293,15 @@ fn mount(pid: i32, from: &str, to: &str) -> AnyhowResult<()> {
     };
 }
 
+fn check_need_mount(pid_mntns: &String) -> AnyhowResult<bool> {
+    let root_mnt = std::fs::read_link("/proc/1/ns/mnt")?;
+    debug!(
+        "pid namespace && root namespace : {} && {}",
+        pid_mntns, root_mnt.display()
+    );
+    Ok(&root_mnt.display().to_string() == pid_mntns)
+}
+
 pub struct EbpfMode {
     pub ctrl: Control,
     pub kernel_version: procfs::sys::kernel::Version,

diff --git a/rasp/librasp/src/runtime.rs b/rasp/librasp/src/runtime.rs
@@ -63,15 +63,31 @@ pub trait RuntimeInspect {
                     return Err(anyhow!("jvm filter deserialize failed: {}", e));
                 }
             };
-        if let Ok(jvm) = jvm_process_filter.match_exe(&process_exe_file) {
-            if jvm {
-                let version = vm_version(process_info.pid)?;
-                let version_string = version.to_string();
-                return Ok(Some(Runtime {
-                    name: "JVM",
-                    version: version_string,
-                }));
-            }
+        let jvm_process_filter_check_reuslt =
+            match jvm_process_filter.match_exe(&process_exe_file) {
+                Ok(o) => o,
+                Err(_) => false,
+            };
+
+        if  jvm_process_filter_check_reuslt {
+            let version = match vm_version(process_info.pid) {
+                Ok(ver) => {
+                    if ver < 8 {
+                        let msg = format!("process {}, Java version lower than 8: {}, so not inject",process_info.pid, ver);
+                        warn!("Java version lower than 8: {}, so not inject", ver);
+                        return Err(anyhow!(msg));
+                    }
+                    ver.to_string()
+                }
+                Err(e) => {
+                    warn!("read jvm version failed: {}", e);
+                    String::new()
+                }
+            };
+            return Ok(Some(Runtime {
+                name: "JVM",
+                version: version,
+            }));
         }
         let cpython_process_filter: RuntimeFilter =
             match serde_json::from_str(DEFAULT_CPYTHON_FILTER_JSON_STR) {