bpf: Stop hashing strings, use container ID as string

Signed-off-by: Michal Rostecki <[email protected]>

Author: vadorovsky

lockc/src/bpf/limits.h

@@ -7,6 +7,9 @@
  */
 #define PID_MAX_LIMIT 4194304
 
+/* Container ID limit. */
+#define CONTAINER_ID_LIMIT 64
+
 /* Our arbitrary path length limit. */
 #define PATH_LEN 64
 #define PATH_MAX_LIMIT 128

lockc/src/bpf/lockc.bpf.c

@@ -55,14 +55,15 @@ static __always_inline int handle_new_process(struct task_struct *parent,
 	bpf_printk("found parent containerized process: %d\n", ppid);
 	bpf_printk("comm: %s\n", BPF_CORE_READ(child, comm));
 
-	u32 container_id = parent_lookup->container_id;
-	u32 *container_lookup = bpf_map_lookup_elem(&containers, &container_id);
+	struct container_id container_id = parent_lookup->container_id;
+	struct container *container_lookup =
+		bpf_map_lookup_elem(&containers, &container_id);
 	if (!container_lookup) {
 		/* Shouldn't happen */
 		bpf_printk("error: handle_new_process: cound not find a "
 			   "container for a registered process %d, "
-			   "container id: %d\n",
-			   pid, container_id);
+			   "container id: %s\n",
+			   pid, container_id.id);
 		return -EPERM;
 	}
 

lockc/src/bpf/map_structs.h

@@ -4,12 +4,16 @@
 #include "limits.h"
 #include "policy.h"
 
+struct container_id {
+	unsigned char id[CONTAINER_ID_LIMIT];
+};
+
 struct container {
 	enum container_policy_level policy_level;
 };
 
 struct process {
-	unsigned int container_id;
+	struct container_id container_id;
 };
 
 struct accessed_path {

lockc/src/bpf/maps.h

@@ -11,7 +11,7 @@
 struct bpf_map_def SEC("maps/containers") containers = {
 	.type = BPF_MAP_TYPE_HASH,
 	.max_entries = PID_MAX_LIMIT,
-	.key_size = sizeof(u32),
+	.key_size = sizeof(struct container_id),
 	.value_size = sizeof(struct container),
 };