Removed prefix in overlayfs mounts

DataDog · Oct 11, 2024 · b7806b1 · b7806b1
1 parent 8802a20
commit b7806b1
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/pkg/util/containerd/containerd_util.go b/pkg/util/containerd/containerd_util.go
@@ -18,7 +18,6 @@ import (
 
 	"github.com/opencontainers/image-spec/identity"
 
-	"github.com/DataDog/datadog-agent/pkg/config/env"
 	pkgconfigsetup "github.com/DataDog/datadog-agent/pkg/config/setup"
 	dderrors "github.com/DataDog/datadog-agent/pkg/errors"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
@@ -453,15 +452,25 @@ func (c *ContainerdUtil) getMounts(ctx context.Context, expiration time.Duration
 		return nil, nil, fmt.Errorf("No snapshots returned for image: %s", imageID)
 	}
 
-	// Transforming mounts in case we're running in a container
-	if env.IsContainerized() {
-		for i := range mounts {
-			mounts[i].Source = strings.ReplaceAll(mounts[i].Source, "/var/lib", "/host/var/lib")
-			for j := range mounts[i].Options {
-				mounts[i].Options[j] = strings.ReplaceAll(mounts[i].Options[j], "/var/lib", "/host/var/lib")
+	for i := range mounts {
+		mounts[i].Source = sanitizePath(mounts[i].Source)
+
+		for j, opt := range mounts[i].Options {
+			for _, prefix := range []string{"upperdir=", "lowerdir=", "workdir="} {
+				if strings.HasPrefix(opt, prefix) {
+					trimmedOpt := strings.TrimPrefix(opt, prefix)
+					dirs := strings.Split(trimmedOpt, ":")
+					for n, dir := range dirs {
+						dirs[n] = sanitizePath(dir)
+					}
+					mounts[i].Options[j] = prefix + strings.Join(dirs, ":")
+				}
 			}
+
+			log.Debugf("Sanitized overlayfs mount options to %s", strings.Join(mounts[i].Options, ","))
 		}
 	}
+
 	return mounts, func(ctx context.Context) error {
 		ctx = namespaces.WithNamespace(ctx, namespace)
 		if err := cleanSnapshot(ctx); err != nil {
@@ -474,6 +483,14 @@ func (c *ContainerdUtil) getMounts(ctx context.Context, expiration time.Duration
 	}, nil
 }
 
+func sanitizePath(path string) string {
+	if index := strings.Index(path, "/var/lib"); index != -1 {
+		return "/host" + path[index:]
+	}
+
+	return path
+}
+
 // Mounts returns the mounts for an image
 func (c *ContainerdUtil) Mounts(ctx context.Context, expiration time.Duration, namespace string, img containerd.Image) ([]mount.Mount, error) {
 	mounts, clean, err := c.getMounts(ctx, expiration, namespace, img)

diff --git a/pkg/util/trivy/trivy.go b/pkg/util/trivy/trivy.go
@@ -318,6 +318,7 @@ func (c *Collector) ScanContainerdImageFromSnapshotter(ctx context.Context, imgM
 	if err != nil {
 		return nil, fmt.Errorf("unable to get mounts for image %s, err: %w", imgMeta.ID, err)
 	}
+
 	layers := extractLayersFromOverlayFSMounts(mounts)
 	if len(layers) == 0 {
 		return nil, fmt.Errorf("unable to extract layers from overlayfs mounts %+v for image %s", mounts, imgMeta.ID)