fix(plugins/container): redefine port binding port and IP as integers

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

Author: ekoops

plugins/container/CMakeLists.txt

@@ -9,7 +9,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
 # project metadata
 project(
         container
-        VERSION 0.2.4
+        VERSION 0.2.5
         DESCRIPTION "Falco container metadata enrichment Plugin"
         LANGUAGES CXX)
 

plugins/container/go-worker/pkg/container/docker.go

@@ -2,15 +2,19 @@ package container
 
 import (
 	"context"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/events"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/client"
 	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/config"
 	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
+	"net/netip"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -102,7 +106,7 @@ func parseHealthcheckProbe(hcheck *container.HealthConfig) *event.Probe {
 	return &p
 }
 
-func (dc *dockerEngine) ctrToInfo(ctx context.Context, ctr types.ContainerJSON) event.Info {
+func (dc *dockerEngine) ctrToInfo(ctx context.Context, ctr types.ContainerJSON) (*event.Info, error) {
 	hostCfg := ctr.HostConfig
 	if hostCfg == nil {
 		hostCfg = &container.HostConfig{
@@ -139,9 +143,29 @@ func (dc *dockerEngine) ctrToInfo(ctx context.Context, ctr types.ContainerJSON)
 		}
 		containerPort := port.Int()
 		for _, portBinding := range portBindings {
+			rawHostIP, rawHostPort := portBinding.HostIP, portBinding.HostPort
+			// Parse IP address to uint32.
+			addr, err := netip.ParseAddr(rawHostIP)
+			if err != nil {
+				return nil, fmt.Errorf("error parsing port binding's host IP %s as address: %w", rawHostIP, err)
+			}
+			if addr.Is6() {
+				// TODO(ekoops): handle IPv6 addresses.
+				continue
+			}
+			ipv4Addr := addr.As4()
+			hostIP := binary.BigEndian.Uint32(ipv4Addr[:])
+
+			// Parse port as uint16.
+			hostPort, err := strconv.ParseUint(rawHostPort, 10, 16)
+			if err != nil {
+				return nil, fmt.Errorf("error converting port binding's port %s into 16-bit unsigned integer: %w",
+					rawHostPort, err)
+			}
+
 			portMappings = append(portMappings, event.PortMapping{
-				HostIp:        portBinding.HostIP,
-				HostPort:      portBinding.HostPort,
+				HostIP:        hostIP,
+				HostPort:      (uint16)(hostPort),
 				ContainerPort: containerPort,
 			})
 		}
@@ -259,7 +283,7 @@ func (dc *dockerEngine) ctrToInfo(ctx context.Context, ctr types.ContainerJSON)
 		size = *ctr.SizeRw
 	}
 
-	return event.Info{
+	return &event.Info{
 		Container: event.Container{
 			Type:             typeDocker.ToCTValue(),
 			ID:               shortContainerID(ctr.ID),
@@ -293,17 +317,23 @@ func (dc *dockerEngine) ctrToInfo(ctx context.Context, ctr types.ContainerJSON)
 			ReadinessProbe:   readinessProbe,
 			HealthcheckProbe: healthcheckProbe,
 		},
-	}
+	}, nil
 }
 
 func (dc *dockerEngine) get(ctx context.Context, containerId string) (*event.Event, error) {
 	ctrJson, _, err := dc.ContainerInspectWithRaw(ctx, containerId, config.GetWithSize())
 	if err != nil {
 		return nil, err
 	}
+
+	info, err := dc.ctrToInfo(ctx, ctrJson)
+	if err != nil {
+		return nil, fmt.Errorf("error converting container to info: %w", err)
+	}
+
 	return &event.Event{
+		Info:     *info,
 		IsCreate: true,
-		Info:     dc.ctrToInfo(ctx, ctrJson),
 	}, nil
 }
 
@@ -340,9 +370,14 @@ func (dc *dockerEngine) List(ctx context.Context) ([]event.Event, error) {
 				IsCreate: true,
 			}
 		}
+		info, err := dc.ctrToInfo(ctx, ctrJson)
+		if err != nil {
+			return nil, fmt.Errorf("error converting container %s (index %d) to info: %w", ctr.ID, idx, err)
+		}
+
 		evts[idx] = event.Event{
+			Info:     *info,
 			IsCreate: true,
-			Info:     dc.ctrToInfo(ctx, ctrJson),
 		}
 	}
 	return evts, nil
@@ -379,17 +414,20 @@ func (dc *dockerEngine) Listen(ctx context.Context, wg *sync.WaitGroup) (<-chan
 				case events.ActionCreate, events.ActionStart:
 					ctrJson, _, err = dc.ContainerInspectWithRaw(ctx, msg.Actor.ID, config.GetWithSize())
 					if err == nil {
-						outCh <- event.Event{
-							Info:     dc.ctrToInfo(ctx, ctrJson),
-							IsCreate: true,
+						var info *event.Info
+						if info, err = dc.ctrToInfo(ctx, ctrJson); err == nil {
+							outCh <- event.Event{
+								Info:     *info,
+								IsCreate: true,
+							}
 						}
 					}
 				case events.ActionDestroy:
 					err = errors.New("inspect useless on action destroy")
 				}
 
 				// This is called for ActionDestroy
-				// AND as a fallback whenever ContainerInspectWithRaw fails.
+				// AND as a fallback whenever ContainerInspectWithRaw or dockerEngine.ctrToInfo fail.
 				if err != nil {
 					// At least send an event with the minimum set of data
 					outCh <- event.Event{

plugins/container/go-worker/pkg/container/podman.go

@@ -4,8 +4,10 @@ package container
 
 import (
 	"context"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"github.com/containers/podman/v5/libpod/define"
 	"github.com/containers/podman/v5/pkg/bindings"
 	"github.com/containers/podman/v5/pkg/bindings/containers"
@@ -15,6 +17,7 @@ import (
 	"github.com/docker/docker/api/types/events"
 	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/config"
 	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
@@ -41,7 +44,7 @@ func (pc *podmanEngine) copy(ctx context.Context) (Engine, error) {
 	return newPodmanEngine(ctx, pc.socket)
 }
 
-func (pc *podmanEngine) ctrToInfo(ctr *define.InspectContainerData) event.Info {
+func (pc *podmanEngine) ctrToInfo(ctr *define.InspectContainerData) (*event.Info, error) {
 	cfg := ctr.Config
 	if cfg == nil {
 		cfg = &define.InspectContainerConfig{}
@@ -80,9 +83,30 @@ func (pc *podmanEngine) ctrToInfo(ctr *define.InspectContainerData) event.Info {
 			continue
 		}
 		for _, portBinding := range portBindings {
+			rawHostIP, rawHostPort := portBinding.HostIP, portBinding.HostPort
+
+			// Parse IP address to uint32.
+			addr, err := netip.ParseAddr(rawHostIP)
+			if err != nil {
+				return nil, fmt.Errorf("error parsing port binding's host IP %s as address: %w", rawHostIP, err)
+			}
+			if addr.Is6() {
+				// TODO(ekoops): handle IPv6 addresses.
+				continue
+			}
+			ipv4Addr := addr.As4()
+			hostIP := binary.BigEndian.Uint32(ipv4Addr[:])
+
+			// Parse port as uint16.
+			hostPort, err := strconv.ParseUint(rawHostPort, 10, 16)
+			if err != nil {
+				return nil, fmt.Errorf("error converting port binding's port %s into 16-bit unsigned integer: %w",
+					rawHostPort, err)
+			}
+
 			portMappings = append(portMappings, event.PortMapping{
-				HostIp:        portBinding.HostIP,
-				HostPort:      portBinding.HostPort,
+				HostIP:        hostIP,
+				HostPort:      (uint16)(hostPort),
 				ContainerPort: containerPort,
 			})
 		}
@@ -149,7 +173,7 @@ func (pc *podmanEngine) ctrToInfo(ctr *define.InspectContainerData) event.Info {
 		size = *ctr.SizeRw
 	}
 
-	return event.Info{
+	return &event.Info{
 		Container: event.Container{
 			Type:             typePodman.ToCTValue(),
 			ID:               shortContainerID(ctr.ID),
@@ -183,7 +207,7 @@ func (pc *podmanEngine) ctrToInfo(ctr *define.InspectContainerData) event.Info {
 			ReadinessProbe:   readinessProbe,
 			HealthcheckProbe: healthcheckProbe,
 		},
-	}
+	}, nil
 }
 
 func (pc *podmanEngine) get(_ context.Context, containerId string) (*event.Event, error) {
@@ -192,8 +216,14 @@ func (pc *podmanEngine) get(_ context.Context, containerId string) (*event.Event
 	if err != nil {
 		return nil, err
 	}
+
+	info, err := pc.ctrToInfo(ctrInfo)
+	if err != nil {
+		return nil, fmt.Errorf("error converting container to info: %w", err)
+	}
+
 	return &event.Event{
-		Info:     pc.ctrToInfo(ctrInfo),
+		Info:     *info,
 		IsCreate: true,
 	}, nil
 }
@@ -214,7 +244,7 @@ func (pc *podmanEngine) List(_ context.Context) ([]event.Event, error) {
 	if err != nil {
 		return nil, err
 	}
-	for _, c := range cList {
+	for idx, c := range cList {
 		ctrInfo, err := containers.Inspect(pc.pCtx, c.ID, &containers.InspectOptions{Size: &size})
 		if err != nil {
 			evts = append(evts, event.Event{
@@ -231,8 +261,13 @@ func (pc *podmanEngine) List(_ context.Context) ([]event.Event, error) {
 				IsCreate: true,
 			})
 		} else {
+			info, err := pc.ctrToInfo(ctrInfo)
+			if err != nil {
+				return nil, fmt.Errorf("error converting container %s (index %d) to info: %w", ctrInfo.ID, idx, err)
+			}
+
 			evts = append(evts, event.Event{
-				Info:     pc.ctrToInfo(ctrInfo),
+				Info:     *info,
 				IsCreate: true,
 			})
 		}
@@ -290,17 +325,20 @@ func (pc *podmanEngine) Listen(ctx context.Context, wg *sync.WaitGroup) (<-chan
 				case events.ActionCreate, events.ActionStart:
 					ctr, err = containers.Inspect(pc.pCtx, ev.Actor.ID, &containers.InspectOptions{Size: &size})
 					if err == nil {
-						outCh <- event.Event{
-							Info:     pc.ctrToInfo(ctr),
-							IsCreate: true,
+						var info *event.Info
+						if info, err = pc.ctrToInfo(ctr); err == nil {
+							outCh <- event.Event{
+								Info:     *info,
+								IsCreate: true,
+							}
 						}
 					}
 				case events.ActionRemove:
 					err = errors.New("inspect useless on action destroy")
 				}
 
 				// This is called for ActionRemove
-				// AND as a fallback whenever Inspect fails.
+				// AND as a fallback whenever Inspect or podmanEngine.ctrToInfo fail.
 				if err != nil {
 					// At least send an event with the minimal set of data
 					outCh <- event.Event{

plugins/container/go-worker/pkg/event/event.go

@@ -3,8 +3,8 @@ package event
 import "encoding/json"
 
 type PortMapping struct {
-	HostIp        string `json:"HostIp"`
-	HostPort      string `json:"HostPort"`
+	HostIP        uint32 `json:"HostIp"`
+	HostPort      uint16 `json:"HostPort"`
 	ContainerPort int    `json:"ContainerPort"`
 }