intercept: preload is more roboust against environment changes

Author: rizsotto

Cargo.lock

@@ -2,7 +2,7 @@
 
 use std::collections::HashSet;
 
-pub const KEY_DESTINATION: &str = "INTERCEPT_COLLECTOR_ADDRESS";
+pub const KEY_INTERCEPT_STATE: &str = "BEAR_INTERCEPT";
 
 // man page for `ld.so` (Linux dynamic linker/loader)
 pub const KEY_OS__PRELOAD_PATH: &str = "LD_PRELOAD";
@@ -105,7 +105,7 @@ static GCC_INCLUDE_KEYS: std::sync::LazyLock<HashSet<&'static str>> = std::sync:
 });
 
 pub fn relevant_env(key: &str) -> bool {
-    matches!(key, KEY_DESTINATION | KEY_OS__PRELOAD_PATH | KEY_OS__MACOS_PRELOAD_PATH | KEY_OS__MACOS_FLAT_NAMESPACE)
+    matches!(key, KEY_INTERCEPT_STATE | KEY_OS__PRELOAD_PATH | KEY_OS__MACOS_PRELOAD_PATH | KEY_OS__MACOS_FLAT_NAMESPACE)
         || MAKE_PROGRAM_KEYS.contains(key)
         || MAKE_FLAGS_KEYS.contains(key)
         || CARGO_PROGRAM_KEYS.contains(key)

bear/src/environment.rs

@@ -2,7 +2,7 @@
 
 #[cfg(not(target_os = "macos"))]
 use crate::environment::KEY_OS__PRELOAD_PATH;
-use crate::environment::{KEY_DESTINATION, KEY_OS__PATH};
+use crate::environment::{KEY_INTERCEPT_STATE, KEY_OS__PATH};
 #[cfg(target_os = "macos")]
 use crate::environment::{KEY_OS__MACOS_FLAT_NAMESPACE, KEY_OS__MACOS_PRELOAD_PATH};
 use crate::intercept::supervise;
@@ -20,6 +20,42 @@ use thiserror::Error;
 
 use crate::intercept::wrapper::{WrapperDirectory, WrapperDirectoryBuilder, WrapperDirectoryError};
 
+/// Represents the state information needed for preload-based interception.
+///
+/// This struct is serialized to JSON and passed to the preloaded library via
+/// an environment variable. It contains all the information the library needs
+/// to report execution events back to the Bear process.
+#[derive(Clone, Debug, Eq, PartialEq, serde::Deserialize, serde::Serialize)]
+pub struct PreloadState {
+    /// The socket address where execution events should be reported
+    pub destination: SocketAddr,
+    /// The path to the preload library itself
+    pub library: PathBuf,
+}
+
+impl TryInto<String> for PreloadState {
+    type Error = serde_json::Error;
+
+    fn try_into(self) -> Result<String, Self::Error> {
+        serde_json::to_string(&self)
+    }
+}
+impl TryFrom<&str> for PreloadState {
+    type Error = serde_json::Error;
+
+    fn try_from(value: &str) -> Result<Self, Self::Error> {
+        serde_json::from_str(value)
+    }
+}
+
+impl TryFrom<String> for PreloadState {
+    type Error = serde_json::Error;
+
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        serde_json::from_str(&value)
+    }
+}
+
 /// Manages the environment setup for intercepting build commands during compilation.
 ///
 /// `BuildEnvironment` is responsible for configuring the execution environment to enable
@@ -248,7 +284,11 @@ impl BuildEnvironment {
             environment_overrides.insert(KEY_OS__PRELOAD_PATH.to_string(), preload_updated);
         }
 
-        environment_overrides.insert(KEY_DESTINATION.to_string(), address.to_string());
+        // Make the current state available as a single environment variable
+        let state: String = PreloadState { destination: address, library: path.to_path_buf() }
+            .try_into()
+            .map_err(|_| ConfigurationError::PathNotFound)?;
+        environment_overrides.insert(KEY_INTERCEPT_STATE.to_string(), state);
 
         Ok(Self { environment_overrides, _wrapper_directory: None })
     }
@@ -331,7 +371,7 @@ pub enum ConfigurationError {
 /// - If `first` already exists in `original`, it's moved to the front
 /// - If `first` doesn't exist, it's prepended to the existing paths
 /// - Uses platform-appropriate path separators and handles path encoding
-fn insert_to_path<P: AsRef<Path>>(original: &str, first: P) -> Result<String, JoinPathsError> {
+pub fn insert_to_path<P: AsRef<Path>>(original: &str, first: P) -> Result<String, JoinPathsError> {
     let first_path = first.as_ref();
 
     if original.is_empty() {
@@ -519,7 +559,10 @@ mod test {
         };
 
         // Check that destination is set
-        assert_eq!(sut.environment_overrides.get(KEY_DESTINATION), Some(&"127.0.0.1:8080".to_string()));
+        assert_eq!(
+            sut.environment_overrides.get(KEY_INTERCEPT_STATE),
+            Some(&r#"{"destination":"127.0.0.1:8080","library":"/usr/local/lib/libexec.so"}"#.to_string())
+        );
 
         // Check platform-specific preload configuration
         #[cfg(target_os = "macos")]

bear/src/intercept/environment.rs

@@ -10,16 +10,9 @@
 //! - Defining the `Reporter` trait for sending events.
 //! - Providing error types for initialization and reporting.
 //! - Implementing a factory to create TCP-based reporters.
-//!
-//! # Usage
-//!
-//! Use `ReporterFactory::create()` to instantiate a reporter with a socket address, or
-//! `ReporterFactory::create_as_ptr()` to obtain a raw pointer suitable for static/global usage.
-//! The reporter sends events to a remote collector at the specified address.
 
 use crate::intercept::{Event, tcp};
 use std::net::SocketAddr;
-use std::sync::atomic::AtomicPtr;
 use thiserror::Error;
 
 /// Trait for reporting intercepted events to a remote collector.
@@ -47,36 +40,7 @@ impl ReporterFactory {
     /// Creates a new TCP-based reporter using the destination from the environment.
     ///
     /// The created reporter is not connected yet; it only stores the destination address.
-    pub fn create(address: SocketAddr) -> impl Reporter {
+    pub fn create(address: SocketAddr) -> tcp::ReporterOnTcp {
         tcp::ReporterOnTcp::new(address)
     }
-
-    /// Creates a new reporter and returns it as an atomic pointer.
-    ///
-    /// This is useful for static/global usage where a stable pointer is required
-    /// for the program's lifetime.
-    ///
-    /// # Safety
-    ///
-    /// The caller is responsible for ensuring the returned pointer is not used after
-    /// the program terminates. The memory will be leaked intentionally to provide a
-    /// stable pointer for the lifetime of the program.
-    ///
-    /// Returns a null pointer if reporter creation fails. Caller must check for null
-    /// before dereferencing.
-    pub fn create_as_ptr(address_str: &str) -> AtomicPtr<tcp::ReporterOnTcp> {
-        match address_str.parse::<SocketAddr>() {
-            Ok(address) => {
-                // Leak the reporter to get a stable pointer for the lifetime of the program
-                let boxed_reporter = Box::new(tcp::ReporterOnTcp::new(address));
-                let ptr = Box::into_raw(boxed_reporter);
-
-                AtomicPtr::new(ptr)
-            }
-            Err(err) => {
-                log::warn!("Failed to create reporter: {err}");
-                AtomicPtr::new(std::ptr::null_mut())
-            }
-        }
-    }
 }

bear/src/intercept/reporter.rs

@@ -33,6 +33,9 @@ libc.workspace = true
 platform-checks = { path = "../platform-checks" }
 cc.workspace = true
 
+[dev-dependencies]
+serde_json.workspace = true
+
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [
     'cfg(has_header_dlfcn_h)',

intercept-preload/Cargo.toml

@@ -31,15 +31,32 @@
 // Ensure symbols are exported from the shared library
 #define EXPORT __attribute__((visibility("default")))
 
+// Platform-specific environment access
+//
+// When the dynamic linker loads the library, the `environ` variable might not
+// be available yet. This is the case on macOS where we need to use
+// `_NSGetEnviron()` to reliably access the environment during library
+// initialization.
+
+#if defined(__APPLE__)
+#include <crt_externs.h>
+#define get_environ() (*_NSGetEnviron())
+#else
+extern char **environ;
+#define get_environ() environ
+#endif
+
 // Rust implementation functions
 //
 // These are defined in implementation.rs with #[no_mangle] and handle:
 // - Reporting the execution to the collector
 // - Calling the real function via dlsym(RTLD_NEXT, ...)
 
-extern int rust_execv(const char *path, char *const argv[]);
+// Session initialization - called from constructor to capture environment
+extern void rust_session_init(char *const *envp);
+
+// Exec family functions
 extern int rust_execve(const char *path, char *const argv[], char *const envp[]);
-extern int rust_execvp(const char *file, char *const argv[]);
 extern int rust_execvpe(const char *file, char *const argv[], char *const envp[]);
 extern int rust_execvP(const char *file, const char *search_path, char *const argv[]);
 extern int rust_exect(const char *path, char *const argv[], char *const envp[]);
@@ -54,6 +71,27 @@ extern int rust_posix_spawnp(pid_t *pid, const char *file,
 extern FILE *rust_popen(const char *command, const char *mode);
 extern int rust_system(const char *command);
 
+// Library constructor
+//
+// This function is called when the library is loaded into memory. It captures
+// the current environment and passes it to Rust for session initialization.
+// This is critical because:
+//
+// 1. On macOS, `environ` is not available during early library initialization,
+//    so we use `_NSGetEnviron()` instead.
+// 2. Build systems may clear or modify environment variables like LD_PRELOAD
+//    and INTERCEPT_COLLECTOR_ADDRESS. By capturing them early, we can restore
+//    them when executing child processes.
+
+__attribute__((constructor))
+static void on_load(void)
+{
+    char *const *envp = get_environ();
+    if (envp != NULL) {
+        rust_session_init(envp);
+    }
+}
+
 // Count variadic arguments until NULL terminator
 // The va_list is consumed by this function
 static size_t va_count_args(va_list ap)
@@ -97,7 +135,7 @@ EXPORT int execl(const char *path, const char *arg0, ...)
 
     va_end(ap);
 
-    return rust_execv(path, argv);
+    return rust_execve(path, argv, get_environ());
 }
 #endif
 
@@ -125,7 +163,7 @@ EXPORT int execlp(const char *file, const char *arg0, ...)
 
     va_end(ap);
 
-    return rust_execvp(file, argv);
+    return rust_execvpe(file, argv, get_environ());
 }
 #endif
 
@@ -168,7 +206,7 @@ EXPORT int execle(const char *path, const char *arg0, ...)
 #if defined(has_symbol_execv)
 EXPORT int execv(const char *path, char *const argv[])
 {
-    return rust_execv(path, argv);
+    return rust_execve(path, argv, get_environ());
 }
 #endif
 
@@ -188,7 +226,7 @@ EXPORT int execve(const char *path, char *const argv[], char *const envp[])
 #if defined(has_symbol_execvp)
 EXPORT int execvp(const char *file, char *const argv[])
 {
-    return rust_execvp(file, argv);
+    return rust_execvpe(file, argv, get_environ());
 }
 #endif
 
@@ -266,4 +304,4 @@ EXPORT int system(const char *command)
 {
     return rust_system(command);
 }
-#endif
+#endif