libbpf-tools: Always escape tab and newline chars in execsnoop#5497
libbpf-tools: Always escape tab and newline chars in execsnoop#5497ReillyBrogan wants to merge 1 commit intoiovisor:masterfrom
Conversation
5340c21 made it so that the Python execsnoop always escaped newline characters which is required to avoid breaking tools that parse the execsnoop stdout when command args contain newlines. This applies the same change to the libbpf-tools version as well as additionally escaping tab characters. Specifically I noticed this difference in behavior when porting system76-scheduler to libbpf execsnoop. It would probably be better to have a json output instead but this at least gets system76-scheduler working without additional changes.
ReillyBrogan
requested review from
brendangregg,
chenhengqi,
ekyooo and
yonghong-song
as code owners
There was a problem hiding this comment.
Pull request overview
This PR aligns libbpf-tools’s execsnoop output escaping behavior with the Python implementation by ensuring newline characters (and additionally tabs) are always escaped in printed exec arguments, preventing stdout line-breaking for downstream parsers.
Changes:
- Replaces the quoting/escaping helper with a generalized
escape_symbol()routine. - Escapes
\nand\teven when-q(quoted args) mode is not enabled. - Keeps double-quote escaping conditional on quoted-output mode.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| static void inline quoted_symbol(char c) { | ||
| static void inline escape_symbol(char c, bool quote) { | ||
| switch(c) { |
There was a problem hiding this comment.
Style nit: use switch (c) (with a space) to match the rest of this file (e.g., switch (key) above).
| switch(c) { | |
| switch (c) { |
| if (c == '\0') { | ||
| args_counter++; | ||
| putchar(' '); | ||
| } else { | ||
| putchar(c); | ||
| escape_symbol(c, false); |
There was a problem hiding this comment.
print_args takes a bool quote parameter, but the function logic uses env.quote and the escaping calls hardcode true/false. Since this is a static helper, consider either using the quote parameter consistently (and pass it through to escape_symbol) or removing it to avoid a misleading signature.
|
5340c21 made it so that the Python execsnoop always escaped newline characters which is required to avoid breaking tools that parse the execsnoop stdout when command args contain newlines. This applies the same change to the libbpf-tools version as well as additionally escaping tab characters.
Specifically I noticed this difference in behavior when porting system76-scheduler to libbpf execsnoop. It would probably be better to have a json output instead but this at least gets system76-scheduler working without additional changes.