fix: skip /tmp extraction when profiling libraries are installed#526
Open
xroche wants to merge 1 commit intoDataDog:mainfrom
Open
fix: skip /tmp extraction when profiling libraries are installed#526xroche wants to merge 1 commit intoDataDog:mainfrom
xroche wants to merge 1 commit intoDataDog:mainfrom
Conversation
xroche
force-pushed
the
fix/avoid-tmp-extraction
branch
2 times, most recently
from
17a47d1 to
ec872ba
Compare
The loader constructor used to extract both libdd_profiling-embedded.so and the ddprof executable to /tmp on every load. This triggers security scanners (e.g. Falcon) that flag new executables in /tmp. When ddprof is installed as a package, the .so already sits in a standard library search path and the binary is already in PATH. The extraction is unnecessary. The loader now tries dlopen with a bare library name first. Per dlopen(3), a filename without a slash is resolved through the standard search order (DT_RPATH, LD_LIBRARY_PATH, DT_RUNPATH, ldconfig cache, /lib, /usr/lib). If that succeeds, no files are written to /tmp at all. exec_ddprof gains a similar fallback: try execvp (PATH search) before resorting to memfd_create + fexecve from embedded data. When the libraries are NOT installed (self-contained / ad-hoc usage), both paths fall through to the existing /tmp extraction, so nothing changes for that use case. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
xroche
force-pushed
the
fix/avoid-tmp-extraction
branch
from
ec872ba to
9a467b0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #527.
Summary
When ddprof is installed as a package, skip writing executables and shared libraries to /tmp. Security scanners like CrowdStrike Falcon flag new executables in /tmp, and the extraction is pointless when the files already sit in standard system paths.
How
The loader constructor tries
dlopenwith the bare library name (libdd_profiling-embedded.so) before falling back to /tmp extraction. Per dlopen(3), a filename without a slash goes through the standard search order (DT_RPATH, LD_LIBRARY_PATH, DT_RUNPATH, ldconfig cache, /lib, /usr/lib). If found, nothing is written to /tmp.exec_ddprofdoes the same for the daemon binary: tryexecvp(execvp(3), PATH search) beforememfd_create+fexecvefrom embedded data.Self-contained / ad-hoc usage (libraries not installed) falls through to the existing /tmp extraction. Default behavior is unchanged.