Alan-Jowett / sonde / 23516607531

82%

push

github

Reject ephemeral programs that declare maps at ingestion time (#482)

* Reject ephemeral programs that declare maps at ingestion time

Ephemeral programs are stateless and must not carry map definitions.
Previously, such programs would pass ingestion and fail later on the
node. Now \ingest_elf()\ performs a lightweight scan of ELF section
headers for \.maps\/\maps\ sections and rejects ephemeral programs
early with an actionable \VerificationFailed\ error.

Spec changes (GW-0401 criterion 5, T-0408, design §8.2 step 2).

Closes #473

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review findings for ephemeral map rejection

- Validate ELF magic, 64-bit class, and LE endianness before scanning
  section headers, preventing false positives on non-ELF input.
- Use checked arithmetic (`checked_mul`/`checked_add`) for all offset
  computations derived from untrusted ELF bytes, preventing overflow-
  induced panics on malformed input.
- Extend map-backed section detection to include `.rodata`, `.data`,
  and `.bss` (libbpf/prevail promote these to array maps), covering
  the `.rodata` failure mode reported in #473.
- Fix `ingest_elf` doc comment step ordering to match actual control
  flow (ephemeral rejection happens before temp file write).
- Update test helper doc comment to reflect pre-Prevail section-scan
  context.
- Update gateway-design.md to list the full set of detected sections.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Alan Jowett <alan.jowett@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

175 of 188 new or added lines in 1 file covered. (93.09%)

22125 of 25769 relevant lines covered (85.86%)

163.07 hits per line