Revert "feat(proctree): control procfs query by config (aquasecurity#…

…3989)" This reverts commit f587631.
yanivagman · May 6, 2024 · 9120001 · 9120001
1 parent f587631
commit 9120001
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 49 deletions.
diff --git a/docs/docs/advanced/data-sources/builtin/process-tree.md b/docs/docs/advanced/data-sources/builtin/process-tree.md
@@ -16,13 +16,6 @@ The underlying structure is populated using the core `sched_process_fork`, `sche
 
 The number of processes retained in the tree hinges on cache size. We have two separate caches at play: one for processes and another for threads. Both default to a size of 32K, supporting tracking for up to 32,768 processes and the same number of threads. It's worth noting that these are LRU caches: once full, they'll evict the least recently accessed entries to accommodate fresh ones.
 
-The process tree query the procfs upon initialization and during runtime to fill missing data:
-* During initialization, it runs over all procfs to fill all existing processes and threads
-* During runtime, it queries specific processes in the case of missing information caused by missing events. 
-
-> [!CAUTION]
-> The procfs query might increase the feature toll on CPU and memory. The runtime query might have a snowball effect on lost events, as it will reduce the system resources in the processes of filling missing information.
-
 ## Command Line Option
 
 ```bash
@@ -33,9 +26,8 @@ Example:
       events       | process tree is built from events.
       signals      | process tree is built from signals.
       both         | process tree is built from both events and signals.
-  --proctree process-cache=8192   | will cache up to 8192 processes in the tree (LRU cache).
-  --proctree thread-cache=4096    | will cache up to 4096 threads in the tree (LRU cache).
-  --proctree disable-procfs-query | Will disable procfs quering during runtime
+  --proctree process-cache=8192  | will cache up to 8192 processes in the tree (LRU cache).
+  --proctree thread-cache=4096   | will cache up to 4096 threads in the tree (LRU cache).
 
 Use comma OR use the flag multiple times to choose multiple options:
   --proctree source=A,process-cache=B,thread-cache=C

diff --git a/pkg/cmd/flags/proctree.go b/pkg/cmd/flags/proctree.go
@@ -18,9 +18,8 @@ Example:
       events       | process tree is built from events.
       signals      | process tree is built from signals.
       both         | process tree is built from both events and signals.
-  --proctree process-cache=8192   | will cache up to 8192 processes in the tree (LRU cache).
-  --proctree thread-cache=4096    | will cache up to 4096 threads in the tree (LRU cache).
-  --proctree disable-procfs-query | Will disable procfs queries during runtime
+  --proctree process-cache=8192  | will cache up to 8192 processes in the tree (LRU cache).
+  --proctree thread-cache=4096   | will cache up to 4096 threads in the tree (LRU cache).
 
 Use comma OR use the flag multiple times to choose multiple options:
   --proctree source=A,process-cache=B,thread-cache=C
@@ -32,11 +31,9 @@ func PrepareProcTree(cacheSlice []string) (proctree.ProcTreeConfig, error) {
 	var err error
 
 	config := proctree.ProcTreeConfig{
-		Source:               proctree.SourceNone, // disabled by default
-		ProcessCacheSize:     proctree.DefaultProcessCacheSize,
-		ThreadCacheSize:      proctree.DefaultThreadCacheSize,
-		ProcfsInitialization: true,
-		ProcfsQuerying:       true,
+		Source:           proctree.SourceNone, // disabled by default
+		ProcessCacheSize: proctree.DefaultProcessCacheSize,
+		ThreadCacheSize:  proctree.DefaultThreadCacheSize,
 	}
 
 	cacheSet := false
@@ -93,10 +90,6 @@ func PrepareProcTree(cacheSlice []string) (proctree.ProcTreeConfig, error) {
 				cacheSet = true
 				continue
 			}
-			if strings.HasPrefix(value, "disable-procfs-query") {
-				config.ProcfsQuerying = false
-				continue
-			}
 			err = fmt.Errorf("unrecognized proctree option format: %v", value)
 		}
 	}

diff --git a/pkg/proctree/proctree.go b/pkg/proctree/proctree.go
@@ -63,22 +63,19 @@ func (s SourceType) String() string {
 }
 
 type ProcTreeConfig struct {
-	Source               SourceType
-	ProcessCacheSize     int
-	ThreadCacheSize      int
-	ProcfsInitialization bool // Determine whether to scan procfs data for process tree initialization
-	ProcfsQuerying       bool // Determine whether to query procfs for missing information during runtime
+	Source           SourceType
+	ProcessCacheSize int
+	ThreadCacheSize  int
 }
 
 // ProcessTree is a tree of processes and threads.
 type ProcessTree struct {
-	processes   *lru.Cache[uint32, *Process] // hash -> process
-	threads     *lru.Cache[uint32, *Thread]  // hash -> threads
-	procfsChan  chan int                     // channel of pids to read from procfs
-	procfsOnce  *sync.Once                   // busy loop debug message throttling
-	ctx         context.Context              // context for the process tree
-	mutex       *sync.RWMutex                // mutex for the process tree
-	procfsQuery bool
+	processes  *lru.Cache[uint32, *Process] // hash -> process
+	threads    *lru.Cache[uint32, *Thread]  // hash -> threads
+	procfsChan chan int                     // channel of pids to read from procfs
+	procfsOnce *sync.Once                   // busy loop debug message throttling
+	ctx        context.Context              // context for the process tree
+	mutex      *sync.RWMutex                // mutex for the process tree
 }
 
 // NewProcessTree creates a new process tree.
@@ -136,17 +133,14 @@ func NewProcessTree(ctx context.Context, config ProcTreeConfig) (*ProcessTree, e
 	}()
 
 	procTree := &ProcessTree{
-		processes:   processes,
-		threads:     threads,
-		ctx:         ctx,
-		mutex:       &sync.RWMutex{},
-		procfsQuery: config.ProcfsQuerying,
+		processes: processes,
+		threads:   threads,
+		ctx:       ctx,
+		mutex:     &sync.RWMutex{},
 	}
 
-	if config.ProcfsInitialization {
-		// Walk procfs and feed the process tree with data.
-		procTree.FeedFromProcFSAsync(AllPIDs)
-	}
+	// Walk procfs and feed the process tree with data.
+	procTree.FeedFromProcFSAsync(AllPIDs)
 
 	return procTree, nil
 }

diff --git a/pkg/proctree/proctree_feed.go b/pkg/proctree/proctree_feed.go
@@ -63,9 +63,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 			},
 			utils.NsSinceBootTimeToTime(feed.TimeStamp),
 		)
-		if pt.procfsQuery {
-			pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
-		}
+		pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
 	}
 
 	parent, found := pt.GetProcessByHash(feed.ParentHash) // always a real process
@@ -101,9 +99,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 			},
 			utils.NsSinceBootTimeToTime(feed.TimeStamp),
 		)
-		if pt.procfsQuery {
-			pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
-		}
+		pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
 	}
 
 	leader, found := pt.GetProcessByHash(feed.LeaderHash)