fix: fix container edge case in events pipeline

See #3251 for more details.
aquasecurity · Jun 19, 2023 · 045f08b · 045f08b
1 parent eb3c959
commit 045f08b
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -220,7 +220,7 @@ func (t *Tracee) decodeEvents(outerCtx context.Context, sourceChan chan []byte)
 				PodUID:       containerInfo.Pod.UID,
 			}
 
-			flags := parseContextFlags(ctx.Flags)
+			flags := parseContextFlags(containerData.ID, ctx.Flags)
 			syscall := ""
 			if ctx.Syscall != noSyscall {
 				var err error
@@ -380,15 +380,19 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 {
 	return bitmap
 }
 
-func parseContextFlags(flags uint32) trace.ContextFlags {
+func parseContextFlags(containerId string, flags uint32) trace.ContextFlags {
 	const (
 		contStartFlag = 1 << iota
 		IsCompatFlag
 	)
-	return trace.ContextFlags{
-		ContainerStarted: (flags & contStartFlag) != 0,
-		IsCompat:         (flags & IsCompatFlag) != 0,
-	}
+
+	var cflags trace.ContextFlags
+	// Check the edge case where the container ID is empty, but the flag is set.
+	// See #3251 for more details.
+	cflags.ContainerStarted = (containerId != "") && (flags&contStartFlag) != 0
+	cflags.IsCompat = (flags & IsCompatFlag) != 0
+
+	return cflags
 }
 
 // Get the syscall name from its ID, taking into account architecture and 32bit/64bit modes