fix: Fix containerStarted flag in decode stage

This commit addresses an issue where an empty container ID was observed while the containerStarted flag was set to true. Since it is not possible to have knowledge of a started container without its ID, this behavior is considered an edge case, potentially caused by a race condition. The fix involves modifying the decode stage to set the containerStarted flag to false whenever an empty container ID is found. This ensures that the flag accurately reflects the event's container status and resolves the inconsistency observed in the issue #3251.
aquasecurity · Jun 20, 2023 · 3ddc2a2 · 3ddc2a2
1 parent eb3c959
commit 3ddc2a2
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -220,7 +220,7 @@ func (t *Tracee) decodeEvents(outerCtx context.Context, sourceChan chan []byte)
 				PodUID:       containerInfo.Pod.UID,
 			}
 
-			flags := parseContextFlags(ctx.Flags)
+			flags := parseContextFlags(containerData.ID, ctx.Flags)
 			syscall := ""
 			if ctx.Syscall != noSyscall {
 				var err error
@@ -380,15 +380,19 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 {
 	return bitmap
 }
 
-func parseContextFlags(flags uint32) trace.ContextFlags {
+func parseContextFlags(containerId string, flags uint32) trace.ContextFlags {
 	const (
 		contStartFlag = 1 << iota
 		IsCompatFlag
 	)
-	return trace.ContextFlags{
-		ContainerStarted: (flags & contStartFlag) != 0,
-		IsCompat:         (flags & IsCompatFlag) != 0,
-	}
+
+	var cflags trace.ContextFlags
+	// Handle the edge case where containerStarted flag remains true despite an empty containerId.
+	// See #3251 for more details.
+	cflags.ContainerStarted = (containerId != "") && (flags&contStartFlag) != 0
+	cflags.IsCompat = (flags & IsCompatFlag) != 0
+
+	return cflags
 }
 
 // Get the syscall name from its ID, taking into account architecture and 32bit/64bit modes