From 3ddc2a210698db54d180bb29302907d5c6ab665c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?=
Date: Mon, 19 Jun 2023 14:16:05 -0300
Subject: [PATCH] fix: Fix containerStarted flag in decode stage

This commit addresses an issue where an empty container ID was observed while the containerStarted flag was set to true. Since it is not possible to have knowledge of a started container without its ID, this behavior is considered an edge case, potentially caused by a race condition. The fix involves modifying the decode stage to set the containerStarted flag to false whenever an empty container ID is found. This ensures that the flag accurately reflects the event's container status and resolves the inconsistency observed in the issue #3251.
---
 pkg/ebpf/events_pipeline.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
index e0736882052..993099db889 100644
--- a/pkg/ebpf/events_pipeline.go
+++ b/pkg/ebpf/events_pipeline.go
@@ -220,7 +220,7 @@ func (t *Tracee) decodeEvents(outerCtx context.Context, sourceChan chan []byte)
 PodUID: containerInfo.Pod.UID,
 }
- flags := parseContextFlags(ctx.Flags)
+ flags := parseContextFlags(containerData.ID, ctx.Flags)
 syscall := ""
 if ctx.Syscall != noSyscall {
 var err error
@@ -380,15 +380,19 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 {
 return bitmap
 }
-func parseContextFlags(flags uint32) trace.ContextFlags {
+func parseContextFlags(containerId string, flags uint32) trace.ContextFlags {
 const (
 contStartFlag = 1 << iota
 IsCompatFlag
 )
- return trace.ContextFlags{
- ContainerStarted: (flags & contStartFlag) != 0,
- IsCompat: (flags & IsCompatFlag) != 0,
- }
+
+ var cflags trace.ContextFlags
+ // Handle the edge case where containerStarted flag remains true despite an empty containerId.
+ // See #3251 for more details.
+ cflags.ContainerStarted = (containerId != "") && (flags&contStartFlag) != 0
+ cflags.IsCompat = (flags & IsCompatFlag) != 0
+
+ return cflags
 }
 // Get the syscall name from its ID, taking into account architecture and 32bit/64bit modes
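Review bot: The new body of parseContextFlags silently downgrades the event when `containerId` is empty but the raw flag bit is set, which hides the inconsistency #3251 reported rather than surfacing it; the in-function comment should say what a consumer will observe (the event is classified as not container-started, so anything keyed on ContainerStarted treats it as a host event) and whether that is the intended failure mode. Since the commit message attributes the empty ID to a suspected race in the container lookup, the condition is worth keeping observable at the call site in decodeEvents (first hunk, whose enclosing function starts and ends outside the hunk), for example a debug log or counter when the raw started bit is set but `containerData.ID == ""`, so the root cause can still be tracked after the symptom is masked. The parameter name `containerId` departs from Go's initialism convention; `containerID` would match `PodUID` used in the first hunk. The function also has no doc comment; something like `// parseContextFlags decodes the raw eBPF context flag bits. ContainerStarted is cleared when containerID is empty, since a started container cannot be known without its ID (#3251).` would record the rationale at the function signature rather than only inside the body.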