api: improve process.uid and process_credentials documentation

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
cilium · Jun 21, 2024 · d308a15 · d308a15
1 parent a8200d8
commit d308a15
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 80 deletions.
diff --git a/api/v1/README.md b/api/v1/README.md
diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go
diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto
@@ -112,21 +112,21 @@ message UserNamespace {
 }
 
 message ProcessCredentials {
-	// The real user ID
+	// The real user ID of the process' owner.
 	google.protobuf.UInt32Value uid = 1;
-	// The real group ID
+	// The real group ID of the process' owner.
 	google.protobuf.UInt32Value gid = 2;
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	google.protobuf.UInt32Value euid = 3;
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	google.protobuf.UInt32Value egid = 4;
-	// The saved user ID
+	// The saved user ID.
 	google.protobuf.UInt32Value suid = 5;
-	// The saved group ID
+	// The saved group ID.
 	google.protobuf.UInt32Value sgid = 6;
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	google.protobuf.UInt32Value fsuid = 7;
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	google.protobuf.UInt32Value fsgid = 8;
 	// Secure management flags
 	repeated SecureBitsType securebits = 9;
@@ -178,7 +178,9 @@ message Process {
     string exec_id = 1;
     // Process identifier from host PID namespace.
     google.protobuf.UInt32Value pid = 2;
-    // User identifier associated with the process.
+    // The effective User identifier used for permission checks. This field maps to the
+    // 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+    // enable 'ProcessCredentials' and get all the User and Group identifiers.
     google.protobuf.UInt32Value uid = 3;
     // Current working directory of the process.
     string cwd = 4;
@@ -262,7 +264,8 @@ message Process {
     Namespaces ns = 15;
     // Thread ID, note that for the thread group leader, tid is equal to pid.
     google.protobuf.UInt32Value tid = 16;
-    // Process credentials
+    // Process credentials, disabled by default, can be enabled by the
+    // `--enable-process-cred` flag.
     ProcessCredentials process_credentials = 17;
     // Executed binary properties. This field is only available on ProcessExec events.
     BinaryProperties binary_properties = 18;

diff --git a/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
diff --git a/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md