ebpf: Ignore kernel threads during clone events

In Tetragon we do not report process_exec and process_exit events for kernel threads. When searching for the parent of a kernel thread, we failed to do so and we simply ignore that. This patch optimizes that path as we abort early by checking the task_struct's flags. Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
cilium · Nov 4, 2023 · f38b799 · f38b799
1 parent b29fc81
commit f38b799
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/bpf/process/bpf_fork.c b/bpf/process/bpf_fork.c
@@ -22,12 +22,17 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 {
 	struct execve_map_value *curr, *parent;
 	struct msg_clone_event msg;
+	u32 flags, tgid = 0;
 	u64 msg_size;
-	u32 tgid = 0;
 
 	if (!task)
 		return 0;
 
+	/* We do not care about kernel threads. */
+	flags = BPF_CORE_READ(task, flags);
+	if (flags & PF_KTHREAD)
+		return 0;
+
 	tgid = BPF_CORE_READ(task, tgid);
 
 	/* Do not try to create any msg or calling execve_map_get