Fix missing parent issue in clone events #1708

Merged
merged 3 commits into from
Nov 9, 2023

Commits on Nov 3, 2023

  1. ebpf: Remove unused error_flags in event_wake_up_new_task

    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Nov 3, 2023
    6b4d4dc

Commits on Nov 4, 2023

  1. ebpf: Fix missing parent issue in clone events

    Clone events are handled in event_wake_up_new_task program. In the
    case of __event_find_parent failure, we do not send an event to the
    user. On the other hand, execve_map_get has already added a new
    entry in execve_map. This causes an inconsistency between execve_map
    and the user space process cache that may lead to events going through
    the eventcache and waiting for a process that never arrives.
    
    To solve this, we try to find our parent in the beginning of the
    program. If we fail to do so, we simply stop the execution of this
    program (and do not add any entries in the execve_map). This commit
    also does some refactoring to cleanup the code.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Nov 4, 2023
    9b82c3f
  2. ebpf: Ignore kernel threads during clone events

    In Tetragon we do not report process_exec and process_exit events for
    kernel threads. When searching for the parent of a kernel thread, we
    failed to do so and we simply ignore that.
    
    This patch optimizes that path as we abort early by checking the
    task_struct's flags.
    
    Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
    tpapagian committed Nov 4, 2023
    05d0638
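
A user-space model of the ordering change these commit messages describe, added here as an illustration and not Tetragon's eBPF code. The struct layout, handler names and sample tasks are hypothetical, and `PF_KTHREAD` (a real Linux task flag) is assumed to be the flag the third commit checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAP_SIZE 16
#define PF_KTHREAD 0x00200000u /* Linux task flag; assumed to be the one checked */

/* Hypothetical stand-ins for execve_map and the event stream to user space. */
struct model {
    uint32_t map_pids[MAP_SIZE]; /* models execve_map keys */
    int map_len;
    int events_sent;             /* clone events delivered to user space */
};
struct task { uint32_t pid, ppid, flags; };

static bool map_has(const struct model *m, uint32_t pid) {
    for (int i = 0; i < m->map_len; i++)
        if (m->map_pids[i] == pid) return true;
    return false;
}
static void map_add(struct model *m, uint32_t pid) {
    if (!map_has(m, pid) && m->map_len < MAP_SIZE)
        m->map_pids[m->map_len++] = pid;
}

/* Old ordering: the entry is created first, the parent lookup may fail after. */
static void clone_insert_first(struct model *m, const struct task *t) {
    map_add(m, t->pid);
    if (!map_has(m, t->ppid)) return; /* no event sent, but the entry remains */
    m->events_sent++;
}

/* New ordering: bail out before touching the map. */
static void clone_parent_first(struct model *m, const struct task *t) {
    if (t->flags & PF_KTHREAD) return; /* kernel threads are not reported */
    if (!map_has(m, t->ppid)) return;  /* unknown parent: leave no state */
    map_add(m, t->pid);
    m->events_sent++;
}

/* Map entries user space was never told about (seeded parent excluded). */
static int orphans(void (*handler)(struct model *, const struct task *)) {
    struct model m;
    memset(&m, 0, sizeof m);
    map_add(&m, 100); /* constructed: pid 100 is already known via exec */
    const struct task tasks[] = { /* constructed sample clone events */
        {101, 100, 0}, {202, 999, 0}, {303, 2, PF_KTHREAD} };
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        handler(&m, &tasks[i]);
    return (m.map_len - 1) - m.events_sent;
}
```

A non-zero result from `orphans` is the inconsistency: map entries exist for processes whose clone event never reached the user space process cache.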