Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The tracking of orphan processes is lost. #2048

Closed
lclin56 opened this issue Dec 14, 2023 · 2 comments
Closed

The tracking of orphan processes is lost. #2048

lclin56 opened this issue Dec 14, 2023 · 2 comments

Comments

@lclin56
Copy link

lclin56 commented Dec 14, 2023

I want to trace all descendant processes created after specifying proc.apid=xxx to track them from pid=xxx (for example, the pid of a sh session). However, when I try the following demo, sysdig loses track of the child processes.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

int main(int argc, char *argv[])
{
    if (argc == 2 && strcmp(argv[1], "child") == 0)
    {
        pid_t pid = fork(); 

        if (pid < 0)
        {
            perror("fork failed");
            exit(EXIT_FAILURE);
        }

        if (pid > 0)
        {
            printf("Parent process (PID %d) is exiting.\n", getpid());
            exit(EXIT_SUCCESS); 
        }

        printf("Child process (PID %d) started.\n", getpid());

        const char *new_name = "newproc";
        prctl(PR_SET_NAME, new_name, 0, 0, 0);

        if (argc > 1)
        {
            char *cmdline = argv[1];
            int i;
            for (i = 1; i < argc; i++)
            {
                memset(argv[i], 0, strlen(argv[i]));
                if (i < argc - 1)
                {
                    argv[i + 1] = argv[i] + strlen(argv[i]) + 1;
                }
            }
            strncpy(argv[0], cmdline, strlen(cmdline));
        }
        while (1)
        {
            sleep(5); 
            printf("Child process (PID %d) is still running...\n", getpid());
        }
    }
    else
    {
        char *newLocation = "/tmp/new_executable";
        char command[256];

        sprintf(command, "cp %s %s", argv[0], newLocation);
        system(command);

        sprintf(command, "chmod +x %s", newLocation);
        system(command);

        execl(newLocation, newLocation, "child", (char *)NULL);
    }

    return 0;
}

After the parent process exits, the child process is managed by the process with pid=1, and at that point, its proc.apid becomes the pid of that process.
Considering specifying proc.name or proc.aname in the tracking conditions can solve the issue of losing track of orphan processes when the process name doesn't change. However, in cases like the one in my demo, proc.name or proc.aname also changes. Is there any way to solve my problem? Currently, the only solution I can think of is running the target program inside a container and tracking events for the entire container.
@therealbobo
Copy link
Contributor

Hey @lclin56! Thank you for the issue! As far as I know, the behaviour that you are describing is the expected behaviour and I couldn't think of a way to solve the issue. 🤔 However, this behaviour is not directly managed by sysdig but it's delegated to the libs (https://github.com/falcosecurity/libs , the main building block of sysdig). Feel free to open an issue there! 😄

@lclin56
Copy link
Author

lclin56 commented Dec 14, 2023

Hey @therealbobo! Thank you for your response. I will try to solve this problem with an alternative approach.

@lclin56 lclin56 closed this as completed Dec 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@therealbobo @lclin56