auditd: cache new Proc objects

evilsocket · Mar 21, 2021 · 630e371 · 630e371
1 parent 36cdb76
commit 630e371
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/daemon/procmon/parse.go b/daemon/procmon/parse.go
@@ -89,6 +89,11 @@ func FindProcess(pid int, interceptUnknown bool) *Process {
 	if interceptUnknown && pid < 0 {
 		return NewProcess(0, "")
 	}
+
+	if proc := findProcessInActivePidsCache(uint32(pid)); proc != nil {
+		return proc
+	}
+
 	if methodIsAudit() {
 		if aevent := audit.GetEventByPid(pid); aevent != nil {
 			audit.Lock.RLock()
@@ -103,14 +108,11 @@ func FindProcess(pid int, interceptUnknown bool) *Process {
 			proc.readEnv()
 			proc.cleanPath()
 
+			addToActivePidsCache(uint32(pid), proc)
 			return proc
 		}
 	}
 
-	if proc := findProcessInActivePidsCache(uint32(pid)); proc != nil {
-		return proc
-	}
-
 	linkName := fmt.Sprint("/proc/", pid, "/exe")
 	if _, err := os.Lstat(linkName); err != nil {
 		return nil