Fix for execve events that come after clone

ef0a426 changes the behaviour of exec events that come after a clone event. Before that commit we used to have: process_clone with process pid 10 parent pid 9 // we cannot see that event as process_clone are not exported process_exec with process pid 10 parent pid 9 // will have as parent pid the clone's event parent pid process_exec with process pid 10 parent pid 10 // will have as parent the previous exec's pid Now we have: process_clone with process pid 10 parent pid 9 // we cannot see that event as process_clone are not exported process_exec with process pid 10 parent pid 10 // will have as parent pid the one from the clone event process_exec with process pid 10 parent pid 10 // will have as parent the previous exec's pid This commit fixes that to behave the same as before. This is done by using the real parent for the first exec event after a clone event. Signed-off-by: Anastasios Papagiannis <[email protected]>
cilium · Nov 7, 2022 · a66af7e · a66af7e
1 parent 539ef41
commit a66af7e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkg/process/process.go b/pkg/process/process.go
@@ -235,7 +235,7 @@ func GetParentProcessInternal(pid uint32, ktime uint64) (*ProcessInternal, *Proc
 // AddExecEvent constructs a new ProcessInternal structure from an Execve event, adds it to the cache, and also returns it
 func AddExecEvent(event *tetragonAPI.MsgExecveEventUnix) *ProcessInternal {
 	var proc *ProcessInternal
-	if event.CleanupProcess.Ktime == 0 {
+	if event.CleanupProcess.Ktime == 0 || event.Process.Flags&api.EventClone != 0 {
 		// there is a case where we cannot find this entry in execve_map
 		// in that case we use as parent what Linux knows
 		proc, _ = GetProcess(event.Process, event.Kube.Docker, event.Parent, event.Capabilities, event.Namespaces)