tetragon: for exit events use TID of execve ones
Ensure that during execve we always set TID == PID, then re-use it
during the exit event. This turns the TID reported by the bpf side at
exit into an assertion.

We still need a copy of the process when streaming grpc.

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
tixxdz committed Jul 21, 2023
1 parent 0f6a5c5 commit 49cb54d
Showing 2 changed files with 22 additions and 6 deletions.
18 changes: 12 additions & 6 deletions pkg/grpc/exec/exec.go
@@ -288,6 +288,15 @@ func GetProcessExit(event *MsgExitEventUnix) *tetragon.ProcessExit {
code := event.Info.Code >> 8
signal := readerexec.Signal(event.Info.Code & 0xFF)

// Ensure that we get PID == TID
if event.ProcessKey.Pid != event.Info.Tid {
logger.GetLogger().WithFields(logrus.Fields{
"event.name": "Exit",
"event.process.pid": event.ProcessKey.Pid,
"event.process.tid": event.Info.Tid,
}).Debug("ExitEvent: process PID and TID mismatch")
}

tetragonEvent := &tetragon.ProcessExit{
Process: tetragonProcess,
Parent: tetragonParent,
@@ -306,10 +315,9 @@ func GetProcessExit(event *MsgExitEventUnix) *tetragon.ProcessExit {
parent.RefDec()
}
if proc != nil {
// Copy process before returning
tetragonEvent.Process = proc.GetProcessCopy()
proc.RefDec()
// Use the bpf recorded TID to update the event
process.UpdateEventProcessTid(tetragonEvent.Process, &event.Info.Tid)
}
return tetragonEvent
}
@@ -339,13 +347,11 @@ func (msg *MsgExitEventUnix) RetryInternal(ev notify.Event, timestamp uint64) (*
}

if internal != nil {
proc := internal.GetProcessCopy()
ev.SetProcess(internal.GetProcessCopy())
if !msg.RefCntDone[ProcessRefCnt] {
internal.RefDec()
msg.RefCntDone[ProcessRefCnt] = true
}
// Update the Process TID with the recorded one from BPF side
process.UpdateEventProcessTid(proc, &msg.Info.Tid)
} else {
errormetrics.ErrorTotalInc(errormetrics.EventCacheProcessInfoFailed)
err = eventcache.ErrFailedToGetProcessInfo
@@ -358,7 +364,7 @@ func (msg *MsgExitEventUnix) RetryInternal(ev notify.Event, timestamp uint64) (*
}

func (msg *MsgExitEventUnix) Retry(internal *process.ProcessInternal, ev notify.Event) error {
return eventcache.HandleGenericEvent(internal, ev, &msg.Info.Tid)
return eventcache.HandleGenericEvent(internal, ev, nil)
}

func (msg *MsgExitEventUnix) HandleMessage() *tetragon.GetEventsResponse {
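Review bot: The PID/TID mismatch check added to GetProcessExit reports only at Debug level, so with default logging the condition the commit message calls an assertion can fail without anyone noticing; the execve check in pkg/process/process.go has the same limitation. Since the `process.UpdateEventProcessTid` call appears to be dropped from the exit path, a mismatching exit event would then be emitted with the TID cached at execve rather than the one recorded by BPF, and consumers of the telemetry could not tell. Consider `}).Warn("ExitEvent: process PID and TID mismatch")`, or an error counter next to the existing `errormetrics.ErrorTotalInc` calls, so the case is detectable in production. Retry now passes `nil` to `eventcache.HandleGenericEvent`; its handling of a nil TID is not visible on this page and should be confirmed.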
10 changes: 10 additions & 0 deletions pkg/process/process.go
@@ -204,6 +204,16 @@ func initProcessInternalExec(
protoPod, endpoint := GetPodInfo(containerID, process.Filename, args, process.NSPID)
caps := caps.GetMsgCapabilities(capabilities)
ns := namespace.GetMsgNamespaces(namespaces)
if process.PID != process.TID {
logger.GetLogger().WithFields(logrus.Fields{
"event.name": "Execve",
"event.process.pid": process.PID,
"event.process.tid": process.TID,
"event.process.exec_id": execID,
"event.parent.exec_id": parentExecID,
}).Debug("ExecveEvent: process PID and TID mismatch")
process.TID = process.PID
}
return &ProcessInternal{
process: &tetragon.Process{
Pid: &wrapperspb.UInt32Value{Value: process.PID},
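Review bot: The `process.TID = process.PID` assignment in initProcessInternalExec overwrites a value reported from the BPF side, and nothing in the block says why that is safe. A comment above the `if` would help, for example `// After a successful execve the calling thread is the thread-group leader, so TID must equal PID; normalize here because exit events reuse this value.` Whether `process` is a copy or shared with the caller is not visible, since the signature lies outside the hunk; if it is shared, the caller's message is modified as well, which the comment should mention. The function body starts and ends outside this hunk.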
