process:bpf: report euid as the process.uid

api/v1/tetragon/tetragon.proto

@@ -112,21 +112,21 @@ message UserNamespace {
 }
 
 message ProcessCredentials {
-	// The real user ID
+	// The real user ID of the process' owner.
 	google.protobuf.UInt32Value uid = 1;
-	// The real group ID
+	// The real group ID of the process' owner.
 	google.protobuf.UInt32Value gid = 2;
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	google.protobuf.UInt32Value euid = 3;
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	google.protobuf.UInt32Value egid = 4;
-	// The saved user ID
+	// The saved user ID.
 	google.protobuf.UInt32Value suid = 5;
-	// The saved group ID
+	// The saved group ID.
 	google.protobuf.UInt32Value sgid = 6;
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	google.protobuf.UInt32Value fsuid = 7;
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	google.protobuf.UInt32Value fsgid = 8;
 	// Secure management flags
 	repeated SecureBitsType securebits = 9;
@@ -178,7 +178,9 @@ message Process {
     string exec_id = 1;
     // Process identifier from host PID namespace.
     google.protobuf.UInt32Value pid = 2;
-    // User identifier associated with the process.
+    // The effective User identifier used for permission checks. This field maps to the
+    // 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+    // enable 'ProcessCredentials' and get all the User and Group identifiers.
     google.protobuf.UInt32Value uid = 3;
     // Current working directory of the process.
     string cwd = 4;
@@ -262,7 +264,8 @@ message Process {
     Namespaces ns = 15;
     // Thread ID, note that for the thread group leader, tid is equal to pid.
     google.protobuf.UInt32Value tid = 16;
-    // Process credentials
+    // Process credentials, disabled by default, can be enabled by the
+    // `--enable-process-cred` flag.
     ProcessCredentials process_credentials = 17;
     // Executed binary properties. This field is only available on ProcessExec events.
     BinaryProperties binary_properties = 18;

bpf/process/bpf_execve_event.c

@@ -214,7 +214,6 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	p->ktime = ktime_get_ns();
 	p->size = offsetof(struct msg_process, args);
 	p->auid = get_auid();
-	p->uid = get_current_uid_gid();
 	read_execve_shared_info(ctx, p, pid);
 
 	p->size += read_path(ctx, event, filename);
@@ -228,6 +227,13 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	BPF_CORE_READ_INTO(&event->kube.net_ns, task, nsproxy, net_ns, ns.inum);
 
 	get_current_subj_creds(&event->creds, task);
+	/**
+	 * Instead of showing the task owner, we want to display the effective
+	 * uid that is used to calculate the privileges of current task when
+	 * acting upon other objects. This allows to be compatible with the 'ps'
+	 * tool that reports snapshot of current processes.
+	 */
+	p->uid = event->creds.euid;
 	get_namespaces(&event->ns, task);
 	p->flags |= __event_get_cgroup_info(task, &event->kube);