fix: nspid assign is not correct
The current code incorrectly obtains the nspid from the parent process's task_struct instead of the forked child process, leading to incorrect nspid values when running in containerized environments.

Signed-off-by: arthur-zhang <[email protected]>
arthur-zhang committed Jan 9, 2025
1 parent c3df31c commit 7ef1d5c
Showing 4 changed files with 11 additions and 5 deletions.
2 changes: 1 addition & 1 deletion bpf/cgroup/bpf_cgroup_events.h
@@ -41,7 +41,7 @@ send_cgrp_event(struct bpf_raw_tracepoint_args *ctx,
}
msg->cgrp_op = op;
msg->pid = pid;
msg->nspid = get_task_pid_vnr();
msg->nspid = get_task_pid_vnr_curr();
msg->cgrpid = cgrpid;
/* It is same as we are not tracking nested cgroups */
msg->cgrpid_tracker = cgrpid;
10 changes: 8 additions & 2 deletions bpf/lib/bpf_task.h
@@ -57,9 +57,8 @@ FUNC_INLINE struct task_struct *get_task_from_pid(__u32 pid)
return task;
}

FUNC_INLINE __u32 get_task_pid_vnr(void)
FUNC_INLINE __u32 get_task_pid_vnr_by_task(struct task_struct *task)
{
struct task_struct *task = (struct task_struct *)get_current_task();
int thread_pid_exists;
unsigned int level;
struct upid upid;
@@ -96,6 +95,13 @@ FUNC_INLINE __u32 get_task_pid_vnr(void)
return upid.nr;
}

FUNC_INLINE __u32 get_task_pid_vnr_curr(void)
{
struct task_struct *task = (struct task_struct *)get_current_task();

return get_task_pid_vnr_by_task(task);
}

FUNC_INLINE __u32 event_find_parent_pid(struct task_struct *t)
{
struct task_struct *task = get_parent(t);
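Review bot: `get_task_pid_vnr_by_task()` now relies on the caller to pass the right task, yet neither it nor `get_task_pid_vnr_curr()` has a comment saying whose pid is reported, which is exactly the mistake this commit fixes. I would add above the first `/* Namespace pid of @task; in clone hooks pass the new child, never current. */` and above the wrapper `/* Only for hooks where current is the task the event describes. */`. The body between the two hunks is not shown, so whether a NULL `task` is tolerated cannot be judged from here; if the reads are checked probe reads the comment should say so, otherwise the function needs a guard. Since nspid is presumably what consumers use to tie an event to a PID inside a container, a wrong-task call produces a plausible but misattributed value rather than an error.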
2 changes: 1 addition & 1 deletion bpf/process/bpf_execve_event.c
@@ -259,7 +259,7 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
*/
p->pid = pid >> 32;
p->tid = (__u32)pid;
p->nspid = get_task_pid_vnr();
p->nspid = get_task_pid_vnr_curr();
p->ktime = ktime_get_ns();
p->size = offsetof(struct msg_process, args);
p->auid = get_auid();
2 changes: 1 addition & 1 deletion bpf/process/bpf_fork.c
@@ -56,7 +56,7 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
curr->flags = EVENT_COMMON_FLAG_CLONE;
curr->key.pid = tgid;
curr->key.ktime = ktime_get_ns();
curr->nspid = get_task_pid_vnr();
curr->nspid = get_task_pid_vnr_by_task(task);
memcpy(&curr->bin, &parent->bin, sizeof(curr->bin));
curr->pkey = parent->key;
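Review bot: Nothing in this commit pins the fix with a test, and the corrected line `curr->nspid = get_task_pid_vnr_by_task(task);` has no comment explaining why `task` is used rather than current. Going by the commit message, this hook runs with the parent as current, so a one-line comment such as `/* current is the parent here; read nspid from the new child */` would keep a later cleanup from switching back to `get_task_pid_vnr_curr()`. A regression test that clones inside a non-root pid namespace and asserts the clone event's nspid equals the child's in-namespace pid would catch such a change. Clone events from builds before this commit carry the parent's nspid, so anything that correlates on nspid across agent versions should account for that. The function body starts and ends outside the hunk.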
