From 8af0b9729d65714848ea9a1c33f868ed6a1efb81 Mon Sep 17 00:00:00 2001
From: arthur-zhang
Date: Tue, 31 Dec 2024 16:55:32 +0800
Subject: [PATCH] fix: nspid assign is not correct

The current code incorrectly obtains the nspid from the parent process's task_struct instead of the forked child process, leading to incorrect nspid values when running in containerized environments.

Signed-off-by: arthur-zhang
---
 bpf/cgroup/bpf_cgroup_events.h | 2 +-
 bpf/lib/bpf_task.h | 10 ++++++++--
 bpf/process/bpf_execve_event.c | 2 +-
 bpf/process/bpf_fork.c | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/bpf/cgroup/bpf_cgroup_events.h b/bpf/cgroup/bpf_cgroup_events.h
index dc1c9a44ec4..59c5e3e5b64 100644
--- a/bpf/cgroup/bpf_cgroup_events.h
+++ b/bpf/cgroup/bpf_cgroup_events.h
@@ -41,7 +41,7 @@ send_cgrp_event(struct bpf_raw_tracepoint_args *ctx,
 }
 msg->cgrp_op = op;
 msg->pid = pid;
- msg->nspid = get_task_pid_vnr();
+ msg->nspid = get_task_pid_vnr_curr();
 msg->cgrpid = cgrpid;
 /* It is same as we are not tracking nested cgroups */
 msg->cgrpid_tracker = cgrpid;
diff --git a/bpf/lib/bpf_task.h b/bpf/lib/bpf_task.h
index 0fbe017763c..190e814e382 100644
--- a/bpf/lib/bpf_task.h
+++ b/bpf/lib/bpf_task.h
@@ -57,9 +57,8 @@ FUNC_INLINE struct task_struct *get_task_from_pid(__u32 pid)
 return task;
 }

-FUNC_INLINE __u32 get_task_pid_vnr(void)
+FUNC_INLINE __u32 get_task_pid_vnr_by_task(struct task_struct *task)
 {
- struct task_struct *task = (struct task_struct *)get_current_task();
 int thread_pid_exists;
 unsigned int level;
 struct upid upid;
@@ -96,6 +95,13 @@ FUNC_INLINE __u32 get_task_pid_vnr(void)
 return upid.nr;
 }

+FUNC_INLINE __u32 get_task_pid_vnr_curr(void)
+{
+ struct task_struct *task = (struct task_struct *)get_current_task();
+
+ return get_task_pid_vnr_by_task(task);
+}
+
 FUNC_INLINE __u32 event_find_parent_pid(struct task_struct *t)
 {
 struct task_struct *task = get_parent(t);
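Review bot: Neither get_task_pid_vnr_by_task() nor the new get_task_pid_vnr_curr() wrapper in bpf/lib/bpf_task.h carries a comment saying which task it reports on, and that distinction is exactly what this fix turns on. A hook that runs in the parent's context and picks the `_curr` variant would silently record the parent's nspid, so events from containers would be attributed to the wrong in-namespace pid. I would put `/* nspid of @task; use in hooks where current is not the task being reported */` above get_task_pid_vnr_by_task() and `/* nspid of current; only correct when current is the subject of the event */` above get_task_pid_vnr_curr(). The body of get_task_pid_vnr_by_task() lies outside both hunks, so how it behaves for a NULL or stale @task could not be checked from here.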
diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index 8489dc01aee..4571bbb4a18 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -259,7 +259,7 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 */
 p->pid = pid >> 32;
 p->tid = (__u32)pid;
- p->nspid = get_task_pid_vnr();
+ p->nspid = get_task_pid_vnr_curr();
 p->ktime = ktime_get_ns();
 p->size = offsetof(struct msg_process, args);
 p->auid = get_auid();
diff --git a/bpf/process/bpf_fork.c b/bpf/process/bpf_fork.c
index 1c0b5d0af37..554a9c0f60c 100644
--- a/bpf/process/bpf_fork.c
+++ b/bpf/process/bpf_fork.c
@@ -56,7 +56,7 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 curr->flags = EVENT_COMMON_FLAG_CLONE;
 curr->key.pid = tgid;
 curr->key.ktime = ktime_get_ns();
- curr->nspid = get_task_pid_vnr();
+ curr->nspid = get_task_pid_vnr_by_task(task);
 memcpy(&curr->bin, &parent->bin, sizeof(curr->bin));
 curr->pkey = parent->key;
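Review bot: The assignment `curr->nspid = get_task_pid_vnr_by_task(task);` in event_wake_up_new_task is the only call site in this patch that does not use the `_curr` helper, and nothing next to it explains why. Going by the commit message, current is still the parent when this probe runs, so a one-line comment such as `/* current is the parent here; read nspid from the new task */` would keep a later cleanup from switching it back. The diffstat touches no test files, so a regression check that a child forked inside a nested pid namespace reports its own nspid looks worth adding. The surrounding block starts and ends outside this hunk.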