Remove Pid from CgroupTracing event

DataDog · Dec 12, 2024 · 1823d5e · 1823d5e
1 parent 97aa08a
commit 1823d5e
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 41 deletions.
diff --git a/pkg/security/ebpf/c/include/events_definition.h b/pkg/security/ebpf/c/include/events_definition.h
@@ -122,7 +122,6 @@ struct cgroup_tracing_event_t {
     struct container_context_t container;
     struct activity_dump_config config;
     u64 cookie;
-    u32 pid;
 };
 
 struct cgroup_write_event_t {

diff --git a/pkg/security/ebpf/c/include/helpers/activity_dump.h b/pkg/security/ebpf/c/include/helpers/activity_dump.h
@@ -110,10 +110,8 @@ __attribute__((always_inline)) u64 trace_new_cgroup(void *ctx, u64 now, struct c
     evt->container.cgroup_context = container->cgroup_context;
     evt->cookie = cookie;
     evt->config = config;
-    evt->pid = bpf_get_current_pid_tgid() >> 32;
     send_event_ptr(ctx, EVENT_CGROUP_TRACING, evt);
 
-    // return cookie
     return cookie;
 }
 

diff --git a/pkg/security/probe/field_handlers_ebpf.go b/pkg/security/probe/field_handlers_ebpf.go
@@ -516,11 +516,11 @@ func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupCon
 				return string(entry.CGroup.CGroupID)
 			}
 
-			if err := fh.resolvers.ResolveCGroup(entry, e.CGroupFile, e.CGroupFlags); err != nil {
+			if cgroupContext, err := fh.resolvers.ResolveCGroupContext(e.CGroupFile, e.CGroupFlags); err != nil {
 				seclog.Debugf("Failed to resolve cgroup: %s", err)
+			} else {
+				*e = *cgroupContext
 			}
-
-			e.CGroupID = entry.CGroup.CGroupID
 		}
 	}
 

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -818,16 +818,18 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 			return
 		}
 
-		pce := p.Resolvers.ProcessResolver.Resolve(event.CgroupTracing.Pid, event.CgroupTracing.Pid, 0, false, newEntryCb)
-		if pce != nil {
-			if err := p.Resolvers.ResolveCGroup(pce, event.CgroupTracing.CGroupContext.CGroupFile, containerutils.CGroupFlags(event.CgroupTracing.CGroupContext.CGroupFlags)); err != nil {
-				seclog.Debugf("Failed to resolve cgroup: %s", err)
+		if cgroupContext, err := p.Resolvers.ResolveCGroupContext(event.CgroupTracing.CGroupContext.CGroupFile, containerutils.CGroupFlags(event.CgroupTracing.CGroupContext.CGroupFlags)); err != nil {
+			seclog.Debugf("Failed to resolve cgroup: %s", err)
+		} else {
+			event.CgroupTracing.CGroupContext = *cgroupContext
+			if cgroupContext.CGroupFlags.IsContainer() {
+				containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
+				event.CgroupTracing.ContainerContext.ContainerID = containerID
 			}
 
-			event.CgroupTracing.CGroupContext = pce.CGroup
+			p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
 		}
 
-		p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
 		return
 	case model.CgroupWriteEventType:
 		if _, err = event.CgroupWrite.UnmarshalBinary(data[offset:]); err != nil {
@@ -837,10 +839,21 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 
 		pce := p.Resolvers.ProcessResolver.Resolve(event.CgroupWrite.Pid, event.CgroupWrite.Pid, 0, false, newEntryCb)
 		if pce != nil {
-			if err := p.Resolvers.ResolveCGroup(pce, event.CgroupWrite.File.PathKey, containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags)); err != nil {
+			cgroupContext, err := p.Resolvers.ResolveCGroupContext(event.CgroupWrite.File.PathKey, containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags))
+			if err != nil {
 				seclog.Debugf("Failed to resolve cgroup: %s", err)
+			} else {
+				pce.Process.CGroup = *cgroupContext
+				pce.CGroup = *cgroupContext
+
+				if cgroupContext.CGroupFlags.IsContainer() {
+					containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
+					pce.ContainerID = containerID
+					pce.Process.ContainerID = containerID
+				}
 			}
 		}
+
 		return
 	case model.UnshareMountNsEventType:
 		if _, err = event.UnshareMountNS.UnmarshalBinary(data[offset:]); err != nil {

diff --git a/pkg/security/resolvers/resolvers_ebpf.go b/pkg/security/resolvers/resolvers_ebpf.go
@@ -217,35 +217,25 @@ func (r *EBPFResolvers) Start(ctx context.Context) error {
 	return r.NamespaceResolver.Start(ctx)
 }
 
-// ResolveCGroup resolves the path of cgroup for a process cache entry
-func (r *EBPFResolvers) ResolveCGroup(pce *model.ProcessCacheEntry, pathKey model.PathKey, cgroupFlags containerutils.CGroupFlags) error {
+// ResolveCGroupContext resolves the cgroup context from a cgroup path key
+func (r *EBPFResolvers) ResolveCGroupContext(pathKey model.PathKey, cgroupFlags containerutils.CGroupFlags) (*model.CGroupContext, error) {
 	path, err := r.DentryResolver.Resolve(pathKey, true)
-	if err == nil && path != "" {
-		cgroup := filepath.Dir(string(path))
-		if cgroup == "/" {
-			cgroup = path
-		}
-
-		cgroupFlags := containerutils.CGroupFlags(cgroupFlags)
-		cgroupContext := model.CGroupContext{
-			CGroupID:    containerutils.CGroupID(cgroup),
-			CGroupFlags: containerutils.CGroupFlags(cgroupFlags),
-			CGroupFile:  pathKey,
-		}
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve cgroup file %v: %w", pathKey, err)
+	}
 
-		pce.Process.CGroup = cgroupContext
-		pce.CGroup = cgroupContext
+	cgroup := filepath.Dir(string(path))
+	if cgroup == "/" {
+		cgroup = path
+	}
 
-		if cgroupFlags.IsContainer() {
-			containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
-			pce.ContainerID = containerID
-			pce.Process.ContainerID = containerID
-		}
-	} else {
-		return fmt.Errorf("failed to resolve cgroup file %v: %w", pathKey, err)
+	cgroupContext := &model.CGroupContext{
+		CGroupID:    containerutils.CGroupID(cgroup),
+		CGroupFlags: containerutils.CGroupFlags(cgroupFlags),
+		CGroupFile:  pathKey,
 	}
 
-	return nil
+	return cgroupContext, nil
 }
 
 // Snapshot collects data on the current state of the system to populate user space and kernel space caches.

diff --git a/pkg/security/secl/model/model_unix.go b/pkg/security/secl/model/model_unix.go
@@ -624,7 +624,6 @@ type CgroupTracingEvent struct {
 	ContainerContext ContainerContext
 	CGroupContext    CGroupContext
 	Config           ActivityDumpLoadConfig
-	Pid              uint32
 	ConfigCookie     uint64
 }
 

diff --git a/pkg/security/secl/model/unmarshallers_linux.go b/pkg/security/secl/model/unmarshallers_linux.go
@@ -984,13 +984,12 @@ func (e *CgroupTracingEvent) UnmarshalBinary(data []byte) (int, error) {
 	}
 	cursor += read
 
-	if len(data)-cursor < 12 {
+	if len(data)-cursor < 8 {
 		return 0, ErrNotEnoughData
 	}
 
 	e.ConfigCookie = binary.NativeEndian.Uint64(data[cursor : cursor+8])
-	e.Pid = binary.NativeEndian.Uint32(data[cursor+8 : cursor+12])
-	return cursor + 12, nil
+	return cursor + 8, nil
 }
 
 // UnmarshalBinary unmarshals a binary representation of itself