[CWS] Resolve context using pid for CgroupTracing events (#32652)
lebauce authored Jan 10, 2025
1 parent 0100661 commit cfc479d
Showing 5 changed files with 31 additions and 25 deletions.
1 change: 1 addition & 0 deletions pkg/security/ebpf/c/include/events_definition.h
Expand Up @@ -134,6 +134,7 @@ struct cgroup_tracing_event_t {
struct container_context_t container;
struct activity_dump_config config;
u64 cookie;
u32 pid;
};

struct cgroup_write_event_t {
1 change: 1 addition & 0 deletions pkg/security/ebpf/c/include/helpers/activity_dump.h
Expand Up @@ -121,6 +121,7 @@ __attribute__((always_inline)) u64 trace_new_cgroup(void *ctx, u64 now, struct c
evt->container.cgroup_context = container->cgroup_context;
evt->cookie = cookie;
evt->config = config;
evt->pid = bpf_get_current_pid_tgid() >> 32;
send_event_ptr(ctx, EVENT_CGROUP_TRACING, evt);

return cookie;
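Review bot: `evt->pid` is taken from whichever task is current when trace_new_cgroup runs, and nothing in this hunk states that this task belongs to the cgroup described by `container`. In probe_ebpf.go of the same commit, resolveCGroup writes the event's cgroup context and container ID into the process-cache entry for that pid, so a call made from another task's context (the callers are outside the hunk) would attach the container identity to the wrong process. A comment on the assignment would record the requirement, e.g. `/* tgid of the current task; callers must run in the context of a process inside this cgroup */`. trace_new_cgroup starts before the hunk.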
48 changes: 25 additions & 23 deletions pkg/security/probe/probe_ebpf.go
Expand Up @@ -732,6 +732,27 @@ func (p *EBPFProbe) zeroEvent() *model.Event {
return p.event
}

func (p *EBPFProbe) resolveCGroup(pid uint32, cgroupPathKey model.PathKey, cgroupFlags containerutils.CGroupFlags, newEntryCb func(entry *model.ProcessCacheEntry, err error)) (*model.CGroupContext, error) {
pce := p.Resolvers.ProcessResolver.Resolve(pid, pid, 0, false, newEntryCb)
if pce != nil {
cgroupContext, err := p.Resolvers.ResolveCGroupContext(cgroupPathKey, cgroupFlags)
if err != nil {
return nil, fmt.Errorf("failed to resorve cgroup for pid %d: %w", pid, err)
}

pce.Process.CGroup = *cgroupContext
pce.CGroup = *cgroupContext
if cgroupContext.CGroupFlags.IsContainer() {
containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
pce.ContainerID = containerID
pce.Process.ContainerID = containerID
}
} else {
return nil, fmt.Errorf("entry not found for pid %d", pid)
}
return &pce.CGroup, nil
}

func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
// handle play snapshot
if p.playSnapShotState.Swap(false) {
Expand Down Expand Up @@ -811,44 +832,25 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
seclog.Errorf("shouldn't receive Cgroup event if activity dumps are disabled")
return
}

if _, err = event.CgroupTracing.UnmarshalBinary(data[offset:]); err != nil {
seclog.Errorf("failed to decode cgroup tracing event: %s (offset %d, len %d)", err, offset, dataLen)
return
}

cgroupContext, err := p.Resolvers.ResolveCGroupContext(event.CgroupTracing.CGroupContext.CGroupFile, containerutils.CGroupFlags(event.CgroupTracing.CGroupContext.CGroupFlags))
if err != nil {
seclog.Debugf("Failed to resolve cgroup: %s", err)
if cgroupContext, err := p.resolveCGroup(event.CgroupTracing.Pid, event.CgroupTracing.CGroupContext.CGroupFile, event.CgroupTracing.CGroupContext.CGroupFlags, newEntryCb); err != nil {
seclog.Debugf("Failed to resolve cgroup: %s", err.Error())
} else {
event.CgroupTracing.CGroupContext = *cgroupContext
p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
}

return
case model.CgroupWriteEventType:
if _, err = event.CgroupWrite.UnmarshalBinary(data[offset:]); err != nil {
seclog.Errorf("failed to decode cgroup write released event: %s (offset %d, len %d)", err, offset, dataLen)
return
}

pce := p.Resolvers.ProcessResolver.Resolve(event.CgroupWrite.Pid, event.CgroupWrite.Pid, 0, false, newEntryCb)
if pce != nil {
cgroupContext, err := p.Resolvers.ResolveCGroupContext(event.CgroupWrite.File.PathKey, containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags))
if err != nil {
seclog.Debugf("Failed to resolve cgroup: %s", err)
} else {
pce.Process.CGroup = *cgroupContext
pce.CGroup = *cgroupContext

if cgroupContext.CGroupFlags.IsContainer() {
containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
pce.ContainerID = containerID
pce.Process.ContainerID = containerID
}
}
if _, err := p.resolveCGroup(event.CgroupWrite.Pid, event.CgroupWrite.File.PathKey, containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags), newEntryCb); err != nil {
seclog.Debugf("Failed to resolve cgroup: %s", err.Error())
}

return
case model.UnshareMountNsEventType:
if _, err = event.UnshareMountNS.UnmarshalBinary(data[offset:]); err != nil {
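Review bot: In the CgroupTracing case of handleEvent, any error from resolveCGroup skips `HandleCGroupTracingEvent`, and that now includes the `entry not found for pid %d` branch, reported only through `seclog.Debugf`. The other form of this case visible in the section depended on ResolveCGroupContext alone, so a pid missing from the process cache (presumably a short-lived process) can now leave a new cgroup without an activity dump and without a visible signal; logging that branch above debug level or counting it would make the gap observable. The wrapped error text in resolveCGroup also has a typo and should read `return nil, fmt.Errorf("failed to resolve cgroup for pid %d: %w", pid, err)`. resolveCGroup has no doc comment; one stating that it overwrites the entry's CGroup and ContainerID and returns a pointer into the cache entry would help. handleEvent continues outside both hunks.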
1 change: 1 addition & 0 deletions pkg/security/secl/model/model_unix.go
Expand Up @@ -634,6 +634,7 @@ type CgroupTracingEvent struct {
ContainerContext ContainerContext
CGroupContext CGroupContext
Config ActivityDumpLoadConfig
Pid uint32
ConfigCookie uint64
}

5 changes: 3 additions & 2 deletions pkg/security/secl/model/unmarshallers_linux.go
Expand Up @@ -985,12 +985,13 @@ func (e *CgroupTracingEvent) UnmarshalBinary(data []byte) (int, error) {
}
cursor += read

if len(data)-cursor < 8 {
if len(data)-cursor < 12 {
return 0, ErrNotEnoughData
}

e.ConfigCookie = binary.NativeEndian.Uint64(data[cursor : cursor+8])
return cursor + 8, nil
e.Pid = binary.NativeEndian.Uint32(data[cursor+8 : cursor+12])
return cursor + 12, nil
}

// UnmarshalBinary unmarshals a binary representation of itself
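Review bot: The guard `len(data)-cursor < 12` and the offsets `cursor+8 : cursor+12` hard-code the tail layout of the kernel event (an 8-byte cookie followed by a 4-byte pid, matching the field added to struct cgroup_tracing_event_t in this commit) without naming it. The guard does cover both reads, but this parser has to stay in step with the C struct, so a comment above the check would help the next change, e.g. `// tail layout: cookie (u64) then pid (u32), as in struct cgroup_tracing_event_t`. UnmarshalBinary begins before the hunk.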
