Never infer cgroup from container ID

DataDog · Dec 2, 2024 · 913a5d9 · 913a5d9
1 parent 03e0026
commit 913a5d9
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 30 deletions.
diff --git a/pkg/security/probe/field_handlers_ebpf.go b/pkg/security/probe/field_handlers_ebpf.go
@@ -525,11 +525,10 @@ func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupCon
 
 				entry.Process.CGroup.CGroupID = containerutils.CGroupID(cgroup)
 				entry.CGroup.CGroupID = containerutils.CGroupID(cgroup)
+				entry.CGroup.CGroupFile = e.CGroupFile
 				containerID, _ := containerutils.GetContainerFromCgroup(entry.CGroup.CGroupID)
 				entry.Process.ContainerID = containerutils.ContainerID(containerID)
 				entry.ContainerID = containerutils.ContainerID(containerID)
-			} else {
-				entry.CGroup.CGroupID = containerutils.GetCgroupFromContainer(entry.ContainerID, entry.CGroup.CGroupFlags)
 			}
 
 			e.CGroupID = entry.CGroup.CGroupID

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -638,9 +638,6 @@ func (p *EBPFProbe) unmarshalContexts(data []byte, event *model.Event) (int, err
 		return 0, err
 	}
 
-	// TODO(lebauce): fix this
-	event.CGroupContext.CGroupID, event.ContainerContext.ContainerID = containerutils.GetCGroupContext(event.ContainerContext.ContainerID, event.CGroupContext.CGroupFlags)
-
 	return read, nil
 }
 
@@ -669,9 +666,8 @@ func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (in
 		return n, err
 	}
 
-	entry.Process.CGroup.CGroupID, entry.Process.ContainerID = containerutils.GetCGroupContext(ev.ContainerContext.ContainerID, ev.CGroupContext.CGroupFlags)
-	entry.Process.CGroup.CGroupFlags = ev.CGroupContext.CGroupFlags
-	entry.Process.CGroup.CGroupFile = ev.CGroupContext.CGroupFile
+	entry.Process.ContainerID = ev.ContainerContext.ContainerID
+	entry.Process.CGroup = ev.CGroupContext
 	entry.Source = model.ProcessCacheEntryFromEvent
 
 	return n, nil
@@ -832,6 +828,8 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 				cgroupID := containerutils.CGroupID(path)
 				pce.CGroup.CGroupID = cgroupID
 				pce.Process.CGroup.CGroupID = cgroupID
+				pce.CGroup.CGroupFile = event.CgroupWrite.File.FileFields.PathKey
+				pce.Process.CGroup.CGroupFile = event.CgroupWrite.File.FileFields.PathKey
 				cgroupFlags := containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags)
 				if cgroupFlags.IsContainer() {
 					containerID, _ := containerutils.GetContainerFromCgroup(cgroupID)

diff --git a/pkg/security/resolvers/cgroup/model/model.go b/pkg/security/resolvers/cgroup/model/model.go
@@ -33,7 +33,6 @@ func NewCacheEntry(containerID containerutils.ContainerID, cgroupFlags uint64, p
 	newCGroup := CacheEntry{
 		Deleted: atomic.NewBool(false),
 		CGroupContext: model.CGroupContext{
-			CGroupID:    containerutils.GetCgroupFromContainer(containerID, containerutils.CGroupFlags(cgroupFlags)),
 			CGroupFlags: containerutils.CGroupFlags(cgroupFlags),
 		},
 		ContainerContext: model.ContainerContext{

diff --git a/pkg/security/resolvers/process/resolver_ebpf.go b/pkg/security/resolvers/process/resolver_ebpf.go
@@ -874,10 +874,9 @@ func (p *EBPFResolver) resolveFromKernelMaps(pid, tid uint32, inode uint64, newE
 	// the parent is in a container. In other words, we have to fall back to /proc to query the container ID of the
 	// process.
 	if entry.ContainerID == "" {
-		containerID, containerFlags, err := p.containerResolver.GetContainerContext(pid)
+		_, containerFlags, err := p.containerResolver.GetContainerContext(pid)
 		if err == nil {
 			entry.CGroup.CGroupFlags = containerFlags
-			entry.CGroup.CGroupID = containerutils.GetCgroupFromContainer(containerID, containerFlags)
 		}
 	}
 

diff --git a/pkg/security/secl/containerutils/cgroup.go b/pkg/security/secl/containerutils/cgroup.go
@@ -65,13 +65,3 @@ func GetContainerFromCgroup(cgroup CGroupID) (ContainerID, CGroupFlags) {
 	}
 	return "", 0
 }
-
-// GetCgroupFromContainer infers the container runtime from a cgroup name
-func GetCgroupFromContainer(id ContainerID, flags CGroupFlags) CGroupID {
-	for runtimePrefix, runtimeFlag := range RuntimePrefixes {
-		if flags&CGroupManagerMask == CGroupFlags(runtimeFlag) {
-			return CGroupID(runtimePrefix + string(id))
-		}
-	}
-	return CGroupID("")
-}
diff --git a/pkg/security/secl/containerutils/helpers.go b/pkg/security/secl/containerutils/helpers.go
@@ -76,12 +76,3 @@ func FindContainerID(s string) (ContainerID, uint64) {
 
 	return containerID, uint64(flags)
 }
-
-// GetCGroupContext returns the cgroup ID and the sanitized container ID from a container id/flags tuple
-func GetCGroupContext(containerID ContainerID, cgroupFlags CGroupFlags) (CGroupID, ContainerID) {
-	cgroupID := GetCgroupFromContainer(containerID, cgroupFlags)
-	if !cgroupFlags.IsContainer() {
-		containerID = ""
-	}
-	return CGroupID(cgroupID), ContainerID(containerID)
-}