Add Merge method on cgroup context

DataDog · Dec 4, 2024 · deefc6e · deefc6e
1 parent 4d8df74
commit deefc6e
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 10 deletions.
diff --git a/pkg/security/probe/field_handlers_ebpf.go b/pkg/security/probe/field_handlers_ebpf.go
@@ -516,7 +516,7 @@ func (fh *EBPFFieldHandlers) ResolveCGroupID(ev *model.Event, e *model.CGroupCon
 				return string(entry.CGroup.CGroupID)
 			}
 
-			if err := fh.resolvers.ResolveCGroup(entry, ev.BaseEvent.PIDContext.Pid, e.CGroupFile, e.CGroupFlags, nil); err != nil {
+			if err := fh.resolvers.ResolveCGroup(entry, e.CGroupFile, e.CGroupFlags); err != nil {
 				seclog.Debugf("Failed to resolve cgroup: %s", err)
 			}
 

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -673,7 +673,11 @@ func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (in
 	}
 
 	entry.Process.ContainerID = ev.ContainerContext.ContainerID
-	entry.Process.CGroup = ev.CGroupContext
+	entry.ContainerID = ev.ContainerContext.ContainerID
+
+	entry.Process.CGroup.Merge(&ev.CGroupContext)
+	entry.CGroup.Merge(&ev.CGroupContext)
+
 	entry.Source = model.ProcessCacheEntryFromEvent
 
 	return n, nil
@@ -824,7 +828,7 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 
 		pce := p.Resolvers.ProcessResolver.Resolve(event.CgroupWrite.Pid, event.CgroupWrite.Pid, 0, false, newEntryCb)
 		if pce != nil {
-			if err := p.Resolvers.ResolveCGroup(pce, event.CgroupWrite.Pid, event.CgroupWrite.File.PathKey, containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags), newEntryCb); err != nil {
+			if err := p.Resolvers.ResolveCGroup(pce, event.CgroupWrite.File.PathKey, containerutils.CGroupFlags(event.CgroupWrite.CGroupFlags)); err != nil {
 				seclog.Debugf("Failed to resolve cgroup: %s", err)
 			}
 		}

diff --git a/pkg/security/resolvers/process/resolver_ebpf.go b/pkg/security/resolvers/process/resolver_ebpf.go
@@ -852,10 +852,9 @@ func (p *EBPFResolver) resolveFromKernelMaps(pid, tid uint32, inode uint64, newE
 	// is no insurance that the parent of this process is still running, we can't use our user space cache to check if
 	// the parent is in a container. In other words, we have to fall back to /proc to query the container ID of the
 	// process.
-	if entry.CGroup.CGroupID == "" || entry.ContainerID == "" {
-		containerID, cgroup, err := p.containerResolver.GetContainerContext(pid)
-		if err == nil {
-			entry.CGroup = cgroup
+	if entry.ContainerID == "" || entry.CGroup.CGroupFile.Inode == 0 {
+		if containerID, cgroup, err := p.containerResolver.GetContainerContext(pid); err == nil {
+			entry.CGroup.Merge(&cgroup)
 			entry.ContainerID = containerID
 		}
 	}

diff --git a/pkg/security/resolvers/resolvers_ebpf.go b/pkg/security/resolvers/resolvers_ebpf.go
@@ -218,7 +218,7 @@ func (r *EBPFResolvers) Start(ctx context.Context) error {
 }
 
 // ResolveCGroup resolves the path of cgroup for a process cache entry
-func (r *EBPFResolvers) ResolveCGroup(pce *model.ProcessCacheEntry, pid uint32, pathKey model.PathKey, cgroupFlags containerutils.CGroupFlags, newEntryCb func(entry *model.ProcessCacheEntry, err error)) error {
+func (r *EBPFResolvers) ResolveCGroup(pce *model.ProcessCacheEntry, pathKey model.PathKey, cgroupFlags containerutils.CGroupFlags) error {
 	path, err := r.DentryResolver.Resolve(pathKey, true)
 	if err == nil && path != "" {
 		cgroup := filepath.Dir(string(path))
@@ -233,8 +233,8 @@ func (r *EBPFResolvers) ResolveCGroup(pce *model.ProcessCacheEntry, pid uint32,
 			CGroupFile:  pathKey,
 		}
 
-		pce.Process.CGroup = cgroupContext
-		pce.CGroup = cgroupContext
+		pce.Process.CGroup.Merge(&cgroupContext)
+		pce.CGroup.Merge(&cgroupContext)
 
 		if cgroupFlags.IsContainer() {
 			containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)

diff --git a/pkg/security/secl/model/model_unix.go b/pkg/security/secl/model/model_unix.go
@@ -101,6 +101,22 @@ type CGroupContext struct {
 	CGroupFile    PathKey                    `field:"file"`
 }
 
+// Merge two cgroup context
+func (cg *CGroupContext) Merge(cg2 *CGroupContext) {
+	if cg.CGroupID == "" {
+		cg.CGroupID = cg2.CGroupID
+	}
+	if cg.CGroupFlags == 0 {
+		cg.CGroupFlags = cg2.CGroupFlags
+	}
+	if cg.CGroupFile.Inode == 0 {
+		cg.CGroupFile.Inode = cg2.CGroupFile.Inode
+	}
+	if cg.CGroupFile.MountID == 0 {
+		cg.CGroupFile.MountID = cg2.CGroupFile.MountID
+	}
+}
+
 // SyscallEvent contains common fields for all the event
 type SyscallEvent struct {
 	Retval int64 `field:"retval"` // SECLDoc[retval] Definition:`Return value of the syscall` Constants:`Error constants`