fix: nspid assign is not correct

[arthur-zhang]

Description

curr->nspid should be obtained from the child task arguments, not from the current task_struct (the parent process).

This will lead to a mismatch between pid and nspid.

__attribute__((section("kprobe/wake_up_new_task"), used)) int
BPF_KPROBE(event_wake_up_new_task, struct task_struct *task) {
struct execve_map_value *curr;

  tgid = BPF_CORE_READ(task, tgid); 
  curr->key.pid = tgid; // curr->key.pid is obtained from the task argument
  // is not correct.
  curr->nspid = get_task_pid_vnr(); // curr->nspid is obtained from the current task_struct (parent)!
}

for example. if we run in docker, we run a app which fork process every second, the pid in container will be like this

Hello from child process (PID: 485), parent: 1
Hello from child process (PID: 486), parent: 1
Hello from child process (PID: 487), parent: 1
Hello from child process (PID: 488), parent: 1
Hello from child process (PID: 489), parent: 1
Hello from child process (PID: 490), parent: 1

but when we get from bpf side, pid is the real host pid ,but nspid is always 1(the root parent process in container)

       fork_test-2040715 [002] d...1 3632982.277835: bpf_trace_printk: >>>>, pid: 2052883, nspid:1
       fork_test-2040333 [000] d...1 3632985.145937: bpf_trace_printk: >>>>, pid: 2052884, nspid:1
       fork_test-2040715 [002] d...1 3632985.278018: bpf_trace_printk: >>>>, pid: 2052885, nspid:1

Changelog

Description

curr->nspid should be obtained from the child task arguments, not from the current task_struct (the parent process).

This will lead to a mismatch between pid and nspid.

__attribute__((section("kprobe/wake_up_new_task"), used)) int
BPF_KPROBE(event_wake_up_new_task, struct task_struct *task) {
struct execve_map_value *curr;

  tgid = BPF_CORE_READ(task, tgid); 
  curr->key.pid = tgid; // curr->key.pid is obtained from the task argument
  // is not correct.
  curr->nspid = get_task_pid_vnr(); // curr->nspid is obtained from the current task_struct (parent)!
}

for example. if we run in docker, we run a app which fork process every second, the pid in container will be like this

Hello from child process (PID: 485), parent: 1
Hello from child process (PID: 486), parent: 1
Hello from child process (PID: 487), parent: 1
Hello from child process (PID: 488), parent: 1
Hello from child process (PID: 489), parent: 1
Hello from child process (PID: 490), parent: 1

but when we get from bpf side, pid is the real host pid ,but nspid is always 1(the root parent process in container)

       fork_test-2040715 [002] d...1 3632982.277835: bpf_trace_printk: >>>>, pid: 2052883, nspid:1
       fork_test-2040333 [000] d...1 3632985.145937: bpf_trace_printk: >>>>, pid: 2052884, nspid:1
       fork_test-2040715 [002] d...1 3632985.278018: bpf_trace_printk: >>>>, pid: 2052885, nspid:1

[olsajiri]

nice catch, please put the PR description into commit changelog

[olsajiri]

please put extra line after declaration

[arthur-zhang]

done

[olsajiri]

there needs to be empty line after declrations, so something like:

--- a/bpf/lib/bpf_task.h
+++ b/bpf/lib/bpf_task.h
@@ -98,6 +98,7 @@ FUNC_INLINE __u32 get_task_pid_vnr_by_task(struct task_struct *task)
 FUNC_INLINE __u32 get_task_pid_vnr_curr(void)
 {
        struct task_struct *task = (struct task_struct *)get_current_task();
+
        return get_task_pid_vnr_by_task(task);
 }

[arthur-zhang]

done modify

[olsajiri]

ok, also please add the missing changelog, thanks

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	c25fc78
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/6777f594dd9f3b0008353f41
😎 Deploy Preview	https://deploy-preview-3267--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.