Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix ProcessTree rogue entries #4582

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Fix ProcessTree rogue entries #4582

wants to merge 6 commits into from

Conversation

geyslan
Copy link
Member

@geyslan geyslan commented Feb 8, 2025
edited
Loading

Close: #4580
Close: #3878

1. Explain what the PR does

3365234 chore(proctree): add debug comment
f400d59 fix(proctree): exec event already brings data
1c03c99 fix(proctree): treat kthread as special case
6132821 fix(proctree): time normalization momentum
dc544ec fix(tests): kill only tracee (-x exact match)
2b24584 chore(proctree): add exittime to debug

f400d59 fix(proctree): exec event already brings data

Populate Process TaskInfo with data from sched_process_exec event.
Without it, the ProcessTree when set as source=events will contain
entries with no relevant data.

1c03c99 fix(proctree): treat kthread as special case

kthread was being added only as parent, so its taskinfo was not being
updated.

6132821 fix(proctree): time normalization momentum

ProcessTree was populated with rogue entries because time normalization
was not performed at the correct moment, leading to a mismatch between
hashes from signals and those from events.

2. Explain how to test it

Uncomment https://github.com/aquasecurity/tracee/pull/4582/files#diff-72195925b110a2e9579f4bd9491d18052a9fb1875d2b3757987cfdfc288a1cffR183 and run tracee with --proctree source=both, --proctree source=events, --proctree source=signals for checking the current state of the ProcessTree. One might also wanna run INSTTESTS="PROCTREE_DATA_SOURCE" ./tests/e2e-inst-test.sh changing the source type inside that script before.

One won't see anymore:

  • Rogue entries (hashes without pid, tid or ppid)
  • Different hashes for the same pid, tid and ppid
  • pid 2 as a rogue entry

3. Other comments

@geyslan
chore(proctree): add exittime to debug
2b24584
@geyslan
fix(tests): kill only tracee (-x exact match)
dc544ec
@geyslan
fix(proctree): time normalization momentum
6132821 
ProcessTree was populated with rogue entries because time normalization
was not performed at the correct moment, leading to a mismatch between
hashes from signals and those from events.
@geyslan
fix(proctree): treat kthread as special case
1c03c99 
kthread was being added only as parent, so its taskinfo was not being
updated.
@geyslan geyslan self-assigned this Feb 8, 2025
@geyslan
fix(proctree): exec event already brings data
f400d59 
Populate Process TaskInfo with data from sched_process_exec event.
Without it, the ProcessTree when set as source=events will contain
entries with no relevant data.
@geyslan
chore(proctree): add debug comment
3365234
@geyslan geyslan force-pushed the proctree-the-fourth branch from 46d1d44 to 3365234 Compare February 8, 2025 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rscampos rscampos Awaiting requested review from rscampos

@NDStrahilevitz NDStrahilevitz Awaiting requested review from NDStrahilevitz

At least 1 approving review is required to merge this pull request.

Assignees

@geyslan geyslan

Labels
area/ebpf area/testing kind/bug milestone/v0.23.0
Projects
None yet
Milestone
No milestone
1 participant
@geyslan