bpf: store thread leader namespaces at fork and reduce false positives

Store the thread leader namespaces during fork so we can check later if they changed, as right now they are only stored late during execv which will point to a new exec_id entry anyway. Right now during fork they are zeroed in the execve_map which make it unreliable to detect if they changed between the fork and the final execve, they will always be reported as if they changed which could be a false positive report. Signed-off-by: Djalal Harouni <[email protected]>
cilium · Apr 23, 2024 · 6e9cace · 6e9cace
1 parent 2101ea1
commit 6e9cace
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/bpf/process/bpf_fork.c b/bpf/process/bpf_fork.c
@@ -23,6 +23,7 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 	struct execve_map_value *curr, *parent;
 	struct msg_clone_event msg;
 	struct msg_capabilities caps;
+	struct msg_ns ns;
 	u64 msg_size = sizeof(struct msg_clone_event);
 	u32 tgid = 0;
 
@@ -66,6 +67,12 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 	curr->caps.effective = caps.effective;
 	curr->caps.inheritable = caps.inheritable;
 
+	/* Store the thread leader namespaces so we can check later
+	 * before the execve hook point if they changed or not.
+	 */
+	get_namespaces(&ns, task);
+	memcpy(&curr->ns, &ns, sizeof(struct msg_ns));
+
 	/* Setup the msg_clone_event and sent to the user. */
 	msg.common.op = MSG_OP_CLONE;
 	msg.common.size = msg_size;