bpf: store thread leader namespaces at fork and reduce false positives

[ Upstream main 67e436b ] Store the thread leader namespaces during fork so we can check later if they changed, as right now they are only stored late during execv which will point to a new exec_id entry anyway. Right now during fork they are zeroed in the execve_map which make it unreliable to detect if they changed between the fork and the final execve, they will always be reported as if they changed which could be While we are it improve how we fetch and store capabilities. Signed-off-by: Djalal Harouni <[email protected]>
cilium · Jul 19, 2024 · f5ddcc7 · f5ddcc7
1 parent b5c68c8
commit f5ddcc7
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/bpf/process/bpf_fork.c b/bpf/process/bpf_fork.c
@@ -22,7 +22,6 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 {
 	struct execve_map_value *curr, *parent;
 	struct msg_clone_event msg;
-	struct msg_capabilities caps;
 	u64 msg_size = sizeof(struct msg_clone_event);
 	u32 tgid = 0;
 
@@ -61,10 +60,12 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 	 * before the execve hook point if they changed or not.
 	 * This needs to be converted later to credentials.
 	 */
-	get_current_subj_caps(&caps, task);
-	curr->caps.permitted = caps.permitted;
-	curr->caps.effective = caps.effective;
-	curr->caps.inheritable = caps.inheritable;
+	get_current_subj_caps(&curr->caps, task);
+
+	/* Store the thread leader namespaces so we can check later
+	 * before the execve hook point if they changed or not.
+	 */
+	get_namespaces(&curr->ns, task);
 
 	/* Setup the msg_clone_event and sent to the user. */
 	msg.common.op = MSG_OP_CLONE;