From cb82a38169cc0918132ee00763ec6383a0af54d7 Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@gmail.com>
Date: Tue, 18 Jun 2024 00:09:33 +0100
Subject: [PATCH 1/2] process:bpf: report euid as the process.uid at execve

[ Upstream main a8200d8c91a1e3 ]

Instead of reporting the real uid of the task that is the owner of
the task in 'process.uid' when collecting execve info in bpf, let's
report the effective uid that is used to calculate the privileges
of the current task when acting upon other objects. This allows to
be compatible with 'ps'.

We already do this for processes that we collect from /proc, the
process.uid == euid actually. So align bpf as well.

For /proc it is a bit more complicated, since the processes may
change their uids, drop/gain privs, etc after their execve and before
tetragon starts, so we do not have that much context. For processes
that start after tetragon, we can record at execve time and cache
it.

The real uid != euid at execve time happens when we are executing
a setuid/setgid binary where the inode->i_uid|i_gid are mapped to
current idmapping mount and reflected to the new euid and egid. Then
if the capability LSM allows setuid/setgid execution then the new
euid and egid will be propagated to suid/fsuid and sgid/fsgid while
the uid and gid still have the values of the original task performing
execve call.

The following details why the kernel has both real and effective uid
and how they are used in permission checks. We start by real uid:

* Real uid is used to determine the task owner (uid that started it).

* Change privileges of a task drop/raise while keeping it possible
  to restore the effective, saved and other uids back that are used
  for various permission checks to the original real uid that started
  the task, in case of setuid system calls.

* When mounting some file systems to auto fill up the owner of the fs.

* When a process is sending a signal, its real uid is used
  to fill up the siginfo_t.uid field but also it is used to determine
  if we can signal the remote task, as the permission check is:
  caller->euid == target->suid || caller->euid == target->uid

  If the caller euid does not match the kill permission check switches
  to use the real uid:
  caller->uid == target->suid || caller->uid == target->uid.

* When ptracing a target task. The ptrace call has different access
  modes. To be precise accessing a task is possible through filesystem
  like /proc or directly through a syscall by pid, where caller may
  specify to use PTRACE_MODE_FSCREDS fsuid,fsgid for the former or
  PTRACE_MODE_REALCREDS real uid/gid for the later.

  In case of PTRACE_MODE_REALCREDS then the real task owner real
  uid/gid will be computed against the target task:
  caller->uid == target->euid == target->suid && target->uid &&
  caller->gid == target->egid == target->sgid && target->gid

  This is another case where the real uid of caller could be used
  to calculate privileges.

Now for the effective uid it is used for most permission checks when
acting upong other objects:

* A task is considered privileged if its euid == user_ns->owner,
  so a task is privileged if its euid equals the current user namespace
  owner, or one of the parent user namespaces owners. Even if that
  task has no capabilities, it has full privileges as being the
  owner of one user namespace, including init host user namespace.

  This allows access to mostly everything, even for the kill signal
  permission check, as the capability check will eventually fallback
  to the euid to determine if it has ownership on task's user
  namespace.

* The inode i_uid owner is usually initialized with caller fsuid,
  where the fsuid always matches the euid at execve time.

* The fsuid that is used for file system access permission always
  matches the euid at execve time, in this context access permission
  aligns with euid.

If users want more details about all different uids, then they can
specify the --enable-process-cred flag which will export the
'process.process_credentials' struct with all the uids/gids.

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
---
 bpf/process/bpf_execve_event.c |  8 +++++++-
 pkg/sensors/exec/exec_test.go  | 12 ++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index 59612148bba..f4d091e3b7d 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -212,7 +212,6 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	p->ktime = ktime_get_ns();
 	p->size = offsetof(struct msg_process, args);
 	p->auid = get_auid();
-	p->uid = get_current_uid_gid();
 	read_execve_shared_info(ctx, p, pid);
 
 	p->size += read_path(ctx, event, filename);
@@ -226,6 +225,13 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	BPF_CORE_READ_INTO(&event->kube.net_ns, task, nsproxy, net_ns, ns.inum);
 
 	get_current_subj_creds(&event->creds, task);
+	/**
+	 * Instead of showing the task owner, we want to display the effective
+	 * uid that is used to calculate the privileges of current task when
+	 * acting upon other objects. This allows to be compatible with the 'ps'
+	 * tool that reports snapshot of current processes.
+	 */
+	p->uid = event->creds.euid;
 	get_namespaces(&event->ns, task);
 	p->flags |= __event_get_cgroup_info(task, &event->kube);
 
diff --git a/pkg/sensors/exec/exec_test.go b/pkg/sensors/exec/exec_test.go
index c6925db545d..1c01d709be4 100644
--- a/pkg/sensors/exec/exec_test.go
+++ b/pkg/sensors/exec/exec_test.go
@@ -1148,10 +1148,10 @@ func TestExecProcessCredentialsSetgidChanges(t *testing.T) {
 	setgidNonRootCreds := ec.NewProcessCredentialsChecker().
 		WithUid(0).WithEuid(uint32(gid)).WithSuid(uint32(gid)).WithFsuid(uint32(gid)).
 		WithGid(0).WithEgid(uint32(gid)).WithSgid(uint32(gid)).WithFsgid(uint32(gid))
-	procExecSetgidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(0)).
+	procExecSetgidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(gid)).
 		WithBinary(sm.Full(testSuid)).WithProcessCredentials(setgidNonRootCreds).WithBinaryProperties(bpSetgidNoRoot)
 	execSetgidNoRootChecker := ec.NewProcessExecChecker("exec").WithProcess(procExecSetgidNoRootChecker)
-	procExitSetgidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(0)).
+	procExitSetgidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(gid)).
 		WithBinary(sm.Full(testSuid)).WithProcessCredentials(setgidNonRootCreds).WithBinaryProperties(nil)
 	exitSetgidNoRootChecker := ec.NewProcessExitChecker("exit").WithProcess(procExitSetgidNoRootChecker)
 
@@ -1222,10 +1222,10 @@ func TestExecProcessCredentialsSetuidChanges(t *testing.T) {
 	setuidNonRootCreds := ec.NewProcessCredentialsChecker().
 		WithUid(0).WithEuid(uint32(gid)).WithSuid(uint32(gid)).WithFsuid(uint32(gid)).
 		WithGid(0).WithEgid(uint32(gid)).WithSgid(uint32(gid)).WithFsgid(uint32(gid))
-	procExecSetuidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(0)).
+	procExecSetuidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(gid)).
 		WithBinary(sm.Full(testSuid)).WithProcessCredentials(setuidNonRootCreds).WithBinaryProperties(bpSetuidNoRoot)
 	execSetuidNoRootChecker := ec.NewProcessExecChecker("exec").WithProcess(procExecSetuidNoRootChecker)
-	procExitSetuidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(0)).
+	procExitSetuidNoRootChecker := ec.NewProcessChecker().WithUid(uint32(gid)).
 		WithBinary(sm.Full(testSuid)).WithProcessCredentials(setuidNonRootCreds).WithBinaryProperties(nil)
 	exitSetuidNoRootChecker := ec.NewProcessExitChecker("exit").WithProcess(procExitSetuidNoRootChecker)
 
@@ -1240,10 +1240,10 @@ func TestExecProcessCredentialsSetuidChanges(t *testing.T) {
 	setuidRootCreds := ec.NewProcessCredentialsChecker().
 		WithUid(uint32(gid)).WithEuid(0).WithSuid(0).WithFsuid(0).
 		WithGid(uint32(gid)).WithEgid(uint32(gid)).WithSgid(uint32(gid)).WithFsgid(uint32(gid))
-	procExecSetuidRootChecker := ec.NewProcessChecker().WithUid(uint32(gid)).
+	procExecSetuidRootChecker := ec.NewProcessChecker().WithUid(uint32(0)).
 		WithBinary(sm.Full(testSu)).WithProcessCredentials(setuidRootCreds).WithBinaryProperties(bpSetuidRoot)
 	execSetuidRootChecker := ec.NewProcessExecChecker("exec").WithProcess(procExecSetuidRootChecker)
-	procExitSetuidRootChecker := ec.NewProcessChecker().WithUid(uint32(gid)).
+	procExitSetuidRootChecker := ec.NewProcessChecker().WithUid(uint32(0)).
 		WithBinary(sm.Full(testSu)).WithProcessCredentials(setuidRootCreds).WithBinaryProperties(nil)
 	exitSetuidRootChecker := ec.NewProcessExitChecker("exit").WithProcess(procExitSetuidRootChecker)
 

From fd9a1860a0f04ebb8f129243b293f380469f1021 Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@gmail.com>
Date: Tue, 18 Jun 2024 16:22:28 +0100
Subject: [PATCH 2/2] api: improve process.uid and process_credentials
 documentation

[ Upstream main d308a1565a65aeea ]

Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
---
 api/v1/README.md                              | 20 ++++++++--------
 api/v1/tetragon/tetragon.pb.go                | 23 +++++++++++--------
 api/v1/tetragon/tetragon.proto                | 23 +++++++++++--------
 .../tetragon/api/v1/tetragon/tetragon.pb.go   | 23 +++++++++++--------
 .../tetragon/api/v1/tetragon/tetragon.proto   | 23 +++++++++++--------
 docs/content/en/docs/reference/grpc-api.md    | 20 ++++++++--------
 .../tetragon/api/v1/tetragon/tetragon.pb.go   | 23 +++++++++++--------
 .../tetragon/api/v1/tetragon/tetragon.proto   | 23 +++++++++++--------
 8 files changed, 98 insertions(+), 80 deletions(-)

diff --git a/api/v1/README.md b/api/v1/README.md
index 8c7563936c4..4b783c7fd81 100644
--- a/api/v1/README.md
+++ b/api/v1/README.md
@@ -793,7 +793,7 @@ https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontain
 | ----- | ---- | ----- | ----------- |
 | exec_id | [string](#string) |  | Exec ID uniquely identifies the process over time across all the nodes in the cluster. |
 | pid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | Process identifier from host PID namespace. |
-| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | User identifier associated with the process. |
+| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective User identifier used for permission checks. This field maps to the &#39;ProcessCredentials.euid&#39; field. Run with the `--enable-process-cred` flag to enable &#39;ProcessCredentials&#39; and get all the User and Group identifiers. |
 | cwd | [string](#string) |  | Current working directory of the process. |
 | binary | [string](#string) |  | Absolute path of the executed binary. |
 | arguments | [string](#string) |  | Arguments passed to the binary at execution. |
@@ -807,7 +807,7 @@ https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontain
 | cap | [Capabilities](#tetragon-Capabilities) |  | Set of capabilities that define the permissions the process can execute with. |
 | ns | [Namespaces](#tetragon-Namespaces) |  | Linux namespaces of the process, disabled by default, can be enabled by the `--enable-process-ns` flag. |
 | tid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | Thread ID, note that for the thread group leader, tid is equal to pid. |
-| process_credentials | [ProcessCredentials](#tetragon-ProcessCredentials) |  | Process credentials |
+| process_credentials | [ProcessCredentials](#tetragon-ProcessCredentials) |  | Process credentials, disabled by default, can be enabled by the `--enable-process-cred` flag. |
 | binary_properties | [BinaryProperties](#tetragon-BinaryProperties) |  | Executed binary properties. This field is only available on ProcessExec events. |
 | user | [UserRecord](#tetragon-UserRecord) |  | UserRecord contains user information about the event.
 
@@ -826,14 +826,14 @@ UserRecord is only supported when i) Tetragon is running as a systemd service or
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real user ID |
-| gid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real group ID |
-| euid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective user ID |
-| egid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective group ID |
-| suid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved user ID |
-| sgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved group ID |
-| fsuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | the filesystem user ID |
-| fsgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The filesystem group ID |
+| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real user ID of the process&#39; owner. |
+| gid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real group ID of the process&#39; owner. |
+| euid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective user ID used for permission checks. |
+| egid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective group ID used for permission checks. |
+| suid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved user ID. |
+| sgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved group ID. |
+| fsuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | the filesystem user ID used for filesystem access checks. Usually equals the euid. |
+| fsgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The filesystem group ID used for filesystem access checks. Usually equals the egid. |
 | securebits | [SecureBitsType](#tetragon-SecureBitsType) | repeated | Secure management flags |
 | caps | [Capabilities](#tetragon-Capabilities) |  | Set of capabilities that define the permissions the process can execute with. |
 | user_ns | [UserNamespace](#tetragon-UserNamespace) |  | User namespace where the UIDs, GIDs and capabilities are relative to. |
diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go
index 7f892632d21..ace6dfcfc1c 100644
--- a/api/v1/tetragon/tetragon.pb.go
+++ b/api/v1/tetragon/tetragon.pb.go
@@ -885,21 +885,21 @@ type ProcessCredentials struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// The real user ID
+	// The real user ID of the process' owner.
 	Uid *wrapperspb.UInt32Value `protobuf:"bytes,1,opt,name=uid,proto3" json:"uid,omitempty"`
-	// The real group ID
+	// The real group ID of the process' owner.
 	Gid *wrapperspb.UInt32Value `protobuf:"bytes,2,opt,name=gid,proto3" json:"gid,omitempty"`
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	Euid *wrapperspb.UInt32Value `protobuf:"bytes,3,opt,name=euid,proto3" json:"euid,omitempty"`
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	Egid *wrapperspb.UInt32Value `protobuf:"bytes,4,opt,name=egid,proto3" json:"egid,omitempty"`
-	// The saved user ID
+	// The saved user ID.
 	Suid *wrapperspb.UInt32Value `protobuf:"bytes,5,opt,name=suid,proto3" json:"suid,omitempty"`
-	// The saved group ID
+	// The saved group ID.
 	Sgid *wrapperspb.UInt32Value `protobuf:"bytes,6,opt,name=sgid,proto3" json:"sgid,omitempty"`
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	Fsuid *wrapperspb.UInt32Value `protobuf:"bytes,7,opt,name=fsuid,proto3" json:"fsuid,omitempty"`
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	Fsgid *wrapperspb.UInt32Value `protobuf:"bytes,8,opt,name=fsgid,proto3" json:"fsgid,omitempty"`
 	// Secure management flags
 	Securebits []SecureBitsType `protobuf:"varint,9,rep,packed,name=securebits,proto3,enum=tetragon.SecureBitsType" json:"securebits,omitempty"`
@@ -1271,7 +1271,9 @@ type Process struct {
 	ExecId string `protobuf:"bytes,1,opt,name=exec_id,json=execId,proto3" json:"exec_id,omitempty"`
 	// Process identifier from host PID namespace.
 	Pid *wrapperspb.UInt32Value `protobuf:"bytes,2,opt,name=pid,proto3" json:"pid,omitempty"`
-	// User identifier associated with the process.
+	// The effective User identifier used for permission checks. This field maps to the
+	// 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+	// enable 'ProcessCredentials' and get all the User and Group identifiers.
 	Uid *wrapperspb.UInt32Value `protobuf:"bytes,3,opt,name=uid,proto3" json:"uid,omitempty"`
 	// Current working directory of the process.
 	Cwd string `protobuf:"bytes,4,opt,name=cwd,proto3" json:"cwd,omitempty"`
@@ -1355,7 +1357,8 @@ type Process struct {
 	Ns *Namespaces `protobuf:"bytes,15,opt,name=ns,proto3" json:"ns,omitempty"`
 	// Thread ID, note that for the thread group leader, tid is equal to pid.
 	Tid *wrapperspb.UInt32Value `protobuf:"bytes,16,opt,name=tid,proto3" json:"tid,omitempty"`
-	// Process credentials
+	// Process credentials, disabled by default, can be enabled by the
+	// `--enable-process-cred` flag.
 	ProcessCredentials *ProcessCredentials `protobuf:"bytes,17,opt,name=process_credentials,json=processCredentials,proto3" json:"process_credentials,omitempty"`
 	// Executed binary properties. This field is only available on ProcessExec events.
 	BinaryProperties *BinaryProperties `protobuf:"bytes,18,opt,name=binary_properties,json=binaryProperties,proto3" json:"binary_properties,omitempty"`
diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto
index 79f74a78121..801f46c0b3f 100644
--- a/api/v1/tetragon/tetragon.proto
+++ b/api/v1/tetragon/tetragon.proto
@@ -112,21 +112,21 @@ message UserNamespace {
 }
 
 message ProcessCredentials {
-	// The real user ID
+	// The real user ID of the process' owner.
 	google.protobuf.UInt32Value uid = 1;
-	// The real group ID
+	// The real group ID of the process' owner.
 	google.protobuf.UInt32Value gid = 2;
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	google.protobuf.UInt32Value euid = 3;
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	google.protobuf.UInt32Value egid = 4;
-	// The saved user ID
+	// The saved user ID.
 	google.protobuf.UInt32Value suid = 5;
-	// The saved group ID
+	// The saved group ID.
 	google.protobuf.UInt32Value sgid = 6;
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	google.protobuf.UInt32Value fsuid = 7;
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	google.protobuf.UInt32Value fsgid = 8;
 	// Secure management flags
 	repeated SecureBitsType securebits = 9;
@@ -178,7 +178,9 @@ message Process {
     string exec_id = 1;
     // Process identifier from host PID namespace.
     google.protobuf.UInt32Value pid = 2;
-    // User identifier associated with the process.
+    // The effective User identifier used for permission checks. This field maps to the
+    // 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+    // enable 'ProcessCredentials' and get all the User and Group identifiers.
     google.protobuf.UInt32Value uid = 3;
     // Current working directory of the process.
     string cwd = 4;
@@ -262,7 +264,8 @@ message Process {
     Namespaces ns = 15;
     // Thread ID, note that for the thread group leader, tid is equal to pid.
     google.protobuf.UInt32Value tid = 16;
-    // Process credentials
+    // Process credentials, disabled by default, can be enabled by the
+    // `--enable-process-cred` flag.
     ProcessCredentials process_credentials = 17;
     // Executed binary properties. This field is only available on ProcessExec events.
     BinaryProperties binary_properties = 18;
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
index 7f892632d21..ace6dfcfc1c 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
@@ -885,21 +885,21 @@ type ProcessCredentials struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// The real user ID
+	// The real user ID of the process' owner.
 	Uid *wrapperspb.UInt32Value `protobuf:"bytes,1,opt,name=uid,proto3" json:"uid,omitempty"`
-	// The real group ID
+	// The real group ID of the process' owner.
 	Gid *wrapperspb.UInt32Value `protobuf:"bytes,2,opt,name=gid,proto3" json:"gid,omitempty"`
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	Euid *wrapperspb.UInt32Value `protobuf:"bytes,3,opt,name=euid,proto3" json:"euid,omitempty"`
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	Egid *wrapperspb.UInt32Value `protobuf:"bytes,4,opt,name=egid,proto3" json:"egid,omitempty"`
-	// The saved user ID
+	// The saved user ID.
 	Suid *wrapperspb.UInt32Value `protobuf:"bytes,5,opt,name=suid,proto3" json:"suid,omitempty"`
-	// The saved group ID
+	// The saved group ID.
 	Sgid *wrapperspb.UInt32Value `protobuf:"bytes,6,opt,name=sgid,proto3" json:"sgid,omitempty"`
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	Fsuid *wrapperspb.UInt32Value `protobuf:"bytes,7,opt,name=fsuid,proto3" json:"fsuid,omitempty"`
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	Fsgid *wrapperspb.UInt32Value `protobuf:"bytes,8,opt,name=fsgid,proto3" json:"fsgid,omitempty"`
 	// Secure management flags
 	Securebits []SecureBitsType `protobuf:"varint,9,rep,packed,name=securebits,proto3,enum=tetragon.SecureBitsType" json:"securebits,omitempty"`
@@ -1271,7 +1271,9 @@ type Process struct {
 	ExecId string `protobuf:"bytes,1,opt,name=exec_id,json=execId,proto3" json:"exec_id,omitempty"`
 	// Process identifier from host PID namespace.
 	Pid *wrapperspb.UInt32Value `protobuf:"bytes,2,opt,name=pid,proto3" json:"pid,omitempty"`
-	// User identifier associated with the process.
+	// The effective User identifier used for permission checks. This field maps to the
+	// 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+	// enable 'ProcessCredentials' and get all the User and Group identifiers.
 	Uid *wrapperspb.UInt32Value `protobuf:"bytes,3,opt,name=uid,proto3" json:"uid,omitempty"`
 	// Current working directory of the process.
 	Cwd string `protobuf:"bytes,4,opt,name=cwd,proto3" json:"cwd,omitempty"`
@@ -1355,7 +1357,8 @@ type Process struct {
 	Ns *Namespaces `protobuf:"bytes,15,opt,name=ns,proto3" json:"ns,omitempty"`
 	// Thread ID, note that for the thread group leader, tid is equal to pid.
 	Tid *wrapperspb.UInt32Value `protobuf:"bytes,16,opt,name=tid,proto3" json:"tid,omitempty"`
-	// Process credentials
+	// Process credentials, disabled by default, can be enabled by the
+	// `--enable-process-cred` flag.
 	ProcessCredentials *ProcessCredentials `protobuf:"bytes,17,opt,name=process_credentials,json=processCredentials,proto3" json:"process_credentials,omitempty"`
 	// Executed binary properties. This field is only available on ProcessExec events.
 	BinaryProperties *BinaryProperties `protobuf:"bytes,18,opt,name=binary_properties,json=binaryProperties,proto3" json:"binary_properties,omitempty"`
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
index 79f74a78121..801f46c0b3f 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
@@ -112,21 +112,21 @@ message UserNamespace {
 }
 
 message ProcessCredentials {
-	// The real user ID
+	// The real user ID of the process' owner.
 	google.protobuf.UInt32Value uid = 1;
-	// The real group ID
+	// The real group ID of the process' owner.
 	google.protobuf.UInt32Value gid = 2;
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	google.protobuf.UInt32Value euid = 3;
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	google.protobuf.UInt32Value egid = 4;
-	// The saved user ID
+	// The saved user ID.
 	google.protobuf.UInt32Value suid = 5;
-	// The saved group ID
+	// The saved group ID.
 	google.protobuf.UInt32Value sgid = 6;
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	google.protobuf.UInt32Value fsuid = 7;
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	google.protobuf.UInt32Value fsgid = 8;
 	// Secure management flags
 	repeated SecureBitsType securebits = 9;
@@ -178,7 +178,9 @@ message Process {
     string exec_id = 1;
     // Process identifier from host PID namespace.
     google.protobuf.UInt32Value pid = 2;
-    // User identifier associated with the process.
+    // The effective User identifier used for permission checks. This field maps to the
+    // 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+    // enable 'ProcessCredentials' and get all the User and Group identifiers.
     google.protobuf.UInt32Value uid = 3;
     // Current working directory of the process.
     string cwd = 4;
@@ -262,7 +264,8 @@ message Process {
     Namespaces ns = 15;
     // Thread ID, note that for the thread group leader, tid is equal to pid.
     google.protobuf.UInt32Value tid = 16;
-    // Process credentials
+    // Process credentials, disabled by default, can be enabled by the
+    // `--enable-process-cred` flag.
     ProcessCredentials process_credentials = 17;
     // Executed binary properties. This field is only available on ProcessExec events.
     BinaryProperties binary_properties = 18;
diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md
index b096ca4f50c..c9641cca840 100644
--- a/docs/content/en/docs/reference/grpc-api.md
+++ b/docs/content/en/docs/reference/grpc-api.md
@@ -459,7 +459,7 @@ https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontain
 | ----- | ---- | ----- | ----------- |
 | exec_id | [string](#string) |  | Exec ID uniquely identifies the process over time across all the nodes in the cluster. |
 | pid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | Process identifier from host PID namespace. |
-| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | User identifier associated with the process. |
+| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective User identifier used for permission checks. This field maps to the &#39;ProcessCredentials.euid&#39; field. Run with the `--enable-process-cred` flag to enable &#39;ProcessCredentials&#39; and get all the User and Group identifiers. |
 | cwd | [string](#string) |  | Current working directory of the process. |
 | binary | [string](#string) |  | Absolute path of the executed binary. |
 | arguments | [string](#string) |  | Arguments passed to the binary at execution. |
@@ -473,7 +473,7 @@ https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontain
 | cap | [Capabilities](#tetragon-Capabilities) |  | Set of capabilities that define the permissions the process can execute with. |
 | ns | [Namespaces](#tetragon-Namespaces) |  | Linux namespaces of the process, disabled by default, can be enabled by the `--enable-process-ns` flag. |
 | tid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | Thread ID, note that for the thread group leader, tid is equal to pid. |
-| process_credentials | [ProcessCredentials](#tetragon-ProcessCredentials) |  | Process credentials |
+| process_credentials | [ProcessCredentials](#tetragon-ProcessCredentials) |  | Process credentials, disabled by default, can be enabled by the `--enable-process-cred` flag. |
 | binary_properties | [BinaryProperties](#tetragon-BinaryProperties) |  | Executed binary properties. This field is only available on ProcessExec events. |
 | user | [UserRecord](#tetragon-UserRecord) |  | UserRecord contains user information about the event.
 
@@ -485,14 +485,14 @@ UserRecord is only supported when i) Tetragon is running as a systemd service or
 
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real user ID |
-| gid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real group ID |
-| euid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective user ID |
-| egid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective group ID |
-| suid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved user ID |
-| sgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved group ID |
-| fsuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | the filesystem user ID |
-| fsgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The filesystem group ID |
+| uid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real user ID of the process&#39; owner. |
+| gid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The real group ID of the process&#39; owner. |
+| euid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective user ID used for permission checks. |
+| egid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The effective group ID used for permission checks. |
+| suid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved user ID. |
+| sgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The saved group ID. |
+| fsuid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | the filesystem user ID used for filesystem access checks. Usually equals the euid. |
+| fsgid | [google.protobuf.UInt32Value](#google-protobuf-UInt32Value) |  | The filesystem group ID used for filesystem access checks. Usually equals the egid. |
 | securebits | [SecureBitsType](#tetragon-SecureBitsType) | repeated | Secure management flags |
 | caps | [Capabilities](#tetragon-Capabilities) |  | Set of capabilities that define the permissions the process can execute with. |
 | user_ns | [UserNamespace](#tetragon-UserNamespace) |  | User namespace where the UIDs, GIDs and capabilities are relative to. |
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
index 7f892632d21..ace6dfcfc1c 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
@@ -885,21 +885,21 @@ type ProcessCredentials struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	// The real user ID
+	// The real user ID of the process' owner.
 	Uid *wrapperspb.UInt32Value `protobuf:"bytes,1,opt,name=uid,proto3" json:"uid,omitempty"`
-	// The real group ID
+	// The real group ID of the process' owner.
 	Gid *wrapperspb.UInt32Value `protobuf:"bytes,2,opt,name=gid,proto3" json:"gid,omitempty"`
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	Euid *wrapperspb.UInt32Value `protobuf:"bytes,3,opt,name=euid,proto3" json:"euid,omitempty"`
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	Egid *wrapperspb.UInt32Value `protobuf:"bytes,4,opt,name=egid,proto3" json:"egid,omitempty"`
-	// The saved user ID
+	// The saved user ID.
 	Suid *wrapperspb.UInt32Value `protobuf:"bytes,5,opt,name=suid,proto3" json:"suid,omitempty"`
-	// The saved group ID
+	// The saved group ID.
 	Sgid *wrapperspb.UInt32Value `protobuf:"bytes,6,opt,name=sgid,proto3" json:"sgid,omitempty"`
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	Fsuid *wrapperspb.UInt32Value `protobuf:"bytes,7,opt,name=fsuid,proto3" json:"fsuid,omitempty"`
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	Fsgid *wrapperspb.UInt32Value `protobuf:"bytes,8,opt,name=fsgid,proto3" json:"fsgid,omitempty"`
 	// Secure management flags
 	Securebits []SecureBitsType `protobuf:"varint,9,rep,packed,name=securebits,proto3,enum=tetragon.SecureBitsType" json:"securebits,omitempty"`
@@ -1271,7 +1271,9 @@ type Process struct {
 	ExecId string `protobuf:"bytes,1,opt,name=exec_id,json=execId,proto3" json:"exec_id,omitempty"`
 	// Process identifier from host PID namespace.
 	Pid *wrapperspb.UInt32Value `protobuf:"bytes,2,opt,name=pid,proto3" json:"pid,omitempty"`
-	// User identifier associated with the process.
+	// The effective User identifier used for permission checks. This field maps to the
+	// 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+	// enable 'ProcessCredentials' and get all the User and Group identifiers.
 	Uid *wrapperspb.UInt32Value `protobuf:"bytes,3,opt,name=uid,proto3" json:"uid,omitempty"`
 	// Current working directory of the process.
 	Cwd string `protobuf:"bytes,4,opt,name=cwd,proto3" json:"cwd,omitempty"`
@@ -1355,7 +1357,8 @@ type Process struct {
 	Ns *Namespaces `protobuf:"bytes,15,opt,name=ns,proto3" json:"ns,omitempty"`
 	// Thread ID, note that for the thread group leader, tid is equal to pid.
 	Tid *wrapperspb.UInt32Value `protobuf:"bytes,16,opt,name=tid,proto3" json:"tid,omitempty"`
-	// Process credentials
+	// Process credentials, disabled by default, can be enabled by the
+	// `--enable-process-cred` flag.
 	ProcessCredentials *ProcessCredentials `protobuf:"bytes,17,opt,name=process_credentials,json=processCredentials,proto3" json:"process_credentials,omitempty"`
 	// Executed binary properties. This field is only available on ProcessExec events.
 	BinaryProperties *BinaryProperties `protobuf:"bytes,18,opt,name=binary_properties,json=binaryProperties,proto3" json:"binary_properties,omitempty"`
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
index 79f74a78121..801f46c0b3f 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
@@ -112,21 +112,21 @@ message UserNamespace {
 }
 
 message ProcessCredentials {
-	// The real user ID
+	// The real user ID of the process' owner.
 	google.protobuf.UInt32Value uid = 1;
-	// The real group ID
+	// The real group ID of the process' owner.
 	google.protobuf.UInt32Value gid = 2;
-	// The effective user ID
+	// The effective user ID used for permission checks.
 	google.protobuf.UInt32Value euid = 3;
-	// The effective group ID
+	// The effective group ID used for permission checks.
 	google.protobuf.UInt32Value egid = 4;
-	// The saved user ID
+	// The saved user ID.
 	google.protobuf.UInt32Value suid = 5;
-	// The saved group ID
+	// The saved group ID.
 	google.protobuf.UInt32Value sgid = 6;
-	// the filesystem user ID
+	// the filesystem user ID used for filesystem access checks. Usually equals the euid.
 	google.protobuf.UInt32Value fsuid = 7;
-	// The filesystem group ID
+	// The filesystem group ID used for filesystem access checks. Usually equals the egid.
 	google.protobuf.UInt32Value fsgid = 8;
 	// Secure management flags
 	repeated SecureBitsType securebits = 9;
@@ -178,7 +178,9 @@ message Process {
     string exec_id = 1;
     // Process identifier from host PID namespace.
     google.protobuf.UInt32Value pid = 2;
-    // User identifier associated with the process.
+    // The effective User identifier used for permission checks. This field maps to the
+    // 'ProcessCredentials.euid' field. Run with the `--enable-process-cred` flag to
+    // enable 'ProcessCredentials' and get all the User and Group identifiers.
     google.protobuf.UInt32Value uid = 3;
     // Current working directory of the process.
     string cwd = 4;
@@ -262,7 +264,8 @@ message Process {
     Namespaces ns = 15;
     // Thread ID, note that for the thread group leader, tid is equal to pid.
     google.protobuf.UInt32Value tid = 16;
-    // Process credentials
+    // Process credentials, disabled by default, can be enabled by the
+    // `--enable-process-cred` flag.
     ProcessCredentials process_credentials = 17;
     // Executed binary properties. This field is only available on ProcessExec events.
     BinaryProperties binary_properties = 18;