perf(proctree): move functions from FeedFromFork
geyslan committed Jan 28, 2025
1 parent a1ceb10 commit 1c9f52a
Showing 1 changed file with 79 additions and 63 deletions.
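--- a/pkg/proctree/proctree_feed.go
+++ b/pkg/proctree/proctree_feed.go
@@ -2,6 +2,7 @@ package proctree
 
 import (
 "path/filepath"
+"time"
 
 "github.com/aquasecurity/tracee/pkg/errfmt"
 "github.com/aquasecurity/tracee/pkg/logger"
@@ -34,6 +35,81 @@ type ForkFeed struct {
 ChildStartTime uint64
 }
 
+func (pt *ProcessTree) setParentFeed(
+parent *Process,
+feed *ForkFeed,
+feedTimeStamp time.Time,
+) {
+parent.GetInfo().SetFeedAt(
+TaskInfoFeed{
+Name: "", // do not change the parent name
+Tid: int(feed.ParentTid),
+Pid: int(feed.ParentPid),
+NsTid: int(feed.ParentNsTid),
+NsPid: int(feed.ParentNsPid),
+StartTimeNS: feed.ParentStartTime,
+PPid: -1, // do not change the parent ppid
+NsPPid: -1, // do not change the parent nsppid
+Uid: -1, // do not change the parent uid
+Gid: -1, // do not change the parent gid
+},
+feedTimeStamp,
+)
+
+if pt.procfsQuery {
+pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
+}
+}
+
+func (pt *ProcessTree) setLeaderFeed(
+leader, parent *Process,
+feed *ForkFeed,
+feedTimeStamp time.Time,
+) {
+leader.GetInfo().SetFeedAt(
+TaskInfoFeed{
+Name: parent.GetInfo().GetName(),
+Tid: int(feed.LeaderTid),
+Pid: int(feed.LeaderPid),
+NsTid: int(feed.LeaderNsTid),
+NsPid: int(feed.LeaderNsPid),
+StartTimeNS: feed.LeaderStartTime,
+PPid: int(feed.ParentPid),
+NsPPid: int(feed.ParentNsPid),
+Uid: -1, // do not change the parent ui
+Gid: -1, // do not change the parent gid
+},
+feedTimeStamp,
+)
+
+if pt.procfsQuery {
+pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
+}
+}
+
+func (pt *ProcessTree) setThreadFeed(
+thread *Thread,
+leader *Process,
+feed *ForkFeed,
+feedTimeStamp time.Time,
+) {
+thread.GetInfo().SetFeedAt(
+TaskInfoFeed{
+Name: leader.GetInfo().GetName(),
+Tid: int(feed.ChildTid),
+Pid: int(feed.ChildPid),
+NsTid: int(feed.ChildNsTid),
+NsPid: int(feed.ChildNsPid),
+StartTimeNS: feed.ChildStartTime,
+PPid: int(feed.ParentPid),
+NsPPid: int(feed.ParentNsPid),
+Uid: -1, // do not change the thread uid
+Gid: -1, // do not change the thread gid
+},
+feedTimeStamp,
+)
+}
+
 // FeedFromFork feeds the process tree with a fork event.
 func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 if feed.ChildHash == 0 || feed.ParentHash == 0 {
@@ -51,27 +127,6 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 
 // Update the parent process (might already exist)
 
-setParentFeed := func(parent *Process) {
-parent.GetInfo().SetFeedAt(
-TaskInfoFeed{
-Name: "", // do not change the parent name
-Tid: int(feed.ParentTid),
-Pid: int(feed.ParentPid),
-NsTid: int(feed.ParentNsTid),
-NsPid: int(feed.ParentNsPid),
-StartTimeNS: feed.ParentStartTime,
-PPid: -1, // do not change the parent ppid
-NsPPid: -1, // do not change the parent nsppid
-Uid: -1, // do not change the parent uid
-Gid: -1, // do not change the parent gid
-},
-feedTimeStamp,
-)
-if pt.procfsQuery {
-pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
-}
-}
-
 parent, found := pt.GetProcessByHash(feed.ParentHash) // always a real process
 if !found {
 parent = pt.GetOrCreateProcessByHash(feed.ParentHash)
@@ -82,34 +137,13 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // ppid, for example).
 
 if !found || parent.GetInfo().GetPid() != int(feed.ParentPid) {
-setParentFeed(parent)
+pt.setParentFeed(parent, &feed, feedTimeStamp)
 }
 
 parent.AddChild(feed.LeaderHash) // add the leader as a child of the parent
 
 // Update the leader process (might exist, might be the same as child if child is a process)
 
-setLeaderFeed := func(leader *Process) {
-leader.GetInfo().SetFeedAt(
-TaskInfoFeed{
-Name: parent.GetInfo().GetName(),
-Tid: int(feed.LeaderTid),
-Pid: int(feed.LeaderPid),
-NsTid: int(feed.LeaderNsTid),
-NsPid: int(feed.LeaderNsPid),
-StartTimeNS: feed.LeaderStartTime,
-PPid: int(feed.ParentPid),
-NsPPid: int(feed.ParentNsPid),
-Uid: -1, // do not change the parent ui
-Gid: -1, // do not change the parent gid
-},
-feedTimeStamp,
-)
-if pt.procfsQuery {
-pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
-}
-}
-
 leader, found := pt.GetProcessByHash(feed.LeaderHash)
 if !found {
 leader = pt.GetOrCreateProcessByHash(feed.LeaderHash)
@@ -118,7 +152,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // Same case here (for events out of order created by execve first)
 
 if !found || leader.GetInfo().GetPPid() != int(feed.ParentPid) {
-setLeaderFeed(leader)
+pt.setLeaderFeed(leader, parent, &feed, feedTimeStamp)
 }
 
 leader.SetParentHash(feed.ParentHash) // add the parent as the parent of the leader
@@ -135,24 +169,6 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 
 // In all cases (task is a process, or a thread) there is a thread entry.
 
-setThreadFeed := func(thread *Thread) {
-thread.GetInfo().SetFeedAt(
-TaskInfoFeed{
-Name: leader.GetInfo().GetName(),
-Tid: int(feed.ChildTid),
-Pid: int(feed.ChildPid),
-NsTid: int(feed.ChildNsTid),
-NsPid: int(feed.ChildNsPid),
-StartTimeNS: feed.ChildStartTime,
-PPid: int(feed.ParentPid),
-NsPPid: int(feed.ParentNsPid),
-Uid: -1, // do not change the thread uid
-Gid: -1, // do not change the thread gid
-},
-feedTimeStamp,
-)
-}
-
 thread, found := pt.GetThreadByHash(feed.ChildHash)
 if !found {
 thread = pt.GetOrCreateThreadByHash(feed.ChildHash)
@@ -161,7 +177,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // Same case here (for events out of order created by execve first)
 
 if !found || thread.GetInfo().GetPPid() != int(feed.ParentPid) {
-setThreadFeed(thread)
+pt.setThreadFeed(thread, leader, &feed, feedTimeStamp)
 }
 
 thread.SetParentHash(feed.ParentHash) // all threads have the same parent as the thread group leader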
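Review bot: The three methods hoisted out of FeedFromFork (`setParentFeed`, `setLeaderFeed`, `setThreadFeed`) have no doc comments, and in `setLeaderFeed` the `Uid`/`Gid` comments still read `do not change the parent ui` / `do not change the parent gid` although the entry being written is the leader. I would change those two to `// do not change the leader uid` and `// do not change the leader gid`, and put a line above each method, for example `// setParentFeed updates the parent's task info from a fork feed; an empty Name and -1 fields are meant to leave the stored value unchanged.` The comments on `setParentFeed` and `setLeaderFeed` should also note that procfs enrichment is requested by PID alone. FeedFromProcFSAsync is not visible here, so this is an assumption to confirm: if it does not re-check the start time or hash, a task that exited and whose PID was reused could be enriched with another process's name, which matters for a tree used to attribute events.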
