diff --git a/pkg/proctree/proctree_feed.go b/pkg/proctree/proctree_feed.go
index 354f66f0af8f..ea1297b42aab 100644
--- a/pkg/proctree/proctree_feed.go
+++ b/pkg/proctree/proctree_feed.go
@@ -2,6 +2,7 @@ package proctree
 import (
 "path/filepath"
+ "time"
 "github.com/aquasecurity/tracee/pkg/errfmt"
 "github.com/aquasecurity/tracee/pkg/logger"
@@ -34,6 +35,81 @@ type ForkFeed struct {
 ChildStartTime uint64
 }
+func (pt *ProcessTree) setParentFeed(
+ parent *Process,
+ feed *ForkFeed,
+ feedTimeStamp time.Time,
+) {
+ parent.GetInfo().SetFeedAt(
+ TaskInfoFeed{
+ Name: "", // do not change the parent name
+ Tid: int(feed.ParentTid),
+ Pid: int(feed.ParentPid),
+ NsTid: int(feed.ParentNsTid),
+ NsPid: int(feed.ParentNsPid),
+ StartTimeNS: feed.ParentStartTime,
+ PPid: -1, // do not change the parent ppid
+ NsPPid: -1, // do not change the parent nsppid
+ Uid: -1, // do not change the parent uid
+ Gid: -1, // do not change the parent gid
+ },
+ feedTimeStamp,
+ )
+
+ if pt.procfsQuery {
+ pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
+ }
+}
+
+func (pt *ProcessTree) setLeaderFeed(
+ leader, parent *Process,
+ feed *ForkFeed,
+ feedTimeStamp time.Time,
+) {
+ leader.GetInfo().SetFeedAt(
+ TaskInfoFeed{
+ Name: parent.GetInfo().GetName(),
+ Tid: int(feed.LeaderTid),
+ Pid: int(feed.LeaderPid),
+ NsTid: int(feed.LeaderNsTid),
+ NsPid: int(feed.LeaderNsPid),
+ StartTimeNS: feed.LeaderStartTime,
+ PPid: int(feed.ParentPid),
+ NsPPid: int(feed.ParentNsPid),
+ Uid: -1, // do not change the parent ui
+ Gid: -1, // do not change the parent gid
+ },
+ feedTimeStamp,
+ )
+
+ if pt.procfsQuery {
+ pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
+ }
+}
+
+func (pt *ProcessTree) setThreadFeed(
+ thread *Thread,
+ leader *Process,
+ feed *ForkFeed,
+ feedTimeStamp time.Time,
+) {
+ thread.GetInfo().SetFeedAt(
+ TaskInfoFeed{
+ Name: leader.GetInfo().GetName(),
+ Tid: int(feed.ChildTid),
+ Pid: int(feed.ChildPid),
+ NsTid: int(feed.ChildNsTid),
+ NsPid: int(feed.ChildNsPid),
+ StartTimeNS: feed.ChildStartTime,
+ PPid: int(feed.ParentPid),
+ NsPPid: int(feed.ParentNsPid),
+ Uid: -1, // do not change the thread uid
+ Gid: -1, // do not change the thread gid
+ },
+ feedTimeStamp,
+ )
+}
+
 // FeedFromFork feeds the process tree with a fork event.
 func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 if feed.ChildHash == 0 || feed.ParentHash == 0 {
@@ -51,27 +127,6 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // Update the parent process (might already exist)
- setParentFeed := func(parent *Process) {
- parent.GetInfo().SetFeedAt(
- TaskInfoFeed{
- Name: "", // do not change the parent name
- Tid: int(feed.ParentTid),
- Pid: int(feed.ParentPid),
- NsTid: int(feed.ParentNsTid),
- NsPid: int(feed.ParentNsPid),
- StartTimeNS: feed.ParentStartTime,
- PPid: -1, // do not change the parent ppid
- NsPPid: -1, // do not change the parent nsppid
- Uid: -1, // do not change the parent uid
- Gid: -1, // do not change the parent gid
- },
- feedTimeStamp,
- )
- if pt.procfsQuery {
- pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
- }
- }
-
 parent, found := pt.GetProcessByHash(feed.ParentHash) // always a real process
 if !found {
 parent = pt.GetOrCreateProcessByHash(feed.ParentHash)
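Review bot: In setParentFeed and setLeaderFeed the procfs enrichment is keyed by PID alone (`pt.FeedFromProcFSAsync(int(feed.ParentPid))` and the matching `feed.LeaderPid` call) and, going by the name, runs asynchronously, so if the PID has been reused by the time procfs is read, another task's name or ppid could end up on this tree entry. Whether FeedFromProcFSAsync compares the procfs start time or the task hash before applying the result is not visible in this diff; if it does not, checking against `feed.ParentStartTime` / `feed.LeaderStartTime` there would keep the lineage that detections rely on accurate, and a one-line comment at these two calls should state which it is. The three new methods also have no doc comments; each should say that `-1` and `""` mean "leave the stored value unchanged". In setLeaderFeed the copied comments `// do not change the parent ui` and `// do not change the parent gid` should read `leader uid` and `leader gid`.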
@@ -82,34 +137,13 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // ppid, for example).
 if !found || parent.GetInfo().GetPid() != int(feed.ParentPid) {
- setParentFeed(parent)
+ pt.setParentFeed(parent, &feed, feedTimeStamp)
 }
 parent.AddChild(feed.LeaderHash) // add the leader as a child of the parent
 // Update the leader process (might exist, might be the same as child if child is a process)
- setLeaderFeed := func(leader *Process) {
- leader.GetInfo().SetFeedAt(
- TaskInfoFeed{
- Name: parent.GetInfo().GetName(),
- Tid: int(feed.LeaderTid),
- Pid: int(feed.LeaderPid),
- NsTid: int(feed.LeaderNsTid),
- NsPid: int(feed.LeaderNsPid),
- StartTimeNS: feed.LeaderStartTime,
- PPid: int(feed.ParentPid),
- NsPPid: int(feed.ParentNsPid),
- Uid: -1, // do not change the parent ui
- Gid: -1, // do not change the parent gid
- },
- feedTimeStamp,
- )
- if pt.procfsQuery {
- pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
- }
- }
-
 leader, found := pt.GetProcessByHash(feed.LeaderHash)
 if !found {
 leader = pt.GetOrCreateProcessByHash(feed.LeaderHash)
@@ -118,7 +152,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // Same case here (for events out of order created by execve first)
 if !found || leader.GetInfo().GetPPid() != int(feed.ParentPid) {
- setLeaderFeed(leader)
+ pt.setLeaderFeed(leader, parent, &feed, feedTimeStamp)
 }
 leader.SetParentHash(feed.ParentHash) // add the parent as the parent of the leader
@@ -135,24 +169,6 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // In all cases (task is a process, or a thread) there is a thread entry.
- setThreadFeed := func(thread *Thread) {
- thread.GetInfo().SetFeedAt(
- TaskInfoFeed{
- Name: leader.GetInfo().GetName(),
- Tid: int(feed.ChildTid),
- Pid: int(feed.ChildPid),
- NsTid: int(feed.ChildNsTid),
- NsPid: int(feed.ChildNsPid),
- StartTimeNS: feed.ChildStartTime,
- PPid: int(feed.ParentPid),
- NsPPid: int(feed.ParentNsPid),
- Uid: -1, // do not change the thread uid
- Gid: -1, // do not change the thread gid
- },
- feedTimeStamp,
- )
- }
-
 thread, found := pt.GetThreadByHash(feed.ChildHash)
 if !found {
 thread = pt.GetOrCreateThreadByHash(feed.ChildHash)
@@ -161,7 +177,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 // Same case here (for events out of order created by execve first)
 if !found || thread.GetInfo().GetPPid() != int(feed.ParentPid) {
- setThreadFeed(thread)
+ pt.setThreadFeed(thread, leader, &feed, feedTimeStamp)
 }
 thread.SetParentHash(feed.ParentHash) // all threads have the same parent as the thread group leader