solving missing events issue by adding tracepoints on sys_enter_exit(…

…+_group)

internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c

@@ -19,6 +19,7 @@
 #define PROBE_TYPE_WRITE        5
 #define PROBE_TYPE_SOCKET       6
 #define PROBE_TYPE_CAP          7
+#define PROBE_TYPE_EXIT         8
 
 enum
 {
@@ -607,6 +608,39 @@ int BPF_KPROBE(trace_cap_capable)
     return 0;
 }
 
+static __always_inline void handle_exit()
+{
+    apparmor_event_data_t *event;
+
+    u32 pid = bpf_get_current_pid_tgid() >> 32;
+
+    u32 mntns = get_mntns();
+    if (!mntns)
+        return;
+
+    event = bpf_ringbuf_reserve(&apparmor_events, sizeof(apparmor_event_data_t), 0);
+    if (event) {
+        event->pid = pid;
+        event->mntns = mntns;
+        event->type = PROBE_TYPE_EXIT;
+        bpf_ringbuf_submit(event, 0);
+    }
+}
+
+SEC("tracepoint/syscalls/sys_enter_exit")
+int syscall__exit(struct trace_event_raw_sys_enter *ctx)
+{
+    handle_exit();
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_exit_group")
+int syscall__exit_group(struct trace_event_raw_sys_enter *ctx)
+{
+    handle_exit();
+    return 0;
+}
+
 SEC("tracepoint/raw_syscalls/sys_enter")
 int sys_enter(struct trace_event_raw_sys_enter * args)
 {

internal/pkg/daemon/bpfrecorder/bpfrecorder.go

@@ -73,6 +73,7 @@ const (
 	probeTypeWrite      int           = 5
 	probeTypeSocket     int           = 6
 	probeTypeCap        int           = 7
+	probeTypeExit       int           = 8
 	protRead            int           = 0x1
 	protWrite           int           = 0x2
 	protExec            int           = 0x4
@@ -111,6 +112,7 @@ type BpfRecorder struct {
 	lockRecordedSocketsUse   sync.Mutex
 	recordedCapabilities     []string
 	lockRecordedCapabilities sync.Mutex
+	lockAppArmorRecording    sync.Mutex
 }
 
 type syscallTracepoint struct {
@@ -213,6 +215,16 @@ var apparmorSyscallTracepoints = []syscallTracepoint{
 		program:  "syscall__socket",
 		name:     "sys_enter_socket",
 	},
+	{
+		category: "syscalls",
+		program:  "syscall__exit",
+		name:     "sys_enter_exit",
+	},
+	{
+		category: "syscalls",
+		program:  "syscall__exit_group",
+		name:     "sys_enter_exit_group",
+	},
 }
 
 var capabilities = map[int]string{
@@ -303,6 +315,10 @@ func (b *BpfRecorder) Syscalls() *bpf.BPFMap {
 func (b *BpfRecorder) GetAppArmorProcessed() BpfAppArmorProcessed {
 	var processed BpfAppArmorProcessed
 
+	// validating that the process exited.
+	// TODO: should this be subject to a flag for the Kubernetes controller integration?
+	b.lockAppArmorRecording.Lock()
+
 	processed.FileProcessed = b.processExecFsEvents()
 	processed.Socket = b.recordedSocketsUse
 	processed.Capabilities = b.recordedCapabilities
@@ -704,6 +720,7 @@ func (b *BpfRecorder) Load(startEventProcessor bool) (err error) {
 			return fmt.Errorf("init apparmor_events ringbuffer: %w", err)
 		}
 		b.PollRingBuffer(apparmorRingbuffer, timeout)
+		b.lockAppArmorRecording.Lock()
 		go b.handleAppArmorEvents(apparmorEvents)
 	}
 
@@ -979,6 +996,8 @@ func (b *BpfRecorder) handleAppArmorEvents(apparmorEvents chan []byte) {
 			b.handleAppArmorSocketEvents(apparmorEvent)
 		case uint8(probeTypeCap):
 			b.handleAppArmorCapabilityEvents(apparmorEvent)
+		case uint8(probeTypeExit):
+			b.lockAppArmorRecording.Unlock()
 		}
 	}
 }