Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix(events): don't remove fork excess args #4167

Merged
merged 1 commit into from
Jul 8, 2024
Merged

Fix(events): don't remove fork excess args #4167

merged 1 commit into from
Jul 8, 2024

Conversation

rscampos
Copy link
Contributor

@rscampos rscampos commented Jul 2, 2024
edited
Loading

Part of #3520

1. Explain what the PR does

05ffffb Fix(events): don't remove fork excess args

Stop removing arguments from the `sched_process_fork` event.
This is removing an edge case making it easier to use the event.
It also makes it easier to reproducing the process tree.

The real parent process variable name 'up_parent_xxx' has been
renamed to 'parent_process_xxx'.

Co-authored-by: Alon Zivony <alon.zivony@aquasec.com>

2. Explain how to test it

3. Other comments

Credits to @AlonZivony, who did the work.

@rscampos rscampos self-assigned this Jul 2, 2024
@rscampos
Copy link
Contributor Author

rscampos commented Jul 2, 2024

@yanivagman , if I understood correctly from this comment (09f4685#r1660126189), the ideia is to replace the following to parent_process_xxx instead of up_parent_xxx in the core.go?

tracee/pkg/events/core.go

Lines 11175 to 11179 in 3cab205

{Type: "int", Name: "up_parent_tid"},
{Type: "int", Name: "up_parent_ns_tid"},
{Type: "int", Name: "up_parent_pid"},
{Type: "int", Name: "up_parent_ns_pid"},
{Type: "unsigned long", Name: "up_parent_start_time"},

But this way won't be confused with:

tracee/pkg/events/core.go

Lines 11162 to 11166 in 3cab205

{Type: "int", Name: "parent_tid"},
{Type: "int", Name: "parent_ns_tid"},
{Type: "int", Name: "parent_pid"},
{Type: "int", Name: "parent_ns_pid"},
{Type: "unsigned long", Name: "parent_start_time"},

If it's the case, should we try something different like ancestor_xxx?

@rscampos rscampos mentioned this pull request Jul 2, 2024
Draft
@rscampos rscampos requested a review from yanivagman July 2, 2024 19:02
@yanivagman
Copy link
Collaborator

yanivagman commented Jul 3, 2024
edited
Loading

@yanivagman , if I understood correctly from this comment (09f4685#r1660126189), the ideia is to replace the following to parent_process_xxx instead of up_parent_xxx in the core.go?

tracee/pkg/events/core.go

Lines 11175 to 11179 in 3cab205

{Type: "int", Name: "up_parent_tid"},
{Type: "int", Name: "up_parent_ns_tid"},
{Type: "int", Name: "up_parent_pid"},
{Type: "int", Name: "up_parent_ns_pid"},
{Type: "unsigned long", Name: "up_parent_start_time"},

But this way won't be confused with:

tracee/pkg/events/core.go

Lines 11162 to 11166 in 3cab205

{Type: "int", Name: "parent_tid"},
{Type: "int", Name: "parent_ns_tid"},
{Type: "int", Name: "parent_pid"},
{Type: "int", Name: "parent_ns_pid"},
{Type: "unsigned long", Name: "parent_start_time"},

If it's the case, should we try something different like ancestor_xxx?

I agree that it is confusing.
I think that if we will have parent_xxx and ancestor_xxx it will also be confusing.
It would be probably best to rename both so we will have parent_process_xxx and parent_task_xxx (which can also refer to a thread), but that may break existing signatures. For now, I think we can go with parent_process_xxx and keep parent_xxx as is, in the future we may break the other fields by introducing a new version of the event. WDYT?

@rscampos @AlonZivony
Fix(events): don't remove fork excess args
05ffffb 
Stop removing arguments from the `sched_process_fork` event.
This is removing an edge case making it easier to use the event.
It also makes it easier to reproducing the process tree.

The real parent process variable name 'up_parent_xxx' has been
renamed to 'parent_process_xxx'.

Co-authored-by: Alon Zivony <alon.zivony@aquasec.com>
@rscampos rscampos force-pushed the pr_4120_commit_2_fork_args branch from 3cab205 to 05ffffb Compare July 4, 2024 14:32
@rscampos
Copy link
Contributor Author

rscampos commented Jul 4, 2024

Think we can use parent_process_xxx for now and in the future we also rename the other field to parent_task_xxx to be less confusing.

yanivagman
yanivagman approved these changes Jul 7, 2024
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rscampos rscampos merged commit eee78ce into aquasecurity:main Jul 8, 2024
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yanivagman yanivagman yanivagman approved these changes

Assignees

@rscampos rscampos

Labels
area/ebpf area/events
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rscampos @yanivagman