mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 00:24:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ebpf: delete pid from exec maps if it exists

Browse source 
We track new processes execution by intercepting the enter and exit
of the functions, but sometimes the exit hook is not called, so the
corresponding entry was not being removed from the map.
In this situation the map becomes full and accepts no new entries.

Now the entry is deleted from the map once the process exits, if it
still exists in the map.
This commit is contained in:
Gustavo Iñiguez Goia 2024-01-08 01:33:54 +01:00
parent bb95a77c58
commit 9446d191f0
Failed to generate hash of commit
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
ebpf_prog/opensnitch-procs.c
View file

@ -39,6 +39,9 @@ static __always_inline void new_event(struct data_t* data)
bpf_get_current_comm(&data->comm, sizeof(data->comm));
};
/*
* send to userspace the result of the execve* call.
*/
static __always_inline void __handle_exit_execve(struct trace_sys_exit_execve *ctx)
{
u64 pid_tgid = bpf_get_current_pid_tgid();
@ -50,7 +53,7 @@ static __always_inline void __handle_exit_execve(struct trace_sys_exit_execve *c
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, proc, sizeof(*proc));
out:
bpf_map_delete_elem(&execMap, &pid_tgid);
bpf_map_delete_elem(&execMap, &pid_tgid);
}
// https://0xax.gitbooks.io/linux-insides/content/SysCall/linux-syscall-4.html
@ -68,6 +71,8 @@ int tracepoint__sched_sched_process_exit(struct pt_regs *ctx)
data->type = EVENT_SCHED_EXIT;
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, data, sizeof(*data));
u64 pid_tgid = bpf_get_current_pid_tgid();
bpf_map_delete_elem(&execMap, &pid_tgid);
return 0;
};