mirror of
https://github.com/evilsocket/opensnitch.git
synced 2025-03-04 08:34:40 +01:00
In order to detect short-lived processes we intercept new process executions as they happen, and cache them for later use. When a new connection is established, we check if the PID of the connection is cached, and use the details of the process to ask the user to allow or deny it.

However, there are some situations where the path or cmdline of a PID doesn't correspond with the one that's establishing the connection. Given the same PID:

- Sometimes we receive from the tracepoint a wrong/non-existent path.
- Other times we receive a "helper", which is the one executing the real binary that opens the connection.

For these reasons, now when a new connection is established, we read the path to the binary from proc. If the PID is cached and the cached path differs, then we'll use the path from proc.

We lose a bit of performance, but hopefully we'll be more consistent with what the user expects, while at the same time continuing to intercept short-lived processes.

Downsides: for execveat() executions we won't display the original binary.

Closes #771

| Name |
|---|
| .. |
| audit |
| ebpf |
| monitor |
| activepids.go |
| activepids_test.go |
| cache.go |
| cache_test.go |
| details.go |
| find.go |
| find_test.go |
| parse.go |
| process.go |
| process_test.go |
| watcher.go |
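The lookup policy the commit message describes (cache exec events by PID; on a new connection read the binary path from proc and prefer it when it disagrees with the cache; fall back to the cache when the process is already gone) as an added, self-contained Go example. This is not opensnitch's own code: `ProcCache`, `ProcInfo`, `ResolveConnectionProcess` and `buildFakeProc` are hypothetical names chosen for the illustration, the proc root is parameterised so the example runs against a constructed fake tree instead of the real `/proc`, and the sample PIDs and paths are constructed test data.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"sync"
)

// ProcInfo holds what the exec tracepoint reported for a PID.
type ProcInfo struct {
	Path    string
	CmdLine []string
}

// ProcCache is a hypothetical PID -> exec-details cache (not opensnitch's own type).
type ProcCache struct {
	mu   sync.RWMutex
	pids map[int]ProcInfo
}

func NewProcCache() *ProcCache { return &ProcCache{pids: make(map[int]ProcInfo)} }

func (c *ProcCache) Add(pid int, info ProcInfo) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.pids[pid] = info
}

func (c *ProcCache) Get(pid int) (ProcInfo, bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	info, ok := c.pids[pid]
	return info, ok
}

// exePathFromProc resolves <procRoot>/<pid>/exe. procRoot is a parameter
// (normally "/proc") so the logic can be exercised against a fake tree.
func exePathFromProc(procRoot string, pid int) (string, error) {
	return os.Readlink(filepath.Join(procRoot, strconv.Itoa(pid), "exe"))
}

// ResolveConnectionProcess applies the policy from the commit message: read the
// binary path from proc when a connection appears; if the PID is cached and the
// cached path differs, the proc path wins. If proc cannot be read (the process
// already exited) fall back to the cache, which is what keeps short-lived
// processes identifiable. The second value reports where the path came from.
func ResolveConnectionProcess(cache *ProcCache, procRoot string, pid int) (ProcInfo, string, error) {
	cached, inCache := cache.Get(pid)
	procPath, err := exePathFromProc(procRoot, pid)
	switch {
	case err == nil && inCache && procPath != cached.Path:
		// The cached path is a helper or bogus; keep the cached cmdline
		// (assumption: the commit only swaps the path) but trust proc for the binary.
		return ProcInfo{Path: procPath, CmdLine: cached.CmdLine}, "proc", nil
	case err == nil && inCache:
		return cached, "cache", nil
	case err == nil:
		return ProcInfo{Path: procPath}, "proc", nil
	case inCache:
		return cached, "cache", nil
	default:
		return ProcInfo{}, "", fmt.Errorf("pid %d: not cached and %w", pid, err)
	}
}

// buildFakeProc lays out <root>/<pid>/exe symlinks so the example runs offline
// without touching the real /proc (constructed test data).
func buildFakeProc(root string, exes map[int]string) error {
	for pid, target := range exes {
		dir := filepath.Join(root, strconv.Itoa(pid))
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		if err := os.Symlink(target, filepath.Join(dir, "exe")); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "fakeproc")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// PID 100: the tracepoint reported a helper (/bin/sh) but the socket belongs to curl.
	// PID 200: short-lived, already gone from proc; only the cache knows it.
	// PID 300: neither cached nor in proc, so the lookup fails.
	if err := buildFakeProc(root, map[int]string{100: "/usr/bin/curl"}); err != nil {
		panic(err)
	}
	cache := NewProcCache()
	cache.Add(100, ProcInfo{Path: "/bin/sh", CmdLine: []string{"sh", "-c", "curl example.org"}})
	cache.Add(200, ProcInfo{Path: "/usr/bin/dig", CmdLine: []string{"dig", "example.org"}})
	for _, pid := range []int{100, 200, 300} {
		info, src, err := ResolveConnectionProcess(cache, root, pid)
		fmt.Printf("pid %d: path=%q source=%s err=%v\n", pid, info.Path, src, err)
	}
}
```

The readlink on `<pid>/exe` is the extra cost the commit message accepts per connection; the cache is still consulted first so a PID that has already exited is reported from the exec event rather than lost.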