fill user info for the running process and fix case for uid == 0

mozillazg · Jan 18, 2025 · 55b185b · 55b185b
1 parent 1e37c9f
commit 55b185b
Show file tree

Hide file tree

Showing 10 changed files with 41 additions and 15 deletions.
diff --git a/bpf/bpf_arm64_bpfel.o b/bpf/bpf_arm64_bpfel.o
diff --git a/bpf/bpf_legacy_arm64_bpfel.o b/bpf/bpf_legacy_arm64_bpfel.o
diff --git a/bpf/bpf_legacy_x86_bpfel.o b/bpf/bpf_legacy_x86_bpfel.o
diff --git a/bpf/bpf_no_tracing_arm64_bpfel.o b/bpf/bpf_no_tracing_arm64_bpfel.o
diff --git a/bpf/bpf_no_tracing_x86_bpfel.o b/bpf/bpf_no_tracing_x86_bpfel.o
diff --git a/bpf/bpf_x86_bpfel.o b/bpf/bpf_x86_bpfel.o
diff --git a/bpf/process.h b/bpf/process.h
@@ -253,16 +253,13 @@ static __always_inline void fill_process_meta(struct task_struct *task, struct p
     BPF_CORE_READ_INTO(&meta->pid, task, tgid);
     BPF_CORE_READ_INTO(&meta->ppid, task, real_parent, tgid);
 
-    u64 uid_gid = bpf_get_current_uid_gid();
-    if (uid_gid > 0) {
-        meta->uid = uid_gid & 0xFFFFFFFF;
-        meta->gid = uid_gid >> 32;
-    } else {
-        BPF_CORE_READ_INTO(&meta->uid, task, cred, uid);
-        BPF_CORE_READ_INTO(&meta->gid, task, cred, gid);
-    }
+    //    u64 uid_gid = bpf_get_current_uid_gid();
+    //    meta->uid = uid_gid & 0xFFFFFFFF;
+    //    meta->gid = uid_gid >> 32;
+    BPF_CORE_READ_INTO(&meta->uid, task, cred, uid);
+    BPF_CORE_READ_INTO(&meta->gid, task, cred, gid);
 
-    debug_log("uid %lld, gid %lld\n", meta->uid, meta->gid);
+    //    debug_log("uid %lld, gid %lld\n", meta->uid, meta->gid);
 
     const char *cname = BPF_CORE_READ(task, cgroups, subsys[0], cgroup, kn, name);
     int size = bpf_core_read_str(&meta->cgroup_name, sizeof(meta->cgroup_name), cname);

diff --git a/internal/metadata/process.go b/internal/metadata/process.go
@@ -82,6 +82,7 @@ func (c *ProcessCache) fillRunningProcesses(ctx context.Context) error {
 				<-pool
 				wg.Done()
 			}()
+
 			ppid := 0
 			if parent, err := p.ParentWithContext(ctx); err == nil {
 				ppid = int(parent.Pid)
@@ -91,9 +92,20 @@ func (c *ProcessCache) fillRunningProcesses(ctx context.Context) error {
 				filename, _ = p.Name()
 			}
 			args, _ := p.CmdlineSlice()
+			uid := -1
+			gid := -1
+			if uids, _ := p.Uids(); len(uids) > 0 {
+				uid = int(uids[0])
+			}
+			if gids, _ := p.Gids(); len(gids) > 0 {
+				gid = int(gids[0])
+			}
+
 			e := types.ProcessExec{
 				PPid:              ppid,
 				Pid:               int(p.Pid),
+				Uid:               uid,
+				Gid:               gid,
 				Filename:          filename,
 				FilenameTruncated: false,
 				Args:              args,
@@ -187,6 +199,11 @@ func (c *ProcessCache) AddItemWithContext(exec types.ProcessExec, rawCtx types.P
 			ProcessBase: types.ProcessBase{
 				Pid:           exec.Pid,
 				Cmd:           exec.FilenameStr(),
+				CmdTruncated:  false,
+				Tid:           0,
+				TName:         "",
+				UserId:        exec.Uid,
+				GroupId:       exec.Gid,
 				Args:          exec.Args,
 				ArgsTruncated: exec.ArgsTruncated,
 			},
@@ -235,6 +252,10 @@ func (c *ProcessCache) getProcessBase(pid int) types.ProcessBase {
 		Pid:           pid,
 		Cmd:           cmd,
 		CmdTruncated:  false,
+		Tid:           0,
+		TName:         "",
+		UserId:        -1,
+		GroupId:       -1,
 		Args:          args,
 		ArgsTruncated: false,
 	}

diff --git a/internal/writer/pcapng.go b/internal/writer/pcapng.go
@@ -48,8 +48,12 @@ func (w *PcapNGWriter) Write(e *event.Packet) error {
 	p := w.pcache.Get(e.Pid, e.MntNs, e.NetNs, e.CgroupName)
 	p.Tid = e.Tid
 	p.TName = e.TName
-	p.UserId = e.Uid
-	p.GroupId = e.Gid
+	if p.UserId == 0 && e.Uid != 0 {
+		p.UserId = e.Uid
+	}
+	if p.GroupId == 0 && e.Gid != 0 {
+		p.GroupId = e.Gid
+	}
 
 	opts := pcapgo.NgPacketOptions{}
 	if w.enhancedContext.ProcessContext() && p.Pid > 0 {
@@ -64,7 +68,7 @@ func (w *PcapNGWriter) Write(e *event.Packet) error {
 					p.Tid, p.TName),
 			)
 		}
-		if w.enhancedContext.UserContext() && p.UserId > 0 {
+		if w.enhancedContext.UserContext() && p.UserId >= 0 {
 			opts.Comments = append(opts.Comments,
 				fmt.Sprintf("UserId: %d\nGroupId: %d",
 					p.UserId, p.GroupId),

diff --git a/internal/writer/stdout.go b/internal/writer/stdout.go
@@ -61,8 +61,12 @@ func (w *StdoutWriter) Write(e *event.Packet) error {
 	p := w.pcache.Get(e.Pid, e.MntNs, e.NetNs, e.CgroupName)
 	p.Tid = e.Tid
 	p.TName = e.TName
-	p.UserId = e.Uid
-	p.GroupId = e.Gid
+	if p.UserId == 0 && e.Uid != 0 {
+		p.UserId = e.Uid
+	}
+	if p.GroupId == 0 && e.Gid != 0 {
+		p.GroupId = e.Gid
+	}
 
 	processInfo := ""
 	threadInfo := ""
@@ -80,7 +84,7 @@ func (w *StdoutWriter) Write(e *event.Packet) error {
 		if w.enhancedContext.ProcessContext() && p.Tid > 0 {
 			threadInfo = fmt.Sprintf("Thread (tid %d, name %s)", p.Tid, p.TName)
 		}
-		if w.enhancedContext.UserContext() && p.UserId > 0 {
+		if w.enhancedContext.UserContext() && p.UserId >= 0 {
 			userInfo = fmt.Sprintf("User (uid %d, gid %d)", p.UserId, p.GroupId)
 		}
 		if w.enhancedContext.ParentProcContext() && p.Parent.Pid > 0 {