[BUG] Missing existing containers mount ns in cache

Open AlonZivony opened this issue 2 years ago • 2 comments

Prerequisites

  • [x] This affects latest released version.
  • [x] This affects current development tree (origin/HEAD).
  • [x] There isn't an issue describing the bug.

Select one OR another:

  • [x] I'm going to create a PR to solve this (assign to yourself).
  • [ ] Someone else should solve this.

Bug description

Tracee has the member pidsInMntns which caches PIDs in each mount namespace, where the first one is the entry-point process. Using this cache we access files inside the different mount namespaces using procfs. However, the cache is filled using the sched_process_exec event alone. As a result, it's missing mount namespaces which existed before tracee initialization (as long as no process was executed there). This results in many errors and a reduction in tracee reliability.

AlonZivony, Aug 11 '22 09:08

See #2036 for the source discussion that resulted in this issue.

AlonZivony, Aug 30 '22 17:08

Can be extracted from the ExistingContainer event

AlonZivony, Sep 20 '22 14:09
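
The gap described in this issue, as an added example that is not Tracee's code or the fix adopted for it: a startup pass over procfs that groups already-running PIDs by the inode in `/proc/<pid>/ns/mnt`, so mount namespaces with no `sched_process_exec` since startup still get a cache entry. `seedPidsInMntns` is a hypothetical name, and sorting by ascending PID only approximates the entry-point-first ordering the issue mentions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
)

// seedPidsInMntns (hypothetical helper) walks a procfs root and returns
// mount-namespace inode -> PIDs currently living in that namespace.
func seedPidsInMntns(procRoot string) (map[uint64][]int, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	cache := make(map[uint64][]int)
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // "self", "sys", ...: not a PID directory
		}
		link, err := os.Readlink(filepath.Join(procRoot, e.Name(), "ns", "mnt"))
		if err != nil {
			continue // process exited mid-scan, or no permission to read it
		}
		var ino uint64
		if _, err := fmt.Sscanf(link, "mnt:[%d]", &ino); err != nil {
			continue // link target is not in the "mnt:[<inode>]" form
		}
		cache[ino] = append(cache[ino], pid)
	}
	for _, pids := range cache {
		sort.Ints(pids) // assumption: lowest PID stands in for the entry point
	}
	return cache, nil
}

func main() {
	cache, err := seedPidsInMntns("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for ino, pids := range cache {
		fmt.Printf("mnt:[%d] -> %d pids, first %d\n", ino, len(pids), pids[0])
	}
}
```

A PID collected this way can exit at any time, so a consumer that opens `/proc/<pid>/root` through the cache still has to handle a stale entry and fall back to the next PID in the list.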