From 2adc6a06d685e7eb52f8818851bd3d7fa8abfe1f Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Fri, 10 May 2024 09:10:54 +0200
Subject: [PATCH] fix(modern): extract the scap vpid instead of the pid
Signed-off-by: Andrea Terzolo
---
 .../events/syscall_dispatched_events/socket.bpf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c
index 476dffb0c2..a2d3afd19a 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c
@@ -77,7 +77,11 @@ int BPF_PROG(socket_x,
 if(ret >= 0 && maps__get_socket_file_ops() == NULL)
 {
 struct task_struct *task = get_current_task();
- pid_t tgid = extract__task_xid_nr(task, PIDTYPE_TGID);
+ /* Please note that in `g_settings.scap_pid` scap will put its virtual pid * if it is running inside a container. If we want to extract the same information * in the kernel we need to extract the virtual pid of the task. */
+ pid_t vpid = extract__task_xid_vnr(task, PIDTYPE_TGID);
 /* it means that scap is performing the calibration */
 if(tgid == maps__get_scap_pid())
 {
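Review bot: The condition `if(tgid == maps__get_scap_pid())` on the unchanged line after the new declaration still reads `tgid`, whose declaration this hunk removes in favour of `vpid`. Unless another `tgid` is declared earlier in `socket_x` (the function starts and continues outside the hunk), the program will not build. If one is in scope, the check still compares a value that is not the namespace-relative pid, so the calibration match would keep failing when scap runs inside a container. The comparison should use the new variable: `if(vpid == maps__get_scap_pid())`. It would also help to extend the new comment with what happens when the match never succeeds, since that is the case this fix exists to avoid.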