fix(modern): extract the scap vpid instead of the pid

Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · May 10, 2024 · 5a013f8 · 5a013f8
1 parent 81068b8
commit 5a013f8
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/socket.bpf.c
@@ -77,9 +77,13 @@ int BPF_PROG(socket_x,
 	if(ret >= 0 && maps__get_socket_file_ops() == NULL)
 	{
 		struct task_struct *task = get_current_task();
-		pid_t tgid = extract__task_xid_nr(task, PIDTYPE_TGID);
+		/* Please note that in `g_settings.scap_pid` scap will put its virtual pid
+		 * if it is running inside a container. If we want to extract the same information
+		 * in the kernel we need to extract the virtual pid of the task.
+		 */
+		pid_t vpid = extract__task_xid_vnr(task, PIDTYPE_TGID);
 		/* it means that scap is performing the calibration */
-		if(tgid == maps__get_scap_pid())
+		if(vpid == maps__get_scap_pid())
 		{
 			struct file *f = extract__file_struct_from_fd(ret);
 			if(f)