[CWS] skip rawpacket event when no process context

DataDog · Nov 25, 2024 · ec57f54 · ec57f54
1 parent 88729a6
commit ec57f54
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/pkg/security/ebpf/c/include/helpers/network.h b/pkg/security/ebpf/c/include/helpers/network.h
@@ -5,15 +5,15 @@
 #include "constants/macros.h"
 #include "maps.h"
 
-__attribute__((always_inline)) u32 get_flow_pid(struct pid_route_t *key) {
+__attribute__((always_inline)) s64 get_flow_pid(struct pid_route_t *key) {
     u32 *value = bpf_map_lookup_elem(&flow_pid, key);
     if (!value) {
         // Try with IP set to 0.0.0.0
         key->addr[0] = 0;
         key->addr[1] = 0;
         value = bpf_map_lookup_elem(&flow_pid, key);
         if (!value) {
-            return 0;
+            return -1;
         }
     }
 

diff --git a/pkg/security/ebpf/c/include/hooks/network/tc.h b/pkg/security/ebpf/c/include/hooks/network/tc.h
@@ -60,6 +60,11 @@ int classifier_raw_packet_ingress(struct __sk_buff *skb) {
         return ACT_OK;
     }
 
+    // do not handle packet without process context
+    if (pkt->pid < 0) {
+        return ACT_OK;
+    }
+
     if (prepare_raw_packet_event(skb) != ACT_OK) {
         return ACT_OK;
     }
@@ -76,6 +81,11 @@ int classifier_raw_packet_egress(struct __sk_buff *skb) {
         return ACT_OK;
     }
 
+    // do not handle packet without process context
+    if (pkt->pid < 0) {
+        return ACT_OK;
+    }
+
     if (prepare_raw_packet_event(skb) != ACT_OK) {
         return ACT_OK;
     }

diff --git a/pkg/security/ebpf/c/include/structs/network.h b/pkg/security/ebpf/c/include/structs/network.h
@@ -64,7 +64,7 @@ struct packet_t {
     struct namespaced_flow_t translated_ns_flow;
 
     u32 offset;
-    u32 pid;
+    s64 pid;
     u32 payload_len;
     u16 l4_protocol;
 };