Revert "ebpf: Ignore kernel threads during clone events"

This reverts commit 63c854f. The previous commit fixes an issue where user processes that start from a kernel thread miss parent info. This patch reverts a commit that avoids sending clone events to the user. We still do not generate any events for these, but it allows us to have our internal data structures (i.e. execve_map and processLRU up-to-date). Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
cilium · Feb 12, 2024 · f59a334 · f59a334
1 parent af89c1c
commit f59a334
Showing 1 changed file with 1 addition and 6 deletions.
diff --git a/bpf/process/bpf_fork.c b/bpf/process/bpf_fork.c
@@ -23,16 +23,11 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task)
 	struct execve_map_value *curr, *parent;
 	struct msg_clone_event msg;
 	u64 msg_size = sizeof(struct msg_clone_event);
-	u32 flags, tgid = 0;
+	u32 tgid = 0;
 
 	if (!task)
 		return 0;
 
-	/* We do not care about kernel threads. */
-	flags = BPF_CORE_READ(task, flags);
-	if (flags & PF_KTHREAD)
-		return 0;
-
 	tgid = BPF_CORE_READ(task, tgid);
 
 	/* Do not try to create any msg or calling execve_map_get