From f59a334cc4fedf18d17a754e85f88701ec34ef2e Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Mon, 12 Feb 2024 16:02:45 +0000 Subject: [PATCH] Revert "ebpf: Ignore kernel threads during clone events" This reverts commit 63c854f33547c6cfc57483de54a4af6b13d43c7e. The previous commit fixes an issue where user processes that start from a kernel thread miss parent info. This patch reverts a commit that avoids sending clone events to the user. We still do not generate any events for these, but it allows us to have our internal data structures (i.e. execve_map and processLRU up-to-date). Signed-off-by: Anastasios Papagiannis --- bpf/process/bpf_fork.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/bpf/process/bpf_fork.c b/bpf/process/bpf_fork.c index 55ffe2d7582..f4b8e0f1215 100644 --- a/bpf/process/bpf_fork.c +++ b/bpf/process/bpf_fork.c @@ -23,16 +23,11 @@ BPF_KPROBE(event_wake_up_new_task, struct task_struct *task) struct execve_map_value *curr, *parent; struct msg_clone_event msg; u64 msg_size = sizeof(struct msg_clone_event); - u32 flags, tgid = 0; + u32 tgid = 0; if (!task) return 0; - /* We do not care about kernel threads. */ - flags = BPF_CORE_READ(task, flags); - if (flags & PF_KTHREAD) - return 0; - tgid = BPF_CORE_READ(task, tgid); /* Do not try to create any msg or calling execve_map_get
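Review bot: With the `PF_KTHREAD` early return removed from `event_wake_up_new_task`, nothing in this hunk shows what keeps clone events for kernel threads from reaching user space, although the commit message states "We still do not generate any events for these". Rather than deleting the `/* We do not care about kernel threads. */` comment outright, replace it at the same spot with a short comment saying that kernel threads are now deliberately tracked so that `execve_map` and processLRU stay up to date, and naming where their events are filtered, so a later reader does not reintroduce the check. Every kernel thread that hits this probe now continues past the `tgid` read, so the commit message should also say whether the extra entries matter for `execve_map` capacity.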