[CWS] process cache entry refcount fixes (#36412)

(cherry picked from commit 7b87646)

Author: safchain

pkg/security/ebpf/map.go

@@ -164,3 +164,10 @@ var (
 	// BufferSelectorDNSResponseFilteredMonitorKey is the key used to select the filtered DNS responses
 	BufferSelectorDNSResponseFilteredMonitorKey = Uint32MapItem(4)
 )
+
+// Map is the interface for all eBPF maps
+type Map interface {
+	LookupBytes(interface{}) ([]byte, error)
+	Put(interface{}, interface{}) error
+	Delete(interface{}) error
+}

pkg/security/resolvers/process/resolver_ebpf.go

@@ -29,6 +29,7 @@ import (
 	"go.uber.org/atomic"
 
 	"github.com/DataDog/datadog-agent/pkg/process/procutil"
+	"github.com/DataDog/datadog-agent/pkg/security/ebpf"
 	"github.com/DataDog/datadog-agent/pkg/security/metrics"
 	"github.com/DataDog/datadog-agent/pkg/security/probe/config"
 	"github.com/DataDog/datadog-agent/pkg/security/probe/managerhelper"
@@ -77,9 +78,9 @@ type EBPFResolver struct {
 	pathResolver      spath.ResolverInterface
 	envVarsResolver   *envvars.Resolver
 
-	inodeFileMap *lib.Map
-	procCacheMap *lib.Map
-	pidCacheMap  *lib.Map
+	inodeFileMap ebpf.Map
+	procCacheMap ebpf.Map
+	pidCacheMap  ebpf.Map
 	opts         ResolverOpts
 
 	// stats
@@ -564,15 +565,16 @@ func (p *EBPFResolver) RetrieveFileFieldsFromProcfs(filename string) (*model.Fil
 	return &fileFields, nil
 }
 
-func (p *EBPFResolver) insertEntry(entry, prev *model.ProcessCacheEntry, source uint64) {
+func (p *EBPFResolver) insertEntry(entry *model.ProcessCacheEntry, source uint64) {
 	entry.Source = source
-	p.entryCache[entry.Pid] = entry
-	entry.Retain()
 
-	if prev != nil {
+	if prev := p.entryCache[entry.Pid]; prev != nil {
 		prev.Release()
 	}
 
+	p.entryCache[entry.Pid] = entry
+	entry.Retain()
+
 	if p.cgroupResolver != nil && entry.CGroup.CGroupID != "" {
 		// add the new PID in the right cgroup_resolver bucket
 		p.cgroupResolver.AddPID(entry)
@@ -591,7 +593,6 @@ func (p *EBPFResolver) insertEntry(entry, prev *model.ProcessCacheEntry, source
 }
 
 func (p *EBPFResolver) insertForkEntry(entry *model.ProcessCacheEntry, inode uint64, source uint64, newEntryCb func(*model.ProcessCacheEntry, error)) {
-
 	if entry.Pid == 0 {
 		return
 	}
@@ -619,7 +620,7 @@ func (p *EBPFResolver) insertForkEntry(entry *model.ProcessCacheEntry, inode uin
 		}
 	}
 
-	p.insertEntry(entry, prev, source)
+	p.insertEntry(entry, source)
 }
 
 func (p *EBPFResolver) insertExecEntry(entry *model.ProcessCacheEntry, inode uint64, source uint64) {
@@ -634,7 +635,7 @@ func (p *EBPFResolver) insertExecEntry(entry *model.ProcessCacheEntry, inode uin
 			p.inodeErrStats.Inc()
 		}
 
-		// check exec bomb
+		// check exec bomb, keep the prev entry and update it
 		if prev.Equals(entry) {
 			prev.ApplyExecTimeOf(entry)
 			return
@@ -644,7 +645,7 @@ func (p *EBPFResolver) insertExecEntry(entry *model.ProcessCacheEntry, inode uin
 		entry.IsParentMissing = true
 	}
 
-	p.insertEntry(entry, prev, source)
+	p.insertEntry(entry, source)
 }
 
 func (p *EBPFResolver) deleteEntry(pid uint32, exitTime time.Time) {
@@ -706,7 +707,7 @@ func (p *EBPFResolver) resolve(pid, tid uint32, inode uint64, useProcFS bool, ne
 
 	if p.procFallbackLimiter.Allow(pid) {
 		// fallback to /proc, the in-kernel LRU may have deleted the entry
-		if entry := p.resolveFromProcfs(pid, procResolveMaxDepth, newEntryCb); entry != nil {
+		if entry := p.resolveFromProcfs(pid, inode, procResolveMaxDepth, newEntryCb); entry != nil {
 			p.hitsStats[metrics.ProcFSTag].Inc()
 			return entry
 		}
@@ -950,13 +951,13 @@ func (p *EBPFResolver) resolveFromKernelMaps(pid, tid uint32, inode uint64, newE
 }
 
 // ResolveFromProcfs resolves the entry from procfs
-func (p *EBPFResolver) ResolveFromProcfs(pid uint32, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry {
+func (p *EBPFResolver) ResolveFromProcfs(pid uint32, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry {
 	p.Lock()
 	defer p.Unlock()
-	return p.resolveFromProcfs(pid, procResolveMaxDepth, newEntryCb)
+	return p.resolveFromProcfs(pid, inode, procResolveMaxDepth, newEntryCb)
 }
 
-func (p *EBPFResolver) resolveFromProcfs(pid uint32, maxDepth int, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry {
+func (p *EBPFResolver) resolveFromProcfs(pid uint32, inode uint64, maxDepth int, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry {
 	if maxDepth < 1 {
 		seclog.Tracef("max depth reached during procfs resolution: %d", pid)
 		return nil
@@ -986,10 +987,12 @@ func (p *EBPFResolver) resolveFromProcfs(pid uint32, maxDepth int, newEntryCb fu
 
 	ppid := uint32(filledProc.Ppid)
 	if ppid != 0 && p.entryCache[ppid] == nil {
-		p.resolveFromProcfs(ppid, maxDepth-1, newEntryCb)
+		// do not use the inode from the pid context on the parent
+		// it may be a different process
+		p.resolveFromProcfs(ppid, 0, maxDepth-1, newEntryCb)
 	}
 
-	return p.newEntryFromProcfsAndSyncKernelMaps(proc, filledProc, model.ProcessCacheEntryFromProcFS, newEntryCb)
+	return p.newEntryFromProcfsAndSyncKernelMaps(proc, filledProc, inode, model.ProcessCacheEntryFromProcFS, newEntryCb)
 }
 
 // SetProcessArgs set arguments to cache entry
@@ -1284,7 +1287,7 @@ func (p *EBPFResolver) SyncCache(proc *process.Process) {
 		return
 	}
 
-	p.newEntryFromProcfsAndSyncKernelMaps(proc, filledProc, model.ProcessCacheEntryFromSnapshot, nil)
+	p.newEntryFromProcfsAndSyncKernelMaps(proc, filledProc, 0, model.ProcessCacheEntryFromSnapshot, nil)
 }
 
 func (p *EBPFResolver) setAncestor(pce *model.ProcessCacheEntry) {
@@ -1294,20 +1297,52 @@ func (p *EBPFResolver) setAncestor(pce *model.ProcessCacheEntry) {
 	}
 }
 
+func (p *EBPFResolver) syncKernelMaps(entry *model.ProcessCacheEntry) {
+	bootTime := p.timeResolver.GetBootTime()
+
+	// insert new entry in kernel maps
+	procCacheEntryB := make([]byte, 248)
+	_, err := entry.Process.MarshalProcCache(procCacheEntryB, bootTime)
+	if err != nil {
+		seclog.Errorf("couldn't marshal proc_cache entry: %s", err)
+	} else {
+		if err = p.procCacheMap.Put(entry.Cookie, procCacheEntryB); err != nil {
+			seclog.Errorf("couldn't push proc_cache entry to kernel space: %s", err)
+		}
+	}
+	pidCacheEntryB := make([]byte, 88)
+	_, err = entry.Process.MarshalPidCache(pidCacheEntryB, bootTime)
+	if err != nil {
+		seclog.Errorf("couldn't marshal pid_cache entry: %s", err)
+	} else {
+		if err = p.pidCacheMap.Put(entry.PIDContext.Pid, pidCacheEntryB); err != nil {
+			seclog.Errorf("couldn't push pid_cache entry to kernel space: %s", err)
+		}
+	}
+}
+
 // newEntryFromProcfsAndSyncKernelMaps snapshots /proc for the provided pid and sync the kernel maps
-func (p *EBPFResolver) newEntryFromProcfsAndSyncKernelMaps(proc *process.Process, filledProc *utils.FilledProcess, source uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry {
+func (p *EBPFResolver) newEntryFromProcfsAndSyncKernelMaps(proc *process.Process, filledProc *utils.FilledProcess, inode uint64, source uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry {
 	pid := uint32(proc.Pid)
 
 	entry := p.NewProcessCacheEntry(model.PIDContext{Pid: pid, Tid: pid})
 
 	// update the cache entry
 	if err := p.enrichEventFromProcfs(entry, proc, filledProc); err != nil {
-		entry.Release()
-
 		seclog.Trace(err)
 		return nil
 	}
 
+	// use the inode from the pid context if set so that we don't propagate a potentially wrong inode
+	if inode != 0 {
+		if entry.FileEvent.Inode != inode {
+			seclog.Errorf("inode mismatch, using inode from pid context %d: %d != %d", pid, entry.FileEvent.Inode, inode)
+
+			entry.FileEvent.Inode = inode
+			entry.IsParentMissing = true
+		}
+	}
+
 	entry.IsKworker = filledProc.Ppid == 0 && filledProc.Pid != 1
 
 	parent := p.entryCache[entry.PPid]
@@ -1325,29 +1360,9 @@ func (p *EBPFResolver) newEntryFromProcfsAndSyncKernelMaps(proc *process.Process
 		seclog.Debugf("unable to set the type of process, not pid 1, no parent in cache: %+v", entry)
 	}
 
-	p.insertEntry(entry, p.entryCache[pid], source)
+	p.insertEntry(entry, source)
 
-	bootTime := p.timeResolver.GetBootTime()
-
-	// insert new entry in kernel maps
-	procCacheEntryB := make([]byte, 248)
-	_, err := entry.Process.MarshalProcCache(procCacheEntryB, bootTime)
-	if err != nil {
-		seclog.Errorf("couldn't marshal proc_cache entry: %s", err)
-	} else {
-		if err = p.procCacheMap.Put(entry.Cookie, procCacheEntryB); err != nil {
-			seclog.Errorf("couldn't push proc_cache entry to kernel space: %s", err)
-		}
-	}
-	pidCacheEntryB := make([]byte, 88)
-	_, err = entry.Process.MarshalPidCache(pidCacheEntryB, bootTime)
-	if err != nil {
-		seclog.Errorf("couldn't marshal pid_cache entry: %s", err)
-	} else {
-		if err = p.pidCacheMap.Put(pid, pidCacheEntryB); err != nil {
-			seclog.Errorf("couldn't push pid_cache entry to kernel space: %s", err)
-		}
-	}
+	p.syncKernelMaps(entry)
 
 	seclog.Tracef("New process cache entry added: %s %s %d/%d", entry.Comm, entry.FileEvent.PathnameStr, pid, entry.FileEvent.Inode)
 

pkg/security/resolvers/process/resolver_test.go

@@ -9,21 +9,83 @@
 package process
 
 import (
+	"encoding/binary"
+	"errors"
 	"fmt"
+	"os"
 	"testing"
 	"time"
 
 	"github.com/avast/retry-go/v4"
 	"github.com/stretchr/testify/assert"
 
+	"github.com/DataDog/datadog-agent/pkg/security/probe/config"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers/cgroup"
+	"github.com/DataDog/datadog-agent/pkg/security/resolvers/container"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers/path"
 	"github.com/DataDog/datadog-agent/pkg/security/resolvers/usergroup"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/model"
 	"github.com/DataDog/datadog-agent/pkg/util/ktime"
 	"github.com/DataDog/datadog-go/v5/statsd"
 )
 
+type fakeEBPMap struct {
+	data map[string]interface{}
+}
+
+func newFakeEBPMap() *fakeEBPMap {
+	return &fakeEBPMap{
+		data: make(map[string]interface{}),
+	}
+}
+
+func (f *fakeEBPMap) marshal(i interface{}) ([]byte, error) {
+	switch value := i.(type) {
+	case []byte:
+		return value, nil
+	case uint32:
+		return binary.NativeEndian.AppendUint32(make([]byte, 0, 4), value), nil
+	case uint64:
+		return binary.NativeEndian.AppendUint64(make([]byte, 0, 8), value), nil
+	default:
+		return nil, fmt.Errorf("unsupported type %T", value)
+	}
+}
+
+func (f *fakeEBPMap) LookupBytes(key interface{}) ([]byte, error) {
+	keyB, err := f.marshal(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if value, ok := f.data[string(keyB)]; ok {
+		if b, ok := value.([]byte); ok {
+			return b, nil
+		}
+	}
+	return nil, errors.New("not found")
+}
+
+func (f *fakeEBPMap) Put(key, value interface{}) error {
+	keyB, err := f.marshal(key)
+	if err != nil {
+		return err
+	}
+
+	f.data[string(keyB)] = value
+	return nil
+}
+
+func (f *fakeEBPMap) Delete(key interface{}) error {
+	keyB, err := f.marshal(key)
+	if err != nil {
+		return err
+	}
+
+	delete(f.data, string(keyB))
+	return nil
+}
+
 func newFakeForkEvent(ppid, pid int, inode uint64, resolver *EBPFResolver) *model.Event {
 	e := model.NewFakeEvent()
 	e.Type = uint32(model.ForkEventType)
@@ -83,7 +145,9 @@ func newResolver() (*EBPFResolver, error) {
 		return nil, err
 	}
 
-	resolver, err := NewEBPFResolver(nil, nil, &statsd.NoOpClient{}, nil, nil, nil, cgroupsResolver, userGroupResolver, timeResolver, &path.NoOpResolver{}, nil, NewResolverOpts())
+	containerResolver := container.New()
+
+	resolver, err := NewEBPFResolver(nil, &config.Config{}, &statsd.NoOpClient{}, nil, containerResolver, nil, cgroupsResolver, userGroupResolver, timeResolver, &path.NoOpResolver{}, nil, NewResolverOpts())
 	if err != nil {
 		return nil, err
 	}
@@ -232,6 +296,27 @@ func TestForkExec(t *testing.T) {
 	testCacheSize(t, resolver)
 }
 
+func TestResolveFromProcfs(t *testing.T) {
+	resolver, err := newResolver()
+	if err != nil {
+		t.Fatal()
+	}
+	resolver.procCacheMap = newFakeEBPMap()
+	resolver.pidCacheMap = newFakeEBPMap()
+	resolver.inodeFileMap = newFakeEBPMap()
+
+	// use self pid so that the procfs entry exists and we have the permissions to read it
+	pid := os.Getpid()
+
+	t.Run("sanitize-inode", func(t *testing.T) {
+		entry := resolver.resolveFromProcfs(uint32(pid), 222, 1, func(pce *model.ProcessCacheEntry, _ error) {
+			assert.Equal(t, uint64(222), pce.FileEvent.Inode)
+			assert.True(t, pce.IsParentMissing)
+		})
+		assert.NotNil(t, entry)
+	})
+}
+
 func TestOrphanExec(t *testing.T) {
 	resolver, err := newResolver()
 	if err != nil {
@@ -746,15 +831,15 @@ func TestIsExecExecSnapshot(t *testing.T) {
 	child3 := newFakeExecEvent(3, 4, 769, resolver)
 
 	// X(pid:3)
-	resolver.insertEntry(parent.ProcessCacheEntry, nil, model.ProcessCacheEntryFromSnapshot)
+	resolver.insertEntry(parent.ProcessCacheEntry, model.ProcessCacheEntryFromSnapshot)
 	assert.Equal(t, parent.ProcessCacheEntry, resolver.entryCache[parent.ProcessCacheEntry.Pid])
 	assert.Equal(t, 1, len(resolver.entryCache))
 
 	// X(pid:3)
 	//    |
 	// X(pid:4)
 	resolver.setAncestor(child.ProcessCacheEntry)
-	resolver.insertEntry(child.ProcessCacheEntry, nil, model.ProcessCacheEntryFromSnapshot)
+	resolver.insertEntry(child.ProcessCacheEntry, model.ProcessCacheEntryFromSnapshot)
 	assert.Equal(t, child.ProcessCacheEntry, resolver.entryCache[child.ProcessCacheEntry.Pid])
 	assert.Equal(t, 2, len(resolver.entryCache))
 	assert.Equal(t, parent.ProcessCacheEntry, child.ProcessCacheEntry.Ancestor)

pkg/security/secl/model/model.go

@@ -461,8 +461,8 @@ func (pc *ProcessCacheEntry) callReleaseCallbacks() {
 
 // Release decrement and eventually release the entry
 func (pc *ProcessCacheEntry) Release() {
-	pc.refCount--
-	if pc.refCount > 0 {
+	if pc.refCount > 1 {
+		pc.refCount--
 		return
 	}
 

pkg/security/seclwin/model/model.go

@@ -2284,7 +2284,7 @@ func TestProcessResolution(t *testing.T) {
 
 		// This makes use of the cache and do not parse /proc
 		// it still checks the ResolveFromProcfs returns the correct entry
-		procEntry := resolver.ResolveFromProcfs(pid, nil)
+		procEntry := resolver.ResolveFromProcfs(pid, 0, nil)
 		if procEntry == nil {
 			t.Errorf("not able to resolve the entry of pid %d", pid)
 			return