uprobe: fix uprobe trigger triggered from multiple tracee instances (#2230)

AsafEitani · web-flow · commit f44a4355070f · 2022-10-13T11:38:28.000+03:00
Fixes the issue that multiple tracee instances are all invoking the uprobe trigger events for each instance. Fixes: #2225
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -3689,6 +3689,7 @@ SEC("uprobe/trigger_syscall_event")
 int uprobe_syscall_trigger(struct pt_regs *ctx)
 {
     u64 caller_ctx_id = 0;
+    u32 trigger_pid = bpf_get_current_pid_tgid() >> 32;
 
     // clang-format off
     //
@@ -3720,6 +3721,10 @@ int uprobe_syscall_trigger(struct pt_regs *ctx)
     if (!init_event_data(&data, ctx))
         return 0;
 
+    // uprobe was triggered from other tracee instance
+    if (data.config->tracee_pid != trigger_pid)
+        return 0;
+
     int key = 0;
     // TODO: https://github.com/aquasecurity/tracee/issues/2055
     if (bpf_map_lookup_elem(&syscalls_to_check_map, (void *) &key) == NULL)
@@ -3761,6 +3766,7 @@ int uprobe_seq_ops_trigger(struct pt_regs *ctx)
     u64 caller_ctx_id = 0;
     u64 *address_array = NULL;
     u64 struct_address;
+    u32 trigger_pid = bpf_get_current_pid_tgid() >> 32;
 
     // clang-format off
     //
@@ -3795,6 +3801,10 @@ int uprobe_seq_ops_trigger(struct pt_regs *ctx)
     if (!init_event_data(&data, ctx))
         return 0;
 
+    // uprobe was triggered from other tracee instance
+    if (data.config->tracee_pid != trigger_pid)
+        return 0;
+
     u32 count_off = data.buf_off + 1;
     save_u64_arr_to_buf(&data, NULL, 0, 0); // init u64 array with size 0
 
