fix process names

Signed-off-by: Jaehyun Nam <[email protected]>

KubeArmor/monitor/hostLogUpdate.go

@@ -25,7 +25,7 @@ func (mon *SystemMonitor) UpdateHostLogs() {
 			}
 
 			// generate a log
-			log := mon.BuildLogBase(msg)
+			log := mon.BuildLogBase(msg.ContextSys.EventID, msg)
 
 			switch msg.ContextSys.EventID {
 			case SysOpen:

KubeArmor/monitor/logUpdate.go

@@ -51,7 +51,7 @@ func (mon *SystemMonitor) UpdateContainerInfoByContainerID(log tp.Log) tp.Log {
 }
 
 // BuildLogBase Function
-func (mon *SystemMonitor) BuildLogBase(msg ContextCombined) tp.Log {
+func (mon *SystemMonitor) BuildLogBase(eventID int32, msg ContextCombined) tp.Log {
 	log := tp.Log{}
 
 	timestamp, updatedTime := kl.GetDateTimeNow()
@@ -80,7 +80,11 @@ func (mon *SystemMonitor) BuildLogBase(msg ContextCombined) tp.Log {
 	log.PID = int32(msg.ContextSys.PID)
 	log.UID = int32(msg.ContextSys.UID)
 
-	log.Source = mon.GetCommand(msg.ContainerID, msg.ContextSys.HostPID)
+	if msg.ContextSys.EventID == SysExecve || msg.ContextSys.EventID == SysExecveAt {
+		log.Source = mon.GetParentExecPath(msg.ContainerID, msg.ContextSys.HostPID)
+	} else {
+		log.Source = mon.GetCommand(msg.ContainerID, msg.ContextSys.HostPID)
+	}
 
 	log.ParentProcessName = mon.GetExecPath(msg.ContainerID, msg.ContextSys.HostPPID)
 	log.ProcessName = mon.GetExecPath(msg.ContainerID, msg.ContextSys.HostPID)
@@ -90,36 +94,27 @@ func (mon *SystemMonitor) BuildLogBase(msg ContextCombined) tp.Log {
 
 // UpdateLogBase Function (SYS_EXECVE, SYS_EXECVEAT)
 func (mon *SystemMonitor) UpdateLogBase(eventID int32, log tp.Log) tp.Log {
-	if log.ParentProcessName == "" || strings.HasPrefix(log.ParentProcessName, "/") {
-		parentProcessName := mon.GetExecPath(log.ContainerID, uint32(log.HostPPID))
+	if log.ParentProcessName == "" || !strings.HasPrefix(log.ParentProcessName, "/") {
+		parentProcessName := mon.GetParentExecPath(log.ContainerID, uint32(log.HostPID))
 		if parentProcessName != "" {
 			log.ParentProcessName = parentProcessName
 		}
 	}
 
-	if log.ProcessName == "" || strings.HasPrefix(log.ProcessName, "/") {
+	if log.ProcessName == "" || !strings.HasPrefix(log.ProcessName, "/") {
 		processName := mon.GetExecPath(log.ContainerID, uint32(log.HostPID))
 		if processName != "" {
 			log.ProcessName = processName
 		}
 	}
 
-	if log.Source == "" || strings.HasPrefix(log.Source, "/") {
-		source := mon.GetCommand(log.ContainerID, uint32(log.HostPID))
+	if log.Source == "" || !strings.HasPrefix(log.Source, "/") {
+		source := mon.GetExecPath(log.ContainerID, uint32(log.HostPPID))
 		if source != "" {
 			log.Source = source
 		}
 	}
 
-	if !strings.HasPrefix(log.Resource, "/") {
-		resource := strings.Split(log.Resource, " ")
-		if len(resource) == 1 {
-			log.Resource = log.Source
-		} else {
-			log.Resource = log.Source + " " + strings.Join(resource[1:], " ")
-		}
-	}
-
 	return log
 }
 
@@ -136,7 +131,7 @@ func (mon *SystemMonitor) UpdateLogs() {
 			}
 
 			// generate a log
-			log := mon.BuildLogBase(msg)
+			log := mon.BuildLogBase(msg.ContextSys.EventID, msg)
 
 			switch msg.ContextSys.EventID {
 			case SysOpen:

KubeArmor/monitor/processTree.go

@@ -77,7 +77,7 @@ func (mon *SystemMonitor) BuildPidNode(containerID string, ctx SyscallContext, e
 	node.ParentExecPath = mon.GetExecPath(containerID, ctx.HostPPID)
 	node.ExecPath = execPath
 
-	node.Source = node.ParentExecPath
+	node.Source = execPath
 	node.Args = ""
 
 	for idx, arg := range args {
@@ -141,32 +141,36 @@ func (mon *SystemMonitor) UpdateExecPath(containerID string, hostPid uint32, exe
 	}
 }
 
-// GetExecPath Function
-func (mon *SystemMonitor) GetExecPath(containerID string, hostPid uint32) string {
+// GetParentExecPath Function
+func (mon *SystemMonitor) GetParentExecPath(containerID string, hostPid uint32) string {
 	ActiveHostPidMap := *(mon.ActiveHostPidMap)
 	ActivePidMapLock := *(mon.ActivePidMapLock)
 
 	ActivePidMapLock.Lock()
 	defer ActivePidMapLock.Unlock()
 
+	ppid := uint32(0)
+
 	if pidMap, ok := ActiveHostPidMap[containerID]; ok {
 		if node, ok := pidMap[hostPid]; ok {
-			if node.ExecPath != "/" && strings.HasPrefix(node.ExecPath, "/") {
-				return node.ExecPath
+			if node.ParentExecPath != "/" && strings.HasPrefix(node.ParentExecPath, "/") {
+				return node.ParentExecPath
 			}
 		}
 	}
 
-	// just in case that it couldn't still get the full path
-	if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(hostPid), 10) + "/exe"); err == nil && data != "" && data != "/" {
-		return data
+	if ppid > 0 {
+		// just in case that it couldn't still get the full path
+		if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(ppid), 10) + "/exe"); err == nil && data != "" && data != "/" {
+			return data
+		}
 	}
 
 	return ""
 }
 
-// GetCommand Function
-func (mon *SystemMonitor) GetCommand(containerID string, hostPid uint32) string {
+// GetExecPath Function
+func (mon *SystemMonitor) GetExecPath(containerID string, hostPid uint32) string {
 	ActiveHostPidMap := *(mon.ActiveHostPidMap)
 	ActivePidMapLock := *(mon.ActivePidMapLock)
 
@@ -175,15 +179,22 @@ func (mon *SystemMonitor) GetCommand(containerID string, hostPid uint32) string
 
 	if pidMap, ok := ActiveHostPidMap[containerID]; ok {
 		if node, ok := pidMap[hostPid]; ok {
-			return node.Source
+			if node.ExecPath != "/" && strings.HasPrefix(node.ExecPath, "/") {
+				return node.ExecPath
+			}
 		}
 	}
 
+	// just in case that it couldn't still get the full path
+	if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(hostPid), 10) + "/exe"); err == nil && data != "" && data != "/" {
+		return data
+	}
+
 	return ""
 }
 
-// GetCommandWithArgs Function
-func (mon *SystemMonitor) GetCommandWithArgs(containerID string, hostPid uint32) string {
+// GetCommand Function
+func (mon *SystemMonitor) GetCommand(containerID string, hostPid uint32) string {
 	ActiveHostPidMap := *(mon.ActiveHostPidMap)
 	ActivePidMapLock := *(mon.ActivePidMapLock)
 
@@ -199,6 +210,11 @@ func (mon *SystemMonitor) GetCommandWithArgs(containerID string, hostPid uint32)
 		}
 	}
 
+	// just in case that it couldn't still get the full path
+	if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(hostPid), 10) + "/exe"); err == nil && data != "" && data != "/" {
+		return data
+	}
+
 	return ""
 }
 

KubeArmor/monitor/systemMonitor.go

@@ -508,7 +508,7 @@ func (mon *SystemMonitor) TraceSyscall() {
 					mon.AddActivePid(containerID, pidNode)
 
 					// generate a log with the base information
-					log := mon.BuildLogBase(ContextCombined{ContainerID: containerID, ContextSys: ctx})
+					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx})
 
 					// add arguments
 					if val, ok := args[0].(string); ok {
@@ -566,7 +566,7 @@ func (mon *SystemMonitor) TraceSyscall() {
 					mon.AddActivePid(containerID, pidNode)
 
 					// generate a log with the base information
-					log := mon.BuildLogBase(ContextCombined{ContainerID: containerID, ContextSys: ctx})
+					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx})
 
 					fd := ""
 					procExecFlag := ""
@@ -691,7 +691,7 @@ func (mon *SystemMonitor) TraceHostSyscall() {
 					mon.AddActivePid("", pidNode)
 
 					// generate a log with the base information
-					log := mon.BuildLogBase(ContextCombined{ContainerID: "", ContextSys: ctx})
+					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: "", ContextSys: ctx})
 
 					// add arguments
 					if val, ok := args[0].(string); ok {
@@ -751,7 +751,7 @@ func (mon *SystemMonitor) TraceHostSyscall() {
 					mon.AddActivePid("", pidNode)
 
 					// generate a log with the base information
-					log := mon.BuildLogBase(ContextCombined{ContainerID: "", ContextSys: ctx})
+					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: "", ContextSys: ctx})
 
 					fd := ""
 					procExecFlag := ""