From 6ea63f72dc317c66bb049967722a061a886a36f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?=
Date: Sun, 16 May 2021 23:58:28 +0200
Subject: [PATCH] make "linux kernel" connections configurable

Sometimes when a new connection is about to be established, we don't get the PID of the process using the eBPF proc monitor method. But in some rare situations, the kernel still holds information about the connection (sock_diag struct basically). We assume that these connections are initiated from kernel space. Per some debugging, this doesn't seem to be always the root cause, so these connections will only be shown if InterceptUnknown config field is set to true.
---
 daemon/procmon/parse.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/procmon/parse.go b/daemon/procmon/parse.go
index 228f2a2f67..dccc954eda 100644
--- a/daemon/procmon/parse.go
+++ b/daemon/procmon/parse.go
@@ -85,7 +85,7 @@ func GetPIDFromINode(inode int, inodeKey string) int {
 // If it exists in /proc, a new Process{} object is returned with the details
 // to identify a process (cmdline, name, environment variables, etc).
 func FindProcess(pid int, interceptUnknown bool) *Process {
- if pid == -100 {
+ if interceptUnknown && pid == -100 {
 return NewProcess(-100, "Linux kernel")
 }
 if interceptUnknown && pid < 0 {
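Review bot: With `interceptUnknown` false, a pid of -100 now skips both guards and falls through to the rest of FindProcess, which lies outside this hunk, so what is returned for a negative pid there cannot be confirmed from here. For a firewall that result matters: if the path yields nil, the caller decides whether traffic with no attributed process is passed without a rule or dropped, and as far as this hunk shows neither outcome leaves a trace. I would make the case explicit right after the two guards, e.g. `if pid < 0 { return nil }` preceded by a debug-level log line, and extend the doc comment with `// When interceptUnknown is false, connections without a resolved PID (including the -100 kernel sentinel) get no placeholder Process.` The literal -100 also appears twice on the new side; a named constant such as `kernelPID` would keep the sentinel in one place.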