search

draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/
Other
7.69k stars 728 forks source link

The tracking of orphan processes is lost. #2048

Closed lclin56 closed 7 months ago

lclin56 commented 7 months ago

I want to trace all descendant processes created after specifying proc.apid=xxx to track them from pid=xxx (for example, the pid of a sh session). However, when I try the following demo, sysdig loses track of the child processes. 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

int main(int argc, char *argv[])
{
    if (argc == 2 && strcmp(argv[1], "child") == 0)
    {
        pid_t pid = fork(); 

        if (pid < 0)
        {
            perror("fork failed");
            exit(EXIT_FAILURE);
        }

        if (pid > 0)
        {
            printf("Parent process (PID %d) is exiting.\n", getpid());
            exit(EXIT_SUCCESS); 
        }

        printf("Child process (PID %d) started.\n", getpid());

        const char *new_name = "newproc";
        prctl(PR_SET_NAME, new_name, 0, 0, 0);

        if (argc > 1)
        {
            char *cmdline = argv[1];
            int i;
            for (i = 1; i < argc; i++)
            {
                memset(argv[i], 0, strlen(argv[i]));
                if (i < argc - 1)
                {
                    argv[i + 1] = argv[i] + strlen(argv[i]) + 1;
                }
            }
            strncpy(argv[0], cmdline, strlen(cmdline));
        }
        while (1)
        {
            sleep(5); 
            printf("Child process (PID %d) is still running...\n", getpid());
        }
    }
    else
    {
        char *newLocation = "/tmp/new_executable";
        char command[256];

        sprintf(command, "cp %s %s", argv[0], newLocation);
        system(command);

        sprintf(command, "chmod +x %s", newLocation);
        system(command);

        execl(newLocation, newLocation, "child", (char *)NULL);
    }

    return 0;
}

After the parent process exits, the child process is managed by the process with pid=1, and at that point, its proc.apid becomes the pid of that process. Considering specifying proc.name or proc.aname in the tracking conditions can solve the issue of losing track of orphan processes when the process name doesn't change. However, in cases like the one in my demo, proc.name or proc.aname also changes. Is there any way to solve my problem? Currently, the only solution I can think of is running the target program inside a container and tracking events for the entire container.

therealbobo commented 7 months ago

Hey @lclin56! Thank you for the issue! As far as I know, the behaviour that you are describing is the expected behaviour and I couldn't think of a way to solve the issue. 🤔 However, this behaviour is not directly managed by sysdig but it's delegated to the libs (https://github.com/falcosecurity/libs , the main building block of sysdig). Feel free to open an issue there! 😄

lclin56 commented 7 months ago

Hey @therealbobo! Thank you for your response. I will try to solve this problem with an alternative approach.