Currently we are using the tracepoint sched_process_fork to intercept fork events.
The output Fork pulsar event has the ppid in it's payload and the metadata in the Header struct (example: pid, image, ecc) belongs to the child process.
The problem is that in the BPF probe attached to sched_process_fork the bpf_get_current_xxx functions return parent data and we are using their output to fill child structures.
To have the event semantically correct, we should make the event relative to the parent process but this is not possible because we have some process details resolved in userspace, for example the image.
Probably the best solution right now is to leave it as child event, maybe renaming it to something else (example: ProcessCreated), and fix the probe to get all data from child struct task_struct.
Currently we are using the tracepoint
sched_process_forkto interceptforkevents.The output
Forkpulsar event has theppidin it's payload and the metadata in theHeaderstruct (example:pid,image, ecc) belongs to the child process.The problem is that in the BPF probe attached to
sched_process_forkthebpf_get_current_xxxfunctions return parent data and we are using their output to fill child structures.To have the event semantically correct, we should make the event relative to the parent process but this is not possible because we have some process details resolved in userspace, for example the
image.Probably the best solution right now is to leave it as child event, maybe renaming it to something else (example:
ProcessCreated), and fix the probe to get all data from childstruct task_struct.