Add 'cgroup' variable scope

cmd/security-agent/subcommands/runtime/command.go

@@ -539,8 +539,13 @@ func eventDataFromJSON(file string) (eval.Event, error) {
 		return nil, errors.New("unknown event type")
 	}
 
-	m := &model.Model{}
-	event := m.NewDefaultEventWithType(kind)
+	event := &model.Event{
+		BaseEvent: model.BaseEvent{
+			Type:             uint32(kind),
+			FieldHandlers:    &model.FakeFieldHandlers{},
+			ContainerContext: &model.ContainerContext{},
+		},
+	}
 	event.Init()
 
 	for k, v := range eventData.Values {

cmd/system-probe/subcommands/runtime/command.go

@@ -533,8 +533,13 @@ func eventDataFromJSON(file string) (eval.Event, error) {
 		return nil, errors.New("unknown event type")
 	}
 
-	m := &model.Model{}
-	event := m.NewDefaultEventWithType(kind)
+	event := &model.Event{
+		BaseEvent: model.BaseEvent{
+			Type:             uint32(kind),
+			FieldHandlers:    &model.FakeFieldHandlers{},
+			ContainerContext: &model.ContainerContext{},
+		},
+	}
 	event.Init()
 
 	for k, v := range eventData.Values {

pkg/security/probe/probe_ebpf.go

@@ -639,7 +639,7 @@ func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventM
 }
 
 func (p *EBPFProbe) unmarshalContexts(data []byte, event *model.Event) (int, error) {
-	read, err := model.UnmarshalBinary(data, &event.PIDContext, &event.SpanContext, event.ContainerContext, &event.CGroupContext)
+	read, err := model.UnmarshalBinary(data, &event.PIDContext, &event.SpanContext, event.ContainerContext, event.CGroupContext)
 	if err != nil {
 		return 0, err
 	}
@@ -675,8 +675,8 @@ func (p *EBPFProbe) unmarshalProcessCacheEntry(ev *model.Event, data []byte) (in
 	entry.Process.ContainerID = ev.ContainerContext.ContainerID
 	entry.ContainerID = ev.ContainerContext.ContainerID
 
-	entry.Process.CGroup.Merge(&ev.CGroupContext)
-	entry.CGroup.Merge(&ev.CGroupContext)
+	entry.Process.CGroup.Merge(ev.CGroupContext)
+	entry.CGroup.Merge(ev.CGroupContext)
 
 	entry.Source = model.ProcessCacheEntryFromEvent
 
@@ -705,7 +705,7 @@ func (p *EBPFProbe) setProcessContext(eventType model.EventType, event *model.Ev
 	}
 
 	// do the same with cgroup context
-	event.CGroupContext = event.ProcessCacheEntry.CGroup
+	event.CGroupContext = &event.ProcessCacheEntry.CGroup
 
 	if process.IsKThread(event.ProcessContext.PPid, event.ProcessContext.Pid) {
 		return false
@@ -823,6 +823,12 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 			seclog.Debugf("Failed to resolve cgroup: %s", err)
 		} else {
 			event.CgroupTracing.CGroupContext = *cgroupContext
+			if cgroupContext.CGroupFlags.IsContainer() {
+				containerID, _ := containerutils.FindContainerID(cgroupContext.CGroupID)
+				event.CgroupTracing.ContainerContext.ContainerID = containerID
+			}
+
+			event.CGroupContext = cgroupContext
 			p.profileManagers.activityDumpManager.HandleCGroupTracingEvent(&event.CgroupTracing)
 		}
 
@@ -839,6 +845,7 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 			if err != nil {
 				seclog.Debugf("Failed to resolve cgroup: %s", err)
 			} else {
+				event.CGroupContext = cgroupContext
 				pce.Process.CGroup = *cgroupContext
 				pce.CGroup = *cgroupContext
 
@@ -1261,6 +1268,9 @@ func (p *EBPFProbe) handleEvent(CPU int, data []byte) {
 	// resolve the container context
 	event.ContainerContext, _ = p.fieldHandlers.ResolveContainerContext(event)
 
+	// resolve the cgroup context
+	event.CGroupContext, _ = p.Resolvers.ResolveCGroupContext(event.CGroupContext.CGroupFile, event.CGroupContext.CGroupFlags)
+
 	// send related events
 	for _, relatedEvent := range relatedEvents {
 		p.DispatchEvent(relatedEvent, true)

pkg/security/resolvers/cgroup/resolver.go

@@ -60,7 +60,10 @@ func NewResolver() (*Resolver, error) {
 	}
 
 	cleanup := func(value *cgroupModel.CacheEntry) {
-		value.CallReleaseCallback()
+		if value.CGroupContext.IsContainer() {
+			value.ContainerContext.CallReleaseCallback()
+		}
+		value.CGroupContext.CallReleaseCallback()
 		value.Deleted.Store(true)
 
 		cr.NotifyListeners(CGroupDeleted, value)

pkg/security/secl/model/model.go

@@ -11,7 +11,6 @@ package model
 import (
 	"net"
 	"reflect"
-	"runtime"
 	"time"
 
 	"modernc.org/mathutil"
@@ -26,30 +25,8 @@ type Model struct {
 	ExtraValidateFieldFnc func(field eval.Field, fieldValue eval.FieldValue) error
 }
 
-var eventZero = Event{BaseEvent: BaseEvent{ContainerContext: &ContainerContext{}, Os: runtime.GOOS}}
 var containerContextZero ContainerContext
 
-// NewEvent returns a new Event
-func (m *Model) NewEvent() eval.Event {
-	return &Event{
-		BaseEvent: BaseEvent{
-			ContainerContext: &ContainerContext{},
-			Os:               runtime.GOOS,
-		},
-	}
-}
-
-// NewDefaultEventWithType returns a new Event for the given type
-func (m *Model) NewDefaultEventWithType(kind EventType) eval.Event {
-	return &Event{
-		BaseEvent: BaseEvent{
-			Type:             uint32(kind),
-			FieldHandlers:    &FakeFieldHandlers{},
-			ContainerContext: &ContainerContext{},
-		},
-	}
-}
-
 // Releasable represents an object than can be released
 type Releasable struct {
 	onReleaseCallbacks []func() `field:"-"`
@@ -178,28 +155,11 @@ func initMember(member reflect.Value, deja map[string]bool) {
 	}
 }
 
-// NewFakeEvent returns a new event using the default field handlers
-func NewFakeEvent() *Event {
-	return &Event{
-		BaseEvent: BaseEvent{
-			FieldHandlers:    &FakeFieldHandlers{},
-			ContainerContext: &ContainerContext{},
-			Os:               runtime.GOOS,
-		},
-	}
-}
-
 // Init initialize the event
 func (e *Event) Init() {
 	initMember(reflect.ValueOf(e).Elem(), map[string]bool{})
 }
 
-// Zero the event
-func (e *Event) Zero() {
-	*e = eventZero
-	*e.BaseEvent.ContainerContext = containerContextZero
-}
-
 // IsSavedByActivityDumps return whether saved by AD
 func (e *Event) IsSavedByActivityDumps() bool {
 	return e.Flags&EventFlagsSavedByAD > 0