Merge pull request #1470 from Prateeknandle/do_exit

fix(systemmonitor):deleting untraced file access entries in file_map
kubearmor · Oct 26, 2023 · 1e36a95 · 1e36a95
2 parents 15ad34e + cfbeb8b
commit 1e36a95
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
@@ -1326,6 +1326,11 @@ int kprobe__do_exit(struct pt_regs *ctx)
     if (skip_syscall())
         return 0;
 
+    u64 tgid = bpf_get_current_pid_tgid();
+
+    // delete entry for file access which are not successful and are not deleted from file_map since kretprobe/__x64_sys_openat hook is not triggered
+    bpf_map_delete_elem(&file_map, &tgid);
+
     sys_context_t context = {};
 
     const long code = PT_REGS_PARM1(ctx);