deleting untraced file access entries in file_map

Signed-off-by: Prateek Nandle <prateeknandle@gmail.com>
kubearmor · Oct 20, 2023 · cfbeb8b · cfbeb8b
1 parent c4270dd
commit cfbeb8b
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
@@ -1326,6 +1326,11 @@ int kprobe__do_exit(struct pt_regs *ctx)
     if (skip_syscall())
         return 0;
 
+    u64 tgid = bpf_get_current_pid_tgid();
+
+    // delete entry for file access which are not successful and are not deleted from file_map since kretprobe/__x64_sys_openat hook is not triggered
+    bpf_map_delete_elem(&file_map, &tgid);
+
     sys_context_t context = {};
 
     const long code = PT_REGS_PARM1(ctx);