Enable time normalization for proctree

Co-authored-by: Alon Zivony <[email protected]>

Author: rscampos

pkg/ebpf/processor_proctree.go

@@ -2,11 +2,11 @@ package ebpf
 
 import (
 	"fmt"
-	"time"
 
 	"github.com/aquasecurity/tracee/pkg/events/parse"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/proctree"
+	traceetime "github.com/aquasecurity/tracee/pkg/time"
 	"github.com/aquasecurity/tracee/pkg/utils"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -75,25 +75,25 @@ func (t *Tracee) procTreeForkProcessor(event *trace.Event) error {
 
 	return t.processTree.FeedFromFork(
 		proctree.ForkFeed{
-			TimeStamp:       childStartTime, // event timestamp is the same
+			TimeStamp:       uint64(t.timeNormalizer.NormalizeTime(int(childStartTime))), // event timestamp is the same
 			ChildHash:       childHash,
 			ParentHash:      parentHash,
 			LeaderHash:      leaderHash,
 			ParentTid:       parentTid,
 			ParentNsTid:     parentNsTid,
 			ParentPid:       parentPid,
 			ParentNsPid:     parentNsPid,
-			ParentStartTime: parentStartTime,
+			ParentStartTime: uint64(t.timeNormalizer.NormalizeTime(int(parentStartTime))),
 			LeaderTid:       leaderTid,
 			LeaderNsTid:     leaderNsTid,
 			LeaderPid:       leaderPid,
 			LeaderNsPid:     leaderNsPid,
-			LeaderStartTime: leaderStartTime,
+			LeaderStartTime: uint64(t.timeNormalizer.NormalizeTime(int(leaderStartTime))),
 			ChildTid:        childTid,
 			ChildNsTid:      childNsTid,
 			ChildPid:        childPid,
 			ChildNsPid:      childNsPid,
-			ChildStartTime:  childStartTime,
+			ChildStartTime:  uint64(t.timeNormalizer.NormalizeTime(int(childStartTime))),
 		},
 	)
 }
@@ -153,7 +153,7 @@ func (t *Tracee) procTreeExecProcessor(event *trace.Event) error {
 
 	return t.processTree.FeedFromExec(
 		proctree.ExecFeed{
-			TimeStamp:         timestamp,
+			TimeStamp:         uint64(t.timeNormalizer.NormalizeTime(int(timestamp))),
 			TaskHash:          taskHash,
 			ParentHash:        0, // regular pipeline does not have parent hash
 			LeaderHash:        0, // regular pipeline does not have leader hash
@@ -204,7 +204,7 @@ func (t *Tracee) procTreeExitProcessor(event *trace.Event) error {
 
 	return t.processTree.FeedFromExit(
 		proctree.ExitFeed{
-			TimeStamp:  timestamp, // time of exit is already a timestamp
+			TimeStamp:  uint64(t.timeNormalizer.NormalizeTime(int(timestamp))), // time of exit is already a timestamp
 			TaskHash:   taskHash,
 			ParentHash: 0, // regular pipeline does not have parent hash
 			LeaderHash: 0, // regular pipeline does not have leader hash
@@ -237,7 +237,7 @@ func (t *Tracee) procTreeAddBinInfo(event *trace.Event) error {
 	}
 
 	// Event timestamp is changed to relative (or not) at the end of all processors only.
-	eventTimestamp := time.Unix(0, int64(event.Timestamp)+int64(t.bootTime))
+	eventTimestamp := traceetime.NsSinceEpochToTime(uint64(t.timeNormalizer.NormalizeTime(event.Timestamp)))
 
 	executable := currentProcess.GetExecutable()
 

pkg/ebpf/tracee.go

@@ -564,7 +564,7 @@ func (t *Tracee) Init(ctx gocontext.Context) error {
 			proctreeConfig.ProcfsInitialization = false
 			proctreeConfig.ProcfsQuerying = false
 		}
-		t.processTree, err = proctree.NewProcessTree(ctx, proctreeConfig)
+		t.processTree, err = proctree.NewProcessTree(ctx, proctreeConfig, t.timeNormalizer)
 		if err != nil {
 			return errfmt.WrapError(err)
 		}

pkg/proctree/proctree.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	traceetime "github.com/aquasecurity/tracee/pkg/time"
 )
 
 //
@@ -72,17 +73,18 @@ type ProcTreeConfig struct {
 
 // ProcessTree is a tree of processes and threads.
 type ProcessTree struct {
-	processes   *lru.Cache[uint32, *Process] // hash -> process
-	threads     *lru.Cache[uint32, *Thread]  // hash -> threads
-	procfsChan  chan int                     // channel of pids to read from procfs
-	procfsOnce  *sync.Once                   // busy loop debug message throttling
-	ctx         context.Context              // context for the process tree
-	mutex       *sync.RWMutex                // mutex for the process tree
-	procfsQuery bool
+	processes      *lru.Cache[uint32, *Process] // hash -> process
+	threads        *lru.Cache[uint32, *Thread]  // hash -> threads
+	procfsChan     chan int                     // channel of pids to read from procfs
+	procfsOnce     *sync.Once                   // busy loop debug message throttling
+	ctx            context.Context              // context for the process tree
+	mutex          *sync.RWMutex                // mutex for the process tree
+	procfsQuery    bool
+	timeNormalizer traceetime.TimeNormalizer
 }
 
 // NewProcessTree creates a new process tree.
-func NewProcessTree(ctx context.Context, config ProcTreeConfig) (*ProcessTree, error) {
+func NewProcessTree(ctx context.Context, config ProcTreeConfig, timeNormalizer traceetime.TimeNormalizer) (*ProcessTree, error) {
 	procEvited := 0
 	thrEvicted := 0
 
@@ -136,11 +138,12 @@ func NewProcessTree(ctx context.Context, config ProcTreeConfig) (*ProcessTree, e
 	}()
 
 	procTree := &ProcessTree{
-		processes:   processes,
-		threads:     threads,
-		ctx:         ctx,
-		mutex:       &sync.RWMutex{},
-		procfsQuery: config.ProcfsQuerying,
+		processes:      processes,
+		threads:        threads,
+		ctx:            ctx,
+		mutex:          &sync.RWMutex{},
+		procfsQuery:    config.ProcfsQuerying,
+		timeNormalizer: timeNormalizer,
 	}
 
 	if config.ProcfsInitialization {

pkg/proctree/proctree_feed.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
-	"github.com/aquasecurity/tracee/pkg/utils"
+	traceetime "github.com/aquasecurity/tracee/pkg/time"
 )
 
 //
@@ -42,6 +42,8 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 	if feed.ChildTid == 0 || feed.ChildPid == 0 {
 		return errfmt.Errorf("invalid child task")
 	}
+
+	feedTimeStamp := traceetime.NsSinceEpochToTime(feed.TimeStamp)
 	// Parent PID or TID might be 0 for init (and docker containers)
 	// if feed.ParentTid == 0 || feed.ParentPid == 0 {
 	// 	return errfmt.Errorf("invalid parent task")
@@ -63,7 +65,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 				Uid:         -1, // do not change the parent uid
 				Gid:         -1, // do not change the parent gid
 			},
-			utils.NsSinceBootTimeToTime(feed.TimeStamp),
+			feedTimeStamp,
 		)
 		if pt.procfsQuery {
 			pt.FeedFromProcFSAsync(int(feed.ParentPid)) // try to enrich ppid and name from procfs
@@ -101,7 +103,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 				Uid:         -1, // do not change the parent ui
 				Gid:         -1, // do not change the parent gid
 			},
-			utils.NsSinceBootTimeToTime(feed.TimeStamp),
+			feedTimeStamp,
 		)
 		if pt.procfsQuery {
 			pt.FeedFromProcFSAsync(int(feed.LeaderPid)) // try to enrich name from procfs if needed
@@ -127,11 +129,11 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 	if feed.ChildHash == feed.LeaderHash {
 		leader.GetExecutable().SetFeedAt(
 			parent.GetExecutable().GetFeed(),
-			utils.NsSinceBootTimeToTime(feed.TimeStamp),
+			feedTimeStamp,
 		)
 		leader.GetInterpreter().SetFeedAt(
 			parent.GetInterpreter().GetFeed(),
-			utils.NsSinceBootTimeToTime(feed.TimeStamp),
+			feedTimeStamp,
 		)
 	}
 
@@ -151,7 +153,7 @@ func (pt *ProcessTree) FeedFromFork(feed ForkFeed) error {
 				Uid:         -1, // do not change the thread uid
 				Gid:         -1, // do not change the thread gid
 			},
-			utils.NsSinceBootTimeToTime(feed.TimeStamp),
+			feedTimeStamp,
 		)
 	}
 
@@ -224,7 +226,7 @@ func (pt *ProcessTree) FeedFromExec(feed ExecFeed) error {
 		process.SetParentHash(feed.ParentHash) // faster than checking if already set
 	}
 
-	execTimestamp := utils.NsSinceBootTimeToTime(feed.TimeStamp)
+	execTimestamp := traceetime.NsSinceEpochToTime(feed.TimeStamp)
 	basename := filepath.Base(feed.CmdPath)
 	comm := basename[:min(len(basename), COMM_LEN)]
 	process.GetInfo().SetNameAt(
@@ -243,11 +245,6 @@ func (pt *ProcessTree) FeedFromExec(feed ExecFeed) error {
 		execTimestamp,
 	)
 
-	// The interpreter and interp info are taking a lot of memory.
-	// As their usage is still unclear in the process tree, it was decided
-	// to not save their information until it was clear how they would be used.
-	// TODO: Decide whether remove the interpreter and interp from the tree or add them back.
-
 	return nil
 }
 

pkg/proctree/proctree_procfs.go

@@ -9,11 +9,13 @@ import (
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	traceetime "github.com/aquasecurity/tracee/pkg/time"
 	"github.com/aquasecurity/tracee/pkg/utils"
 	"github.com/aquasecurity/tracee/pkg/utils/proc"
 )
 
-const debugMsgs = false // debug messages can be too verbose, so they are disabled by default
+const debugMsgs = false                         // debug messages can be too verbose, so they are disabled by default
+const ProcfsClockId = traceetime.CLOCK_BOOTTIME // Procfs uses jiffies, which are based on boottime
 
 const (
 	AllPIDs = 0
@@ -107,7 +109,7 @@ func getProcessByPID(pt *ProcessTree, givenPid int) (*Process, error) {
 		return nil, errfmt.Errorf("%v", err)
 	}
 
-	startTimeNs := utils.ClockTicksToNsSinceBootTime(stat.StartTime)
+	startTimeNs := traceetime.ClockTicksToNsSinceBootTime(stat.StartTime)
 	hash := utils.HashTaskID(uint32(status.GetPid()), startTimeNs) // status pid == tid
 
 	return pt.GetOrCreateProcessByHash(hash), nil
@@ -149,7 +151,7 @@ func dealWithProc(pt *ProcessTree, givenPid int) error {
 	}
 
 	// process hash
-	startTimeNs := utils.ClockTicksToNsSinceBootTime(start)
+	startTimeNs := traceetime.ClockTicksToNsSinceBootTime(start)
 	hash := utils.HashTaskID(uint32(pid), startTimeNs)
 
 	// update tree for the given process
@@ -165,6 +167,8 @@ func dealWithProc(pt *ProcessTree, givenPid int) error {
 		}
 	}
 
+	procfsTimeStamp := uint64(pt.timeNormalizer.NormalizeTime(int(startTimeNs)))
+
 	procInfo.SetFeedAt(
 		TaskInfoFeed{
 			Name:        name,   // command name (add "procfs+" to debug if needed)
@@ -176,9 +180,9 @@ func dealWithProc(pt *ProcessTree, givenPid int) error {
 			NsPPid:      nsppid, // status: nsppid == nsppid
 			Uid:         -1,     // do not change the parent uid
 			Gid:         -1,     // do not change the parent gid
-			StartTimeNS: startTimeNs,
+			StartTimeNS: procfsTimeStamp,
 		},
-		utils.NsSinceBootTimeToTime(uint64(start)), // try to be the first changelog entry
+		traceetime.NsSinceEpochToTime(procfsTimeStamp), // try to be the first changelog entry
 	)
 
 	// TODO: Update executable with information from /proc/<pid>/exe
@@ -222,7 +226,7 @@ func dealWithThread(pt *ProcessTree, givenPid int, givenTid int) error {
 	}
 
 	// thread hash
-	startTimeNs := utils.ClockTicksToNsSinceBootTime(start)
+	startTimeNs := traceetime.ClockTicksToNsSinceBootTime(start)
 	hash := utils.HashTaskID(uint32(pid), startTimeNs)
 
 	// update tree for the given thread
@@ -234,6 +238,8 @@ func dealWithThread(pt *ProcessTree, givenPid int, givenTid int) error {
 		return nil
 	}
 
+	procfsTimeStamp := uint64(pt.timeNormalizer.NormalizeTime(int(startTimeNs)))
+
 	threadInfo.SetFeedAt(
 		TaskInfoFeed{
 			Name:        name,   // command name (add "procfs+" to debug if needed)
@@ -245,9 +251,9 @@ func dealWithThread(pt *ProcessTree, givenPid int, givenTid int) error {
 			NsPPid:      nsppid, // status: nsppid == nsppid
 			Uid:         -1,     // do not change the parent uid
 			Gid:         -1,     // do not change the parent gid
-			StartTimeNS: startTimeNs,
+			StartTimeNS: procfsTimeStamp,
 		},
-		utils.NsSinceBootTimeToTime(uint64(start)), // try to be the first changelog entry
+		traceetime.NsSinceEpochToTime(procfsTimeStamp), // try to be the first changelog entry
 	)
 
 	// thread group leader (leader tid is the same as the thread's pid, so we can find it)

pkg/proctree/taskinfo.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	ch "github.com/aquasecurity/tracee/pkg/changelog"
-	"github.com/aquasecurity/tracee/pkg/utils"
+	traceetime "github.com/aquasecurity/tracee/pkg/time"
 )
 
 // TaskInfoFeed allows external packages to set/get multiple values of a task at once.
@@ -360,40 +360,33 @@ func (ti *TaskInfo) GetGidAt(targetTime time.Time) int {
 	return ti.gid.Get(targetTime)
 }
 
-// GetStartTimeNS returns the startTimeNS of the task.
+// GetStartTimeNS returns the start time of the task in nanoseconds since epoch
 func (ti *TaskInfo) GetStartTimeNS() uint64 {
 	ti.mutex.RLock()
 	defer ti.mutex.RUnlock()
 	return ti.startTimeNS
 }
 
-// GetStartTime returns the "real" start time of the task.
+// GetStartTime returns the start time of the task.
 func (ti *TaskInfo) GetStartTime() time.Time {
 	ti.mutex.RLock()
 	defer ti.mutex.RUnlock()
 
-	// Returns a real "time" to be used for the task.
-	duration := time.Duration(int64(ti.startTimeNS))
-	bootTime := utils.GetBootTime()
-	return bootTime.Add(duration)
+	return traceetime.NsSinceEpochToTime(ti.startTimeNS)
 }
 
-// GetExitTimeNS returns the exitTime of the task.
+// GetExitTimeNS returns the exitTime of the task in nanoseconds since epoch
 func (ti *TaskInfo) GetExitTimeNS() uint64 {
 	ti.mutex.RLock()
 	defer ti.mutex.RUnlock()
 	return ti.exitTimeNS
 }
 
-// GetExitTime returns the "real" exit time of the task.
+// GetExitTime returns the exit time of the task.
 func (ti *TaskInfo) GetExitTime() time.Time {
 	ti.mutex.RLock()
 	defer ti.mutex.RUnlock()
-
-	// Returns a real "time" to be used for the task.
-	duration := time.Duration(int64(ti.exitTimeNS))
-	bootTime := utils.GetBootTime()
-	return bootTime.Add(duration)
+	return traceetime.NsSinceEpochToTime(ti.exitTimeNS)
 }
 
 // IsAlive returns true if the task has exited.
@@ -409,13 +402,13 @@ func (ti *TaskInfo) IsAliveAt(targetTime time.Time) bool {
 	ti.mutex.RLock()
 	defer ti.mutex.RUnlock()
 	if ti.exitTimeNS != 0 {
-		if targetTime.After(utils.NsSinceBootTimeToTime(ti.exitTimeNS)) {
+		if targetTime.After(traceetime.NsSinceEpochToTime(ti.exitTimeNS)) {
 			return false
 		}
 	}
 	// If start time is not initialized it will count as 0 ns, meaning it will be before any
 	// query time given.
-	if targetTime.Before(utils.NsSinceBootTimeToTime(ti.startTimeNS)) {
+	if targetTime.Before(traceetime.NsSinceEpochToTime(ti.startTimeNS)) {
 		return false
 	}
 	return true