
fix: generate telemetry for host-mounted /sys/ paths in containers#2493

Open
asmit27rai wants to merge 5 commits into kubearmor:main from asmit27rai:1851

Conversation

@asmit27rai
Copy link

Problem

When a container has a host filesystem mount (e.g., /sys/kernel/security),
accessing files on that mount generates no alerts or system logs.

Root Cause

In KubeArmor/BPF/system_monitor.c, both kprobe__open and kprobe__openat
unconditionally dropped all file access events for paths starting with /sys/
via the isSysDir() check. This was intended to reduce host-level sysfs noise,
but it also silently dropped events from container processes accessing
host-mounted /sys/ paths.

Without save_args() being called in the kprobe, the corresponding kretprobe's
load_args() finds nothing → the event is never emitted → no telemetry.

Fix

  • Added is_container_context() BPF helper that checks
    pid_ns != PROC_PID_INIT_INO to determine if the current process
    is running inside a container.
  • Modified kprobe__open and kprobe__openat to only skip /sys/ paths
    for host processes. Container processes now have their /sys/ access
    events flow through normally.

Fixes #1851
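To make the before/after behaviour of the filter concrete, here is a userspace C model of the decision described in the PR. It is an added illustration, not KubeArmor's own BPF code: the real checks are kprobes in KubeArmor/BPF/system_monitor.c, and the names `struct file_event`, `drop_sys_event_before` and `drop_sys_event_after` are invented here. The only real constant is `PROC_PID_INIT_INO`, the inode number of the initial PID namespace from the kernel's include/linux/proc_ns.h; the "/sys/" prefix test is this model's reading of isSysDir(), and the sample events are constructed.

```c
/* Model of the /sys/ filtering decision before and after the fix.
 * Added example, not KubeArmor code; struct and function names are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Inode of the host's initial PID namespace (include/linux/proc_ns.h). */
#define PROC_PID_INIT_INO 0xEFFFFFFCU

struct file_event {
    uint32_t    pid_ns; /* PID-namespace inode of the calling task */
    const char *path;   /* path handed to open()/openat() */
};

/* Assumed reading of isSysDir(): the path must start with "/sys/",
 * so "/sysfs_backup/x" is not treated as sysfs. */
static bool is_sys_dir(const char *path)
{
    return strncmp(path, "/sys/", 5) == 0;
}

/* The PR's new helper: a task is "in a container" when its PID namespace
 * is not the initial one. Note the caveat: any unshared PID namespace
 * (e.g. a plain `unshare -p`) also satisfies this test. */
static bool is_container_context(uint32_t pid_ns)
{
    return pid_ns != PROC_PID_INIT_INO;
}

/* Before the fix: every /sys/ open is dropped, whoever made it. */
bool drop_sys_event_before(const struct file_event *ev)
{
    return is_sys_dir(ev->path);
}

/* After the fix: /sys/ opens are dropped only for host processes. */
bool drop_sys_event_after(const struct file_event *ev)
{
    return is_sys_dir(ev->path) && !is_container_context(ev->pid_ns);
}

int main(void)
{
    /* Constructed events; 4026532456 stands in for a container's
     * PID-namespace inode. */
    const struct file_event events[] = {
        { PROC_PID_INIT_INO, "/sys/kernel/security/lsm" }, /* host, sysfs      */
        { 4026532456U,       "/sys/kernel/security/lsm" }, /* container, sysfs */
        { 4026532456U,       "/etc/passwd" },              /* container, other */
        { PROC_PID_INIT_INO, "/sysfs_backup/lsm" },        /* host, not sysfs  */
    };
    size_t n = sizeof events / sizeof events[0];

    printf("%-12s %-28s %-8s %-8s\n", "pid_ns", "path", "before", "after");
    for (size_t i = 0; i < n; i++) {
        const struct file_event *ev = &events[i];
        printf("%-12u %-28s %-8s %-8s\n", ev->pid_ns, ev->path,
               drop_sys_event_before(ev) ? "drop" : "emit",
               drop_sys_event_after(ev)  ? "drop" : "emit");
    }
    return 0;
}
```

The second row is the case from the bug report: a container process touching a host-mounted /sys/ path was dropped before and is emitted after, while host-side sysfs noise (first row) is still suppressed. To confirm the same thing on a cluster after rebuilding the BPF objects, read a file under the mounted /sys/ from inside the pod and watch for the corresponding file event in `karmor logs`.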


Linked issue (closed by merging this pull request): no telemetry for host mount FS events