From 30b33a4db248cdef77cfdc7886fa58ec5b657138 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?= Date: Fri, 27 Sep 2024 11:04:50 -0300 Subject: [PATCH] fix(ebpf): register processor conditionally Register SchedProcessFork processors, including normalizeTimeArg, only if proctree is enabled. --- pkg/ebpf/processor.go | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/pkg/ebpf/processor.go b/pkg/ebpf/processor.go index 788048888997..5c36300509b4 100644 --- a/pkg/ebpf/processor.go +++ b/pkg/ebpf/processor.go @@ -78,20 +78,6 @@ func (t *Tracee) RegisterEventProcessor(id events.ID, proc func(evt *trace.Event // registerEventProcessors registers all event processors, each to a specific event id. func (t *Tracee) registerEventProcessors() { - // - // Event Timestamps Normalization - // - - // Convert all time relate args to nanoseconds since epoch. - // NOTE: Make sure to convert time related args (of your event) in here, so that - // any later code has access to normalized time arguments. - t.RegisterEventProcessor(events.SchedProcessFork, t.normalizeTimeArg( - "start_time", - "parent_start_time", - "parent_process_start_time", - "leader_start_time", - )) - // // Process Tree Processors // @@ -99,6 +85,18 @@ func (t *Tracee) registerEventProcessors() { // Processors registered when proctree source "events" is enabled. switch t.config.ProcTree.Source { case proctree.SourceEvents, proctree.SourceBoth: + // Event Timestamps Normalization + // + // Convert all time relate args to nanoseconds since epoch. + // NOTE: Make sure to convert time related args (of your event) in here, so that + // any later code has access to normalized time arguments. + t.RegisterEventProcessor(events.SchedProcessFork, t.normalizeTimeArg( + "start_time", + "parent_start_time", + "parent_process_start_time", + "leader_start_time", + )) + t.RegisterEventProcessor(events.SchedProcessFork, t.procTreeForkProcessor) t.RegisterEventProcessor(events.SchedProcessExec, t.procTreeExecProcessor) t.RegisterEventProcessor(events.SchedProcessExit, t.procTreeExitProcessor)