fix(security): handle runc CLONE_INTO_CGROUP to fix cgroup ID propagation

safchain · lebauce · safchain · commit 1674767a0869 · 2026-03-12T19:17:50.000+01:00
Recent versions of runc use clone3(2) with CLONE_INTO_CGROUP when available, placing new container processes directly into the target cgroup at spawn time without writing the PID to cgroup.procs. This eliminates the CgroupWriteEventType event that the security agent was relying on to propagate cgroup context to newly created processes, causing incorrect cgroup ID assignment. Remove the parent cgroup inheritance via fill_cgroup_context during exec event handling. Instead, an empty CGroupContext is passed when inserting the exec entry, which causes the cgroup resolver to fall back to procfs (/proc/<pid>/cgroup) to resolve the correct cgroup ID. Also inline copy_proc_cache into its single call site in trace__cgroup_write. runc reference: opencontainers/runc@5af4dd4 Co-Authored-By: Sylvain Baubeau <sylvain.baubeau@datadoghq.com>
diff --git a/pkg/security/ebpf/c/include/helpers/process.h b/pkg/security/ebpf/c/include/helpers/process.h
@@ -36,11 +36,6 @@ void __attribute__((always_inline)) copy_proc_entry(struct process_entry_t *src,
     bpf_probe_read(dst->comm, TASK_COMM_LEN, src->comm);
 }
 
-void __attribute__((always_inline)) copy_proc_cache(struct proc_cache_t *src, struct proc_cache_t *dst) {
-    dst->cgroup = src->cgroup;
-    copy_proc_entry(&src->entry, &dst->entry);
-}
-
 void __attribute__((always_inline)) copy_pid_cache_except_exit_ts(struct pid_cache_t *src, struct pid_cache_t *dst) {
     dst->cookie = src->cookie;
     dst->user_session_id = src->user_session_id;
diff --git a/pkg/security/ebpf/c/include/hooks/cgroup.h b/pkg/security/ebpf/c/include/hooks/cgroup.h
@@ -60,8 +60,8 @@ static __attribute__((always_inline)) int trace__cgroup_write(ctx_t *ctx) {
         // Select the old cache entry
         old_entry = get_proc_from_cookie(cookie);
         if (old_entry) {
-            // copy cache data
-            copy_proc_cache(old_entry, &new_entry);
+            new_entry.cgroup = old_entry->cgroup;
+            copy_proc_entry(&old_entry->entry, &new_entry.entry);
         }
     } else {
         new_cookie = 1;
diff --git a/pkg/security/ebpf/c/include/hooks/exec.h b/pkg/security/ebpf/c/include/hooks/exec.h
@@ -781,9 +781,6 @@ int __attribute__((always_inline)) send_exec_event(ctx_t *ctx) {
         struct proc_cache_t *parent_pc = get_proc_from_cookie(parent_cookie);
         if (parent_pc) {
             parent_inode = parent_pc->entry.executable.path_key.ino;
-
-            // inherit the parent cgroup context
-            fill_cgroup_context(parent_pc, &pc.cgroup);
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -781,9 +781,6 @@ int __attribute__((always_inline)) send_exec_event(ctx_t *ctx) {`
`781`	`781`	`struct proc_cache_t *parent_pc = get_proc_from_cookie(parent_cookie);`
`782`	`782`	`if (parent_pc) {`
`783`	`783`	`parent_inode = parent_pc->entry.executable.path_key.ino;`
`784`		`-`
`785`		`- // inherit the parent cgroup context`
`786`		`- fill_cgroup_context(parent_pc, &pc.cgroup);`
`787`	`784`	`}`
`788`	`785`	`}`
`789`	`786`