fix(plugins/container): parse_exit_process_event

deepskyblue86 · poiana · commit f28adb7d1989 · 2025-07-24T14:29:40.000+02:00
Apply the same logic of libs ~user_group_updater

Signed-off-by: Angelo Puglisi &lt;angelopuglisi86@gmail.com&gt;
diff --git a/plugins/container/src/caps/parse/parse.cpp b/plugins/container/src/caps/parse/parse.cpp
@@ -173,19 +173,19 @@ bool my_plugin::parse_exit_process_event(
     auto thread_id = in.get_event_reader().get_tid();
     auto& tr = in.get_table_reader();
 
-    int64_t vpid;
-    std::string container_id;
-
     // retrieve the thread entry associated with this thread id,
     // check if vpid is 1, so if this is an init process,
     // then, fetch the container_id and if not empty,
     // remove its associated entry from the container cache.
     try
     {
         auto thread_entry = m_threads_table.get_entry(tr, thread_id);
+        int64_t vpid, vtid;
         m_threads_field_vpid.read_value(tr, thread_entry, vpid);
-        if(vpid == 1)
+        m_threads_field_vtid.read_value(tr, thread_entry, vtid);
+        if(vtid == vpid && vpid == 1)
         {
+            std::string container_id;
             m_container_id_field.read_value(tr, thread_entry, container_id);
             if(!container_id.empty())
             {
diff --git a/plugins/container/src/macros.h.in b/plugins/container/src/macros.h.in
@@ -78,6 +78,7 @@ limitations under the License.
 #define PIDNS_INIT_START_TS_FIELD_NAME "pidns_init_start_ts"
 #define CATEGORY_FIELD_NAME "category"
 #define VPID_FIELD_NAME "vpid"
+#define VTID_FIELD_NAME "vtid"
 #define PTID_FIELD_NAME "ptid"
 
 /////////////////////////
diff --git a/plugins/container/src/plugin.cpp b/plugins/container/src/plugin.cpp
@@ -103,6 +103,8 @@ bool my_plugin::init(falcosecurity::init_input& in)
         // entry
         m_threads_field_vpid = m_threads_table.get_field(
                 t.fields(), VPID_FIELD_NAME, st::SS_PLUGIN_ST_INT64);
+        m_threads_field_vtid = m_threads_table.get_field(
+                t.fields(), VTID_FIELD_NAME, st::SS_PLUGIN_ST_INT64);
         m_threads_field_ptid = m_threads_table.get_field(
                 t.fields(), PTID_FIELD_NAME, st::SS_PLUGIN_ST_INT64);
 
diff --git a/plugins/container/src/plugin.h b/plugins/container/src/plugin.h
@@ -148,6 +148,8 @@ class my_plugin
     falcosecurity::table_field m_threads_field_category;
     // Accessors to the thread table "vpid" field
     falcosecurity::table_field m_threads_field_vpid;
+    // Accessors to the thread table "vtid" field
+    falcosecurity::table_field m_threads_field_vtid;
     // Accessors to the thread table "ptid" field
     falcosecurity::table_field m_threads_field_ptid;
     // Accessors to the thread table "args" sub table
