[CWS] check inode before sending a kill (#33833)

DataDog · Feb 10, 2025 · 3863354 · 3863354
1 parent 267a096
commit 3863354
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -2643,6 +2643,18 @@ func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule) {
 			}
 
 			if p.processKiller.KillAndReport(action.Def.Kill, rule, ev, func(pid uint32, sig uint32) error {
+				// very last check to ensure that we kill the correct process
+				inode := ev.ProcessContext.FileEvent.Inode
+
+				procExecPath := utils.ProcExePath(pid)
+				stat, err := utils.UnixStat(procExecPath)
+				if err != nil {
+					return err
+				}
+				if stat.Ino != inode {
+					return fmt.Errorf("failed to kill process %d, incorrect inode %d vs %d", pid, stat.Ino, inode)
+				}
+
 				if p.supportsBPFSendSignal {
 					if err := p.killListMap.Put(uint32(pid), uint32(sig)); err != nil {
 						seclog.Warnf("failed to kill process with eBPF %d: %s", pid, err)