
fix container procfs root errors#5271

Merged
geyslan merged 1 commit intoaquasecurity:mainfrom
ethical-buddy:fix/getprocessfsroot-errors
May 6, 2026

Conversation

@ethical-buddy
Contributor

1. Explain what the PR does

Fixes #5234.

This change makes ContainerPathResolver.GetHostAbsPath handle expected /proc/<pid>/root access failures more gracefully in the procfs fallback path.

Today, Tracee already skips stale or inaccessible cached PIDs when resolving a mount namespace root. The gap was the fallback path: after GetAnyProcessInNS("mnt", mountNS) returns a PID, access to /proc/<pid>/root could still legitimately fail with:

  • permission denied
  • no such file or directory

Those cases are expected during event processing:

  • ENOENT can happen if the selected process exits between namespace lookup and procfs access.
  • EACCES can happen because of procfs/ptrace permission boundaries.

This PR changes that behavior so those expected failures are returned as ErrContainerFSUnreachable instead of being treated as unexpected hard errors. Unexpected filesystem errors are still preserved and returned.

The patch also preserves the underlying fs error chain in getProcessFSRoot, which is required for correct errors.Is(..., fs.ErrPermission/fs.ErrNotExist) handling, and adds focused unit tests for:

  • fallback permission denied
  • fallback not found
  • unexpected fallback fs error

2. Explain how to test it

Run the focused tests:

go test ./pkg/datastores/container -run 'TestPathResolver_(GetHostAbsPath_ExpectedProcFSRootErrors|GetHostAbsPath_UnexpectedProcFSRootError)' -count=1

What to verify:

  • fs.ErrPermission from /proc/<pid>/root is treated as ErrContainerFSUnreachable
  • fs.ErrNotExist from /proc/<pid>/root is treated as ErrContainerFSUnreachable
  • unexpected fs errors are still returned as errors

If you want to exercise the runtime path, run Tracee with exec hash enrichment enabled and trigger short-lived container processes. The important behavior is that transient /proc/<pid>/root permission denied / not found failures in container path resolution are treated as expected unreachable-container cases rather than surfacing as hard resolver errors.

3. Other comments

4. make check-pr

[2026-04-07T10:56:30.920359Z] [checkpatch.sh] [INFO] Tracee Checkpatch Script
[2026-04-07T10:56:30.924776Z] [checkpatch.sh] [INFO] Checking: HEAD
[2026-04-07T10:56:30.930741Z] [checkpatch.sh] [INFO] Comparing against: origin/main
[2026-04-07T10:56:30.941857Z] [checkpatch.sh] [INFO]
[2026-04-07T10:56:30.945734Z] [checkpatch.sh] [INFO] ==========================================
[2026-04-07T10:56:30.949514Z] [checkpatch.sh] [INFO] Dependency Check
[2026-04-07T10:56:30.953544Z] [checkpatch.sh] [INFO] ==========================================
[2026-04-07T10:56:30.958122Z] [checkpatch.sh] [INFO] Checking dependencies...
[2026-04-07T10:56:30.968601Z] [checkpatch.sh] [INFO] Adding Go bin directory to PATH: /home/suryansh/go/bin
[2026-04-07T10:56:30.981862Z] [checkpatch.sh] [INFO] Go version: go1.26
[2026-04-07T10:56:30.986259Z] [checkpatch.sh] [WARN] revive not found.
[2026-04-07T10:56:30.991212Z] [checkpatch.sh] [INFO] Install with: go install github.com/mgechev/revive@8ece20b0789c517bd3a6742db0daa4dd5928146d
[2026-04-07T10:56:30.995882Z] [checkpatch.sh] [WARN] staticcheck not found.
[2026-04-07T10:56:30.999844Z] [checkpatch.sh] [INFO] Install with: go install honnef.co/go/tools/cmd/staticcheck@5af2e5fc3b08ba46027eb48ebddeba34dc0bd02c
[2026-04-07T10:56:31.004388Z] [checkpatch.sh] [WARN] errcheck not found.
[2026-04-07T10:56:31.009256Z] [checkpatch.sh] [INFO] Install with: go install github.com/kisielk/errcheck@11c27a7ce69d583465d80d808817d22d6653ee34
[2026-04-07T10:56:31.013960Z] [checkpatch.sh] [WARN] govulncheck not found.
[2026-04-07T10:56:31.017718Z] [checkpatch.sh] [INFO] Install with: go install golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77
[2026-04-07T10:56:31.022070Z] [checkpatch.sh] [WARN] clang-format-12 not found.
[2026-04-07T10:56:31.026464Z] [checkpatch.sh] [INFO] Refer to your OS package manager Install via official package manager (e.g., 'sudo apt-get install clang-format-12')
[2026-04-07T10:56:31.030813Z] [checkpatch.sh] [WARN] goimports-reviser not found.
[2026-04-07T10:56:31.035181Z] [checkpatch.sh] [INFO] Install with: go install github.com/incu6us/goimports-reviser/v3@fa5587e51ba33c58734984cb41370a5b2582d5b7
[2026-04-07T10:56:31.040774Z] [checkpatch.sh] [INFO] [PASS] Dependencies check completed
[2026-04-07T10:56:31.045311Z] [checkpatch.sh] [INFO]
[2026-04-07T10:56:31.049589Z] [checkpatch.sh] [INFO] ==========================================
[2026-04-07T10:56:31.054023Z] [checkpatch.sh] [INFO] Documentation Verification
[2026-04-07T10:56:31.057837Z] [checkpatch.sh] [INFO] ==========================================
[2026-04-07T10:56:31.062265Z] [checkpatch.sh] [INFO] Verifying documentation synchronization...
[2026-04-07T10:56:31.083834Z] [verify_man_md_sync.sh] [INFO] ================================================================================
[2026-04-07T10:56:31.088391Z] [verify_man_md_sync.sh] [INFO] Comparing changes from origin/main to HEAD
[2026-04-07T10:56:31.093178Z] [verify_man_md_sync.sh] [INFO] ================================================================================
[2026-04-07T10:56:31.131223Z] [verify_man_md_sync.sh] [INFO] No changes in '.md' or '.1.md' files
[2026-04-07T10:56:31.135658Z] [verify_man_md_sync.sh] [INFO] No changes in '.1' files
[2026-04-07T10:56:31.150780Z] [verify_man_md_sync.sh] [INFO] Documentation files are consistent.
[2026-04-07T10:56:31.156240Z] [checkpatch.sh] [INFO] [PASS] Documentation Verification completed successfully
[2026-04-07T10:56:31.160455Z] [checkpatch.sh] [INFO]
[2026-04-07T10:56:31.164222Z] [checkpatch.sh] [INFO] ==========================================
[2026-04-07T10:56:31.168254Z] [checkpatch.sh] [INFO] Code Analysis
[2026-04-07T10:56:31.172673Z] [checkpatch.sh] [INFO] ==========================================
[2026-04-07T10:56:31.177142Z] [checkpatch.sh] [INFO] Verifying and analyzing code...
[2026-04-07T10:56:31.181478Z] [checkpatch.sh] [INFO] Running formatting checks...
[2026-04-07T10:56:31.291363Z] [checkpatch.sh] [ERROR] Code formatting failed
ERROR: clang-format version 22 found, but version 19 is required
Hint: Try installing clang-format-19 or ensure clang-format points to version 19
make[1]: *** [builder/Makefile.checkers:44: .check_clang-format] Error 1
[2026-04-07T10:56:31.301489Z] [checkpatch.sh] [ERROR] Code Analysis failed
make: *** [Makefile:1274: check-pr] Error 1

@ethical-buddy ethical-buddy requested review from a team and geyslan April 7, 2026 10:59
@CLAassistant

CLAassistant commented Apr 9, 2026

CLA assistant check
All committers have signed the CLA.

@geyslan
Member

geyslan commented Apr 10, 2026

@ethical-buddy tks for contributing. We'll be on this soon.

@geyslan geyslan force-pushed the fix/getprocessfsroot-errors branch from c3de4c9 to 2c950f1 on May 4, 2026 20:06
@geyslan
Member

geyslan commented May 4, 2026

@ethical-buddy tks for contributing. I've pushed again and will see test results.

@geyslan
Member

geyslan commented May 4, 2026

CLA assistant check: Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You have signed the CLA already but the status is still pending? Let us recheck it.

Do you mind signing it?

@geyslan geyslan force-pushed the fix/getprocessfsroot-errors branch from 2c950f1 to 192ece5 on May 4, 2026 21:10

Wrap ErrNotExist and ErrPermission from /proc/<pid>/root access with
ErrContainerFSUnreachable inside getProcessFSRoot, so all callers
can match a single sentinel to reduce log noise from transient or
policy-driven access failures (dead PIDs, user namespace boundaries,
non-dumpable processes).

The original cause is preserved via double-%w wrapping, so callers
that debug-log the error still see "permission denied" or "no such
file or directory" in the message.

Also switch error formatting from %v to %w throughout the path
resolver to keep the error chain inspectable with errors.Is.
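The wrapping pattern the PR description and the commit message above rely on, as an added illustration that is not Tracee's code: a hypothetical getProcessFSRoot takes an injected stat function, wraps ENOENT/EACCES with a sentinel via double %w so errors.Is still reaches the original cause, and a classify helper shows the caller side; fakeProcfs is a constructed stand-in for /proc, and the sentinel name is taken from the PR text.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"syscall"
)

// Sentinel every caller matches on; the name follows the PR text (illustrative, not Tracee's code).
var ErrContainerFSUnreachable = errors.New("container fs unreachable")
// statFunc abstracts os.Stat so the logic can run against a constructed procfs.
type statFunc func(name string) (fs.FileInfo, error)

// getProcessFSRoot resolves /proc/<pid>/root. ENOENT (process exited) and EACCES (ptrace or user
// namespace boundary) are expected: double %w keeps both the sentinel and the cause matchable.
func getProcessFSRoot(stat statFunc, pid int) (string, error) {
	root := fmt.Sprintf("/proc/%d/root", pid)
	if _, err := stat(root); err != nil {
		if errors.Is(err, fs.ErrNotExist) || errors.Is(err, fs.ErrPermission) {
			return "", fmt.Errorf("%w: %w", ErrContainerFSUnreachable, err)
		}
		return "", fmt.Errorf("procfs root for pid %d: %w", pid, err) // unexpected: no sentinel
	}
	return root, nil
}
// classify is the caller side (what GetHostAbsPath would do): one bucket for expected failures.
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrContainerFSUnreachable):
		return "unreachable" // expected: debug-log and move on, not a hard resolver error
	default:
		return "unexpected" // still surfaces as an error
	}
}
// fakeProcfs is a constructed stand-in for /proc: path -> errno that stat returns (absent = ok).
func fakeProcfs(table map[string]syscall.Errno) statFunc {
	return func(name string) (fs.FileInfo, error) {
		if errno, ok := table[name]; ok {
			return nil, &fs.PathError{Op: "stat", Path: name, Err: errno}
		}
		return nil, nil // FileInfo is not needed by getProcessFSRoot
	}
}

func main() { // stand-alone demo over the constructed procfs
	_, err := getProcessFSRoot(fakeProcfs(map[string]syscall.Errno{"/proc/403/root": syscall.EACCES}), 403)
	fmt.Println(classify(err), "-", err)
}
```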
@geyslan geyslan force-pushed the fix/getprocessfsroot-errors branch from 192ece5 to d1a4118 on May 4, 2026 21:37
@geyslan geyslan requested review from rscampos and trvll May 5, 2026 10:59
Contributor

@trvll trvll left a comment


+1

@geyslan geyslan merged commit 9194542 into aquasecurity:main May 6, 2026
39 checks passed

Development

Successfully merging this pull request may close these issues.

getProcessFSRoot error either for permission denied or not found file/dir
