fix(driver): export euid, egid and loginuid from init user ns

ekoops · poiana · commit 296aedabe763 · 2026-05-19T17:53:06.000+02:00
The kernel module currently exports euids, egids and loginuids as seen
from the task's user namespace: this is inconsistent with the
(expected) behaviour implemented by the modern eBPF probe, that
exports the ones seen from the init user namespace. Make the kernel
module consistent by fixing its code to export the ones seen from the
init user namespace.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
diff --git a/driver/SCHEMA_VERSION b/driver/SCHEMA_VERSION
@@ -1 +1 @@
-4.5.0
+4.5.1
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -1043,8 +1043,8 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
 		/*
 		 * clone-only parameters
 		 */
-		uint32_t euid = from_kuid_munged(current_user_ns(), current_euid());
-		uint32_t egid = from_kgid_munged(current_user_ns(), current_egid());
+		uint32_t euid = from_kuid(&init_user_ns, current_euid());
+		uint32_t egid = from_kgid(&init_user_ns, current_egid());
 		int64_t in_pidns = 0;
 		struct pid_namespace *pidns = task_active_pid_ns(current);
 
@@ -1213,7 +1213,7 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
 		CHECK_RES(res);
 
 		/* Parameter 19: loginuid (type: PT_UID) */
-		loginuid = from_kuid(current_user_ns(), audit_get_loginuid(current));
+		loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
 		res = val_to_ring(args, loginuid, 0, false, 0);
 		CHECK_RES(res);
 
@@ -1356,7 +1356,7 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
 		CHECK_RES(res);
 
 		/* Parameter 27: euid (type: PT_UID) */
-		euid = from_kuid_munged(current_user_ns(), current_euid());
+		euid = from_kuid(&init_user_ns, current_euid());
 		res = val_to_ring(args, euid, 0, false, 0);
 		CHECK_RES(res);
 
@@ -1369,7 +1369,7 @@ int f_proc_startupdate(struct event_filler_arguments *args) {
 		CHECK_RES(res);
 
 		/* Parameter 30: egid (type: PT_GID) */
-		egid = from_kgid_munged(current_user_ns(), current_egid());
+		egid = from_kgid(&init_user_ns, current_egid());
 		res = val_to_ring(args, egid, 0, false, 0);
 		CHECK_RES(res);
 
@@ -7756,7 +7756,7 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
 	CHECK_RES(res);
 
 	/* Parameter 19: loginuid (type: PT_UID) */
-	loginuid = from_kuid(current_user_ns(), audit_get_loginuid(current));
+	loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
 	res = val_to_ring(args, loginuid, 0, false, 0);
 	CHECK_RES(res);
 
@@ -7895,7 +7895,7 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
 	CHECK_RES(res);
 
 	/* Parameter 27: euid (type: PT_UID) */
-	euid = from_kuid_munged(current_user_ns(), current_euid());
+	euid = from_kuid(&init_user_ns, current_euid());
 	res = val_to_ring(args, euid, 0, false, 0);
 	CHECK_RES(res);
 
@@ -7908,7 +7908,7 @@ int f_sched_prog_exec(struct event_filler_arguments *args) {
 	CHECK_RES(res);
 
 	/* Parameter 30: egid (type: PT_GID) */
-	egid = from_kgid_munged(current_user_ns(), current_egid());
+	egid = from_kgid(&init_user_ns, current_egid());
 	res = val_to_ring(args, egid, 0, false, 0);
 	CHECK_RES(res);
 
@@ -7941,8 +7941,8 @@ int f_sched_prog_fork(struct event_filler_arguments *args) {
 	long swap = 0;
 	int available = STR_STORAGE_SIZE;
 	uint32_t flags = 0;
-	uint32_t euid = task_euid(child).val;
-	uint32_t egid = child->cred->egid.val;
+	uint32_t euid = from_kuid(&init_user_ns, task_euid(child));
+	uint32_t egid = from_kgid(&init_user_ns, child->cred->egid);
 	struct pid_namespace *pidns = task_active_pid_ns(child);
 	uint64_t pidns_init_start_time = 0;
 
