[WP] Add is_session_leader field to process events#48307
Closed
loresuso wants to merge 2 commits intoDataDog:mainfrom
Closed
[WP] Add is_session_leader field to process events#48307loresuso wants to merge 2 commits intoDataDog:mainfrom
loresuso wants to merge 2 commits intoDataDog:mainfrom
Conversation
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
from
5705414 to
d93f625
Compare
Contributor
|
All contributors have signed the CLA ✍️ ✅ |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5705414150
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
from
d93f625 to
71464db
Compare
safchain
reviewed
Mar 25, 2026
safchain
reviewed
Mar 25, 2026
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
2 times, most recently
from
6c88473 to
d56a9f8
Compare
safchain
added
category/improvement
qa/done
domalessi
approved these changes
Mar 25, 2026
Contributor
Author
|
I have read the CLA Document and I hereby sign the CLA |
Contributor
Author
|
recheck |
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
3 times, most recently
from
43addd7 to
b704d29
Compare
safchain
approved these changes
Mar 30, 2026
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
from
b704d29 to
0bef8b2
Compare
Contributor
Author
|
/merge |
|
View all feedbacks in Devflow UI.
PR already in the queue with status waiting |
Add a new boolean field `is_session_leader` to CWS process events that indicates whether a process is a session leader (PID == SID). The session ID is read from the kernel via: task->signal->pids[PIDTYPE_SID]->numbers[0].nr and compared against the process tgid. Two new kernel offset constants are introduced (task_struct_signal_offset, signal_struct_pids_offset) resolved via BTF at runtime. The field is exposed in SECL as process.is_session_leader and propagates to all process-related event types (exec, exit, signal, ptrace, etc.). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
from
0bef8b2 to
56ea633
Compare
- Use bitfield for is_kworker and is_session_leader in process_context_t, keeping the struct at 40 bytes instead of growing to 48 - Restore the original if/else in exec handler cookie update Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
loresuso
force-pushed
the
loresuso/add-is-session-leader
branch
from
56ea633 to
68c957f
Compare
Contributor
Author
|
closing in favor of a non-fork PR |
theop-dd
reviewed
Apr 2, 2026
| if (sid_pid) { | ||
| u32 sid = 0; | ||
| bpf_probe_read_kernel(&sid, sizeof(sid), (void *)sid_pid + get_pid_numbers_offset()); | ||
| fork_entry->is_session_leader = (sid != 0 && sid == tgid) ? 1 : 0; |
Contributor
There was a problem hiding this comment.
I'm wondering if it's not better to send the sid to the user space and then add the boolean field. We might use the sid at some point no?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a new boolean field
is_session_leaderto CWS process events that indicates whether a process is a session leader (PID == SID).The session ID is read from the kernel via:
and compared against the process tgid. Two new kernel offset constants are introduced (task_struct_signal_offset, signal_struct_pids_offset) resolved via BTF at runtime.
The field is exposed in SECL as process.is_session_leader and propagates to all process-related event types (exec, exit, signal, ptrace, etc.).
Example of condition where this could be useful: spawning of a session leader shell from a not known binary (e.g. a shell given by the
shellcommand of a sliver C2 implant