process:bpf: report euid as the process.uid

Instead of reporting the real uid of the task that is the owner of
the task, let's report the effective uid that is used to calculate
the privileges of the current task when acting upon other objects.
This allows to be compatible with 'ps' too.

Usually the real uid is used to:
* Determine the owner or the uid that started the task.
* Retore the effective, saved and other uids back to the original
  uid that started the task, in case of setuid system calls.
* When mounting some file systems to auto fill up the owner of the fs.
* When a process is sending a signal, its real uid is used
  to fill up the siginfo_t.uid field
* When ptracing a target task.

Where the effective uid is used to determine the real privileges of
the task and how it can act on other objects.

All uids are reported inside process_exec.process.process_credentials
if tetragon is started with --enable-process-cred including the
real uid.

Signed-off-by: Djalal Harouni <[email protected]>

bpf/process/bpf_execve_event.c

@@ -214,7 +214,6 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	p->ktime = ktime_get_ns();
 	p->size = offsetof(struct msg_process, args);
 	p->auid = get_auid();
-	p->uid = get_current_uid_gid();
 	read_execve_shared_info(ctx, p, pid);
 
 	p->size += read_path(ctx, event, filename);
@@ -228,6 +227,13 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 	BPF_CORE_READ_INTO(&event->kube.net_ns, task, nsproxy, net_ns, ns.inum);
 
 	get_current_subj_creds(&event->creds, task);
+	/**
+	 * Instead of showing the task owner, we want to display the effective
+	 * uid that is used to calculate the privileges of current task when
+	 * acting upon other objects. This allows to be compatible with the 'ps'
+	 * tool that reports a snapshot of the current processes.
+	 */
+	p->uid = event->creds.euid;
 	get_namespaces(&event->ns, task);
 	p->flags |= __event_get_cgroup_info(task, &event->kube);