feat: restore --cgroup_path CLI parameter for tls subcommand#975
Merged
Conversation
Re-add the --cgroup_path flag that was removed in v2, maintaining backward compatibility with v1.5.x. The flag validates cgroup v2 filesystem availability and supports fallback paths for CentOS. Closes #768 Agent-Logs-Url: https://github.com/gojue/ecapture/sessions/df752faa-293d-46ca-9966-84dcdcbeee8f Co-authored-by: cfc4n <709947+cfc4n@users.noreply.github.com>
…, add comments Agent-Logs-Url: https://github.com/gojue/ecapture/sessions/df752faa-293d-46ca-9966-84dcdcbeee8f Co-authored-by: cfc4n <709947+cfc4n@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix no pid or cgroup issue since version 2
feat: restore --cgroup_path CLI parameter for tls subcommand
Apr 5, 2026
✅ E2E Test Results: PASSEDTest Run: #23992335336 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit 57c553a |
- kern/common.h: Add target_cgroup_id volatile constant - kern/ecapture.h: Add cgroup ID check in filter_rejects() using bpf_get_current_cgroup_id() - internal/config/base_config.go: Move CGroupPath to BaseConfig (shared by all probes) with getter/setter methods - internal/domain/configuration.go: Add GetCGroupPath() to interface - pkg/util/ebpf/cgroup_linux.go: Add GetCgroupIdFromPath() using unix.NameToHandleAt to resolve cgroup path to kernel cgroup ID - pkg/util/ebpf/cgroup_ecandroid.go: No-op stub for Android - internal/probe/openssl/openssl_probe.go: Inject target_cgroup_id via ConstantEditor - internal/probe/gotls/gotls_probe.go: Inject target_cgroup_id via ConstantEditor - cli/cmd/gotls.go: Add --cgroup_path flag - cli/cmd/gnutls.go: Add --cgroup_path flag - cli/cmd/nss.go: Add --cgroup_path flag - Add unit tests for GetCgroupIdFromPath - Fix existing tests for CGroupPath field migration - All golangci-lint checks pass Agent-Logs-Url: https://github.com/gojue/ecapture/sessions/8759f567-9f4b-4449-8f15-0ede80d562a0 Co-authored-by: cfc4n <709947+cfc4n@users.noreply.github.com>
Agent-Logs-Url: https://github.com/gojue/ecapture/sessions/8759f567-9f4b-4449-8f15-0ede80d562a0 Co-authored-by: cfc4n <709947+cfc4n@users.noreply.github.com>
dosubot
Bot
added
size:L
✅ E2E Test Results: PASSEDTest Run: #23993335060 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit 321d433 |
There was a problem hiding this comment.
Pull request overview
Adds back cgroup-based filtering via a --cgroup_path CLI parameter by introducing a shared config field, a utility to resolve a cgroup v2 ID, and wiring that ID into eBPF constant editors so the kernel-side filter_rejects() can drop events outside the target cgroup.
Changes:
- Add
target_cgroup_ideBPF constant + cgroup check infilter_rejects()usingbpf_get_current_cgroup_id(). - Introduce
BaseConfig.CGroupPath+Configuration.GetCGroupPath()and plumb it into OpenSSL/GoTLS probes’ constant editors. - Add
GetCgroupIdFromPath()utility + tests; expose--cgroup_pathflags on multiple CLI subcommands.
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/util/ebpf/cgroup_test.go | Adds tests for GetCgroupIdFromPath() behavior. |
| pkg/util/ebpf/cgroup_linux.go | Implements cgroup v2 ID lookup via unix.NameToHandleAt. |
| pkg/util/ebpf/cgroup_ecandroid.go | Android stub implementation returning no filtering. |
| kern/ecapture.h | Adds cgroup-based rejection logic in filter_rejects(). |
| kern/common.h | Declares new target_cgroup_id volatile constant. |
| internal/probe/openssl/openssl_probe.go | Injects target_cgroup_id via constant editors. |
| internal/probe/openssl/config.go | Adds cgroup-path validation step to OpenSSL config validation. |
| internal/probe/openssl/config_test.go | Adds tests around CGroupPath defaults/serialization/validation. |
| internal/probe/openssl/config_linux.go | Implements Linux cgroup path validation/resolution logic. |
| internal/probe/openssl/config_ecandroid.go | Android no-op for cgroup-path validation. |
| internal/probe/gotls/gotls_probe.go | Injects target_cgroup_id via constant editors. |
| internal/domain/configuration.go | Extends configuration interface with GetCGroupPath(). |
| internal/config/base_config.go | Adds CGroupPath field + getters/setters in BaseConfig. |
| cli/cmd/tls.go | Adds --cgroup_path flag to OpenSSL (tls) subcommand. |
| cli/cmd/nss.go | Adds --cgroup_path flag to NSPR/NSS subcommand. |
| cli/cmd/gotls.go | Adds --cgroup_path flag to GoTLS subcommand. |
| cli/cmd/gnutls.go | Adds --cgroup_path flag to GnuTLS subcommand. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
1. checkCgroupPath now strictly validates cgroup v2 (CGROUP2_SUPER_MAGIC) instead of silently falling back to hardcoded paths (issues 1, 2, 4) 2. Fix misleading help text for --cgroup_path flags (issue 3) 3. Update comment to reflect cgroup v2-only support (issue 5) 4. Add test for invalid cgroup path Agent-Logs-Url: https://github.com/gojue/ecapture/sessions/9b93d099-ff11-43f8-b780-b5dc5138b39a Co-authored-by: cfc4n <709947+cfc4n@users.noreply.github.com>
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
✅ E2E Test Results: PASSEDTest Run: #23994019225 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit d184950 |
The gotls probe called GetCgroupIdFromPath without first validating the path is on a cgroup v2 filesystem. The openssl probe had this validation in its own Config.Validate() via checkCgroupPath(). Move the cgroup2 filesystem type check (CGROUP2_SUPER_MAGIC) into GetCgroupIdFromPath itself, so all callers are protected automatically. Remove the now-redundant checkCgroupPath from the openssl config and delegate validateCgroupPath to the shared function. Agent-Logs-Url: https://github.com/gojue/ecapture/sessions/001d3691-f178-4956-b1eb-dbf374d9ed73 Co-authored-by: cfc4n <709947+cfc4n@users.noreply.github.com>
✅ E2E Test Results: PASSEDTest Run: #23994473654 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit 0fe2b5f |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GetCgroupIdFromPath()inpkg/util/ebpf/cgroup_linux.gocheckCgroupPath/validateCgroupPathfrom openssl config