fix: cgroup filtering for TC hook and GoTLS uprobe

[Copilot]

Two independent bugs prevented cgroup filtering (--cgroup_path) from working correctly: GoTLS uprobe ignored all filters entirely, and TC's cgroup check used bpf_get_current_cgroup_id() in softirq context — which returns the cgroup of whatever process happens to be scheduled on that CPU, not the packet sender's cgroup.

kern/ecapture.h — split filter_rejects into two layers

• filter_rejects_base(pid, uid) — PID/UID only; safe to call from any BPF program type
• filter_rejects(pid, uid) — calls base then adds bpf_get_current_cgroup_id(); valid only in uprobe/kprobe context where execution context == traced process

kern/tc.h — correct cgroup filtering in TC path

• Add u64 cgroup_id to net_ctx_t
• Record bpf_get_current_cgroup_id() in trace_sendmsg() kprobe (semantically correct context) alongside PID/UID
• In capture_packets(), replace filter_rejects(net_ctx->pid, net_ctx->uid) with filter_rejects_base + direct net_ctx->cgroup_id comparison:

if (filter_rejects_base(net_ctx->pid, net_ctx->uid)) return TC_ACT_OK;
if (target_cgroup_id != 0 && net_ctx->cgroup_id != target_cgroup_id) return TC_ACT_OK;

kern/gotls_kern.c — add missing filter guards to GoTLS uprobe

gotls_write, gotls_read, and gotls_mastersecret were the only probe entry points not calling passes_filter(ctx), causing them to capture all processes regardless of --pid/--uid/--cgroup_path. Added the standard guard at the top of each.

---

[github-actions]

✅ E2E Test Results: PASSED

Test Run: #24137964017

Tests Executed:

• TLS/OpenSSL Module (curl → github.com)
• GnuTLS Module (wget/curl → github.com)
• GoTLS Module (Go client → github.com)
• ecaptureQ Module (WebSocket event streaming)

✅ All e2e tests passed successfully! The TLS capture functionality is working correctly.

---

Automated e2e test results for commit ac01c29

[cfc4n]

@skylar2826 试试这个PR的产物 解决了 #977

[Copilot]

Pull request overview

Fixes cgroup-based filtering (--cgroup_path) regressions across TC packet capture and GoTLS uprobes by separating “safe in any context” PID/UID filtering from “process-context-only” cgroup filtering, and ensuring GoTLS probes apply the standard filter guard.

Changes:

• Split filter logic into filter_rejects_base(pid, uid) and filter_rejects(pid, uid) (adds cgroup check via bpf_get_current_cgroup_id() only where context is reliable).
• Correct TC cgroup filtering by recording cgroup_id in the tcp_sendmsg/udp_sendmsg kprobe context and comparing it in the TC classifier.
• Add missing passes_filter(ctx) guards to GoTLS probe entrypoints (gotls_write, gotls_read, gotls_mastersecret).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
kern/ecapture.h	Introduces filter_rejects_base and redefines filter_rejects to keep cgroup checks out of TC-safe paths.
kern/tc.h	Stores per-flow cgroup_id at sendmsg time and uses it for TC filtering instead of bpf_get_current_cgroup_id() in softirq/TC context.
kern/gotls_kern.c	Ensures GoTLS probes respect PID/UID/cgroup filters by adding passes_filter(ctx) guards.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.