From 19d637b764a9adf3d56aa30ea5b926769dbee99d Mon Sep 17 00:00:00 2001
From: Matthias Bertschy <matthias.bertschy@gmail.com>
Date: Wed, 20 Dec 2023 17:22:57 +0100
Subject: [PATCH] skip exec events with empty path

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
---
 .../v1/applicationprofile_manager.go                          | 4 ++++
 .../v1/applicationprofile_manager_test.go                     | 1 +
 2 files changed, 5 insertions(+)

diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
index a54d3415..1cfe8003 100644
--- a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
+++ b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -356,6 +356,10 @@ func (am *ApplicationProfileManager) ReportCapability(k8sContainerID, capability
 }
 
 func (am *ApplicationProfileManager) ReportFileExec(k8sContainerID, path string, args []string) {
+	// skip empty path
+	if path == "" {
+		return
+	}
 	execMap := am.execSets.Get(k8sContainerID)
 	if execMap.Has(path) {
 		execMap.Get(path).Append(args...)
diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
index c3121143..cdd79ce2 100644
--- a/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
+++ b/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
@@ -52,6 +52,7 @@ func TestApplicationProfileManager(t *testing.T) {
 	// report capability
 	am.ReportCapability("ns/pod/cont", "NET_BIND_SERVICE")
 	// report file exec
+	am.ReportFileExec("ns/pod/cont", "", []string{"ls"})
 	am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls"})
 	// report file open
 	am.ReportFileOpen("ns/pod/cont", "/etc/passwd", []string{"O_RDONLY"})