prevent zombie processes

Signed-off-by: Predrag Rogic <prezha@users.noreply.github.com>

Author: prezha

events/syscall/contact_ec2_instance_metadata_from_container.go

@@ -17,7 +17,9 @@ limitations under the License.
 package syscall
 
 import (
+	"context"
 	"os/exec"
+	"time"
 
 	"github.com/falcosecurity/event-generator/events"
 )
@@ -48,7 +50,7 @@ func ContactEC2InstanceMetadataServiceFromContainer(h events.Helper) error {
 	// IP address from a container can indicate potential unauthorized access to
 	// sensitive cloud infrastructure metadata.
 	// note: executing the following command might fail, but enough to trigger the rule, so we ignore any error
-	if err := exec.Command("timeout", "1s", nc, "169.254.169.254", "80").Run(); err != nil {
+	if err := runCmd(context.Background(), 1*time.Second, nc, "169.254.169.254", "80"); err != nil {
 		h.Log().WithError(err).Debug("failed to run netcat command (might be ok)")
 	}
 

events/syscall/disallowed_ssh_connection_non_standard_port.go

@@ -15,7 +15,9 @@ limitations under the License.
 package syscall
 
 import (
+	"context"
 	"os/exec"
+	"time"
 
 	"github.com/falcosecurity/event-generator/events"
 )
@@ -32,7 +34,7 @@ func DisallowedSSHConnectionNonStandardPort(h events.Helper) error {
 	}
 
 	// note: executing the following command might fail, but enough to trigger the rule, so we ignore any error
-	if err := exec.Command("timeout", "1s", ssh, "user@example.com", "-p", "443").Run(); err != nil {
+	if err := runCmd(context.Background(), 1*time.Second, ssh, "user@example.com", "-p", "443"); err != nil {
 		h.Log().WithError(err).Debug("failed to run ssh command (this is expected)")
 	}
 

events/syscall/launch_suspicious_network_tool_in_container.go

@@ -15,7 +15,9 @@ limitations under the License.
 package syscall
 
 import (
+	"context"
 	"os/exec"
+	"time"
 
 	"github.com/falcosecurity/event-generator/events"
 )
@@ -40,7 +42,7 @@ func LaunchSuspiciousNetworkToolInContainer(h events.Helper) error {
 	}
 
 	// note: executing the following command might fail, but enough to trigger the rule, so we ignore any error
-	if err := exec.Command("timeout", "1s", nmap, "-sn", "192.168.1.0/24").Run(); err != nil {
+	if err := runCmd(context.Background(), 1*time.Second, nmap, "-sn", "192.168.1.0/24"); err != nil {
 		h.Log().WithError(err).Debug("failed to run nmap command (might be ok)")
 	}
 

events/syscall/launch_suspicious_network_tool_on_host.go

@@ -15,7 +15,9 @@ limitations under the License.
 package syscall
 
 import (
+	"context"
 	"os/exec"
+	"time"
 
 	"github.com/falcosecurity/event-generator/events"
 )
@@ -37,7 +39,7 @@ func LaunchSuspiciousNetworkToolOnHost(h events.Helper) error {
 	}
 
 	// note: executing the following command might fail, but enough to trigger the rule, so we ignore any error
-	if err := exec.Command("timeout", "1s", nmap, "-sn", "172.17.0.1/32").Run(); err != nil {
+	if err := runCmd(context.Background(), 1*time.Second, nmap, "-sn", "172.17.0.1/32"); err != nil {
 		h.Log().WithError(err).Debug("failed to run nmap command (might be ok)")
 	}
 

events/syscall/netcat_remote_code_execution_in_container.go

@@ -15,7 +15,9 @@ limitations under the License.
 package syscall
 
 import (
+	"context"
 	"os/exec"
+	"time"
 
 	"github.com/falcosecurity/event-generator/events"
 )
@@ -39,7 +41,7 @@ func NetcatRemoteCodeExecutionInContainer(h events.Helper) error {
 
 	// launch netcat (nc) with the -e flag for remote code execution
 	// note: executing the following command might fail, but enough to trigger the rule, so we ignore any error
-	if err := exec.Command("timeout", "1s", nc, "-e", "/bin/sh", "example.com", "22").Run(); err != nil {
+	if err := runCmd(context.Background(), 1*time.Second, nc, "-e", "/bin/sh", "example.com", "22"); err != nil {
 		h.Log().WithError(err).Debug("failed to run nc command (this is expected)")
 	}
 

events/syscall/ptrace_anti_debug_attempt.go

@@ -39,6 +39,8 @@ func PtraceAntiDebugAttempt(h events.Helper) error {
 		if err := cmd.Process.Kill(); err != nil {
 			h.Log().WithError(err).Error("failed to kill dummy process")
 		}
+		// wait for the dummy process to exit, to avoid creating a zombie
+		_ = cmd.Wait()
 	}()
 
 	return nil

events/syscall/ptrace_attached_to_process.go

@@ -41,6 +41,8 @@ func PtraceAttachedToProcess(h events.Helper) error {
 		if err := cmd.Process.Kill(); err != nil {
 			h.Log().WithError(err).Error("failed to kill dummy process")
 		}
+		// wait for the dummy process to exit, to avoid creating a zombie
+		_ = cmd.Wait()
 	}()
 
 	// attach to the target process using PTRACE_ATTACH

events/syscall/unexpected_udp_traffic.go

@@ -18,7 +18,9 @@ limitations under the License.
 package syscall
 
 import (
+	"context"
 	"os/exec"
+	"time"
 
 	"github.com/falcosecurity/event-generator/events"
 )
@@ -38,7 +40,7 @@ func UnexpectedUDPTraffic(h events.Helper) error {
 	}
 
 	// note: executing the following command might fail, but enough to trigger the rule, so we ignore any error
-	if err := exec.Command("timeout", "1s", nc, "-u", "example.com", "22").Run(); err != nil {
+	if err := runCmd(context.Background(), 1*time.Second, nc, "-u", "example.com", "22"); err != nil {
 		h.Log().WithError(err).Debug("failed to run nc command (this is expected)")
 	}
 

events/syscall/utils.go

@@ -14,7 +14,12 @@ limitations under the License.
 
 package syscall
 
-import "math/rand/v2"
+import (
+	"context"
+	"math/rand/v2"
+	"os/exec"
+	"time"
+)
 
 // randomString generates a random string of the given length.
 func randomString(length int) string {
@@ -28,3 +33,11 @@ func randomString(length int) string {
 
 	return string(bytes)
 }
+
+// runCmd runs a command with a timeout.
+func runCmd(ctx context.Context, timeout time.Duration, name string, args ...string) error {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	return exec.CommandContext(ctx, name, args...).Run()
+}