docs: document socket tracking limitations

puwun · puwun · commit 59e99aaca811 · 2026-01-14T17:19:11.000+05:30
Add documentation for socket tracking limitations as requested in issue #3493. The new 'Limitations' section covers: - LRU map overflow risks: Socket mappings use a fixed-size LRU hash that can evict old entries when full, potentially causing events to be attributed to the wrong process. - Socket sharing behavior: Sockets can be shared between processes via fork() or IPC, and Tetragon attributes activity to the creating process which may lead to stale mappings. Fixes: #3493 Signed-off-by: Pavan More <pavansmore05@gmail.com>
diff --git a/docs/content/en/docs/concepts/tracing-policy/hooks.md b/docs/content/en/docs/concepts/tracing-policy/hooks.md
@@ -771,6 +771,35 @@ See [`TrackSock`](/docs/concepts/tracing-policy/selectors/#tracksock-action) and
 
 Socket tracking is only available on kernels >=5.3.
 
+#### Limitations
+
+Socket tracking has the following limitations that users should be aware of:
+
+{{< warning >}}
+**LRU Map Overflow**: Socket mappings are stored in an LRU (Least Recently Used)
+hash map in the kernel with a fixed upper limit for entries. When the map is
+full, old entries are evicted to make space for new ones. This means that if
+many sockets are created in a short period, older socket mappings may be lost.
+When this happens, network events related to those sockets may be attributed to
+the wrong process. In adversarial scenarios, an attacker could intentionally
+create many sockets to overflow the map and evade proper attribution of their
+network activity.
+{{< /warning >}}
+
+{{< caution >}}
+**Socket Sharing Between Processes**: Sockets are not strictly owned by a single
+process—they can be shared between processes. This happens when:
+- A process calls `fork()` and both parent and child keep the file descriptor open
+- A process shares a file descriptor with another process via IPC mechanisms
+
+Tetragon attributes all socket activity to the process that originally created
+the socket. However, if that process exits while another process continues to
+use the socket, the mapping will reference a process that no longer exists. This
+can lead to events being associated with stale process information. In security
+contexts, an adversary might exploit this behavior to obscure the true source of
+network activity.
+{{< /caution >}}
+
 
 ## Lists
 
