From 0b782316ec34579e8dc52fef89d028b6d796f13f Mon Sep 17 00:00:00 2001
From: Olivier Valentin <ovalenti@redhat.com>
Date: Wed, 3 Sep 2025 11:45:56 +0200
Subject: [PATCH] Replace bpf_get_current_pid_tgid() by direct task access

---
 fact-ebpf/process.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fact-ebpf/process.h b/fact-ebpf/process.h
index 2ad9e795..b85d5cff 100644
--- a/fact-ebpf/process.h
+++ b/fact-ebpf/process.h
@@ -104,7 +104,8 @@ __always_inline static int64_t process_fill(process_t* p) {
   p->uid = uid_gid & 0xFFFFFFFF;
   p->gid = (uid_gid >> 32) & 0xFFFFFFFF;
   p->login_uid = BPF_CORE_READ(task, loginuid.val);
-  p->pid = (bpf_get_current_pid_tgid() >> 32) & 0xFFFFFFFF;
+  // bpf_get_current_pid_tgid() is not available for LSM programs prior to 6.8
+  p->pid = BPF_CORE_READ(task, tgid) & 0xFFFFFFFF;
   u_int64_t err = bpf_get_current_comm(p->comm, TASK_COMM_LEN);
   if (err != 0) {
     bpf_printk("Failed to fill task comm");