I'm using a BPF kprobe to find out when a task's UIDs, GIDs and namespaces change outside the syscalls that have the ability to change these values. For this, I update values[pid] when returning from execve(), execveat(), setns(), unshare(), set*uid(). And on entry to begin_new_exec(), I check whether the current task's values match values[pid].
In some cases the probes incorrectly report that the UID or nsproxy for a process has changed, indicating I've missed a place where I need to update the task's values.
Looking at begin_new_exec(), it replaces the task's credentials and wipes out the old executable. But after begin_new_exec() returns, load_elf_binary() can still return errors while trying to set up the new process image.
Do these late errors reach usermode ? Is there a scenario where sys_execve can fail after begin_new_exec returns, and the PID is not terminated ?