Skip to content

Commit

Permalink
Parse processes tty (#792)
Browse files Browse the repository at this point in the history
* Extract tty from /proc + kernel

* typo

* Proper include for 2.6.32

* A couple more initializations
  • Loading branch information
gianlucaborello authored and luca3m committed Mar 28, 2017
1 parent 139fd7c commit 88f6a1b
Show file tree
Hide file tree
Showing 11 changed files with 191 additions and 94 deletions.
4 changes: 3 additions & 1 deletion driver/event_table.c
Original file line number Diff line number Diff line change
Expand Up @@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
/* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
};
4 changes: 3 additions & 1 deletion driver/ppm_events_public.h
Original file line number Diff line number Diff line change
Expand Up @@ -776,7 +776,9 @@ enum ppm_event_type {
PPME_SYSCALL_RMDIR_2_X = 279,
PPME_NOTIFICATION_E = 280,
PPME_NOTIFICATION_X = 281,
PPM_EVENT_MAX = 282
PPME_SYSCALL_EXECVE_17_E = 282,
PPME_SYSCALL_EXECVE_17_X = 283,
PPM_EVENT_MAX = 284
};
/*@}*/

Expand Down
65 changes: 61 additions & 4 deletions driver/ppm_fillers.c
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ along with sysdig. If not, see <http://www.gnu.org/licenses/>.
#include <linux/version.h>
#include <linux/module.h>
#include <linux/quota.h>
#include <linux/tty.h>
#include <linux/uaccess.h>
#ifdef CONFIG_CGROUPS
#include <linux/cgroup.h>
#endif
Expand Down Expand Up @@ -292,8 +294,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_DROP_X] = {f_sched_drop},
[PPME_SYSCALL_FCNTL_E] = {f_sched_fcntl_e},
[PPME_SYSCALL_FCNTL_X] = {f_sys_single_x},
[PPME_SYSCALL_EXECVE_16_E] = {f_sys_empty},
[PPME_SYSCALL_EXECVE_16_X] = {f_proc_startupdate},
[PPME_SYSCALL_EXECVE_17_E] = {f_sys_empty},
[PPME_SYSCALL_EXECVE_17_X] = {f_proc_startupdate},
[PPME_SYSCALL_CLONE_20_E] = {f_sys_empty},
[PPME_SYSCALL_CLONE_20_X] = {f_proc_startupdate},
[PPME_SYSCALL_BRK_4_E] = {PPM_AUTOFILL, 1, APT_REG, {{0} } },
Expand Down Expand Up @@ -1011,6 +1013,52 @@ static int compat_accumulate_argv_or_env(compat_uptr_t argv,

#endif

static int ppm_get_tty(void)
{
/* Locking of the signal structures seems too complicated across
* multiple kernel versions to get it right, so simply do protected
* memory accesses, and in the worst case we get some garbage,
* which is not the end of the world. In the vast majority of accesses,
* we'll be just fine.
*/
struct signal_struct *sig;
struct tty_struct *tty;
struct tty_driver *driver;
int major;
int minor_start;
int index;
int tty_nr = 0;

sig = current->signal;
if (!sig)
return 0;

if (unlikely(probe_kernel_read(&tty, &sig->tty, sizeof(tty))))
return 0;

if (!tty)
return 0;

if (unlikely(probe_kernel_read(&index, &tty->index, sizeof(index))))
return 0;

if (unlikely(probe_kernel_read(&driver, &tty->driver, sizeof(driver))))
return 0;

if (!driver)
return 0;

if (unlikely(probe_kernel_read(&major, &driver->major, sizeof(major))))
return 0;

if (unlikely(probe_kernel_read(&minor_start, &driver->minor_start, sizeof(minor_start))))
return 0;

tty_nr = new_encode_dev(MKDEV(major, minor_start) + index);

return tty_nr;
}

static int f_proc_startupdate(struct event_filler_arguments *args)
{
unsigned long val;
Expand All @@ -1035,7 +1083,7 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
return res;

if (unlikely(retval < 0 &&
args->event_type != PPME_SYSCALL_EXECVE_16_X)) {
args->event_type != PPME_SYSCALL_EXECVE_17_X)) {

/* The call failed, but this syscall has no exe, args
* anyway, so I report empty ones */
Expand Down Expand Up @@ -1311,11 +1359,12 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
if (unlikely(res != PPM_SUCCESS))
return res;

} else if (args->event_type == PPME_SYSCALL_EXECVE_16_X) {
} else if (args->event_type == PPME_SYSCALL_EXECVE_17_X) {
/*
* execve-only parameters
*/
long env_len = 0;
int tty_nr = 0;

if (likely(retval >= 0)) {
/*
Expand Down Expand Up @@ -1357,6 +1406,14 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
res = val_to_ring(args, (int64_t)(long)args->str_storage, env_len, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;

/*
* tty
*/
tty_nr = ppm_get_tty();
res = val_to_ring(args, tty_nr, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
}

return add_sentinel(args);
Expand Down
4 changes: 2 additions & 2 deletions driver/syscall_table.c
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
[__NR_brk - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
[__NR_read - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
[__NR_write - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
[__NR_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
[__NR_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
[__NR_clone - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
[__NR_fork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
[__NR_vfork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},
Expand Down Expand Up @@ -838,7 +838,7 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
[__NR_ia32_brk - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
[__NR_ia32_read - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
[__NR_ia32_write - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
[__NR_ia32_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
[__NR_ia32_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
[__NR_ia32_clone - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
[__NR_ia32_fork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
[__NR_ia32_vfork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},
Expand Down
4 changes: 3 additions & 1 deletion userspace/libscap/event_table.c
Original file line number Diff line number Diff line change
Expand Up @@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
/* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
};
3 changes: 2 additions & 1 deletion userspace/libscap/scap.h
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,7 @@ typedef struct scap_threadinfo
int filtered_out; ///< nonzero if this entry should not be saved to file
scap_fdinfo* fdlist; ///< The fd table for this process
uint64_t clone_ts;
int32_t tty;

UT_hash_handle hh; ///< makes this structure hashable
}scap_threadinfo;
Expand Down Expand Up @@ -888,7 +889,7 @@ int32_t scap_proc_add(scap_t* handle, uint64_t tid, scap_threadinfo* tinfo);
int32_t scap_fd_add(scap_threadinfo* tinfo, uint64_t fd, scap_fdinfo* fdinfo);
scap_dumper_t *scap_memory_dump_open(scap_t *handle, uint8_t* targetbuf, uint64_t targetbufsize);
int32_t compr(uint8_t* dest, uint64_t* destlen, const uint8_t* source, uint64_t sourcelen, int level);
uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);

#ifdef __cplusplus
}
Expand Down
7 changes: 5 additions & 2 deletions userspace/libscap/scap_procs.c
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
uint32_t vmswap_kb;
uint64_t pfmajor;
uint64_t pfminor;
int32_t tty;
char line[512];
char tmpc;
char* s;
Expand All @@ -78,6 +79,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
tinfo->pfmajor = 0;
tinfo->pfminor = 0;
tinfo->filtered_out = 0;
tinfo->tty = 0;

snprintf(filename, sizeof(filename), "%sstatus", procdirname);

Expand Down Expand Up @@ -230,12 +232,12 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
//
// Extract the line content
//
if(sscanf(s + 2, "%c %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
if(sscanf(s + 2, "%c %" PRId64 " %" PRId64 " %" PRId64 " %" PRId32 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
&tmpc,
&tmp,
&sid,
&tmp,
&tmp,
&tty,
&tmp,
&tmp,
&pfminor,
Expand All @@ -250,6 +252,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
tinfo->pfmajor = pfmajor;
tinfo->pfminor = pfminor;
tinfo->sid = (uint64_t) sid;
tinfo->tty = tty;

fclose(f);
return SCAP_SUCCESS;
Expand Down
3 changes: 2 additions & 1 deletion userspace/libscap/scap_savefile.c
Original file line number Diff line number Diff line change
Expand Up @@ -950,7 +950,8 @@ static int32_t scap_read_proclist(scap_t *handle, gzFile f, uint32_t block_lengt
tinfo.root[0] = 0;
tinfo.sid = -1;
tinfo.clone_ts = 0;

tinfo.tty = 0;

while(((int32_t)block_length - (int32_t)totreadsize) >= 4)
{
//
Expand Down
26 changes: 26 additions & 0 deletions userspace/libsinsp/parsers.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,7 @@ void sinsp_parser::process_event(sinsp_evt *evt)
case PPME_SYSCALL_EXECVE_14_X:
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
case PPME_SYSCALL_EXECVE_17_X:
parse_execve_exit(evt);
break;
case PPME_PROCEXIT_E:
Expand Down Expand Up @@ -1116,6 +1117,8 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)

// Copy the session id from the parent
tinfo.m_sid = ptinfo->m_sid;

tinfo.m_tty = ptinfo->m_tty;
}
else
{
Expand Down Expand Up @@ -1148,6 +1151,7 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
tinfo.m_args = ptinfo->m_args;
tinfo.m_root = ptinfo->m_root;
tinfo.m_sid = ptinfo->m_sid;
tinfo.m_tty = ptinfo->m_tty;
}
else
{
Expand Down Expand Up @@ -1489,6 +1493,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
break;
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
case PPME_SYSCALL_EXECVE_17_X:
// Get the comm
parinfo = evt->get_param(13);
evt->m_tinfo->m_comm = parinfo->m_val;
Expand Down Expand Up @@ -1519,6 +1524,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
case PPME_SYSCALL_EXECVE_14_X:
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
case PPME_SYSCALL_EXECVE_17_X:
// Get the pgflt_maj
parinfo = evt->get_param(8);
ASSERT(parinfo->m_len == sizeof(uint64_t));
Expand Down Expand Up @@ -1564,6 +1570,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
evt->m_tinfo->set_env(parinfo->m_val, parinfo->m_len);
break;
case PPME_SYSCALL_EXECVE_16_X:
case PPME_SYSCALL_EXECVE_17_X:
// Get the environment
parinfo = evt->get_param(15);
evt->m_tinfo->set_env(parinfo->m_val, parinfo->m_len);
Expand All @@ -1588,6 +1595,25 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
ASSERT(false);
}

switch(etype)
{
case PPME_SYSCALL_EXECVE_8_X:
case PPME_SYSCALL_EXECVE_13_X:
case PPME_SYSCALL_EXECVE_14_X:
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
break;
case PPME_SYSCALL_EXECVE_17_X:
// Get the tty
parinfo = evt->get_param(16);
ASSERT(parinfo->m_len == sizeof(int32_t));
evt->m_tinfo->m_tty = *(int32_t *) parinfo->m_val;
break;
default:
ASSERT(false);
}


//
// execve starts with a clean fd list, so we get rid of the fd list that clone
// copied from the parent
Expand Down
Loading

0 comments on commit 88f6a1b

Please sign in to comment.