Parse processes tty (#792)

* Extract tty from /proc + kernel

* typo

* Proper include for 2.6.32

* A couple more initializations

Author: gianlucaborello

driver/event_table.c

@@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
 	/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
-	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
+	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
+	/* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
 };

driver/ppm_events_public.h

@@ -776,7 +776,9 @@ enum ppm_event_type {
 	PPME_SYSCALL_RMDIR_2_X = 279,
 	PPME_NOTIFICATION_E = 280,
 	PPME_NOTIFICATION_X = 281,
-	PPM_EVENT_MAX = 282
+	PPME_SYSCALL_EXECVE_17_E = 282,
+	PPME_SYSCALL_EXECVE_17_X = 283,
+	PPM_EVENT_MAX = 284
 };
 /*@}*/
 

driver/ppm_fillers.c

@@ -34,6 +34,8 @@ along with sysdig.  If not, see <http://www.gnu.org/licenses/>.
 #include <linux/version.h>
 #include <linux/module.h>
 #include <linux/quota.h>
+#include <linux/tty.h>
+#include <linux/uaccess.h>
 #ifdef CONFIG_CGROUPS
 #include <linux/cgroup.h>
 #endif
@@ -292,8 +294,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_DROP_X] = {f_sched_drop},
 	[PPME_SYSCALL_FCNTL_E] = {f_sched_fcntl_e},
 	[PPME_SYSCALL_FCNTL_X] = {f_sys_single_x},
-	[PPME_SYSCALL_EXECVE_16_E] = {f_sys_empty},
-	[PPME_SYSCALL_EXECVE_16_X] = {f_proc_startupdate},
+	[PPME_SYSCALL_EXECVE_17_E] = {f_sys_empty},
+	[PPME_SYSCALL_EXECVE_17_X] = {f_proc_startupdate},
 	[PPME_SYSCALL_CLONE_20_E] = {f_sys_empty},
 	[PPME_SYSCALL_CLONE_20_X] = {f_proc_startupdate},
 	[PPME_SYSCALL_BRK_4_E] = {PPM_AUTOFILL, 1, APT_REG, {{0} } },
@@ -1011,6 +1013,52 @@ static int compat_accumulate_argv_or_env(compat_uptr_t argv,
 
 #endif
 
+static int ppm_get_tty(void)
+{
+	/* Locking of the signal structures seems too complicated across
+	 * multiple kernel versions to get it right, so simply do protected
+	 * memory accesses, and in the worst case we get some garbage,
+	 * which is not the end of the world. In the vast majority of accesses,
+	 * we'll be just fine.
+	 */
+	struct signal_struct *sig;
+	struct tty_struct *tty;
+	struct tty_driver *driver;
+	int major;
+	int minor_start;
+	int index;
+	int tty_nr = 0;
+
+	sig = current->signal;
+	if (!sig)
+		return 0;
+
+	if (unlikely(probe_kernel_read(&tty, &sig->tty, sizeof(tty))))
+		return 0;
+
+	if (!tty)
+		return 0;
+
+	if (unlikely(probe_kernel_read(&index, &tty->index, sizeof(index))))
+		return 0;
+
+	if (unlikely(probe_kernel_read(&driver, &tty->driver, sizeof(driver))))
+		return 0;
+
+	if (!driver)
+		return 0;
+
+	if (unlikely(probe_kernel_read(&major, &driver->major, sizeof(major))))
+		return 0;
+
+	if (unlikely(probe_kernel_read(&minor_start, &driver->minor_start, sizeof(minor_start))))
+		return 0;
+
+	tty_nr = new_encode_dev(MKDEV(major, minor_start) + index);
+
+	return tty_nr;
+}
+
 static int f_proc_startupdate(struct event_filler_arguments *args)
 {
 	unsigned long val;
@@ -1035,7 +1083,7 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
 		return res;
 
 	if (unlikely(retval < 0 &&
-		     args->event_type != PPME_SYSCALL_EXECVE_16_X)) {
+		     args->event_type != PPME_SYSCALL_EXECVE_17_X)) {
 
 		/* The call failed, but this syscall has no exe, args
 		 * anyway, so I report empty ones */
@@ -1311,11 +1359,12 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
 		if (unlikely(res != PPM_SUCCESS))
 			return res;
 
-	} else if (args->event_type == PPME_SYSCALL_EXECVE_16_X) {
+	} else if (args->event_type == PPME_SYSCALL_EXECVE_17_X) {
 		/*
 		 * execve-only parameters
 		 */
 		long env_len = 0;
+		int tty_nr = 0;
 
 		if (likely(retval >= 0)) {
 			/*
@@ -1357,6 +1406,14 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
 		res = val_to_ring(args, (int64_t)(long)args->str_storage, env_len, false, 0);
 		if (unlikely(res != PPM_SUCCESS))
 			return res;
+
+		/*
+		 * tty
+		 */
+		tty_nr = ppm_get_tty();
+		res = val_to_ring(args, tty_nr, 0, false, 0);
+		if (unlikely(res != PPM_SUCCESS))
+			return res;
 	}
 
 	return add_sentinel(args);

driver/syscall_table.c

@@ -52,7 +52,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_brk - SYSCALL_TABLE_ID0] =                        {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
 	[__NR_read - SYSCALL_TABLE_ID0] =                       {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
 	[__NR_write - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
-	[__NR_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
+	[__NR_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
 	[__NR_clone - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
 	[__NR_fork - SYSCALL_TABLE_ID0] =                       {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
 	[__NR_vfork - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},
@@ -838,7 +838,7 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_ia32_brk - SYSCALL_TABLE_ID0] =                        {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
 	[__NR_ia32_read - SYSCALL_TABLE_ID0] =                       {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
 	[__NR_ia32_write - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
-	[__NR_ia32_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
+	[__NR_ia32_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
 	[__NR_ia32_clone - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
 	[__NR_ia32_fork - SYSCALL_TABLE_ID0] =                       {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
 	[__NR_ia32_vfork - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},

userspace/libscap/event_table.c

@@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
 	/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
-	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
+	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
+	/* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
 };

userspace/libscap/scap.h

@@ -220,6 +220,7 @@ typedef struct scap_threadinfo
 	int filtered_out; ///< nonzero if this entry should not be saved to file
 	scap_fdinfo* fdlist; ///< The fd table for this process
 	uint64_t clone_ts;
+	int32_t tty;
 
 	UT_hash_handle hh; ///< makes this structure hashable
 }scap_threadinfo;
@@ -888,7 +889,7 @@ int32_t scap_proc_add(scap_t* handle, uint64_t tid, scap_threadinfo* tinfo);
 int32_t scap_fd_add(scap_threadinfo* tinfo, uint64_t fd, scap_fdinfo* fdinfo);
 scap_dumper_t *scap_memory_dump_open(scap_t *handle, uint8_t* targetbuf, uint64_t targetbufsize);
 int32_t compr(uint8_t* dest, uint64_t* destlen, const uint8_t* source, uint64_t sourcelen, int level);
-uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
+uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
 
 #ifdef __cplusplus
 }

userspace/libscap/scap_procs.c

@@ -65,6 +65,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
 	uint32_t vmswap_kb;
 	uint64_t pfmajor;
 	uint64_t pfminor;
+	int32_t tty;
 	char line[512];
 	char tmpc;
 	char* s;
@@ -78,6 +79,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
 	tinfo->pfmajor = 0;
 	tinfo->pfminor = 0;
 	tinfo->filtered_out = 0;
+	tinfo->tty = 0;
 
 	snprintf(filename, sizeof(filename), "%sstatus", procdirname);
 
@@ -230,12 +232,12 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
 	//
 	// Extract the line content
 	//
-	if(sscanf(s + 2, "%c %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
+	if(sscanf(s + 2, "%c %" PRId64 " %" PRId64 " %" PRId64 " %" PRId32 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
 		&tmpc,
 		&tmp,
 		&sid,
 		&tmp,
-		&tmp,
+		&tty,
 		&tmp,
 		&tmp,
 		&pfminor,
@@ -250,6 +252,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
 	tinfo->pfmajor = pfmajor;
 	tinfo->pfminor = pfminor;
 	tinfo->sid = (uint64_t) sid;
+	tinfo->tty = tty;
 
 	fclose(f);
 	return SCAP_SUCCESS;

userspace/libscap/scap_savefile.c

@@ -950,7 +950,8 @@ static int32_t scap_read_proclist(scap_t *handle, gzFile f, uint32_t block_lengt
 	tinfo.root[0] = 0;
 	tinfo.sid = -1;
 	tinfo.clone_ts = 0;
-
+	tinfo.tty = 0;
+	
 	while(((int32_t)block_length - (int32_t)totreadsize) >= 4)
 	{
 		//

userspace/libsinsp/parsers.cpp

@@ -335,6 +335,7 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 	case PPME_SYSCALL_EXECVE_14_X:
 	case PPME_SYSCALL_EXECVE_15_X:
 	case PPME_SYSCALL_EXECVE_16_X:
+	case PPME_SYSCALL_EXECVE_17_X:
 		parse_execve_exit(evt);
 		break;
 	case PPME_PROCEXIT_E:
@@ -1116,6 +1117,8 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
 
 		// Copy the session id from the parent
 		tinfo.m_sid = ptinfo->m_sid;
+
+		tinfo.m_tty = ptinfo->m_tty;
 	}
 	else
 	{
@@ -1148,6 +1151,7 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
 			tinfo.m_args = ptinfo->m_args;
 			tinfo.m_root = ptinfo->m_root;
 			tinfo.m_sid = ptinfo->m_sid;
+			tinfo.m_tty = ptinfo->m_tty;
 		}
 		else
 		{
@@ -1489,6 +1493,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 		break;
 	case PPME_SYSCALL_EXECVE_15_X:
 	case PPME_SYSCALL_EXECVE_16_X:
+	case PPME_SYSCALL_EXECVE_17_X:
 		// Get the comm
 		parinfo = evt->get_param(13);
 		evt->m_tinfo->m_comm = parinfo->m_val;
@@ -1519,6 +1524,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 	case PPME_SYSCALL_EXECVE_14_X:
 	case PPME_SYSCALL_EXECVE_15_X:
 	case PPME_SYSCALL_EXECVE_16_X:
+	case PPME_SYSCALL_EXECVE_17_X:
 		// Get the pgflt_maj
 		parinfo = evt->get_param(8);
 		ASSERT(parinfo->m_len == sizeof(uint64_t));
@@ -1564,6 +1570,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 		evt->m_tinfo->set_env(parinfo->m_val, parinfo->m_len);
 		break;
 	case PPME_SYSCALL_EXECVE_16_X:
+	case PPME_SYSCALL_EXECVE_17_X:
 		// Get the environment
 		parinfo = evt->get_param(15);
 		evt->m_tinfo->set_env(parinfo->m_val, parinfo->m_len);
@@ -1588,6 +1595,25 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 		ASSERT(false);
 	}
 
+	switch(etype)
+	{
+	case PPME_SYSCALL_EXECVE_8_X:
+	case PPME_SYSCALL_EXECVE_13_X:
+	case PPME_SYSCALL_EXECVE_14_X:
+	case PPME_SYSCALL_EXECVE_15_X:
+	case PPME_SYSCALL_EXECVE_16_X:
+		break;
+	case PPME_SYSCALL_EXECVE_17_X:
+		// Get the tty
+		parinfo = evt->get_param(16);
+		ASSERT(parinfo->m_len == sizeof(int32_t));
+		evt->m_tinfo->m_tty = *(int32_t *) parinfo->m_val;
+		break;
+	default:
+		ASSERT(false);
+	}
+
+
 	//
 	// execve starts with a clean fd list, so we get rid of the fd list that clone
 	// copied from the parent