From 0f6abff0923ad244d76b6e64df5104681accb81c Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 19 Jan 2017 14:21:40 -0800 Subject: [PATCH] Add proc.pcmdline. (#721) Add proc.pcmdline, which returns the commandline of the parent process. This is useful for some cases like detecting ansible environments when you want to see the parent command line (in this case, ansible's use of python) to tell the difference between python and python-run-by-ansible.
---
 userspace/libsinsp/filterchecks.cpp | 49 +++++++++++++++++-------
 userspace/libsinsp/filterchecks.h | 59 +++++++++++++++--------------
 2 files changed, 65 insertions(+), 43 deletions(-)
diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
index 29b5b89d91..829f75a668 100644
--- a/userspace/libsinsp/filterchecks.cpp
+++ b/userspace/libsinsp/filterchecks.cpp
@@ -1302,6 +1302,7 @@ const filtercheck_field_info sinsp_filter_check_thread_fields[] =
 {PT_UINT32, EPF_NONE, PF_DEC, "proc.nchilds", "the number of child threads that the process generating the event currently has. This excludes the main process thread."},
 {PT_INT64, EPF_NONE, PF_ID, "proc.ppid", "the pid of the parent of the process generating the event."},
 {PT_CHARBUF, EPF_NONE, PF_NA, "proc.pname", "the name (excluding the path) of the parent of the process generating the event."},
+ {PT_CHARBUF, EPF_NONE, PF_NA, "proc.pcmdline", "the full command line (proc.name + proc.args) of the parent of the process generating the event."},
 {PT_INT64, EPF_NONE, PF_ID, "proc.apid", "the pid of one of the process ancestors. E.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process. proc.apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234."},
 {PT_CHARBUF, EPF_NONE, PF_NA, "proc.aname", "the name (excluding the path) of one of the process ancestors. E.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash."},
 {PT_INT64, EPF_NONE, PF_ID, "proc.loginshellid", "the pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions, and is useful in conjunction with chisels like spy_user."},
@@ -1567,6 +1568,23 @@ uint8_t* sinsp_filter_check_thread::extract_thread_cpu(sinsp_evt *evt, sinsp_thr
 return NULL;
 }
+static void populate_cmdline(string &cmdline, sinsp_threadinfo *tinfo)
+{
+ cmdline = tinfo->get_comm() + " ";
+
+ uint32_t j;
+ uint32_t nargs = (uint32_t)tinfo->m_args.size();
+
+ for(j = 0; j < nargs; j++)
+ {
+ cmdline += tinfo->m_args[j];
+ if(j < nargs -1)
+ {
+ cmdline += ' ';
+ }
+ }
+}
+
 uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, bool sanitize_strings)
 {
 sinsp_threadinfo* tinfo = evt->get_thread_info();
@@ -1674,20 +1692,7 @@ uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, b
 }
 case TYPE_CMDLINE:
 {
- m_tstr = tinfo->get_comm() + " ";
-
- uint32_t j;
- uint32_t nargs = (uint32_t)tinfo->m_args.size();
-
- for(j = 0; j < nargs; j++)
- {
- m_tstr += tinfo->m_args[j];
- if(j < nargs -1)
- {
- m_tstr += ' ';
- }
- }
-
+ populate_cmdline(m_tstr, tinfo);
 *len = m_tstr.size();
 return (uint8_t*)m_tstr.c_str();
 }
@@ -1802,6 +1807,22 @@ uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, b
 return NULL;
 }
 }
+ case TYPE_PCMDLINE:
+ {
+ sinsp_threadinfo* ptinfo =
+ m_inspector->get_thread(tinfo->m_ptid, false, true);
+
+ if(ptinfo != NULL)
+ {
+ populate_cmdline(m_tstr, ptinfo);
+ *len = m_tstr.size();
+ return (uint8_t*)m_tstr.c_str();
+ }
+ else
+ {
+ return NULL;
+ }
+ }
 case TYPE_APID:
 {
 sinsp_threadinfo* mt = NULL;
diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
index be2d7f1c6b..07952bcf29 100644
--- a/userspace/libsinsp/filterchecks.h
+++ b/userspace/libsinsp/filterchecks.h
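Review bot: populate_cmdline joins comm and every element of m_args with a single space, so an argument that itself contains whitespace is indistinguishable from several arguments, and because `cmdline = tinfo->get_comm() + " ";` runs before the loop the result carries a trailing space whenever m_args is empty. Both quirks are inherited from the old TYPE_CMDLINE code rather than introduced here, but the helper now also feeds proc.pcmdline, whose stated purpose is to tell python-run-by-ansible from plain python, and argv is chosen by the process being described, so substring matches on this string are spoofable by that process. A header comment should make that explicit: `// Rebuilds "comm arg1 arg2 ..." by joining with single spaces; arguments are not quoted, so embedded whitespace is ambiguous and the string is process-controlled input for any rule that matches on it.` Fixing the trailing space (append the separator only between elements) would change proc.cmdline output for argument-less processes and belongs in its own change.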
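Review bot: The TYPE_PCMDLINE case returns NULL when `m_inspector->get_thread(tinfo->m_ptid, false, true)` yields no parent, which is the ordinary situation when the parent has already exited or was never observed (double-forked daemons, processes started before the capture began), so the field is silently absent in many of the cases a rule author cares about. The semantics of the `false`/`true` arguments are not visible here; I assume the `false` disables a fallback lookup, which is worth confirming before relying on the field in rules. The proc.pcmdline description in sinsp_filter_check_thread_fields should state the limitation, e.g. append `Not available when the parent's thread info is no longer in the thread table (for example, the parent has already exited).`, so that rules are written to treat a missing proc.pcmdline differently from a non-matching one. The enclosing extract() switch starts and ends outside this hunk.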
@@ -340,35 +340,36 @@ class sinsp_filter_check_thread : public sinsp_filter_check
 TYPE_NCHILDS = 9,
 TYPE_PPID = 10,
 TYPE_PNAME = 11,
- TYPE_APID = 12,
- TYPE_ANAME = 13,
- TYPE_LOGINSHELLID = 14,
- TYPE_DURATION = 15,
- TYPE_FDOPENCOUNT = 16,
- TYPE_FDLIMIT = 17,
- TYPE_FDUSAGE = 18,
- TYPE_VMSIZE = 19,
- TYPE_VMRSS = 20,
- TYPE_VMSWAP = 21,
- TYPE_PFMAJOR = 22,
- TYPE_PFMINOR = 23,
- TYPE_TID = 24,
- TYPE_ISMAINTHREAD = 25,
- TYPE_EXECTIME = 26,
- TYPE_TOTEXECTIME = 27,
- TYPE_CGROUPS = 28,
- TYPE_CGROUP = 29,
- TYPE_VTID = 30,
- TYPE_VPID = 31,
- TYPE_THREAD_CPU = 32,
- TYPE_THREAD_CPU_USER = 33,
- TYPE_THREAD_CPU_SYSTEM = 34,
- TYPE_THREAD_VMSIZE = 35,
- TYPE_THREAD_VMRSS = 36,
- TYPE_THREAD_VMSIZE_B = 37,
- TYPE_THREAD_VMRSS_B = 38,
- TYPE_SID = 39,
- TYPE_SNAME = 40,
+ TYPE_PCMDLINE = 12,
+ TYPE_APID = 13,
+ TYPE_ANAME = 14,
+ TYPE_LOGINSHELLID = 15,
+ TYPE_DURATION = 16,
+ TYPE_FDOPENCOUNT = 17,
+ TYPE_FDLIMIT = 18,
+ TYPE_FDUSAGE = 19,
+ TYPE_VMSIZE = 20,
+ TYPE_VMRSS = 21,
+ TYPE_VMSWAP = 22,
+ TYPE_PFMAJOR = 23,
+ TYPE_PFMINOR = 24,
+ TYPE_TID = 25,
+ TYPE_ISMAINTHREAD = 26,
+ TYPE_EXECTIME = 27,
+ TYPE_TOTEXECTIME = 28,
+ TYPE_CGROUPS = 29,
+ TYPE_CGROUP = 30,
+ TYPE_VTID = 31,
+ TYPE_VPID = 32,
+ TYPE_THREAD_CPU = 33,
+ TYPE_THREAD_CPU_USER = 34,
+ TYPE_THREAD_CPU_SYSTEM = 35,
+ TYPE_THREAD_VMSIZE = 36,
+ TYPE_THREAD_VMRSS = 37,
+ TYPE_THREAD_VMSIZE_B = 38,
+ TYPE_THREAD_VMRSS_B = 39,
+ TYPE_SID = 40,
+ TYPE_SNAME = 41,
 };
 sinsp_filter_check_thread();
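Review bot: TYPE_PCMDLINE is inserted at 12 and every later enumerator is renumbered by hand, yet nothing in the header records that these values have to track the row order of sinsp_filter_check_thread_fields[] in filterchecks.cpp, where proc.pcmdline is inserted at the matching position in the same patch. A comment above the enum would make the invariant explicit for the next insertion: `// Values are indices into sinsp_filter_check_thread_fields[]; keep the two in the same order.` If that is indeed the only coupling (the lookup code keyed on these values is not in this hunk), dropping the explicit `= N` initializers would let the compiler assign them and avoid this churn on future insertions. The enum and the enclosing class begin and end outside this hunk.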