diff --git a/driver/event_table.c b/driver/event_table.c
index ebc28bf035..60334082e7 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
- /* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
+ /* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
+ /* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
+ /* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
};
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
index bcec9c8cb1..896eae18a4 100644
--- a/driver/ppm_events_public.h
+++ b/driver/ppm_events_public.h
@@ -776,7 +776,9 @@ enum ppm_event_type {
PPME_SYSCALL_RMDIR_2_X = 279,
PPME_NOTIFICATION_E = 280,
PPME_NOTIFICATION_X = 281,
- PPM_EVENT_MAX = 282
+ PPME_SYSCALL_EXECVE_17_E = 282,
+ PPME_SYSCALL_EXECVE_17_X = 283,
+ PPM_EVENT_MAX = 284
};
/*@}*/
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
index 563a731e69..a054371fa1 100644
--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -34,6 +34,8 @@ along with sysdig. If not, see .
#include
#include
#include
+#include
+#include
#ifdef CONFIG_CGROUPS
#include
#endif
@@ -292,8 +294,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_DROP_X] = {f_sched_drop},
[PPME_SYSCALL_FCNTL_E] = {f_sched_fcntl_e},
[PPME_SYSCALL_FCNTL_X] = {f_sys_single_x},
- [PPME_SYSCALL_EXECVE_16_E] = {f_sys_empty},
- [PPME_SYSCALL_EXECVE_16_X] = {f_proc_startupdate},
+ [PPME_SYSCALL_EXECVE_17_E] = {f_sys_empty},
+ [PPME_SYSCALL_EXECVE_17_X] = {f_proc_startupdate},
[PPME_SYSCALL_CLONE_20_E] = {f_sys_empty},
[PPME_SYSCALL_CLONE_20_X] = {f_proc_startupdate},
[PPME_SYSCALL_BRK_4_E] = {PPM_AUTOFILL, 1, APT_REG, {{0} } },
@@ -1011,6 +1013,52 @@ static int compat_accumulate_argv_or_env(compat_uptr_t argv,
#endif
+static int ppm_get_tty(void)
+{
+ /* Locking of the signal structures seems too complicated across
+ * multiple kernel versions to get it right, so simply do protected
+ * memory accesses, and in the worst case we get some garbage,
+ * which is not the end of the world. In the vast majority of accesses,
+ * we'll be just fine.
+ */
+ struct signal_struct *sig;
+ struct tty_struct *tty;
+ struct tty_driver *driver;
+ int major;
+ int minor_start;
+ int index;
+ int tty_nr = 0;
+
+ sig = current->signal;
+ if (!sig)
+ return 0;
+
+ if (unlikely(probe_kernel_read(&tty, &sig->tty, sizeof(tty))))
+ return 0;
+
+ if (!tty)
+ return 0;
+
+ if (unlikely(probe_kernel_read(&index, &tty->index, sizeof(index))))
+ return 0;
+
+ if (unlikely(probe_kernel_read(&driver, &tty->driver, sizeof(driver))))
+ return 0;
+
+ if (!driver)
+ return 0;
+
+ if (unlikely(probe_kernel_read(&major, &driver->major, sizeof(major))))
+ return 0;
+
+ if (unlikely(probe_kernel_read(&minor_start, &driver->minor_start, sizeof(minor_start))))
+ return 0;
+
+ tty_nr = new_encode_dev(MKDEV(major, minor_start) + index);
+
+ return tty_nr;
+}
+
static int f_proc_startupdate(struct event_filler_arguments *args)
{
unsigned long val;
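Review bot: ppm_get_tty() returns 0 both when the task has no controlling terminal and when any probe_kernel_read() fails, and its own comment says it can return garbage if the tty structures change mid-read, yet none of this is stated as a contract for callers. The value is exported as the execve event's `tty` parameter, so consumers that use it to separate interactive from non-interactive executions need to know it is best-effort. I would add a header comment such as `/* Best-effort encoded device number of current's controlling tty (intended to match tty_nr in /proc/<pid>/stat); 0 means no tty or unreadable. */`. The hunk ends inside f_proc_startupdate, whose body continues outside it.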
@@ -1035,7 +1083,7 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
return res;
if (unlikely(retval < 0 &&
- args->event_type != PPME_SYSCALL_EXECVE_16_X)) {
+ args->event_type != PPME_SYSCALL_EXECVE_17_X)) {
/* The call failed, but this syscall has no exe, args
* anyway, so I report empty ones */
@@ -1311,11 +1359,12 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
if (unlikely(res != PPM_SUCCESS))
return res;
- } else if (args->event_type == PPME_SYSCALL_EXECVE_16_X) {
+ } else if (args->event_type == PPME_SYSCALL_EXECVE_17_X) {
/*
* execve-only parameters
*/
long env_len = 0;
+ int tty_nr = 0;
if (likely(retval >= 0)) {
/*
@@ -1357,6 +1406,14 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
res = val_to_ring(args, (int64_t)(long)args->str_storage, env_len, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
+
+ /*
+ * tty
+ */
+ tty_nr = ppm_get_tty();
+ res = val_to_ring(args, tty_nr, 0, false, 0);
+ if (unlikely(res != PPM_SUCCESS))
+ return res;
}
return add_sentinel(args);
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index ca8a8ed5be..95735daeb6 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
@@ -52,7 +52,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
[__NR_brk - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
[__NR_read - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
[__NR_write - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
- [__NR_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
+ [__NR_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
[__NR_clone - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
[__NR_fork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
[__NR_vfork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},
@@ -838,7 +838,7 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
[__NR_ia32_brk - SYSCALL_TABLE_ID0] = {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
[__NR_ia32_read - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
[__NR_ia32_write - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
- [__NR_ia32_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
+ [__NR_ia32_execve - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
[__NR_ia32_clone - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
[__NR_ia32_fork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
[__NR_ia32_vfork - SYSCALL_TABLE_ID0] = {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},
diff --git a/userspace/libscap/event_table.c b/userspace/libscap/event_table.c
index 6c7e85e072..7ca600d3e2 100644
--- a/userspace/libscap/event_table.c
+++ b/userspace/libscap/event_table.c
@@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
- /* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
+ /* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
+ /* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
+ /* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
};
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
index 1db2032d65..a1a9e99f7e 100644
--- a/userspace/libscap/scap.h
+++ b/userspace/libscap/scap.h
@@ -220,6 +220,7 @@ typedef struct scap_threadinfo
int filtered_out; ///< nonzero if this entry should not be saved to file
scap_fdinfo* fdlist; ///< The fd table for this process
uint64_t clone_ts;
+ int32_t tty;
UT_hash_handle hh; ///< makes this structure hashable
}scap_threadinfo;
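Review bot: The new `tty` member has no `///<` description, and this diff does not show it being filled on every path that builds a scap_threadinfo. The "Fill in the thread data" block of sinsp_thread_manager::to_scap(), re-indented later in this diff, assigns the other fields but never `sctinfo->tty`. Unless the structure is zeroed elsewhere, the field would hold whatever the allocation contained. Suggested: `int32_t tty; ///< Encoded device number of the controlling terminal, 0 if none` here, and `sctinfo->tty = tinfo.m_tty;` next to the `sctinfo->sid` assignment in to_scap(). The struct definition starts outside this hunk.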
@@ -888,7 +889,7 @@ int32_t scap_proc_add(scap_t* handle, uint64_t tid, scap_threadinfo* tinfo);
int32_t scap_fd_add(scap_threadinfo* tinfo, uint64_t fd, scap_fdinfo* fdinfo);
scap_dumper_t *scap_memory_dump_open(scap_t *handle, uint8_t* targetbuf, uint64_t targetbufsize);
int32_t compr(uint8_t* dest, uint64_t* destlen, const uint8_t* source, uint64_t sourcelen, int level);
-uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
+uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
#ifdef __cplusplus
}
diff --git a/userspace/libscap/scap_procs.c b/userspace/libscap/scap_procs.c
index 018ab01b08..0f36157bed 100644
--- a/userspace/libscap/scap_procs.c
+++ b/userspace/libscap/scap_procs.c
@@ -65,6 +65,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
uint32_t vmswap_kb;
uint64_t pfmajor;
uint64_t pfminor;
+ int32_t tty;
char line[512];
char tmpc;
char* s;
@@ -78,6 +79,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
tinfo->pfmajor = 0;
tinfo->pfminor = 0;
tinfo->filtered_out = 0;
+ tinfo->tty = 0;
snprintf(filename, sizeof(filename), "%sstatus", procdirname);
@@ -230,12 +232,12 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
//
// Extract the line content
//
- if(sscanf(s + 2, "%c %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
+ if(sscanf(s + 2, "%c %" PRId64 " %" PRId64 " %" PRId64 " %" PRId32 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
&tmpc,
&tmp,
&sid,
&tmp,
- &tmp,
+ &tty,
&tmp,
&tmp,
&pfminor,
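Review bot: The conversion added for `&tty` uses `PRId32`, which is a printf macro; the matching scanf macro for an `int32_t` target is `SCNd32` from <inttypes.h>. The two expand to the same text on common platforms, which is why this works, but where they differ sscanf would store through the pointer with the wrong width. The neighbouring `PRId64` conversions have the same issue and could move to `SCNd64` at the same time. Suggested: `" %" SCNd32 " %"` in place of `" %" PRId32 " %"`. The sscanf call and the check of its return value continue outside the hunk.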
@@ -250,6 +252,7 @@ int32_t scap_proc_fill_info_from_stats(char* procdirname, struct scap_threadinfo
tinfo->pfmajor = pfmajor;
tinfo->pfminor = pfminor;
tinfo->sid = (uint64_t) sid;
+ tinfo->tty = tty;
fclose(f);
return SCAP_SUCCESS;
diff --git a/userspace/libscap/scap_savefile.c b/userspace/libscap/scap_savefile.c
index f81b5e2295..4ce392b231 100755
--- a/userspace/libscap/scap_savefile.c
+++ b/userspace/libscap/scap_savefile.c
@@ -950,7 +950,8 @@ static int32_t scap_read_proclist(scap_t *handle, gzFile f, uint32_t block_lengt
tinfo.root[0] = 0;
tinfo.sid = -1;
tinfo.clone_ts = 0;
-
+ tinfo.tty = 0;
+
while(((int32_t)block_length - (int32_t)totreadsize) >= 4)
{
//
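Review bot: `tinfo.tty` is only defaulted to 0 here, and this is the only change to scap_savefile.c in the diff, so the proclist block apparently neither stores nor restores the field. On replay of a capture file, processes that were already running when the capture started would then report tty 0 until they exec again, even though the live path reads the real value from /proc. If that limitation is accepted, a comment would make it explicit: `tinfo.tty = 0; /* not stored in the proclist block; stays 0 for pre-existing processes */`. scap_read_proclist continues outside the hunk, so a read added elsewhere would not be visible here.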
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
index c820a3f3d5..a2faeccf6b 100644
--- a/userspace/libsinsp/parsers.cpp
+++ b/userspace/libsinsp/parsers.cpp
@@ -335,6 +335,7 @@ void sinsp_parser::process_event(sinsp_evt *evt)
case PPME_SYSCALL_EXECVE_14_X:
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
+ case PPME_SYSCALL_EXECVE_17_X:
parse_execve_exit(evt);
break;
case PPME_PROCEXIT_E:
@@ -1116,6 +1117,8 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
// Copy the session id from the parent
tinfo.m_sid = ptinfo->m_sid;
+
+ tinfo.m_tty = ptinfo->m_tty;
}
else
{
@@ -1148,6 +1151,7 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
tinfo.m_args = ptinfo->m_args;
tinfo.m_root = ptinfo->m_root;
tinfo.m_sid = ptinfo->m_sid;
+ tinfo.m_tty = ptinfo->m_tty;
}
else
{
@@ -1489,6 +1493,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
break;
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
+ case PPME_SYSCALL_EXECVE_17_X:
// Get the comm
parinfo = evt->get_param(13);
evt->m_tinfo->m_comm = parinfo->m_val;
@@ -1519,6 +1524,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
case PPME_SYSCALL_EXECVE_14_X:
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
+ case PPME_SYSCALL_EXECVE_17_X:
// Get the pgflt_maj
parinfo = evt->get_param(8);
ASSERT(parinfo->m_len == sizeof(uint64_t));
@@ -1564,6 +1570,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
evt->m_tinfo->set_env(parinfo->m_val, parinfo->m_len);
break;
case PPME_SYSCALL_EXECVE_16_X:
+ case PPME_SYSCALL_EXECVE_17_X:
// Get the environment
parinfo = evt->get_param(15);
evt->m_tinfo->set_env(parinfo->m_val, parinfo->m_len);
@@ -1588,6 +1595,25 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
ASSERT(false);
}
+ switch(etype)
+ {
+ case PPME_SYSCALL_EXECVE_8_X:
+ case PPME_SYSCALL_EXECVE_13_X:
+ case PPME_SYSCALL_EXECVE_14_X:
+ case PPME_SYSCALL_EXECVE_15_X:
+ case PPME_SYSCALL_EXECVE_16_X:
+ break;
+ case PPME_SYSCALL_EXECVE_17_X:
+ // Get the tty
+ parinfo = evt->get_param(16);
+ ASSERT(parinfo->m_len == sizeof(int32_t));
+ evt->m_tinfo->m_tty = *(int32_t *) parinfo->m_val;
+ break;
+ default:
+ ASSERT(false);
+ }
+
+
//
// execve starts with a clean fd list, so we get rid of the fd list that clone
// copied from the parent
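Review bot: In the new `PPME_SYSCALL_EXECVE_17_X` case the parameter length is checked only with `ASSERT`, which is presumably compiled out of release builds, and the value is then read through an `int32_t *` cast of `parinfo->m_val`. Event data can come from a capture file, so a short or misaligned parameter 16 would lead to a 4-byte read past the parameter, or an unaligned access. A runtime check with a copy avoids both: `if(parinfo->m_len == sizeof(int32_t)) { memcpy(&evt->m_tinfo->m_tty, parinfo->m_val, sizeof(int32_t)); }`. The same pattern appears in the older cases of parse_execve_exit, which begins and ends outside this hunk.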
diff --git a/userspace/libsinsp/threadinfo.cpp b/userspace/libsinsp/threadinfo.cpp
index b98bfab3a5..ca8513ed61 100644
--- a/userspace/libsinsp/threadinfo.cpp
+++ b/userspace/libsinsp/threadinfo.cpp
@@ -87,6 +87,7 @@ void sinsp_threadinfo::init()
m_program_hash_falco = 0;
m_lastevent_data = NULL;
m_parent_loop_detected = false;
+ m_tty = 0;
}
sinsp_threadinfo::~sinsp_threadinfo()
@@ -375,6 +376,7 @@ void sinsp_threadinfo::init(scap_threadinfo* pi)
m_vtid = pi->vtid;
m_vpid = pi->vpid;
m_clone_ts = pi->clone_ts;
+ m_tty = pi->tty;
set_cgroups(pi->cgroups, pi->cgroups_len);
m_root = pi->root;
@@ -876,9 +878,9 @@ void sinsp_threadinfo::args_to_scap(scap_threadinfo* sctinfo)
{
uint32_t len = a.size() + 1;
- strncpy(dst + tlen, a.c_str(), alen);
- tlen += len;
- alen -= len;
+ strncpy(dst + tlen, a.c_str(), alen);
+ tlen += len;
+ alen -= len;
}
sctinfo->args_len = tlen;
@@ -894,9 +896,9 @@ void sinsp_threadinfo::env_to_scap(scap_threadinfo* sctinfo)
{
uint32_t len = a.size() + 1;
- strncpy(dst + tlen, a.c_str(), alen);
- tlen += len;
- alen -= len;
+ strncpy(dst + tlen, a.c_str(), alen);
+ tlen += len;
+ alen -= len;
}
sctinfo->env_len = tlen;
@@ -913,9 +915,9 @@ void sinsp_threadinfo::cgroups_to_scap(scap_threadinfo* sctinfo)
string a = cg.first + "=" + cg.second;
uint32_t len = a.size() + 1;
- strncpy(dst + tlen, a.c_str(), alen);
- tlen += len;
- alen -= len;
+ strncpy(dst + tlen, a.c_str(), alen);
+ tlen += len;
+ alen -= len;
}
sctinfo->cgroups_len = tlen;
@@ -927,51 +929,51 @@ void sinsp_threadinfo::fd_to_scap(scap_fdinfo *dst, sinsp_fdinfo_t* src)
dst->ino = src->m_ino;
switch(dst->type)
- {
- case SCAP_FD_IPV4_SOCK:
- dst->info.ipv4info.sip = src->m_sockinfo.m_ipv4info.m_fields.m_sip;
- dst->info.ipv4info.dip = src->m_sockinfo.m_ipv4info.m_fields.m_dip;
- dst->info.ipv4info.sport = src->m_sockinfo.m_ipv4info.m_fields.m_sport;
- dst->info.ipv4info.dport = src->m_sockinfo.m_ipv4info.m_fields.m_dport;
- dst->info.ipv4info.l4proto = src->m_sockinfo.m_ipv4info.m_fields.m_l4proto;
- break;
- case SCAP_FD_IPV4_SERVSOCK:
- dst->info.ipv4serverinfo.ip = src->m_sockinfo.m_ipv4serverinfo.m_ip;
- dst->info.ipv4serverinfo.port = src->m_sockinfo.m_ipv4serverinfo.m_port;
- dst->info.ipv4serverinfo.l4proto = src->m_sockinfo.m_ipv4serverinfo.m_l4proto;
- break;
- case SCAP_FD_IPV6_SOCK:
- copy_ipv6_address(dst->info.ipv6info.sip, src->m_sockinfo.m_ipv6info.m_fields.m_sip);
- copy_ipv6_address(dst->info.ipv6info.dip, src->m_sockinfo.m_ipv6info.m_fields.m_dip);
- dst->info.ipv6info.sport = src->m_sockinfo.m_ipv6info.m_fields.m_sport;
- dst->info.ipv6info.dport = src->m_sockinfo.m_ipv6info.m_fields.m_dport;
- dst->info.ipv6info.l4proto = src->m_sockinfo.m_ipv6info.m_fields.m_l4proto;
- break;
- case SCAP_FD_IPV6_SERVSOCK:
- copy_ipv6_address(dst->info.ipv6serverinfo.ip, src->m_sockinfo.m_ipv6serverinfo.m_ip);
- dst->info.ipv6serverinfo.port = src->m_sockinfo.m_ipv6serverinfo.m_port;
- dst->info.ipv6serverinfo.l4proto = src->m_sockinfo.m_ipv6serverinfo.m_l4proto;
- break;
- case SCAP_FD_UNIX_SOCK:
- dst->info.unix_socket_info.source = src->m_sockinfo.m_unixinfo.m_fields.m_source;
- dst->info.unix_socket_info.destination = src->m_sockinfo.m_unixinfo.m_fields.m_dest;
- strncpy(dst->info.unix_socket_info.fname, src->m_name.c_str(), SCAP_MAX_PATH_SIZE);
- break;
- case SCAP_FD_FIFO:
- case SCAP_FD_FILE:
- case SCAP_FD_DIRECTORY:
- case SCAP_FD_UNSUPPORTED:
- case SCAP_FD_SIGNALFD:
- case SCAP_FD_EVENTPOLL:
- case SCAP_FD_EVENT:
- case SCAP_FD_INOTIFY:
- case SCAP_FD_TIMERFD:
- strncpy(dst->info.fname, src->m_name.c_str(), SCAP_MAX_PATH_SIZE);
- break;
- default:
- ASSERT(false);
- break;
- }
+ {
+ case SCAP_FD_IPV4_SOCK:
+ dst->info.ipv4info.sip = src->m_sockinfo.m_ipv4info.m_fields.m_sip;
+ dst->info.ipv4info.dip = src->m_sockinfo.m_ipv4info.m_fields.m_dip;
+ dst->info.ipv4info.sport = src->m_sockinfo.m_ipv4info.m_fields.m_sport;
+ dst->info.ipv4info.dport = src->m_sockinfo.m_ipv4info.m_fields.m_dport;
+ dst->info.ipv4info.l4proto = src->m_sockinfo.m_ipv4info.m_fields.m_l4proto;
+ break;
+ case SCAP_FD_IPV4_SERVSOCK:
+ dst->info.ipv4serverinfo.ip = src->m_sockinfo.m_ipv4serverinfo.m_ip;
+ dst->info.ipv4serverinfo.port = src->m_sockinfo.m_ipv4serverinfo.m_port;
+ dst->info.ipv4serverinfo.l4proto = src->m_sockinfo.m_ipv4serverinfo.m_l4proto;
+ break;
+ case SCAP_FD_IPV6_SOCK:
+ copy_ipv6_address(dst->info.ipv6info.sip, src->m_sockinfo.m_ipv6info.m_fields.m_sip);
+ copy_ipv6_address(dst->info.ipv6info.dip, src->m_sockinfo.m_ipv6info.m_fields.m_dip);
+ dst->info.ipv6info.sport = src->m_sockinfo.m_ipv6info.m_fields.m_sport;
+ dst->info.ipv6info.dport = src->m_sockinfo.m_ipv6info.m_fields.m_dport;
+ dst->info.ipv6info.l4proto = src->m_sockinfo.m_ipv6info.m_fields.m_l4proto;
+ break;
+ case SCAP_FD_IPV6_SERVSOCK:
+ copy_ipv6_address(dst->info.ipv6serverinfo.ip, src->m_sockinfo.m_ipv6serverinfo.m_ip);
+ dst->info.ipv6serverinfo.port = src->m_sockinfo.m_ipv6serverinfo.m_port;
+ dst->info.ipv6serverinfo.l4proto = src->m_sockinfo.m_ipv6serverinfo.m_l4proto;
+ break;
+ case SCAP_FD_UNIX_SOCK:
+ dst->info.unix_socket_info.source = src->m_sockinfo.m_unixinfo.m_fields.m_source;
+ dst->info.unix_socket_info.destination = src->m_sockinfo.m_unixinfo.m_fields.m_dest;
+ strncpy(dst->info.unix_socket_info.fname, src->m_name.c_str(), SCAP_MAX_PATH_SIZE);
+ break;
+ case SCAP_FD_FIFO:
+ case SCAP_FD_FILE:
+ case SCAP_FD_DIRECTORY:
+ case SCAP_FD_UNSUPPORTED:
+ case SCAP_FD_SIGNALFD:
+ case SCAP_FD_EVENTPOLL:
+ case SCAP_FD_EVENT:
+ case SCAP_FD_INOTIFY:
+ case SCAP_FD_TIMERFD:
+ strncpy(dst->info.fname, src->m_name.c_str(), SCAP_MAX_PATH_SIZE);
+ break;
+ default:
+ ASSERT(false);
+ break;
+ }
}
///////////////////////////////////////////////////////////////////////////////
@@ -1260,33 +1262,33 @@ void sinsp_thread_manager::to_scap()
//
// Fill in the thread data
//
- sctinfo->tid = tinfo.m_tid;
- sctinfo->pid = tinfo.m_pid;
- sctinfo->ptid = tinfo.m_ptid;
- sctinfo->sid = tinfo.m_sid;
-
- strncpy(sctinfo->comm, tinfo.m_comm.c_str(), SCAP_MAX_PATH_SIZE);
- strncpy(sctinfo->exe, tinfo.m_exe.c_str(), SCAP_MAX_PATH_SIZE);
- tinfo.args_to_scap(sctinfo);
- tinfo.env_to_scap(sctinfo);
- string tcwd = (tinfo.m_cwd == "")? "/": tinfo.m_cwd;
- strncpy(sctinfo->cwd, tcwd.c_str(), SCAP_MAX_PATH_SIZE);
- sctinfo->flags = tinfo.m_flags ;
- sctinfo->fdlimit = tinfo.m_fdlimit;
- sctinfo->uid = tinfo.m_uid;
- sctinfo->gid = tinfo.m_gid;
- sctinfo->vmsize_kb = tinfo.m_vmsize_kb;
- sctinfo->vmrss_kb = tinfo.m_vmrss_kb;
- sctinfo->vmswap_kb = tinfo.m_vmswap_kb;
- sctinfo->pfmajor = tinfo.m_pfmajor;
- sctinfo->pfminor = tinfo.m_pfminor;
- sctinfo->vtid = tinfo.m_vtid;
- sctinfo->vpid = tinfo.m_vpid;
- sctinfo->fdlist = NULL;
- tinfo.cgroups_to_scap(sctinfo);
- strncpy(sctinfo->root, tinfo.m_root.c_str(), SCAP_MAX_PATH_SIZE);
- sctinfo->filtered_out = false;
-
+ sctinfo->tid = tinfo.m_tid;
+ sctinfo->pid = tinfo.m_pid;
+ sctinfo->ptid = tinfo.m_ptid;
+ sctinfo->sid = tinfo.m_sid;
+
+ strncpy(sctinfo->comm, tinfo.m_comm.c_str(), SCAP_MAX_PATH_SIZE);
+ strncpy(sctinfo->exe, tinfo.m_exe.c_str(), SCAP_MAX_PATH_SIZE);
+ tinfo.args_to_scap(sctinfo);
+ tinfo.env_to_scap(sctinfo);
+ string tcwd = (tinfo.m_cwd == "")? "/": tinfo.m_cwd;
+ strncpy(sctinfo->cwd, tcwd.c_str(), SCAP_MAX_PATH_SIZE);
+ sctinfo->flags = tinfo.m_flags ;
+ sctinfo->fdlimit = tinfo.m_fdlimit;
+ sctinfo->uid = tinfo.m_uid;
+ sctinfo->gid = tinfo.m_gid;
+ sctinfo->vmsize_kb = tinfo.m_vmsize_kb;
+ sctinfo->vmrss_kb = tinfo.m_vmrss_kb;
+ sctinfo->vmswap_kb = tinfo.m_vmswap_kb;
+ sctinfo->pfmajor = tinfo.m_pfmajor;
+ sctinfo->pfminor = tinfo.m_pfminor;
+ sctinfo->vtid = tinfo.m_vtid;
+ sctinfo->vpid = tinfo.m_vpid;
+ sctinfo->fdlist = NULL;
+ tinfo.cgroups_to_scap(sctinfo);
+ strncpy(sctinfo->root, tinfo.m_root.c_str(), SCAP_MAX_PATH_SIZE);
+ sctinfo->filtered_out = false;
+
//
// Add the FDs
//
diff --git a/userspace/libsinsp/threadinfo.h b/userspace/libsinsp/threadinfo.h
index c21d8ce445..0114d3a39b 100644
--- a/userspace/libsinsp/threadinfo.h
+++ b/userspace/libsinsp/threadinfo.h
@@ -236,6 +236,7 @@ class SINSP_PUBLIC sinsp_threadinfo
string m_root;
size_t m_program_hash;
size_t m_program_hash_falco;
+ int32_t m_tty;
//
// State for multi-event processing