From aa82b2fb329ea97a8ade31590954ddaa675e1728 Mon Sep 17 00:00:00 2001
From: Loris Degioanni
Date: Fri, 21 Dec 2018 12:38:44 -0800
Subject: [PATCH] make fd resolution work for getsockopt in sysdig (#1280)

* make fd resolution work for getsockopt in sysdig
* getsockopt needs the EF_MODIFIES_STATE flag
* make sure the fd.num filter check works with getsockinfo
---
 driver/event_table.c | 4 ++--
 driver/flags_table.c | 4 ++--
 userspace/libsinsp/filterchecks.cpp | 2 +-
 userspace/libsinsp/parsers.cpp | 22 +++++++++++++---------
 4 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/driver/event_table.c b/driver/event_table.c
index c32aa66520..bf81e85c60 100644
--- a/driver/event_table.c
+++ b/driver/event_table.c
@@ -56,8 +56,8 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 /* PPME_SOCKET_SOECKETPAIR_X */{"socketpair", EC_IPC, EF_CREATES_FD | EF_MODIFIES_STATE, 5, {{"res", PT_ERRNO, PF_DEC}, {"fd1", PT_FD, PF_DEC}, {"fd2", PT_FD, PF_DEC}, {"source", PT_UINT64, PF_HEX}, {"peer", PT_UINT64, PF_HEX} } },
 /* PPME_SOCKET_SETSOCKOPT_E */{"setsockopt", EC_NET, EF_NONE, 0 },
 /* PPME_SOCKET_SETSOCKOPT_X */{"setsockopt", EC_NET, EF_USES_FD, 6, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"level", PT_FLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_FLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}},
- /* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_DROP_FALCO, 0 },
- /* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_USES_FD | EF_DROP_FALCO, 6, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"level", PT_FLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_FLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}},
+ /* PPME_SOCKET_GETSOCKOPT_E */{"getsockopt", EC_NET, EF_MODIFIES_STATE | EF_DROP_FALCO, 0 },
+ /* PPME_SOCKET_GETSOCKOPT_X */{"getsockopt", EC_NET, EF_USES_FD | EF_MODIFIES_STATE| EF_DROP_FALCO, 6, {{"res", PT_ERRNO, PF_DEC}, {"fd", PT_FD, PF_DEC}, {"level", PT_FLAGS8, PF_DEC, sockopt_levels}, {"optname", PT_FLAGS8, PF_DEC, sockopt_options}, {"val", PT_DYN, PF_DEC, sockopt_dynamic_param, PPM_SOCKOPT_IDX_MAX}, {"optlen", PT_UINT32, PF_DEC}}},
 /* PPME_SOCKET_SENDMSG_E */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 3, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA} } },
 /* PPME_SOCKET_SENDMSG_X */{"sendmsg", EC_IO_WRITE, EF_USES_FD | EF_WRITES_TO_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"data", PT_BYTEBUF, PF_NA} } },
 /* PPME_SOCKET_SENDMMSG_E */{"sendmmsg", EC_IO_WRITE, EF_DROP_FALCO, 0},
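Review bot: In the new `PPME_SOCKET_GETSOCKOPT_X` row the flag list reads `EF_USES_FD | EF_MODIFIES_STATE| EF_DROP_FALCO`, without the space before the second `|` that the neighbouring rows use; write it as `EF_USES_FD | EF_MODIFIES_STATE | EF_DROP_FALCO`. Neither getsockopt row says why it now carries `EF_MODIFIES_STATE`; judging by the parsers.cpp change in this commit, the exit parser now records the fd on the thread, so a one-line comment such as `/* EF_MODIFIES_STATE: exit parser updates the thread's last-event fd */` would document that. The table itself starts and ends outside this hunk.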
diff --git a/driver/flags_table.c b/driver/flags_table.c
index 4301776030..885ecfae29 100644
--- a/driver/flags_table.c
+++ b/driver/flags_table.c
@@ -260,7 +260,7 @@ const struct ppm_name_value sockopt_levels[] = {
 {"SOL_SOCKET", PPM_SOCKOPT_LEVEL_SOL_SOCKET},
 {"SOL_TCP", PPM_SOCKOPT_LEVEL_SOL_TCP},
 {"UNKNOWN", PPM_SOCKOPT_LEVEL_UNKNOWN},
- { },
+ {0, 0},
 };
 
 const struct ppm_name_value sockopt_options[] = {
@@ -318,7 +318,7 @@ const struct ppm_name_value sockopt_options[] = {
 {"SO_REUSEADDR", PPM_SOCKOPT_SO_REUSEADDR},
 {"SO_DEBUG", PPM_SOCKOPT_SO_DEBUG},
 {"UNKNOWN", PPM_SOCKOPT_UNKNOWN},
- { },
+ {0, 0},
 };
 
 const struct ppm_name_value ptrace_requests[] = {
diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
index 9a1e9c2c54..390850c12c 100644
--- a/userspace/libsinsp/filterchecks.cpp
+++ b/userspace/libsinsp/filterchecks.cpp
@@ -717,7 +717,7 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool
 {
 is_local = m_inspector->get_ifaddr_list()->is_ipv4addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv4info.m_fields.m_sip, m_tinfo);
 }
- else
+ else
 {
 is_local = m_inspector->get_ifaddr_list()->is_ipv6addr_in_local_machine(m_fdinfo->m_sockinfo.m_ipv6info.m_fields.m_sip, m_tinfo);
 }
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
index 428d300260..d5720ae717 100644
--- a/userspace/libsinsp/parsers.cpp
+++ b/userspace/libsinsp/parsers.cpp
@@ -4669,6 +4669,18 @@ void sinsp_parser::parse_getsockopt_exit(sinsp_evt *evt)
 int64_t fd;
 int8_t level, optname;
 
+ if(!evt->m_tinfo)
+ {
+ return;
+ }
+
+ parinfo = evt->get_param(1);
+ fd = *(int64_t *)parinfo->m_val;
+ ASSERT(parinfo->m_len == sizeof(int64_t));
+
+ evt->m_fdinfo = evt->m_tinfo->get_main_thread()->get_fd(fd);
+ evt->m_tinfo->m_lastevent_fd = fd;
+
 // right now we only parse getsockopt() for SO_ERROR options
 // if that ever changes, move this check inside
 // the `if (level == PPM_SOCKOPT_LEVEL_SOL_SOCKET ...)` block
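Review bot: In the block added at the top of `parse_getsockopt_exit`, `fd = *(int64_t *)parinfo->m_val;` reads eight bytes before `ASSERT(parinfo->m_len == sizeof(int64_t))` looks at the length, and if `ASSERT` is compiled out in release builds (its definition is not visible here) the length is never checked at all. The read used to sit inside the SO_ERROR branch and now appears to run for every getsockopt exit event, so a truncated or malformed event, for instance from a capture file, would be read past the end of the parameter; test the length first and bail out, `if(parinfo->m_len != sizeof(int64_t)) { ASSERT(false); return; }`. The pointer returned by `get_main_thread()` is also dereferenced without a check; if it can be null, guard it before calling `get_fd(fd)`. The function body starts and ends outside this hunk.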
@@ -4677,10 +4689,7 @@ void sinsp_parser::parse_getsockopt_exit(sinsp_evt *evt)
 return;
 }
 
- if (!evt->m_tinfo)
- {
- return;
- }
+ //evt->m_fdinfo = evt->m_tinfo->get_fd(evt->m_tinfo->m_lastevent_fd);
 
 //
 // Extract the return value
@@ -4704,11 +4713,6 @@ void sinsp_parser::parse_getsockopt_exit(sinsp_evt *evt)
 
 if(level == PPM_SOCKOPT_LEVEL_SOL_SOCKET && optname == PPM_SOCKOPT_SO_ERROR)
 {
- parinfo = evt->get_param(1);
- fd = *(int64_t *)parinfo->m_val;
- ASSERT(parinfo->m_len == sizeof(int64_t));
-
- evt->m_fdinfo = evt->m_tinfo->get_main_thread()->get_fd(fd);
 if (!evt->m_fdinfo)
 {
 return;
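Review bot: The line added in the hunk at -4677, `//evt->m_fdinfo = evt->m_tinfo->get_fd(evt->m_tinfo->m_lastevent_fd);`, is commented-out code with no explanation. It also uses a different lookup (`m_tinfo->get_fd`) from the active assignment this commit adds earlier in the function (`get_main_thread()->get_fd(fd)`), so a reader cannot tell which of the two is intended. Delete it, or replace it with a comment that records the decision, e.g. `// m_fdinfo was already resolved from the fd parameter above`. The enclosing function starts and ends outside the hunk.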