wdig-specific process and path merging functionality

kinvolk · Dec 16, 2020 · 2b72d9d · 2b72d9d
1 parent 320026e
commit 2b72d9d
Show file tree

Hide file tree

Showing 9 changed files with 84 additions and 31 deletions.
diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c
@@ -236,9 +236,9 @@ static inline uint32_t get_fd_dev(int64_t fd)
 
 int f_sys_open_x(struct event_filler_arguments *args)
 {
-	unsigned long val;
-	unsigned long flags;
-	unsigned long modes;
+	syscall_arg_t val;
+	syscall_arg_t flags;
+	syscall_arg_t modes;
 	int res;
 	int64_t retval;
 

diff --git a/userspace/libsinsp/event.cpp b/userspace/libsinsp/event.cpp
@@ -1674,7 +1674,8 @@ const char* sinsp_evt::get_param_as_str(uint32_t id, OUT const char** resolved_s
 					(char*)cwd.c_str(),
 					(uint32_t)cwd.length(),
 					payload,
-					payload_len))
+					payload_len,
+					m_inspector->m_is_windows))
 				{
 					m_resolved_paramstr_storage[0] = 0;
 				}

diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -242,7 +242,8 @@ bool sinsp_filter_check_fd::extract_fdname_from_creator(sinsp_evt *evt, OUT uint
 				sdir.c_str(),
 				(uint32_t)sdir.length(),
 				name,
-				namelen);
+				namelen,
+				m_inspector->m_is_windows);
 
 			m_tstr = fullpath;
 			if(sanitize_strings)
@@ -3303,7 +3304,8 @@ uint8_t *sinsp_filter_check_event::extract_abspath(sinsp_evt *evt, OUT uint32_t
 	}
 
 	char fullname[SCAP_MAX_PATH_SIZE];
-	sinsp_utils::concatenate_paths(fullname, SCAP_MAX_PATH_SIZE, sdir.c_str(), (uint32_t)sdir.length(), path, pathlen);
+	sinsp_utils::concatenate_paths(fullname, SCAP_MAX_PATH_SIZE, sdir.c_str(), 
+		(uint32_t)sdir.length(), path, pathlen, m_inspector->m_is_windows);
 
 	m_strstorage = fullname;
 

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -1286,6 +1286,11 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
 
 	if(!(tinfo->m_flags & PPM_CL_CLONE_THREAD))
 	{
+		if(m_inspector->m_is_windows)
+		{
+			tinfo->m_flags |= PPM_CL_IS_MAIN_THREAD;
+		}
+
 		//
 		// Copy the fd list
 		// XXX this is a gross oversimplification that will need to be fixed.
@@ -1312,7 +1317,22 @@ void sinsp_parser::parse_clone_exit(sinsp_evt *evt)
 		//
 		// Not a thread, copy cwd
 		//
-		tinfo->m_cwd = ptinfo->get_cwd();
+		if(m_inspector->m_is_windows)
+		{
+			if(ptinfo->m_tid == 0 && ptinfo->m_pid == 0)
+			{
+				parinfo = evt->get_param(6);
+				tinfo->m_cwd = parinfo->m_val;
+			}
+			else
+			{
+				tinfo->m_cwd = ptinfo->get_cwd();
+			}
+		}
+		else
+		{
+			tinfo->m_cwd = ptinfo->get_cwd();
+		}
 	}
 	//if((tinfo->m_flags & (PPM_CL_CLONE_FILES)))
 	//{
@@ -1741,7 +1761,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 			{
 				sinsp_utils::concatenate_paths(fullpath, SCAP_MAX_PATH_SIZE,
 											   evt->m_tinfo->m_cwd.c_str(), (uint32_t)evt->m_tinfo->m_cwd.size(),
-											   parinfo->m_val, (uint32_t)parinfo->m_len);
+											   parinfo->m_val, (uint32_t)parinfo->m_len, m_inspector->m_is_windows);
 				evt->m_tinfo->m_exepath = fullpath;
 			}
 		}
@@ -1801,7 +1821,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt)
 	// and shell pipe flags
 	//
 
-	auto spf = evt->m_tinfo->m_flags & (PPM_CL_PIPE_SRC | PPM_CL_PIPE_DST);
+	auto spf = evt->m_tinfo->m_flags & (PPM_CL_PIPE_SRC | PPM_CL_PIPE_DST | PPM_CL_IS_MAIN_THREAD);
 	bool inverted = ((evt->m_tinfo->m_flags & PPM_CL_CLONE_INVERTED) != 0);
 
 	evt->m_tinfo->m_flags = PPM_CL_ACTIVE;
@@ -2118,7 +2138,8 @@ void sinsp_parser::parse_open_openat_creat_exit(sinsp_evt *evt)
 	//mode = *(uint32_t*)parinfo->m_val;
 
 	char fullpath[SCAP_MAX_PATH_SIZE];
-	sinsp_utils::concatenate_paths(fullpath, SCAP_MAX_PATH_SIZE, sdir.c_str(), (uint32_t)sdir.length(), name, namelen);
+	sinsp_utils::concatenate_paths(fullpath, SCAP_MAX_PATH_SIZE, sdir.c_str(), (uint32_t)sdir.length(), 
+		name, namelen, m_inspector->m_is_windows);
 
 	if(fd >= 0)
 	{

diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -284,6 +284,13 @@ void sinsp::init()
 		m_num_cpus = 0;
 	}
 
+	//
+	// XXX
+	// This will need to be integrated in the machine info
+	//
+	scap_os_platform platform = scap_get_os_platform(m_h);
+	m_is_windows = (platform == SCAP_PFORM_WINDOWS_I386 || platform == SCAP_PFORM_WINDOWS_X64);
+
 	//
 	// Attach the protocol decoders
 	//

diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
@@ -1016,6 +1016,7 @@ VISIBILITY_PRIVATE
 	std::string m_input_filename;
 	bool m_bpf;
 	bool m_udig;
+	bool m_is_windows;
 	std::string m_bpf_probe;
 	bool m_isdebug_enabled;
 	bool m_isfatfile_enabled;

diff --git a/userspace/libsinsp/threadinfo.cpp b/userspace/libsinsp/threadinfo.cpp
@@ -787,7 +787,8 @@ void sinsp_threadinfo::set_cwd(const char* cwd, uint32_t cwdlen)
 			(char*)tinfo->m_cwd.c_str(),
 			(uint32_t)tinfo->m_cwd.size(),
 			cwd,
-			cwdlen);
+			cwdlen,
+			m_inspector->m_is_windows);
 
 		tinfo->m_cwd = tpath;
 

diff --git a/userspace/libsinsp/utils.cpp b/userspace/libsinsp/utils.cpp
@@ -717,7 +717,7 @@ void rewind_to_parent_path(char* targetbase, char** tc, const char** pc, uint32_
 //                following parent directories
 //  - path: the path to copy
 //
-void copy_and_sanitize_path(char* target, char* targetbase, const char* path)
+void copy_and_sanitize_path(char* target, char* targetbase, const char* path, char separator)
 {
 	char* tc = target;
 	const char* pc = path;
@@ -730,9 +730,9 @@ void copy_and_sanitize_path(char* target, char* targetbase, const char* path)
 			*tc = 0;
 
 			//
-			// If the path ends with a '/', remove it, as the OS does.
+			// If the path ends with a separator, remove it, as the OS does.
 			//
-			if((tc > (targetbase + 1)) && (*(tc - 1) == '/'))
+			if((tc > (targetbase + 1)) && (*(tc - 1) == separator))
 			{
 				*(tc - 1) = 0;
 			}
@@ -751,18 +751,18 @@ void copy_and_sanitize_path(char* target, char* targetbase, const char* path)
 		}
 		else
 		{
-			if(*pc == '.' && *(pc + 1) == '.' && *(pc + 2) == '/')
+			if(*pc == '.' && *(pc + 1) == '.' && *(pc + 2) == separator)
 			{
 				//
-				// '../', rewind to the previous '/'
+				// '../', rewind to the previous separator
 				//
 				rewind_to_parent_path(targetbase, &tc, &pc, 3);
 
 			}
 			else if(*pc == '.' && *(pc + 1) == '.')
 			{
 				//
-				// '..', with no '/'.
+				// '..', with no separator.
 				// This is valid if we are at the end of the string, and in that case we rewind.
 				// Otherwise it shouldn't happen and we leave the string intact
 				//
@@ -778,7 +778,7 @@ void copy_and_sanitize_path(char* target, char* targetbase, const char* path)
 					tc += 2;
 				}
 			}
-			else if(*pc == '.' && *(pc + 1) == '/')
+			else if(*pc == '.' && *(pc + 1) == separator)
 			{
 				//
 				// './', just skip it
@@ -788,7 +788,7 @@ void copy_and_sanitize_path(char* target, char* targetbase, const char* path)
 			else if(*pc == '.')
 			{
 				//
-				// '.', with no '/'.
+				// '.', with no separator.
 				// This is valid if we are at the end of the string, and in that case we rewind.
 				// Otherwise it shouldn't happen and we leave the string intact
 				//
@@ -803,12 +803,12 @@ void copy_and_sanitize_path(char* target, char* targetbase, const char* path)
 					pc++;
 				}
 			}
-			else if(*pc == '/')
+			else if(*pc == separator)
 			{
 				//
-				// '/', if the last char is already a '/', skip it
+				// separator, if the last char is already a separator, skip it
 				//
-				if(tc > targetbase && *(tc - 1) == '/')
+				if(tc > targetbase && *(tc - 1) == separator)
 				{
 					pc++;
 				}
@@ -840,25 +840,44 @@ bool sinsp_utils::concatenate_paths(char* target,
 									const char* path1,
 									uint32_t len1,
 									const char* path2,
-									uint32_t len2)
+									uint32_t len2,
+									bool windows_paths)
 {
 	if(targetlen < (len1 + len2 + 1))
 	{
 		strcpy(target, "/PATH_TOO_LONG");
 		return false;
 	}
 
-	if(len2 != 0 && path2[0] != '/')
+	if(windows_paths)
 	{
-		memcpy(target, path1, len1);
-		copy_and_sanitize_path(target + len1, target, path2);
-		return true;
+		if(len2 != 0 && path2[0] != '\\' && path2[1] != ':')
+		{
+			memcpy(target, path1, len1);
+			copy_and_sanitize_path(target + len1, target, path2, '\\');
+			return true;
+		}
+		else
+		{
+			target[0] = 0;
+			copy_and_sanitize_path(target, target, path2, '\\');
+			return false;
+		}
 	}
 	else
 	{
-		target[0] = 0;
-		copy_and_sanitize_path(target, target, path2);
-		return false;
+		if(len2 != 0 && path2[0] != '/')
+		{
+			memcpy(target, path1, len1);
+			copy_and_sanitize_path(target + len1, target, path2, '/');
+			return true;
+		}
+		else
+		{
+			target[0] = 0;
+			copy_and_sanitize_path(target, target, path2, '/');
+			return false;
+		}
 	}
 }
 

diff --git a/userspace/libsinsp/utils.h b/userspace/libsinsp/utils.h
@@ -82,8 +82,9 @@ class sinsp_utils
 	// If path2 is relative, the concatenation happens and the result is true.
 	// If path2 is absolute, the concatenation does not happen, target contains path2 and the result is false.
 	// Assumes that path1 is well formed.
+	// Supports both unix and windows paths. Use the windows_paths argument to specify which one you want.
 	//
-	static bool concatenate_paths(char* target, uint32_t targetlen, const char* path1, uint32_t len1, const char* path2, uint32_t len2);
+	static bool concatenate_paths(char* target, uint32_t targetlen, const char* path1, uint32_t len1, const char* path2, uint32_t len2, bool windows_paths);
 
 	//
 	// Determines if an IPv6 address is IPv4-mapped