Add the exit status code to the analysis output for commands executed by scripts.
This ability can help find places where the sandbox can be improved, or be used to identify whether a command being executed succeeded or failed.
The strace output generated by gVisor can be parsed to pair execve syscalls with exit or exit_group syscalls to extract the exit status of the executed binary.
For example, below is a sample of gVisor strace output showing syscall exits. Note PID 3, where TIDs 4 and 7 exit explicitly (exit) and the entire thread group then exits as well (exit_group):
I0303 03:30:37.681359 206 strace.go:629] [ 3: 3] analyze.js X execve(0x7f782e606b40 /usr/local/bin/node ...
...
I0303 03:32:19.471116 206 strace.go:623] [ 3: 4] node X exit(0x0) = 0 (0x0) (1.336µs)
I0303 03:32:19.471135 206 strace.go:623] [ 3: 7] node X exit(0x0) = 0 (0x0) (1.413µs)
...
I0303 03:32:19.476033 206 strace.go:623] [ 3: 3] node X exit_group(0x0) = 0 (0x0) (15.45µs)
The exit code is included as the strace arg to the syscall. For example, below the exit code is 0x7f or 127:
I0303 03:32:04.019615 206 strace.go:623] [ 83: 83] ld-linux-x86-64 X exit_group(0x7f) = 0 (0x0) (1.823µs)
It is worth remembering that on Linux a process will first clone or fork itself and then call execve to hand execution over to the new binary, so the execve and the later exit or exit_group are logged under the same PID. The PID and TID can be parsed from the square brackets before the name (e.g. [ 3: 7] corresponds to a PID of 3 and a TID of 7).
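One way to do the pairing described above, as an added sketch that is not code from the project: `PairExits`, `Result` and `sampleLog` are hypothetical names, and the PID 83 execve line and its path are constructed. It assumes every logged execve succeeded and treats an exit by the thread-group leader as a process exit.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample in the line format shown above; the PID 83 execve line is invented.
const sampleLog = `I0303 03:30:37.681359 206 strace.go:629] [ 3: 3] analyze.js X execve(0x7f782e606b40 /usr/local/bin/node ...
I0303 03:32:03.900000 206 strace.go:629] [ 83: 83] sh X execve(0x7f0000001000 /usr/bin/example-tool ...
I0303 03:32:04.019615 206 strace.go:623] [ 83: 83] ld-linux-x86-64 X exit_group(0x7f) = 0 (0x0) (1.823µs)
I0303 03:32:19.471116 206 strace.go:623] [ 3: 4] node X exit(0x0) = 0 (0x0) (1.336µs)
I0303 03:32:19.476033 206 strace.go:623] [ 3: 3] node X exit_group(0x0) = 0 (0x0) (15.45µs)`

// lineRE captures PID, TID, syscall name, the first (hex) argument and the next token.
var lineRE = regexp.MustCompile(`\[\s*(\d+):\s*(\d+)\] \S+ X (execve|exit_group|exit)\((0x[0-9a-f]+)\)? ?(\S*)`)

// Result is one executed binary and the status its process exited with.
type Result struct {
	PID, Status int
	Binary      string
}

// PairExits pairs each execve with the next process-level exit for the same PID.
func PairExits(log string) []Result {
	binaries := map[int]string{} // PID -> path from its most recent execve
	var out []Result
	for _, m := range lineRE.FindAllStringSubmatch(log, -1) {
		pid, _ := strconv.Atoi(m[1])
		if m[3] == "execve" {
			binaries[pid] = m[5]
			continue
		}
		bin, seen := binaries[pid]
		code, err := strconv.ParseInt(m[4], 0, 64)
		// exit() from a non-leader thread (TID != PID) ends only that thread; skip it.
		if !seen || err != nil || (m[3] == "exit" && m[1] != m[2]) {
			continue
		}
		out = append(out, Result{PID: pid, Status: int(code & 0xff), Binary: bin})
		delete(binaries, pid)
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", PairExits(sampleLog))
}
```

Exits for a PID with no recorded execve are dropped, so processes that fork without exec do not appear in the result.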