fix docker watch (broken after prety-print k8s fix)

Start building standalone falco kernel modules. (draios#789)

* Start building standalone falco kernel modules.

falcosecurity/falco#215 pointed out a problem with
compatibility between latest sysdig kernel module and falco 0.5.0. The
(newer) driver had different events than falco was expecting, causing a
crash.

To fix this, I'm changing falco to package its own driver. It was
already building its own driver, but the remaining changes are to change
the device name from sysdig to falco, module falco-probe, etc.

These changes will allow for automatically building the falco-probe
kernel module on a variety of kernel platforms and running
sysdig-probe-loader (under the name falco-probe-loader) to get a module
as needed.

While doing this, merge the nearly identical
build_{falco,sysdig,sysdigcloud} functions into build_probe. It now does
the work of checking out the right code based on the PROBE_* variables,
runs make driver from the main code repository, and verifies it can be
loaded.

* Add autoconf for falco builds.

The falco builds need autoconf so add it to the set of installed yum
packages.

Parse processes tty (draios#792)

* Extract tty from /proc + kernel

* typo

* Proper include for 2.6.32

* A couple more initializations

Fixed old kernel compilation errors on the new tty feature.
sysdig-CLA-1.0-contributing-entity: Amir Rossert
sysdig-CLA-1.0-signed-off-by: John Tsai johntsai@paypal.com

Changed kernel version support, probe_kernel_read/probe_kernel_write were introduced in kernel 2.6.26
sysdig-CLA-1.0-contributing-entity: Amir Rossert
sysdig-CLA-1.0-signed-off-by: John Tsai johntsai@paypal.com

Implement probe_kernel_read() for older kernels

Fixed old kernel compilation errors on the new tty feature.

sysdig-CLA-1.0-contributing-entity: Amir Rossert
sysdig-CLA-1.0-signed-off-by: John Tsai johntsai@paypal.com

Changed kernel version support, probe_kernel_read/probe_kernel_write were introduced in kernel 2.6.26
sysdig-CLA-1.0-contributing-entity: Amir Rossert
sysdig-CLA-1.0-signed-off-by: John Tsai johntsai@paypal.com

driver/event_table.c

@@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
 	/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
-	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
+	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
+	/* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
 };

driver/ppm_events.c

@@ -208,6 +208,10 @@ inline u32 compute_snaplen(struct event_filler_arguments *args, char *buf, u32 l
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
 		if (file && file->f_inode) {
 			if (file->f_inode->i_rdev == PPM_NULL_RDEV) {
+		// Use f_dentry for older kernel versions
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,20)
+		if (file && file->f_dentry && file->f_dentry->d_inode) {
+			if (file->f_dentry->d_inode->i_rdev == PPM_NULL_RDEV) {
 #else
 		if (file && file->f_path.dentry && file->f_path.dentry->d_inode) {
 			if (file->f_path.dentry->d_inode->i_rdev == PPM_NULL_RDEV) {

driver/ppm_events_public.h

@@ -776,7 +776,9 @@ enum ppm_event_type {
 	PPME_SYSCALL_RMDIR_2_X = 279,
 	PPME_NOTIFICATION_E = 280,
 	PPME_NOTIFICATION_X = 281,
-	PPM_EVENT_MAX = 282
+	PPME_SYSCALL_EXECVE_17_E = 282,
+	PPME_SYSCALL_EXECVE_17_X = 283,
+	PPM_EVENT_MAX = 284
 };
 /*@}*/
 

driver/ppm_fillers.c

@@ -34,6 +34,8 @@ along with sysdig.  If not, see <http://www.gnu.org/licenses/>.
 #include <linux/version.h>
 #include <linux/module.h>
 #include <linux/quota.h>
+#include <linux/tty.h>
+#include <linux/uaccess.h>
 #ifdef CONFIG_CGROUPS
 #include <linux/cgroup.h>
 #endif
@@ -292,8 +294,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_DROP_X] = {f_sched_drop},
 	[PPME_SYSCALL_FCNTL_E] = {f_sched_fcntl_e},
 	[PPME_SYSCALL_FCNTL_X] = {f_sys_single_x},
-	[PPME_SYSCALL_EXECVE_16_E] = {f_sys_empty},
-	[PPME_SYSCALL_EXECVE_16_X] = {f_proc_startupdate},
+	[PPME_SYSCALL_EXECVE_17_E] = {f_sys_empty},
+	[PPME_SYSCALL_EXECVE_17_X] = {f_proc_startupdate},
 	[PPME_SYSCALL_CLONE_20_E] = {f_sys_empty},
 	[PPME_SYSCALL_CLONE_20_X] = {f_proc_startupdate},
 	[PPME_SYSCALL_BRK_4_E] = {PPM_AUTOFILL, 1, APT_REG, {{0} } },
@@ -1011,6 +1013,73 @@ static int compat_accumulate_argv_or_env(compat_uptr_t argv,
 
 #endif
 
+// probe_kernel_read() only added in kernel 2.6.26
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26)
+long probe_kernel_read(void *dst, const void *src, size_t size)
+{
+	long ret;
+	mm_segment_t old_fs = get_fs();
+
+	set_fs(KERNEL_DS);
+	pagefault_disable();
+	ret = __copy_from_user_inatomic(dst,
+									(__force const void __user *)src, size);
+	pagefault_enable();
+	set_fs(old_fs);
+
+	return ret ? -EFAULT : 0;
+}
+#endif
+
+static int ppm_get_tty(void)
+{
+	/* Locking of the signal structures seems too complicated across
+	 * multiple kernel versions to get it right, so simply do protected
+	 * memory accesses, and in the worst case we get some garbage,
+	 * which is not the end of the world. In the vast majority of accesses,
+	 * we'll be just fine.
+	 */
+	struct signal_struct *sig;
+	struct tty_struct *tty;
+	struct tty_driver *driver;
+	int major;
+	int minor_start;
+	int index;
+	int tty_nr = 0;
+
+	// probe_kernel_read() only added in kernel 2.6.26
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 26)
+	sig = current->signal;
+	if (!sig)
+		return 0;
+
+	if (unlikely(probe_kernel_read(&tty, &sig->tty, sizeof(tty))))
+		return 0;
+
+	if (!tty)
+		return 0;
+
+	if (unlikely(probe_kernel_read(&index, &tty->index, sizeof(index))))
+		return 0;
+
+	if (unlikely(probe_kernel_read(&driver, &tty->driver, sizeof(driver))))
+		return 0;
+
+	if (!driver)
+		return 0;
+
+	if (unlikely(probe_kernel_read(&major, &driver->major, sizeof(major))))
+		return 0;
+
+	if (unlikely(probe_kernel_read(&minor_start, &driver->minor_start, sizeof(minor_start))))
+		return 0;
+
+	tty_nr = new_encode_dev(MKDEV(major, minor_start) + index);
+#endif
+
+	return tty_nr;
+}
+
 static int f_proc_startupdate(struct event_filler_arguments *args)
 {
 	unsigned long val;
@@ -1035,7 +1104,7 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
 		return res;
 
 	if (unlikely(retval < 0 &&
-		     args->event_type != PPME_SYSCALL_EXECVE_16_X)) {
+		     args->event_type != PPME_SYSCALL_EXECVE_17_X)) {
 
 		/* The call failed, but this syscall has no exe, args
 		 * anyway, so I report empty ones */
@@ -1311,11 +1380,12 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
 		if (unlikely(res != PPM_SUCCESS))
 			return res;
 
-	} else if (args->event_type == PPME_SYSCALL_EXECVE_16_X) {
+	} else if (args->event_type == PPME_SYSCALL_EXECVE_17_X) {
 		/*
 		 * execve-only parameters
 		 */
 		long env_len = 0;
+		int tty_nr = 0;
 
 		if (likely(retval >= 0)) {
 			/*
@@ -1357,6 +1427,14 @@ static int f_proc_startupdate(struct event_filler_arguments *args)
 		res = val_to_ring(args, (int64_t)(long)args->str_storage, env_len, false, 0);
 		if (unlikely(res != PPM_SUCCESS))
 			return res;
+
+		/*
+		 * tty
+		 */
+		tty_nr = ppm_get_tty();
+		res = val_to_ring(args, tty_nr, 0, false, 0);
+		if (unlikely(res != PPM_SUCCESS))
+			return res;
 	}
 
 	return add_sentinel(args);

driver/syscall_table.c

@@ -52,7 +52,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_brk - SYSCALL_TABLE_ID0] =                        {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
 	[__NR_read - SYSCALL_TABLE_ID0] =                       {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
 	[__NR_write - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
-	[__NR_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
+	[__NR_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
 	[__NR_clone - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
 	[__NR_fork - SYSCALL_TABLE_ID0] =                       {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
 	[__NR_vfork - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},
@@ -838,7 +838,7 @@ const struct syscall_evt_pair g_syscall_ia32_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_ia32_brk - SYSCALL_TABLE_ID0] =                        {UF_USED | UF_ALWAYS_DROP, PPME_SYSCALL_BRK_4_E, PPME_SYSCALL_BRK_4_X},
 	[__NR_ia32_read - SYSCALL_TABLE_ID0] =                       {UF_USED, PPME_SYSCALL_READ_E, PPME_SYSCALL_READ_X},
 	[__NR_ia32_write - SYSCALL_TABLE_ID0] =                      {UF_USED, PPME_SYSCALL_WRITE_E, PPME_SYSCALL_WRITE_X},
-	[__NR_ia32_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_16_E, PPME_SYSCALL_EXECVE_16_X},
+	[__NR_ia32_execve - SYSCALL_TABLE_ID0] =                     {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_EXECVE_17_E, PPME_SYSCALL_EXECVE_17_X},
 	[__NR_ia32_clone - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_CLONE_20_E, PPME_SYSCALL_CLONE_20_X},
 	[__NR_ia32_fork - SYSCALL_TABLE_ID0] =                       {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_FORK_20_E, PPME_SYSCALL_FORK_20_X},
 	[__NR_ia32_vfork - SYSCALL_TABLE_ID0] =                      {UF_USED | UF_NEVER_DROP, PPME_SYSCALL_VFORK_20_E, PPME_SYSCALL_VFORK_20_X},

scripts/Dockerfile.ol6

@@ -5,6 +5,7 @@ RUN yum -y install \
     git \
     gcc \
     gcc-c++ \
+    autoconf \
     make \
     cmake \
     libdtrace-ctf \

scripts/Dockerfile.ol7

@@ -5,6 +5,7 @@ RUN yum -y install \
     git \
     gcc \
     gcc-c++ \
+    autoconf \
     make \
     cmake \
     libdtrace-ctf \

scripts/build-probe-binaries

@@ -29,106 +29,65 @@ if [ ! -d $BASEDIR/output ]; then
 	mkdir $BASEDIR/output
 fi
 
-function build_probe {
-	if [ "$PROBE_NAME" = "sysdig-probe" ]; then
-		build_sysdig
-	elif [ "$PROBE_NAME" = "sysdigcloud-probe" ]; then
-		build_sysdigcloud
-	else
-		exit 1
-	fi
-}
-
-function build_sysdig {
-
-	if [ ! -f $BASEDIR/output/$PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH.ko ] || [ ! -f $BASEDIR/output/$PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH_ORIG.ko ]; then
-
-		echo Building $PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH.ko [${FUNCNAME[1]}]
-
-		if [ ! -d sysdig ]; then
-			git clone git@github.com:draios/sysdig.git
-		fi
+if [ $PROBE_NAME = "sysdigcloud-probe" ]; then
+        PROBE_REPO_NAME="agent"
+else
+        PROBE_REPO_NAME=$(echo $PROBE_NAME | cut -f1 -d-)
+fi
 
-		cd sysdig
-		git checkout master
-		# The UEK builder container doesn't have git credentials
-		# It relies on the non-UEK builds doing the pull earlier
-		if [[ ! "$KERNEL_TYPE" =~ "UEK" ]]; then
-			git pull
-		fi
-		git checkout $PROBE_VERSION
-		make -C driver clean || true
-		rm -rf build || true
-		mkdir build
-		cd build
-		cmake -DCMAKE_BUILD_TYPE=Release -DSYSDIG_VERSION=$PROBE_VERSION ..
-		make driver
-		strip -g driver/$PROBE_NAME.ko
+function update_code_for {
+        repo=$1
+	if [ ! -d $repo ]; then
+                git clone git@github.com:draios/$repo.git
+	fi
 
-		KO_VERSION=$(/sbin/modinfo driver/$PROBE_NAME.ko | grep vermagic | tr -s " " | cut -d " " -f 2)
-		if [ "$KO_VERSION" != "$KERNEL_RELEASE" ]; then
-			echo "Corrupted probe, KO_VERSION " $KO_VERSION ", KERNEL_RELEASE " $KERNEL_RELEASE
-			exit 1
-		fi
+	cd $repo
+	git checkout master
+	# The UEK builder container doesn't have git credentials
+	# It relies on the non-UEK builds doing the pull earlier
+	if [[ ! "$KERNEL_TYPE" =~ "UEK" ]]; then
+	        git pull
+	fi
 
-		cp driver/$PROBE_NAME.ko $BASEDIR/output/$PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH.ko
-		cp driver/$PROBE_NAME.ko $BASEDIR/output/$PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH_ORIG.ko
+	if [ $PROBE_REPO_NAME = $repo ]; then
+	        git checkout $PROBE_VERSION
 	else
-		echo Skipping $PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH.ko \(already built\)
+	        git checkout $PROBE_REPO_NAME/$PROBE_VERSION
 	fi
 
-	cd $BASEDIR
+	# Remove everything other than the files actually belonging to
+	# the repo.
+	git clean -d -f -x
+
+	# Reset the state of the files belonging to the repo to the
+	# state associated with the tag.
+	git reset --hard
+
+	cd ..
 }
 
-function build_sysdigcloud {
+function build_probe {
 
 	if [ ! -f $BASEDIR/output/$PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH.ko ] || [ ! -f $BASEDIR/output/$PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH_ORIG.ko ]; then
 
 		echo Building $PROBE_NAME-$PROBE_VERSION-$ARCH-$KERNEL_RELEASE-$HASH.ko [${FUNCNAME[1]}]
 
-		if [ ! -d sysdig ]; then
-			git clone git@github.com:draios/sysdig.git
-		fi
-
-		if [ ! -d falco ]; then
-			git clone git@github.com:draios/falco.git
-		fi
+		update_code_for sysdig
 
-		if [ ! -d agent ]; then
-			git clone git@github.com:draios/agent.git
+		if [ $PROBE_NAME != "sysdig-probe" ]; then
+		        update_code_for falco
 		fi
 
-		cd sysdig
-		git checkout master
-		# The UEK builder container doesn't have git credentials
-		# It relies on the non-UEK builds doing the pull earlier
-		if [[ ! "$KERNEL_TYPE" =~ "UEK" ]]; then
-			git pull
+		if [ $PROBE_NAME = "sysdigcloud-probe" ]; then
+		        update_code_for agent
 		fi
-		git checkout agent/$PROBE_VERSION
-		make -C driver clean || true
-		rm -rf build || true
-		cd ..
 
-		cd falco
-		git checkout master
-		if [[ ! "$KERNEL_TYPE" =~ "UEK" ]]; then
-			git pull
-		fi
-		git checkout agent/$PROBE_VERSION
-		rm -fr build || true
-		cd ..
-
-		cd agent
-		git checkout master
-		if [[ ! "$KERNEL_TYPE" =~ "UEK" ]]; then
-			git pull
-		fi
-		git checkout $PROBE_VERSION
-		rm -rf build || true
+		cd $PROBE_REPO_NAME
 		mkdir build
 		cd build
-		cmake -DCMAKE_BUILD_TYPE=Release -DAGENT_VERSION=$PROBE_VERSION ..
+		version_name=-D$(echo $PROBE_REPO_NAME | tr [a-z] [A-Z])_VERSION
+
+		cmake -DCMAKE_BUILD_TYPE=Release $version_name=$PROBE_VERSION ..
 		make driver
 		strip -g driver/$PROBE_NAME.ko
 

scripts/sysdig-probe-loader

@@ -46,8 +46,12 @@ elif [ "$SCRIPT_NAME" = "sysdigcloud-probe-loader" ]; then
 	SYSDIG_VERSION=$(/opt/draios/bin/dragent --version)
 	PROBE_NAME="sysdigcloud-probe"
 	PACKAGE_NAME="draios-agent"
+elif [ "$SCRIPT_NAME" = "falco-probe-loader" ]; then
+	SYSDIG_VERSION=$(falco --version | cut -d' ' -f3)
+	PROBE_NAME="falco-probe"
+	PACKAGE_NAME="falco"
 else
-	echo "This script must be called as sysdig-probe-loader or sysdigcloud-probe-loader"
+	echo "This script must be called as sysdig-probe-loader, sysdigcloud-probe-loader, or falco-probe-loader"
 	exit 1
 fi
 

userspace/libscap/event_table.c

@@ -303,5 +303,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_RMDIR_2_E */{"rmdir", EC_FILE, EF_NONE, 0},
 	/* PPME_SYSCALL_RMDIR_2_X */{"rmdir", EC_FILE, EF_NONE, 2, {{"res", PT_ERRNO, PF_DEC}, {"path", PT_FSPATH, PF_NA} } },
 	/* PPME_NOTIFICATION_E */{"notification", EC_OTHER, EF_SKIPPARSERESET, 2, {{"id", PT_CHARBUF, PF_DEC}, {"desc", PT_CHARBUF, PF_NA}, } },
-	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0}
+	/* PPME_NOTIFICATION_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
+	/* PPME_SYSCALL_EXECVE_17_E */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 0},
+	/* PPME_SYSCALL_EXECVE_17_X */{"execve", EC_PROCESS, EF_MODIFIES_STATE, 17, {{"res", PT_ERRNO, PF_DEC}, {"exe", PT_CHARBUF, PF_NA}, {"args", PT_BYTEBUF, PF_NA}, {"tid", PT_PID, PF_DEC}, {"pid", PT_PID, PF_DEC}, {"ptid", PT_PID, PF_DEC}, {"cwd", PT_CHARBUF, PF_NA}, {"fdlimit", PT_UINT64, PF_DEC}, {"pgft_maj", PT_UINT64, PF_DEC}, {"pgft_min", PT_UINT64, PF_DEC}, {"vm_size", PT_UINT32, PF_DEC}, {"vm_rss", PT_UINT32, PF_DEC}, {"vm_swap", PT_UINT32, PF_DEC}, {"comm", PT_CHARBUF, PF_NA}, {"cgroups", PT_BYTEBUF, PF_NA}, {"env", PT_BYTEBUF, PF_NA}, {"tty", PT_INT32, PF_DEC} } }
 };

userspace/libscap/scap.h

@@ -220,6 +220,7 @@ typedef struct scap_threadinfo
 	int filtered_out; ///< nonzero if this entry should not be saved to file
 	scap_fdinfo* fdlist; ///< The fd table for this process
 	uint64_t clone_ts;
+	int32_t tty;
 
 	UT_hash_handle hh; ///< makes this structure hashable
 }scap_threadinfo;
@@ -888,7 +889,7 @@ int32_t scap_proc_add(scap_t* handle, uint64_t tid, scap_threadinfo* tinfo);
 int32_t scap_fd_add(scap_threadinfo* tinfo, uint64_t fd, scap_fdinfo* fdinfo);
 scap_dumper_t *scap_memory_dump_open(scap_t *handle, uint8_t* targetbuf, uint64_t targetbufsize);
 int32_t compr(uint8_t* dest, uint64_t* destlen, const uint8_t* source, uint64_t sourcelen, int level);
-uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
+uint8_t* scap_get_memorydumper_curpos(scap_dumper_t *d);
 
 #ifdef __cplusplus
 }