Add proc.pcmdline. (#721)

Add proc.pcmdline, which returns the commandline of the parent process. This is useful for some cases like detecting ansible environments when you want to see the parent command line (in this case, ansible's use of python) to tell the difference between python and python-run-by-ansible.
draios · Jan 19, 2017 · 0f6abff · 0f6abff
1 parent 8b2198f
commit 0f6abff
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 43 deletions.
diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -1302,6 +1302,7 @@ const filtercheck_field_info sinsp_filter_check_thread_fields[] =
 	{PT_UINT32, EPF_NONE, PF_DEC, "proc.nchilds", "the number of child threads that the process generating the event currently has. This excludes the main process thread."},
 	{PT_INT64, EPF_NONE, PF_ID, "proc.ppid", "the pid of the parent of the process generating the event."},
 	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pname", "the name (excluding the path) of the parent of the process generating the event."},
+	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pcmdline", "the full command line (proc.name + proc.args) of the parent of the process generating the event."},
 	{PT_INT64, EPF_NONE, PF_ID, "proc.apid", "the pid of one of the process ancestors. E.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process. proc.apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234."},
 	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aname", "the name (excluding the path) of one of the process ancestors. E.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash."},
 	{PT_INT64, EPF_NONE, PF_ID, "proc.loginshellid", "the pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions, and is useful in conjunction with chisels like spy_user."},
@@ -1567,6 +1568,23 @@ uint8_t* sinsp_filter_check_thread::extract_thread_cpu(sinsp_evt *evt, sinsp_thr
 	return NULL;
 }
 
+static void populate_cmdline(string &cmdline, sinsp_threadinfo *tinfo)
+{
+	cmdline = tinfo->get_comm() + " ";
+
+	uint32_t j;
+	uint32_t nargs = (uint32_t)tinfo->m_args.size();
+
+	for(j = 0; j < nargs; j++)
+	{
+		cmdline += tinfo->m_args[j];
+		if(j < nargs -1)
+		{
+			cmdline += ' ';
+		}
+	}
+}
+
 uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, bool sanitize_strings)
 {
 	sinsp_threadinfo* tinfo = evt->get_thread_info();
@@ -1674,20 +1692,7 @@ uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, b
 		}
 	case TYPE_CMDLINE:
 		{
-			m_tstr = tinfo->get_comm() + " ";
-
-			uint32_t j;
-			uint32_t nargs = (uint32_t)tinfo->m_args.size();
-
-			for(j = 0; j < nargs; j++)
-			{
-				m_tstr += tinfo->m_args[j];
-				if(j < nargs -1)
-				{
-					m_tstr += ' ';
-				}
-			}
-
+			populate_cmdline(m_tstr, tinfo);
 			*len = m_tstr.size();
 			return (uint8_t*)m_tstr.c_str();
 		}
@@ -1802,6 +1807,22 @@ uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, b
 				return NULL;
 			}
 		}
+	case TYPE_PCMDLINE:
+		{
+			sinsp_threadinfo* ptinfo =
+				m_inspector->get_thread(tinfo->m_ptid, false, true);
+
+			if(ptinfo != NULL)
+			{
+				populate_cmdline(m_tstr, ptinfo);
+				*len = m_tstr.size();
+				return (uint8_t*)m_tstr.c_str();
+			}
+			else
+			{
+				return NULL;
+			}
+		}
 	case TYPE_APID:
 		{
 			sinsp_threadinfo* mt = NULL;

diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
@@ -340,35 +340,36 @@ class sinsp_filter_check_thread : public sinsp_filter_check
 		TYPE_NCHILDS = 9,
 		TYPE_PPID = 10,
 		TYPE_PNAME = 11,
-		TYPE_APID = 12,
-		TYPE_ANAME = 13,
-		TYPE_LOGINSHELLID = 14,
-		TYPE_DURATION = 15,
-		TYPE_FDOPENCOUNT = 16,
-		TYPE_FDLIMIT = 17,
-		TYPE_FDUSAGE = 18,
-		TYPE_VMSIZE = 19,
-		TYPE_VMRSS = 20,
-		TYPE_VMSWAP = 21,
-		TYPE_PFMAJOR = 22,
-		TYPE_PFMINOR = 23,
-		TYPE_TID = 24,
-		TYPE_ISMAINTHREAD = 25,
-		TYPE_EXECTIME = 26,
-		TYPE_TOTEXECTIME = 27,
-		TYPE_CGROUPS = 28,
-		TYPE_CGROUP = 29,
-		TYPE_VTID = 30,
-		TYPE_VPID = 31,
-		TYPE_THREAD_CPU = 32,
-		TYPE_THREAD_CPU_USER = 33,
-		TYPE_THREAD_CPU_SYSTEM = 34,
-		TYPE_THREAD_VMSIZE = 35,
-		TYPE_THREAD_VMRSS = 36,
-		TYPE_THREAD_VMSIZE_B = 37,
-		TYPE_THREAD_VMRSS_B = 38,
-		TYPE_SID = 39,
-		TYPE_SNAME = 40,
+		TYPE_PCMDLINE = 12,
+		TYPE_APID = 13,
+		TYPE_ANAME = 14,
+		TYPE_LOGINSHELLID = 15,
+		TYPE_DURATION = 16,
+		TYPE_FDOPENCOUNT = 17,
+		TYPE_FDLIMIT = 18,
+		TYPE_FDUSAGE = 19,
+		TYPE_VMSIZE = 20,
+		TYPE_VMRSS = 21,
+		TYPE_VMSWAP = 22,
+		TYPE_PFMAJOR = 23,
+		TYPE_PFMINOR = 24,
+		TYPE_TID = 25,
+		TYPE_ISMAINTHREAD = 26,
+		TYPE_EXECTIME = 27,
+		TYPE_TOTEXECTIME = 28,
+		TYPE_CGROUPS = 29,
+		TYPE_CGROUP = 30,
+		TYPE_VTID = 31,
+		TYPE_VPID = 32,
+		TYPE_THREAD_CPU = 33,
+		TYPE_THREAD_CPU_USER = 34,
+		TYPE_THREAD_CPU_SYSTEM = 35,
+		TYPE_THREAD_VMSIZE = 36,
+		TYPE_THREAD_VMRSS = 37,
+		TYPE_THREAD_VMSIZE_B = 38,
+		TYPE_THREAD_VMRSS_B = 39,
+		TYPE_SID = 40,
+		TYPE_SNAME = 41,
 	};
 
 	sinsp_filter_check_thread();