* Whitespace changes. Checking in separate from other changes.

* Change glob matching to allow path separators.

Change glob matching to allow *, ? to match the path separator /. This allows for matching /proc/* as anything starting with /proc instead of having to match all path components.

* Add ability to detect/show privileged status.

In sinsp_container_manager::parse_docker(), parse the Privileged field out of the json output and use it to set the instance variable m_privileged. Modify container_to_json/parse_container_json_evt to dump/read the privileged status from .scap files.

New filtercheck container.privileged returns the privileged status as a boolean. Although other container types support the notion of privileged, I only support this filtercheck for docker containers. For non-docker containers, container.privileged returns NULL.

Write privileged to/from scap files.

* Add ability to display container mount info.

In sinsp_container_manager::parse_docker(), parse the Mounts field into a vector of class container_mount_info objects. Modify container_to_json/parse_container_json_evt to dump/read the mount information from .scap files.

New filtercheck container.mounts displays the mount information as a comma-separated list of mount tuples <source>:<dest>:<mode>:<rdwr>:<propagation>, for example:

mounts=/tmp:/foo/tmp::true::,/var/lib/docker/volumes/51c63c9efcd052551dd4898736dffb2692acbf6afd8d3f4d2f0cb89a7f8ace4a/_data:/data::true:rprivate:

Note how empty values for mode/propagation turn into empty strings.

This output is pretty awkward and verbose, so there are additional filterchecks that allow you to select any given attribute from a single mount. New filterchecks container.mount.{source,dest,mode,rdwr,propagation} allow selecting any of the mount information indexed either by mount id "container.mount.mode[0]" or mount source "container.mount.mode[/var/log]". container.mount.source is different in that it's indexed by the mount destination instead of the mount source.

When selecting a mount by source/dest pathname, you can provide a glob match instead (e.g. container.mount.mode[/var/log/*]). In this case, the first matching mount is returned.

You can also use this indexing to return all the mount information for a single mount. New filtercheck container.mount returns the tuple information for a single mount, indexed by number (container.mount[0]) or source path/glob (container.mount[/var/log]). This can also be used to test if a mount exists, like container.mount[/proc/*] to detect containers that mount /proc or other sensitive directories.

Write mounts to/from .scap files.
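The commit message describes two pieces of behaviour: a glob matcher in which `*` and `?` are allowed to match the path separator `/`, and the `container.mounts` / `container.mount[...]` filterchecks that render or select mount tuples by index or by source-path glob. The following is an added illustration written for this page, not libsinsp's own code; `MountInfo`, `glob_match`, `find_mount`, `mount_field` and the sample mounts (including the `<volume-id>` placeholder) are constructed assumptions that model the semantics the commit message states, and the trailing `:` after each tuple reproduces the sample output shown above.

```cpp
#include <string>
#include <vector>
#include <cstddef>

// Assumed data model (not libsinsp's container_mount_info): one mount as
// parsed from the docker "Mounts" field.
struct MountInfo {
    std::string source;
    std::string dest;
    std::string mode;
    bool rdwr;
    std::string propagation;
};

// Glob match in which '*' and '?' also match the path separator '/', so
// "/proc/*" matches "/proc/sys/kernel" as well as "/proc/cpuinfo".
// Iterative matcher with a single '*' backtrack point.
bool glob_match(const std::string& pattern, const std::string& text) {
    size_t p = 0, t = 0;
    size_t star_p = std::string::npos, star_t = 0;
    while (t < text.size()) {
        if (p < pattern.size() && (pattern[p] == '?' || pattern[p] == text[t])) {
            ++p; ++t;                       // literal or single-char wildcard
        } else if (p < pattern.size() && pattern[p] == '*') {
            star_p = p++;                   // remember the star, try matching nothing
            star_t = t;
        } else if (star_p != std::string::npos) {
            p = star_p + 1;                 // backtrack: let the star eat one more char
            t = ++star_t;
        } else {
            return false;
        }
    }
    while (p < pattern.size() && pattern[p] == '*') ++p;   // trailing stars match empty
    return p == pattern.size();
}

// Render one mount as <source>:<dest>:<mode>:<rdwr>:<propagation>: with
// empty fields as empty strings, as in the sample output above.
std::string mount_to_tuple(const MountInfo& m) {
    return m.source + ":" + m.dest + ":" + m.mode + ":" +
           (m.rdwr ? "true" : "false") + ":" + m.propagation + ":";
}

// container.mounts: comma-separated list of every mount tuple.
std::string mounts_to_string(const std::vector<MountInfo>& mounts) {
    std::string out;
    for (size_t i = 0; i < mounts.size(); ++i) {
        if (i) out += ",";
        out += mount_to_tuple(mounts[i]);
    }
    return out;
}

// Resolve a container.mount[...] argument: an all-digit argument is a mount
// number, anything else is a glob matched against the mount source and the
// first matching mount wins. nullptr models the NULL the filtercheck returns.
const MountInfo* find_mount(const std::vector<MountInfo>& mounts, const std::string& arg) {
    if (!arg.empty() && arg.find_first_not_of("0123456789") == std::string::npos) {
        size_t idx = std::stoul(arg);
        return idx < mounts.size() ? &mounts[idx] : nullptr;
    }
    for (const MountInfo& m : mounts) {
        if (glob_match(arg, m.source)) return &m;
    }
    return nullptr;
}

// container.mount.<field>[arg]: one attribute of one mount. "<NA>" stands in
// for the NULL the real filtercheck yields when nothing matches.
std::string mount_field(const std::vector<MountInfo>& mounts,
                        const std::string& arg, const std::string& field) {
    const MountInfo* m = find_mount(mounts, arg);
    if (!m) return "<NA>";
    if (field == "source") return m->source;
    if (field == "dest") return m->dest;
    if (field == "mode") return m->mode;
    if (field == "rdwr") return m->rdwr ? "true" : "false";
    if (field == "propagation") return m->propagation;
    return "<NA>";
}

// Constructed sample: the two mounts from the commit message (volume hash
// replaced by a placeholder) plus a read-only bind of /proc/sys.
std::vector<MountInfo> sample_mounts() {
    return {
        {"/tmp", "/foo/tmp", "", true, ""},
        {"/var/lib/docker/volumes/<volume-id>/_data", "/data", "", true, "rprivate"},
        {"/proc/sys", "/host/proc/sys", "ro", false, "rprivate"},
    };
}

// The detection case from the commit message: container.mount[/proc/*] is
// non-NULL when some mount source lies under /proc.
bool mounts_proc(const std::vector<MountInfo>& mounts) {
    return find_mount(mounts, "/proc/*") != nullptr;
}
```

Because `*` may cross `/`, a single rule such as `container.mount[/proc/*]` covers every depth under `/proc`; with conventional fnmatch semantics the same intent would need one pattern per path component.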