
feat(process-tracker): include arguments in process info
MatteoNardi committed Oct 6, 2022
1 parent ac4a56e commit c39136b
Showing 4 changed files with 42 additions and 14 deletions.
1 change: 1 addition & 0 deletions modules/process-monitor/src/filtering/initializer.rs
Expand Up @@ -60,6 +60,7 @@ pub(crate) async fn setup_events_filter(
pid: process.pid,
image: process.image.to_string(),
timestamp: Timestamp::from(0),
argv: Vec::new(),
});
}

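Review bot: Every process that already exists when the module starts is seeded with `argv: Vec::new()`, so for the whole lifetime of those processes consumers will see an empty argument list that is indistinguishable from a process exec'd with no arguments — a blind spot for any rule that keys on command-line arguments, and the long-lived daemons are precisely the ones it hides. If `process` here comes from a /proc scan, `/proc/<pid>/cmdline` is available at the same point and could populate argv; if it is not available, the gap deserves a comment on the field such as `// argv is not captured for processes that pre-date the monitor; an empty list means "unknown", not "no arguments"`. setup_events_filter begins outside the hunk, so I cannot see where `process` originates.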
26 changes: 19 additions & 7 deletions modules/process-monitor/src/lib.rs
Expand Up @@ -115,13 +115,25 @@ pub mod pulsar {
},
ProcessEvent::Exec {
ref filename,
argc: _,
argv: _,
} => TrackerUpdate::Exec {
pid: event.pid,
image: filename.to_string(),
timestamp: event.timestamp,
},
argc,
ref argv,
} => {
let argv = extract_parameters(argv);
if argv.len() != argc as usize {
log::warn!(
"argc ({}) doens't match argv ({:?}) for {}",
argc,
argv,
event.pid
)
}
TrackerUpdate::Exec {
pid: event.pid,
image: filename.to_string(),
timestamp: event.timestamp,
argv,
}
}
ProcessEvent::Exit { .. } => TrackerUpdate::Exit {
pid: event.pid,
timestamp: event.timestamp,
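Review bot: When `argv.len() != argc as usize` the new arm only emits a warning and then stores the possibly incomplete argv in `TrackerUpdate::Exec` unchanged, so a detection rule reading ProcessInfo cannot tell a complete argument list from one that was cut short — and if the mismatch can arise from a bounded probe-side buffer (inferred, not visible here), an unusually long command line is exactly what an evasive process would present. Consider carrying the discrepancy to the consumer, e.g. a `truncated: bool` on the Exec update, or at least make the message say so while fixing the typo: `"argc ({}) doesn't match extracted argv ({:?}) for {}; argument list may be truncated"`. `argc as usize` also wraps silently if argc is a signed type; `usize::try_from(argc)` would make a negative count fail the comparison instead of masking it. extract_parameters is not in this diff, so I cannot judge whether it already drops malformed entries.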
1 change: 1 addition & 0 deletions pulsar-core/src/pdk/module.rs
Expand Up @@ -188,6 +188,7 @@ impl ModuleSender {
image,
ppid,
fork_time,
argv: _,
}) => {
header.image = image;
header.parent = ppid.as_raw();
28 changes: 21 additions & 7 deletions pulsar-core/src/pdk/process_tracker.rs
Expand Up @@ -35,6 +35,7 @@ pub enum TrackerUpdate {
pid: Pid,
timestamp: Timestamp,
image: String,
argv: Vec<String>,
},
Exit {
pid: Pid,
Expand Down Expand Up @@ -63,6 +64,7 @@ pub struct ProcessInfo {
pub image: String,
pub ppid: Pid,
pub fork_time: Timestamp,
pub argv: Vec<String>,
}

impl ProcessTrackerHandle {
Expand Down Expand Up @@ -108,6 +110,7 @@ struct ProcessData {
Timestamp, // exec event timestamp
String, // new image name
>,
argv: Vec<String>,
}

/// Cleanup timeout in nanoseconds. This is how long an exited process
Expand All @@ -130,6 +133,7 @@ impl ProcessTracker {
exit_time: None,
original_image: "kernel".to_string(),
exec_changes: BTreeMap::new(),
argv: Vec::new(),
},
);
Self {
Expand Down Expand Up @@ -189,7 +193,7 @@ impl ProcessTracker {
}
}

fn handle_update(&mut self, update: TrackerUpdate) {
fn handle_update(&mut self, mut update: TrackerUpdate) {
match update {
TrackerUpdate::Fork {
pid,
Expand All @@ -204,6 +208,7 @@ impl ProcessTracker {
exit_time: None,
original_image: self.get_image(ppid, timestamp),
exec_changes: BTreeMap::new(),
argv: Vec::new(),
},
);
if let Some(pending_updates) = self.pending_updates.remove(&pid) {
Expand All @@ -215,10 +220,12 @@ impl ProcessTracker {
TrackerUpdate::Exec {
pid,
timestamp,
ref image,
ref mut image,
ref mut argv,
} => {
if let Some(p) = self.data.get_mut(&pid) {
p.exec_changes.insert(timestamp, image.to_string());
p.exec_changes.insert(timestamp, std::mem::take(image));
p.argv = std::mem::take(argv)
} else {
// if exec arrived before the fork, we save the event as pending
log::debug!("(exec) Process {pid} not found in process tree, saving for later");
Expand Down Expand Up @@ -259,6 +266,7 @@ impl ProcessTracker {
image: self.get_image(pid, ts),
ppid: process.ppid,
fork_time: process.fork_time,
argv: process.argv.clone(),
})
}

Expand Down Expand Up @@ -360,6 +368,7 @@ mod tests {
pid: PID_2,
image: "/bin/after_exec".to_string(),
timestamp: 15.into(),
argv: Vec::new(),
});
process_tracker.update(TrackerUpdate::Exit {
pid: PID_2,
Expand All @@ -375,15 +384,17 @@ mod tests {
ProcessInfo {
image: String::new(),
ppid: PID_1,
fork_time: 10.into()
fork_time: 10.into(),
argv: Vec::new(),
}
);
assert_eq!(
process_tracker.get(PID_2, 15.into()).await.unwrap(),
ProcessInfo {
image: "/bin/after_exec".to_string(),
ppid: PID_1,
fork_time: 10.into()
fork_time: 10.into(),
argv: Vec::new(),
}
);
assert_eq!(
Expand All @@ -406,6 +417,7 @@ mod tests {
pid: PID_2,
image: "/bin/after_exec".to_string(),
timestamp: 15.into(),
argv: Vec::new(),
});
process_tracker.update(TrackerUpdate::Fork {
ppid: PID_1,
Expand All @@ -421,15 +433,17 @@ mod tests {
Ok(ProcessInfo {
image: "".to_string(),
ppid: PID_1,
fork_time: 10.into()
fork_time: 10.into(),
argv: Vec::new(),
})
);
assert_eq!(
process_tracker.get(PID_2, 17.into()).await,
Ok(ProcessInfo {
image: "/bin/after_exec".to_string(),
ppid: PID_1,
fork_time: 10.into()
fork_time: 10.into(),
argv: Vec::new(),
})
);
time::sleep(time::Duration::from_millis(1)).await;
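Review bot: argv is kept as a single field on ProcessData and overwritten on every exec (`p.argv = std::mem::take(argv)`), while the image is versioned per timestamp in `exec_changes`, so `get(pid, ts)` returns `self.get_image(pid, ts)` paired with `process.argv.clone()` — for a process that has exec'd more than once, an event timestamped before the latest exec is attributed the arguments of a later program. The Fork arm has the mirror problem: the child inherits the parent's image via `get_image(ppid, timestamp)` but gets `argv: Vec::new()`, although a forked child that has not yet exec'd is still running with its parent's arguments. Both go away if argv is versioned exactly like the image — record `(image, argv)` per exec timestamp, keep an inherited `original_argv` beside `original_image`, and resolve through a `get_argv` that mirrors `get_image`; `get_image` itself is outside the hunk and would need the matching tuple destructuring. The tests in this hunk only ever pass `argv: Vec::new()`, so a case with two execs carrying different non-empty argv would pin the intended behaviour.
```rust
struct ProcessData {
    // … unchanged: ppid, fork_time, exit_time, original_image …
    /// Exec events keyed by timestamp: (new image name, argv seen at that exec).
    exec_changes: BTreeMap<Timestamp, (String, Vec<String>)>,
    /// argv inherited from the parent at fork; in force until the first exec.
    original_argv: Vec<String>,
}

// … unchanged: handle_update Fork arm, except the inherited argv …
            original_argv: self.get_argv(ppid, timestamp),

// … unchanged: handle_update Exec arm, except the versioned insert …
            p.exec_changes
                .insert(timestamp, (std::mem::take(image), std::mem::take(argv)));

/// argv in effect for `pid` at `ts`: the latest exec at or before `ts`,
/// otherwise what the process inherited at fork. Mirrors get_image.
fn get_argv(&self, pid: Pid, ts: Timestamp) -> Vec<String> {
    match self.data.get(&pid) {
        Some(p) => p
            .exec_changes
            .range(..=ts)
            .next_back()
            .map(|(_, (_, argv))| argv.clone())
            .unwrap_or_else(|| p.original_argv.clone()),
        None => Vec::new(),
    }
}

// … unchanged: get(), except argv resolved at the queried timestamp …
            argv: self.get_argv(pid, ts),
```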
