Resolve falcosecurity/libs#932, use /proc/stat/ btime for boot time and /proc/1/cmdline for container start time

[happy-dude]

See #932 and #1003 (comment) for more context

Previous:

• change time of stat /proc/1 was used as boot time
• change time of stat /proc/<pid>/root/proc/1 was used as container start time

This PR:

• btime value inside /proc/stat is used as boot time
• change time of stat /proc/<pid>/root/proc/1/cmdline is used as container start time

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area libscap

Does this PR require a change in the driver versions?

No

What this PR does / why we need it:

Use the btime from /proc/stat as boot time.

Use the change time from /proc/1/cmdline to derive container start time; this is similar to how Docker does it.

Which issue(s) this PR fixes:

Fixes #932

Special notes for your reviewer:

cc @Andreagit97 and @FedeDP and @incertum

Does this PR introduce a user-facing change?:

fix: inaccurate timestamps in particular kernel configurations

[poiana]

Welcome @happy-dude! It looks like this is your first PR to falcosecurity/libs 🎉

[gnosek]

LGTM apart from one minor nit :)

[FedeDP]

Thank you for this!
And thanks for testing it on your systems!
It LGTM aside what Grzeg said!

[FedeDP]

/cc @incertum too :)

[FedeDP]

/milestone 0.11.0

[happy-dude]

I'll create a build internally with this patch and see if it fixes the incorrect-timestamp issue on all systems Falco is deployed on and validate this further 👍

[incertum]

@happy-dude thanks a lot for this patch, who would have thought, never surprised, always amazed!

Perhaps we could patch below cases as well in this PR?

diff --git a/userspace/libscap/linux/scap_procs.c b/userspace/libscap/linux/scap_procs.c
index 1b7d436e..3c872d61 100644
--- a/userspace/libscap/linux/scap_procs.c
+++ b/userspace/libscap/linux/scap_procs.c
@@ -501,11 +501,11 @@ int32_t scap_proc_fill_cgroups(char* error, int cgroup_version, struct scap_thre
 
 int32_t scap_proc_fill_pidns_start_ts(char* error, struct scap_threadinfo* tinfo, const char* procdirname)
 {
-       char filename[SCAP_MAX_PATH_SIZE];
+       char proc_cmdline_pidns[SCAP_MAX_PATH_SIZE];
        struct stat targetstat = {0};
 
-       snprintf(filename, sizeof(filename), "%sroot/proc/1", procdirname);
-       if(stat(filename, &targetstat) == 0)
+       snprintf(proc_cmdline_pidns, sizeof(proc_cmdline_pidns), "%sroot/proc/1/cmdline", procdirname);
+       if(stat(proc_cmdline_pidns, &targetstat) == 0)
        {
                tinfo->pidns_init_start_ts = targetstat.st_ctim.tv_sec * (uint64_t) 1000000000 + targetstat.st_ctim.tv_nsec;
                return SCAP_SUCCESS;
@@ -977,9 +977,11 @@ static int32_t scap_proc_add_from_proc(scap_t* handle, uint32_t tid, char* procd
                         dir_name, handle->m_lasterr);
        }
 
-       if(stat(dir_name, &dirstat) == 0)
+       char proc_cmdline[SCAP_MAX_PATH_SIZE];
+       snprintf(proc_cmdline, sizeof(proc_cmdline), "%scmdline", dir_name);
+       if(stat(proc_cmdline, &dirstat) == 0)
        {
-               tinfo->clone_ts = dirstat.st_ctim.tv_sec*1000000000 + dirstat.st_ctim.tv_nsec;
+               tinfo->clone_ts = dirstat.st_ctim.tv_sec * (uint64_t) 1000000000 + dirstat.st_ctim.tv_nsec;
        }

@gnosek and @FedeDP would you agree on adopting a consistent new approach?
Above includes a bit of a cleanup as well and extends Stanley's proposed naming convention.

[happy-dude]

I was about to note that a few test builds didn't fix the issue on my hosts 😅

BUT @incertum may have caught the missing pieces, so I'll create a build and see what it looks like from there!

[happy-dude]

An aside -- I'm not the best with git magic -- how do I give co-author credit to @incertum for her suggestions?

[happy-dude]

Unfortunate news:

The change didn't fix the timestamp on my nodes; it's possible that /proc/1/cmdline change may be insufficient in producing the right timestamp -- confirmed on both a x86-64 host and aarch64 host.

Changing this PR to (WIP) while we discuss further in the #932

[incertum]

I was about to note that a few test builds didn't fix the issue on my hosts

sad ... yes let's investigate further in the ticket and try a few options

An aside -- I'm not the best with git magic -- how do I give co-author credit to @incertum for her suggestions?

git commit -s

-> opens your editor, just add the line below above or below your signed off line or you could also append it via another git command, up to you, you can find the emails of any of us in a previous commit of the person

Co-authored-by: Melissa Kilby melissa.kilby.oss@gmail.com

[incertum]

Thank you @happy-dude also for adding the amazing comments. Pulled it and checked it. Times make sense on my end.

Perhaps @gnosek and @FedeDP you would have some other style preferences when parsing /proc/stat? Let's see.

Stanley could you test it once again on all your test servers just to be sure all issues are resolved?

[gnosek]

LGTM, except maybe the /proc/stat reading code (I left a comment, take it or leave it :))

[gnosek]

Just a note: with this implementation, the "container start time" for host processes will not be equal to the boot time but (presumably) to the time when the host init started.

I am completely fine with this (and it does make sense), just pointing this out since we spent the whole Friday discussing the subtle differences of various timestamps :)

[happy-dude]

Thanks; added a comment block in the latest commit + rebase! Please let me know if I missed anything.

#1003 (comment)

[incertum]

Agree with you @gnosek - but we can also polish this in a follow up PR.

[incertum]

@gnosek hmmm having problems with if (tinfo->vpid != tinfo->pid) to ever evaluate to true even when placing the check after those fields should have been parsed. Then also never got to else if(strstr(line, "NStgid:") == line) in scap_proc_fill_info_from_stats, so in summary yes it should be a follow up PR, something with that parser seems wonky as well!

[gnosek]

@incertum can you show me the code?

[incertum]

Just place that comparison if statement anywhere after vpid should have been populated or even add print or debug statements within that scap_proc_fill_info_from_stats parser, it never evaluated to true for me even though I was running containers etc with sleep processes. Is it working for you?

[Andreagit97]

LGTM!

[happy-dude]

Just made a fresh commit + rebase!

/userspace/libscap/scap.c:

• *boot_time = 0 at beginning of function
• drop outer strstr, don't scan line twice

/userspace/libscap/linux/scap_procs.c:

• added comment about container start time implementation
• define and use SECOND_TO_NS instead of 1000000000 for rest of file

Request: I'll make a fresh build with this PR and evaluate the change on my systems; this should help me confirm if this fixes the boot time issue.

However, can I get an assist evaluating the container-start-time change and ensuring those timestamps are correct/accurate as expected?

[incertum]

A follow up item for us, see https://github.com/falcosecurity/libs/pull/1003/files#r1149676712, but proposing to merge this first.

/approve

[poiana]

LGTM label has been added.

Git tree hash: 8a531afd35e813542b8fe75035761e30f50e5d3f

[happy-dude]

Confirming that all my test hosts (bare-metal) are reporting the right timestamps after applying this PR as a patch 👍

[Andreagit97]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, Happy-Dude, incertum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment