4 changes: 2 additions & 2 deletions driver/event_table.c
Expand Up @@ -871,13 +871,13 @@ const struct ppm_event_info g_event_info[] = {
{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
[PPME_SYSCALL_PRLIMIT_E] = {"prlimit",
EC_PROCESS | EC_SYSCALL,
EF_NONE,
EF_TMP_CONVERTER_MANAGED,
2,
{{"pid", PT_PID, PF_DEC},
{"resource", PT_ENUMFLAGS8, PF_DEC, rlimit_resources}}},
[PPME_SYSCALL_PRLIMIT_X] = {"prlimit",
EC_PROCESS | EC_SYSCALL,
EF_NONE,
EF_TMP_CONVERTER_MANAGED,
7,
{{"res", PT_ERRNO, PF_DEC},
{"newcur", PT_INT64, PF_DEC},
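--- a/test/libscap/test_suites/engines/savefile/converter.cpp
+++ b/test/libscap/test_suites/engines/savefile/converter.cpp
@@ -710,6 +710,102 @@ TEST_F(convert_event_test, PPME_SYSCALL_SETRLIMIT_X_to_4_params_with_enter) {
 create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRLIMIT_X, 4, res, cur, max, resource));
 }
 
+////////////////////////////
+// PRLIMIT
+////////////////////////////
+
+TEST_F(convert_event_test, PPME_SYSCALL_PRLIMIT_E_store) {
+constexpr uint64_t ts = 12;
+constexpr int64_t tid = 25;
+
+constexpr int64_t pid = 10;
+constexpr uint8_t resource = 20;
+
+const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_PRLIMIT_E, 2, pid, resource);
+assert_single_conversion_skip(evt);
+assert_event_storage_presence(evt);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_PRLIMIT_X_5_to_7_params_no_enter) {
+constexpr uint64_t ts = 12;
+constexpr int64_t tid = 25;
+
+constexpr int64_t res = 66;
+constexpr int64_t oldcur = 88;
+constexpr int64_t oldmax = 89;
+constexpr int64_t newcur = 90;
+constexpr int64_t newmax = 91;
+
+// Set to empty values
+constexpr auto pid = empty_value<int64_t>();
+constexpr auto resource = empty_value<uint8_t>();
+
+const std::set<uint32_t> expected_empty_param_indexes{5, 6};
+
+assert_single_conversion_success(CONVERSION_COMPLETED,
+create_safe_scap_event(ts,
+tid,
+PPME_SYSCALL_PRLIMIT_X,
+5,
+res,
+newcur,
+newmax,
+oldcur,
+oldmax),
+create_safe_scap_event(ts,
+tid,
+PPME_SYSCALL_PRLIMIT_X,
+7,
+res,
+newcur,
+newmax,
+oldcur,
+oldmax,
+pid,
+resource),
+expected_empty_param_indexes);
+}
+
+TEST_F(convert_event_test, PPME_SYSCALL_PRLIMIT_X_5_to_7_params_with_enter) {
+constexpr uint64_t ts = 12;
+constexpr int64_t tid = 25;
+
+constexpr int64_t pid = 10;
+constexpr uint8_t resource = 20;
+constexpr int64_t res = 66;
+constexpr int64_t oldcur = 88;
+constexpr int64_t oldmax = 89;
+constexpr int64_t newcur = 90;
+constexpr int64_t newmax = 91;
+
+// After the first conversion we should have the storage
+const auto evt = create_safe_scap_event(ts, tid, PPME_SYSCALL_PRLIMIT_E, 2, pid, resource);
+assert_single_conversion_skip(evt);
+assert_event_storage_presence(evt);
+
+assert_single_conversion_success(CONVERSION_COMPLETED,
+create_safe_scap_event(ts,
+tid,
+PPME_SYSCALL_PRLIMIT_X,
+5,
+res,
+newcur,
+newmax,
+oldcur,
+oldmax),
+create_safe_scap_event(ts,
+tid,
+PPME_SYSCALL_PRLIMIT_X,
+7,
+res,
+newcur,
+newmax,
+oldcur,
+oldmax,
+pid,
+resource));
+}
+
 ////////////////////////////
 // FCNTL
 ////////////////////////////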
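--- a/userspace/libscap/engine/savefile/converter/table.cpp
+++ b/userspace/libscap/engine/savefile/converter/table.cpp
@@ -91,6 +91,13 @@ const std::unordered_map<conversion_key, conversion_info> g_conversion_table = {
 {conversion_key{PPME_SYSCALL_SETRLIMIT_E, 1}, conversion_info().action(C_ACTION_STORE)},
 {conversion_key{PPME_SYSCALL_SETRLIMIT_X, 3},
 conversion_info().action(C_ACTION_ADD_PARAMS).instrs({{C_INSTR_FROM_ENTER, 0}})},
+/*====================== PRLIMIT ======================*/
+{conversion_key{PPME_SYSCALL_PRLIMIT_E, 2}, conversion_info().action(C_ACTION_STORE)},
+{conversion_key{PPME_SYSCALL_PRLIMIT_X, 5},
+conversion_info()
+.action(C_ACTION_ADD_PARAMS)
+.instrs({{C_INSTR_FROM_ENTER, 0, CIF_FALLBACK_TO_EMPTY},
+{C_INSTR_FROM_ENTER, 1, CIF_FALLBACK_TO_EMPTY}})},
 /*====================== FCNTL ======================*/
 {conversion_key{PPME_SYSCALL_FCNTL_E, 2}, conversion_info().action(C_ACTION_STORE)},
 {conversion_key{PPME_SYSCALL_FCNTL_X, 1},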
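Review bot: The two `PPME_SYSCALL_PRLIMIT_X` instructions carry `CIF_FALLBACK_TO_EMPTY`, while the `PPME_SYSCALL_SETRLIMIT_X` entry directly above uses `{C_INSTR_FROM_ENTER, 0}` with no flag, and the table gives no reason for the difference. The reason looks security-relevant for the consumer: `parse_prlimit_exit` in this same commit treats pid 0 as "the calling thread". If the unflagged behaviour is to substitute a default value (not visible on this page), a missing enter event would otherwise attribute the limit change to the wrong process. A comment on the entry would record that, for example `/* pid 0 means "caller": with no enter event the params must stay empty, never default to 0 */`.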
81 changes: 37 additions & 44 deletions userspace/libsinsp/parsers.cpp
Expand Up @@ -104,7 +104,6 @@ void sinsp_parser::process_event(sinsp_evt &evt, sinsp_parser_verdict &verdict)
case PPME_SYSCALL_LINK_E:
case PPME_SYSCALL_LINKAT_E:
case PPME_SYSCALL_RMDIR_E:
case PPME_SYSCALL_PRLIMIT_E:
case PPME_SYSCALL_UNLINK_E:
case PPME_SYSCALL_UNLINKAT_E:
case PPME_SYSCALL_EXECVE_18_E:
Expand Down Expand Up @@ -4035,67 +4034,61 @@ void sinsp_parser::parse_getrlimit_setrlimit_exit(sinsp_evt &evt) const {
}

void sinsp_parser::parse_prlimit_exit(sinsp_evt &evt) const {
int64_t retval;
sinsp_evt *enter_evt = &m_tmp_evt;
uint8_t resource;
int64_t newcur;
int64_t tid;

//
// Extract the return value
// Check if the syscall was successful
//
retval = evt.get_syscall_return_value();
if(evt.get_syscall_return_value() != 0) {
return;
}

//
// Check if the syscall was successful
// Extract the resource number
//
if(retval >= 0) {
const sinsp_evt_param *resource = evt.get_param(6);
if(resource->empty()) {
return;
}

if(resource->as<uint8_t>() == PPM_RLIMIT_NOFILE) {
//
// Load the enter event so we can access its arguments
// Extract the current value for the resource
//
if(!retrieve_enter_event(*enter_evt, evt)) {
newcur = evt.get_param(1)->as<uint64_t>();
if(newcur == -1) {
return;
}

//
// Extract the resource number
// Extract the tid and look for its process info
//
resource = enter_evt->get_param(1)->as<uint8_t>();

if(resource == PPM_RLIMIT_NOFILE) {
//
// Extract the current value for the resource
//
newcur = evt.get_param(1)->as<uint64_t>();

if(newcur != -1) {
//
// Extract the tid and look for its process info
//
tid = enter_evt->get_param(0)->as<int64_t>();

if(tid == 0) {
tid = evt.get_tid();
}
const sinsp_evt_param *tid_evt = evt.get_param(5);
if(tid_evt->empty()) {
return;
}
tid = tid_evt->as<int64_t>();
if(tid == 0) {
tid = evt.get_tid();
}

sinsp_threadinfo *ptinfo = m_thread_manager->get_thread_ref(tid, true, true).get();
/* If the thread info is invalid we cannot recover the main thread because we don't
* even have the `pid` of the thread.
*/
if(ptinfo == nullptr || ptinfo->is_invalid()) {
return;
}
sinsp_threadinfo *ptinfo = m_thread_manager->get_thread_ref(tid, true, true).get();
/* If the thread info is invalid we cannot recover the main thread because we don't
* even have the `pid` of the thread.
*/
if(ptinfo == nullptr || ptinfo->is_invalid()) {
return;
}

//
// update the process fdlimit
//
auto main_thread = ptinfo->get_main_thread();
if(main_thread == nullptr) {
return;
}
main_thread->m_fdlimit = newcur;
}
//
// update the process fdlimit
//
auto main_thread = ptinfo->get_main_thread();
if(main_thread == nullptr) {
return;
}
main_thread->m_fdlimit = newcur;
}
}

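Review bot: In the reworked `parse_prlimit_exit` (second hunk), `newcur` is an `int64_t` that is compared with `-1` and stored into `m_fdlimit`, but it is still read with `as<uint64_t>()` although `driver/event_table.c` declares `newcur` as `PT_INT64`. The check therefore works only through an implicit unsigned-to-signed conversion; reading it as `newcur = evt.get_param(1)->as<int64_t>();` matches the declared type and makes the sentinel comparison explicit. Separately, `evt.get_param(6)` and `evt.get_param(5)` are dereferenced straight away, which assumes every exit event reaching the parser already has seven parameters. Capture files are externally supplied input, so if `get_param` can return null for a short event (its contract is not visible here), a guard or a comment stating that the converter guarantees the count would help. The function body appears to lie entirely within this hunk.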
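--- a/userspace/libsinsp/test/scap_files/converter_tests.cpp
+++ b/userspace/libsinsp/test/scap_files/converter_tests.cpp
@@ -84,6 +84,7 @@ TEST_F(scap_file_test, same_number_of_events) {
 {PPME_SYSCALL_MPROTECT_E, 584}, {PPME_SYSCALL_MPROTECT_X, 584},
 {PPME_SYSCALL_UMOUNT2_E, 2}, {PPME_SYSCALL_UMOUNT2_X, 2},
 {PPME_SYSCALL_INOTIFY_INIT_E, 1}, {PPME_SYSCALL_INOTIFY_INIT_X, 1},
+{PPME_SYSCALL_PRLIMIT_E, 173}, {PPME_SYSCALL_PRLIMIT_X, 173},
 // Add further checks regarding the expected number of events in this scap file here.
 });
 
@@ -430,6 +431,49 @@ TEST_F(scap_file_test, setrlimit_x_check_final_converted_event) {
 create_safe_scap_event(ts, tid, PPME_SYSCALL_SETRLIMIT_X, 4, res, cur, max, resource));
 }
 
+////////////////////////////
+// PRLIMIT
+////////////////////////////
+
+TEST_F(scap_file_test, prlimit_x_check_final_converted_event) {
+open_filename("kexec_x86.scap");
+
+// Inside the scap-file the event `513076` is the following:
+// - type=PPME_SYSCALL_PRLIMIT_X,
+// - ts=1687889198695794034
+// - tid=107452
+// - args=res=0 newcur=-1 newmax=-1 oldcur=8388608 oldmax=-1
+//
+// And its corresponding enter event `513075` is the following:
+// - type=PPME_SYSCALL_PRLIMIT_E
+// - ts=1687889198695793141
+// - tid=107452
+// - args=pid=0 resource=3(RLIMIT_STACK)
+//
+// Let's see the new PPME_SYSCALL_PRLIMIT_X event!
+constexpr uint64_t ts = 1687889198695794034;
+constexpr int64_t tid = 107452;
+constexpr int64_t res = 0;
+constexpr int64_t newcur = -1;
+constexpr int64_t newmax = -1;
+constexpr int64_t oldcur = 8388608;
+constexpr int64_t oldmax = -1;
+constexpr int64_t pid = 0;
+constexpr uint8_t resource = 3;
+
+assert_event_presence(create_safe_scap_event(ts,
+tid,
+PPME_SYSCALL_PRLIMIT_X,
+7,
+res,
+newcur,
+newmax,
+oldcur,
+oldmax,
+pid,
+resource));
+}
+
 ////////////////////////////
 // FCNTL
 ////////////////////////////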
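Review bot: The only end-to-end PRLIMIT check added here, `prlimit_x_check_final_converted_event`, uses an event with `resource=3(RLIMIT_STACK)` and `newcur=-1`, so it never reaches the `PPM_RLIMIT_NOFILE` branch of the reworked `parse_prlimit_exit`. That branch now takes pid and resource from params 5 and 6 of the converted event and writes `m_fdlimit`, and no test on this page covers it, though one may exist elsewhere. If any of the 173 prlimit events in `kexec_x86.scap` targets RLIMIT_NOFILE, a second test asserting the resulting fd limit would cover that path; otherwise a parser test with a hand-built 7-param event would do. At minimum the test could state its scope, e.g. `// Conversion check only: RLIMIT_STACK never reaches the fdlimit update in the parser.`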