update(sinsp) handle (deleted) in userspace

Signed-off-by: Andrea Terzolo <[email protected]>

userspace/libsinsp/parsers.cpp

@@ -1289,7 +1289,7 @@ void sinsp_parser::parse_clone_exit_caller(sinsp_evt *evt, int64_t child_tid) {
 	/* Take some further info from the caller */
 	if(valid_caller) {
 		/* We should trust the info we obtain from the caller, if it is valid */
-		child_tinfo->m_exepath = caller_tinfo->m_exepath;
+		child_tinfo->set_exepath(std::string(caller_tinfo->m_exepath));
 
 		child_tinfo->m_exe_writable = caller_tinfo->m_exe_writable;
 
@@ -1604,7 +1604,7 @@ void sinsp_parser::parse_clone_exit_child(sinsp_evt *evt) {
 		 * enrichment...
 		 */
 
-		child_tinfo->m_exepath = lookup_tinfo->m_exepath;
+		child_tinfo->set_exepath(std::string(lookup_tinfo->m_exepath));
 
 		child_tinfo->m_exe_writable = lookup_tinfo->m_exe_writable;
 
@@ -2089,8 +2089,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt) {
 		 */
 
 		/* Parameter 28: trusted_exepath (type: PT_FSPATH) */
-		parinfo = evt->get_param(27);
-		evt->get_tinfo()->m_exepath = parinfo->m_val;
+		evt->get_tinfo()->set_exepath(evt->get_param(27)->as<std::string>());
 	} else {
 		/* ONLY VALID FOR OLD SCAP-FILES:
 		 * In older event versions we can only rely on our userspace reconstruction
@@ -2191,7 +2190,7 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt) {
 					fullpath = sinsp_utils::concatenate_paths(sdir, pathname);
 				}
 			}
-			evt->get_tinfo()->m_exepath = fullpath;
+			evt->get_tinfo()->set_exepath(std::move(fullpath));
 		}
 	}
 

userspace/libsinsp/test/classes/sinsp_threadinfo.cpp

@@ -128,3 +128,58 @@ TEST_F(sinsp_with_test_input, THRD_INFO_assign_children_to_a_nullptr) {
 	ASSERT_THREAD_CHILDREN(p2_t1_tid, 0, 0);
 	ASSERT_THREAD_INFO_PIDS(p3_t1_tid, p3_t1_pid, 0);
 }
+
+TEST(sinsp_threadinfo, set_exepath) {
+	auto tinfo = std::make_shared<sinsp_threadinfo>();
+
+	{
+		// Nothing changes
+		std::string path = "no_suffix (del)";
+		size_t before_len = path.size();
+		tinfo->set_exepath(std::move(path));
+		ASSERT_EQ(tinfo->get_exepath().size(), before_len);
+	}
+
+	{
+		// Truncate it
+		std::string path = "no_suffix (deleted)";
+		size_t before_len = path.size();
+		tinfo->set_exepath(std::move(path));
+		ASSERT_NE(tinfo->get_exepath().size(), before_len);
+		ASSERT_EQ(tinfo->get_exepath(), "no_suffix");
+	}
+
+	{
+		// Nothing changes (this is not possible from the kernel)
+		std::string path = "no_suffix(deleted)";
+		size_t before_len = path.size();
+		tinfo->set_exepath(std::move(path));
+		ASSERT_EQ(tinfo->get_exepath().size(), before_len);
+	}
+
+	{
+		// Nothing changes (this is not possible from the kernel)
+		std::string path = "(deleted)";
+		size_t before_len = path.size();
+		tinfo->set_exepath(std::move(path));
+		ASSERT_EQ(tinfo->get_exepath().size(), before_len);
+	}
+
+	{
+		// Nothing changes (this is not possible from the kernel)
+		std::string path = " (deleted)";
+		size_t before_len = path.size();
+		tinfo->set_exepath(std::move(path));
+		ASSERT_EQ(tinfo->get_exepath().size(), before_len);
+	}
+
+	{
+		// Truncate it, please note that a double space from the kernel is not possible but here we
+		// just want to test it.
+		std::string path = "a  (deleted)";
+		size_t before_len = path.size();
+		tinfo->set_exepath(std::move(path));
+		ASSERT_NE(tinfo->get_exepath().size(), before_len);
+		ASSERT_EQ(tinfo->get_exepath(), "a ");
+	}
+}

userspace/libsinsp/test/filterchecks/proc.cpp

@@ -67,14 +67,16 @@ TEST_F(sinsp_with_test_input, PROC_FILTER_exepath) {
 	DEFAULT_TREE
 
 	/* Now we call an execve on p6_t1 */
-	auto evt = generate_execve_enter_and_exit_event(0,
-	                                                p6_t1_tid,
-	                                                p6_t1_tid,
-	                                                p6_t1_pid,
-	                                                p6_t1_ptid,
-	                                                "/good-exe",
-	                                                "good-exe",
-	                                                "/usr/bin/bad-exe");
+	auto evt =
+	        generate_execve_enter_and_exit_event(0,
+	                                             p6_t1_tid,
+	                                             p6_t1_tid,
+	                                             p6_t1_pid,
+	                                             p6_t1_ptid,
+	                                             "/good-exe",
+	                                             "good-exe",
+	                                             // Please note that the `deleted` will be removed.
+	                                             "/usr/bin/bad-exe (deleted)");
 
 	ASSERT_EQ(get_field_as_string(evt, "proc.exepath"), "/usr/bin/bad-exe");
 	ASSERT_EQ(get_field_as_string(evt, "proc.name"), "good-exe");

userspace/libsinsp/threadinfo.cpp

@@ -454,7 +454,7 @@ void sinsp_threadinfo::init(scap_threadinfo* pi) {
 	m_comm = pi->comm;
 	m_exe = pi->exe;
 	/* The exepath is extracted from `/proc/pid/exe`. */
-	m_exepath = pi->exepath;
+	set_exepath(std::string(pi->exepath));
 	m_exe_writable = pi->exe_writable;
 	m_exe_upper_layer = pi->exe_upper_layer;
 	m_exe_lower_layer = pi->exe_lower_layer;
@@ -1248,6 +1248,17 @@ void sinsp_threadinfo::update_main_fdtable() {
 	}
 }
 
+void sinsp_threadinfo::set_exepath(std::string&& exepath) {
+	constexpr char suffix[] = " (deleted)";
+	constexpr size_t suffix_len = sizeof(suffix) - 1;  // Exclude null terminator
+
+	m_exepath = exepath;
+	if(m_exepath.size() > suffix_len &&
+	   m_exepath.compare(m_exepath.size() - suffix_len, suffix_len, suffix) == 0) {
+		m_exepath.resize(m_exepath.size() - suffix_len);
+	}
+}
+
 static void fd_to_scap(scap_fdinfo* dst, sinsp_fdinfo* src) {
 	dst->type = src->m_type;
 	dst->ino = src->m_ino;

userspace/libsinsp/threadinfo.h

@@ -634,6 +634,8 @@ class SINSP_PUBLIC sinsp_threadinfo : public libsinsp::state::table_entry {
 
 	void update_main_fdtable();
 
+	void set_exepath(std::string&& exepath);
+
 private:
 	sinsp_threadinfo* get_cwd_root();
 	bool set_env_from_proc();