feat(userspace/libsinsp): improve recvmsg SCM_RIGHTS cmsg handling

Parse all control messages instead of parsing just the first one.
Leverage the new scap_get_fdinfo API to get info only from the file
in procfs associated to the file descriptor, instead of scanning each
time the entire procfs fd directory.

Signed-off-by: Leonardo Di Giovanna <[email protected]>
Co-authored-by: Roberto Scolaro <[email protected]>

userspace/libsinsp/parsers.cpp

@@ -3662,6 +3662,86 @@ void sinsp_parser::parse_fspath_related_exit(sinsp_evt *evt) {
 	}
 }
 
+#ifndef _WIN32
+
+// "No aligned" macros definitions. These macros are equivalent to the corresponding variants
+// without the "no aligned suffix" but avoid unaligned access to the underlaying data.
+extern struct cmsghdr *__cmsg_nxthdr_no_aligned(struct msghdr *__mhdr,
+                                                struct cmsghdr *__cmsg) __THROW;
+#define CMSG_NXTHDR_NO_ALIGNED(mhdr, cmsg) __cmsg_nxthdr_no_aligned(mhdr, cmsg)
+#ifdef __USE_EXTERN_INLINES
+#ifndef _EXTERN_INLINE
+#define _EXTERN_INLINE __extern_inline
+#endif
+_EXTERN_INLINE struct cmsghdr *__NTH(__cmsg_nxthdr_no_aligned(struct msghdr *__mhdr,
+                                                              struct cmsghdr *__cmsg)) {
+	size_t cmsg_len;
+	memcpy(&cmsg_len, __cmsg + offsetof(struct cmsghdr, cmsg_len), sizeof(size_t));
+	if((size_t)cmsg_len < sizeof(struct cmsghdr))
+		// The kernel header does this so there may be a reason.
+		return (struct cmsghdr *)0;
+
+	__cmsg = (struct cmsghdr *)((unsigned char *)__cmsg + CMSG_ALIGN(cmsg_len));
+	if((unsigned char *)(__cmsg + 1) >
+	           ((unsigned char *)__mhdr->msg_control + __mhdr->msg_controllen) ||
+	   ((unsigned char *)__cmsg + CMSG_ALIGN(cmsg_len) >
+	    ((unsigned char *)__mhdr->msg_control + __mhdr->msg_controllen)))
+		// No more entries.
+		return (struct cmsghdr *)0;
+	return __cmsg;
+}
+#endif  // Use `extern inline'.
+
+#if __glibc_c99_flexarr_available
+#define CMSG_DATA_NO_ALIGNED(cmsg) (cmsg + offsetof(struct cmsghdr, __cmsg_data))
+#else
+#define CMSG_DATA_NO_ALIGNED(cmsg) ((unsigned char *)((struct cmsghdr *)(cmsg) + 1))
+#endif
+
+inline void sinsp_parser::process_recvmsg_ancillary_data(sinsp_evt *evt,
+                                                         sinsp_evt_param const *parinfo) const {
+	// Create a msg header to be used with CMSG_* macros.
+	msghdr msgh;
+	msgh.msg_control = (void *)parinfo->m_val;
+	msgh.msg_controllen = parinfo->m_len;
+	// Seek for SCM_RIGHTS control message headers and extract passed file descriptors.
+	for(cmsghdr *cmsg = CMSG_FIRSTHDR(&msgh); cmsg != nullptr;
+	    cmsg = CMSG_NXTHDR_NO_ALIGNED(&msgh, cmsg)) {
+		cmsghdr c;
+		memcpy(&c, cmsg, sizeof(cmsghdr));
+		int const cmsg_type = c.cmsg_type;
+		size_t const cmsg_len = c.cmsg_len;
+		if(cmsg_type == SCM_RIGHTS) {
+			char error[SCAP_LASTERR_SIZE];
+			scap_threadinfo scap_tinfo{};
+			memset(&scap_tinfo, 0, sizeof(scap_tinfo));
+			m_inspector->m_thread_manager->thread_to_scap(*evt->get_tinfo(), &scap_tinfo);
+#define SCM_MAX_FD 253  // Taken from kernel.
+			int fds[SCM_MAX_FD];
+			unsigned long const data_size = cmsg_len - CMSG_LEN(0);
+			unsigned long const fds_len = data_size / sizeof(int);
+			// Guard against malformed event, by checking that data size is a multiple of
+			// sizeof(int) (file descriptor size) and the control message doesn't contain more data
+			// than allowed by kernel constraints.
+			if(data_size % sizeof(int) || fds_len > SCM_MAX_FD) {
+				continue;
+			}
+#undef SCM_MAX_FD
+			memcpy(&fds, CMSG_DATA_NO_ALIGNED(cmsg), data_size);
+			for(unsigned long i = 0; i < fds_len; i++) {
+				if(scap_get_fdinfo(m_inspector->get_scap_platform(), &scap_tinfo, fds[i], error) !=
+				   SCAP_SUCCESS) {
+					libsinsp_logger()->format(sinsp_logger::SEV_DEBUG,
+					                          "scap_get_fdinfo failed: %s, proc table will not be "
+					                          "updated with new fd.",
+					                          error);
+				}
+			}
+		}
+	}
+}
+#endif  // _WIN32
+
 void sinsp_parser::parse_rw_exit(sinsp_evt *evt) {
 	const sinsp_evt_param *parinfo;
 	int64_t retval;
@@ -3792,40 +3872,7 @@ void sinsp_parser::parse_rw_exit(sinsp_evt *evt) {
 
 			if(cmparam != -1) {
 				parinfo = evt->get_param(cmparam);
-				if(parinfo->m_len > sizeof(cmsghdr)) {
-					cmsghdr cmsg;
-					memcpy(&cmsg, parinfo->m_val, sizeof(cmsghdr));
-					if(cmsg.cmsg_type == SCM_RIGHTS) {
-						char error[SCAP_LASTERR_SIZE];
-						scap_threadinfo scap_tinfo{};
-
-						memset(&scap_tinfo, 0, sizeof(scap_tinfo));
-
-						m_inspector->m_thread_manager->thread_to_scap(*evt->get_tinfo(),
-						                                              &scap_tinfo);
-
-						// Store current fd; it might get changed by scap_get_fdlist below.
-						int64_t fd = -1;
-						if(evt->get_fd_info()) {
-							fd = evt->get_fd_info()->m_fd;
-						}
-
-						// Get the new fds. The callbacks we have registered populate the fd table
-						// with the new file descriptors.
-						if(scap_get_fdlist(m_inspector->get_scap_platform(), &scap_tinfo, error) !=
-						   SCAP_SUCCESS) {
-							libsinsp_logger()->format(sinsp_logger::SEV_DEBUG,
-							                          "scap_get_fdlist failed: %s, proc table will "
-							                          "not be updated with new fds.",
-							                          error);
-						}
-
-						// Force refresh event fdinfo
-						if(fd != -1) {
-							evt->set_fd_info(evt->get_tinfo()->get_fd(fd));
-						}
-					}
-				}
+				process_recvmsg_ancillary_data(evt, parinfo);
 			}
 #endif
 

userspace/libsinsp/parsers.h

@@ -134,6 +134,11 @@ class sinsp_parser {
 	inline void add_pipe(sinsp_evt* evt, int64_t fd, uint64_t ino, uint32_t openflags);
 	// Return false if the update didn't happen (for example because the tuple is NULL)
 	bool update_fd(sinsp_evt* evt, const sinsp_evt_param* parinfo);
+#ifndef _WIN32
+	// Process recvmsg ancillary data
+	inline void process_recvmsg_ancillary_data(sinsp_evt* evt,
+	                                           sinsp_evt_param const* parinfo) const;
+#endif
 
 	// Next 4 return false if the update didn't happen because the tuple is identical to the given
 	// address