fillers for chmod syscalls

[fntlnz]

I'm doing the fillers for chmod syscalls

• fchmodat
• fchmodat bpf
• chmod
• chmod bpf
• fchmod
• fchmod bpf

Todo checks before merge:

• test on ia32
• check the scap file

To be able to turn this:

sudo ./userspace/sysdig/sysdig  evt.type=fchmodat  -p" %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info"
 4155 16:43:11.118737167 1 chmod (6992) > fchmodat
 4156 16:43:11.118764695 1 chmod (6992) < fchmodat

To this:

sudo ./userspace/sysdig/sysdig  evt.type=fchmodat  -p" %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info"
 19492 16:37:31.888889616 0 chmod (6013) > fchmodat
 19493 16:37:31.888914324 0 chmod (6013) < fchmodat res=0 dirfd=-100(AT_FDCWD) filename=ciao(/home/ubuntu/sysdig/build/test) mode=1FD

To this:

sudo ./userspace/sysdig/sysdig  evt.type=fchmodat  -p" %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info"
 49942 10:40:07.150453566 3 a.out (17383) > chmod
 49943 10:40:07.150461060 3 a.out (17383) < chmod res=0 filename=/tmp/test mode=04000(S_ISUID)

Signed-off-by: Lorenzo Fontana [email protected]

[gnosek]

LGTM modulo some nits (and I'm not sure we need to bump the scap file version for this change).

[krisnova]

Tests would be my only nag - but unsure how we handle tests yet - still learning the code base

[fntlnz]

Corrected the requirements:

We don't want mode to be reported in hex like mode=1FD nor as just the mode number like 04000 or 0777, we want the mode number and the breakdown of the modes names like 04000(S_ISUID) or mode=04111(S_IXOTH|S_IXGRP|S_IXUSR|S_ISUID) or mode=0777(S_IXOTH|S_IWOTH|S_IROTH|S_IXGRP|S_IWGRP|S_IRGRP|S_IXUSR|S_IWUSR|S_IRUSR)

[fntlnz]

Expected json output:

{
  "evt.cpu": 1,
  "evt.dir": ">",
  "evt.info": "",
  "evt.num": 72162,
  "evt.outputtime": 1565606887658010000,
  "evt.type": "chmod",
  "proc.name": "a.out",
  "thread.tid": 17912
}
{
  "evt.cpu": 1,
  "evt.dir": "<",
  "evt.info": "res=0 filename=/tmp/ciao mode=04000(S_ISUID) ",
  "evt.num": 72163,
  "evt.outputtime": 1565606887658017500,
  "evt.type": "chmod",
  "proc.name": "a.out",
  "thread.tid": 17912
}

[gnosek]

For the format change, I'd do this in a separate PR, adding PF_MODE (PF_FILEMODE? let's bikeshed) and possibly updating other users of PF_OCT to use it (off the top of my head, creat, open* and mkdir* could benefit from it as well). Thoughts?

[fntlnz]

PT_MODES is a type of option
PF_OCT is formatting the value as an octect

The way the additional information are handled is not based on the format but on the option type, as it is for PT_FLAGS32 and others, so I just added a PT_MODES for the file modes.

I agree that we can use it in other places where mode is used but let's leave that for another PR.

At the same moment I don't want to add PT_MODES in another PR because I need it to finish this one and it wouldn't make sense to me to close this one without PT_MODES because it's the center of it.

[mstemm]

Hopefully you knew about https://github.com/draios/sysdig/wiki/Adding-an-event-to-sysdig. But never worry, it looks you followed all the right steps!

Couple of small-ish comments about the event flag and management of the string representation of the event.

[mstemm]

One more iteration on the resizing and then I think it's ready!

[mstemm]

Lgtm!