main, external & tracee.bpf: introduce ProcessorID

r21gh · Feb 2, 2022 · 78f761b · 78f761b
1 parent c2f41ba
commit 78f761b
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 18 deletions.
diff --git a/pkg/external/external.go b/pkg/external/external.go
@@ -10,6 +10,7 @@ import (
 // Event is a user facing data structure representing a single event
 type Event struct {
 	Timestamp           int        `json:"timestamp"`
+	ProcessorID         int        `json:"processorId"`
 	ProcessID           int        `json:"processId"`
 	ThreadID            int        `json:"threadId"`
 	ParentProcessID     int        `json:"parentProcessId"`
@@ -71,6 +72,7 @@ func (e Event) ToUnstructured() (map[string]interface{}, error) {
 
 	return map[string]interface{}{
 		"timestamp":           json.Number(strconv.Itoa(e.Timestamp)),
+		"processorId":         json.Number(strconv.Itoa(e.ProcessorID)),
 		"processId":           json.Number(strconv.Itoa(e.ProcessID)),
 		"threadId":            json.Number(strconv.Itoa(e.ThreadID)),
 		"parentProcessId":     json.Number(strconv.Itoa(e.ParentProcessID)),

diff --git a/pkg/external/external_test.go b/pkg/external/external_test.go
@@ -171,6 +171,7 @@ func TestEvent_ToUnstructured(t *testing.T) {
 			name: "Should unstructure Event",
 			event: Event{
 				Timestamp:           7126141189,
+				ProcessorID:         0,
 				ProcessID:           1,
 				ThreadID:            1,
 				ParentProcessID:     4798,

diff --git a/tracee-ebpf/tracee/events_pipeline.go b/tracee-ebpf/tracee/events_pipeline.go
@@ -21,24 +21,25 @@ const maxStackDepth int = 20
 // NOTE: Integers want to be aligned in memory, so if changing the format of this struct
 // keep the 1-byte 'Argnum' as the final parameter before the padding (if padding is needed).
 type context struct {
-	Ts       uint64
-	CgroupID uint64
-	Pid      uint32
-	Tid      uint32
-	Ppid     uint32
-	HostPid  uint32
-	HostTid  uint32
-	HostPpid uint32
-	Uid      uint32
-	MntID    uint32
-	PidID    uint32
-	Comm     [16]byte
-	UtsName  [16]byte
-	EventID  int32
-	Retval   int64
-	StackID  uint32
-	Argnum   uint8
-	_        [3]byte //padding
+	Ts          uint64
+	CgroupID    uint64
+	ProcessorId uint64
+	Pid         uint32
+	Tid         uint32
+	Ppid        uint32
+	HostPid     uint32
+	HostTid     uint32
+	HostPpid    uint32
+	Uid         uint32
+	MntID       uint32
+	PidID       uint32
+	Comm        [16]byte
+	UtsName     [16]byte
+	EventID     int32
+	Retval      int64
+	StackID     uint32
+	Argnum      uint8
+	_           [3]byte //padding
 }
 
 // handleEvents is a high-level function that starts all operations related to events processing
@@ -114,6 +115,7 @@ func (t *Tracee) decodeEvents(outerCtx gocontext.Context) (<-chan *external.Even
 
 			evt := external.Event{
 				Timestamp:           int(ctx.Ts),
+				ProcessorID:         int(ctx.ProcessorId),
 				ProcessID:           int(ctx.Pid),
 				ThreadID:            int(ctx.Tid),
 				ParentProcessID:     int(ctx.Ppid),

diff --git a/tracee-ebpf/tracee/tracee.bpf.c b/tracee-ebpf/tracee/tracee.bpf.c
@@ -373,6 +373,7 @@ Copyright (C) Aqua Security inc.
 typedef struct event_context {
     u64 ts;                        // Timestamp
     u64 cgroup_id;
+    u64 processor_id;              // The ID of the processor which processed the event
     u32 pid;                       // PID as in the userspace term
     u32 tid;                       // TID as in the userspace term
     u32 ppid;                      // Parent PID as in the userspace term
@@ -1165,6 +1166,8 @@ static __always_inline int init_context(context_t *context, struct task_struct *
     // Clean Stack Trace ID
     context->stack_id = 0;
 
+    context->processor_id = bpf_get_smp_processor_id();
+
     return 0;
 }