feat(userspace/libsinsp)!: pass notify into set_user signature

ekoops · poiana · commit aaf688db334a · 2025-04-15T14:15:40.000+02:00
Pass `notify` as `sinsp_threadinfo::set_user()` flag to enable
external control over thread user update notification.

BREAKING CHANGE: update `sinsp_threadinfo::set_user()`,
`sinsp_threadinfo::init()` signatures and `user_group_updater`
constructor.

Signed-off-by: Leonardo Di Giovanna &lt;leonardodigiovanna1@gmail.com&gt;
diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -1171,7 +1171,7 @@ void sinsp_parser::parse_clone_exit_caller(sinsp_evt *evt, int64_t child_tid) {
 	default:
 		ASSERT(false);
 	}
-	child_tinfo->set_user(uid);
+	child_tinfo->set_user(uid, must_notify_thread_user_update());
 
 	/* gid */
 	int32_t gid = 0;
@@ -1691,7 +1691,7 @@ void sinsp_parser::parse_clone_exit_child(sinsp_evt *evt) {
 	default:
 		ASSERT(false);
 	}
-	child_tinfo->set_user(uid);
+	child_tinfo->set_user(uid, must_notify_thread_user_update());
 
 	/* gid */
 	int32_t gid = 0;
@@ -2174,7 +2174,8 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt) {
 
 	// Get uid
 	if(evt->get_num_params() > 26) {
-		evt->get_tinfo()->set_user(evt->get_param(26)->as<uint32_t>());
+		evt->get_tinfo()->set_user(evt->get_param(26)->as<uint32_t>(),
+		                           must_notify_thread_user_update());
 	}
 
 	// Get pgid
@@ -4524,7 +4525,7 @@ void sinsp_parser::parse_setresuid_exit(sinsp_evt *evt) {
 		if(new_euid < std::numeric_limits<uint32_t>::max()) {
 			sinsp_threadinfo *ti = evt->get_thread_info();
 			if(ti) {
-				ti->set_user(new_euid);
+				ti->set_user(new_euid, must_notify_thread_user_update());
 			}
 		}
 	}
@@ -4544,7 +4545,7 @@ void sinsp_parser::parse_setreuid_exit(sinsp_evt *evt) {
 		if(new_euid < std::numeric_limits<uint32_t>::max()) {
 			sinsp_threadinfo *ti = evt->get_thread_info();
 			if(ti) {
-				ti->set_user(new_euid);
+				ti->set_user(new_euid, must_notify_thread_user_update());
 			}
 		}
 	}
@@ -4604,7 +4605,7 @@ void sinsp_parser::parse_setuid_exit(sinsp_evt *evt) {
 		uint32_t new_euid = enter_evt->get_param(0)->as<uint32_t>();
 		sinsp_threadinfo *ti = evt->get_thread_info();
 		if(ti) {
-			ti->set_user(new_euid);
+			ti->set_user(new_euid, must_notify_thread_user_update());
 		}
 	}
 }
diff --git a/userspace/libsinsp/parsers.h b/userspace/libsinsp/parsers.h
@@ -193,6 +193,10 @@ class sinsp_parser {
 		return (m_sinsp_mode.is_live() || is_syscall_plugin_enabled()) && m_large_envs_enabled;
 	}
 
+	bool must_notify_thread_user_update() const {
+		return m_sinsp_mode.is_live() || is_syscall_plugin_enabled();
+	}
+
 	// TODO(ekoops): replace references and pointers with owned resources as we determine they
 	//   cannot change at runtime and/or are used only by the parser.
 	// The following fields are externally provided and access to them is expected to be read-only.
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -903,7 +903,7 @@ void sinsp::on_new_entry_from_proc(void* context,
 
 		threadinfo_map_t::ptr_t sinsp_tinfo;
 		auto newti = m_threadinfo_factory.create();
-		newti->init(*tinfo, large_envs_enabled());
+		newti->init(*tinfo, large_envs_enabled(), must_notify_thread_user_update());
 		if(is_nodriver()) {
 			auto existing_tinfo = find_thread(tid, true);
 			if(existing_tinfo == nullptr || newti->m_clone_ts > existing_tinfo->m_clone_ts) {
@@ -976,8 +976,7 @@ void sinsp::on_new_entry_from_proc(void* context,
 			}
 
 			auto newti = m_threadinfo_factory.create();
-			newti->init(*tinfo, large_envs_enabled());
-
+			newti->init(*tinfo, large_envs_enabled(), must_notify_thread_user_update());
 			sinsp_tinfo = m_thread_manager->add_thread(std::move(newti), true);
 			if(sinsp_tinfo == nullptr) {
 				ASSERT(false);
@@ -1381,7 +1380,7 @@ int32_t sinsp::next(sinsp_evt** puevt) {
 		// upon threadinfo's container_id changes.
 		// Since the threadinfo state might get changed from a plugin parser,
 		// evaluate this one after all parsers get run.
-		user_group_updater usr_grp_updater(evt);
+		user_group_updater usr_grp_updater(evt, must_notify_thread_user_update());
 
 		if(!evt->is_filtered_out()) {
 			//
diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
@@ -916,6 +916,8 @@ class SINSP_PUBLIC sinsp : public capture_stats_source {
 		return left == static_cast<uint64_t>(-1) || left <= right;
 	}
 
+	bool must_notify_thread_user_update() const { return m_mode.is_live() || is_syscall_plugin(); }
+
 	std::shared_ptr<sinsp_stats_v2> m_sinsp_stats_v2;
 	scap_t* m_h;
 	struct scap_platform* m_platform{};
diff --git a/userspace/libsinsp/thread_manager.cpp b/userspace/libsinsp/thread_manager.cpp
@@ -839,7 +839,10 @@ const threadinfo_map_t::ptr_t& sinsp_thread_manager::get_thread_ref(int64_t tid,
 		}
 
 		if(have_scap_proc) {
-			newti->init(scap_proc, m_inspector->large_envs_enabled());
+			const bool can_load_env_from_proc = m_inspector->large_envs_enabled();
+			const bool must_notify_user_update =
+			        m_inspector->is_live() || m_inspector->is_syscall_plugin();
+			newti->init(scap_proc, can_load_env_from_proc, must_notify_user_update);
 		} else {
 			//
 			// Add a fake entry to avoid a continuous lookup
diff --git a/userspace/libsinsp/threadinfo.cpp b/userspace/libsinsp/threadinfo.cpp
@@ -326,7 +326,9 @@ sinsp_fdinfo* sinsp_threadinfo::add_fd_from_scap(const scap_fdinfo& fdi,
 	return m_fdtable.add(fdi.fd, std::move(newfdi));
 }
 
-void sinsp_threadinfo::init(const scap_threadinfo& pinfo, const bool can_load_env_from_proc) {
+void sinsp_threadinfo::init(const scap_threadinfo& pinfo,
+                            const bool can_load_env_from_proc,
+                            const bool notify_user_update) {
 	init();
 
 	m_tid = pinfo.tid;
@@ -388,7 +390,7 @@ void sinsp_threadinfo::init(const scap_threadinfo& pinfo, const bool can_load_en
 	ASSERT(m_inspector);
 
 	set_group(pinfo.gid);
-	set_user(pinfo.uid);
+	set_user(pinfo.uid, notify_user_update);
 	set_loginuid((uint32_t)pinfo.loginuid);
 }
 
@@ -457,20 +459,20 @@ std::string sinsp_threadinfo::get_container_ip() {
 	return ip;
 }
 
-void sinsp_threadinfo::set_user(uint32_t uid) {
+void sinsp_threadinfo::set_user(const uint32_t uid, const bool notify) {
 	const auto container_id = get_container_id();
 	m_uid = uid;
-	if(const scap_userinfo* user = m_inspector->m_usergroup_manager->get_user(container_id, uid);
-	   !user) {
-		const auto notify = m_inspector->is_live() || m_inspector->is_syscall_plugin();
-		// For uid 0 force set root related infos
-		if(uid == 0) {
-			m_inspector->m_usergroup_manager
-			        ->add_user(container_id, m_pid, uid, m_gid, "root", "/root", {}, notify);
-		} else {
-			m_inspector->m_usergroup_manager
-			        ->add_user(container_id, m_pid, uid, m_gid, {}, {}, {}, notify);
-		}
+	// Do not notify if the user is already present.
+	if(m_inspector->m_usergroup_manager->get_user(container_id, uid)) {
+		return;
+	}
+	// For uid 0 force set root related infos
+	if(uid == 0) {
+		m_inspector->m_usergroup_manager
+		        ->add_user(container_id, m_pid, uid, m_gid, "root", "/root", {}, notify);
+	} else {
+		m_inspector->m_usergroup_manager
+		        ->add_user(container_id, m_pid, uid, m_gid, {}, {}, {}, notify);
 	}
 }
 
diff --git a/userspace/libsinsp/threadinfo.h b/userspace/libsinsp/threadinfo.h
@@ -409,7 +409,12 @@ class SINSP_PUBLIC sinsp_threadinfo : public libsinsp::state::table_entry {
 	 */
 	std::string get_path_for_dir_fd(int64_t dir_fd);
 
-	void set_user(uint32_t uid);
+	/*!
+	  \brief Set the thread user and optionally notify any interested component.
+	  \param uid The user id.
+	  \param notify A boolean indicating if any interested component must be notified of the update.
+	*/
+	void set_user(uint32_t uid, bool notify);
 	void set_group(uint32_t gid);
 	void set_loginuid(uint32_t loginuid);
 
@@ -529,7 +534,7 @@ class SINSP_PUBLIC sinsp_threadinfo : public libsinsp::state::table_entry {
 	}
 
 	void init();
-	void init(const scap_threadinfo& pinfo, bool can_load_env_from_proc);
+	void init(const scap_threadinfo& pinfo, bool can_load_env_from_proc, bool notify_user_update);
 	void fix_sockets_coming_from_proc(const std::set<uint16_t>& ipv4_server_ports,
 	                                  bool resolve_hostname_and_port);
 	sinsp_fdinfo* add_fd(int64_t fd, std::shared_ptr<sinsp_fdinfo>&& fdinfo);
diff --git a/userspace/libsinsp/user.h b/userspace/libsinsp/user.h
@@ -209,7 +209,10 @@ class sinsp_usergroup_manager {
 // RAII struct to manage threadinfos automatic user/group refresh
 // upon container_id updates.
 struct user_group_updater {
-	explicit user_group_updater(sinsp_evt *evt): m_check_cleanup(false), m_evt(nullptr) {
+	explicit user_group_updater(sinsp_evt *const evt, const bool must_notify_user_update):
+	        m_check_cleanup(false),
+	        m_evt(nullptr),
+	        m_must_notify_user_update{must_notify_user_update} {
 		switch(evt->get_type()) {
 		case PPME_PROCEXIT_E:
 		case PPME_PROCEXIT_1_E:
@@ -253,7 +256,7 @@ struct user_group_updater {
 			if(container_id != m_container_id) {
 				// Refresh user/group
 				tinfo->set_group(tinfo->m_gid);
-				tinfo->set_user(tinfo->m_uid);
+				tinfo->set_user(tinfo->m_uid, m_must_notify_user_update);
 			} else if(m_check_cleanup && !container_id.empty()) {
 				if(tinfo->m_vtid == tinfo->m_vpid && tinfo->m_vpid == 1) {
 					// main container process left, clean up user and groups for the container
@@ -270,6 +273,7 @@ struct user_group_updater {
 	bool m_check_cleanup;
 	sinsp_evt *m_evt;
 	std::string m_container_id;
+	bool m_must_notify_user_update;
 };
 
 #endif  // FALCOSECURITY_LIBS_USER_H

Original file line number	Diff line number	Diff line change
`@@ -1171,7 +1171,7 @@ void sinsp_parser::parse_clone_exit_caller(sinsp_evt *evt, int64_t child_tid) {`
`1171`	`1171`	`default:`
`1172`	`1172`	`ASSERT(false);`
`1173`	`1173`	`}`
`1174`		`- child_tinfo->set_user(uid);`
	`1174`	`+ child_tinfo->set_user(uid, must_notify_thread_user_update());`
`1175`	`1175`
`1176`	`1176`	`/* gid */`
`1177`	`1177`	`int32_t gid = 0;`
`@@ -1691,7 +1691,7 @@ void sinsp_parser::parse_clone_exit_child(sinsp_evt *evt) {`
`1691`	`1691`	`default:`
`1692`	`1692`	`ASSERT(false);`
`1693`	`1693`	`}`
`1694`		`- child_tinfo->set_user(uid);`
	`1694`	`+ child_tinfo->set_user(uid, must_notify_thread_user_update());`
`1695`	`1695`
`1696`	`1696`	`/* gid */`
`1697`	`1697`	`int32_t gid = 0;`
`@@ -2174,7 +2174,8 @@ void sinsp_parser::parse_execve_exit(sinsp_evt *evt) {`
`2174`	`2174`
`2175`	`2175`	`// Get uid`
`2176`	`2176`	`if(evt->get_num_params() > 26) {`
`2177`		`- evt->get_tinfo()->set_user(evt->get_param(26)->as<uint32_t>());`
	`2177`	`+ evt->get_tinfo()->set_user(evt->get_param(26)->as<uint32_t>(),`
	`2178`	`+ must_notify_thread_user_update());`
`2178`	`2179`	`}`
`2179`	`2180`
`2180`	`2181`	`// Get pgid`
`@@ -4524,7 +4525,7 @@ void sinsp_parser::parse_setresuid_exit(sinsp_evt *evt) {`
`4524`	`4525`	`if(new_euid < std::numeric_limits<uint32_t>::max()) {`
`4525`	`4526`	`sinsp_threadinfo *ti = evt->get_thread_info();`
`4526`	`4527`	`if(ti) {`
`4527`		`- ti->set_user(new_euid);`
	`4528`	`+ ti->set_user(new_euid, must_notify_thread_user_update());`
`4528`	`4529`	`}`
`4529`	`4530`	`}`
`4530`	`4531`	`}`
`@@ -4544,7 +4545,7 @@ void sinsp_parser::parse_setreuid_exit(sinsp_evt *evt) {`
`4544`	`4545`	`if(new_euid < std::numeric_limits<uint32_t>::max()) {`
`4545`	`4546`	`sinsp_threadinfo *ti = evt->get_thread_info();`
`4546`	`4547`	`if(ti) {`
`4547`		`- ti->set_user(new_euid);`
	`4548`	`+ ti->set_user(new_euid, must_notify_thread_user_update());`
`4548`	`4549`	`}`
`4549`	`4550`	`}`
`4550`	`4551`	`}`
`@@ -4604,7 +4605,7 @@ void sinsp_parser::parse_setuid_exit(sinsp_evt *evt) {`
`4604`	`4605`	`uint32_t new_euid = enter_evt->get_param(0)->as<uint32_t>();`
`4605`	`4606`	`sinsp_threadinfo *ti = evt->get_thread_info();`
`4606`	`4607`	`if(ti) {`
`4607`		`- ti->set_user(new_euid);`
	`4608`	`+ ti->set_user(new_euid, must_notify_thread_user_update());`
`4608`	`4609`	`}`
`4609`	`4610`	`}`
`4610`	`4611`	`}`
Original file line number	Diff line number	Diff line change
`@@ -916,6 +916,8 @@ class SINSP_PUBLIC sinsp : public capture_stats_source {`
`916`	`916`	`return left == static_cast<uint64_t>(-1) \|\| left <= right;`
`917`	`917`	`}`
`918`	`918`
	`919`	`+ bool must_notify_thread_user_update() const { return m_mode.is_live() \|\| is_syscall_plugin(); }`
	`920`	`+`
`919`	`921`	`std::shared_ptr<sinsp_stats_v2> m_sinsp_stats_v2;`
`920`	`922`	`scap_t* m_h;`
`921`	`923`	`struct scap_platform* m_platform{};`