From 3b49127845999ea2f7c834d327df9d1622c780bb Mon Sep 17 00:00:00 2001
From: Loris Degioanni
Date: Fri, 26 Apr 2024 16:50:20 -0700
Subject: [PATCH] new field: fd.containerpidname, which can be used to get a true unique identifier for a file

Signed-off-by: Loris Degioanni
---
 userspace/libsinsp/sinsp_filtercheck_fd.cpp | 19 +++++++++++++++++++
 userspace/libsinsp/sinsp_filtercheck_fd.h | 1 +
 2 files changed, 20 insertions(+)

diff --git a/userspace/libsinsp/sinsp_filtercheck_fd.cpp b/userspace/libsinsp/sinsp_filtercheck_fd.cpp
index 5aae551fbc..2a31bf4948 100644
--- a/userspace/libsinsp/sinsp_filtercheck_fd.cpp
+++ b/userspace/libsinsp/sinsp_filtercheck_fd.cpp
@@ -94,6 +94,7 @@ static const filtercheck_field_info sinsp_filter_check_fd_fields[] =
 {PT_INT64, EPF_NONE, PF_DEC, "fd.ino", "FD Inode Number", "inode number of the referenced file"},
 {PT_CHARBUF, EPF_NONE, PF_NA, "fd.nameraw", "FD Name Raw", "FD full name raw. Just like fd.name, but only used if fd is a file path. File path is kept raw with limited sanitization and without deriving the absolute path."},
 {PT_CHARBUF, EPF_IS_LIST | EPF_ARG_ALLOWED | EPF_NO_RHS | EPF_NO_TRANSFORMER, PF_DEC, "fd.types", "FD Type", "List of FD types in used. Can be passed an fd number e.g. fd.types[0] to get the type of stdout as a single item list."},
+ {PT_CHARBUF, EPF_TABLE_ONLY, PF_NA, "fd.containerpidname", "FD Container Pid Name", "chaining of the container ID, the pid and the FD name."},
 };

 sinsp_filter_check_fd::sinsp_filter_check_fd()
@@ -301,6 +302,18 @@ uint8_t* sinsp_filter_check_fd::extract_from_null_fd(sinsp_evt *evt, OUT uint32_
 return NULL;
 }
 }
+ case TYPE_CONTAINERPIDNAME:
+ {
+ if(extract_fdname_from_creator(evt, len, sanitize_strings) == true)
+ {
+ m_tstr = m_tinfo->m_container_id + ':' + to_string(m_tinfo->m_pid) + ':' + m_tstr;
+ RETURN_EXTRACT_STRING(m_tstr);
+ }
+ else
+ {
+ return NULL;
+ }
+ }
 case TYPE_DIRECTORY:
 case TYPE_CONTAINERDIRECTORY:
 {
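Review bot: The description string added for `fd.containerpidname` in the field table does not say how the three parts are joined or over what scope the value is unique. The code in this patch builds `container_id:pid:name`, and a pid can be reused once its process exits, so the value distinguishes files only among processes that are alive at the same time; that matters if a table or a rule keeps it as a correlation key over a longer window. I would spell that out in the help text, for example `"Container ID, process ID and FD name joined with ':' (container_id:pid:name). PIDs can be reused, so the value is unique only while the owning process is alive."`.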
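Review bot: In the new `TYPE_CONTAINERPIDNAME` case of `extract_from_null_fd`, `m_tinfo->m_container_id` and `m_tinfo->m_pid` are dereferenced with no check that `m_tinfo` is set, and nothing visible in the hunk shows `extract_fdname_from_creator` guaranteeing it. The matching branch added to `extract_single` relies on `ASSERT(m_tinfo != NULL);`, which is presumably compiled out of release builds, so the same concern applies there. A guard such as `if(m_tinfo == NULL) { return NULL; }` before the string is built would fail closed in both places. `to_string` is also unqualified; writing `std::to_string` avoids depending on a using-directive elsewhere in the file. The body of `extract_from_null_fd` starts and ends outside the hunk.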
@@ -483,6 +496,7 @@ uint8_t* sinsp_filter_check_fd::extract_single(sinsp_evt *evt, OUT uint32_t* len
 {
 case TYPE_FDNAME:
 case TYPE_CONTAINERNAME:
+ case TYPE_CONTAINERPIDNAME:
 if(m_fdinfo == NULL)
 {
 return extract_from_null_fd(evt, len, sanitize_strings);
@@ -503,6 +517,11 @@ uint8_t* sinsp_filter_check_fd::extract_single(sinsp_evt *evt, OUT uint32_t* len
 ASSERT(m_tinfo != NULL);
 m_tstr = m_tinfo->m_container_id + ':' + m_fdinfo->m_name;
 }
+ else if(m_field_id == TYPE_CONTAINERPIDNAME)
+ {
+ ASSERT(m_tinfo != NULL);
+ m_tstr = m_tinfo->m_container_id + ':' + to_string(m_tinfo->m_pid) + ':' + m_fdinfo->m_name;
+ }
 else
 {
 m_tstr = m_fdinfo->m_name;
diff --git a/userspace/libsinsp/sinsp_filtercheck_fd.h b/userspace/libsinsp/sinsp_filtercheck_fd.h
index 56b00a157f..a1e7281908 100644
--- a/userspace/libsinsp/sinsp_filtercheck_fd.h
+++ b/userspace/libsinsp/sinsp_filtercheck_fd.h
@@ -69,6 +69,7 @@ class sinsp_filter_check_fd : public sinsp_filter_check
 TYPE_INO = 41,
 TYPE_FDNAMERAW = 42,
 TYPE_FDTYPES = 43,
+ TYPE_CONTAINERPIDNAME = 44,
 };

 sinsp_filter_check_fd();
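Review bot: The `container_id:pid:name` key is now assembled in two places, in the `else if(m_field_id == TYPE_CONTAINERPIDNAME)` branch of `extract_single` and in the null-fd path of `extract_from_null_fd`, with the expression written out separately each time. If one copy is later changed (separator, field order, which pid is used), the same file would get a different key depending on whether `m_fdinfo` was populated, which breaks any grouping done on the field. A small private helper that takes the FD name and returns the joined string, called from both branches, would keep the format in one place; a one-line comment such as `// key format: <container id>:<pid>:<fd name>` above it would document the contract. The enclosing `extract_single` body starts and ends outside the hunk.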