Add a filtercheck for process tty. (draios#847)

Mark Stemm · web-flow · commit 45c677901e0d · 2017-05-24T09:44:05.000-07:00
This allows it to be used in falco rules.
diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -1340,7 +1340,8 @@ const filtercheck_field_info sinsp_filter_check_thread_fields[] =
 	{PT_UINT64, EPF_TABLE_ONLY, PF_DEC, "thread.vmsize.b", "For the process main thread, this is the total virtual memory for the process (in bytes). For the other threads, this field is zero."},
 	{PT_UINT64, EPF_TABLE_ONLY, PF_DEC, "thread.vmrss.b", "For the process main thread, this is the resident non-swapped memory for the process (in bytes). For the other threads, this field is zero."},
 	{PT_INT64, EPF_NONE, PF_ID, "proc.sid", "the session id of the process generating the event."},
-	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.sname", "the name of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process."}
+	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.sname", "the name of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process."},
+	{PT_INT32, EPF_NONE, PF_ID, "proc.tty", "The controlling terminal of the process. 0 for processes without a terminal."}
 };
 
 sinsp_filter_check_thread::sinsp_filter_check_thread()
@@ -1661,6 +1662,8 @@ uint8_t* sinsp_filter_check_thread::extract(sinsp_evt *evt, OUT uint32_t* len, b
 				return (uint8_t*)m_tstr.c_str();
 			}
 		}
+	case TYPE_TTY:
+		return (uint8_t*)&tinfo->m_tty;
 	case TYPE_NAME:
 		m_tstr = tinfo->get_comm();
 		*len = m_tstr.size();
diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
@@ -370,6 +370,7 @@ class sinsp_filter_check_thread : public sinsp_filter_check
 		TYPE_THREAD_VMRSS_B = 39,
 		TYPE_SID = 40,
 		TYPE_SNAME = 41,
+		TYPE_TTY = 42,
 	};
 
 	sinsp_filter_check_thread();
