Implement entity_id. Issue #155

This implements the 12 byte entity id as defined in
https://www.elastic.co/docs/reference/ecs/ecs-process#field-process-entity-id

We can't depend on dynamic linking of md or openssl, so include a standlone MIT
licensed sha256 implementation from https://github.com/ilvn/SHA256, they claim
to be formally verified, so that's something.

We now also have to link against resolv so we can get the base64 functions,
that's ok, beats already links against it.

This is a WIP as I want to make sure we compute the very same entity_id as
gosysinfo and friends.

Author: haesbaert

Makefile

@@ -93,7 +93,8 @@ LIBQUARK_SRCS:=			\
 	compat.c		\
 	kprobe_queue.c		\
 	quark.c			\
-	qutil.c
+	qutil.c			\
+	sha256.c
 LIBQUARK_OBJS:= $(patsubst %.c,%.o,$(LIBQUARK_SRCS))
 LIBQUARK_STATIC:= libquark.a
 LIBQUARK_STATIC_BIG:= libquark_big.a
@@ -106,6 +107,9 @@ LIBQUARK_TARGET=$(LIBQUARK_STATIC)
 EXTRA_LDFLAGS+= -lbpf
 endif
 
+# for b64_ntop()
+EXTRA_LDFLAGS+= -lresolv
+
 # ZLIB
 ZLIB_SRC:= zlib
 ZLIB_FILES:= $(shell find $(ZLIB_SRC) \(\

quark.c

@@ -16,6 +16,8 @@
 #include <fcntl.h>
 #include <fts.h>
 #include <limits.h>
+#include <resolv.h>		/* for b64_ntop */
+#include <sha2.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -62,6 +64,7 @@ RB_GENERATE(raw_event_by_pidtime, raw_event,
 struct quark {
 	unsigned int	hz;
 	u64		boottime;
+	char		machine_id[1024];
 } quark;
 
 struct raw_event *
@@ -444,6 +447,43 @@ process_by_pid_cmp(struct quark_process *a, struct quark_process *b)
 	return (0);
 }
 
+static void
+process_entity_id(struct quark_queue *qq, struct quark_process *qp)
+{
+	sha256_context	ctx;
+	u64		pid64_le, start_le;
+	u8		digest[SHA256_SIZE_BYTES];
+	char		digest_p[45];
+	size_t		machine_len;
+
+	/* No proc_time_boot, bail */
+	if ((qp->flags & QUARK_F_PROC) == 0)
+		return;
+	/* Already known, bail */
+	if (qp->flags & QUARK_F_ENTITYID)
+		return;
+	/* No machine_id, bail */
+	if ((machine_len = strlen(quark.machine_id)) == 0)
+		return;
+
+	/* Historically little endian */
+	pid64_le = htole64(qp->pid);
+	start_le = htole64(qp->proc_time_boot);
+
+	sha256_init(&ctx);
+	sha256_hash(&ctx, quark.machine_id, machine_len);
+	sha256_hash(&ctx, &pid64_le, sizeof(pid64_le));
+	sha256_hash(&ctx, &start_le, sizeof(start_le));
+	sha256_done(&ctx, digest);
+
+	b64_ntop(digest, sizeof(digest), digest_p, sizeof(digest_p));
+	digest_p[sizeof(digest_p) - 1] = 0;
+
+	/* Let it truncate, entity_id is only 12 bytes */
+	(void)strlcpy(qp->entity_id, digest_p, sizeof(qp->entity_id));
+	qp->flags |= QUARK_F_ENTITYID;
+}
+
 /*
  * Socket stuff
  */
@@ -580,6 +620,8 @@ event_flag_str(u64 flag)
 		return "CMDLINE";
 	case QUARK_F_CWD:
 		return "CWD";
+	case QUARK_F_ENTITYID:
+		return "EID";
 	default:
 		return "?";
 	}
@@ -1012,6 +1054,10 @@ quark_event_dump(const struct quark_event *qev, FILE *f)
 		    entry_leader_type_str(qp->proc_entry_leader_type),
 		    qp->proc_entry_leader);
 	}
+	if (qp->flags & QUARK_F_ENTITYID) {
+		flagname = event_flag_str(QUARK_F_ENTITYID);
+		P("  %.4s\tentity_id=%s\n", flagname, qp->entity_id);
+	}
 	if (qp->flags & QUARK_F_CWD) {
 		flagname = event_flag_str(QUARK_F_CWD);
 		P("  %.4s\tcwd=%s\n", flagname, qp->cwd);
@@ -1258,6 +1304,9 @@ raw_event_process(struct quark_queue *qq, struct raw_event *src)
 
 		/* Don't set cwd as it's not valid on exit */
 		comm = raw_task->comm;
+
+		/* Depends on QUARK_F_PROC, idempotent */
+		process_entity_id(qq, qp);
 	}
 	if (raw_comm != NULL)
 		comm = raw_comm->comm; /* raw_comm always overrides */
@@ -1968,6 +2017,39 @@ fetch_boottime(void)
 	return (btime * NS_PER_S);
 }
 
+static int
+fetch_machine_id(char *buf, size_t len)
+{
+	int		  fd;
+	char		 *id;
+	const char 	**path, *all_paths[] = {
+		"/etc/machine-id",
+		"/var/lib/dbus/machine-id",
+		"/var/db/dbus/machine-id",
+		NULL
+	};
+
+	for (fd = -1, path = all_paths; *path != NULL; path++) {
+		fd = open("/etc/machine-id", O_RDONLY);
+		if (fd != -1)
+			break;
+	}
+	if (fd == -1)
+		return (-1);
+	/* Historically the final newline is included, so keep it. */
+	if ((id = load_file_nostat(fd, NULL)) == NULL) {
+		close(fd);
+		warnx("can't load machine_id");
+		return (-1);
+	}
+	close(fd);
+	
+	if (strlcpy(buf, id, len) >= len)
+		warnx("machine_id truncated, ignoring");
+
+	return (0);
+}
+
 /*
  * Aggregation is a relationship between a parent event and a child event. In a
  * fork+exec cenario, fork is the parent, exec is the child.
@@ -2028,6 +2110,12 @@ quark_init(void)
 		qwarn("can't fetch btime");
 		return (-1);
 	}
+	if (fetch_machine_id(quark.machine_id,
+	    sizeof(quark.machine_id)) == -1) {
+		qwarn("can't fetch machine id, ignoring");
+		quark.machine_id[0] = 0;
+	}
+
 	quark.hz = hz;
 	quark.boottime = boottime;
 

quark.h

@@ -17,6 +17,9 @@
 /* Compat, tree.h, queue.h */
 #include "compat.h"
 
+/* sha256 since we can't link against openssl */
+#include "sha256.h"
+
 /* Misc */
 #ifndef ALIGN_UP
 #define ALIGN_UP(_p, _b) (((u64)(_p) + ((_b) - 1)) & ~((_b) - 1))
@@ -381,6 +384,7 @@ struct quark_process {
 #define QUARK_F_FILENAME	(1 << 3)
 #define QUARK_F_CMDLINE		(1 << 4)
 #define QUARK_F_CWD		(1 << 5)
+#define QUARK_F_ENTITYID	(1 << 6)
 	u64	 flags;
 
 	/* QUARK_F_PROC */
@@ -419,6 +423,8 @@ struct quark_process {
 	char	*cmdline;
 	/* QUARK_F_CWD */
 	char	*cwd;
+	/* QUARK_F_ENTITY_ID */
+	char	 entity_id[13];
 };
 
 struct quark_process_iter {