socket_peer

#!/usr/bin/perl
# socket_peer
# https://github.com/lemonsqueeze/unix_sockets_peers
#
# Run find_gdb_offset script to find $struct_unix_sock__peer_offset value.

use File::Temp qw/ tempfile /;
use POSIX;

sub usage
{    
    print "Find pid of process connected to unix socket with inode socket_inode.\n";
    print "Usage: socket_peer  socket_inode\n";
    exit 1;
}

($ARGV[0] eq "--help") && usage();
(getuid() != 0) && die "must be root.";

#my $debug = 1;
#my $use_kernel_debug_symbols = 1;	# slooow

#######################################################################
# Use lsof to map pids/sockets/kernel addresses

my %inode_to_pid;
my %pid_to_name;
my %address_to_inode;
my %inode_to_address;

sub init_lsof
{
    my @lsof = split('\n', `lsof -U +c 0  2>/dev/null` || die "couldn't run lsof");
    shift @lsof;		 # remove header
    
    # COMMAND    PID       USER   FD   TYPE     DEVICE SIZE/OFF  NODE NAME
    # Xorg       982       root   31u  unix 0xed0b4400      0t0  6820 /tmp/.X11-unix/X0
    foreach my $str (@lsof)
    {
	$str =~ s/  */ /g;
	my ($name, $pid, $z, $z, $z, $address, $z, $inode) = split(' ', $str);
	
	$inode_to_pid{$inode} = $pid;
	$pid_to_name{$pid} = $name;	
	$address_to_inode{$address} = $inode;
	$inode_to_address{$inode} = $address;
	if ($debug) { print "inode $inode -> address $address ($pid $name)\n"; }
    }
}

#######################################################################
# lsof -U + gdb way

# Slow but sure way, if you have the kernel's debug symbols (vmlinux)
my $vmlinux = "/usr/src/linux/vmlinux";
sub get_address_gdb_debug_symbols
{ 
    my ($address) = @_;
    my $gdb_cmd="p (void *)((struct unix_sock*)$address)->peer\n";
    my ($fh, $temp_file) = tempfile("/tmp/netstat_unix.XXXXXXXX", UNLINK => 1);
    print $fh $gdb_cmd;   close($fh);
    return `gdb $vmlinux /proc/kcore  --batch -x $temp_file` || die "couldn't run gdb";
}

# Hack, find the right offset, then you don't need debugging symbols !
# (see find_gdb_offset script)
my $struct_unix_sock__peer_offset = 104;
sub get_address_gdb_no_symbols
{ 
    my ($address) = @_;
    my $gdb_cmd="p ((void **)$address)[$struct_unix_sock__peer_offset]\n";
    my ($fh, $temp_file) = tempfile("/tmp/netstat_unix.XXXXXXXX", UNLINK => 1);
    print $fh $gdb_cmd;   close($fh);
    return `gdb /dev/null /proc/kcore  --batch -x $temp_file 2>/dev/null` || die "couldn't run gdb";
}

sub find_peer_inode
{
    my ($inode) = @_;
    if ($debug) { print "running gdb ...\n"; }
    my $address = $inode_to_address{$inode} || die "$inode: couldn't map inode to address";
    my $gdb = ($use_kernel_debug_symbols ? get_address_gdb_debug_symbols($address) :
	                                   get_address_gdb_no_symbols($address) );
    
    if ($gdb =~ m|\(void \*\) (0x[0-9a-f]*)|)	#  $1 = (void *) 0xed289000
    { 
	my $peer_address = $1;
	my $peer_inode = $address_to_inode{$peer_address} || 
	    die ("$peer_address: couldn't map address to inode.\n" . 
		 "wrong hardcoded gdb offset ? check with find_gdb_offset script.");
	if ($debug) { print "[ inode $inode -> kernel $address ] --> [ kernel $peer_address -> inode $peer_inode ]\n"; }
	return $peer_inode;
    }
    die "failed to parse gdb output (bug?)";    
}


#######################################################################

sub find_peer_pid
{
    my ($inode) = @_;
    $inode_to_pid{$inode} || die("$inode: No process owns this socket. bad number ?\n");
    
    my $peer_inode = find_peer_inode($inode);
    my $peer_pid = $inode_to_pid{$peer_inode} || die "couldn't map inode to pid.";
    return $peer_pid;
}

#######################################################################

my $inode = @ARGV[0];
if (!($inode =~ m|[0-9]+|))
{  usage();  }

init_lsof();
my $pid = find_peer_pid($inode);
if ($pid)
{   print "$pid $pid_to_name{$pid}\n";   exit 0;  }

die "couldn't find peer process for unix socket $inode\n";