52 lines
1.4 KiB
C
52 lines
1.4 KiB
C
/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
|
|
/* Copyright (c) 2021 Hengqi Chen */
|
|
#include <vmlinux.h>
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <bpf/bpf_core_read.h>
|
|
#include "exitsnoop.h"
|
|
|
|
const volatile pid_t target_pid = 0;
|
|
const volatile bool trace_failed_only = false;
|
|
const volatile bool trace_by_process = true;
|
|
|
|
struct {
|
|
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
|
|
__uint(key_size, sizeof(__u32));
|
|
__uint(value_size, sizeof(__u32));
|
|
} events SEC(".maps");
|
|
|
|
SEC("tracepoint/sched/sched_process_exit")
|
|
int sched_process_exit(void *ctx)
|
|
{
|
|
__u64 pid_tgid = bpf_get_current_pid_tgid();
|
|
__u32 pid = pid_tgid >> 32;
|
|
__u32 tid = (__u32)pid_tgid;
|
|
int exit_code;
|
|
struct task_struct *task;
|
|
struct event event = {};
|
|
|
|
if (target_pid && target_pid != pid)
|
|
return 0;
|
|
|
|
if (trace_by_process && pid != tid)
|
|
return 0;
|
|
|
|
task = (struct task_struct *)bpf_get_current_task();
|
|
exit_code = BPF_CORE_READ(task, exit_code);
|
|
if (trace_failed_only && exit_code == 0)
|
|
return 0;
|
|
|
|
event.start_time = BPF_CORE_READ(task, start_time);
|
|
event.exit_time = bpf_ktime_get_ns();
|
|
event.pid = pid;
|
|
event.tid = tid;
|
|
event.ppid = BPF_CORE_READ(task, real_parent, tgid);
|
|
event.sig = exit_code & 0xff;
|
|
event.exit_code = exit_code >> 8;
|
|
bpf_get_current_comm(event.comm, sizeof(event.comm));
|
|
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
|
|
return 0;
|
|
}
|
|
|
|
char LICENSE[] SEC("license") = "Dual BSD/GPL";
|