rocnikovy-projekt


process_exit.bpf.c (2780B)


      1 #include "vmlinux.h"
      2 #include <bpf/bpf_tracing.h>
      3 #include <bpf/bpf_helpers.h>
      4 #include "process_exit.h"
      5 
/*
 * Perf event array through which sched_process_exit() hands one
 * struct data_t record per exiting task to user space.
 * No max_entries is declared here; presumably the loader sizes the
 * map to the number of CPUs -- confirm against the user-space side.
 */
struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(__u32));
    __uint(value_size, sizeof(__u32));
} output SEC(".maps");
     11 
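/*
 * Tracepoint handler for sched:sched_process_exit.
 *
 * Builds one struct data_t snapshot of the exiting task (identity,
 * timing, CPU usage, context switches, block I/O, exit status) and
 * pushes it to user space through the `output` perf event array.
 *
 * Notes for consumers of these records:
 *  - Return values of bpf_probe_read_kernel() are not checked. On a
 *    failed read the helper zero-fills the destination, so a field
 *    that reads as 0 may mean "could not be read" rather than a real 0.
 *  - uid is taken from task->real_cred, not task->cred, so a task
 *    running with temporarily overridden credentials is still reported
 *    under its real_cred uid.
 *  - data.task (comm) can be changed by the process itself; treat it
 *    as a label, not as an identity to base detection decisions on.
 *  - ppid is real_parent->pid, i.e. the id of the parent *task*.
 *    NOTE(review): if the parent is a non-leader thread this differs
 *    from what getppid() would report (the parent's tgid) -- confirm
 *    which one the user-space side expects.
 *  - The tracepoint runs for every exiting task; compare pid and tgid
 *    to tell a thread exit from a thread-group leader exit.
 *
 * @param ctx  tracepoint context, passed through to the perf output helper.
 * @return always 0.
 */
SEC("tracepoint/sched/sched_process_exit")
int sched_process_exit(void* ctx)
{
    struct task_struct* task = (typeof(task))bpf_get_current_task();
    /* NOTE(review): `= {}` zeroes the members; if struct data_t has
     * padding, confirm it is cleared as well before it is copied out. */
    struct data_t data = {};

    bpf_probe_read_kernel(&data.start_time, sizeof(data.start_time), &task->start_time);
    /* The original ended this statement with ',' instead of ';', which
     * chained it to the next call through the comma operator. */
    data.exit_time = bpf_ktime_get_ns();
    bpf_probe_read_kernel(&data.utime, sizeof(data.utime), &task->utime);
    bpf_probe_read_kernel(&data.stime, sizeof(data.stime), &task->stime);
    bpf_probe_read_kernel(&data.tgid, sizeof(data.tgid), &task->tgid);
    bpf_probe_read_kernel(&data.pid, sizeof(data.pid), &task->pid);

    /* Two-step read: fetch the pointer first, then the field behind it. */
    struct task_struct* real_parent = NULL;
    bpf_probe_read_kernel(&real_parent, sizeof(real_parent), &task->real_parent);
    bpf_probe_read_kernel(&data.ppid, sizeof(data.ppid), &real_parent->pid);

    struct cred* real_cred = NULL;
    bpf_probe_read_kernel(&real_cred, sizeof(real_cred), &task->real_cred);
    bpf_probe_read_kernel(&data.uid, sizeof(data.uid), &real_cred->uid);

    bpf_probe_read_kernel(&data.exit_code, sizeof(data.exit_code), &task->exit_code);
    bpf_probe_read_kernel(&data.exit_signal, sizeof(data.exit_signal), &task->exit_signal);
    bpf_probe_read_kernel(&data.nvcsw, sizeof(data.nvcsw), &task->nvcsw);
    bpf_probe_read_kernel(&data.nivcsw, sizeof(data.nivcsw), &task->nivcsw);

    /* Counters kept in the shared signal_struct. */
    struct signal_struct* sig = NULL;
    bpf_probe_read_kernel(&sig, sizeof(sig), &task->signal);
    bpf_probe_read_kernel(&data.cutime, sizeof(data.cutime), &sig->cutime);
    bpf_probe_read_kernel(&data.cstime, sizeof(data.cstime), &sig->cstime);
    bpf_probe_read_kernel(&data.inblock, sizeof(data.inblock), &sig->inblock);
    bpf_probe_read_kernel(&data.oublock, sizeof(data.oublock), &sig->oublock);
    bpf_probe_read_kernel(&data.cinblock, sizeof(data.cinblock), &sig->cinblock);
    bpf_probe_read_kernel(&data.coublock, sizeof(data.coublock), &sig->coublock);

    /*
     * task_struct embeds its struct task_io_accounting by value (it is
     * not a pointer member). The original code copied the first bytes
     * of that struct into a pointer variable and then dereferenced it,
     * so the two reads below targeted an arbitrary address and the byte
     * counts never reflected the task. Read the members in place.
     */
    __u64 read = 0;
    __u64 written = 0;
    bpf_probe_read_kernel(&read, sizeof(read), &task->ioac.read_bytes);
    bpf_probe_read_kernel(&written, sizeof(written), &task->ioac.write_bytes);
    /* Bytes -> 512-byte blocks, added on top of the signal_struct totals. */
    data.inblock += read >> 9;
    data.oublock += written >> 9;

    bpf_get_current_comm(&data.task, sizeof(data.task));

    /* The helper's result is ignored: if the per-CPU buffer is full the
     * record is dropped here without any trace on the BPF side, so the
     * reader should account for lost samples on its end. */
    bpf_perf_event_output(ctx, &output, BPF_F_CURRENT_CPU,
                          &data, sizeof(data));

    return 0;
}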
     63 
/* License string placed in the "license" ELF section. The kernel only
 * lets programs that declare a GPL-compatible license call GPL-only
 * helpers such as bpf_probe_read_kernel(), which this program uses. */
char LICENSE[] SEC("license") = "Dual BSD/GPL";