#!/usr/bin/env bpftrace
/**
* See the implementations of forksnoop.bt and execsnoop.bt. This is just a
* combination of those two.
*/
#include <linux/sched.h>
// Column header. TIME is the time since the script started (bpftrace's
// `elapsed`), LAT is the per-event latency; both are printed in microseconds.
// PTID/RETV is shared: CHILD rows show the parent's tid, PARNT rows the
// clone() return value.
BEGIN {
  printf("%-7s %-5s ", "TIME(μs)", "TYPE");
  printf("%-8s %-8s %-13s %-7s %-15s\n", "PID", "TID", "PTID/RETV", "LAT(μs)", "COMM");
}
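// Entry of clone() for process creation. Thread creation (CLONE_THREAD) is
// excluded in the predicate, so only fork-like clones are timed and reported.
//
// $1 is the first positional parameter (e.g. `forkexecsnoop.bt 1`); any value
// >= 1 turns on a verbose CLONE row with the decoded clone_flags. It is 0 when
// the script is run without arguments.
//
// NOTE(review): only the `clone` syscall is hooked here; process creation that
// goes through clone3/fork/vfork syscalls (depends on the libc and kernel in
// use) is not seen by this script — confirm coverage on the target system.
tracepoint:syscalls:sys_enter_clone /(args->clone_flags & CLONE_THREAD) == 0/ {
  // Take the start timestamps first: they are keyed by the calling thread's
  // tid and consumed by the CHILD/PARNT exit probes. Recording them before the
  // verbose output keeps the cost of the printf()s below out of the LAT column.
  @startforkparent[tid] = nsecs;
  @startforkchild[tid] = nsecs;

  if ($1 >= 1) {
    printf("%-7u ", elapsed / 1000);
    printf("CLONE %-8d %-8d %-13s %-7s %-15s",
      pid,
      tid,
      "N/A", // no child yet
      "N/A", // latency is only known at exit
      comm
    );
    // Decode clone_flags one flag per line. The CLONE_NEW* namespace flags and
    // CLONE_PTRACE are the ones worth watching when auditing unexpected
    // sandbox/container setup by a process.
    $flags = args->clone_flags;
    printf(" flags=(");
    if ($flags & CLONE_CHILD_CLEARTID) { printf("CLONE_CHILD_CLEARTID|"); }
    if ($flags & CLONE_CHILD_SETTID) { printf("CLONE_CHILD_SETTID|"); }
    if ($flags & CLONE_FILES) { printf("CLONE_FILES|"); }
    // CLONE_FS is intentionally not decoded (left disabled by the original
    // author; reason not recorded here).
    // if ($flags & CLONE_FS) { printf("CLONE_FS|"); }
    if ($flags & CLONE_IO) { printf("CLONE_IO|"); }
    if ($flags & CLONE_NEWCGROUP) { printf("CLONE_NEWCGROUP|"); }
    if ($flags & CLONE_NEWIPC) { printf("CLONE_NEWIPC|"); }
    if ($flags & CLONE_NEWNET) { printf("CLONE_NEWNET|"); }
    if ($flags & CLONE_NEWNS) { printf("CLONE_NEWNS|"); }
    if ($flags & CLONE_NEWPID) { printf("CLONE_NEWPID|"); }
    if ($flags & CLONE_NEWUSER) { printf("CLONE_NEWUSER|"); }
    if ($flags & CLONE_NEWUTS) { printf("CLONE_NEWUTS|"); }
    if ($flags & CLONE_PARENT) { printf("CLONE_PARENT|"); }
    if ($flags & CLONE_PARENT_SETTID) { printf("CLONE_PARENT_SETTID|"); }
    if ($flags & CLONE_PTRACE) { printf("CLONE_PTRACE|"); }
    if ($flags & CLONE_SETTLS) { printf("CLONE_SETTLS|"); }
    if ($flags & CLONE_SIGHAND) { printf("CLONE_SIGHAND|"); }
    if ($flags & CLONE_SYSVSEM) { printf("CLONE_SYSVSEM|"); }
    if ($flags & CLONE_THREAD) { printf("CLONE_THREAD|"); } // never set here (see predicate), kept for completeness
    if ($flags & CLONE_UNTRACED) { printf("CLONE_UNTRACED|"); }
    if ($flags & CLONE_VFORK) { printf("CLONE_VFORK|"); }
    if ($flags & CLONE_VM) { printf("CLONE_VM|"); }
    printf(")\n");
  }
}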
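// Child side of a successful clone(): ret == 0 in the newly created task.
// Threads never match because the entry probe skips CLONE_THREAD clones, so
// no @startforkchild entry exists for them.
//
// The entry timestamp is keyed by the cloning thread's tid, which is
// task_struct->pid of the child's real parent. real_parent is used instead of
// parent: while a task is ptraced (e.g. under `strace -f`) the kernel points
// ->parent at the tracer, so a lookup through it misses and leaves the entry
// behind. Clones made with CLONE_PARENT (real_parent is the caller's own
// parent) are still not matched here.
tracepoint:syscalls:sys_exit_clone /args->ret == 0 && @startforkchild[curtask->real_parent->pid]/ {
  $ptid = curtask->real_parent->pid; // task_struct->pid is the tid of the cloning thread.
  printf("%-7u ", elapsed / 1000);
  printf("CHILD %-8d %-8d ptid=%-8d %-7d %-15s\n",
    pid,
    tid,
    $ptid,
    (nsecs - @startforkchild[$ptid]) / 1000, // latency since the parent's clone() entry, in μs
    comm
  );
  delete(@startforkchild[$ptid]);
}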
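// Parent side of a successful clone(): ret > 0 is the new child's pid as seen
// by the caller. Thread clones never reach the entry map, so they are not
// reported here either.
tracepoint:syscalls:sys_exit_clone /args->ret > 0 && @startforkparent[tid]/ {
  printf("%-7u ", elapsed / 1000);
  printf("PARNT %-8d %-8d retv=%-8d %-7d %-15s\n",
    pid,
    tid,
    args->ret,
    (nsecs - @startforkparent[tid]) / 1000, // latency since clone() entry, in μs
    comm
  );
  delete(@startforkparent[tid]);
}
// Failed clone() (ret < 0, a negative errno): no child will ever fire the
// CHILD probe and the PARNT probe above does not match, so both entry
// timestamps must be dropped here. Without this every failed clone (EAGAIN,
// ENOMEM, ...) leaves two stale map entries behind until the maps fill up,
// after which new events are silently lost.
tracepoint:syscalls:sys_exit_clone /args->ret < 0 && @startforkparent[tid]/ {
  delete(@startforkparent[tid]);
  delete(@startforkchild[tid]);
}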
// Entry of execve(): remember when it started and which file was requested,
// both keyed by the calling thread's tid for the exit probe.
// str() copies the caller-supplied path as passed (not resolved, and cut at
// bpftrace's string length), so it records what the caller asked for, not
// necessarily the image that ends up running.
tracepoint:syscalls:sys_enter_execve {
  @start[tid] = nsecs;
  @argvs[tid] = str(args->filename);
}
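// Exit of execve(). The entry probe keys @start/@argvs by tid, so the
// predicate looks up by tid as well; the previous `@start[pid]` only matched
// for the thread-group leader and left the entries of other threads behind.
// Latency is measured from execve() entry.
//
// NOTE(review): on a successful execve from a non-leader thread the kernel
// makes that thread take over the leader's pid/tid, so its entry record
// (keyed by the old tid) is not found here and is left behind — confirm
// whether that case matters for the intended use.
tracepoint:syscalls:sys_exit_execve /@start[tid]/ {
  printf("%-7u ", elapsed / 1000);
  // TYPE column is 5 wide plus a space, hence two spaces after "EXEC" so the
  // row lines up with CLONE/CHILD/PARNT. args->ret is 0 on success; on failure
  // nothing was executed and the negative errno is shown in the PTID/RETV
  // column, so failed exec attempts are visible instead of being masked by
  // a constant "N/A".
  printf("EXEC  %-8d %-8d retv=%-8d %-7d %-15s\n",
    pid,
    tid,
    args->ret,
    (nsecs - @start[tid]) / 1000, // latency since execve() entry, in μs
    @argvs[tid] // requested path as recorded at entry
  );
  delete(@argvs[tid]);
  delete(@start[tid]);
}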