1 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
2 /* Copyright (c) 2021 Hengqi Chen */
3 #include <vmlinux.h>
4 #include <bpf/bpf_helpers.h>
5 #include <bpf/bpf_core_read.h>
6 #include "exitsnoop.h"
7
8 const volatile pid_t target_pid = 0;
9 const volatile bool trace_failed_only = false;
10 const volatile bool trace_by_process = true;
11
12 struct {
13 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
14 __uint(key_size, sizeof(__u32));
15 __uint(value_size, sizeof(__u32));
16 } events SEC(".maps");
17
18 SEC("tracepoint/sched/sched_process_exit")
sched_process_exit(void * ctx)19 int sched_process_exit(void *ctx)
20 {
21 __u64 pid_tgid = bpf_get_current_pid_tgid();
22 __u32 pid = pid_tgid >> 32;
23 __u32 tid = (__u32)pid_tgid;
24 int exit_code;
25 struct task_struct *task;
26 struct event event = {};
27
28 if (target_pid && target_pid != pid)
29 return 0;
30
31 if (trace_by_process && pid != tid)
32 return 0;
33
34 task = (struct task_struct *)bpf_get_current_task();
35 exit_code = BPF_CORE_READ(task, exit_code);
36 if (trace_failed_only && exit_code == 0)
37 return 0;
38
39 event.start_time = BPF_CORE_READ(task, start_time);
40 event.exit_time = bpf_ktime_get_ns();
41 event.pid = pid;
42 event.tid = tid;
43 event.ppid = BPF_CORE_READ(task, real_parent, tgid);
44 event.sig = exit_code & 0xff;
45 event.exit_code = exit_code >> 8;
46 bpf_get_current_comm(event.comm, sizeof(event.comm));
47 bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
48 return 0;
49 }
50
51 char LICENSE[] SEC("license") = "Dual BSD/GPL";
52