diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
index f34c7df0..2b26dbab 100644
--- a/GPL/Events/Process/Probe.bpf.c
+++ b/GPL/Events/Process/Probe.bpf.c
@@ -195,24 +195,20 @@ int BPF_PROG(sched_process_exec,
 // The problem is taskstats_exit__enter happens before file descriptors are
 // closed in exit_files(), so instead of emiting the event here, record that we
 // saw group_dead and delay emiting the event until sched_process_exit().
-static int taskstats_exit__enter(const struct task_struct *task, int group_dead)
-{
- struct ebpf_events_state state = {};
-
- if (!group_dead || is_kernel_thread(task))
- return 0;
-
- ebpf_events_state__set(EBPF_EVENTS_STATE_GROUP_DEAD, &state);
-
- return 0;
-}
-
-SEC("tp_btf/sched_process_exit")
-int BPF_PROG(sched_process_exit, const struct task_struct *task)
+//
+// UPDATE: taskstats_exit can be compiled out of the kernel based on
+// configuration. So, instead we use disassociate_ctty (guarded by CONFIG_TTY),
+// which is hopefully less common of being compiled out. disassociate_ctty is
+// called from do_exit() only when group_dead is true, and in that case,
+// the parameter, on_exit, is set to true, and we can use current to populate
+// event data. Finally, sched_process_exit() is not called after exit_files,
+// but disassociate_ctty is.
+static int disassociate_ctty__enter(int on_exit)
 {
+ const struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 struct ebpf_process_exit_event *event;

- if (ebpf_events_state__get(EBPF_EVENTS_STATE_GROUP_DEAD) == NULL)
+ if (!on_exit || is_kernel_thread(task))
 return 0;

 event = get_event_buffer();
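Review bot: The three context lines at the top of the hunk still describe the design this commit removes ("record that we saw group_dead and delay emiting the event until sched_process_exit()"), so the comment now contradicts itself until the reader reaches the UPDATE paragraph; rewrite the header as one description of the current behaviour instead of appending a correction, e.g. `// disassociate_ctty(1) is reached from do_exit() only when group_dead is set and after exit_files(), so the exit event is emitted here using current.` The new `if (!on_exit || is_kernel_thread(task))` guard looks right for the do_exit() call site, but the hook is now a hard dependency on a CONFIG_TTY symbol with no fallback, which is a change worth stating in the comment so the next reader knows exit events are simply lost on kernels where the attach fails rather than deferred. The body of disassociate_ctty__enter continues past the end of the hunk.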
@@ -247,16 +243,16 @@ int BPF_PROG(sched_process_exit, const struct task_struct *task)
 return 0;
 }

-SEC("fentry/taskstats_exit")
-int BPF_PROG(fentry__taskstats_exit, const struct task_struct *task, int group_dead)
+SEC("fentry/disassociate_ctty")
+int BPF_PROG(fentry__disassociate_ctty, int on_exit)
 {
- return taskstats_exit__enter(task, group_dead);
+ return disassociate_ctty__enter(on_exit);
 }

-SEC("kprobe/taskstats_exit")
-int BPF_KPROBE(kprobe__taskstats_exit, const struct task_struct *task, int group_dead)
+SEC("kprobe/disassociate_ctty")
+int BPF_KPROBE(kprobe__disassociate_ctty, int on_exit)
 {
- return taskstats_exit__enter(task, group_dead);
+ return disassociate_ctty__enter(on_exit);
 }

 // tracepoint/syscalls/sys_[enter/exit]_[name] tracepoints are not available
diff --git a/GPL/Events/State.h b/GPL/Events/State.h
index cf23e58e..82197bc4 100644
--- a/GPL/Events/State.h
+++ b/GPL/Events/State.h
@@ -21,7 +21,6 @@ enum ebpf_events_state_op {
 EBPF_EVENTS_STATE_WRITE = 7,
 EBPF_EVENTS_STATE_WRITEV = 8,
 EBPF_EVENTS_STATE_CHOWN = 9,
- EBPF_EVENTS_STATE_GROUP_DEAD = 10,
 };

 struct ebpf_events_key {
@@ -92,7 +91,6 @@ struct ebpf_events_state {
 struct ebpf_events_write_state write;
 struct ebpf_events_writev_state writev;
 struct ebpf_events_chown_state chown;
- /* struct ebpf_events_group_dead group_dead; nada */
 };
 };

diff --git a/non-GPL/Events/Lib/EbpfEvents.c b/non-GPL/Events/Lib/EbpfEvents.c
index 90062a79..ffb39a0c 100644
--- a/non-GPL/Events/Lib/EbpfEvents.c
+++ b/non-GPL/Events/Lib/EbpfEvents.c
@@ -381,7 +381,7 @@ static int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj, uint6
 err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__do_filp_open, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kprobe__vfs_rename, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__vfs_rename, false);
- err = err ?: bpf_program__set_autoload(obj->progs.kprobe__taskstats_exit, false);
+ err = err ?: bpf_program__set_autoload(obj->progs.kprobe__disassociate_ctty, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kprobe__commit_creds, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__inet_csk_accept, false);
 err = err ?: bpf_program__set_autoload(obj->progs.kprobe__tcp_v4_connect, false);
@@ -403,7 +403,7 @@ static int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj, uint6
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__do_filp_open, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fentry__vfs_rename, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__vfs_rename, false);
- err = err ?: bpf_program__set_autoload(obj->progs.fentry__taskstats_exit, false);
+ err = err ?: bpf_program__set_autoload(obj->progs.fentry__disassociate_ctty, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fentry__commit_creds, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__inet_csk_accept, false);
 err = err ?: bpf_program__set_autoload(obj->progs.fexit__tcp_v4_connect, false);
@@ -473,7 +473,7 @@ static bool system_has_bpf_tramp(void) {.code = BPF_EXIT | BPF_JMP, .dst_reg = 0, .src_reg = 0, .off = 0, .imm = 0}}; int insns_cnt = 2; - btf_id = btf__find_by_name(btf, "taskstats_exit"); + btf_id = btf__find_by_name(btf, "disassociate_ctty"); LIBBPF_OPTS(bpf_prog_load_opts, opts, .log_buf = NULL, .log_level = 0, .expected_attach_type = BPF_TRACE_FENTRY, .attach_btf_id = btf_id); prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACING, NULL, "GPL", insns, insns_cnt, &opts);
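Review bot: The new `btf_id = btf__find_by_name(btf, "disassociate_ctty");` is passed straight into `.attach_btf_id` without checking for a negative result, so on a kernel built without CONFIG_TTY the trial load fails because the symbol is missing, not because trampolines are unsupported; if the surrounding function reports any load failure as "no bpf trampoline" (its return handling is outside the hunk), such a kernel would be misdiagnosed and silently steered to a kprobe on the same absent symbol. Separate the two cases before building the opts, e.g. `if (btf_id < 0) { /* symbol absent: not an answer about trampoline support */ return false; }` together with a log line naming the missing function, and consider pointing this capability probe at a function that is not configuration-dependent, since it only needs some fentry-attachable BTF function and need not match the real probe target. The enclosing system_has_bpf_tramp() starts and ends outside the hunk.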