[tools/execsnoop] Try to get parent PID from current task's real parent. #1885
Conversation
|
Given what you said in #1883 , have you tested in another Kernel to make sure the BPF part works? Also, please update the |
|
[buildbot, ok to test] |
tools/execsnoop.py
Outdated
| task = (struct task_struct *)bpf_get_current_task(); | ||
| bpf_probe_read(&real_parent_task, sizeof(real_parent_task), &task->real_parent); | ||
| bpf_probe_read(&ppid, sizeof(ppid), &real_parent_task->tgid); | ||
| data.ppid = ppid; |
There was a problem hiding this comment.
You shouldn't need explicit calls to bpf_probe_read here:
daat.ppid = task->real_parent->tgid;bcc will handle the rewrite.
There was a problem hiding this comment.
ok, good to know, I tried that too and got similar results.
There was a problem hiding this comment.
Yep, that wouldn't change the issue with the parent PID. It translates to the same bytecode.
tools/execsnoop.py
Outdated
| task = (struct task_struct *)bpf_get_current_task(); | ||
| bpf_probe_read(&real_parent_task, sizeof(real_parent_task), &task->real_parent); | ||
| bpf_probe_read(&ppid, sizeof(ppid), &real_parent_task->tgid); | ||
| data.ppid = ppid; |
calavera
force-pushed
the
execsnoop_real_parent
branch
from
fdd9cc9
to
26025e2
Compare
Fallback to read the PPid from /proc if the real parent's TGID is 0. Signed-off-by: David Calavera <[email protected]>
calavera
force-pushed
the
execsnoop_real_parent
branch
from
26025e2
to
020bcd4
Compare
Signed-off-by: David Calavera <[email protected]>
|
Thanks for getting this done. Any further info on the kernel versions where task->real_parent->tgip sometimes returns zero? Just want to understand that caveat as I'm sure I'll run into it in the future too. |
|
I know for sure that 4.13.0-46-generic returns 0. I just tested 4.17.5 and it returns the real parent PID |
|
If you want to wait before merging this, I can test 4.14, 4.15 and 4.16 to have the minimum version that works. It might be good to have that information in the docs. I can also open an new PR with docs if you point me to the best place to have that kind of information. |
|
Since you're the first person to do ppid properly, I think people will copy-n-paste your code everywhere. So I'd put a comment with the code at least. :-) |
|
@calavera Thanks! I think it is not a minimum version, only 4.13 (and maybe 4.14) would have the problem and earlier Kernels should be fine as well. Is your Kernel the Ubuntu mainline 4.13? I will try debug see why the temporary fix didn't work~ |
Signed-off-by: David Calavera <[email protected]>
|
@brendangregg I've added an inline comment referencing the original issue I opened. |
|
It looks like the kernel that Jenkins use for tests in Xenial is too old and doesn't include |
@calavera You'll have to add a precondition to the test in the same way as |
bpf_get_current_task is only available in 4.8 and above. Signed-off-by: David Calavera <[email protected]>
|
Updated, thanks @pchaigno |
|
LGTM, thanks |
Fallback to read the PPid from /proc if the real parent's TGID is 0.
Related to #1883
Signed-off-by: David Calavera [email protected]