Add arg for filtering on signal

yezhengmao1 · May 26, 2020 · 076a354 · 076a354
1 parent ec64e6a
commit 076a354
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/tools/killsnoop.py b/tools/killsnoop.py
@@ -23,6 +23,7 @@
  ./killsnoop # trace all kill() signals
  ./killsnoop -x # only show failed kills
  ./killsnoop -p 181 # only trace PID 181
+ ./killsnoop -s 13 # only trace signal 13
 """
 parser = argparse.ArgumentParser(
  description="Trace signals issued by the kill() syscall",
@@ -32,6 +33,8 @@
  help="only show failed kill syscalls")
 parser.add_argument("-p", "--pid",
  help="trace this PID only")
+parser.add_argument("-s", "--signal",
+ help="trace this signal only")
 parser.add_argument("--ebpf", action="store_true",
  help=argparse.SUPPRESS)
 args = parser.parse_args()
@@ -63,7 +66,8 @@
 int syscall__kill(struct pt_regs *ctx, int tpid, int sig)
 {
  u32 pid = bpf_get_current_pid_tgid();
- FILTER
+ PID_FILTER
+ SIGNAL_FILTER
 
  struct val_t val = {.pid = pid};
  if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
@@ -100,10 +104,15 @@
 }
 """
 if args.pid:
- bpf_text = bpf_text.replace('FILTER',
+ bpf_text = bpf_text.replace('PID_FILTER',
  'if (pid != %s) { return 0; }' % args.pid)
 else:
- bpf_text = bpf_text.replace('FILTER', '')
+ bpf_text = bpf_text.replace('PID_FILTER', '')
+if args.signal:
+ bpf_text = bpf_text.replace('SIGNAL_FILTER',
+ 'if (sig != %s) { return 0; }' % args.signal)
+else:
+ bpf_text = bpf_text.replace('SIGNAL_FILTER', '')
 if debug or args.ebpf:
  print(bpf_text)
  if args.ebpf: