Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update killsnoop to use tracepoints #3592

Open
brendangregg opened this issue Aug 27, 2021 · 7 comments
Open

update killsnoop to use tracepoints #3592

brendangregg opened this issue Aug 27, 2021 · 7 comments
Assignees
@irenge
Labels
help wanted

Comments

@brendangregg
Copy link
Member

This is a request for help.

I wrote killsnoop back in 2015 before tracepoint support, and so I kprobe'd sys_kill(). It still does some derivation of that. But now there's a report it no longer works on Linux 5.11: #3572 (comment) CC @chenhengqi

Can someone please update killsnoop (both Python and libbpf-tools) to use tracepoints instead of kprobes (if it works as expected). All of these:

  syscalls:sys_enter_kill                            [Tracepoint event]
  syscalls:sys_enter_tgkill                          [Tracepoint event]
  syscalls:sys_enter_tkill                           [Tracepoint event]
  syscalls:sys_exit_kill                             [Tracepoint event]
  syscalls:sys_exit_tgkill                           [Tracepoint event]
  syscalls:sys_exit_tkill                            [Tracepoint event]
This was referenced Aug 27, 2021
Open
Merged
@chenhengqi
Copy link
Collaborator

I made a mistake. I think the behavior of killsnoop.py is correct.

The manpage of kill(2) has the following description:

If sig is 0, then no signal is sent, but existence and permission checks are still  performed;  this  can  be
used to check for the existence of a process ID or process group ID that the caller is permitted to signal.

And using strace also confirmed this:

kill(1240, 0)                           = -1 EPERM (Operation not permitted)
kill(2733, 0)                           = -1 EPERM (Operation not permitted)
kill(1396, 0)                           = 0
kill(11199, 0)                          = -1 EPERM (Operation not permitted)
kill(685, 0)                            = -1 EPERM (Operation not permitted)
kill(757, 0)                            = 0
kill(1449, 0)                           = -1 EPERM (Operation not permitted)
kill(839, 0)                            = 0
kill(686, 0)                            = -1 EPERM (Operation not permitted)
kill(715, 0)                            = -1 EPERM (Operation not permitted)
kill(721, 0)                            = 0
kill(1148, 0)                           = -1 EPERM (Operation not permitted)
kill(1168, 0)                           = -1 EPERM (Operation not permitted)
kill(754, 0)                            = 0
kill(758, 0)                            = 0
kill(1173, 0)                           = -1 EPERM (Operation not permitted)
kill(8680, 0)                           = -1 EPERM (Operation not permitted)
kill(11327, 0)                          = -1 EPERM (Operation not permitted)
kill(1162, 0)                           = -1 EPERM (Operation not permitted)
kill(38592, 0)                          = -1 EPERM (Operation not permitted)

chenhengqi added a commit to chenhengqi/bcc that referenced this issue Aug 29, 2021
@chenhengqi
bcc/tools: Update killsnoop to use tracepoints
504b7eb 
As suggested by @brendangregg in iovisor#3592, update killsnoop
to use tracepoints. This commit adds kill/tkill/tgkill as
tracing targets using tracepoints. The output looks the
same as using kprobe:

sudo ./killsnoop.py
TIME      PID    COMM             SIG  TPID   RESULT
00:17:54  151828 code             0    11326  0
00:17:54  151828 code             0    11326  0
00:17:54  834    containerd       23   40277  0

Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
@chenhengqi chenhengqi mentioned this issue Aug 29, 2021
Open
@brendangregg
Copy link
Member Author

Yeah, the 0 signal (which has no name) is valid and used by a lot of software, and should be shown by killsnoop/sigsnoop.

chenhengqi added a commit to chenhengqi/bcc that referenced this issue Aug 30, 2021
@chenhengqi
bcc/tools: Update killsnoop to use tracepoints
7b6e429 
As suggested by @brendangregg in iovisor#3592, update killsnoop
to use tracepoints. This commit adds kill/tkill/tgkill as
tracing targets using tracepoints and a new option which
allows print signal name instead of signal number. The output
looks the same as using kprobe:

sudo ./killsnoop.py
TIME      PID    COMM             SIG  TPID   RESULT
00:17:54  151828 code             0    11326  0
00:17:54  151828 code             0    11326  0
00:17:54  834    containerd       23   40277  0

Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
chenhengqi added a commit to chenhengqi/bcc that referenced this issue Sep 1, 2021
@chenhengqi
bcc/tools: Update killsnoop to use tracepoints
c9adfc8 
As suggested by @brendangregg in iovisor#3592, update killsnoop
to use tracepoints. This commit adds kill/tkill/tgkill as
tracing targets using tracepoints and a new option which
allows print signal name instead of signal number. The output
looks the same as using kprobe:

sudo ./killsnoop.py
TIME      PID    COMM             SIG  TPID   RESULT
00:17:54  151828 code             0    11326  0
00:17:54  151828 code             0    11326  0
00:17:54  834    containerd       23   40277  0

Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
@irenge
Copy link

irenge commented Aug 30, 2022

is the issue closed ? im looking for issue to work on

@chenhengqi
Copy link
Collaborator

@irenge Just assign it to you.

@irenge
Copy link

irenge commented Sep 9, 2022

Thanks, I will work on it

@matthew-olson-intel
Copy link
Contributor

As far as a libbpf implementation of killsnoop with tracepoints, I've noticed that sigsnoop (which uses tracepoints) implements that functionality with -k, so that's covered.

@brendangregg
Copy link
Member Author

Thanks, so:

  • libbpf-tools: this is done as killsnoop is a symlink to sigsnoop, and sigsnoop.c checks the comm field and behaves as killsnoop if it was invoked as it.
  • killsnoop.py: this hasn't been done yet, and we haven't officially EOL'd the Python versions yet, so there's still time to fix this to be tracepoints.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@irenge irenge

Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@brendangregg @irenge @chenhengqi @matthew-olson-intel