blob: 89ea5cd934ea40df1e9da565fed0bfaa44d81e2a [file] [log] [blame]
Brendan Greggd9e578b2015-09-21 11:59:42 -07001#!/usr/bin/python
Alexei Starovoitovbdf07732016-01-14 10:09:20 -08002# @lint-avoid-python-3-compatibility-imports
Brendan Greggd9e578b2015-09-21 11:59:42 -07003#
Alexei Starovoitovbdf07732016-01-14 10:09:20 -08004# killsnoop Trace signals issued by the kill() syscall.
5# For Linux, uses BCC, eBPF. Embedded C.
Brendan Greggd9e578b2015-09-21 11:59:42 -07006#
Junli Ou5eee5ff2016-08-13 17:12:45 +08007# USAGE: killsnoop [-h] [-x] [-p PID]
Brendan Greggd9e578b2015-09-21 11:59:42 -07008#
9# Copyright (c) 2015 Brendan Gregg.
10# Licensed under the Apache License, Version 2.0 (the "License")
11#
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080012# 20-Sep-2015 Brendan Gregg Created this.
mcaleavyaf5c40cb2016-02-19 23:02:39 +000013# 19-Feb-2016 Allan McAleavy migrated to BPF_PERF_OUTPUT
Brendan Greggd9e578b2015-09-21 11:59:42 -070014
15from __future__ import print_function
16from bcc import BPF
Brenden Blancoe8001c32018-07-23 08:15:56 -070017from bcc.utils import ArgString, printb
Brendan Greggd9e578b2015-09-21 11:59:42 -070018import argparse
Junli Ou5eee5ff2016-08-13 17:12:45 +080019from time import strftime
mcaleavyaf5c40cb2016-02-19 23:02:39 +000020import ctypes as ct
Brendan Greggd9e578b2015-09-21 11:59:42 -070021
22# arguments
23examples = """examples:
24 ./killsnoop # trace all kill() signals
Brendan Greggd9e578b2015-09-21 11:59:42 -070025 ./killsnoop -x # only show failed kills
26 ./killsnoop -p 181 # only trace PID 181
27"""
28parser = argparse.ArgumentParser(
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080029 description="Trace signals issued by the kill() syscall",
30 formatter_class=argparse.RawDescriptionHelpFormatter,
31 epilog=examples)
Brendan Greggd9e578b2015-09-21 11:59:42 -070032parser.add_argument("-x", "--failed", action="store_true",
Chris Down8ddcbdf2016-07-13 15:18:35 +010033 help="only show failed kill syscalls")
Brendan Greggd9e578b2015-09-21 11:59:42 -070034parser.add_argument("-p", "--pid",
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080035 help="trace this PID only")
Nathan Scottcf0792f2018-02-02 16:56:50 +110036parser.add_argument("--ebpf", action="store_true",
37 help=argparse.SUPPRESS)
Brendan Greggd9e578b2015-09-21 11:59:42 -070038args = parser.parse_args()
39debug = 0
40
41# define BPF program
42bpf_text = """
43#include <uapi/linux/ptrace.h>
mcaleavyaf5c40cb2016-02-19 23:02:39 +000044#include <linux/sched.h>
45
46struct val_t {
47 u64 pid;
mcaleavya6262f5d2016-02-19 23:48:20 +000048 int sig;
49 int tpid;
mcaleavyaf5c40cb2016-02-19 23:02:39 +000050 char comm[TASK_COMM_LEN];
51};
52
53struct data_t {
54 u64 pid;
Brendan Gregg12989982016-09-14 08:15:09 -070055 int tpid;
mcaleavyaf5c40cb2016-02-19 23:02:39 +000056 int sig;
57 int ret;
mcaleavyaf5c40cb2016-02-19 23:02:39 +000058 char comm[TASK_COMM_LEN];
59};
Brendan Greggd9e578b2015-09-21 11:59:42 -070060
mcaleavyaf5c40cb2016-02-19 23:02:39 +000061BPF_HASH(infotmp, u32, struct val_t);
62BPF_PERF_OUTPUT(events);
Brendan Greggd9e578b2015-09-21 11:59:42 -070063
yonghong-song2da34262018-06-13 06:12:22 -070064int syscall__kill(struct pt_regs *ctx, int tpid, int sig)
Brendan Greggd9e578b2015-09-21 11:59:42 -070065{
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080066 u32 pid = bpf_get_current_pid_tgid();
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080067 FILTER
Brendan Gregg12989982016-09-14 08:15:09 -070068
69 struct val_t val = {.pid = pid};
mcaleavyaf5c40cb2016-02-19 23:02:39 +000070 if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
mcaleavya6262f5d2016-02-19 23:48:20 +000071 val.tpid = tpid;
72 val.sig = sig;
mcaleavyaf5c40cb2016-02-19 23:02:39 +000073 infotmp.update(&pid, &val);
74 }
Brendan Greggd9e578b2015-09-21 11:59:42 -070075
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080076 return 0;
Brendan Greggd9e578b2015-09-21 11:59:42 -070077};
78
Yonghong Song64335692018-04-25 00:40:13 -070079int do_ret_sys_kill(struct pt_regs *ctx)
Brendan Greggd9e578b2015-09-21 11:59:42 -070080{
mcaleavyaf5c40cb2016-02-19 23:02:39 +000081 struct data_t data = {};
82 struct val_t *valp;
Alexei Starovoitovbdf07732016-01-14 10:09:20 -080083 u32 pid = bpf_get_current_pid_tgid();
Brendan Greggd9e578b2015-09-21 11:59:42 -070084
mcaleavyaf5c40cb2016-02-19 23:02:39 +000085 valp = infotmp.lookup(&pid);
86 if (valp == 0) {
87 // missed entry
88 return 0;
89 }
90
91 bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
92 data.pid = pid;
mcaleavya6262f5d2016-02-19 23:48:20 +000093 data.tpid = valp->tpid;
Naveen N. Rao4afa96a2016-05-03 14:54:21 +053094 data.ret = PT_REGS_RC(ctx);
mcaleavya6262f5d2016-02-19 23:48:20 +000095 data.sig = valp->sig;
mcaleavyaf5c40cb2016-02-19 23:02:39 +000096
97 events.perf_submit(ctx, &data, sizeof(data));
98 infotmp.delete(&pid);
Brendan Greggd9e578b2015-09-21 11:59:42 -070099
Alexei Starovoitovbdf07732016-01-14 10:09:20 -0800100 return 0;
Brendan Greggd9e578b2015-09-21 11:59:42 -0700101}
102"""
103if args.pid:
Alexei Starovoitovbdf07732016-01-14 10:09:20 -0800104 bpf_text = bpf_text.replace('FILTER',
105 'if (pid != %s) { return 0; }' % args.pid)
Brendan Greggd9e578b2015-09-21 11:59:42 -0700106else:
Alexei Starovoitovbdf07732016-01-14 10:09:20 -0800107 bpf_text = bpf_text.replace('FILTER', '')
Nathan Scottcf0792f2018-02-02 16:56:50 +1100108if debug or args.ebpf:
Alexei Starovoitovbdf07732016-01-14 10:09:20 -0800109 print(bpf_text)
Nathan Scottcf0792f2018-02-02 16:56:50 +1100110 if args.ebpf:
111 exit()
Brendan Greggd9e578b2015-09-21 11:59:42 -0700112
113# initialize BPF
114b = BPF(text=bpf_text)
Yonghong Song64335692018-04-25 00:40:13 -0700115kill_fnname = b.get_syscall_fnname("kill")
yonghong-song2da34262018-06-13 06:12:22 -0700116b.attach_kprobe(event=kill_fnname, fn_name="syscall__kill")
Yonghong Song64335692018-04-25 00:40:13 -0700117b.attach_kretprobe(event=kill_fnname, fn_name="do_ret_sys_kill")
118
Brendan Greggd9e578b2015-09-21 11:59:42 -0700119
mcaleavyaf5c40cb2016-02-19 23:02:39 +0000120TASK_COMM_LEN = 16 # linux/sched.h
121
122class Data(ct.Structure):
123 _fields_ = [
124 ("pid", ct.c_ulonglong),
Brendan Gregg12989982016-09-14 08:15:09 -0700125 ("tpid", ct.c_int),
mcaleavyaf5c40cb2016-02-19 23:02:39 +0000126 ("sig", ct.c_int),
127 ("ret", ct.c_int),
mcaleavyaf5c40cb2016-02-19 23:02:39 +0000128 ("comm", ct.c_char * TASK_COMM_LEN)
129 ]
130
Brendan Greggd9e578b2015-09-21 11:59:42 -0700131# header
Junli Ou5eee5ff2016-08-13 17:12:45 +0800132print("%-9s %-6s %-16s %-4s %-6s %s" % (
133 "TIME", "PID", "COMM", "SIG", "TPID", "RESULT"))
Brendan Greggd9e578b2015-09-21 11:59:42 -0700134
mcaleavyaf5c40cb2016-02-19 23:02:39 +0000135# process event
136def print_event(cpu, data, size):
137 event = ct.cast(data, ct.POINTER(Data)).contents
Brendan Greggd9e578b2015-09-21 11:59:42 -0700138
Brendan Gregg12989982016-09-14 08:15:09 -0700139 if (args.failed and (event.ret >= 0)):
140 return
Brendan Greggd9e578b2015-09-21 11:59:42 -0700141
Brenden Blancoe8001c32018-07-23 08:15:56 -0700142 printb(b"%-9s %-6d %-16s %-4d %-6d %d" % (strftime("%H:%M:%S"),
143 event.pid, event.comm, event.sig, event.tpid, event.ret))
mcaleavyaf5c40cb2016-02-19 23:02:39 +0000144
145# loop with callback to print_event
146b["events"].open_perf_buffer(print_event)
147while 1:
Teng Qindbf00292018-02-28 21:47:50 -0800148 b.perf_buffer_poll()