1*387f9dfdSAndroid Build Coastguard Worker /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
2*387f9dfdSAndroid Build Coastguard Worker
3*387f9dfdSAndroid Build Coastguard Worker /*
4*387f9dfdSAndroid Build Coastguard Worker * exitsnoop Trace process termination.
5*387f9dfdSAndroid Build Coastguard Worker *
6*387f9dfdSAndroid Build Coastguard Worker * Copyright (c) 2021 Hengqi Chen
7*387f9dfdSAndroid Build Coastguard Worker *
8*387f9dfdSAndroid Build Coastguard Worker * Based on exitsnoop(8) from BCC by Arturo Martin-de-Nicolas & Jeroen Soeters.
9*387f9dfdSAndroid Build Coastguard Worker * 05-Aug-2021 Hengqi Chen Created this.
10*387f9dfdSAndroid Build Coastguard Worker */
11*387f9dfdSAndroid Build Coastguard Worker #include <argp.h>
12*387f9dfdSAndroid Build Coastguard Worker #include <errno.h>
13*387f9dfdSAndroid Build Coastguard Worker #include <signal.h>
14*387f9dfdSAndroid Build Coastguard Worker #include <string.h>
15*387f9dfdSAndroid Build Coastguard Worker #include <time.h>
16*387f9dfdSAndroid Build Coastguard Worker #include <fcntl.h>
17*387f9dfdSAndroid Build Coastguard Worker #include <unistd.h>
18*387f9dfdSAndroid Build Coastguard Worker
19*387f9dfdSAndroid Build Coastguard Worker #include <bpf/libbpf.h>
20*387f9dfdSAndroid Build Coastguard Worker #include <bpf/bpf.h>
21*387f9dfdSAndroid Build Coastguard Worker #include "exitsnoop.h"
22*387f9dfdSAndroid Build Coastguard Worker #include "exitsnoop.skel.h"
23*387f9dfdSAndroid Build Coastguard Worker #include "btf_helpers.h"
24*387f9dfdSAndroid Build Coastguard Worker #include "trace_helpers.h"
25*387f9dfdSAndroid Build Coastguard Worker
26*387f9dfdSAndroid Build Coastguard Worker #define PERF_BUFFER_PAGES 16
27*387f9dfdSAndroid Build Coastguard Worker #define PERF_POLL_TIMEOUT_MS 100
28*387f9dfdSAndroid Build Coastguard Worker #define warn(...) fprintf(stderr, __VA_ARGS__)
29*387f9dfdSAndroid Build Coastguard Worker
30*387f9dfdSAndroid Build Coastguard Worker static volatile sig_atomic_t exiting = 0;
31*387f9dfdSAndroid Build Coastguard Worker
32*387f9dfdSAndroid Build Coastguard Worker static bool emit_timestamp = false;
33*387f9dfdSAndroid Build Coastguard Worker static pid_t target_pid = 0;
34*387f9dfdSAndroid Build Coastguard Worker static bool trace_failed_only = false;
35*387f9dfdSAndroid Build Coastguard Worker static bool trace_by_process = true;
36*387f9dfdSAndroid Build Coastguard Worker static bool verbose = false;
37*387f9dfdSAndroid Build Coastguard Worker
38*387f9dfdSAndroid Build Coastguard Worker static struct env {
39*387f9dfdSAndroid Build Coastguard Worker char *cgroupspath;
40*387f9dfdSAndroid Build Coastguard Worker bool cg;
41*387f9dfdSAndroid Build Coastguard Worker } env;
42*387f9dfdSAndroid Build Coastguard Worker
43*387f9dfdSAndroid Build Coastguard Worker const char *argp_program_version = "exitsnoop 0.1";
44*387f9dfdSAndroid Build Coastguard Worker const char *argp_program_bug_address =
45*387f9dfdSAndroid Build Coastguard Worker "https://github.com/iovisor/bcc/tree/master/libbpf-tools";
46*387f9dfdSAndroid Build Coastguard Worker const char argp_program_doc[] =
47*387f9dfdSAndroid Build Coastguard Worker "Trace process termination.\n"
48*387f9dfdSAndroid Build Coastguard Worker "\n"
49*387f9dfdSAndroid Build Coastguard Worker "USAGE: exitsnoop [-h] [-t] [-x] [-p PID] [-T] [-c CG]\n"
50*387f9dfdSAndroid Build Coastguard Worker "\n"
51*387f9dfdSAndroid Build Coastguard Worker "EXAMPLES:\n"
52*387f9dfdSAndroid Build Coastguard Worker " exitsnoop # trace process exit events\n"
53*387f9dfdSAndroid Build Coastguard Worker " exitsnoop -t # include timestamps\n"
54*387f9dfdSAndroid Build Coastguard Worker " exitsnoop -x # trace error exits only\n"
55*387f9dfdSAndroid Build Coastguard Worker " exitsnoop -p 1216 # only trace PID 1216\n"
56*387f9dfdSAndroid Build Coastguard Worker " exitsnoop -T # trace by thread\n"
57*387f9dfdSAndroid Build Coastguard Worker " exitsnoop -c CG # Trace process under cgroupsPath CG\n";
58*387f9dfdSAndroid Build Coastguard Worker
59*387f9dfdSAndroid Build Coastguard Worker static const struct argp_option opts[] = {
60*387f9dfdSAndroid Build Coastguard Worker { "timestamp", 't', NULL, 0, "Include timestamp on output" },
61*387f9dfdSAndroid Build Coastguard Worker { "failed", 'x', NULL, 0, "Trace error exits only." },
62*387f9dfdSAndroid Build Coastguard Worker { "pid", 'p', "PID", 0, "Process ID to trace" },
63*387f9dfdSAndroid Build Coastguard Worker { "threaded", 'T', NULL, 0, "Trace by thread." },
64*387f9dfdSAndroid Build Coastguard Worker { "verbose", 'v', NULL, 0, "Verbose debug output" },
65*387f9dfdSAndroid Build Coastguard Worker { NULL, 'h', NULL, OPTION_HIDDEN, "Show the full help" },
66*387f9dfdSAndroid Build Coastguard Worker { "cgroup", 'c', "/sys/fs/cgroup/unified", 0, "Trace process in cgroup path"},
67*387f9dfdSAndroid Build Coastguard Worker {},
68*387f9dfdSAndroid Build Coastguard Worker };
69*387f9dfdSAndroid Build Coastguard Worker
parse_arg(int key,char * arg,struct argp_state * state)70*387f9dfdSAndroid Build Coastguard Worker static error_t parse_arg(int key, char *arg, struct argp_state *state)
71*387f9dfdSAndroid Build Coastguard Worker {
72*387f9dfdSAndroid Build Coastguard Worker long pid;
73*387f9dfdSAndroid Build Coastguard Worker
74*387f9dfdSAndroid Build Coastguard Worker switch (key) {
75*387f9dfdSAndroid Build Coastguard Worker case 'p':
76*387f9dfdSAndroid Build Coastguard Worker errno = 0;
77*387f9dfdSAndroid Build Coastguard Worker pid = strtol(arg, NULL, 10);
78*387f9dfdSAndroid Build Coastguard Worker if (errno || pid <= 0) {
79*387f9dfdSAndroid Build Coastguard Worker warn("Invalid PID: %s\n", arg);
80*387f9dfdSAndroid Build Coastguard Worker argp_usage(state);
81*387f9dfdSAndroid Build Coastguard Worker }
82*387f9dfdSAndroid Build Coastguard Worker target_pid = pid;
83*387f9dfdSAndroid Build Coastguard Worker break;
84*387f9dfdSAndroid Build Coastguard Worker case 't':
85*387f9dfdSAndroid Build Coastguard Worker emit_timestamp = true;
86*387f9dfdSAndroid Build Coastguard Worker break;
87*387f9dfdSAndroid Build Coastguard Worker case 'x':
88*387f9dfdSAndroid Build Coastguard Worker trace_failed_only = true;
89*387f9dfdSAndroid Build Coastguard Worker break;
90*387f9dfdSAndroid Build Coastguard Worker case 'T':
91*387f9dfdSAndroid Build Coastguard Worker trace_by_process = false;
92*387f9dfdSAndroid Build Coastguard Worker break;
93*387f9dfdSAndroid Build Coastguard Worker case 'v':
94*387f9dfdSAndroid Build Coastguard Worker verbose = true;
95*387f9dfdSAndroid Build Coastguard Worker break;
96*387f9dfdSAndroid Build Coastguard Worker case 'c':
97*387f9dfdSAndroid Build Coastguard Worker env.cgroupspath = arg;
98*387f9dfdSAndroid Build Coastguard Worker env.cg = true;
99*387f9dfdSAndroid Build Coastguard Worker break;
100*387f9dfdSAndroid Build Coastguard Worker case 'h':
101*387f9dfdSAndroid Build Coastguard Worker argp_state_help(state, stderr, ARGP_HELP_STD_HELP);
102*387f9dfdSAndroid Build Coastguard Worker break;
103*387f9dfdSAndroid Build Coastguard Worker default:
104*387f9dfdSAndroid Build Coastguard Worker return ARGP_ERR_UNKNOWN;
105*387f9dfdSAndroid Build Coastguard Worker }
106*387f9dfdSAndroid Build Coastguard Worker return 0;
107*387f9dfdSAndroid Build Coastguard Worker }
108*387f9dfdSAndroid Build Coastguard Worker
libbpf_print_fn(enum libbpf_print_level level,const char * format,va_list args)109*387f9dfdSAndroid Build Coastguard Worker static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
110*387f9dfdSAndroid Build Coastguard Worker {
111*387f9dfdSAndroid Build Coastguard Worker if (level == LIBBPF_DEBUG && !verbose)
112*387f9dfdSAndroid Build Coastguard Worker return 0;
113*387f9dfdSAndroid Build Coastguard Worker return vfprintf(stderr, format, args);
114*387f9dfdSAndroid Build Coastguard Worker }
115*387f9dfdSAndroid Build Coastguard Worker
sig_int(int signo)116*387f9dfdSAndroid Build Coastguard Worker static void sig_int(int signo)
117*387f9dfdSAndroid Build Coastguard Worker {
118*387f9dfdSAndroid Build Coastguard Worker exiting = 1;
119*387f9dfdSAndroid Build Coastguard Worker }
120*387f9dfdSAndroid Build Coastguard Worker
handle_event(void * ctx,int cpu,void * data,__u32 data_sz)121*387f9dfdSAndroid Build Coastguard Worker static void handle_event(void *ctx, int cpu, void *data, __u32 data_sz)
122*387f9dfdSAndroid Build Coastguard Worker {
123*387f9dfdSAndroid Build Coastguard Worker struct event *e = data;
124*387f9dfdSAndroid Build Coastguard Worker time_t t;
125*387f9dfdSAndroid Build Coastguard Worker struct tm *tm;
126*387f9dfdSAndroid Build Coastguard Worker char ts[32];
127*387f9dfdSAndroid Build Coastguard Worker double age;
128*387f9dfdSAndroid Build Coastguard Worker int sig, coredump;
129*387f9dfdSAndroid Build Coastguard Worker
130*387f9dfdSAndroid Build Coastguard Worker if (emit_timestamp) {
131*387f9dfdSAndroid Build Coastguard Worker time(&t);
132*387f9dfdSAndroid Build Coastguard Worker tm = localtime(&t);
133*387f9dfdSAndroid Build Coastguard Worker strftime(ts, sizeof(ts), "%H:%M:%S", tm);
134*387f9dfdSAndroid Build Coastguard Worker printf("%8s ", ts);
135*387f9dfdSAndroid Build Coastguard Worker }
136*387f9dfdSAndroid Build Coastguard Worker
137*387f9dfdSAndroid Build Coastguard Worker age = (e->exit_time - e->start_time) / 1e9;
138*387f9dfdSAndroid Build Coastguard Worker printf("%-16s %-7d %-7d %-7d %-7.2f ",
139*387f9dfdSAndroid Build Coastguard Worker e->comm, e->pid, e->ppid, e->tid, age);
140*387f9dfdSAndroid Build Coastguard Worker
141*387f9dfdSAndroid Build Coastguard Worker if (!e->sig) {
142*387f9dfdSAndroid Build Coastguard Worker if (!e->exit_code)
143*387f9dfdSAndroid Build Coastguard Worker printf("0\n");
144*387f9dfdSAndroid Build Coastguard Worker else
145*387f9dfdSAndroid Build Coastguard Worker printf("code %d\n", e->exit_code);
146*387f9dfdSAndroid Build Coastguard Worker } else {
147*387f9dfdSAndroid Build Coastguard Worker sig = e->sig & 0x7f;
148*387f9dfdSAndroid Build Coastguard Worker coredump = e->sig & 0x80;
149*387f9dfdSAndroid Build Coastguard Worker if (sig)
150*387f9dfdSAndroid Build Coastguard Worker printf("signal %d (%s)", sig, strsignal(sig));
151*387f9dfdSAndroid Build Coastguard Worker if (coredump)
152*387f9dfdSAndroid Build Coastguard Worker printf(", core dumped");
153*387f9dfdSAndroid Build Coastguard Worker printf("\n");
154*387f9dfdSAndroid Build Coastguard Worker }
155*387f9dfdSAndroid Build Coastguard Worker }
156*387f9dfdSAndroid Build Coastguard Worker
handle_lost_events(void * ctx,int cpu,__u64 lost_cnt)157*387f9dfdSAndroid Build Coastguard Worker static void handle_lost_events(void *ctx, int cpu, __u64 lost_cnt)
158*387f9dfdSAndroid Build Coastguard Worker {
159*387f9dfdSAndroid Build Coastguard Worker warn("lost %llu events on CPU #%d\n", lost_cnt, cpu);
160*387f9dfdSAndroid Build Coastguard Worker }
161*387f9dfdSAndroid Build Coastguard Worker
main(int argc,char ** argv)162*387f9dfdSAndroid Build Coastguard Worker int main(int argc, char **argv)
163*387f9dfdSAndroid Build Coastguard Worker {
164*387f9dfdSAndroid Build Coastguard Worker LIBBPF_OPTS(bpf_object_open_opts, open_opts);
165*387f9dfdSAndroid Build Coastguard Worker static const struct argp argp = {
166*387f9dfdSAndroid Build Coastguard Worker .options = opts,
167*387f9dfdSAndroid Build Coastguard Worker .parser = parse_arg,
168*387f9dfdSAndroid Build Coastguard Worker .doc = argp_program_doc,
169*387f9dfdSAndroid Build Coastguard Worker };
170*387f9dfdSAndroid Build Coastguard Worker struct perf_buffer *pb = NULL;
171*387f9dfdSAndroid Build Coastguard Worker struct exitsnoop_bpf *obj;
172*387f9dfdSAndroid Build Coastguard Worker int err;
173*387f9dfdSAndroid Build Coastguard Worker int idx, cg_map_fd;
174*387f9dfdSAndroid Build Coastguard Worker int cgfd = -1;
175*387f9dfdSAndroid Build Coastguard Worker
176*387f9dfdSAndroid Build Coastguard Worker err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
177*387f9dfdSAndroid Build Coastguard Worker if (err)
178*387f9dfdSAndroid Build Coastguard Worker return err;
179*387f9dfdSAndroid Build Coastguard Worker
180*387f9dfdSAndroid Build Coastguard Worker libbpf_set_print(libbpf_print_fn);
181*387f9dfdSAndroid Build Coastguard Worker
182*387f9dfdSAndroid Build Coastguard Worker err = ensure_core_btf(&open_opts);
183*387f9dfdSAndroid Build Coastguard Worker if (err) {
184*387f9dfdSAndroid Build Coastguard Worker fprintf(stderr, "failed to fetch necessary BTF for CO-RE: %s\n", strerror(-err));
185*387f9dfdSAndroid Build Coastguard Worker return 1;
186*387f9dfdSAndroid Build Coastguard Worker }
187*387f9dfdSAndroid Build Coastguard Worker
188*387f9dfdSAndroid Build Coastguard Worker obj = exitsnoop_bpf__open_opts(&open_opts);
189*387f9dfdSAndroid Build Coastguard Worker if (!obj) {
190*387f9dfdSAndroid Build Coastguard Worker warn("failed to open BPF object\n");
191*387f9dfdSAndroid Build Coastguard Worker return 1;
192*387f9dfdSAndroid Build Coastguard Worker }
193*387f9dfdSAndroid Build Coastguard Worker
194*387f9dfdSAndroid Build Coastguard Worker obj->rodata->target_pid = target_pid;
195*387f9dfdSAndroid Build Coastguard Worker obj->rodata->trace_failed_only = trace_failed_only;
196*387f9dfdSAndroid Build Coastguard Worker obj->rodata->trace_by_process = trace_by_process;
197*387f9dfdSAndroid Build Coastguard Worker obj->rodata->filter_cg = env.cg;
198*387f9dfdSAndroid Build Coastguard Worker
199*387f9dfdSAndroid Build Coastguard Worker err = exitsnoop_bpf__load(obj);
200*387f9dfdSAndroid Build Coastguard Worker if (err) {
201*387f9dfdSAndroid Build Coastguard Worker warn("failed to load BPF object: %d\n", err);
202*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
203*387f9dfdSAndroid Build Coastguard Worker }
204*387f9dfdSAndroid Build Coastguard Worker
205*387f9dfdSAndroid Build Coastguard Worker /* update cgroup path fd to map */
206*387f9dfdSAndroid Build Coastguard Worker if (env.cg) {
207*387f9dfdSAndroid Build Coastguard Worker idx = 0;
208*387f9dfdSAndroid Build Coastguard Worker cg_map_fd = bpf_map__fd(obj->maps.cgroup_map);
209*387f9dfdSAndroid Build Coastguard Worker cgfd = open(env.cgroupspath, O_RDONLY);
210*387f9dfdSAndroid Build Coastguard Worker if (cgfd < 0) {
211*387f9dfdSAndroid Build Coastguard Worker fprintf(stderr, "Failed opening Cgroup path: %s", env.cgroupspath);
212*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
213*387f9dfdSAndroid Build Coastguard Worker }
214*387f9dfdSAndroid Build Coastguard Worker if (bpf_map_update_elem(cg_map_fd, &idx, &cgfd, BPF_ANY)) {
215*387f9dfdSAndroid Build Coastguard Worker fprintf(stderr, "Failed adding target cgroup to map");
216*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
217*387f9dfdSAndroid Build Coastguard Worker }
218*387f9dfdSAndroid Build Coastguard Worker }
219*387f9dfdSAndroid Build Coastguard Worker
220*387f9dfdSAndroid Build Coastguard Worker err = exitsnoop_bpf__attach(obj);
221*387f9dfdSAndroid Build Coastguard Worker if (err) {
222*387f9dfdSAndroid Build Coastguard Worker warn("failed to attach BPF programs: %d\n", err);
223*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
224*387f9dfdSAndroid Build Coastguard Worker }
225*387f9dfdSAndroid Build Coastguard Worker
226*387f9dfdSAndroid Build Coastguard Worker pb = perf_buffer__new(bpf_map__fd(obj->maps.events), PERF_BUFFER_PAGES,
227*387f9dfdSAndroid Build Coastguard Worker handle_event, handle_lost_events, NULL, NULL);
228*387f9dfdSAndroid Build Coastguard Worker if (!pb) {
229*387f9dfdSAndroid Build Coastguard Worker err = -errno;
230*387f9dfdSAndroid Build Coastguard Worker warn("failed to open perf buffer: %d\n", err);
231*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
232*387f9dfdSAndroid Build Coastguard Worker }
233*387f9dfdSAndroid Build Coastguard Worker
234*387f9dfdSAndroid Build Coastguard Worker if (signal(SIGINT, sig_int) == SIG_ERR) {
235*387f9dfdSAndroid Build Coastguard Worker warn("can't set signal handler: %s\n", strerror(errno));
236*387f9dfdSAndroid Build Coastguard Worker err = 1;
237*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
238*387f9dfdSAndroid Build Coastguard Worker }
239*387f9dfdSAndroid Build Coastguard Worker
240*387f9dfdSAndroid Build Coastguard Worker if (emit_timestamp)
241*387f9dfdSAndroid Build Coastguard Worker printf("%-8s ", "TIME(s)");
242*387f9dfdSAndroid Build Coastguard Worker printf("%-16s %-7s %-7s %-7s %-7s %-s\n",
243*387f9dfdSAndroid Build Coastguard Worker "PCOMM", "PID", "PPID", "TID", "AGE(s)", "EXIT_CODE");
244*387f9dfdSAndroid Build Coastguard Worker
245*387f9dfdSAndroid Build Coastguard Worker while (!exiting) {
246*387f9dfdSAndroid Build Coastguard Worker err = perf_buffer__poll(pb, PERF_POLL_TIMEOUT_MS);
247*387f9dfdSAndroid Build Coastguard Worker if (err < 0 && err != -EINTR) {
248*387f9dfdSAndroid Build Coastguard Worker warn("error polling perf buffer: %s\n", strerror(-err));
249*387f9dfdSAndroid Build Coastguard Worker goto cleanup;
250*387f9dfdSAndroid Build Coastguard Worker }
251*387f9dfdSAndroid Build Coastguard Worker /* reset err to return 0 if exiting */
252*387f9dfdSAndroid Build Coastguard Worker err = 0;
253*387f9dfdSAndroid Build Coastguard Worker }
254*387f9dfdSAndroid Build Coastguard Worker
255*387f9dfdSAndroid Build Coastguard Worker cleanup:
256*387f9dfdSAndroid Build Coastguard Worker perf_buffer__free(pb);
257*387f9dfdSAndroid Build Coastguard Worker exitsnoop_bpf__destroy(obj);
258*387f9dfdSAndroid Build Coastguard Worker cleanup_core_btf(&open_opts);
259*387f9dfdSAndroid Build Coastguard Worker if (cgfd > 0)
260*387f9dfdSAndroid Build Coastguard Worker close(cgfd);
261*387f9dfdSAndroid Build Coastguard Worker
262*387f9dfdSAndroid Build Coastguard Worker return err != 0;
263*387f9dfdSAndroid Build Coastguard Worker }
264