iovisor/bcc

update killsnoop to use tracepoints

Open

#3,592 opened on Aug 27, 2021

View on GitHub
 (7 comments) (0 reactions) (1 assignee)C (4,051 forks)batch import
help wanted

Repository metrics

Stars
 (22,409 stars)
PR merge metrics
 (Avg merge 12d 6h) (12 merged PRs in 30d)

Description

This is a request for help.

I wrote killsnoop back in 2015 before tracepoint support, and so I kprobe'd sys_kill(). It still does some derivation of that. But now there's a report it no longer works on Linux 5.11: https://github.com/iovisor/bcc/pull/3572#issuecomment-900357032 CC @chenhengqi

Can someone please update killsnoop (both Python and libbpf-tools) to use tracepoints instead of kprobes (if it works as expected). All of these:

  syscalls:sys_enter_kill                            [Tracepoint event]
  syscalls:sys_enter_tgkill                          [Tracepoint event]
  syscalls:sys_enter_tkill                           [Tracepoint event]
  syscalls:sys_exit_kill                             [Tracepoint event]
  syscalls:sys_exit_tgkill                           [Tracepoint event]
  syscalls:sys_exit_tkill                            [Tracepoint event]

Contributor guide