update killsnoop to use tracepoints · iovisor/bcc#3592

(7 comments) (0 reactions) (1 assignee)C (22,409 stars) (4,051 forks)batch import

help wanted

Description

This is a request for help.

I wrote killsnoop back in 2015 before tracepoint support, and so I kprobe'd sys_kill(). It still does some derivation of that. But now there's a report it no longer works on Linux 5.11: https://github.com/iovisor/bcc/pull/3572#issuecomment-900357032 CC @chenhengqi

Can someone please update killsnoop (both Python and libbpf-tools) to use tracepoints instead of kprobes (if it works as expected). All of these:

  syscalls:sys_enter_kill                            [Tracepoint event]
  syscalls:sys_enter_tgkill                          [Tracepoint event]
  syscalls:sys_enter_tkill                           [Tracepoint event]
  syscalls:sys_exit_kill                             [Tracepoint event]
  syscalls:sys_exit_tgkill                           [Tracepoint event]
  syscalls:sys_exit_tkill                            [Tracepoint event]

Contributor guide

Tech stack: cpython
Domain: observability
Issue type: feature
Difficulty: 3
Estimated time: 1-2 days
Activity status: active
Clarity: clear
Prerequisites: understanding of BPFknowledge of tracepointsfamiliarity with syscall hooks
Newbie friendliness: 40
Research direction: Examine the current killsnoop implementation in bcc/tools/killsnoop.py and libbpf tools/killsnoop.c. Look at other bcc tools that use tracepoints (e.g., execsnoop, opensnoop) for reference patterns. Test the new tracepoint based version on Linux 5.11+ to ensure correctness. Note that the issue mentions a previous report of breakage, so verify the fix works across kernel versions.