An eBPF-based profiler for process-lifecycle events.
zig ebpf profilers

Only emit Exec event after a successful execve(at)_exit #1

open
opened by z-mitchell.bsky.social

Right now we emit separate ExecStart and ExecFinish events since you need to capture the exec arguments and return code at different times. This means that we emit two separate events for a successful exec when really we would emit a single event.

Approach

  • Rename ExecStart to Exec since we'll only have a single Exec event.
  • Update the exec_seen map to hold Exec instead of bool.
  • Instead of writing an Exec to events when observing execve(at)_enter, store it in exec_seen.
  • In the execve(at)_exit handler, write the Exec event to events if we saw it on the enter side and the return code is 0.
  • Clear the entry for this PID in exec_seen.

Considerations

There's a race condition where another thread could possibly call exec between execve(at)_enter and execve(at)_exit of a previous exec call.

  • Where does the second thread store its Exec event?
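The steps under Approach and the race under Considerations, replayed in a userspace C model. This is an added example, not code from this repository. The array stands in for the exec_seen map, and the per-thread key (process id in the upper 32 bits, thread id in the lower, the layout bpf_get_current_pid_tgid() returns) is an assumed alternative to the per-PID key; all function names and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 8
struct exec_event { uint64_t key; int used; char path[32]; };
static struct exec_event exec_seen[SLOTS]; /* stand-in for the BPF hash map */

static struct exec_event *lookup(uint64_t key) {
    for (int i = 0; i < SLOTS; i++)
        if (exec_seen[i].used && exec_seen[i].key == key) return &exec_seen[i];
    return NULL;
}

/* execve(at)_enter: stash the pending Exec instead of writing it to events. */
static void exec_enter(uint64_t key, const char *path) {
    struct exec_event *e = lookup(key);        /* same key: overwrite in place */
    for (int i = 0; !e && i < SLOTS; i++)
        if (!exec_seen[i].used) e = &exec_seen[i];
    if (!e) return;                            /* map full: drop the event */
    e->key = key; e->used = 1;
    snprintf(e->path, sizeof e->path, "%s", path);
}

/* execve(at)_exit: emit only if seen on enter and ret == 0; always clear. */
static int exec_exit(uint64_t key, long ret, char *out, size_t n) {
    struct exec_event *e = lookup(key);
    if (!e) return 0;                          /* nothing stored on the enter side */
    int emit = (ret == 0);
    if (emit) snprintf(out, n, "%s", e->path); /* stand-in for writing to events */
    e->used = 0;
    return emit;
}

/* Race replay: thread 101 and leader thread 100 of process 100 overlap in execve.
 * Not modelled: a non-leader thread whose exec succeeds takes over the leader's
 * thread id, so its exit-side per-thread key differs from its enter-side key. */
static int replay_race(int per_thread, char *out, size_t n) {
    memset(exec_seen, 0, sizeof exec_seen);
    uint64_t a = per_thread ? ((uint64_t)100 << 32 | 101) : 100;
    uint64_t b = per_thread ? ((uint64_t)100 << 32 | 100) : 100;
    exec_enter(a, "/bin/a");
    exec_enter(b, "/bin/b");        /* per-PID key: overwrites A's entry */
    exec_exit(a, -2, out, n);       /* A fails (-ENOENT); entry is cleared */
    return exec_exit(b, 0, out, n); /* B succeeds */
}

int main(void) {
    char out[32] = "";
    printf("pid key: emitted=%d\n", replay_race(0, out, sizeof out));
    printf("tid key: emitted=%d path=%s\n", replay_race(1, out, sizeof out), out);
    return 0;
}
```

With the per-PID key the successful exec is never emitted, because the failed call's exit handler clears the shared entry first.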