tetragon: Hook exit sensor on acct_process

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
cilium · Sep 26, 2023 · 76fbd3d · 76fbd3d
1 parent 2a6972b
commit 76fbd3d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 24 deletions.
diff --git a/bpf/process/bpf_exit.c b/bpf/process/bpf_exit.c
@@ -8,12 +8,9 @@
 char _license[] __attribute__((section("license"), used)) = "GPL";
 
 /*
- * Hooking on do_task_dead kernel function, which is the last one the
- * task would execute after exiting. It's stable since v4.19, so it's
- * safe to hook for us.
- *
- * To find out if we are the last thread of execution in the task we
- * use current->signal->live counter (thanks Djalal! ;-) )
+ * Hooking on acct_process kernel function, which is called on the task's
+ * exit path once the task is the last one in the group. It's stable since
+ * v4.19, so it's safe to hook for us.
  *
  * It's initialized for thread leader:
  *
@@ -35,29 +32,21 @@ char _license[] __attribute__((section("license"), used)) = "GPL";
  * Decremented for each exiting thread:
  *
  *   do_exit {
- *     atomic_dec_and_test(&tsk->signal->live);
+ *     group_dead = atomic_dec_and_test(&tsk->signal->live);
+ *     ...
+ *     if (group_dead)
+ *              acct_process();
  *     ...
- *     do_task_dead
- *       __schedule
- *       BUG
  *   }
  *
- * If task->signal->live == 0 we are the last thread of execution and we
- * won't race with another clone, because there's no other thread to call
- * it (current thread is in do_exit).
+ * Hooking to acct_process we ensure tsk->signal->live is 0 and
+ * we are the last one of the thread group.
  */
-__attribute__((section("kprobe/do_task_dead"), used)) int
+__attribute__((section("kprobe/acct_process"), used)) int
 event_exit(struct pt_regs *ctx)
 {
-	struct task_struct *task = (struct task_struct *)get_current_task();
 	__u64 pid_tgid = get_current_pid_tgid();
-	struct signal_struct *signal;
-	atomic_t live;
-
-	probe_read(&signal, sizeof(signal), _(&task->signal));
-	probe_read(&live, sizeof(live), _(&signal->live));
 
-	if (live.counter == 0)
-		event_exit_send(ctx, pid_tgid >> 32);
+	event_exit_send(ctx, pid_tgid >> 32);
 	return 0;
 }
diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
@@ -20,8 +20,8 @@ var (
 
 	Exit = program.Builder(
 		"bpf_exit.o",
-		"do_task_dead",
-		"kprobe/do_task_dead",
+		"acct_process",
+		"kprobe/acct_process",
 		"event_exit",
 		"kprobe",
 	)