libbpf-tools: sigsnoop: display target process's comm (#5272)

Rtoax · web-flow · commit 6ea2a0efa526 · 2025-04-10T20:33:05.000-07:00
Directly print the comm of the target process to display information more intuitively, without having to use commands such as 'ps' to query the comm information of the pid process again. $ sudo ./sigsnoop -n TIME PID COMM SIG TPID TCOMM RESULT 11:29:06 1128124 vte-urlencode-c SIGCHLD 1127674 bash 0 11:29:08 1128126 ls SIGCHLD 1127674 bash 0 11:29:08 1128127 vte-urlencode-c SIGCHLD 1127674 bash 0 11:29:08 1881 Xorg SIGALRM 1881 Xorg 0 11:29:11 0 swapper/3 SIGNAL-34 2545 sssd_kcm 0 11:29:21 1127194 kworker/u48:6 SIGINT 1127674 bash 0 11:29:21 1127674 bash SIGINT 1127674 bash 0 11:29:21 1128130 vte-urlencode-c SIGCHLD 1127674 bash 0 11:29:21 1881 Xorg SIGALRM 1881 Xorg 0 11:29:21 0 swapper/1 SIGNAL-34 2545 sssd_kcm 0 ^^^^^^^^^^^^^^^^ If current kernel is unsupport bpf_task_from_pid(), linux < v6.1 [1], the TCOMM field displays 'N/A': $ sudo ./sigsnoop -n WARNING: Current kernel not support bpf_task_from_pid(), ignore TCOMM field TIME PID COMM SIG TPID TCOMM RESULT 15:01:24 289689 pmsleep SIGCHLD 289348 N/A 0 15:01:24 289691 expr SIGCHLD 289348 N/A 0 15:01:25 289693 pmprobe SIGCHLD 289692 N/A 0 15:01:25 289694 gawk SIGCHLD 289692 N/A 0 15:01:25 289692 pmlogger_check SIGCHLD 289348 N/A 0 15:01:25 289695 pmsleep SIGCHLD 289348 N/A 0 15:01:25 289696 expr SIGCHLD 289348 N/A 0 ^^^^^^^^^^^^^^^^ Link: torvalds/linux@3f0e6f2b41d3 [1] Signed-off-by: Rong Tao <rongtao@cestc.cn>
diff --git a/libbpf-tools/sigsnoop.bpf.c b/libbpf-tools/sigsnoop.bpf.c
@@ -23,14 +23,31 @@ struct {
 	__uint(value_size, sizeof(__u32));
 } events SEC(".maps");
 
-static __always_inline bool is_target_signal(int sig) {
-  if (target_signals == 0)
-    return true;
+static __always_inline bool is_target_signal(int sig)
+{
+	if (target_signals == 0)
+		return true;
+
+	if ((target_signals & (1 << (sig - 1))) == 0)
+		return false;
 
-  if ((target_signals & (1 << (sig - 1))) == 0)
-    return false;
+	return true;
+}
 
-  return true;
+static __always_inline void get_tcomm(pid_t tpid, char *tcomm, __u32 size)
+{
+	if (bpf_ksym_exists(bpf_task_from_pid)) {
+		struct task_struct *ttask = bpf_task_from_pid(tpid);
+		if (ttask) {
+			bpf_probe_read_kernel(tcomm, size, ttask->comm);
+			bpf_task_release(ttask);
+			return;
+		}
+	}
+	tcomm[0] = 'N';
+	tcomm[1] = '/';
+	tcomm[2] = 'A';
+	tcomm[3] = '\0';
 }
 
 static int probe_entry(pid_t tpid, int sig)
@@ -48,6 +65,8 @@ static int probe_entry(pid_t tpid, int sig)
 	if (filtered_pid && pid != filtered_pid)
 		return 0;
 
+	get_tcomm(tpid, event.tcomm, sizeof(event.tcomm));
+
 	event.pid = pid;
 	event.tpid = tpid;
 	event.sig = sig;
@@ -142,6 +161,8 @@ int sig_trace(struct trace_event_raw_signal_generate *ctx)
 	if (filtered_pid && pid != filtered_pid)
 		return 0;
 
+	get_tcomm(tpid, event.tcomm, sizeof(event.tcomm));
+
 	event.pid = pid;
 	event.tpid = tpid;
 	event.sig = sig;
diff --git a/libbpf-tools/sigsnoop.c b/libbpf-tools/sigsnoop.c
@@ -13,6 +13,7 @@
 #include <time.h>
 
 #include <bpf/bpf.h>
+#include <bpf/btf.h>
 #include "sigsnoop.h"
 #include "sigsnoop.skel.h"
 
@@ -189,6 +190,23 @@ static void alias_parse(char *prog)
 	}
 }
 
+/**
+ * since linux commit 3f0e6f2b41d3 ("bpf: Add bpf_task_from_pid() kfunc")
+ * v6.1-rc4-1163-g3f0e6f2b41d3 support bpf_task_from_pid() helper.
+ */
+static bool support_bpf_task_from_pid(void)
+{
+	const struct btf *btf = btf__load_vmlinux_btf();
+	int type_id;
+
+	type_id = btf__find_by_name_kind(btf, "bpf_task_from_pid",
+					 BTF_KIND_FUNC);
+	if (type_id < 0)
+		return false;
+
+	return true;
+}
+
 static void sig_int(int signo)
 {
 	exiting = 1;
@@ -205,11 +223,11 @@ static void handle_event(void *ctx, int cpu, void *data, __u32 data_sz)
 	tm = localtime(&t);
 	strftime(ts, sizeof(ts), "%H:%M:%S", tm);
 	if (signal_name && e->sig < ARRAY_SIZE(sig_name))
-		printf("%-8s %-7d %-16s %-12s %-7d %-6d\n",
-		       ts, e->pid, e->comm, sig_name[e->sig], e->tpid, e->ret);
+		printf("%-8s %-7d %-16s %-12s %-7d %-16s %-6d\n",
+		       ts, e->pid, e->comm, sig_name[e->sig], e->tpid, e->tcomm, e->ret);
 	else
-		printf("%-8s %-7d %-16s %-12d %-7d %-6d\n",
-		       ts, e->pid, e->comm, e->sig, e->tpid, e->ret);
+		printf("%-8s %-7d %-16s %-12d %-7d %-16s %-6d\n",
+		       ts, e->pid, e->comm, e->sig, e->tpid, e->tcomm, e->ret);
 }
 
 static void handle_lost_events(void *ctx, int cpu, __u64 lost_cnt)
@@ -281,8 +299,12 @@ int main(int argc, char **argv)
 		goto cleanup;
 	}
 
-	printf("%-8s %-7s %-16s %-12s %-7s %-6s\n",
-	       "TIME", "PID", "COMM", "SIG", "TPID", "RESULT");
+	if (!support_bpf_task_from_pid())
+		fprintf(stderr, "WARNING: Current kernel not support "\
+				"bpf_task_from_pid(), ignore TCOMM field\n");
+
+	printf("%-8s %-7s %-16s %-12s %-7s %-16s %-6s\n",
+	       "TIME", "PID", "COMM", "SIG", "TPID", "TCOMM", "RESULT");
 
 	while (!exiting) {
 		err = perf_buffer__poll(pb, PERF_POLL_TIMEOUT_MS);
diff --git a/libbpf-tools/sigsnoop.h b/libbpf-tools/sigsnoop.h
@@ -11,6 +11,7 @@ struct event {
 	int sig;
 	int ret;
 	char comm[TASK_COMM_LEN];
+	char tcomm[TASK_COMM_LEN];
 };
 
 #endif /* __SIGSNOOP_H */
