1 /* SPDX-License-Identifier: LGPL-2.1 WITH Linux-syscall-note */
2 /*
3 * cn_proc.h - process events connector
4 *
5 * Copyright (C) Matt Helsley, IBM Corp. 2005
6 * Based on cn_fork.h by Nguyen Anh Quynh and Guillaume Thouvenin
7 * Copyright (C) 2005 Nguyen Anh Quynh <aquynh@gmail.com>
8 * Copyright (C) 2005 Guillaume Thouvenin <guillaume.thouvenin@bull.net>
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of version 2.1 of the GNU Lesser General Public License
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it would be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
17 */
18
19 #ifndef _UAPICN_PROC_H
20 #define _UAPICN_PROC_H
21
22 #include <linux/types.h>
23
24 /*
25 * Userspace sends this enum to register with the kernel that it is listening
26 * for events on the connector.
27 */
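/*
 * Operation code a userspace client places in its control message to the
 * process-events connector. No operation is assigned the value 0, so a
 * zero-filled message does not name a valid operation.
 */
enum proc_cn_mcast_op {
	/* Register the sender as a listener for process events. */
	PROC_CN_MCAST_LISTEN = 1,
	/* Presumably withdraws that registration (inferred from the name). */
	PROC_CN_MCAST_IGNORE = 2
};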
32
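/*
 * Union of every event bit defined in enum proc_cn_event. valid_event()
 * masks with this value, so an event bit that is missing here is silently
 * dropped from any mask passed through that helper.
 */
#define PROC_EVENT_ALL (PROC_EVENT_FORK | PROC_EVENT_EXEC | PROC_EVENT_UID | \
			PROC_EVENT_GID | PROC_EVENT_SID | PROC_EVENT_PTRACE | \
			PROC_EVENT_COMM | PROC_EVENT_NONZERO_EXIT | \
			PROC_EVENT_COREDUMP | PROC_EVENT_EXIT)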
37
38 /*
39 * If you add an entry in proc_cn_event, make sure you add it in
40 * PROC_EVENT_ALL above as well.
41 */
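/*
 * Process event types. Each event owns a single bit so that values can be
 * OR-ed together to describe a set of events as well as a single event.
 * Every entry must also appear in PROC_EVENT_ALL.
 */
enum proc_cn_event {
	/* No event bit set. */
	PROC_EVENT_NONE = 0x00000000,
	PROC_EVENT_FORK = 0x00000001,
	PROC_EVENT_EXEC = 0x00000002,
	PROC_EVENT_UID  = 0x00000004,
	/* Bits 0x00000008, 0x00000010 and 0x00000020 are not assigned here. */
	PROC_EVENT_GID  = 0x00000040,
	PROC_EVENT_SID  = 0x00000080,
	PROC_EVENT_PTRACE = 0x00000100,
	PROC_EVENT_COMM = 0x00000200,
	/* The next event added from the low end should use 0x00000400. */
	/*
	 * The top three bits are allocated from the high end downwards:
	 * EXIT is the last process event, COREDUMP is the next to last, and
	 * NONZERO_EXIT (the one before that) is reported only if the process
	 * dies with a non-zero exit status.
	 */
	PROC_EVENT_NONZERO_EXIT = 0x20000000,
	PROC_EVENT_COREDUMP = 0x40000000,
	PROC_EVENT_EXIT = 0x80000000
};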
64
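/*
 * Control message payload pairing a listener operation with an event mask.
 *
 * NOTE(review): both fields arrive from userspace, so a receiver should
 * range-check mcast_op and pass event_type through valid_event() before
 * acting on either; confirm against the kernel-side handler.
 */
struct proc_input {
	enum proc_cn_mcast_op mcast_op;	/* PROC_CN_MCAST_LISTEN or _IGNORE */
	enum proc_cn_event event_type;	/* presumably the set of events requested */
};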
69
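/*
 * Reduce an event mask to the bits that name a known event.
 *
 * Any bit outside PROC_EVENT_ALL is cleared, so unknown or unassigned bits
 * in ev_type never appear in the result. Returns the filtered mask, which is
 * PROC_EVENT_NONE (0) when ev_type held no known event bit; callers that
 * need at least one event must check for that themselves.
 */
static inline enum proc_cn_event valid_event(enum proc_cn_event ev_type)
{
	ev_type &= PROC_EVENT_ALL;
	return ev_type;
}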
75
76 /*
77 * From the user's point of view, the process
78 * ID is the thread group ID and thread ID is the internal
79 * kernel "pid". So, fields are assigned as follows:
80 *
81 * In user space - In kernel space
82 *
83 * parent process ID = parent->tgid
84 * parent thread ID = parent->pid
85 * child process ID = child->tgid
86 * child thread ID = child->pid
87 */
88
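/*
 * One process event as carried over the connector.
 *
 * `what` holds the event type and `event_data` holds the per-event payload.
 * The union member names mirror the event names, so a consumer presumably
 * picks the member from `what` (confirm against the kernel sender) and
 * should not read a member that does not match it.
 *
 * In every payload, *_pid is the kernel "pid" (the thread ID as seen from
 * userspace) and *_tgid is the thread group ID (the process ID as seen from
 * userspace).
 *
 * NOTE(review): the payloads identify tasks by number only. A monitoring
 * consumer that later looks a task up by these IDs should allow for the task
 * having exited and the ID having been reused in the meantime.
 */
struct proc_event {
	enum proc_cn_event what;
	__u32 cpu;
	/* Number of nanoseconds since system boot. */
	__u64 __attribute__((aligned(8))) timestamp_ns;
	union { /* must be last field of proc_event struct */
		struct {
			__u32 err;
		} ack;

		struct fork_proc_event {
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
			__kernel_pid_t child_pid;
			__kernel_pid_t child_tgid;
		} fork;

		struct exec_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
		} exec;

		/*
		 * Shared by the UID and GID events: each inner union overlays
		 * the uid and gid variants of one value, so only `what` tells
		 * which of the two names applies (presumably uid for
		 * PROC_EVENT_UID and gid for PROC_EVENT_GID; confirm).
		 */
		struct id_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			union {
				__u32 ruid; /* task uid */
				__u32 rgid; /* task gid */
			} r;
			union {
				__u32 euid;
				__u32 egid;
			} e;
		} id;

		struct sid_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
		} sid;

		struct ptrace_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__kernel_pid_t tracer_pid;
			__kernel_pid_t tracer_tgid;
		} ptrace;

		struct comm_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			/*
			 * Fixed 16-byte buffer. NOTE(review): bound every read
			 * to sizeof(comm) instead of relying on a terminator
			 * (confirm whether the sender always NUL-terminates),
			 * and treat the content as untrusted text; it is
			 * presumably the command name a task can set itself.
			 */
			char comm[16];
		} comm;

		struct coredump_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
		} coredump;

		struct exit_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__u32 exit_code, exit_signal;
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
		} exit;

	} event_data;
};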
159
160 #endif /* _UAPICN_PROC_H */
161