1 /* SPDX-License-Identifier: LGPL-2.1 WITH Linux-syscall-note */
2 /*
3  * cn_proc.h - process events connector
4  *
5  * Copyright (C) Matt Helsley, IBM Corp. 2005
6  * Based on cn_fork.h by Nguyen Anh Quynh and Guillaume Thouvenin
7  * Copyright (C) 2005 Nguyen Anh Quynh <aquynh@gmail.com>
8  * Copyright (C) 2005 Guillaume Thouvenin <guillaume.thouvenin@bull.net>
9  *
10  * This program is free software; you can redistribute it and/or modify it
11  * under the terms of version 2.1 of the GNU Lesser General Public License
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it would be useful, but
15  * WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
17  */
18 
19 #ifndef _UAPICN_PROC_H
20 #define _UAPICN_PROC_H
21 
22 #include <linux/types.h>
23 
24 /*
25  * Userspace sends this enum to register with the kernel that it is listening
26  * for events on the connector.
27  */
enum proc_cn_mcast_op {
	/*
	 * No enumerator has the value 0, so a zero-filled request names no
	 * operation.
	 */
	/* Register the sender as a listener for process events. */
	PROC_CN_MCAST_LISTEN = 1,
	/*
	 * NOTE(review): presumably withdraws an earlier LISTEN; confirm
	 * against the kernel-side handler.
	 */
	PROC_CN_MCAST_IGNORE = 2
};
32 
/*
 * Mask of every event bit defined in enum proc_cn_event. valid_event()
 * ANDs an incoming mask with it to clear bits that name no known event.
 * The enumerators are declared after this macro; that works because the
 * macro is only expanded where it is used.
 */
#define PROC_EVENT_ALL (PROC_EVENT_FORK | PROC_EVENT_EXEC | PROC_EVENT_UID |  \
			PROC_EVENT_GID | PROC_EVENT_SID | PROC_EVENT_PTRACE | \
			PROC_EVENT_COMM | PROC_EVENT_NONZERO_EXIT |           \
			PROC_EVENT_COREDUMP | PROC_EVENT_EXIT)
37 
38 /*
39  * If you add an entry in proc_cn_event, make sure you add it in
40  * PROC_EVENT_ALL above as well.
41  */
enum proc_cn_event {
	/*
	 * Every event is a distinct single bit, so values can be OR-ed
	 * together to record a set of events as well as a single event.
	 * The low bits are not contiguous: 0x00000008 through 0x00000020
	 * are not assigned in this enum.
	 */
	PROC_EVENT_NONE = 0x00000000,
	PROC_EVENT_FORK = 0x00000001,
	PROC_EVENT_EXEC = 0x00000002,
	PROC_EVENT_UID  = 0x00000004,
	PROC_EVENT_GID  = 0x00000040,
	PROC_EVENT_SID  = 0x00000080,
	PROC_EVENT_PTRACE = 0x00000100,
	PROC_EVENT_COMM = 0x00000200,
	/* The next new event should take 0x00000400. */
	/*
	 * The three highest bits are the end-of-life events. EXIT is the
	 * last event for a process, COREDUMP is next to last, and
	 * NONZERO_EXIT, before that, is reported only if the process dies
	 * with a non-zero exit status.
	 *
	 * EXIT is bit 31, which does not fit in a signed 32-bit int, so
	 * event masks are best handled as unsigned 32-bit values.
	 */
	PROC_EVENT_NONZERO_EXIT = 0x20000000,
	PROC_EVENT_COREDUMP = 0x40000000,
	PROC_EVENT_EXIT = 0x80000000
};
64 
/*
 * Pairs a listen/ignore operation with an event selection.
 *
 * NOTE(review): presumably the request payload userspace sends to the
 * connector, with event_type holding a mask of PROC_EVENT_* bits; confirm
 * against the kernel-side receive path. Both fields are filled in by the
 * sender, so a receiver should range-check mcast_op and pass event_type
 * through valid_event() before acting on either.
 */
struct proc_input {
	enum proc_cn_mcast_op mcast_op;
	enum proc_cn_event event_type;
};
69 
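/*
 * valid_event - restrict an event mask to the events this header defines.
 * @ev_type: event mask, possibly carrying bits outside PROC_EVENT_ALL.
 *
 * Returns @ev_type with every bit that is not part of PROC_EVENT_ALL
 * cleared. Unknown bits are dropped silently rather than reported, so a
 * caller that must reject an unsupported request has to compare the result
 * with its input. The result is PROC_EVENT_NONE (0) when no known bit was
 * set.
 */
static inline enum proc_cn_event valid_event(enum proc_cn_event ev_type)
{
	/*
	 * Compute the mask as a value and cast it back explicitly. A
	 * compound assignment on an enum ("ev_type &= ...") is rejected by
	 * C++ compilers, and this is a UAPI header that userspace C++ code
	 * may include. The result in C is unchanged.
	 */
	return (enum proc_cn_event)(ev_type & PROC_EVENT_ALL);
}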
75 
/*
 * From the user's point of view, the process ID is the thread group ID
 * and the thread ID is the kernel's internal "pid". So, fields are
 * assigned as follows:
 *
 *  In user space     -  In  kernel space
 *
 * parent process ID  =  parent->tgid
 * parent thread  ID  =  parent->pid
 * child  process ID  =  child->tgid
 * child  thread  ID  =  child->pid
 */
88 
/*
 * One process event record: a fixed header (what, cpu, timestamp_ns)
 * followed by a union whose members overlay the same bytes.
 *
 * NOTE(review): presumably `what` holds a single PROC_EVENT_* value that
 * selects the meaningful member of event_data; confirm against the
 * producer. A consumer should read only the member matching `what`, since
 * the other members alias unrelated data.
 *
 * NOTE(review): PIDs can be reused once a process has exited, so a consumer
 * that correlates events by pid/tgid should not treat them as a stable
 * identity on their own.
 */
struct proc_event {
	enum proc_cn_event what;
	/* NOTE(review): presumably the CPU the event was generated on; confirm. */
	__u32 cpu;
	/* Explicitly 8-byte aligned so the offset does not depend on the ABI's __u64 alignment. */
	__u64 __attribute__((aligned(8))) timestamp_ns;
		/* Number of nanoseconds since system boot */
	union { /* must be last field of proc_event struct */
		/*
		 * NOTE(review): presumably an acknowledgement carrying an
		 * error code for a request; confirm when it is sent.
		 */
		struct {
			__u32 err;
		} ack;

		/* Parent and child identified by both thread ID (pid) and process ID (tgid). */
		struct fork_proc_event {
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
			__kernel_pid_t child_pid;
			__kernel_pid_t child_tgid;
		} fork;

		struct exec_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
		} exec;

		/*
		 * One layout serves both uid and gid changes: each inner
		 * union overlays the uid and gid spelling of the same
		 * 32-bit slot. NOTE(review): presumably `what`
		 * (PROC_EVENT_UID vs PROC_EVENT_GID) tells which spelling
		 * applies; confirm.
		 */
		struct id_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			union {
				__u32 ruid; /* task uid */
				__u32 rgid; /* task gid */
			} r;
			union {
				__u32 euid;
				__u32 egid;
			} e;
		} id;

		struct sid_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
		} sid;

		/* Identifies the traced task and its tracer. */
		struct ptrace_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__kernel_pid_t tracer_pid;
			__kernel_pid_t tracer_tgid;
		} ptrace;

		/*
		 * comm is a fixed 16-byte buffer with no separate length
		 * field. NOTE(review): bound reads by sizeof(comm) instead
		 * of assuming NUL termination, and treat the contents as
		 * untrusted text when logging; confirm whether the producer
		 * always terminates the string.
		 */
		struct comm_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			char           comm[16];
		} comm;

		struct coredump_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
		} coredump;

		/*
		 * NOTE(review): the encoding of exit_code (raw status vs
		 * wait-status format) is not stated here; confirm before
		 * decoding it.
		 */
		struct exit_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__u32 exit_code, exit_signal;
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
		} exit;

	} event_data;
};
159 
160 #endif /* _UAPICN_PROC_H */