Listening for new Processes in Linux Kernel Module

Question

Is it possible to get notified (via callback or similar) when a new process is executed, when one is closed, and when state changes (i.e. stopped, paged, etc.)? In user-land, it would be easy to set up a directory listener on /proc.

Recommended answer

Have you considered kprobes? You can use kprobes to execute a callback function when some kernel code is executed. E.g., you could add a do_fork kprobe to alert when new processes are created as in this example.

Similarly, you can add a probe for do_exit() to catch when processes exit.

For changing state, you could have a return probe on sched_switch() and catch when the state changes. Depending on your application, this may add too much overhead.

If you only wish to collect data, perform some light processing, and aren't looking to do much more with the kernel module, systemtap may be a good alternative to writing a kernel module: https://sourceware.org/systemtap/documentation.html

More details on kprobes: https://www.kernel.org/doc/Documentation/kprobes.txt

sched_switch() systemtap example: https://sourceware.org/systemtap/examples/profiling/sched_switch.stp
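
As an added illustration of the kprobes approach in the answer above (not code from the original answer or from the kernel documentation): a minimal module that registers kprobes on the fork entry point and on do_exit(). The module name procwatch and the helper fork_symbol() are hypothetical; the symbol names used for newer kernels (_do_fork, kernel_clone) are not on the page and are assumptions about the running kernel.

```c
/* Added example. Kbuild defines __KERNEL__; the #else branch only lets fork_symbol() be unit-tested in user space. */
#ifdef __KERNEL__
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/sched.h>
#include <linux/version.h>
#else
#include <string.h>
#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
#endif

/* do_fork (named in the answer) became _do_fork in v4.2 and kernel_clone in v5.10. */
static const char *fork_symbol(int ver)
{
	if (ver >= KERNEL_VERSION(5, 10, 0))
		return "kernel_clone";
	return ver >= KERNEL_VERSION(4, 2, 0) ? "_do_fork" : "do_fork";
}

#ifdef __KERNEL__
/* A pre-handler runs in the context of the task that hit the probe. */
static int on_hit(struct kprobe *p, struct pt_regs *regs)
{
	pr_info("procwatch: %s pid=%d comm=%s\n", p->symbol_name, current->pid, current->comm);
	return 0;
}

static struct kprobe kp_fork = { .pre_handler = on_hit };
static struct kprobe kp_exit = { .symbol_name = "do_exit", .pre_handler = on_hit };

static int __init procwatch_init(void)
{
	int ret;

	kp_fork.symbol_name = fork_symbol(LINUX_VERSION_CODE);
	ret = register_kprobe(&kp_fork);
	if (ret < 0)
		return ret; /* symbol missing or not probeable on this kernel */
	ret = register_kprobe(&kp_exit);
	if (ret < 0)
		unregister_kprobe(&kp_fork); /* do not leave a half-installed monitor */
	return ret;
}
static void __exit procwatch_exit(void)
{
	unregister_kprobe(&kp_exit);
	unregister_kprobe(&kp_fork);
}
module_init(procwatch_init);
module_exit(procwatch_exit);
MODULE_LICENSE("GPL"); /* register_kprobe is exported GPL-only */
#endif
```

The fork probe fires at function entry in the parent's context, so the logged pid is the parent's; reporting the child's pid would need a return probe on the same symbol.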