iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0

update killsnoop to use tracepoints #3592

Open brendangregg opened 3 years ago

brendangregg commented 3 years ago

This is a request for help.

I wrote killsnoop back in 2015 before tracepoint support, and so I kprobe'd sys_kill(). It still does some derivation of that. But now there's a report it no longer works on Linux 5.11: https://github.com/iovisor/bcc/pull/3572#issuecomment-900357032 CC @chenhengqi

Can someone please update killsnoop (both Python and libbpf-tools) to use tracepoints instead of kprobes (if it works as expected)? All of these:

  syscalls:sys_enter_kill                            [Tracepoint event]
  syscalls:sys_enter_tgkill                          [Tracepoint event]
  syscalls:sys_enter_tkill                           [Tracepoint event]
  syscalls:sys_exit_kill                             [Tracepoint event]
  syscalls:sys_exit_tgkill                           [Tracepoint event]
  syscalls:sys_exit_tkill                            [Tracepoint event]

chenhengqi commented 3 years ago

I made a mistake. I think the behavior of killsnoop.py is correct.

The manpage of kill(2) has the following description:

If sig is 0, then no signal is sent, but existence and permission checks are still performed; this can be
used to check for the existence of a process ID or process group ID that the caller is permitted to signal.

And using strace also confirmed this:

kill(1240, 0)                           = -1 EPERM (Operation not permitted)
kill(2733, 0)                           = -1 EPERM (Operation not permitted)
kill(1396, 0)                           = 0
kill(11199, 0)                          = -1 EPERM (Operation not permitted)
kill(685, 0)                            = -1 EPERM (Operation not permitted)
kill(757, 0)                            = 0
kill(1449, 0)                           = -1 EPERM (Operation not permitted)
kill(839, 0)                            = 0
kill(686, 0)                            = -1 EPERM (Operation not permitted)
kill(715, 0)                            = -1 EPERM (Operation not permitted)
kill(721, 0)                            = 0
kill(1148, 0)                           = -1 EPERM (Operation not permitted)
kill(1168, 0)                           = -1 EPERM (Operation not permitted)
kill(754, 0)                            = 0
kill(758, 0)                            = 0
kill(1173, 0)                           = -1 EPERM (Operation not permitted)
kill(8680, 0)                           = -1 EPERM (Operation not permitted)
kill(11327, 0)                          = -1 EPERM (Operation not permitted)
kill(1162, 0)                           = -1 EPERM (Operation not permitted)
kill(38592, 0)                          = -1 EPERM (Operation not permitted)

brendangregg commented 3 years ago

Yeah, the 0 signal (which has no name) is valid and used by a lot of software, and should be shown by killsnoop/sigsnoop.
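
An added example (not bcc's own killsnoop.py or its libbpf-tools port) covering both points in this thread: attaching to the syscalls:sys_enter_kill and syscalls:sys_exit_kill tracepoints instead of kprobing sys_kill, and reporting signal 0 (the existence/permission probe) instead of filtering it out. It assumes the bcc Python package and root; the map, struct and helper names are the example's own.

```python
# Added example (not bcc's killsnoop.py); needs the bcc package and root to run.
import errno
import signal
BPF_PROGRAM = r"""
#include <linux/sched.h>
struct ev_t { u32 pid; int tpid; int sig; int ret; char comm[TASK_COMM_LEN]; };
BPF_HASH(pending, u32, struct ev_t);  /* in-flight kill() calls keyed by tid */
BPF_PERF_OUTPUT(events);
TRACEPOINT_PROBE(syscalls, sys_enter_kill) {
    u64 id = bpf_get_current_pid_tgid();
    u32 tid = (u32)id;
    struct ev_t ev = {};
    ev.pid = id >> 32;
    ev.tpid = args->pid;  /* target pid (<= 0 addresses a process group) */
    ev.sig = args->sig;   /* 0 is valid: existence/permission check only */
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    pending.update(&tid, &ev);
    return 0;
}
TRACEPOINT_PROBE(syscalls, sys_exit_kill) {
    u32 tid = (u32)bpf_get_current_pid_tgid();
    struct ev_t *evp = pending.lookup(&tid);
    if (evp == 0) return 0;  /* entry missed: nothing to report */
    evp->ret = args->ret;    /* 0 on success, -errno on failure */
    events.perf_submit(args, evp, sizeof(*evp));
    pending.delete(&tid);
    return 0;
}
"""

def sig_name(sig):
    """Signal number to name; 0 has no name and unknown numbers stay numeric."""
    return signal.Signals(sig).name if sig in list(signal.Signals) else str(sig)

def format_event(pid, comm, tpid, sig, ret):
    """One output line; a negative return value is shown as its errno name."""
    result = "0" if ret >= 0 else "-1 " + errno.errorcode.get(-ret, str(ret))
    return "%-7d %-16s %-7d %-8s %s" % (pid, comm, tpid, sig_name(sig), result)

def main():
    from bcc import BPF  # imported here so the helpers work without bcc
    b = BPF(text=BPF_PROGRAM)
    def on_event(cpu, data, size):
        e = b["events"].event(data)
        print(format_event(e.pid, e.comm.decode(), e.tpid, e.sig, e.ret))
    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()
if __name__ == "__main__":
    main()
```

Extending it to tgkill/tkill is a matter of adding the same pair of probes for sys_enter_tgkill/sys_exit_tgkill and sys_enter_tkill/sys_exit_tkill, whose args carry the same pid and sig fields (plus tgid for tgkill).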

irenge commented 2 years ago

Is the issue closed? I'm looking for an issue to work on.

chenhengqi commented 2 years ago

@irenge Just assign it to you.

irenge commented 2 years ago

Thanks, I will work on it

matthew-olson-intel commented 1 year ago

As far as a libbpf implementation of killsnoop with tracepoints, I've noticed that sigsnoop (which uses tracepoints) implements that functionality with -k, so that's covered.

brendangregg commented 1 year ago

Thanks, so: