1 /* SPDX-License-Identifier: LGPL-2.1 WITH Linux-syscall-note */
2 /*
3  * cn_proc.h - process events connector
4  *
5  * Copyright (C) Matt Helsley, IBM Corp. 2005
6  * Based on cn_fork.h by Nguyen Anh Quynh and Guillaume Thouvenin
7  * Copyright (C) 2005 Nguyen Anh Quynh <aquynh@gmail.com>
8  * Copyright (C) 2005 Guillaume Thouvenin <guillaume.thouvenin@bull.net>
9  *
10  * This program is free software; you can redistribute it and/or modify it
11  * under the terms of version 2.1 of the GNU Lesser General Public License
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it would be useful, but
15  * WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
17  */
18 
19 #ifndef _UAPICN_PROC_H
20 #define _UAPICN_PROC_H
21 
22 #include <linux/types.h>
23 
/*
 * Operation code that userspace sends to the kernel to register whether it
 * is listening for events on the connector.
 *
 * NOTE(review): this header only defines the wire values. Any check on who
 * may subscribe is made in the kernel implementation, not here - confirm it
 * there before relying on it.
 */
enum proc_cn_mcast_op {
	PROC_CN_MCAST_LISTEN = 1,	/* register as a listener */
	PROC_CN_MCAST_IGNORE = 2	/* presumably: stop listening - confirm */
};
32 
/*
 * Mask with every event bit that enum proc_cn_event defines. valid_event()
 * ANDs a caller-supplied mask with it, so a bit that is missing here is
 * silently dropped from any mask passed through valid_event().
 */
#define PROC_EVENT_ALL (PROC_EVENT_FORK | PROC_EVENT_EXEC | PROC_EVENT_UID |  \
			PROC_EVENT_GID | PROC_EVENT_SID | PROC_EVENT_PTRACE | \
			PROC_EVENT_COMM | PROC_EVENT_NONZERO_EXIT |           \
			PROC_EVENT_COREDUMP | PROC_EVENT_EXIT)
37 
/*
 * Event identifiers. Each event is a distinct bit, so a value of this type
 * can name one event or record a set of events.
 *
 * If you add an entry in proc_cn_event, make sure you add it in
 * PROC_EVENT_ALL above as well.
 *
 * PROC_EVENT_EXIT uses bit 31 (0x80000000); keep event masks in an unsigned
 * 32-bit type when copying them out of the enum, so the top bit is not
 * misread as a sign bit.
 */
enum proc_cn_event {
	/* Use successive bits so the enums can be used to record
	 * sets of events as well
	 */
	PROC_EVENT_NONE = 0x00000000,	/* empty set: no event bit set */
	PROC_EVENT_FORK = 0x00000001,
	PROC_EVENT_EXEC = 0x00000002,
	PROC_EVENT_UID  = 0x00000004,
	/* bits 0x00000008, 0x00000010 and 0x00000020 are not assigned here */
	PROC_EVENT_GID  = 0x00000040,
	PROC_EVENT_SID  = 0x00000080,
	PROC_EVENT_PTRACE = 0x00000100,
	PROC_EVENT_COMM = 0x00000200,
	/* "next" should be 0x00000400 */
	/* The three highest bits are the end-of-life events:
	 * PROC_EVENT_EXIT is the last event for a process,
	 * PROC_EVENT_COREDUMP is the one before it, and
	 * PROC_EVENT_NONZERO_EXIT is reported only if the process dies
	 * with a non-zero exit status.
	 */
	PROC_EVENT_NONZERO_EXIT = 0x20000000,
	PROC_EVENT_COREDUMP = 0x40000000,
	PROC_EVENT_EXIT = 0x80000000
};
64 
/*
 * Listener request: a multicast operation together with an event selection.
 *
 * NOTE(review): both fields are supplied by userspace. event_type is
 * presumably a bitmask of PROC_EVENT_* values; the receiver should pass it
 * through valid_event() and range-check mcast_op before acting on either -
 * confirm against the kernel side.
 */
struct proc_input {
	enum proc_cn_mcast_op mcast_op;	/* PROC_CN_MCAST_LISTEN or PROC_CN_MCAST_IGNORE */
	enum proc_cn_event event_type;	/* requested event(s), see note above */
};
69 
/*
 * Restrict an event mask to the bits this header defines.
 *
 * Every bit of ev_type that is not part of PROC_EVENT_ALL is cleared. The
 * result equals PROC_EVENT_NONE when ev_type had no known event bit set, so
 * a caller that needs at least one event has to test for that itself.
 */
static inline enum proc_cn_event valid_event(enum proc_cn_event ev_type)
{
	const enum proc_cn_event known = (enum proc_cn_event)PROC_EVENT_ALL;

	return (enum proc_cn_event)(known & ev_type);
}
74 
/*
 * From the user's point of view, the process ID is the thread group ID and
 * the thread ID is the internal kernel "pid". So, fields are assigned as
 * follows:
 *
 *  In user space     -  In  kernel space
 *
 * parent process ID  =  parent->tgid
 * parent thread  ID  =  parent->pid
 * child  process ID  =  child->tgid
 * child  thread  ID  =  child->pid
 */

/*
 * One process event as delivered to a listener.
 *
 * `what` names the event; the member of event_data to read is the one that
 * matches it. All members share the same storage, so reading a member that
 * does not match `what` yields another event's bytes.
 *
 * Notes for consumers such as process-monitoring tools:
 *  - NOTE(review): validate the received payload length and the value of
 *    `what` before touching event_data; this header does not show how a
 *    short or unknown message is signalled.
 *  - The *_pid / *_tgid values identify a task at the time of the event
 *    only. The system can reuse IDs after exit, so pair them with
 *    timestamp_ns (or another stable identifier) when correlating events.
 */
struct proc_event {
	enum proc_cn_event what;	/* which event this is */
	__u32 cpu;			/* presumably the CPU that generated the event - confirm */
	/* NOTE(review): aligned(8) presumably keeps this field at the same
	 * offset for 32-bit and 64-bit userspace - confirm
	 */
	__u64 __attribute__((aligned(8))) timestamp_ns;
		/* Number of nanoseconds since system boot */
	union { /* must be last field of proc_event struct */
		/* NOTE(review): presumably the kernel's answer to a
		 * proc_input request, with err as its status - confirm
		 */
		struct {
			__u32 err;
		} ack;

		/* parent and child of a fork, as thread ID and process ID */
		struct fork_proc_event {
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
			__kernel_pid_t child_pid;
			__kernel_pid_t child_tgid;
		} fork;

		struct exec_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
		} exec;

		/* Shared by uid and gid changes: r and e each overlay the
		 * uid and the gid name on the same 32 bits. Presumably
		 * `what` (PROC_EVENT_UID or PROC_EVENT_GID) tells which
		 * name applies - confirm.
		 */
		struct id_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			union {
				__u32 ruid; /* task uid */
				__u32 rgid; /* task gid */
			} r;
			union {
				__u32 euid;
				__u32 egid;
			} e;
		} id;

		struct sid_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
		} sid;

		/* the traced task and the task tracing it */
		struct ptrace_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__kernel_pid_t tracer_pid;
			__kernel_pid_t tracer_tgid;
		} ptrace;

		/* NOTE(review): comm is a name the task can set for itself,
		 * so handle it as untrusted bytes: do not use it as an
		 * identity, bound every read to sizeof(comm), and escape it
		 * before logging. NUL termination is not established by
		 * this header.
		 */
		struct comm_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			char           comm[16];
		} comm;

		struct coredump_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
		} coredump;

		/* NOTE(review): parent_pid/parent_tgid sit after exit_signal;
		 * a consumer built against a layout without them would read
		 * a shorter member - check the message length.
		 */
		struct exit_proc_event {
			__kernel_pid_t process_pid;
			__kernel_pid_t process_tgid;
			__u32 exit_code, exit_signal;
			__kernel_pid_t parent_pid;
			__kernel_pid_t parent_tgid;
		} exit;

	} event_data;
};
158 
159 #endif /* _UAPICN_PROC_H */
160