tools/execsnoop: Add -M,--print-pcomm argument

Rtoax · yonghong-song · commit 4578cd9daa88 · 2024-06-21T19:46:22.000-07:00
Sometimes the parent process is executed instantly, tracing the parent command
would be a good choice know who executed the command. Thus, add PCOMM. At the
same time, rename the original PCOMM to COMM, and use PCOMM as the parent
command.

Before:

    $ sudo ./execsnoop.py
    COMM             PID     PPID    RET ARGS
    sh               44789   44682     0 /bin/sh -c cd /home/...
    gcc              44788   44682     0 /usr/bin/gcc -DCAPST...

After:

    $ sudo ./execsnoop.py -M
    COMM             PID     PCOMM            PPID    RET ARGS
    sh               44789   make             44682     0 /bin/sh -c cd /home/...
    gcc              44788   make             44682     0 /usr/bin/gcc -DCAPST...
                             ^^^^^^^^^^^^^^^^

Signed-off-by: Jiang Guirong &lt;rtoax@foxmail.com&gt;
Signed-off-by: Rong Tao &lt;rongtao@cestc.cn&gt;
diff --git a/tools/execsnoop.py b/tools/execsnoop.py
@@ -55,6 +55,7 @@ def parse_uid(user):
     ./execsnoop -P 181               # only trace new processes whose parent PID is 181
     ./execsnoop -U                   # include UID
     ./execsnoop -C                   # include CPU
+    ./execsnoop -M                   # include PCOMM
     ./execsnoop -u 1000              # only trace UID 1000
     ./execsnoop -u user              # get user UID and trace only them
     ./execsnoop -t                   # include timestamps
@@ -93,6 +94,8 @@ def parse_uid(user):
     help="print UID column")
 parser.add_argument("-C", "--print-cpu", action="store_true",
     help="print CPU column")
+parser.add_argument("-M", "--print-pcomm", action="store_true",
+    help="print parent command")
 parser.add_argument("--max-args", default="20",
     help="maximum number of arguments parsed and displayed, defaults to 20")
 parser.add_argument("-P", "--ppid",
@@ -131,6 +134,7 @@ def check_cpu_filed():
     u32 uid;
     u32 cpu;
     char comm[TASK_COMM_LEN];
+    char pcomm[TASK_COMM_LEN];
     enum event_type type;
     char argv[ARGSIZE];
     int retval;
@@ -180,6 +184,7 @@ def check_cpu_filed():
     // as the real_parent->tgid.
     // We use the get_ppid function as a fallback in those cases. (#1883)
     data.ppid = task->real_parent->tgid;
+    bpf_probe_read_kernel_str(&data.pcomm, sizeof(data.pcomm), task->real_parent->comm);
 
     PPID_FILTER
 
@@ -222,6 +227,7 @@ def check_cpu_filed():
     // as the real_parent->tgid.
     // We use the get_ppid function as a fallback in those cases. (#1883)
     data.ppid = task->real_parent->tgid;
+    bpf_probe_read_kernel_str(&data.pcomm, sizeof(data.pcomm), task->real_parent->comm);
     data.cpu = CPU_RUNNING_ON;
 
     PPID_FILTER
@@ -275,10 +281,13 @@ def check_cpu_filed():
     print("%-8s" % ("TIME(s)"), end="")
 if args.print_uid:
     print("%-6s" % ("UID"), end="")
+print("%-16s %-7s " % ("COMM", "PID"), end="")
+if args.print_pcomm:
+    print("%-16s " % ("PCOMM"), end="")
+print("%-7s " % ("PPID"), end="")
 if args.print_cpu:
-    print("%-16s %-7s %-7s %-4s %3s %s" % ("PCOMM", "PID", "PPID", "CPU", "RET", "ARGS"))
-else:
-    print("%-16s %-7s %-7s %3s %s" % ("PCOMM", "PID", "PPID", "RET", "ARGS"))
+    print("%-4s " % ("CPU"), end="")
+print("%3s %s" % ("RET", "ARGS"))
 
 class EventType(object):
     EVENT_ARG = 0
@@ -332,12 +341,13 @@ def print_event(cpu, data, size):
             ppid = event.ppid if event.ppid > 0 else get_ppid(event.pid)
             ppid = b"%d" % ppid if ppid > 0 else b"?"
             argv_text = b' '.join(argv[event.pid]).replace(b'\n', b'\\n')
+            printb(b"%-16s %-7d " % (event.comm, event.pid), nl="")
+            if args.print_pcomm:
+                printb(b"%-16s " % (event.pcomm), nl="")
+            printb(b"%-7s " % (ppid), nl="")
             if args.print_cpu:
-                printb(b"%-16s %-7d %-7s %-4d %3d %s" % (event.comm, event.pid,
-                   ppid, event.cpu, event.retval, argv_text))
-            else:
-                printb(b"%-16s %-7d %-7s %3d %s" % (event.comm, event.pid,
-                    ppid, event.retval, argv_text))
+                printb(b"%-4d " % (event.cpu), nl="")
+            printb(b"%3d %s" % (event.retval, argv_text))
         try:
             del(argv[event.pid])
         except Exception:
diff --git a/tools/execsnoop_example.txt b/tools/execsnoop_example.txt
@@ -5,7 +5,7 @@ execsnoop traces new processes. For example, tracing the commands invoked when
 running "man ls":
 
 # ./execsnoop
-PCOMM            PID    RET ARGS
+COMM             PID    RET ARGS
 bash             15887    0 /usr/bin/man ls
 preconv          15894    0 /usr/bin/preconv -e UTF-8
 man              15896    0 /usr/bin/tbl
@@ -16,8 +16,8 @@ nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -
 groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
 groff            15903    0 /usr/bin/grotty
 
-The output shows the parent process/command name (PCOMM), the PID, the return
-value of the exec() (RET), and the filename with arguments (ARGS).
+The output shows the process/command name (COMM), the PID, the return value of
+the exec() (RET), and the filename with arguments (ARGS).
 
 This works by traces the execve() system call (commonly used exec() variant),
 and shows details of the arguments and return value. This catches new processes
@@ -29,7 +29,7 @@ processes, which won't be included in the execsnoop output.
 The -x option can be used to include failed exec()s. For example:
 
 # ./execsnoop -x
-PCOMM            PID    RET ARGS
+COMM             PID    RET ARGS
 supervise        9660     0 ./run
 supervise        9661     0 ./run
 mkdir            9662     0 /bin/mkdir -p ./main
@@ -57,7 +57,7 @@ are allowed.
 For example, matching commands containing "mount":
 
 # ./execsnoop -Ttn mount
-TIME     TIME(s) PCOMM            PID    PPID  RET ARGS
+TIME     TIME(s) COMM             PID    PPID  RET ARGS
 14:08:23 2.849   mount            18049  1045    0 /bin/mount -p
 
 The -l option can be used to only show command where one of the arguments
@@ -66,7 +66,7 @@ arguments of the command. For example, matching all command where one of the arg
 is "testpkg":
 
 # ./execsnoop.py -l testpkg
-PCOMM            PID    PPID   RET ARGS
+COMM             PID    PPID   RET ARGS
 service          3344535 4146419   0 /usr/sbin/service testpkg status
 systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
 yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
@@ -89,15 +89,15 @@ The -U option include UID on output:
 
 # ./execsnoop -U
 
-UID   PCOMM            PID    PPID   RET ARGS
+UID   COMM             PID    PPID   RET ARGS
 1000  ls               171318 133702   0 /bin/ls --color=auto
 1000  w                171322 133702   0 /usr/bin/w
 
 The -u options filters output based process UID. You also can use username as
 argument, in that cause UID will be looked up using getpwnam (see man 3 getpwnam).
 
 # ./execsnoop -Uu 1000
-UID   PCOMM            PID    PPID   RET ARGS
+UID   COMM             PID    PPID   RET ARGS
 1000  ls               171335 133702   0 /bin/ls --color=auto
 1000  man              171340 133702   0 /usr/bin/man getpwnam
 1000  bzip2            171341 171340   0 /bin/bzip2 -dc
