问题描述

是否有可能在执行新进程，关闭新进程以及状态更改(例如，停止，分页等)时(通过回调或类似方法)得到通知?在用户领域，在/proc上设置目录侦听器很容易.

Is it possible to get notified (via callback or similar) when a new process is executed, when one is closed, and when state changes (ie. stopped, paged, etc)? In user-land, it would be easy to set up a directory listener on /proc.

推荐答案

您是否考虑过kprobes?您可以在执行某些内核代码时使用kprobes执行回调函数.例如，您可以添加do_fork kprobe，以在创建新进程时发出警报，如此示例.

Have you considered kprobes? You can use kprobes to execute a callback function when some kernel code is executed. E.g., you could add a do_fork kprobe to alert when new processes are created as in this example.

类似地，您可以为do_exit()添加一个探针，以在进程退出时进行捕获.

Similarly, you can add a probe for do_exit() to catch when processes exit.

要更改状态，可以在sched_switch()上有一个返回探针，并在状态更改时捕获.根据您的应用程序，这可能会增加过多的开销.

For changing state, you could have have a return probe on sched_switch() and catch when the state changes. Depending on your application, this may add too much overhead.

如果您只希望收集数据，进行一些轻处理并且不希望对内核模块做更多的事情，那么systemtap可能是编写内核模块的一个不错的选择: https://sourceware.org/systemtap/documentation.html

If you only wish to collect data, perform some light processing, and aren't looking to do much more with the kernel module, systemtap may be a good alternative to writing a kernel module: https://sourceware.org/systemtap/documentation.html

有关kprobes的更多详细信息: https://www.kernel.org/doc/Documentation/kprobes.txt

More details on kprobes:https://www.kernel.org/doc/Documentation/kprobes.txt

sched_switch() systemtap示例: https://sourceware.org/systemtap/examples/profiling/sched_switch.stp

sched_switch() systemtap example:https://sourceware.org/systemtap/examples/profiling/sched_switch.stp

这篇关于侦听Linux内核模块中的新进程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！