Avoid taskstats_exit and sched_process_exit

taskstats_exit can be compiled out based on kernel configuration.
Instead use disassociate_ctty(1) as an indication that group_dead
has been set. sched_process_exit is called before exit_files, so it's
possible that a socket disconnect event could be emitted after
a process termination. instead use exit_task_namespaces to emit the
exit event. we had little choice in the matter since sched_process_exit
is executed before disassociate_ctty, but sched_process_exit was still
the incorrect spot to emit an exit event and worth noting.

Author: nicholasberlin

GPL/Events/Process/Probe.bpf.c

@@ -195,20 +195,42 @@ int BPF_PROG(sched_process_exec,
 // The problem is taskstats_exit__enter happens before file descriptors are
 // closed in exit_files(), so instead of emiting the event here, record that we
 // saw group_dead and delay emiting the event until sched_process_exit().
-static int taskstats_exit__enter(const struct task_struct *task, int group_dead)
+//
+// UPDATE: taskstats_exit can be compiled out of the kernel based on configuration.
+// So, instead we use disassociate_ctty and exit_task_namespaces which are always
+// present. disassociate_ctty is called from do_exit() only when group_dead is true,
+// and in that case, the parameter, on_exit, is set to true. exit_task_namespaces
+// is called after diassociate_ctty in do_exit() unconditionally, so we can use it to
+// emit the event if we "saw" group_dead, i.e. disassociate_ctty was called.
+// Finally, sched_process_exit() is not called after exit_files, but exit_task_namespaces
+// is.
+static int disassociate_ctty__enter(int on_exit)
 {
     struct ebpf_events_state state = {};
+    const struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 
-    if (!group_dead || is_kernel_thread(task))
+    if (!on_exit || is_kernel_thread(task))
         return 0;
 
     ebpf_events_state__set(EBPF_EVENTS_STATE_GROUP_DEAD, &state);
 
     return 0;
 }
 
-SEC("tp_btf/sched_process_exit")
-int BPF_PROG(sched_process_exit, const struct task_struct *task)
+SEC("fentry/disassociate_ctty")
+int BPF_PROG(fentry__disassociate_ctty, int on_exit)
+{
+    return disassociate_ctty__enter(on_exit);
+}
+
+
+SEC("kprobe/disassociate_ctty")
+int BPF_KPROBE(kprobe__disassociate_ctty, int on_exit)
+{
+    return disassociate_ctty__enter(on_exit);
+}
+
+static int exit_task_namespaces__enter(const struct task_struct *task)
 {
     struct ebpf_process_exit_event *event;
 
@@ -247,18 +269,19 @@ int BPF_PROG(sched_process_exit, const struct task_struct *task)
     return 0;
 }
 
-SEC("fentry/taskstats_exit")
-int BPF_PROG(fentry__taskstats_exit, const struct task_struct *task, int group_dead)
+SEC("fentry/exit_task_namespaces")
+int BPF_PROG(fentry__exit_task_namespaces, const struct task_struct *task)
 {
-    return taskstats_exit__enter(task, group_dead);
+    return exit_task_namespaces__enter(task);
 }
 
-SEC("kprobe/taskstats_exit")
-int BPF_KPROBE(kprobe__taskstats_exit, const struct task_struct *task, int group_dead)
+SEC("kprobe/exit_task_namespaces")
+int BPF_KPROBE(kprobe__exit_task_namespaces, const struct task_struct *task)
 {
-    return taskstats_exit__enter(task, group_dead);
+    return exit_task_namespaces__enter(task);
 }
 
+
 // tracepoint/syscalls/sys_[enter/exit]_[name] tracepoints are not available
 // with BTF type information, so we must use a non-BTF tracepoint
 SEC("tracepoint/syscalls/sys_exit_setsid")

non-GPL/Events/Lib/EbpfEvents.c

@@ -381,7 +381,8 @@ static int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj, uint6
         err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__do_filp_open, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kprobe__vfs_rename, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__vfs_rename, false);
-        err = err ?: bpf_program__set_autoload(obj->progs.kprobe__taskstats_exit, false);
+        err = err ?: bpf_program__set_autoload(obj->progs.kprobe__disassociate_ctty, false);
+        err = err ?: bpf_program__set_autoload(obj->progs.kprobe__exit_task_namespaces, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kprobe__commit_creds, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kretprobe__inet_csk_accept, false);
         err = err ?: bpf_program__set_autoload(obj->progs.kprobe__tcp_v4_connect, false);
@@ -403,7 +404,8 @@ static int probe_set_autoload(struct btf *btf, struct EventProbe_bpf *obj, uint6
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__do_filp_open, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fentry__vfs_rename, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__vfs_rename, false);
-        err = err ?: bpf_program__set_autoload(obj->progs.fentry__taskstats_exit, false);
+        err = err ?: bpf_program__set_autoload(obj->progs.fentry__disassociate_ctty, false);
+        err = err ?: bpf_program__set_autoload(obj->progs.fentry__exit_task_namespaces, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fentry__commit_creds, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__inet_csk_accept, false);
         err = err ?: bpf_program__set_autoload(obj->progs.fexit__tcp_v4_connect, false);
@@ -473,7 +475,7 @@ static bool system_has_bpf_tramp(void)
         {.code = BPF_EXIT | BPF_JMP, .dst_reg = 0, .src_reg = 0, .off = 0, .imm = 0}};
     int insns_cnt = 2;
 
-    btf_id = btf__find_by_name(btf, "taskstats_exit");
+    btf_id = btf__find_by_name(btf, "disassociate_ctty");
     LIBBPF_OPTS(bpf_prog_load_opts, opts, .log_buf = NULL, .log_level = 0,
                 .expected_attach_type = BPF_TRACE_FENTRY, .attach_btf_id = btf_id);
     prog_fd = bpf_prog_load(BPF_PROG_TYPE_TRACING, NULL, "GPL", insns, insns_cnt, &opts);