Add inline comment about issue in 4.13 kernels.

Signed-off-by: David Calavera <david.calavera@gmail.com>

Add inline comment about issue in 4.13 kernels.
Signed-off-by: David Calavera <david.calavera@gmail.com>
4fae4975 · David Calavera · dee18fe9 · 4fae4975
Commit 4fae4975 authored Jul 13, 2018 by David Calavera
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

tools/execsnoop.py tools/execsnoop.py +7 -1

No files found.
--- a/tools/execsnoop.py
+++ b/tools/execsnoop.py
@@ -111,6 +111,9 @@ int syscall__execve(struct pt_regs *ctx,
    data.pid = bpf_get_current_pid_tgid() >> 32;

    task = (struct task_struct *)bpf_get_current_task();
+    // Some kernels, like Ubuntu 4.13.0-generic, return 0
+    // as the real_parent->tgid.
+    // We use the get_ppid function as a fallback in those cases. (#1883)
    data.ppid = task->real_parent->tgid;

    bpf_get_current_comm(&data.comm, sizeof(data.comm));
@@ -140,6 +143,9 @@ int do_ret_sys_execve(struct pt_regs *ctx)
    data.pid = bpf_get_current_pid_tgid() >> 32;

    task = (struct task_struct *)bpf_get_current_task();
+    // Some kernels, like Ubuntu 4.13.0-generic, return 0
+    // as the real_parent->tgid.
+    // We use the get_ppid function as a fallback in those cases. (#1883)
    data.ppid = task->real_parent->tgid;

    bpf_get_current_comm(&data.comm, sizeof(data.comm));
@@ -187,7 +193,7 @@ class EventType(object):
 start_ts = time.time()
 argv = defaultdict(list)

-# TODO: This is best-effort PPID matching. Short-lived processes may exit
+# This is best-effort PPID matching. Short-lived processes may exit
 # before we get a chance to read the PPID.
 # This is a fallback for when fetching the PPID from task->real_parent->tgip
 # returns 0, which happens in some kernel versions.