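#!/usr/bin/env python
# @lint-avoid-python-3-compatibility-imports
#
# capable   Trace security capability checks (cap_capable()).
#           For Linux, uses BCC, eBPF. Embedded C.
#
# USAGE: capable [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap CGROUPMAP]
#                [--mntnsmap MNTNSMAP] [--unique]
#
# The probe fires on entry to cap_capable(), so each output line records that
# a capability was *checked*; the result of the check (granted or denied) is
# not captured by this tool.
#
# Copyright 2016 Netflix, Inc.
# Licensed under the Apache License, Version 2.0 (the "License")
#
# 13-Sep-2016   Brendan Gregg   Created this.

from __future__ import print_function
from os import getpid
from functools import partial
from bcc import BPF
from bcc.containers import filter_by_containers
import errno
import argparse
from time import strftime

# arguments
examples = """examples:
    ./capable             # trace capability checks
    ./capable -v          # verbose: include non-audit checks
    ./capable -p 181      # only trace PID 181
    ./capable -K          # add kernel stacks to trace
    ./capable -U          # add user-space stacks to trace
    ./capable -x          # extra fields: show TID and INSETID columns
    ./capable --unique    # don't repeat stacks for the same pid or cgroup
    ./capable --cgroupmap mappath  # only trace cgroups in this BPF map
    ./capable --mntnsmap mappath   # only trace mount namespaces in the map
"""
parser = argparse.ArgumentParser(
    description="Trace security capability checks",
    formatter_class=argparse.RawDescriptionHelpFormatter,
    epilog=examples)
parser.add_argument("-v", "--verbose", action="store_true",
    help="include non-audit checks")
# The PID is spliced into the C source below, which is then compiled and
# loaded into the kernel. Parsing it as an integer here keeps arbitrary text
# (for example from a wrapper script that forwards its own input) out of the
# generated program.
parser.add_argument("-p", "--pid", type=int,
    help="trace this PID only")
parser.add_argument("-K", "--kernel-stack", action="store_true",
    help="output kernel stack trace")
parser.add_argument("-U", "--user-stack", action="store_true",
    help="output user stack trace")
parser.add_argument("-x", "--extra", action="store_true",
    help="show extra fields in TID and INSETID columns")
parser.add_argument("--cgroupmap",
    help="trace cgroups in this BPF map only")
parser.add_argument("--mntnsmap",
    help="trace mount namespaces in this BPF map only")
parser.add_argument("--unique", action="store_true",
    help="don't repeat stacks for the same pid or cgroup")
args = parser.parse_args()
debug = 0

# capabilities to names, generated from (and will need updating):
# awk '/^#define.CAP_.*[0-9]$/ { print "    " $3 ": \"" $2 "\"," }' \
#     include/uapi/linux/capability.h
# A capability number that is missing from this table is printed as "?", so a
# "?" in the NAME column means the table is older than the running kernel.
capabilities = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER",
    4: "CAP_FSETID",
    5: "CAP_KILL",
    6: "CAP_SETGID",
    7: "CAP_SETUID",
    8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE",
    11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    14: "CAP_IPC_LOCK",
    15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO",
    18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT",
    21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT",
    23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME",
    26: "CAP_SYS_TTY_CONFIG",
    27: "CAP_MKNOD",
    28: "CAP_LEASE",
    29: "CAP_AUDIT_WRITE",
    30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE",
    33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG",
    35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
    38: "CAP_PERFMON",
    39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

class Enum(set):
    """Set of names whose members can also be read as attributes."""

    def __getattr__(self, name):
        # Attribute access returns the member string itself, so
        # StackType.Kernel evaluates to "Kernel".
        if name in self:
            return name
        raise AttributeError(name)

# Stack trace types
StackType = Enum(("Kernel", "User",))

# define BPF program
#
# Notes on the embedded C below:
#  * FILTER1/FILTER2/FILTER3 and UNIQUESET are placeholders substituted by the
#    Python code that follows the literal.
#  * `pid` is the low 32 bits of bpf_get_current_pid_tgid() (the kernel's
#    per-thread id) and `tgid` is the high 32 bits (the process id). The -p
#    filter compares against `pid`, so it matches one thread; capability
#    checks made by other threads of the same process are not reported.
#    NOTE(review): confirm whether -p is meant to filter on tgid instead.
#  * When <linux/security.h> defines CAP_OPT_NONE the last argument is a flag
#    word: `audit` is 1 unless bit 0b10 (CAP_OPT_NOAUDIT) is set and `insetid`
#    reflects bit 0b100 (CAP_OPT_INSETID). Otherwise the argument is taken as
#    the audit flag directly and insetid is reported as -1 ("N/A").
#  * NOTE(review): struct repeat_t guards its cgroupid field with CGROUPSET
#    while the probe body guards the assignment with CGROUP_ID_SET. Neither
#    macro is defined in this file; confirm what filter_by_containers() emits,
#    because defining only CGROUP_ID_SET would reference a missing field.
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>
#include <linux/security.h>

struct data_t {
   u32 tgid;
   u32 pid;
   u32 uid;
   int cap;
   int audit;
   int insetid;
   char comm[TASK_COMM_LEN];
#ifdef KERNEL_STACKS
   int kernel_stack_id;
#endif
#ifdef USER_STACKS
   int user_stack_id;
#endif
};

BPF_PERF_OUTPUT(events);

#if UNIQUESET
struct repeat_t {
    int cap;
    u32 tgid;
#if CGROUPSET
    u64 cgroupid;
#endif
#ifdef KERNEL_STACKS
    int kernel_stack_id;
#endif
#ifdef USER_STACKS
    int user_stack_id;
#endif
};
BPF_HASH(seen, struct repeat_t, u64);
#endif

#if defined(USER_STACKS) || defined(KERNEL_STACKS)
BPF_STACK_TRACE(stacks, 2048);
#endif

int kprobe__cap_capable(struct pt_regs *ctx, const struct cred *cred,
    struct user_namespace *targ_ns, int cap, int cap_opt)
{
    u64 __pid_tgid = bpf_get_current_pid_tgid();
    u32 tgid = __pid_tgid >> 32;
    u32 pid = __pid_tgid;
    int audit;
    int insetid;

  #ifdef CAP_OPT_NONE
    audit = (cap_opt & 0b10) == 0;
    insetid = (cap_opt & 0b100) != 0;
  #else
    audit = cap_opt;
    insetid = -1;
  #endif

    FILTER1
    FILTER2
    FILTER3

    if (container_should_be_filtered()) {
        return 0;
    }

    u32 uid = bpf_get_current_uid_gid();

    struct data_t data = {};

    data.tgid = tgid;
    data.pid = pid;
    data.uid = uid;
    data.cap = cap;
    data.audit = audit;
    data.insetid = insetid;
#ifdef KERNEL_STACKS
    data.kernel_stack_id = stacks.get_stackid(ctx, 0);
#endif
#ifdef USER_STACKS
    data.user_stack_id = stacks.get_stackid(ctx, BPF_F_USER_STACK);
#endif

#if UNIQUESET
    struct repeat_t repeat = {0,};
    repeat.cap = cap;
#if CGROUP_ID_SET
    repeat.cgroupid = bpf_get_current_cgroup_id();
#else
    repeat.tgid = tgid;
#endif
#ifdef KERNEL_STACKS
    repeat.kernel_stack_id = data.kernel_stack_id;
#endif
#ifdef USER_STACKS
    repeat.user_stack_id = data.user_stack_id;
#endif
    if (seen.lookup(&repeat) != NULL) {
        return 0;
    }
    u64 zero = 0;
    seen.update(&repeat, &zero);
#endif

    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    events.perf_submit(ctx, &data, sizeof(data));

    return 0;
};
"""
# FILTER1: optional -p filter. args.pid is an int (see add_argument above),
# so only a decimal number can reach the generated C.
if args.pid is not None:
    bpf_text = bpf_text.replace('FILTER1',
        'if (pid != %d) { return 0; }' % args.pid)
# FILTER2: unless -v is given, checks made with auditing disabled are dropped
# in the kernel and never reach the output.
if not args.verbose:
    bpf_text = bpf_text.replace('FILTER2', 'if (audit == 0) { return 0; }')
if args.kernel_stack:
    bpf_text = "#define KERNEL_STACKS\n" + bpf_text
if args.user_stack:
    bpf_text = "#define USER_STACKS\n" + bpf_text
# Placeholders that were not substituted above expand to nothing.
bpf_text = bpf_text.replace('FILTER1', '')
bpf_text = bpf_text.replace('FILTER2', '')
# FILTER3: drop events whose `pid` equals this tracer's own getpid().
bpf_text = bpf_text.replace('FILTER3',
    'if (pid == %d) { return 0; }' % getpid())
# Prepends the helper text that provides container_should_be_filtered().
bpf_text = filter_by_containers(args) + bpf_text
bpf_text = bpf_text.replace('UNIQUESET', '1' if args.unique else '0')
if debug:
    print(bpf_text)

# initialize BPF
b = BPF(text=bpf_text)

# header
if args.extra:
    print("%-9s %-6s %-6s %-6s %-16s %-4s %-20s %-6s %s" % (
        "TIME", "UID", "PID", "TID", "COMM", "CAP", "NAME", "AUDIT", "INSETID"))
else:
    print("%-9s %-6s %-6s %-16s %-4s %-20s %-6s" % (
        "TIME", "UID", "PID", "COMM", "CAP", "NAME", "AUDIT"))

def stack_id_err(stack_id):
    """Return True when stack_id is a negative value other than -EFAULT."""
    # -EFAULT in get_stackid normally means the stack-trace is not available,
    # Such as getting kernel stack trace in userspace code
    return (stack_id < 0) and (stack_id != -errno.EFAULT)

def print_stack(bpf, stack_id, stack_type, tgid):
    """Print one symbolised frame per line for the given stack id.

    A "[Missed ... Stack]" marker is printed instead when stack_id_err()
    reports the id as an error.
    """
    if stack_id_err(stack_id):
        print("    [Missed %s Stack]" % stack_type)
        return
    stack = list(bpf.get_table("stacks").walk(stack_id))
    for addr in stack:
        print("        ", end="")
        print("%s" % (bpf.sym(addr, tgid, show_module=True, show_offset=True)))

# process event
def print_event(bpf, cpu, data, size):
    """Perf-buffer callback: format and print one capability-check event."""
    event = bpf["events"].event(data)

    name = capabilities.get(event.cap, "?")
    # COMM comes from bpf_get_current_comm(), i.e. a name the traced task can
    # set itself; treat it as a hint and correlate on the numeric ids.
    comm = event.comm.decode('utf-8', 'replace')
    # NOTE(review): the PID column prints event.pid (low half of pid_tgid) and
    # the TID column prints event.tgid (high half); relative to user-space
    # naming the two labels look swapped -- confirm before relying on them.
    if args.extra:
        print("%-9s %-6d %-6d %-6d %-16s %-4d %-20s %-6d %s" % (strftime("%H:%M:%S"),
            event.uid, event.pid, event.tgid, comm,
            event.cap, name, event.audit, str(event.insetid) if event.insetid != -1 else "N/A"))
    else:
        print("%-9s %-6d %-6d %-16s %-4d %-20s %-6d" % (strftime("%H:%M:%S"),
            event.uid, event.pid, comm,
            event.cap, name, event.audit))
    if args.kernel_stack:
        print_stack(bpf, event.kernel_stack_id, StackType.Kernel, -1)
    if args.user_stack:
        print_stack(bpf, event.user_stack_id, StackType.User, event.tgid)

# loop with callback to print_event
callback = partial(print_event, b)
b["events"].open_perf_buffer(callback)
while True:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        exit()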