5

I'm wondering if there is a hook that could be used in a Linux Kernel Module that is fired when a user space application/process is killed ?

ZedTuX
  • 2,859
  • 3
  • 28
  • 58
  • Is it only for a specific process or all processes ? Are you interested in the process receiving certain signals or the process just exiting gracefully as well ? – Tuxdude Mar 02 '13 at 19:25
  • 1
    On **ARM**, `#include ` and `thread_register_notifier()`. Use `THREAD_NOTIFY_EXIT`. See: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/include/asm/thread_notify.h – artless noise Mar 02 '13 at 20:13
  • @Tuxdude: It is for all processes and for any signals. In my case my kernel module is saving some data based on the PID and it have to be cleaned as soon as the process die. – ZedTuX Mar 03 '13 at 11:10
  • @BillPringlemeir thank you for this I'm looking at your link and try to see if I can do something on non-ARM architectures :) – ZedTuX Mar 03 '13 at 11:11
  • Until now having a look at kernel sources and I found that LSM has a task_free hook.. but unfortunately I can't hook on it. Now I'm looking at cgroups after having looking that link: http://linux-kernel.2935.n7.nabble.com/Notification-when-a-task-is-created-exits-td342592.html. Also I found this link: http://stackoverflow.com/questions/13863270/linux-module-being-notified-about-task-creation-and-destruction but it looks ugly to me :-(. – ZedTuX Mar 05 '13 at 20:06
  • Another solution could be to use inotify on /proc/... – ZedTuX Mar 06 '13 at 10:16
  • Interesting ... indeed it seems that `do_exit()` is quite a mess because all subsystems with "interest" in exit hooks put a function call of their own into the (long) list. The ARM one above is called from there through `exit_thread()` - which is an architecture-specific exit hook. – FrankH. Mar 07 '13 at 16:14
  • Alright inotify can't watch the /proc as it isn't a real folder and sub folders but just a window to the kernel structures. – ZedTuX Mar 07 '13 at 18:09
  • This seems to be impossible... or nobody needed this before ;-( – ZedTuX Jul 21 '13 at 09:23

1 Answers1

2

You could first register for a notifier chain within your kernel module.

Inside get_signal_to_deliver(kernel/signal.c), any process which has just (this being a relative term IMHO) been killed has its PF_SIGNALED flag being set. Here you could check for the name of the current process using its tcomm field like so:

char tcomm[sizeof(current->comm)];
get_task_comm(tcomm, current);

If it is indeed the process under question, you could just fire the notification chain which will awaken your module which has been waiting on that chain.

AjB
  • 890
  • 13
  • 34