Detect new process creation instantly in Linux

I am trying to create a user-space application that sets process affinity. I would like the program to run immediately every time the kernel starts a new pid/tid. I'm trying to write to a node file under /proc from the do_fork() method in the kernel, but I feel like it might have too much overhead.

Does anyone know of any alternatives for detecting new process creation immediately after it happens?

If monitoring do_fork() is the way to go, would calling back to a user-space program with a system call be faster than using an fs node for communication?

+5


3 answers


Use a socket with NETLINK_CONNECTOR. The kernel will tell you about process events, including fork()s and exec()s. Your kernel must have CONFIG_CONNECTOR and CONFIG_PROC_EVENTS enabled.

Here is a related question with more details:

Detect running programs on Linux platform

For a complete NETLINK_CONNECTOR socket example see:



http://bewareofgeek.livejournal.com/2945.html

As an aside, inotify doesn't work. It won't work in /proc/ to detect new processes:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/454722

+6
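The approach this answer describes, as an added example that is not part of the original answer or of the linked post: a C listener that subscribes to the proc connector and prints the child of every fork, dropping datagrams that did not come from the kernel (`nl_pid == 0`). The function names `parse_fork` and `proc_events_open` are this example's own; it assumes the kernel's userspace headers are installed and that the process has the privileges (typically root) to join the connector multicast group.

```c
#include <sys/socket.h>
#include <linux/cn_proc.h>
#include <linux/connector.h>
#include <linux/netlink.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 and stores the child's ids if buf holds a fork event, else 0. */
int parse_fork(const char *buf, size_t len, int *pid, int *tgid)
{
    struct nlmsghdr nlh; struct cn_msg cn; struct proc_event ev;
    size_t need = offsetof(struct proc_event, event_data) + sizeof ev.event_data.fork;
    if (len < NLMSG_HDRLEN + sizeof cn + need) return 0;      /* truncated datagram */
    memcpy(&nlh, buf, sizeof nlh);
    memcpy(&cn, buf + NLMSG_HDRLEN, sizeof cn);
    memcpy(&ev, buf + NLMSG_HDRLEN + sizeof cn, need);
    if (nlh.nlmsg_len > len || cn.id.idx != CN_IDX_PROC || cn.id.val != CN_VAL_PROC) return 0;
    if (ev.what != PROC_EVENT_FORK) return 0;                 /* exec, exit, ... ignored */
    *pid = ev.event_data.fork.child_pid; *tgid = ev.event_data.fork.child_tgid;
    return 1;
}

/* Opens the connector socket and sends PROC_CN_MCAST_LISTEN; returns fd or -1. */
int proc_events_open(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = CN_IDX_PROC };
    struct { struct nlmsghdr nlh; struct cn_msg cn; enum proc_cn_mcast_op op; } req = {
        .nlh = { .nlmsg_len = sizeof req, .nlmsg_type = NLMSG_DONE },
        .cn = { .id = { CN_IDX_PROC, CN_VAL_PROC }, .len = sizeof req.op },
        .op = PROC_CN_MCAST_LISTEN };
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
    if (fd >= 0 && (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
                    send(fd, &req, sizeof req, 0) < 0)) { close(fd); fd = -1; }
    return fd;
}

int main(void)
{
    char buf[4096]; struct sockaddr_nl from; int pid, tgid, fd = proc_events_open();
    if (fd < 0) { perror("proc connector"); return 1; }
    for (socklen_t fl = sizeof from;; fl = sizeof from) {
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n <= 0) break;
        if (from.nl_pid == 0 && parse_fork(buf, (size_t)n, &pid, &tgid)) /* kernel only */
            printf("fork: child pid=%d tgid=%d\n", pid, tgid);
    }
    return 0;
}
```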


Forkstat is a program that logs fork() events. Install it:

$ sudo apt-get install forkstat

Use it to log fork events:

$ forkstat -e fork

+5



For a complete NETLINK_CONNECTOR socket example see:

http://bewareofgeek.livejournal.com/2945.html

The example above works on x86 Linux/Ubuntu. When I cross-compiled the same code for an embedded Linux/ARM/Atom platform with CONFIG_CONNECTOR and CONFIG_PROC_EVENTS enabled in the kernel, I see a "socket: Protocol not supported" error.

Kernel version: 3.12.14, busybox version: v1.22.1

Should any other config be enabled?

0

