Sindbad~EG File Manager

@__private30 global _target_set # map: target-set-pid -> ancestor-pid

/**
 * sfunction target_set_pid - Does pid descend from target process?
 *
 * @pid: The pid of the process to query
 *
 * Description: This function returns whether the given process-id is
 * within the "target set", that is whether it is a descendant of the
 * top-level target() process.
 */
function target_set_pid (pid)
{
	return ([pid] in _target_set)
}

probe init
{
	if (target())
		_target_set[target()] = stp_pid()
}


# pre-2.6.18 systems don't support dwarfless probes,
# so we'll use 'syscall' probes instead of 'nd_syscall' probes.

probe process.begin !,
%( kernel_v >= "2.6.18" %?
      nd_syscall.fork.return ?, nd_syscall.vfork.return ?,
      nd_syscall.clone.return !,
%)
      syscall.fork.return, syscall.vfork.return, syscall.clone.return
{
	if (is_return()) {
		# fork.return runs in parent context
		pid = @choose_defined($return, returnval())
		ppid = pid()
	} else {
		# process.begin runs in child context
		pid = pid()
		ppid = ppid()
	}

	# NB: when using process.*, if target() execs we'll see a process.end
	# (removing it) then a new process.begin.  The target's ppid (stp_pid)
	# is not part of the target set, so check for this case.
	if (pid == target() || ppid in _target_set)
		_target_set[pid] = ppid
}

probe process.end !,
%( kernel_v >= "2.6.18" %?
      nd_syscall.exit !,
%)
      syscall.exit
{
	delete _target_set[pid()]
}


/**
 * sfunction target_set_report - Print a report about the target set
 *
 * Description: This function prints a report about the processes in the
 * target set, and their ancestry.
 */
function target_set_report ()
{
	printf("target set:\n")
	foreach (pid in _target_set+)
		printf("%d begat %d\n", _target_set[pid], pid)
}