Listening for new Processes in Linux Kernel Module

大城市里の小女人 submitted on 2020-01-02 04:50:07

Question


Is it possible to get notified (via callback or similar) when a new process is executed, when one is closed, and when state changes (i.e. stopped, paged, etc.)? In user-land, it would be easy to set up a directory listener on /proc.


Answer 1:


Have you considered kprobes? You can use kprobes to execute a callback function when some kernel code is executed. E.g., you could add a do_fork kprobe to alert when new processes are created as in this example.

Similarly, you can add a probe for do_exit() to catch when processes exit.

For changing state, you could have a return probe on sched_switch() and catch when the state changes. Depending on your application, this may add too much overhead.

If you only wish to collect data, perform some light processing, and aren't looking to do much more with the kernel module, systemtap may be a good alternative to writing a kernel module: https://sourceware.org/systemtap/documentation.html

More details on kprobes: https://www.kernel.org/doc/Documentation/kprobes.txt

sched_switch() systemtap example: https://sourceware.org/systemtap/examples/profiling/sched_switch.stp
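
A minimal module along the lines of the answer above, added here as an example and not taken from the original post: a kretprobe on the fork path reports the child PID and a kprobe on do_exit reports task exit. The module name `procmon`, the `fork_sym` parameter, the helper `fork_child_pid` and the probed symbol names are assumptions; check `/proc/kallsyms` for the fork symbol your kernel exports.

```c
/* Added example. The fork path returns the child PID or a negative errno; newer
 * kernels return a 32-bit pid_t, so truncate the raw register before testing. */
static int fork_child_pid(unsigned long raw)
{
	return (int)raw > 0 ? (int)raw : 0;	/* 0 means the fork failed */
}

#ifdef __KERNEL__	/* module glue; the helper above also builds in user space */
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/sched.h>
/* Assumed symbol names: do_fork became _do_fork (4.2), then kernel_clone (5.10). */
static char *fork_sym = "kernel_clone";
module_param(fork_sym, charp, 0444);
static int fork_ret(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	int child = fork_child_pid(regs_return_value(regs));
	if (child)	/* handler runs in the parent's context */
		pr_info("procmon: fork %d (%s) -> %d\n", current->tgid, current->comm, child);
	return 0;
}
static int exit_pre(struct kprobe *kp, struct pt_regs *regs)
{
	pr_info("procmon: exit %d (%s)\n", current->pid, current->comm);
	return 0;
}
static struct kretprobe fork_krp = { .handler = fork_ret, .maxactive = 64 };
static struct kprobe exit_kp = { .symbol_name = "do_exit", .pre_handler = exit_pre };
static int __init procmon_init(void)
{
	int err;
	fork_krp.kp.symbol_name = fork_sym;
	err = register_kretprobe(&fork_krp);
	if (err)
		return err;	/* e.g. fork_sym not present in this kernel */
	err = register_kprobe(&exit_kp);
	if (err)
		unregister_kretprobe(&fork_krp);
	return err;
}
static void __exit procmon_exit(void)
{
	unregister_kprobe(&exit_kp);
	unregister_kretprobe(&fork_krp);
}
module_init(procmon_init);
module_exit(procmon_exit);
MODULE_LICENSE("GPL");
#endif
```

Both probes fire per task, so thread creation and thread exit are logged as well as whole-process events.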



Source: https://stackoverflow.com/questions/26243638/listening-for-new-processes-in-linux-kernel-module
