#! /usr/bin/env stap # # Copyright (C) 2018 Kyle Walker # # This copyrighted material is made available to anyone wishing to use, # modify, copy, or redistribute it subject to the terms and conditions # of the GNU General Public License, either version 2 of the License, or # (at your option) any later version # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software Foundation, # Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Description: # Monitors for process termination signals and returns parentage # information for the process that is issuing the signal. # # Author: Kyle Walker # # ChangeLog: # * Thu Dec 27 2018 Kyle Walker # - Renamed the utility to termination-signal-grabber.stp # - Added the SIGTERM and SIGABRT signals to the script # - Corrected the script example output # - Made the syscall.kill operation only match for termination signals # # * Wed Sep 05 2018 Kyle Walker # - Initial release. 
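#
# Example of usage:
#
# # stap termination-signal-grabber.stp &
# Thu Dec 27 08:43:53 2018 EST: Now monitoring for process termination signals
# # killall stap
# Thu Dec 27 08:44:00 2018 EST: sys.kill: swapper[0] -> init[1] -> sshd[1617] -> sshd[1805] -> sshd[1808] -> bash[1809] -> sudo[1826] -> su[1827] -> killall(5762) called kill 5462, SIGTERM killed stap
# Thu Dec 27 08:44:00 2018 EST: sig.send: SIGTERM was sent to stap (pid:5462) by swapper[0] -> init[1] -> sshd[1617] -> sshd[1805] -> sshd[1808] -> bash[1809] -> sudo[1826] -> su[1827] -> killall (pid:5762) uid:0 using signal_generate
# Thu Dec 27 08:44:00 2018 EST: sys.kill: swapper[0] -> init[1] -> sshd[1617] -> sshd[1805] -> sshd[1808] -> bash[1809] -> sudo[1826] -> su[1827] -> stap(5462) called kill 5759, SIGTERM killed stapio
# Thu Dec 27 08:44:00 2018 EST: sig.send: SIGTERM was sent to stapio (pid:5759) by swapper[0] -> init[1] -> sshd[1617] -> sshd[1805] -> sshd[1808] -> bash[1809] -> sudo[1826] -> su[1827] -> stap (pid:5462) uid:0 using signal_generate
#
# NOTE: the sample above was captured with the earlier get_parents(), which
# skipped the caller's immediate parent. Current output has one more
# "name[pid] ->" entry directly before the caller.

# Announce start-up. The trailing newline keeps the first event record on its
# own line, so every record begins with its timestamp.
probe begin {
  printf("%-25s: Now monitoring for process termination signals\n", tz_ctime(gettimeofday_s()))
}

# Build the ancestry of the current task as "name[pid] -> name[pid] -> ",
# oldest ancestor first, ready to be followed by the caller's own name.
#
# The chain starts at the immediate parent. The earlier version advanced to
# the grandparent before recording anything, so the process that actually
# spawned the signal sender (typically the interactive shell or the service
# wrapper) was missing from every record.
#
# Returns: the formatted chain; it always ends with " -> ".
function get_parents () {
  retstr = "";
  ancestor = task_parent(task_current());

  # Record each ancestor, then climb one level, until the pid-0 task is reached.
  while (task_pid(ancestor) >= 1) {
    retstr = sprintf("%s[%d] -> %s", task_execname(ancestor), task_pid(ancestor), retstr);
    ancestor = task_parent(ancestor);
  }

  # Keep the pid-0 root at the head of the chain, as the sample output shows
  # ("swapper[0] -> init[1] -> ...").
  retstr = sprintf("%s[%d] -> %s", task_execname(ancestor), task_pid(ancestor), retstr);
  return retstr;
}

# Report SIGKILL (9), SIGTERM (15) and SIGABRT (6) whenever a signal is sent.
# This probe is not limited to kill(2), so it is the record to rely on when
# the sender used another interface.
#
# NOTE(review): the lineage, execname(), pid() and uid() all describe the task
# that is current when the probe fires. For signals that do not originate
# from a process (the kernel itself raising one) that task is presumably
# unrelated to the real cause - confirm before attributing blame.
probe signal.send {
  if (sig == 9 || sig == 15 || sig == 6) {
    printf("%-25s: sig.send: %s was sent to %s (pid:%d) by %s%s (pid:%d) uid:%u using %s\n",
           tz_ctime(gettimeofday_s()), sig_name, pid_name, sig_pid,
           get_parents(), execname(), pid(), uid(), name)
  }
}

# Report kill(2) calls that request SIGKILL, SIGTERM or SIGABRT.
#
# This is the syscall entry probe, so the record is written before the kernel
# has decided whether the call is permitted. "killed" therefore means
# "requested"; pair the record with the matching sig.send line to confirm
# that the signal was really generated.
#
# The target pid is the first token of argstr ("<pid>, <signal name>" in the
# sample output). strtol() stops at the trailing comma.
# NOTE(review): a target of 0 or a negative value addresses a process group or
# all processes; pid2execname() presumably yields an empty name for those -
# verify, and read the target from the "called kill" text in that case.
probe syscall.kill {
  if (sig == 9 || sig == 15 || sig == 6) {
    destpid = strtol(tokenize(argstr, " "), 10);
    printf("%-25s: sys.kill: %s%s(%d) called kill %s killed %s\n",
           tz_ctime(gettimeofday_s()), get_parents(), execname(), pid(),
           argstr, pid2execname(destpid));
  }
}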