@@ -2710,6 +2710,23 @@ union bpf_attr {
* **-EPERM** if no permission to send the *sig*.
*
* **-EAGAIN** if bpf program can try again.
+ *
+ * int bpf_descendant_of(pid_t pid)
+ * Description
+ * Determine if the process identified by *pid* is an ancestor
+ * (or equal) of the user process executed in this tracing
+ * context. This is useful when filtering events happening
+ * to a process and all of its descendants.
+ *
+ * Note that *pid* must be the pid from the global namespace
+ * as the pids of the process chain will be resolved using the
+ * initial pid namespace viewer context.
+ * Return
+ * * 1 if the process identified by *pid* is an ancestor, or equal,
+ * of the currently executing process within the global pid
+ * namespace
+ *
+ * * 0 otherwise.
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -2821,7 +2838,8 @@ union bpf_attr {
FN(strtoul), \
FN(sk_storage_get), \
FN(sk_storage_delete), \
- FN(send_signal),
+ FN(send_signal), \
+ FN(descendant_of),
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call
Sync kernel uapi headers. Signed-off-by: Javier Honduvilla Coto <javierhonduco@fb.com> --- tools/include/uapi/linux/bpf.h | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-)