Hi Steve,
Currently, auditing active Ftrace event filters or triggers requires userspace
to recursively traverse the "events/" directory and read the "filter" or
"trigger" file for every individual event. For monitoring tools, security
auditors, or developers debugging complex tracing setups, this O(n) traversal
is inefficient and cumbersome.
This series introduces two new files at the trace root directory to provide
a consolidated, system-wide view of active event configurations:
1. show_event_filters: Displays all events with an active filter
2. show_event_triggers: Displays all events with active triggers
Both files utilise the system:event [tab] config format, allowing for easy
parsing by standard tools (e.g., awk) or custom monitoring agents.
The patches leverage the existing trace_event_file iterators to ensure atomic
and efficient traversal of the event list. Scope-based RCU protection
(guard(rcu)) is used for filter string access, whilst the existing event_mutex
protection within the iterator ensures safe traversal of the event trigger
lists. For triggers, we utilise the internal cmd_ops->print() callbacks to
guarantee that the consolidated output remains consistent with the legacy
per-event interface.
Changes since v1 [1]:
- Clarified that all events with filters are listed, regardless of
enablement state (Steven Rostedt)
- Optimise filter display logic by utilising the guard(rcu) macro for cleaner
scope-based RCU protection and early return (Steven Rostedt)
- Add show_event_triggers to expose event triggers alongside filters
(Steven Rostedt)
[1]: https://lore.kernel.org/lkml/[email protected]/
Aaron Tomlin (2):
tracing: Add show_event_filters to expose active event filters
tracing: Add show_event_triggers to expose active event triggers
Documentation/trace/ftrace.rst | 16 +++++
kernel/trace/trace_events.c | 122 +++++++++++++++++++++++++++++++++
2 files changed, 138 insertions(+)
--
2.51.0
