//! Kernel constants for the Linux Process Event Connector.
//!
//! All values are derived from Linux kernel headers:
//! - `<linux/netlink.h>`
//! - `<linux/connector.h>`
//! - `<linux/cn_proc.h>`
// ---------------------------------------------------------------------------
// Netlink protocol constants
// ---------------------------------------------------------------------------
/// Netlink protocol family for the Connector (`NETLINK_CONNECTOR` in `<linux/netlink.h>`).
/// This is the `protocol` argument of `socket(AF_NETLINK, SOCK_DGRAM, ...)`.
pub const NETLINK_CONNECTOR: i32 = 11;
// NLMSG_* control message types (`nlmsghdr.nlmsg_type`). A receiver has to
// dispatch on these before it treats the payload as a `cn_msg`.
/// No-op: the message carries nothing and is skipped.
pub const NLMSG_NOOP: u16 = 0x1;
/// Error report from the kernel: the payload is an `nlmsgerr`, not a `cn_msg`.
pub const NLMSG_ERROR: u16 = 0x2;
/// Terminates a multipart message.
pub const NLMSG_DONE: u16 = 0x3;
/// Data was lost because the receive queue overran.
pub const NLMSG_OVERRUN: u16 = 0x4;
/// Lowest `nlmsg_type` available to protocols; every value below it is
/// reserved for the control messages above.
pub const NLMSG_MIN_TYPE: u16 = 0x10;
/// Netlink headers and payloads are padded to this byte boundary.
pub const NLMSG_ALIGNTO: usize = 4;
/// Round `len` up to the nearest multiple of `NLMSG_ALIGNTO`.
pub const
/// Total header length of `nlmsghdr` after alignment.
pub const
/// Full message length: `len` bytes of payload plus aligned header.
pub const
/// Size of `struct nlmsghdr` in bytes, before any `NLMSG_ALIGNTO` padding:
/// `nlmsg_len` (u32), `nlmsg_type` (u16), `nlmsg_flags` (u16),
/// `nlmsg_seq` (u32), `nlmsg_pid` (u32).
pub const SIZE_NLMSGHDR: usize = 4 + 2 + 2 + 4 + 4;
const
// Netlink socket options (`setsockopt(fd, SOL_NETLINK, ...)`)
/// `NETLINK_NO_ENOBUFS`: the kernel silently drops events it cannot queue
/// instead of failing the next `recv` with `ENOBUFS`. A monitor that must
/// know when it has missed events should leave this option unset.
pub const NETLINK_NO_ENOBUFS: i32 = 0x5;
// NLM_F_* header flags (`nlmsghdr.nlmsg_flags`)
/// `NLM_F_REQUEST`: marks a message as a request; set on everything sent to the kernel.
pub const NLM_F_REQUEST: u16 = 0x1;
// ---------------------------------------------------------------------------
// Connector constants
// ---------------------------------------------------------------------------
/// `cb_id.idx` selecting the process connector (`CN_IDX_PROC`).
pub const CN_IDX_PROC: u32 = 0x1;
/// `cb_id.val` selecting the process connector (`CN_VAL_PROC`).
pub const CN_VAL_PROC: u32 = 0x1;
/// `proc_cn_mcast_op`: subscribe to process events.
pub const PROC_CN_MCAST_LISTEN: u32 = 0x1;
/// `proc_cn_mcast_op`: unsubscribe from process events.
pub const PROC_CN_MCAST_IGNORE: u32 = 0x2;
/// Size of `struct cn_msg` up to, but not including, its flexible `data` array:
/// `id.idx` (u32), `id.val` (u32), `seq` (u32), `ack` (u32), `len` (u16), `flags` (u16).
/// `len` is the byte count of `data`; bound every read of `data` by it and by
/// the enclosing `nlmsg_len`, never by the size constants in this file alone.
pub const SIZE_CN_MSG: usize = 4 + 4 + 4 + 4 + 2 + 2;
/// Largest connector message the kernel accepts (`CONNECTOR_MAX_MSG_SIZE`);
/// a receive buffer of this size never truncates a well-formed message.
pub const CONNECTOR_MAX_MSG_SIZE: usize = 16 * 1024;
// ---------------------------------------------------------------------------
// Process event constants
// ---------------------------------------------------------------------------
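// Values of `proc_event.what`. Each event carries exactly one of these;
// switch on the whole `what` value rather than testing individual bits.
/// Reply to a `PROC_CN_MCAST_*` request rather than a process event:
/// `event_data` is the `ack` member, whose single `u32 err` field reports
/// whether the subscription succeeded. Handle it before assuming a PID-bearing body.
pub const PROC_EVENT_NONE: u32 = 0x00000000;
/// A process was forked.
pub const PROC_EVENT_FORK: u32 = 0x00000001;
/// A process executed a new program (exec).
pub const PROC_EVENT_EXEC: u32 = 0x00000002;
/// Real/effective UID changed.
pub const PROC_EVENT_UID: u32 = 0x00000004;
/// Real/effective GID changed.
pub const PROC_EVENT_GID: u32 = 0x00000040;
/// Session ID changed.
pub const PROC_EVENT_SID: u32 = 0x00000080;
/// ptrace attach/detach.
pub const PROC_EVENT_PTRACE: u32 = 0x00000100;
/// Process name (comm) changed.
pub const PROC_EVENT_COMM: u32 = 0x00000200;
/// Process dumped core.
pub const PROC_EVENT_COREDUMP: u32 = 0x40000000;
/// Process exited.
pub const PROC_EVENT_EXIT: u32 = 0x80000000;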
// ---------------------------------------------------------------------------
// proc_event struct layout helpers
// ---------------------------------------------------------------------------
/// Byte offset of the `event_data` union inside `struct proc_event`.
///
/// The header that precedes the union is:
/// - `what` (enum, 4 bytes)
/// - `cpu` (u32, 4 bytes)
/// - `timestamp_ns` (u64, 8 bytes, declared `aligned(8)` in the kernel header)
/// so the union starts at 16 regardless of the target's natural u64 alignment.
pub const PROC_EVENT_HEADER_SIZE: usize = 4 + 4 + 8;
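// Per-event sub-structure sizes (all members of the `event_data` union).
// Before reading an event body through the field offsets, check that the
// bytes actually received cover `PROC_EVENT_HEADER_SIZE + SIZE_<kind>_EVENT`;
// the kernel's `cn_msg.len` and `nlmsg_len` are the authoritative bounds,
// these constants only say how much a well-formed body occupies.
/// `ack`: a single `u32 err` answering a `PROC_CN_MCAST_*` request.
pub const SIZE_ACK_EVENT: usize = 4;
pub const SIZE_FORK_EVENT: usize = 16; // 4 × i32 (parent pid/tgid, child pid/tgid)
pub const SIZE_EXEC_EVENT: usize = 8; // 2 × i32 (pid/tgid)
pub const SIZE_ID_EVENT: usize = 16; // 2 × i32 + ruid/rgid (union) + euid/egid (union)
pub const SIZE_SID_EVENT: usize = 8; // 2 × i32 (pid/tgid)
pub const SIZE_PTRACE_EVENT: usize = 16; // 4 × i32 (pid/tgid, tracer pid/tgid)
pub const SIZE_COMM_EVENT: usize = 24; // 2 × i32 + char[16]; treat the name as a fixed 16-byte field, not a C string
pub const SIZE_COREDUMP_EVENT: usize = 16; // 4 × i32 (pid/tgid, parent pid/tgid)
pub const SIZE_EXIT_EVENT: usize = 24; // 4 × i32 + u32 exit_code + u32 exit_signal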
// ---------------------------------------------------------------------------
// proc_event sub-struct field offsets (relative to event_data union base)
// ---------------------------------------------------------------------------
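// All offsets below are relative to the start of the `event_data` union
// (i.e. `PROC_EVENT_HEADER_SIZE` bytes into `proc_event`) and are only
// meaningful once the received length has been checked against the
// matching `SIZE_*_EVENT`.
// NOTE(review): the PID/TGID values are whatever the kernel wrote; whether
// they are expressed in the caller's PID namespace or the initial one is
// not something this file can tell — confirm against the kernel version in use.
// --- ack (`what == PROC_EVENT_NONE`) ---
/// `u32 err`: 0 on a successful `PROC_CN_MCAST_*` request, otherwise an errno value.
pub const ACK_ERR: usize = 0;
// --- fork ---
pub const FORK_PARENT_PID: usize = 0;
pub const FORK_PARENT_TGID: usize = 4;
pub const FORK_CHILD_PID: usize = 8;
pub const FORK_CHILD_TGID: usize = 12;
// --- exec ---
pub const EXEC_PID: usize = 0;
pub const EXEC_TGID: usize = 4;
// --- id (uid/gid share the same layout) ---
pub const ID_PID: usize = 0;
pub const ID_TGID: usize = 4;
/// Read as `ruid` for `PROC_EVENT_UID`, as `rgid` for `PROC_EVENT_GID`.
pub const ID_RUID_RGID: usize = 8;
/// Read as `euid` for `PROC_EVENT_UID`, as `egid` for `PROC_EVENT_GID`.
pub const ID_EUID_EGID: usize = 12;
// --- sid ---
pub const SID_PID: usize = 0;
pub const SID_TGID: usize = 4;
// --- ptrace ---
pub const PTRACE_PID: usize = 0;
pub const PTRACE_TGID: usize = 4;
pub const PTRACE_TRACER_PID: usize = 8;
pub const PTRACE_TRACER_TGID: usize = 12;
// --- comm ---
pub const COMM_PID: usize = 0;
pub const COMM_TGID: usize = 4;
/// Start of the 16-byte `comm` array; copy at most 16 bytes from here.
pub const COMM_DATA: usize = 8;
// --- coredump ---
pub const COREDUMP_PID: usize = 0;
pub const COREDUMP_TGID: usize = 4;
pub const COREDUMP_PARENT_PID: usize = 8;
pub const COREDUMP_PARENT_TGID: usize = 12;
// --- exit ---
pub const EXIT_PID: usize = 0;
pub const EXIT_TGID: usize = 4;
pub const EXIT_CODE: usize = 8;
pub const EXIT_SIGNAL: usize = 12;
pub const EXIT_PARENT_PID: usize = 16;
pub const EXIT_PARENT_TGID: usize = 20;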