Enum ProcEvent 

pub enum ProcEvent {
    Exec {
        pid: u32,
        tgid: u32,
        timestamp_ns: u64,
    },
    Fork {
        parent_pid: u32,
        parent_tgid: u32,
        child_pid: u32,
        child_tgid: u32,
        timestamp_ns: u64,
    },
    Exit {
        pid: u32,
        tgid: u32,
        exit_code: u32,
        exit_signal: u32,
        timestamp_ns: u64,
    },
    Uid {
        pid: u32,
        tgid: u32,
        ruid: u32,
        euid: u32,
        timestamp_ns: u64,
    },
    Gid {
        pid: u32,
        tgid: u32,
        rgid: u32,
        egid: u32,
        timestamp_ns: u64,
    },
    Sid {
        pid: u32,
        tgid: u32,
        timestamp_ns: u64,
    },
    Ptrace {
        pid: u32,
        tgid: u32,
        tracer_pid: u32,
        tracer_tgid: u32,
        timestamp_ns: u64,
    },
    Comm {
        pid: u32,
        tgid: u32,
        comm: [u8; 16],
        timestamp_ns: u64,
    },
    Coredump {
        pid: u32,
        tgid: u32,
        timestamp_ns: u64,
    },
    Unknown {
        what: u32,
        raw_data: Vec<u8>,
    },
}

A parsed process event from the Linux Proc Connector.

Each variant corresponds to a PROC_EVENT_* constant from <linux/cn_proc.h>, with all relevant fields extracted into named fields.

The Unknown variant provides forward compatibility: if the kernel emits an event type this version of the library does not know about, it is returned as Unknown with the raw payload.

Example: pattern matching

use proc_connector::ProcEvent;

fn describe(event: &ProcEvent) -> String {
    match event {
        ProcEvent::Exec { pid, .. } => format!("process {pid} exec'd"),
        ProcEvent::Fork { child_pid, .. } => format!("forked child {child_pid}"),
        ProcEvent::Exit { pid, exit_code, .. } => {
            format!("process {pid} exited with code {exit_code}")
        }
        ProcEvent::Uid { pid, ruid, euid, .. } => {
            format!("process {pid} uid changed {ruid}->{euid}")
        }
        ProcEvent::Gid { pid, rgid, egid, .. } => {
            format!("process {pid} gid changed {rgid}->{egid}")
        }
        ProcEvent::Sid { pid, .. } => format!("process {pid} session changed"),
        ProcEvent::Ptrace { pid, tracer_pid, .. } => {
            format!("process {pid} traced by {tracer_pid}")
        }
        ProcEvent::Comm { pid, comm, .. } => {
            let name = String::from_utf8_lossy(comm);
            let name = name.trim_end_matches('\0');
            format!("process {pid} renamed to {name}")
        }
        ProcEvent::Coredump { pid, .. } => format!("process {pid} dumped core"),
        ProcEvent::Unknown { what, .. } => format!("unknown event 0x{what:08x}"),
    }
}

let exec = ProcEvent::Exec { pid: 42, tgid: 42, timestamp_ns: 0 };
assert_eq!(describe(&exec), "process 42 exec'd");

let exit = ProcEvent::Exit { pid: 7, tgid: 7, exit_code: 0, exit_signal: 17, timestamp_ns: 0 };
assert_eq!(describe(&exit), "process 7 exited with code 0");

Example: Display formatting

use proc_connector::ProcEvent;

let event = ProcEvent::Fork {
    parent_pid: 100,
    parent_tgid: 100,
    child_pid: 200,
    child_tgid: 200,
    timestamp_ns: 0,
};
assert_eq!(event.to_string(), "FORK parent=(100,100) child=(200,200) ts=0");

Variants

Exec

A process called execve(2).

Fields

pid: u32
tgid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Fork

A new process was created via fork/clone.

Fields

parent_pid: u32
parent_tgid: u32
child_pid: u32
child_tgid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Exit

A process exited.

Fields

pid: u32
tgid: u32
exit_code: u32
exit_signal: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Uid

Real or effective UID changed.

Fields

pid: u32
tgid: u32
ruid: u32
euid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Gid

Real or effective GID changed.

Fields

pid: u32
tgid: u32
rgid: u32
egid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Sid

Session ID changed (setsid).

Fields

pid: u32
tgid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Ptrace

ptrace attach or detach.

Fields

pid: u32
tgid: u32
tracer_pid: u32
tracer_tgid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Comm

Process name (comm) changed (max 16 bytes, may include trailing NUL).

Fields

pid: u32
tgid: u32
comm: [u8; 16]

The new process name (up to 16 bytes, usually NUL-terminated).

timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).
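The comm bytes are chosen by the process itself (for example through prctl(PR_SET_NAME)), so a consumer that writes them to a log should treat them as untrusted input. The following is an added example, not code from the proc_connector crate: the hypothetical helpers `comm_for_log` and `sample` cut the buffer at the first NUL and escape every byte outside printable ASCII, and all inputs are constructed.

```rust
/// Render a 16-byte comm buffer for a log line (hypothetical helper, added example).
/// Cuts at the first NUL and escapes every byte outside printable ASCII,
/// so newlines, terminal escape sequences and non-ASCII bytes cannot reach the log raw.
pub fn comm_for_log(comm: &[u8; 16]) -> String {
    // Bytes after the first NUL are not part of the name; with no NUL at all,
    // the whole 16-byte buffer is the name.
    let end = comm.iter().position(|&b| b == 0).unwrap_or(comm.len());
    let mut out = String::with_capacity(end);
    for &b in &comm[..end] {
        match b {
            b'\\' => out.push_str("\\\\"), // keep the escaping unambiguous
            0x20..=0x7e => out.push(b as char),
            _ => out.push_str(&format!("\\x{b:02x}")),
        }
    }
    out
}

/// Build a constructed sample buffer: `name` truncated or NUL-padded to 16 bytes.
pub fn sample(name: &[u8]) -> [u8; 16] {
    let mut buf = [0u8; 16];
    let n = name.len().min(16);
    buf[..n].copy_from_slice(&name[..n]);
    buf
}

fn main() {
    // Constructed inputs: a plain name, a name carrying a newline and a forged
    // record, leftover bytes after the NUL, and a full buffer with no NUL.
    let mut stale = sample(b"sh");
    stale[3..8].copy_from_slice(b"admin");
    for buf in [sample(b"nginx"), sample(b"a\nFORK pid=1"), stale, sample(b"0123456789abcdefXYZ")] {
        println!("comm={}", comm_for_log(&buf));
    }
}
```

Trimming only trailing NULs, as `trim_end_matches('\0')` does, would keep the bytes that follow an embedded NUL in the third input.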

Coredump

A core dump occurred.

Fields

pid: u32
tgid: u32
timestamp_ns: u64

Kernel timestamp (nanoseconds since boot).

Unknown

An unknown event type (forward-compatibility).

Fields

what: u32

The raw what field value.

raw_data: Vec<u8>

Raw bytes of the event_data union (may be empty).
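One way a monitoring consumer can correlate these variants, as an added example rather than code from the proc_connector crate: a hypothetical `Monitor` learns parentage from Fork, flags Uid events that end at effective UID 0, and flags ptrace attaches by a process other than the target's parent. It assumes the crate passes the kernel's field values through unchanged (the kernel reports a detach with tracer IDs of 0) and uses a local stand-in for the enum with constructed events.

```rust
use std::collections::HashMap;
// Added example. ProcEvent is a local stand-in for four documented variants; Monitor is hypothetical.
pub enum ProcEvent {
    Fork { parent_pid: u32, parent_tgid: u32, child_pid: u32, child_tgid: u32, timestamp_ns: u64 },
    Uid { pid: u32, tgid: u32, ruid: u32, euid: u32, timestamp_ns: u64 },
    Ptrace { pid: u32, tgid: u32, tracer_pid: u32, tracer_tgid: u32, timestamp_ns: u64 },
    Exit { pid: u32, tgid: u32, exit_code: u32, exit_signal: u32, timestamp_ns: u64 },
}

#[derive(Default)]
pub struct Monitor {
    parent: HashMap<u32, u32>, // child tgid -> parent tgid, learned from Fork
    euid: HashMap<u32, u32>,   // tgid -> effective UID from the latest Uid event
}

impl Monitor {
    /// Feed one event; returns an alert line when the event deserves review.
    pub fn observe(&mut self, ev: &ProcEvent) -> Option<String> {
        match *ev {
            ProcEvent::Fork { parent_tgid, child_tgid, .. } if child_tgid != parent_tgid => {
                self.parent.insert(child_tgid, parent_tgid);
                if let Some(e) = self.euid.get(&parent_tgid).copied() { self.euid.insert(child_tgid, e); }
                None
            }
            ProcEvent::Uid { tgid, ruid, euid, timestamp_ns, .. } => {
                let prev = self.euid.insert(tgid, euid);
                // Effective root with a non-root real UID, or a known non-root process turning root.
                let gained = euid == 0 && (ruid != 0 || prev.map_or(false, |p| p != 0));
                if gained { Some(format!("ts={timestamp_ns} tgid={tgid} gained euid 0 (ruid={ruid})")) } else { None }
            }
            ProcEvent::Ptrace { tgid, tracer_tgid, timestamp_ns, .. } => {
                // Assumption: kernel values are passed through, so a detach carries tracer 0.
                if tracer_tgid == 0 || self.parent.get(&tgid) == Some(&tracer_tgid) { return None; }
                Some(format!("ts={timestamp_ns} tgid={tgid} ptrace attach by non-parent tgid={tracer_tgid}"))
            }
            // Drop state when the thread-group leader exits, so a reused PID starts clean.
            ProcEvent::Exit { pid, tgid, .. } if pid == tgid => {
                self.parent.remove(&tgid); self.euid.remove(&tgid);
                None
            }
            _ => None, // includes Fork events for new threads (child shares the parent's tgid)
        }
    }
}

fn main() {
    let ev = ProcEvent::Uid { pid: 200, tgid: 200, ruid: 1000, euid: 0, timestamp_ns: 5 }; // constructed
    println!("{:?}", Monitor::default().observe(&ev));
}
```

The Uid rule also fires for legitimate setuid-root programs, so a deployment would pair it with an allowlist.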

Trait Implementations

impl Clone for ProcEvent

fn clone(&self) -> ProcEvent

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ProcEvent

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for ProcEvent

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for ProcEvent

impl PartialEq for ProcEvent

fn eq(&self, other: &ProcEvent) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for ProcEvent
