proc_connector/consts.rs
1//! Kernel constants for the Linux Process Event Connector.
2//!
3//! All values are derived from Linux kernel headers:
4//! - `<linux/netlink.h>`
5//! - `<linux/connector.h>`
6//! - `<linux/cn_proc.h>`
7
8// ---------------------------------------------------------------------------
9// Netlink protocol constants
10// ---------------------------------------------------------------------------
11
12/// Netlink protocol family for the Connector.
13pub const NETLINK_CONNECTOR: i32 = 11;
14
15// NLMSG_* message types
16pub const NLMSG_NOOP: u16 = 1;
17pub const NLMSG_ERROR: u16 = 2;
18pub const NLMSG_DONE: u16 = 3;
19pub const NLMSG_OVERRUN: u16 = 4;
20/// Minimum valid message type for application-specific messages.
21pub const NLMSG_MIN_TYPE: u16 = 16;
22
23pub const NLMSG_ALIGNTO: usize = 4;
24
25/// Round `len` up to the nearest multiple of `NLMSG_ALIGNTO`.
26#[inline]
27pub const fn nlmsg_align(len: usize) -> usize {
28 (len + NLMSG_ALIGNTO - 1) & !(NLMSG_ALIGNTO - 1)
29}
30
31/// Total header length of `nlmsghdr` after alignment.
32#[inline]
33pub const fn nlmsg_hdrlen() -> usize {
34 nlmsg_align(size_of_nlmsghdr())
35}
36
37/// Full message length: `len` bytes of payload plus aligned header.
38#[inline]
39pub const fn nlmsg_length(len: usize) -> usize {
40 len + nlmsg_hdrlen()
41}
42
43/// Size of `struct nlmsghdr` in bytes (without alignment).
44pub const SIZE_NLMSGHDR: usize = 16;
45
46#[inline]
47const fn size_of_nlmsghdr() -> usize {
48 SIZE_NLMSGHDR
49}
50
51// Netlink socket options
52pub const NETLINK_NO_ENOBUFS: i32 = 5;
53
54// NLM_F flags
55pub const NLM_F_REQUEST: u16 = 1;
56
57// ---------------------------------------------------------------------------
58// Connector constants
59// ---------------------------------------------------------------------------
60
61/// Connector index for process events.
62pub const CN_IDX_PROC: u32 = 1;
63/// Connector value for process events.
64pub const CN_VAL_PROC: u32 = 1;
65
66/// Multicast operation: start listening.
67pub const PROC_CN_MCAST_LISTEN: u32 = 1;
68/// Multicast operation: stop listening.
69pub const PROC_CN_MCAST_IGNORE: u32 = 2;
70
71/// Size of `struct cn_msg` header (excluding flexible `data` array).
72pub const SIZE_CN_MSG: usize = 20;
73
74/// Maximum message size for the connector protocol.
75pub const CONNECTOR_MAX_MSG_SIZE: usize = 16384;
76
77// ---------------------------------------------------------------------------
78// Process event constants
79// ---------------------------------------------------------------------------
80
81/// A process was forked.
82pub const PROC_EVENT_FORK: u32 = 0x00000001;
83/// A process executed a new program (exec).
84pub const PROC_EVENT_EXEC: u32 = 0x00000002;
85/// Real/effective UID changed.
86pub const PROC_EVENT_UID: u32 = 0x00000004;
87/// Real/effective GID changed.
88pub const PROC_EVENT_GID: u32 = 0x00000040;
89/// Session ID changed.
90pub const PROC_EVENT_SID: u32 = 0x00000080;
91/// ptrace attach/detach.
92pub const PROC_EVENT_PTRACE: u32 = 0x00000100;
93/// Process name (comm) changed.
94pub const PROC_EVENT_COMM: u32 = 0x00000200;
95/// Process dumped core.
96pub const PROC_EVENT_COREDUMP: u32 = 0x40000000;
97/// Process exited.
98pub const PROC_EVENT_EXIT: u32 = 0x80000000;
99
100// ---------------------------------------------------------------------------
101// proc_event struct layout helpers
102// ---------------------------------------------------------------------------
103
104/// Offset from `proc_event` base to `event_data` union.
105///
106/// `proc_event` layout:
107/// - `what` (u32, 4 bytes)
108/// - `cpu` (u32, 4 bytes)
109/// - `timestamp_ns` (u64, 8 bytes)
110/// - `event_data` (union, varies)
111pub const PROC_EVENT_HEADER_SIZE: usize = 16;
112
113/// Per-event sub-structure sizes (all within the `event_data` union):
114pub const SIZE_FORK_EVENT: usize = 16; // 4 × i32 (pid/tgid)
115pub const SIZE_EXEC_EVENT: usize = 8; // 2 × i32
116pub const SIZE_ID_EVENT: usize = 16; // 2 × i32 + ruid/rgid(union) + euid/egid(union)
117pub const SIZE_SID_EVENT: usize = 8; // 2 × i32
118pub const SIZE_PTRACE_EVENT: usize = 16; // 4 × i32
119pub const SIZE_COMM_EVENT: usize = 24; // 2 × i32 + char[16]
120pub const SIZE_COREDUMP_EVENT: usize = 16; // 4 × i32
121pub const SIZE_EXIT_EVENT: usize = 24; // 4 × i32 + u32 + u32
122
123// ---------------------------------------------------------------------------
124// proc_event sub-struct field offsets (relative to event_data union base)
125// ---------------------------------------------------------------------------
126
127// --- fork ---
128pub const FORK_PARENT_PID: usize = 0;
129pub const FORK_PARENT_TGID: usize = 4;
130pub const FORK_CHILD_PID: usize = 8;
131pub const FORK_CHILD_TGID: usize = 12;
132
133// --- exec ---
134pub const EXEC_PID: usize = 0;
135pub const EXEC_TGID: usize = 4;
136
137// --- id (uid/gid share same layout) ---
138pub const ID_PID: usize = 0;
139pub const ID_TGID: usize = 4;
140pub const ID_RUID_RGID: usize = 8;
141pub const ID_EUID_EGID: usize = 12;
142
143// --- sid ---
144pub const SID_PID: usize = 0;
145pub const SID_TGID: usize = 4;
146
147// --- ptrace ---
148pub const PTRACE_PID: usize = 0;
149pub const PTRACE_TGID: usize = 4;
150pub const PTRACE_TRACER_PID: usize = 8;
151pub const PTRACE_TRACER_TGID: usize = 12;
152
153// --- comm ---
154pub const COMM_PID: usize = 0;
155pub const COMM_TGID: usize = 4;
156pub const COMM_DATA: usize = 8;
157
158// --- coredump ---
159pub const COREDUMP_PID: usize = 0;
160pub const COREDUMP_TGID: usize = 4;
161pub const COREDUMP_PARENT_PID: usize = 8;
162pub const COREDUMP_PARENT_TGID: usize = 12;
163
164// --- exit ---
165pub const EXIT_PID: usize = 0;
166pub const EXIT_TGID: usize = 4;
167pub const EXIT_CODE: usize = 8;
168pub const EXIT_SIGNAL: usize = 12;
169pub const EXIT_PARENT_PID: usize = 16;
170pub const EXIT_PARENT_TGID: usize = 20;