conf.sh: base insensitive for even less typing

README.adoc

@@ -2682,6 +2682,11 @@ TODO: why does this produce no output?
 * https://serverfault.com/questions/199654/does-anyone-know-a-simple-way-to-monitor-root-process-spawn
 * https://unix.stackexchange.com/questions/260162/how-to-track-newly-created-processes
 
+TODO can you get process data such as UID and process arguments? It seems not since `exec_proc_event` contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from `/proc`, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
+
+* https://unix.stackexchange.com/questions/163681/print-pids-and-names-of-processes-as-they-are-created/163689 requests process name
+* https://serverfault.com/questions/199654/does-anyone-know-a-simple-way-to-monitor-root-process-spawn requests UID
+
 ===== CONFIG_PROC_EVENTS aarch64
 
 0111ca406bdfa6fd65a2605d353583b4c4051781 was failing with:
@@ -2747,7 +2752,7 @@ cd /sys/kernel/debug/tracing/
 echo 0 > tracing_on
 
 # Clear previous trace.
-echo '' > trace
+echo > trace
 
 # List the available tracers, and pick one.
 cat available_tracers
@@ -2831,9 +2836,15 @@ TODO: what do `+` and `!` mean?
 
 Each `enable` under the `events/` tree enables a certain set of functions, the higher the `enable` more functions are enabled.
 
+TODO: can you get function arguments? https://stackoverflow.com/questions/27608752/does-ftrace-allow-capture-of-system-call-arguments-to-the-linux-kernel-or-only
+
 ==== Kprobes
 
-Inject arbitrary code at a given address in a trap instruction. Oh the good old kernel. :-)
+Inject arbitrary code at a given address in a trap instruction, much like GDB. Oh the good old kernel. :-)
+
+I don't think your code can refer to the surrounding kernel code however: the only visible thing is the value of the registers.
+
+Maybe you can then hack it up to read the stack and read argument values, but do you really want to?
 
 ....
 ./build -c 'CONFIG_KPROBES=y'

kernel_module/user/proc_events.c

@@ -11,24 +11,20 @@ int main() {}
 #else
 
 #define _XOPEN_SOURCE 700
-#include <sys/socket.h>
-#include <linux/netlink.h>
-#include <linux/connector.h>
-#include <linux/cn_proc.h>
-#include <signal.h>
 #include <errno.h>
+#include <linux/cn_proc.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <signal.h>
 #include <stdbool.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
 #include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
 
 static volatile bool need_exit = false;
 
-/*
-* connect to netlink
-* returns netlink socket, or -1 on error
-*/
 static int nl_connect()
 {
 	int rc;
@@ -52,9 +48,6 @@ static int nl_connect()
 	return nl_sock;
 }
 
-/*
-* subscribe on proc events (process notifications)
-*/
 static int set_proc_ev_listen(int nl_sock, bool enable)
 {
 	int rc;
@@ -86,9 +79,6 @@ static int set_proc_ev_listen(int nl_sock, bool enable)
 	return 0;
 }
 
-/*
-* handle a single process event
-*/
 static int handle_proc_ev(int nl_sock)
 {
 	int rc;
@@ -102,7 +92,6 @@ static int handle_proc_ev(int nl_sock)
 	while (!need_exit) {
 		rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
 		if (rc == 0) {
-			/* shutdown? */
 			return 0;
 		} else if (rc == -1) {
 			if (errno == EINTR) continue;

rootfs_overlay/conf.sh

@@ -1,2 +1,2 @@
 #!/bin/sh
-zcat /proc/config.gz | grep "${1:-}"
+zcat /proc/config.gz | grep -Ei "${1:-}"