
In the Linux kernel, we have an `sk_buff` structure in the network stack from which we get the inode, and from this inode we want to get the pid of the process that created the inode. There is a pid field in the `sk_buff`, but it is always set to 0.

Is there any way from inside the kernel to know the pid from the inode?

kyle
  • possible duplicate of [Finding a process ID given a socket and inode in Python 3](http://stackoverflow.com/questions/14667215/finding-a-process-id-given-a-socket-and-inode-in-python-3) – user590028 Mar 03 '15 at 20:55
  • I am asking for a solution in kernel space not user space though. – kyle Mar 03 '15 at 21:48

2 Answers


You can read PID from skb using

```c
skb->sk->socket->file->f_owner->pid
```

For some older kernel versions you can read PID as

```c
skb->sk->socket->file->f_owner
```

  • Though technically won't that give you the PID of the owner of the socket, rather than the PID of the process that created the skbuff? e.g. if process A creates the socket, then `exec`'s process B which writes to the socket, I think the result will be A. – abligh Jul 29 '15 at 06:23

```c
int pid = current->tgid;
```

When a network system call is made in the kernel, similar to sendto, it will carry this tgid, which is the pid of the caller.

But it doesn't always have the correct value: if it's a retransmission, it's not correct, so you need some mechanism to record the tgid of the earliest call.

Good luck.
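
The "record the tgid of the earliest call" mechanism from the answer above, as an added example that is not part of the original answers or of any kernel source: a userspace C model of a first-caller-wins table keyed by socket inode number. The table layout and the names `record_first_caller`, `owner_of` and `forget` are assumptions; in a kernel module the record step would run in process context (where `current->tgid` is the caller) and the table would need locking.

```c
/* Userspace model (constructed): first-caller-wins owner table keyed by
 * socket inode number. Names are hypothetical; kernel code would add locking. */
#include <stdint.h>
#include <stdio.h>

#define SLOTS 64
enum { EMPTY, LIVE, DEAD };              /* DEAD = tombstone left by forget() */
struct owner { uint64_t ino; int tgid; int state; };
static struct owner table[SLOTS];

/* Linear probing: stop at EMPTY, step over tombstones. */
static struct owner *lookup(uint64_t ino)
{
    for (unsigned i = 0; i < SLOTS; i++) {
        struct owner *o = &table[(ino + i) % SLOTS];
        if (o->state == EMPTY) return NULL;
        if (o->state == LIVE && o->ino == ino) return o;
    }
    return NULL;
}

/* Syscall path (process context): store the tgid only if none is recorded.
 * Returns the recorded owner, or -1 if the table is full. */
int record_first_caller(uint64_t ino, int tgid)
{
    struct owner *o = lookup(ino);
    if (o) return o->tgid;               /* later callers never overwrite */
    for (unsigned i = 0; i < SLOTS; i++) {
        o = &table[(ino + i) % SLOTS];
        if (o->state != LIVE) { *o = (struct owner){ ino, tgid, LIVE }; return tgid; }
    }
    return -1;
}

/* Packet path (e.g. retransmission): answer from the table, not from current. */
int owner_of(uint64_t ino) { struct owner *o = lookup(ino); return o ? o->tgid : -1; }

/* Socket release: drop the entry so a reused inode number is not misattributed. */
void forget(uint64_t ino) { struct owner *o = lookup(ino); if (o) o->state = DEAD; }

int main(void)
{
    record_first_caller(1001, 1300);     /* first sendto() on inode 1001 */
    record_first_caller(1001, 7);        /* a different task calls later */
    printf("inode 1001 owner: %d\n", owner_of(1001));
    forget(1001);
    printf("after close: %d\n", owner_of(1001));
    return 0;
}
```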