Skip to content

Exit

Intro

exit -- Cause normal process termination

Description

The exit() syscall is used to terminate the process that called it. All the resources held by the process, such as open files and memory mappings, are released as part of the process termination. The status code is passed to other processes to inform them about the termination of the process.

Arguments

  • status:int - The status code of process which is returned to the parent process. The lower 8 bits of the status code contains the exiting status (please check the manual for more details). The higher 8 bit bits of the status code contain certain flags.

Available Tags

  • K - Originated from kernel-space.
  • TOCTOU - vulnerable to TOCTOU (time of check, time of use)

Hooks

do_exit

Type

Kprobe

Purpose

Hook the kernel entry point to trace process termination.

Example Use Case

Analyzing the exit status code of children processes.

Issues

None

The fork() and exec() syscalls are related to this event since they are used to create and load a new process which will eventually terminate with the exit() syscall.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.