wait4 - wait for a process to change state.
The wait4() system call suspends execution of the calling process until a child process selected by pid has changed state (terminated, or, with the matching options, stopped or resumed) or until a signal interrupts the wait. It has no timeout argument: a blocking wait4() returns only when a child changes state or a signal arrives, and WNOHANG is the only way to make it return without waiting. On return it reports which child changed state, how it changed, and optionally the resources the child consumed. Its main purpose is to let a process collect the termination status of a child it created with one of the fork() family of syscalls (fork(), vfork(), clone()), which also removes the child's zombie entry from the process table.
wait4() returns the status of the child selected by pid:
- pid > 0: the child whose process ID equals pid.
- pid == -1: any child of the caller.
- pid == 0: any child whose process group ID equals that of the caller.
- pid < -1: any child whose process group ID equals the absolute value of pid.
If options is 0, wait4() blocks until a matching child changes state. If WNOHANG is set and no matching child has changed state yet, it returns 0 immediately instead of blocking. WUNTRACED additionally reports children stopped by a signal, and WCONTINUED reports stopped children resumed by SIGCONT. If rusage is not NULL, the resource usage of the terminated child, accumulated with that of its own already-reaped descendants, is stored in the struct rusage it points to. The return value is the process ID of the child that changed state, 0 when WNOHANG was given and nothing was ready, or -1 with errno set (ECHILD if the caller has no matching child, EINTR if a signal interrupted the wait).
- pid:pid_t[K] - the process ID of the child for which status is requested, or one of the selectors -1, 0 or a negated process group ID described above.
- status:int*[K] - the address of an int where the child's wait status is stored; it is an encoded status word, not a plain exit code, and may be NULL if the caller does not need it.
- options:int[K] - a bitmask of zero or more of WNOHANG, WUNTRACED and WCONTINUED that changes which state changes are reported and whether the call blocks.
- rusage:struct rusage*[K] - a pointer to a struct rusage where the resource usage of the terminated child (and its already-reaped children) is stored; may be NULL.
- K - Originated from kernel-space.
Kprobe + Kretprobe
Hooked to trace information about a process and, via the kretprobe, collect the return value of wait4().
Example Use Case
wait4() is useful whenever the lifecycle of child processes needs to be monitored. Because the event carries the return value, it shows which child a supervising process reaped and whether the wait succeeded at all, so the execution of a child can be tracked and acted on when it fails. For example, an alert rule can be triggered when a child exits with an unexpected status or is terminated by a signal, leaving the system in an unexpected state.
It should be noted that wait4()'s status value is the same as that of the waitpid() function: it is an encoded status word, not the child's exit code, and must be decoded with the WIFEXITED(), WEXITSTATUS(), WIFSIGNALED() and WTERMSIG() macros. A child that is never waited for remains a zombie until its parent reaps it or exits.
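The pid selectors and options described above, and the status decoding noted under Issues, as an added C example that is not part of the Tracee documentation or source: it forks children and reaps them with wait4(), showing a blocking wait on a single pid with a struct rusage, WNOHANG returning 0 while the child is still alive, pid == -1 reaping any child, and decoding of the status word with the W* macros. The helper names (decode, run_and_reap, wnohang_demo, reap_any) and the children's behaviour are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decoded view of one wait4() result. The raw status word is not an exit code:
 * it must be unpacked with the W* macros, exactly as for waitpid(). */
struct reaped {
    pid_t pid;       /* wait4() return: child pid, 0 (WNOHANG, nothing ready) or -1 (error) */
    int   exited;    /* WIFEXITED(status) */
    int   code;      /* WEXITSTATUS(status) when exited, else -1 */
    int   signaled;  /* WIFSIGNALED(status) */
    int   sig;       /* WTERMSIG(status) when signaled, else 0 */
    long  maxrss_kb; /* ru_maxrss (kilobytes on Linux) from the rusage the kernel filled in */
};

static struct reaped decode(pid_t got, int status, const struct rusage *ru)
{
    struct reaped r;
    memset(&r, 0, sizeof r);
    r.pid = got;
    if (got <= 0) return r;                 /* nothing reaped: no status to decode */
    r.exited    = !!WIFEXITED(status);
    r.code      = r.exited ? WEXITSTATUS(status) : -1;
    r.signaled  = !!WIFSIGNALED(status);
    r.sig       = r.signaled ? WTERMSIG(status) : 0;
    r.maxrss_kb = ru ? ru->ru_maxrss : 0;
    return r;
}

/* Fork a child that runs `action`, then reap exactly that child with wait4(pid, ...).
 * options == 0 blocks; EINTR means a signal interrupted the wait, so just retry. */
static struct reaped run_and_reap(void (*action)(void))
{
    int status = 0;
    struct rusage ru;
    pid_t got, pid = fork();
    if (pid < 0) return decode(-1, 0, NULL);
    if (pid == 0) { action(); _exit(127); }  /* child: never return into parent code */
    do { got = wait4(pid, &status, 0, &ru); } while (got < 0 && errno == EINTR);
    return decode(got, status, &ru);
}

static void child_exits_3(void) { _exit(3); }
static void child_killed(void)  { kill(getpid(), SIGKILL); pause(); }

/* WNOHANG: while the child is still alive wait4() returns 0 instead of blocking.
 * The child blocks on a pipe the parent controls, so the ordering is deterministic.
 * Returns 1 when wait4() behaved as documented, 0 otherwise, -1 on setup failure. */
static int wnohang_demo(void)
{
    int fds[2], status = 0;
    pid_t first, second, pid;
    if (pipe(fds) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        char c;
        close(fds[1]);
        while (read(fds[0], &c, 1) < 0 && errno == EINTR) {}  /* read() returns 0 at EOF */
        _exit(0);
    }
    close(fds[0]);
    first = wait4(pid, &status, WNOHANG, NULL);   /* child still blocked in read(): 0 */
    close(fds[1]);                                /* EOF in the child, which then exits */
    do { second = wait4(pid, &status, 0, NULL); } while (second < 0 && errno == EINTR);
    return first == 0 && second == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* pid == -1 matches any child: fork `n` children and reap all of them without knowing
 * which finishes first. Stops when wait4() fails with ECHILD (no children left). */
static int reap_any(int n)
{
    int reaped = 0, status;
    pid_t got;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) break;
        if (pid == 0) _exit(i);
    }
    while ((got = wait4(-1, &status, 0, NULL)) > 0 || (got < 0 && errno == EINTR))
        if (got > 0) reaped++;
    return reaped;
}

int main(void)
{
    struct reaped a = run_and_reap(child_exits_3), b = run_and_reap(child_killed);
    printf("child %d: exited=%d code=%d maxrss=%ld kB\n", (int)a.pid, a.exited, a.code, a.maxrss_kb);
    printf("child %d: signaled=%d sig=%d\n", (int)b.pid, b.signaled, b.sig);
    printf("WNOHANG ok=%d, reaped with pid=-1: %d\n", wnohang_demo(), reap_any(3));
    return 0;
}
```

Compile with `cc -Wall -o wait4_demo wait4_demo.c` and run it. The EINTR retry loops matter in real supervisors: a SIGCHLD or any other handled signal arriving during the wait makes wait4() fail with EINTR rather than report the child, and code that treats that as "child gone" leaks zombies.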
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.