ebpfault
Add support for dynamically adding forked processes to the active pid list
Ebpfault does not inject into the child processes of a program. If an application creates a fork and this fork opens a file, ebpfault will not catch the event. Example:
bash -c "echo 'create file to read from: /mnt/data/disk-read-file' && dd if=/dev/zero of=/mnt/data/disk-read-file bs=10k count=1; while true; do time dd if=/mnt/data/disk-read-file of=/dev/null iflag=direct; sleep 1; done"
The previous command will not be impacted by ebpfault because the dd command will be executed in a child process:
strace -e trace=openat -p xxx
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=16039, si_uid=0, si_status=0, si_utime=0, si_stime=1} ---
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=16042, si_uid=0, si_status=0, si_utime=1, si_stime=0} ---
Do you think we can implement this feature (we could add a flag like -f --follow)?
Any idea for this? Is it possible to generate a new BPF program when a new process is found?
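The behaviour requested in this issue, modelled in user space as an added example (not ebpfault code and not its design): an active pid list that gains a child when a tracked parent forks and drops a pid when it exits. The event types, function names and the bash pid 16000 are assumptions; on Linux such events could be taken from the sched_process_fork and sched_process_exit tracepoints.

```cpp
// Added example, not ebpfault code; every name here is hypothetical.
#include <cstdio>
#include <string>
#include <unordered_set>
#include <vector>

enum class Kind { Fork, Exit, Openat };
// Fork: pid = parent, child = new pid. Openat: path = file opened.
struct Event { Kind kind; int pid; int child; std::string path; };
// Replays a trace and returns the Openat events whose pid is in the
// active pid list, i.e. the calls a pid-filtered injector would see.
std::vector<Event> matched_opens(const std::vector<Event>& trace,
                                 int root_pid, bool follow) {
    std::unordered_set<int> active{root_pid};
    std::vector<Event> hits;
    for (const Event& e : trace) {
        switch (e.kind) {
        case Kind::Fork:
            // A child is tracked only if its parent is already tracked.
            if (follow && active.count(e.pid)) active.insert(e.child);
            break;
        case Kind::Exit:
            // Drop exited pids so a recycled pid is not matched later.
            active.erase(e.pid);
            break;
        case Kind::Openat:
            if (active.count(e.pid)) hits.push_back(e);
            break;
        }
    }
    return hits;
}

// Constructed trace: bash (pid 16000, made up) forks two dd children (pids
// from the strace output above); pid 16039 is later recycled under pid 1.
std::vector<Event> sample_trace() {
    const std::string f = "/mnt/data/disk-read-file";
    return {
        {Kind::Fork, 16000, 16039, ""}, {Kind::Openat, 16039, 0, f},
        {Kind::Exit, 16039, 0, ""},     {Kind::Fork, 16000, 16042, ""},
        {Kind::Openat, 16042, 0, f},    {Kind::Exit, 16042, 0, ""},
        {Kind::Fork, 1, 16039, ""},     {Kind::Openat, 16039, 0, "/etc/hosts"},
    };
}
int main() {  // prints matched opens without and with fork following
    const auto t = sample_trace();
    std::printf("off=%zu on=%zu\n", matched_opens(t, 16000, false).size(),
                matched_opens(t, 16000, true).size());
}
```

Without following, none of the dd opens match because only the bash pid is in the list; with following, both dd opens match and the later open from the recycled pid does not.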