Get new pid from nd_syscall.vfork.return in systemtap


I'm trying to extract things from a weird makefile, and I found that systemtap is a potentially good solution, so here I am:

I can get the correct pid() and ppid() called from the new process when probing with nd_syscall.clone.return; however, this doesn't include all the vforks I've found in my target script.

So when I use the probe nd_syscall.vfork.return, I've found that the message has the clone caller's pid() and ppid() only. I've tried to get the return value of vfork, but it doesn't seem to be the new pid (that I've seen from many related execve events).

I cannot use kprocess since I don't want to install debug info.

What's some way to get the correct new_pid from vfork? Did I miss some args? Or did I use the wrong probe function? There has to be a way, thanks!

P.S. I've tried sysdig but it skips a lot of events BTW.

Answered by fche

Have you tried kernel tracepoint probes?

probe kernel.trace("sched_process_fork") {
   printf("%d->%d\n", $parent->pid, $child->pid)
}
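
The tracepoint approach from the answer, extended to follow only the descendants of one command. This is an added example, not part of fche's answer. It assumes the script is started with stap -c 'make' (or -x PID) so that target() is set, and the global name tracked is chosen here. In task_struct, pid is the kernel's per-thread id and tgid is the process id that getpid() reports, so the script prints both where they differ.

```systemtap
# Added example: follow every task created under the target command.
# Run as: stap -c 'make' script.stp   (or: stap -x PID script.stp)
global tracked   # hypothetical name: task ids that descend from target()

probe begin {
  # target() is the pid passed with -x or started by -c
  tracked[target()] = 1
}

# fork, vfork and clone all reach this tracepoint
probe kernel.trace("sched_process_fork") {
  ptid  = $parent->pid    # thread id of the caller
  ptgid = $parent->tgid   # process id of the caller

  known = 0
  if (ptid in tracked) known = 1
  if (ptgid in tracked) known = 1
  if (!known) next        # not a descendant of the target, ignore

  ctid  = $child->pid
  ctgid = $child->tgid
  tracked[ctid] = 1

  if (ctid == ctgid)
    printf("process %d -> %d\n", ptgid, ctgid)
  else
    printf("thread  %d -> tid %d (process %d)\n", ptid, ctid, ctgid)
}

# Drop exited tasks so a reused id is not mistaken for a descendant
probe kernel.trace("sched_process_exit") {
  delete tracked[$p->pid]
}
```

The ids printed are the ones the kernel uses in the initial pid namespace, so they can differ from what a process inside a container sees.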