authorhunt <hunt>2005-03-21 21:11:13 +0000
committerhunt <hunt>2005-03-21 21:11:13 +0000
commit854d896bebf48714b6e14b73d4eab6d9c856aa52 (patch)
tree1d524e16590c348de6f8ca27884f4f74ea34eadf /runtime/probes/shellsnoop
parente10ae0b0a445c70eafed2e6a7e8991191f023445 (diff)
*** empty log message ***
Diffstat (limited to 'runtime/probes/shellsnoop')
-rw-r--r--runtime/probes/shellsnoop/Makefile11
-rw-r--r--runtime/probes/shellsnoop/README67
-rwxr-xr-xruntime/probes/shellsnoop/build16
-rw-r--r--runtime/probes/shellsnoop/dtr.c125
4 files changed, 219 insertions, 0 deletions
diff --git a/runtime/probes/shellsnoop/Makefile b/runtime/probes/shellsnoop/Makefile
new file mode 100644
index 00000000..8fff0dc4
--- /dev/null
+++ b/runtime/probes/shellsnoop/Makefile
@@ -0,0 +1,11 @@
+# Makefile
+#
+#
+# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt
+
+CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \
+ -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP)
+obj-m := dtr.o
+
+clean:
+ /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions
diff --git a/runtime/probes/shellsnoop/README b/runtime/probes/shellsnoop/README
new file mode 100644
index 00000000..fee5e4c1
--- /dev/null
+++ b/runtime/probes/shellsnoop/README
@@ -0,0 +1,67 @@
+Sample probe.
+
+This is a translation of on an old dtr probe:
+
+# shellsnoop.probe - snoop shell execution as it occurs.
+# clone of dtrace shellsnoop example
+
+global {
+ long @pids[long];
+}
+
+probe do_execve:entry {
+ char __user *vstr;
+ char str[256];
+ int len;
+
+ /* watch shells only */
+ /* FIXME: detect more shells, like csh, tcsh, zsh */
+
+ if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+ || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+ {
+ dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+ @pids[current->pid] = 1;
+
+ /* print out argv, ignoring argv[0] */
+ if (argv) argv++;
+ while (argv != NULL)
+ {
+ if (get_user (vstr, argv))
+ break;
+ if (!vstr)
+ break;
+ len = dtr_strncpy_from_user(str, vstr, 256);
+ str[len] = 0;
+ printk ("%s ", str);
+ argv++;
+ }
+ printk ("\n");
+ }
+}
+
+# use filp_open because copy_from_user not needed there
+probe filp_open:entry {
+ if (@pids[current->pid])
+ dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+}
+
+probe sys_read:entry {
+ if (@pids[current->pid])
+ dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+}
+
+probe sys_write:entry {
+ size_t len;
+ char str[256];
+ if (@pids[current->pid])
+ {
+ if (count < 64) len = count;
+ else len = 64;
+ if (len = dtr_strncpy_from_user(str, buf, len)) {
+ str[len] = 0;
+ dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+ }
+ }
+}
+
diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build
new file mode 100755
index 00000000..3713f08a
--- /dev/null
+++ b/runtime/probes/shellsnoop/build
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+KVERSION=`uname -r`
+echo $KVERSION
+KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'`
+KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'`
+
+make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \
+ KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \
+ KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \
+ STP_RUNTIME=`pwd`/../..
+
+
+
+
+
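Review bot: The two System.map lookups on the `KALLSYMS_LOOKUP_NAME=` and `KALLSYMS_LOOKUP=` lines are used without checking that they matched anything, so when `grep` finds nothing the module is built with `KALLSYMS_LOOKUP_NAME=0x` and `KALLSYMS_LOOKUP=0x`, i.e. an invalid or zero address baked into the runtime. Add a guard before `make`: `[ -n "$KALLSYMS_LOOKUP_NAME" ] && [ -n "$KALLSYMS_LOOKUP" ] || { echo "kallsyms symbols not found in /boot/System.map-$KVERSION" >&2; exit 1; }`. The first pattern `" kallsyms_lookup_name"` is not anchored at the end, unlike the second, so it would also match any longer symbol sharing that prefix; use `" kallsyms_lookup_name$"`. Since these addresses are taken from the build host's System.map and dereferenced at load time, a comment stating that the map must belong to the exact kernel the module is loaded on (and quoting `"$KVERSION"` in the expansions) would save a future user a crash.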
diff --git a/runtime/probes/shellsnoop/dtr.c b/runtime/probes/shellsnoop/dtr.c
new file mode 100644
index 00000000..12fddaa8
--- /dev/null
+++ b/runtime/probes/shellsnoop/dtr.c
@@ -0,0 +1,125 @@
+#define HASH_TABLE_BITS 8
+#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
+#define BUCKETS 16 /* largest histogram width */
+
+#include "runtime.h"
+#include "io.c"
+#include "map.c"
+#include "copy.c"
+#include "probes.c"
+
+MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
+MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");
+
+MAP pids, arglist ;
+
+int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
+{
+ struct map_node_str *ptr;
+
+ /* watch shells only */
+ /* FIXME: detect more shells, like csh, tcsh, zsh */
+
+ if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+ || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+ {
+ dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+
+ _stp_map_key_long (pids, current->pid);
+ _stp_map_set_int64 (pids, 1);
+
+ _stp_copy_argv_from_user (arglist, argv);
+ foreach (arglist, ptr)
+ printk ("%s ", ptr->str);
+ printk ("\n");
+ }
+ jprobe_return();
+ return 0;
+}
+
+struct file * inst_filp_open (const char * filename, int flags, int mode)
+{
+ _stp_map_key_long (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+
+ jprobe_return();
+ return 0;
+}
+
+asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
+{
+ _stp_map_key_long (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+
+ jprobe_return();
+ return 0;
+}
+
+asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
+{
+ size_t len;
+ char str[256];
+ _stp_map_key_long (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ {
+ if (count < 64)
+ len = count;
+ else
+ len = 64;
+ len = _stp_strncpy_from_user(str, buf, len);
+ if (len < 0) len = 0;
+ str[len] = 0;
+ dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+ }
+
+ jprobe_return();
+ return 0;
+}
+
+static struct jprobe dtr_probes[] = {
+ {
+ .kp.addr = (kprobe_opcode_t *)"do_execve",
+ .entry = (kprobe_opcode_t *) inst_do_execve
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"filp_open",
+ .entry = (kprobe_opcode_t *) inst_filp_open
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"sys_read",
+ .entry = (kprobe_opcode_t *) inst_sys_read
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"sys_write",
+ .entry = (kprobe_opcode_t *) inst_sys_write
+ },
+};
+
+#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
+
+static int init_dtr(void)
+{
+ int ret;
+
+ pids = _stp_map_new (10000, INT64);
+ arglist = _stp_list_new (10, STRING);
+
+ ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+
+ dlog("instrumentation is enabled...\n");
+ return ret;
+}
+
+static void cleanup_dtr(void)
+{
+ _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+ _stp_map_del (pids);
+ dlog("EXIT\n");
+}
+
+module_init(init_dtr);
+module_exit(cleanup_dtr);
+MODULE_LICENSE("GPL");
+
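Review bot: In inst_sys_write the check `if (len < 0) len = 0;` can never fire because `len` is declared `size_t`; if `_stp_strncpy_from_user` reports a fault with a negative return (its prototype is not in this hunk, so I assume it follows the kernel `strncpy_from_user` convention), the value wraps to a huge unsigned count and `str[len] = 0` writes far outside the 256-byte stack buffer in kernel context. Capture the result in a signed variable instead: `long n = _stp_strncpy_from_user(str, buf, len);` / `if (n < 0) n = 0;` / `str[n] = 0;`. Separately, cleanup_dtr deletes `pids` but never frees `arglist` allocated in init_dtr, and entries are never removed from `pids` when a traced shell exits, so with pid reuse unrelated processes will eventually be logged — either clear the entry on exit or note the limitation in a comment above `MAP pids, arglist ;`.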