-rw-r--r--runtime/probes/shellsnoop/Makefile20
-rwxr-xr-xruntime/probes/shellsnoop/build17
-rw-r--r--runtime/probes/shellsnoop/shellprobe.c (renamed from runtime/probes/shellsnoop/dtr.c)68
-rwxr-xr-xruntime/probes/shellsnoop/stp6
4 files changed, 46 insertions, 65 deletions
diff --git a/runtime/probes/shellsnoop/Makefile b/runtime/probes/shellsnoop/Makefile
index 12a0f65f..f34e0c85 100644
--- a/runtime/probes/shellsnoop/Makefile
+++ b/runtime/probes/shellsnoop/Makefile
@@ -1,11 +1,23 @@
# Makefile
-#
-#
-# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt
+
+PWD := $(shell pwd)
+KVERSION := $(shell uname -r)
+KDIR := /lib/modules/$(KVERSION)/build include
+
+KALLSYMS_LOOKUP_NAME := $(firstword $(shell grep " kallsyms_lookup_name" /boot/System.map-$(KVERSION)))
+KALLSYMS_LOOKUP := $(firstword $(shell grep " kallsyms_lookup$$" /boot/System.map-$(KVERSION)))
+KTA := $(firstword $(shell grep "__kernel_text_address" /boot/System.map-$(KVERSION)))
CFLAGS += -I $(STP_RUNTIME) -I $(STP_RUNTIME)/relayfs -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \
-D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP)
-obj-m := dtr.o
+
+obj-m := shellprobe.o
+
+default:
+ $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules \
+ KALLSYMS_LOOKUP_NAME=0x$(KALLSYMS_LOOKUP_NAME) \
+ KALLSYMS_LOOKUP=0x$(KALLSYMS_LOOKUP) KTA=0x$(KTA)\
+ STP_RUNTIME=$(PWD)/../..
clean:
/bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions
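Review bot: `KDIR := /lib/modules/$(KVERSION)/build include` on the new line carries a trailing `include` token, so the `default` rule ends up running `make -C /lib/modules/<ver>/build include SUBDIRS=… modules` and hands `include` to kbuild as an extra goal; the line should read `KDIR := /lib/modules/$(KVERSION)/build`. The three `grep` lookups are also unchecked: when `/boot/System.map-$(KVERSION)` is absent or lacks a symbol the variable is empty and the sub-make receives `KALLSYMS_LOOKUP_NAME=0x`, a malformed literal, which is better caught up front with `ifeq ($(KALLSYMS_LOOKUP_NAME),)` / `$(error kallsyms_lookup_name not found in System.map-$(KVERSION))` / `endif` (and likewise for the other two). Since these are absolute kernel addresses baked into the object at build time, a comment stating that the resulting .ko is only valid for the exact kernel whose System.map was read would help whoever next touches this file.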
diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build
deleted file mode 100755
index fb344b37..00000000
--- a/runtime/probes/shellsnoop/build
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-KVERSION=`uname -r`
-echo $KVERSION
-KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'`
-KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'`
-KTA=`grep "__kernel_text_address" /boot/System.map-$KVERSION |awk '{print $1}'`
-
-make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \
- KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \
- KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP KTA=0x$KTA\
- STP_RUNTIME=`pwd`/../..
-
-
-
-
-
diff --git a/runtime/probes/shellsnoop/dtr.c b/runtime/probes/shellsnoop/shellprobe.c
index b857a618..c257de5d 100644
--- a/runtime/probes/shellsnoop/dtr.c
+++ b/runtime/probes/shellsnoop/shellprobe.c
@@ -1,12 +1,18 @@
-#define HASH_TABLE_BITS 8
-#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
-#define BUCKETS 16 /* largest histogram width */
-
#define STP_NETLINK_ONLY
#define STP_NUM_STRINGS 1
#include "runtime.h"
-#include "map.c"
+
+#define KEY1_TYPE INT64
+#include "map-keys.c"
+
+#define VALUE_TYPE INT64
+#include "map-values.c"
+
+#define VALUE_TYPE STRING
+#include "map-values.c"
+
+#include "list.c"
#include "copy.c"
#include "probes.c"
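Review bot: `#define VALUE_TYPE STRING` follows `#define VALUE_TYPE INT64` with no `#undef` between them, so unless `map-values.c` undefines `VALUE_TYPE` itself (and `map-keys.c` does the same for `KEY1_TYPE`) the second definition is a macro-redefinition warning and the include order becomes load-bearing without saying so. Either an explicit `#undef VALUE_TYPE` before the second define, or a comment such as `/* map-values.c consumes and #undefs VALUE_TYPE; include once per value type */`, would make the contract visible here rather than in the included file.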
@@ -17,8 +23,7 @@ MAP pids, arglist ;
int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
{
- struct map_node_str *ptr;
-
+ struct map_node *ptr;
/* watch shells only */
/* FIXME: detect more shells, like csh, tcsh, zsh */
@@ -27,14 +32,14 @@ int inst_do_execve (char * filename, char __user *__user *argv, char __user *__u
{
_stp_printf ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
- _stp_map_key_long (pids, current->pid);
+ _stp_map_key_int64 (pids, current->pid);
_stp_map_set_int64 (pids, 1);
_stp_list_clear (arglist);
_stp_copy_argv_from_user (arglist, argv);
foreach (arglist, ptr)
- _stp_printf ("%s ", ptr->str);
+ _stp_printf ("%s ", _stp_get_str(ptr));
_stp_print_flush();
}
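Review bot: The `foreach (arglist, ptr)` body on the changed `_stp_printf ("%s ", _stp_get_str(ptr));` line is unbraced, which is the shape that later silently acquires a second statement; kernel style would brace it. The results of `_stp_map_set_int64` and `_stp_copy_argv_from_user` on the preceding lines are also dropped, so if either reports a full map or a faulting copy of the user-supplied `argv`, the shell is simply not tracked or printed with a partial argument list with no indication in the trace — whether they return a status is not visible from this hunk. `inst_do_execve` begins before this hunk.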
@@ -44,7 +49,7 @@ int inst_do_execve (char * filename, char __user *__user *argv, char __user *__u
struct file * inst_filp_open (const char * filename, int flags, int mode)
{
- _stp_map_key_long (pids, current->pid);
+ _stp_map_key_int64 (pids, current->pid);
if (_stp_map_get_int64 (pids))
_stp_printf ("%d\t%d\t%s\tO %s", current->pid, current->parent->pid, current->comm, filename);
@@ -55,7 +60,7 @@ struct file * inst_filp_open (const char * filename, int flags, int mode)
asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
{
- _stp_map_key_long (pids, current->pid);
+ _stp_map_key_int64 (pids, current->pid);
if (_stp_map_get_int64 (pids))
_stp_printf ("%d\t%d\t%s\tR %d", current->pid, current->parent->pid, current->comm, fd);
@@ -66,12 +71,13 @@ asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t cou
asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
{
- _stp_map_key_long (pids, current->pid);
+ _stp_map_key_int64 (pids, current->pid);
if (_stp_map_get_int64 (pids))
{
String str = _stp_string_init (0);
_stp_string_from_user(str, buf, count);
- _stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid, current->comm, str->buf);
+ _stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid,
+ current->comm, _stp_string_ptr(str));
_stp_print_flush();
}
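Review bot: The changed `_stp_printf` prints `_stp_string_ptr(str)` without looking at what `_stp_string_from_user(str, buf, count)` returned on the line above; `count` is the caller's write length, so both whether the copy is bounded by the String's capacity and what `str` holds after a faulting copy depend on that helper, which is not visible here. If it reports failure, the print should be skipped on that path rather than emitting whatever the buffer contains. A short comment on this block would also help operators: `/* forwards the raw payload of every write() by a tracked shell to the daemon */`, since anything a shell echoes to its terminal ends up in the trace stream.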
@@ -79,7 +85,7 @@ asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, siz
return 0;
}
-static struct jprobe dtr_probes[] = {
+static struct jprobe stp_probes[] = {
{
.kp.addr = (kprobe_opcode_t *)"do_execve",
.entry = (kprobe_opcode_t *) inst_do_execve
@@ -98,67 +104,49 @@ static struct jprobe dtr_probes[] = {
},
};
-#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
-
-static unsigned n_subbufs = 4;
-module_param(n_subbufs, uint, 0);
-MODULE_PARM_DESC(n_subbufs, "number of sub-buffers per per-cpu buffer");
+#define MAX_STP_ROUTINE (sizeof(stp_probes)/sizeof(struct jprobe))
-static unsigned subbuf_size = 65536;
-module_param(subbuf_size, uint, 0);
-MODULE_PARM_DESC(subbuf_size, "size of each per-cpu sub-buffers");
static int pid;
module_param(pid, int, 0);
MODULE_PARM_DESC(pid, "daemon pid");
-static int init_dtr(void)
+int init_module(void)
{
int ret;
if (!pid) {
- printk("init_dtr: Can't start without daemon pid\n");
+ printk("init_module: Can't start without daemon pid\n");
return -1;
}
if (_stp_transport_open(n_subbufs, subbuf_size, pid) < 0) {
- printk("init_dtr: Couldn't open transport\n");
+ printk("init_module: Couldn't open transport\n");
return -1;
}
- pids = _stp_map_new (10000, INT64);
+ pids = _stp_map_new_int64 (10000, INT64);
arglist = _stp_list_new (10, STRING);
- ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+ ret = _stp_register_jprobes (stp_probes, MAX_STP_ROUTINE);
printk("instrumentation is enabled... %s\n", __this_module.name);
return ret;
}
-static int exited; /* FIXME: this is a stopgap - if we don't do this
- * and are manually removed, bad things happen */
static void probe_exit (void)
{
- exited = 1;
-
- _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
-
- _stp_print ("In probe_exit now.");
+ _stp_unregister_jprobes (stp_probes, MAX_STP_ROUTINE);
_stp_map_del (pids);
_stp_print_flush();
}
-static void cleanup_dtr(void)
+void cleanup_module(void)
{
- if (!exited)
- probe_exit();
-
_stp_transport_close();
}
-module_init(init_dtr);
-module_exit(cleanup_dtr);
MODULE_LICENSE("GPL");
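Review bot: `cleanup_module` no longer calls `probe_exit`, and nothing else in this hunk does, so on a direct `rmmod` the jprobes in `stp_probes` are only unregistered if `_stp_transport_close()` or the transport's daemon-disconnect path invokes `probe_exit` on the module's behalf — the removed `exited` stopgap and its comment suggest that was true for daemon exit but not for manual removal. A registered jprobe whose handler text has been unloaded is a kernel-level use-after-free, so either restore the guard (`if (!exited) probe_exit();` with the flag set inside `probe_exit`) or document the ordering contract on `cleanup_module`: `/* probe_exit() must already have run (the transport calls it when stpd detaches); rmmod before that is unsupported */`. Separately, `init_module` still passes `n_subbufs` and `subbuf_size` to `_stp_transport_open` while this hunk deletes both definitions and their `module_param`s, which only compiles if the runtime now provides them. The `printk` calls also lack a `KERN_*` level, and the early `return -1` is reported to insmod as `-EPERM` where `-EINVAL` (no pid) and `-ENODEV` (transport) would describe the failure.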
diff --git a/runtime/probes/shellsnoop/stp b/runtime/probes/shellsnoop/stp
index 14e8f47a..4a278ac2 100755
--- a/runtime/probes/shellsnoop/stp
+++ b/runtime/probes/shellsnoop/stp
@@ -7,8 +7,8 @@ else
exit
fi
-RELAYFS=`lsmod | grep relayfs |awk '{print $1}'`
-if [ "$RELAYFS" != "relayfs" ]
+RELAYFS=`grep " relayfs_mmap" /proc/kallsyms`
+if [ "$RELAYFS" == "" ]
then
/sbin/insmod ../../relayfs/relayfs.ko
fi
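Review bot: `if [ "$RELAYFS" == "" ]` uses the bash-only `==` inside `[`; under a POSIX `sh` the test is a syntax error (the interpreter line is outside this hunk). The capture-then-compare can use grep's exit status directly, `if ! grep -q " relayfs_mmap" /proc/kallsyms 2>/dev/null; then`, which also quiets the error when `/proc/kallsyms` is absent on a kernel built without kallsyms — in that case the script falls through to `insmod`, which may be the intended fallback but deserves a one-line comment saying so.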
@@ -47,5 +47,3 @@ fi
# no screen or log
#../../stpd/stpd -q -b 8192 -n 4
-# stpd will remove module when it exits
-#/sbin/rmmod $modulename