Diffstat (limited to 'runtime/docs/html/probes_2shellsnoop_2README-source.html')
-rw-r--r--runtime/docs/html/probes_2shellsnoop_2README-source.html85
1 files changed, 85 insertions, 0 deletions
diff --git a/runtime/docs/html/probes_2shellsnoop_2README-source.html b/runtime/docs/html/probes_2shellsnoop_2README-source.html
new file mode 100644
index 00000000..2a2ac71d
--- /dev/null
+++ b/runtime/docs/html/probes_2shellsnoop_2README-source.html
@@ -0,0 +1,85 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
+<title>SystemTap: probes/shellsnoop/README Source File</title>
+<link href="doxygen.css" rel="stylesheet" type="text/css">
+</head><body>
+<!-- Generated by Doxygen 1.4.1 -->
+<div class="qindex"><a class="qindex" href="index.html">Main&nbsp;Page</a> | <a class="qindex" href="annotated.html">Data&nbsp;Structures</a> | <a class="qindex" href="dirs.html">Directories</a> | <a class="qindex" href="files.html">File&nbsp;List</a> | <a class="qindex" href="functions.html">Data&nbsp;Fields</a> | <a class="qindex" href="globals.html">Globals</a> | <a class="qindex" href="pages.html">Related&nbsp;Pages</a></div>
+<div class="nav">
+<a class="el" href="dir_000000.html">probes</a>&nbsp;/&nbsp;<a class="el" href="dir_000001.html">shellsnoop</a></div>
+<h1>README</h1><div class="fragment"><pre class="fragment">00001 <span class="comment">/** @dir shellsnoop</span>
+00002 <span class="comment">Snoops on what commands are being run by shells.</span>
+00003 <span class="comment"></span>
+00004 <span class="comment">This is a translation of on an old dtr probe. It demonstrates maps,</span>
+00005 <span class="comment">lists, and how to use _stp_copy_argv_from_user() and _stp_strncpy_from_user().</span>
+00006 <span class="comment"></span>
+00007 <span class="comment">Original dtr source:</span>
+00008 <span class="comment"></span>
+00009 <span class="comment">\verbatim</span>
+00010 <span class="comment"># shellsnoop.probe - snoop shell execution as it occurs.</span>
+00011 <span class="comment"># clone of dtrace shellsnoop example</span>
+00012 <span class="comment"></span>
+00013 <span class="comment">global {</span>
+00014 <span class="comment"> long @pids[long];</span>
+00015 <span class="comment">}</span>
+00016 <span class="comment"></span>
+00017 <span class="comment">probe do_execve:entry {</span>
+00018 <span class="comment"> char __user *vstr;</span>
+00019 <span class="comment"> char str[256];</span>
+00020 <span class="comment"> int len;</span>
+00021 <span class="comment"></span>
+00022 <span class="comment"> /* watch shells only */</span>
+00023 <span class="comment">/* FIXME: detect more shells, like csh, tcsh, zsh */</span>
+00024
+00025 <span class="keywordflow">if</span> (!strcmp(current-&gt;comm,<span class="stringliteral">"bash"</span>) || !strcmp(current-&gt;comm,<span class="stringliteral">"sh"</span>) || !strcmp(current-&gt;comm, <span class="stringliteral">"zsh"</span>)
+00026 || !strcmp(current-&gt;comm, <span class="stringliteral">"tcsh"</span>) || !strcmp(current-&gt;comm, <span class="stringliteral">"pdksh"</span>))
+00027 {
+00028 dlog (<span class="stringliteral">"%d\t%d\t%d\t%s "</span>, current-&gt;uid, current-&gt;pid, current-&gt;parent-&gt;pid, filename);
+00029 @pids[current-&gt;pid] = 1;
+00030
+00031 <span class="comment">/* print out argv, ignoring argv[0] */</span>
+00032 <span class="keywordflow">if</span> (argv) argv++;
+00033 while (argv != NULL)
+00034 {
+00035 <span class="keywordflow">if</span> (get_user (vstr, argv))
+00036 break;
+00037 if (!vstr)
+00038 break;
+00039 len = dtr_strncpy_from_user(str, vstr, 256);
+00040 str[len] = 0;
+00041 printk ("%s ", str);
+00042 argv++;
+00043 }
+00044 printk ("\n");
+00045 }
+00046 }
+00047
+00048 # use filp_open because copy_from_user not needed there
+00049 probe filp_open:entry {
+00050 <span class="keywordflow">if</span> (@pids[current-&gt;pid])
+00051 dlog ("%d\t%d\t%s\tO %s\n", current-&gt;pid, current-&gt;parent-&gt;pid, current-&gt;comm, filename);
+00052 }
+00053
+00054 probe sys_read:entry {
+00055 <span class="keywordflow">if</span> (@pids[current-&gt;pid])
+00056 dlog ("%d\t%d\t%s\tR %d\n", current-&gt;pid, current-&gt;parent-&gt;pid, current-&gt;comm, fd);
+00057 }
+00058
+00059 probe sys_write:entry {
+00060 size_t len;
+00061 <span class="keywordtype">char</span> str[256];
+00062 <span class="keywordflow">if</span> (@pids[current-&gt;pid])
+00063 {
+00064 <span class="keywordflow">if</span> (count &lt; 64) len = count;
+00065 else len = 64;
+00066 if (len = dtr_strncpy_from_user(str, buf, len)) {
+00067 str[len] = 0;
+00068 dlog (<span class="stringliteral">"%d\t%d\t%s\tW %s\n"</span>, current-&gt;pid, current-&gt;parent-&gt;pid, current-&gt;comm, str);
+00069 }
+00070 }
+00071 }
+00072 \endverbatim
+00073 */
+</pre></div><hr size="1"><address style="align: right;"><small>
+Generated on Tue Mar 22 00:32:02 2005 for SystemTap.</small></body>
+</html>