Diffstat (limited to 'runtime/probes/shellsnoop')
-rw-r--r--runtime/probes/shellsnoop/Makefile2
-rwxr-xr-xruntime/probes/shellsnoop/build3
-rw-r--r--runtime/probes/shellsnoop/dtr.c54
-rwxr-xr-xruntime/probes/shellsnoop/stp39
4 files changed, 75 insertions, 23 deletions
diff --git a/runtime/probes/shellsnoop/Makefile b/runtime/probes/shellsnoop/Makefile
index 8fff0dc4..12a0f65f 100644
--- a/runtime/probes/shellsnoop/Makefile
+++ b/runtime/probes/shellsnoop/Makefile
@@ -3,7 +3,7 @@
#
# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt
-CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \
+CFLAGS += -I $(STP_RUNTIME) -I $(STP_RUNTIME)/relayfs -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \
-D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP)
obj-m := dtr.o
diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build
index 3713f08a..fb344b37 100755
--- a/runtime/probes/shellsnoop/build
+++ b/runtime/probes/shellsnoop/build
@@ -4,10 +4,11 @@ KVERSION=`uname -r`
echo $KVERSION
KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'`
KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'`
+KTA=`grep "__kernel_text_address" /boot/System.map-$KVERSION |awk '{print $1}'`
make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \
KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \
- KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \
+ KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP KTA=0x$KTA\
STP_RUNTIME=`pwd`/../..
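Review bot: The new lookup on L32 is not anchored the way the two above it are, so `grep "__kernel_text_address"` will also match the `__ksymtab___kernel_text_address` and `__kstrtab___kernel_text_address` entries that System.map carries for an exported symbol, and with `$KTA` unquoted on L36 the extra addresses become separate words after `KTA=0x...` that make treats as targets. Anchor it like its neighbours: `KTA=$(grep " __kernel_text_address$" /boot/System.map-$KVERSION | awk '{print $1}')`. L36 also puts the continuation backslash directly after `$KTA`, so the shell joins `KTA=0x$KTA` to the first character of the next line unless that line is indented (leading whitespace is not visible in this listing); `KTA=0x$KTA \` removes the dependency on indentation.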
diff --git a/runtime/probes/shellsnoop/dtr.c b/runtime/probes/shellsnoop/dtr.c
index 92b3221f..e529b054 100644
--- a/runtime/probes/shellsnoop/dtr.c
+++ b/runtime/probes/shellsnoop/dtr.c
@@ -2,8 +2,10 @@
#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
#define BUCKETS 16 /* largest histogram width */
+#define STP_NETLINK_ONLY
+#define STP_NUM_STRINGS 1
+
#include "runtime.h"
-#include "io.c"
#include "map.c"
#include "copy.c"
#include "probes.c"
@@ -23,16 +25,18 @@ int inst_do_execve (char * filename, char __user *__user *argv, char __user *__u
if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
|| !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
{
- dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+ _stp_printf ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
_stp_map_key_long (pids, current->pid);
_stp_map_set_int64 (pids, 1);
_stp_list_clear (arglist);
_stp_copy_argv_from_user (arglist, argv);
+
foreach (arglist, ptr)
- printk ("%s ", ptr->str);
- printk ("\n");
+ _stp_printf ("%s ", ptr->str);
+
+ _stp_print_flush();
}
jprobe_return();
return 0;
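Review bot: The argv strings copied from user space on L62 are written into the tab-separated record verbatim by `_stp_printf ("%s ", ptr->str)` on L67, so any process whose comm is "bash" can put `\t` or `\n` in its own arguments to split the record or forge a fake uid/pid/ppid line in the trace; for a probe whose purpose is to audit shell activity, control characters in `filename` and each `ptr->str` should be escaped or replaced before printing, which needs a small helper that is not part of this diff. The hunk also drops the trailing newline the old `printk ("\n")` emitted; if `_stp_print_flush()` does not terminate the record itself, consecutive records will run together. inst_do_execve's signature and closing brace are outside this hunk.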
@@ -42,8 +46,9 @@ struct file * inst_filp_open (const char * filename, int flags, int mode)
{
_stp_map_key_long (pids, current->pid);
if (_stp_map_get_int64 (pids))
- dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
-
+ _stp_printf ("%d\t%d\t%s\tO %s", current->pid, current->parent->pid, current->comm, filename);
+
+ _stp_print_flush();
jprobe_return();
return 0;
}
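Review bot: `_stp_print_flush()` on L81 now runs outside the `if`, so every filp_open() on the system performs a flush even when nothing was queued for an untracked pid; the record is only produced under `_stp_map_get_int64 (pids)`, and the flush belongs there too — brace the body as `if (_stp_map_get_int64 (pids)) { _stp_printf (...); _stp_print_flush(); }`. The replaced dlog line ended in `\n` and the new format string does not; whether the flush terminates the record is not visible here, so this should be confirmed against the runtime. inst_filp_open's signature is just outside the hunk.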
@@ -52,27 +57,22 @@ asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t cou
{
_stp_map_key_long (pids, current->pid);
if (_stp_map_get_int64 (pids))
- dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+ _stp_printf ("%d\t%d\t%s\tR %d", current->pid, current->parent->pid, current->comm, fd);
+ _stp_print_flush();
jprobe_return();
return 0;
}
asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
{
- size_t len;
- char str[256];
_stp_map_key_long (pids, current->pid);
if (_stp_map_get_int64 (pids))
{
- if (count < 64)
- len = count;
- else
- len = 64;
- len = _stp_strncpy_from_user(str, buf, len);
- if (len < 0) len = 0;
- str[len] = 0;
- dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+ String str = _stp_string_init (0);
+ _stp_string_from_user(str, buf, count);
+ _stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid, current->comm, str->buf);
+ _stp_print_flush();
}
jprobe_return();
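Review bot: `_stp_string_from_user(str, buf, count)` on L111 passes the caller-supplied `count` straight through and ignores the return value, dropping both the 64-byte cap and the negative-length check that the removed lines enforced; unless the runtime's String clamps to its own buffer internally (not visible in this diff), a large write() will copy far more user data into the trace than before, or worse. Keep an explicit bound, `_stp_string_from_user(str, buf, count < 64 ? count : 64);`, and check the result before using `str->buf`. Separately, `_stp_print_flush()` on L91 is unconditional, so every read() on the system pays for a flush even when nothing was queued for this pid; it should sit under the `if` as the printf does. inst_sys_write's `return 0` and closing brace are past the end of this hunk.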
@@ -95,7 +95,7 @@ static struct jprobe dtr_probes[] = {
{
.kp.addr = (kprobe_opcode_t *)"sys_write",
.entry = (kprobe_opcode_t *) inst_sys_write
- },
+ },
};
#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
@@ -104,20 +104,32 @@ static int init_dtr(void)
{
int ret;
+ if (_stp_netlink_open() < 0)
+ return -1;
+
pids = _stp_map_new (10000, INT64);
arglist = _stp_list_new (10, STRING);
ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
- dlog("instrumentation is enabled...\n");
+ _stp_log("instrumentation is enabled... %s\n", __this_module.name);
return ret;
}
-static void cleanup_dtr(void)
+static void probe_exit (void)
{
_stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+
+ _stp_print ("In probe_exit now.");
_stp_map_del (pids);
- dlog("EXIT\n");
+ _stp_print_flush();
+}
+
+
+static void cleanup_dtr(void)
+{
+ _stp_netlink_close();
+
}
module_init(init_dtr);
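Review bot: The failure paths in init_dtr are incomplete: L127-L128 return a bare `-1`, which insmod reports as EPERM ("Operation not permitted") and misleads the operator, and if `_stp_register_jprobes` fails on L132 the function returns with the netlink transport still open and `pids` still allocated. The exit side has a related hazard: `cleanup_dtr` (module_exit) now only calls `_stp_netlink_close()`, so unless that function is guaranteed to run `probe_exit` before returning, an rmmod that does not go through stpd leaves registered jprobes pointing into unloaded text. The init side can be tightened as below; the exit side needs confirmation of what `_stp_netlink_close()` does.
```c
	if (_stp_netlink_open() < 0)
		return -EIO;	/* -1 would be reported by insmod as EPERM */

	pids = _stp_map_new (10000, INT64);
	arglist = _stp_list_new (10, STRING);

	ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
	if (ret < 0) {
		/* undo what succeeded so the transport is not left open */
		_stp_map_del (pids);
		_stp_netlink_close();
		return ret;
	}
	/* … unchanged: _stp_log and return ret … */
```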
diff --git a/runtime/probes/shellsnoop/stp b/runtime/probes/shellsnoop/stp
new file mode 100755
index 00000000..d10fcaab
--- /dev/null
+++ b/runtime/probes/shellsnoop/stp
@@ -0,0 +1,39 @@
+#!/bin/bash
+if [ -n "$1" ]
+then
+ modulename=$1
+else
+ echo "Usage: stp modulename"
+ exit
+fi
+
+RELAYFS=`lsmod | grep relayfs |awk '{print $1}'`
+if [ "$RELAYFS" != "relayfs" ]
+then
+ /sbin/insmod ../../relayfs/relayfs.ko
+fi
+
+if [ ! -d "/mnt/relay" ]
+then
+ mkdir /mnt/relay
+fi
+
+MOUNT=`mount | grep relayfs |awk '{print $1}'`
+if [ "$MOUNT" != "relayfs" ]
+then
+ mount -t relayfs relayfs /mnt/relay
+fi
+
+/sbin/insmod $modulename
+
+# print to screen only, 4 8K buffers
+#../../stpd/stpd -p -b 8192 -n 4
+
+# print to screen and log to files, 4 8K buffers
+../../stpd/stpd -b 8192 -n 4
+
+# no screen or log
+#../../stpd/stpd -q -b 8192 -n 4
+
+# stpd will remove module when it exits
+#/sbin/rmmod $modulename
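Review bot: Nothing in the new script checks that its privileged steps succeeded: if the relayfs insmod on L173, the mount on L184, or `/sbin/insmod $modulename` on L187 fails, execution still falls through to starting stpd against a transport that is not there, and the usage branch on L166-L167 exits with status 0. Add `set -e` after the shebang (or `|| exit 1` on each of those lines), change the usage path to `exit 1`, and quote `"$modulename"` since it comes from the command line. The test on L170 is also unanchored: `lsmod | grep relayfs | awk '{print $1}'` returns the name of any module that lists relayfs in its "Used by" column, so the comparison fails and a redundant insmod is attempted; `lsmod | awk '$1 == "relayfs"'` is exact.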