Diffstat (limited to 'runtime/probes/shellsnoop')
-rw-r--r-- | runtime/probes/shellsnoop/README | 73 | ||||
-rwxr-xr-x | runtime/probes/shellsnoop/build | 2 | ||||
-rw-r--r-- | runtime/probes/shellsnoop/shellsnoop.c | 161 | ||||
-rw-r--r-- | runtime/probes/shellsnoop/targets | 1 |
4 files changed, 0 insertions, 237 deletions
diff --git a/runtime/probes/shellsnoop/README b/runtime/probes/shellsnoop/README deleted file mode 100644 index 70b5e614..00000000 --- a/runtime/probes/shellsnoop/README +++ /dev/null @@ -1,73 +0,0 @@ -/** @dir shellsnoop -Snoops on what commands are being run by shells. - -This is a translation of on an old dtr probe. It demonstrates maps, -lists, and how to use _stp_copy_argv_from_user() and _stp_strncpy_from_user(). - -Original dtr source: - -\verbatim -# shellsnoop.probe - snoop shell execution as it occurs. -# clone of dtrace shellsnoop example - -global { - long @pids[long]; -} - -probe do_execve:entry { - char __user *vstr; - char str[256]; - int len; - - /* watch shells only */ - /* FIXME: detect more shells, like csh, tcsh, zsh */ - - if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh") - || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh")) - { - dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename); - @pids[current->pid] = 1; - - /* print out argv, ignoring argv[0] */ - if (argv) argv++; - while (argv != NULL) - { - if (get_user (vstr, argv)) - break; - if (!vstr) - break; - len = dtr_strncpy_from_user(str, vstr, 256); - str[len] = 0; - printk ("%s ", str); - argv++; - } - printk ("\n"); - } -} - -# use filp_open because copy_from_user not needed there -probe filp_open:entry { - if (@pids[current->pid]) - dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename); -} - -probe sys_read:entry { - if (@pids[current->pid]) - dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd); -} - -probe sys_write:entry { - size_t len; - char str[256]; - if (@pids[current->pid]) - { - if (count < 64) len = count; - else len = 64; - if (len = dtr_strncpy_from_user(str, buf, len)) { - str[len] = 0; - dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str); - } - } -} -\endverbatim -*/ 
diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build deleted file mode 100755 index f3e83244..00000000 --- a/runtime/probes/shellsnoop/build +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -../build_probe $* diff --git a/runtime/probes/shellsnoop/shellsnoop.c b/runtime/probes/shellsnoop/shellsnoop.c deleted file mode 100644 index dd0c81b9..00000000 --- a/runtime/probes/shellsnoop/shellsnoop.c +++ /dev/null 
@@ -1,161 +0,0 @@ -//#define STP_RELAYFS -#define STP_NUM_STRINGS 1 -#define STP_STRING_SIZE 8192 -#include "runtime.h" - -#define VALUE_TYPE INT64 -#define KEY1_TYPE INT64 -#include "map-gen.c" - -#define VALUE_TYPE STRING -#define KEY1_TYPE INT64 -#include "map-gen.c" - -#include "map.c" -#include "copy.c" -#include "probes.c" - -MODULE_DESCRIPTION("SystemTap probe: shellsnoop"); -MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>"); - -MAP pids, arglist ; - -void _stp_copy_argv_from_user (MAP list, char __user *__user *argv) -{ - char str[128]; - char __user *vstr; - int len, i = 0; - - if (argv) - argv++; - - while (argv != NULL) { - if (get_user (vstr, argv)) - break; - - if (vstr == NULL) - break; - - len = _stp_strncpy_from_user(str, vstr, 128); - str[len] = 0; - _stp_map_set_is (list, i++, str); - argv++; - } -} - -int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs) -{ - struct map_node *ptr; - - /* watch shells only */ - /* FIXME: detect more shells, like csh, tcsh, zsh */ - - if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh") - || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh")) - { - _stp_printf ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename); - - _stp_map_set_ii (pids, current->pid, 1); - - _stp_map_clear (arglist); - _stp_copy_argv_from_user (arglist, argv); - - foreach (arglist, ptr) - _stp_printf ("%s ", _stp_get_str(ptr)); - _stp_print("\n"); - - _stp_print_flush(); - } - jprobe_return(); - return 0; -} - -struct file * inst_filp_open (const char * filename, int flags, int mode) -{ - if (_stp_map_get_ii (pids, current->pid)) { - _stp_printf ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename); - _stp_print_flush(); - } - jprobe_return(); - return 0; -} - -asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count) -{ - if (_stp_map_get_ii (pids, 
current->pid)) { - _stp_printf ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd); - _stp_print_flush(); - } - jprobe_return(); - return 0; -} - -asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count) -{ - if (_stp_map_get_ii (pids, current->pid)) { - String str = _stp_string_init (0); - _stp_string_from_user(str, buf, count); - _stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid, - current->comm, _stp_string_ptr(str)); - _stp_print_flush(); - } - - jprobe_return(); - return 0; -} - -static struct jprobe stp_probes[] = { - { - .kp.addr = (kprobe_opcode_t *)"do_execve", - .entry = (kprobe_opcode_t *) inst_do_execve - }, - { - .kp.addr = (kprobe_opcode_t *)"filp_open", - .entry = (kprobe_opcode_t *) inst_filp_open - }, - { - .kp.addr = (kprobe_opcode_t *)"sys_read", - .entry = (kprobe_opcode_t *) inst_sys_read - }, - { - .kp.addr = (kprobe_opcode_t *)"sys_write", - .entry = (kprobe_opcode_t *) inst_sys_write - }, -}; - -#define MAX_STP_ROUTINE (sizeof(stp_probes)/sizeof(struct jprobe)) - - -int probe_start(void) -{ - int ret; - - /* now initialize any data or variables */ - pids = _stp_map_new_ii(10000); - arglist = _stp_map_new_is (10); - - /* now we are ready to enable the probes */ - ret = _stp_register_jprobes (stp_probes, MAX_STP_ROUTINE); - - if (ret < 0) { - _stp_map_del (pids); - _stp_map_del (arglist); - return ret; - } - - _stp_printf("instrumentation is enabled... %s\n", __this_module.name); - _stp_print_flush(); - return ret; -} - - -void probe_exit (void) -{ - _stp_unregister_jprobes (stp_probes, MAX_STP_ROUTINE); - _stp_map_del (pids); - _stp_map_del (arglist); - _stp_printf("\nDropped %d packets\n", atomic_read(&_stp_transport_failures)); - _stp_print_flush(); -} - - diff --git a/runtime/probes/shellsnoop/targets b/runtime/probes/shellsnoop/targets deleted file mode 100644 index fdd0d724..00000000 --- a/runtime/probes/shellsnoop/targets +++ /dev/null 
@@ -1 +0,0 @@ -shellsnoop |