From 01850eb90df234d6eeeb6ddbb511e9051dbb0c13 Mon Sep 17 00:00:00 2001
From: hunt
Date: Tue, 17 May 2005 06:18:44 +0000
Subject: Renamed dtr.c as shellprobe.c. Now build shellprobe.ko.
---
 runtime/probes/shellsnoop/Makefile | 20 +++-
 runtime/probes/shellsnoop/build | 17 ----
 runtime/probes/shellsnoop/dtr.c | 164 ---------------------------------
 runtime/probes/shellsnoop/shellprobe.c | 152 ++++++++++++++++++++++++++++++
 runtime/probes/shellsnoop/stp | 6 +-
 5 files changed, 170 insertions(+), 189 deletions(-)
 delete mode 100755 runtime/probes/shellsnoop/build
 delete mode 100644 runtime/probes/shellsnoop/dtr.c
 create mode 100644 runtime/probes/shellsnoop/shellprobe.c
(limited to 'runtime')
diff --git a/runtime/probes/shellsnoop/Makefile b/runtime/probes/shellsnoop/Makefile
index 12a0f65f..f34e0c85 100644
--- a/runtime/probes/shellsnoop/Makefile
+++ b/runtime/probes/shellsnoop/Makefile
@@ -1,11 +1,23 @@
 # Makefile
-#
-#
-# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt
+
+PWD := $(shell pwd)
+KVERSION := $(shell uname -r)
+KDIR := /lib/modules/$(KVERSION)/build include
+
+KALLSYMS_LOOKUP_NAME := $(firstword $(shell grep " kallsyms_lookup_name" /boot/System.map-$(KVERSION)))
+KALLSYMS_LOOKUP := $(firstword $(shell grep " kallsyms_lookup$$" /boot/System.map-$(KVERSION)))
+KTA := $(firstword $(shell grep "__kernel_text_address" /boot/System.map-$(KVERSION)))
 CFLAGS += -I $(STP_RUNTIME) -I $(STP_RUNTIME)/relayfs -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \
 -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP)
-obj-m := dtr.o
+
+obj-m := shellprobe.o
+
+default:
+ $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules \
+ KALLSYMS_LOOKUP_NAME=0x$(KALLSYMS_LOOKUP_NAME) \
+ KALLSYMS_LOOKUP=0x$(KALLSYMS_LOOKUP) KTA=0x$(KTA)\
+ STP_RUNTIME=$(PWD)/../..
 clean:
 /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions
diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build
deleted file mode 100755
index fb344b37..00000000
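Review bot: The three `$(firstword $(shell grep ...))` lookups expand to empty when `/boot/System.map-$(KVERSION)` is missing or does not contain the symbol, and the `default` target then passes `KALLSYMS_LOOKUP_NAME=0x` (and the other two) into the kernel build, so the failure most likely surfaces only as a preprocessor error inside the runtime headers rather than at its cause. Fail at the point of cause with `ifeq ($(KALLSYMS_LOOKUP_NAME),)`, `$(error kallsyms_lookup_name not found in /boot/System.map-$(KVERSION))`, `endif`, and the same guard for `KALLSYMS_LOOKUP` and `KTA`. Because the built .ko embeds these absolute kernel addresses, a comment above the lookups stating that the module is only valid for the exact kernel build whose System.map was read would also help: a stale System.map resolves the names to wrong addresses with no build-time error.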
--- a/runtime/probes/shellsnoop/build
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-KVERSION=`uname -r`
-echo $KVERSION
-KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'`
-KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'`
-KTA=`grep "__kernel_text_address" /boot/System.map-$KVERSION |awk '{print $1}'`
-
-make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \
- KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \
- KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP KTA=0x$KTA\
- STP_RUNTIME=`pwd`/../..
-
-
-
-
-
diff --git a/runtime/probes/shellsnoop/dtr.c b/runtime/probes/shellsnoop/dtr.c
deleted file mode 100644
index b857a618..00000000
--- a/runtime/probes/shellsnoop/dtr.c
+++ /dev/null
@@ -1,164 +0,0 @@
-#define HASH_TABLE_BITS 8
-#define HASH_TABLE_SIZE (1<");
-
-MAP pids, arglist ;
-
-int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
-{
- struct map_node_str *ptr;
-
- /* watch shells only */
- /* FIXME: detect more shells, like csh, tcsh, zsh */
-
- if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
- || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
- {
- _stp_printf ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
-
- _stp_map_key_long (pids, current->pid);
- _stp_map_set_int64 (pids, 1);
-
- _stp_list_clear (arglist);
- _stp_copy_argv_from_user (arglist, argv);
-
- foreach (arglist, ptr)
- _stp_printf ("%s ", ptr->str);
-
- _stp_print_flush();
- }
- jprobe_return();
- return 0;
-}
-
-struct file * inst_filp_open (const char * filename, int flags, int mode)
-{
- _stp_map_key_long (pids, current->pid);
- if (_stp_map_get_int64 (pids))
- _stp_printf ("%d\t%d\t%s\tO %s", current->pid, current->parent->pid, current->comm, filename);
-
- _stp_print_flush();
- jprobe_return();
- return 0;
-}
-
-asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
-{
- _stp_map_key_long (pids, current->pid);
- if (_stp_map_get_int64 (pids))
- _stp_printf ("%d\t%d\t%s\tR %d", current->pid, current->parent->pid, current->comm, fd);
-
- _stp_print_flush();
- jprobe_return();
- return 0;
-}
-
-asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
-{
- _stp_map_key_long (pids, current->pid);
- if (_stp_map_get_int64 (pids))
- {
- String str = _stp_string_init (0);
- _stp_string_from_user(str, buf, count);
- _stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid, current->comm, str->buf);
- _stp_print_flush();
- }
-
- jprobe_return();
- return 0;
-}
-
-static struct jprobe dtr_probes[] = {
- {
- .kp.addr = (kprobe_opcode_t *)"do_execve",
- .entry = (kprobe_opcode_t *) inst_do_execve
- },
- {
- .kp.addr = (kprobe_opcode_t *)"filp_open",
- .entry = (kprobe_opcode_t *) inst_filp_open
- },
- {
- .kp.addr = (kprobe_opcode_t *)"sys_read",
- .entry = (kprobe_opcode_t *) inst_sys_read
- },
- {
- .kp.addr = (kprobe_opcode_t *)"sys_write",
- .entry = (kprobe_opcode_t *) inst_sys_write
- },
-};
-
-#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
-
-static unsigned n_subbufs = 4;
-module_param(n_subbufs, uint, 0);
-MODULE_PARM_DESC(n_subbufs, "number of sub-buffers per per-cpu buffer");
-
-static unsigned subbuf_size = 65536;
-module_param(subbuf_size, uint, 0);
-MODULE_PARM_DESC(subbuf_size, "size of each per-cpu sub-buffers");
-
-static int pid;
-module_param(pid, int, 0);
-MODULE_PARM_DESC(pid, "daemon pid");
-
-static int init_dtr(void)
-{
- int ret;
-
- if (!pid) {
- printk("init_dtr: Can't start without daemon pid\n");
- return -1;
- }
-
- if (_stp_transport_open(n_subbufs, subbuf_size, pid) < 0) {
- printk("init_dtr: Couldn't open transport\n");
- return -1;
- }
-
- pids = _stp_map_new (10000, INT64);
- arglist = _stp_list_new (10, STRING);
-
- ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
-
- printk("instrumentation is enabled... %s\n", __this_module.name);
-
- return ret;
-}
-
-static int exited; /* FIXME: this is a stopgap - if we don't do this
- * and are manually removed, bad things happen */
-
-static void probe_exit (void)
-{
- exited = 1;
-
- _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
-
- _stp_print ("In probe_exit now.");
- _stp_map_del (pids);
- _stp_print_flush();
-}
-
-static void cleanup_dtr(void)
-{
- if (!exited)
- probe_exit();
-
- _stp_transport_close();
-}
-
-module_init(init_dtr);
-module_exit(cleanup_dtr);
-MODULE_LICENSE("GPL");
-
diff --git a/runtime/probes/shellsnoop/shellprobe.c b/runtime/probes/shellsnoop/shellprobe.c
new file mode 100644
index 00000000..c257de5d
--- /dev/null
+++ b/runtime/probes/shellsnoop/shellprobe.c
@@ -0,0 +1,152 @@
+#define STP_NETLINK_ONLY
+#define STP_NUM_STRINGS 1
+
+#include "runtime.h"
+
+#define KEY1_TYPE INT64
+#include "map-keys.c"
+
+#define VALUE_TYPE INT64
+#include "map-values.c"
+
+#define VALUE_TYPE STRING
+#include "map-values.c"
+
+#include "list.c"
+#include "copy.c"
+#include "probes.c"
+
+MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
+MODULE_AUTHOR("Martin Hunt ");
+
+MAP pids, arglist ;
+
+int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
+{
+ struct map_node *ptr;
+ /* watch shells only */
+ /* FIXME: detect more shells, like csh, tcsh, zsh */
+
+ if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+ || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+ {
+ _stp_printf ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+
+ _stp_map_key_int64 (pids, current->pid);
+ _stp_map_set_int64 (pids, 1);
+
+ _stp_list_clear (arglist);
+ _stp_copy_argv_from_user (arglist, argv);
+
+ foreach (arglist, ptr)
+ _stp_printf ("%s ", _stp_get_str(ptr));
+
+ _stp_print_flush();
+ }
+ jprobe_return();
+ return 0;
+}
+
+struct file * inst_filp_open (const char * filename, int flags, int mode)
+{
+ _stp_map_key_int64 (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ _stp_printf ("%d\t%d\t%s\tO %s", current->pid, current->parent->pid, current->comm, filename);
+
+ _stp_print_flush();
+ jprobe_return();
+ return 0;
+}
+
+asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
+{
+ _stp_map_key_int64 (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ _stp_printf ("%d\t%d\t%s\tR %d", current->pid, current->parent->pid, current->comm, fd);
+
+ _stp_print_flush();
+ jprobe_return();
+ return 0;
+}
+
+asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
+{
+ _stp_map_key_int64 (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ {
+ String str = _stp_string_init (0);
+ _stp_string_from_user(str, buf, count);
+ _stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid,
+ current->comm, _stp_string_ptr(str));
+ _stp_print_flush();
+ }
+
+ jprobe_return();
+ return 0;
+}
+
+static struct jprobe stp_probes[] = {
+ {
+ .kp.addr = (kprobe_opcode_t *)"do_execve",
+ .entry = (kprobe_opcode_t *) inst_do_execve
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"filp_open",
+ .entry = (kprobe_opcode_t *) inst_filp_open
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"sys_read",
+ .entry = (kprobe_opcode_t *) inst_sys_read
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"sys_write",
+ .entry = (kprobe_opcode_t *) inst_sys_write
+ },
+};
+
+#define MAX_STP_ROUTINE (sizeof(stp_probes)/sizeof(struct jprobe))
+
+
+static int pid;
+module_param(pid, int, 0);
+MODULE_PARM_DESC(pid, "daemon pid");
+
+int init_module(void)
+{
+ int ret;
+
+ if (!pid) {
+ printk("init_module: Can't start without daemon pid\n");
+ return -1;
+ }
+
+ if (_stp_transport_open(n_subbufs, subbuf_size, pid) < 0) {
+ printk("init_module: Couldn't open transport\n");
+ return -1;
+ }
+
+ pids = _stp_map_new_int64 (10000, INT64);
+ arglist = _stp_list_new (10, STRING);
+
+ ret = _stp_register_jprobes (stp_probes, MAX_STP_ROUTINE);
+
+ printk("instrumentation is enabled... %s\n", __this_module.name);
+
+ return ret;
+}
+
+
+static void probe_exit (void)
+{
+ _stp_unregister_jprobes (stp_probes, MAX_STP_ROUTINE);
+ _stp_map_del (pids);
+ _stp_print_flush();
+}
+
+void cleanup_module(void)
+{
+ _stp_transport_close();
+}
+
+MODULE_LICENSE("GPL");
+
diff --git a/runtime/probes/shellsnoop/stp b/runtime/probes/shellsnoop/stp
index 14e8f47a..4a278ac2 100755
--- a/runtime/probes/shellsnoop/stp
+++ b/runtime/probes/shellsnoop/stp
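Review bot: `init_module` returns `ret` from `_stp_register_jprobes` without undoing the earlier steps, so a registration failure leaves the transport open and the `pids`/`arglist` maps allocated while still logging "instrumentation is enabled...", and the `_stp_map_new_int64` / `_stp_list_new` results are never checked for NULL before use. Put `if (ret < 0) { _stp_map_del (pids); _stp_transport_close(); return ret; }` ahead of the success printk, assuming `_stp_transport_close()` is safe to call before any probe has been registered. Separately, `probe_exit` is static and nothing in this file references it — `cleanup_module` only calls `_stp_transport_close()` — so unless the included runtime transport code invokes `probe_exit()` on close, the jprobes stay registered after the module's text is freed; a one-line comment above `probe_exit` naming its caller would make that contract explicit. `n_subbufs` and `subbuf_size` are used in `init_module` but their definitions (module parameters in the deleted dtr.c) no longer appear here, so they must now be supplied by one of the included runtime .c files; a comment at the use site saying where they come from would help the next reader.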
@@ -7,8 +7,8 @@ else
 exit
 fi
-RELAYFS=`lsmod | grep relayfs |awk '{print $1}'`
-if [ "$RELAYFS" != "relayfs" ]
+RELAYFS=`grep " relayfs_mmap" /proc/kallsyms`
+if [ "$RELAYFS" == "" ]
 then
 /sbin/insmod ../../relayfs/relayfs.ko
 fi
@@ -47,5 +47,3 @@ fi
 # no screen or log
 #../../stpd/stpd -q -b 8192 -n 4
-# stpd will remove module when it exits
-#/sbin/rmmod $modulename
-- cgit
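Review bot: `if [ "$RELAYFS" == "" ]` depends on the bash-only `==` inside `[`; if the script's interpreter (its shebang is outside this hunk) is `/bin/sh`, the test errors out and relayfs.ko is never loaded. Test the grep result directly instead of capturing the whole matching line, `if ! grep -q " relayfs_mmap" /proc/kallsyms`, which is portable and avoids the empty-string comparison. Note that an unreadable `/proc/kallsyms` fails the grep the same way a missing symbol does, so the script then attempts `insmod` either way; a comment stating that this fallback is intended would help.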