<h1>README</h1><div class="fragment"><pre class="fragment">00001 <span class="comment">/** @dir shellsnoop</span>
00002 <span class="comment">Snoops on what commands are being run by shells.</span>
00003 <span class="comment"></span>
00004 <span class="comment">This is a translation of an old dtr probe. It demonstrates maps,</span>
00005 <span class="comment">lists, and how to use _stp_copy_argv_from_user() and _stp_strncpy_from_user().</span>
00006 <span class="comment"></span>
00007 <span class="comment">Original dtr source, quoted as written (note that its do_execve probe writes str[len] = 0 after copying up to 256 bytes into the 256-byte str, which can index one past the buffer when the copy fills it, and that its sys_write probe assigns to len inside the if condition rather than comparing):</span>
00008 <span class="comment"></span>
00009 <span class="comment">\verbatim</span>
00010 <span class="comment"># shellsnoop.probe - snoop shell execution as it occurs.</span>
00011 <span class="comment"># clone of dtrace shellsnoop example</span>
00012 <span class="comment"></span>
00013 <span class="comment">global {</span>
00014 <span class="comment">  long @pids[long];</span>
00015 <span class="comment">}</span>
00016 <span class="comment"></span>
00017 <span class="comment">probe do_execve:entry {</span>
00018 <span class="comment">  char __user *vstr;</span>
00019 <span class="comment">  char str[256];</span>
00020 <span class="comment">  int len;</span>
00021 <span class="comment"></span>
00022 <span class="comment">  /* watch shells only */</span>
00023   <span class="comment">/* FIXME: detect more shells, like csh, tcsh, zsh */</span>
00024 
00025   <span class="keywordflow">if</span> (!strcmp(current-&gt;comm,<span class="stringliteral">"bash"</span>) || !strcmp(current-&gt;comm,<span class="stringliteral">"sh"</span>) || !strcmp(current-&gt;comm, <span class="stringliteral">"zsh"</span>)
00026       || !strcmp(current-&gt;comm, <span class="stringliteral">"tcsh"</span>) || !strcmp(current-&gt;comm, <span class="stringliteral">"pdksh"</span>))
00027     {
00028       <a class="code" href="group__io.html#ga0">dlog</a> (<span class="stringliteral">"%d\t%d\t%d\t%s "</span>, current-&gt;uid, current-&gt;pid, current-&gt;parent-&gt;pid, filename);
00029       @pids[current-&gt;pid] = 1;
00030 
00031       <span class="comment">/* print out argv, ignoring argv[0] */</span>
00032       <span class="keywordflow">if</span> (argv) argv++;
00033       while (argv != NULL)
00034         {
00035           <span class="keywordflow">if</span> (get_user (vstr, argv))
00036             break;
00037           if (!vstr)
00038             break;
00039           len = dtr_strncpy_from_user(str, vstr, 256);
00040           str[len] = 0;
00041           printk ("%s ", str);
00042           argv++;
00043         }
00044       printk ("\n");
00045     }
00046 }
00047 
00048 # use filp_open because copy_from_user not needed there
00049 probe filp_open:entry {
00050   <span class="keywordflow">if</span> (@pids[current-&gt;pid])
00051     dlog ("%d\t%d\t%s\tO %s\n", current-&gt;pid, current-&gt;parent-&gt;pid, current-&gt;comm, filename);
00052 }
00053 
00054 probe sys_read:entry {
00055   <span class="keywordflow">if</span> (@pids[current-&gt;pid])
00056     dlog ("%d\t%d\t%s\tR %d\n", current-&gt;pid, current-&gt;parent-&gt;pid, current-&gt;comm, fd);
00057 }
00058 
00059 probe sys_write:entry {
00060   size_t len;
00061   <span class="keywordtype">char</span> str[256];
00062   <span class="keywordflow">if</span> (@pids[current-&gt;pid])
00063     {
00064       <span class="keywordflow">if</span> (count &lt; 64) len = count;
00065       else len = 64;
00066       if (len = dtr_strncpy_from_user(str, buf, len)) {
00067         str[len] = 0;
00068         <a class="code" href="group__io.html#ga0">dlog</a> (<span class="stringliteral">"%d\t%d\t%s\tW %s\n"</span>, current-&gt;pid, current-&gt;parent-&gt;pid, current-&gt;comm, str);
00069         }
00070     }
00071 }
00072 \endverbatim
00073 */