1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
<title>SystemTap: probes/shellsnoop/dtr.c Source File</title>
<link href="doxygen.css" rel="stylesheet" type="text/css">
</head><body>
<!-- Generated by Doxygen 1.4.1 -->
<div class="qindex"><a class="qindex" href="index.html">Main Page</a> | <a class="qindex" href="modules.html">Modules</a> | <a class="qindex" href="dirs.html">Directories</a> | <a class="qindex" href="files.html">File List</a> | <a class="qindex" href="globals.html">Globals</a> | <a class="qindex" href="pages.html">Related Pages</a></div>
<div class="nav">
<a class="el" href="dir_000000.html">probes</a> / <a class="el" href="dir_000001.html">shellsnoop</a></div>
<h1>dtr.c</h1><div class="fragment"><pre class="fragment">00001 <span class="preprocessor">#define HASH_TABLE_BITS 8</span>
00002 <span class="preprocessor"></span><span class="preprocessor">#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)</span>
00003 <span class="preprocessor"></span><span class="preprocessor">#define BUCKETS 16 </span><span class="comment">/* largest histogram width */</span>
00004
00005 <span class="preprocessor">#define STP_NETLINK_ONLY</span>
00006 <span class="preprocessor"></span><span class="preprocessor">#define STP_NUM_STRINGS 1</span>
00007 <span class="preprocessor"></span>
00008 <span class="preprocessor">#include "<a class="code" href="runtime_8h.html">runtime.h</a>"</span>
00009 <span class="preprocessor">#include "<a class="code" href="map_8c.html">map.c</a>"</span>
00010 <span class="preprocessor">#include "<a class="code" href="copy_8c.html">copy.c</a>"</span>
00011 <span class="preprocessor">#include "<a class="code" href="probes_8c.html">probes.c</a>"</span>
00012
00013 MODULE_DESCRIPTION(<span class="stringliteral">"SystemTap probe: shellsnoop"</span>);
00014 MODULE_AUTHOR(<span class="stringliteral">"Martin Hunt <hunt@redhat.com>"</span>);
00015
00016 <a class="code" href="group__maps.html#ga1">MAP</a> pids, arglist ;
00017
00018 <span class="keywordtype">int</span> inst_do_execve (<span class="keywordtype">char</span> * filename, <span class="keywordtype">char</span> __user *__user *argv, <span class="keywordtype">char</span> __user *__user *envp, <span class="keyword">struct</span> pt_regs * regs)
00019 {
00020 <span class="keyword">struct </span>map_node_str *ptr;
00021
00022 <span class="comment">/* watch shells only */</span>
00023 <span class="comment">/* FIXME: detect more shells, like csh, tcsh, zsh */</span>
00024
00025 <span class="keywordflow">if</span> (!strcmp(current->comm,<span class="stringliteral">"bash"</span>) || !strcmp(current->comm,<span class="stringliteral">"sh"</span>) || !strcmp(current->comm, <span class="stringliteral">"zsh"</span>)
00026 || !strcmp(current->comm, <span class="stringliteral">"tcsh"</span>) || !strcmp(current->comm, <span class="stringliteral">"pdksh"</span>))
00027 {
00028 <a class="code" href="group__print.html#ga3">_stp_printf</a> (<span class="stringliteral">"%d\t%d\t%d\t%s "</span>, current->uid, current->pid, current->parent->pid, filename);
00029
00030 <a class="code" href="group__maps.html#ga13">_stp_map_key_long</a> (pids, current->pid);
00031 <a class="code" href="group__maps.html#ga16">_stp_map_set_int64</a> (pids, 1);
00032
00033 <a class="code" href="group__lists.html#ga1">_stp_list_clear</a> (arglist);
00034 <a class="code" href="group__copy.html#ga3">_stp_copy_argv_from_user</a> (arglist, argv);
00035
00036 <a class="code" href="group__maps.html#ga32">foreach</a> (arglist, ptr)
00037 _stp_printf ("%s ", ptr->str);
00038
00039 _stp_print_flush();
00040 }
00041 jprobe_return();
00042 return 0;
00043 }
00044
00045 struct file * inst_filp_open (const <span class="keywordtype">char</span> * filename, <span class="keywordtype">int</span> flags, <span class="keywordtype">int</span> mode)
00046 {
00047 <a class="code" href="group__maps.html#ga13">_stp_map_key_long</a> (pids, current->pid);
00048 <span class="keywordflow">if</span> (_stp_map_get_int64 (pids))
00049 <a class="code" href="group__print.html#ga3">_stp_printf</a> (<span class="stringliteral">"%d\t%d\t%s\tO %s"</span>, current->pid, current->parent->pid, current->comm, filename);
00050
00051 <a class="code" href="group__print.html#ga2">_stp_print_flush</a>();
00052 jprobe_return();
00053 <span class="keywordflow">return</span> 0;
00054 }
00055
00056 asmlinkage ssize_t inst_sys_read (<span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> fd, <span class="keywordtype">char</span> __user * buf, size_t count)
00057 {
00058 <a class="code" href="group__maps.html#ga13">_stp_map_key_long</a> (pids, current->pid);
00059 <span class="keywordflow">if</span> (_stp_map_get_int64 (pids))
00060 <a class="code" href="group__print.html#ga3">_stp_printf</a> (<span class="stringliteral">"%d\t%d\t%s\tR %d"</span>, current->pid, current->parent->pid, current->comm, fd);
00061
00062 <a class="code" href="group__print.html#ga2">_stp_print_flush</a>();
00063 jprobe_return();
00064 <span class="keywordflow">return</span> 0;
00065 }
00066
00067 asmlinkage ssize_t inst_sys_write (<span class="keywordtype">unsigned</span> <span class="keywordtype">int</span> fd, <span class="keyword">const</span> <span class="keywordtype">char</span> __user * buf, size_t count)
00068 {
00069 <a class="code" href="group__maps.html#ga13">_stp_map_key_long</a> (pids, current->pid);
00070 <span class="keywordflow">if</span> (_stp_map_get_int64 (pids))
00071 {
00072 String str = <a class="code" href="group__string.html#ga2">_stp_string_init</a> (0);
00073 <a class="code" href="group__copy.html#ga1">_stp_string_from_user</a>(str, buf, count);
00074 <a class="code" href="group__print.html#ga3">_stp_printf</a> (<span class="stringliteral">"%d\t%d\t%s\tW %s"</span>, current->pid, current->parent->pid, current->comm, str->buf);
00075 <a class="code" href="group__print.html#ga2">_stp_print_flush</a>();
00076 }
00077
00078 jprobe_return();
00079 <span class="keywordflow">return</span> 0;
00080 }
00081
00082 <span class="keyword">static</span> <span class="keyword">struct </span>jprobe dtr_probes[] = {
00083 {
00084 .kp.addr = (kprobe_opcode_t *)<span class="stringliteral">"do_execve"</span>,
00085 .entry = (kprobe_opcode_t *) inst_do_execve
00086 },
00087 {
00088 .kp.addr = (kprobe_opcode_t *)<span class="stringliteral">"filp_open"</span>,
00089 .entry = (kprobe_opcode_t *) inst_filp_open
00090 },
00091 {
00092 .kp.addr = (kprobe_opcode_t *)<span class="stringliteral">"sys_read"</span>,
00093 .entry = (kprobe_opcode_t *) inst_sys_read
00094 },
00095 {
00096 .kp.addr = (kprobe_opcode_t *)<span class="stringliteral">"sys_write"</span>,
00097 .entry = (kprobe_opcode_t *) inst_sys_write
00098 },
00099 };
00100
00101 <span class="preprocessor">#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))</span>
00102 <span class="preprocessor"></span>
00103 <span class="keyword">static</span> <span class="keywordtype">int</span> init_dtr(<span class="keywordtype">void</span>)
00104 {
00105 <span class="keywordtype">int</span> ret;
00106
00107 <span class="keywordflow">if</span> (<a class="code" href="group__io.html#ga7">_stp_netlink_open</a>() < 0)
00108 return -1;
00109
00110 pids = _stp_map_new (10000, INT64);
00111 arglist = _stp_list_new (10, STRING);
00112
00113 ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
00114
00115 _stp_log("instrumentation is enabled... %s\n", __this_module.name);
00116 return ret;
00117 }
00118
00119 static <span class="keywordtype">void</span> probe_exit (<span class="keywordtype">void</span>)
00120 {
00121 <a class="code" href="probes_8c.html#a2">_stp_unregister_jprobes</a> (dtr_probes, MAX_DTR_ROUTINE);
00122
00123 <a class="code" href="group__print.html#ga11">_stp_print</a> (<span class="stringliteral">"In probe_exit now."</span>);
00124 <a class="code" href="group__maps.html#ga7">_stp_map_del</a> (pids);
00125 <a class="code" href="group__print.html#ga2">_stp_print_flush</a>();
00126 }
00127
00128
00129 <span class="keyword">static</span> <span class="keywordtype">void</span> cleanup_dtr(<span class="keywordtype">void</span>)
00130 {
00131 <a class="code" href="group__io.html#ga8">_stp_netlink_close</a>();
00132
00133 }
00134
00135 module_init(init_dtr);
00136 module_exit(cleanup_dtr);
00137 MODULE_LICENSE(<span class="stringliteral">"GPL"</span>);
00138
</pre></div></body></html>
|
