<h1>dtr.c</h1><div class="fragment"><pre class="fragment">00001 <span class="preprocessor">#define HASH_TABLE_BITS 8</span>
00002 <span class="preprocessor"></span><span class="preprocessor">#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)</span>
00003 <span class="preprocessor"></span><span class="preprocessor">#define BUCKETS 16 </span><span class="comment">/* largest histogram width */</span>
00004
00005 <span class="preprocessor">#include "runtime.h"</span>
00006 <span class="preprocessor">#include "<a class="code" href="io_8c.html">io.c</a>"</span>
00007 <span class="preprocessor">#include "<a class="code" href="map_8c.html">map.c</a>"</span>
00008 <span class="preprocessor">#include "<a class="code" href="copy_8c.html">copy.c</a>"</span>
00009 <span class="preprocessor">#include "<a class="code" href="probes_8c.html">probes.c</a>"</span>
00010
/* Module identity strings shown by modinfo; the probe itself is wired up in init_dtr() below. */
MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");
00013
00014 <a class="code" href="structmap__root.html">MAP</a> pids, arglist ;
00015
/*
 * Jprobe handler for do_execve().
 *
 * When the task calling execve() is one of the known shells, log its
 * uid/pid/ppid and the program being executed, mark the pid in `pids` so
 * the open/read/write probes trace the new program, then copy its argv
 * from user space and print every argument to the kernel log.
 *
 * Security note: argv is written verbatim to the kernel log, so anything
 * a user passes on a command line (including passwords given as
 * arguments) becomes readable by whoever can read dmesg.
 */
int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
{
	static const char *const shells[] = { "bash", "sh", "zsh", "tcsh", "pdksh" };
	struct map_node_str *arg;
	int is_shell = 0;
	unsigned int i;

	/* watch shells only */
	/* FIXME: detect more shells, like csh */
	for (i = 0; i < sizeof(shells) / sizeof(shells[0]); i++) {
		if (strcmp(current->comm, shells[i]) == 0) {
			is_shell = 1;
			break;
		}
	}

	if (is_shell) {
		dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);

		/* flag this pid so later syscalls by it are logged by the other probes */
		_stp_map_key_long (pids, current->pid);
		_stp_map_set_int64 (pids, 1);

		/* argv lives in user memory; the runtime helper copies it into arglist */
		_stp_list_clear (arglist);
		_stp_copy_argv_from_user (arglist, argv);
		foreach (arglist, arg)
			printk ("%s ", arg->str);
		printk ("\n");
	}
	jprobe_return();
	return 0;
}
00040
/*
 * Jprobe handler for filp_open().
 *
 * If the calling pid was flagged by inst_do_execve, log an
 * "O <filename>" record with pid, ppid and comm. `filename` here is the
 * kernel-side path argument of filp_open(), not a raw user pointer.
 * The return value is not used by the jprobe mechanism; control goes
 * back through jprobe_return().
 */
struct file * inst_filp_open (const char * filename, int flags, int mode)
{
	int traced;

	_stp_map_key_long (pids, current->pid);
	traced = (_stp_map_get_int64 (pids) != 0);
	if (traced)
		dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);

	jprobe_return();
	return 0;
}
00050
/*
 * Jprobe handler for sys_read().
 *
 * For a pid flagged by inst_do_execve, log an "R <fd>" record. Only the
 * descriptor number is logged; the user buffer is not touched here.
 * The return value is not used by the jprobe mechanism.
 */
asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
{
	int traced;

	_stp_map_key_long (pids, current->pid);
	traced = (_stp_map_get_int64 (pids) != 0);
	if (traced)
		dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);

	jprobe_return();
	return 0;
}
00060
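/*
 * Jprobe handler for sys_write().
 *
 * For a pid flagged by inst_do_execve, copy at most 64 bytes of the user
 * buffer into a local string and log it as "W <data>". Only the first
 * 64 bytes are captured; anything the traced shell writes (including
 * sensitive output) is recorded in the kernel log.
 *
 * Bug fixed: `len` was declared size_t, so the `len < 0` check on the
 * _stp_strncpy_from_user() result could never be true. A failed copy
 * (negative return, e.g. an unmapped or invalid user pointer) therefore
 * turned into a huge unsigned index and `str[len] = 0` wrote far outside
 * the 256-byte stack buffer — a kernel memory corruption reachable from
 * any traced process by passing a bad pointer to write(2). `len` is now
 * signed and clamped to the range [0, 64] before it is used as an index.
 */
asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
{
	const long max_snoop = 64;   /* bytes of the write payload to capture */
	char str[256];
	long len;                    /* signed: the copy helper reports failure as < 0 */

	_stp_map_key_long (pids, current->pid);
	if (_stp_map_get_int64 (pids))
	{
		len = (count < (size_t)max_snoop) ? (long)count : max_snoop;
		len = _stp_strncpy_from_user(str, buf, len);
		if (len < 0)
			len = 0;            /* copy failed: log an empty string, do not fault */
		else if (len > max_snoop)
			len = max_snoop;    /* defensive: never index past what was requested */
		str[len] = 0;
		dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
	}

	jprobe_return();
	return 0;
}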
00081
/*
 * Kernel entry points this module hooks, paired with the handler that
 * runs on entry. `.kp.addr` holds the symbol name as a string; the
 * runtime's _stp_register_jprobes() is expected to resolve it to an
 * address (see probes.c). Each handler must end with jprobe_return().
 */
static struct jprobe dtr_probes[] = {
  {
    .kp.addr = (kprobe_opcode_t *)"do_execve",
    .entry = (kprobe_opcode_t *) inst_do_execve
  },
  {
    .kp.addr = (kprobe_opcode_t *)"filp_open",
    .entry = (kprobe_opcode_t *) inst_filp_open
  },
  {
    .kp.addr = (kprobe_opcode_t *)"sys_read",
    .entry = (kprobe_opcode_t *) inst_sys_read
  },
  {
    .kp.addr = (kprobe_opcode_t *)"sys_write",
    .entry = (kprobe_opcode_t *) inst_sys_write
  },
};
00100
00101 <span class="preprocessor">#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))</span>
00102 <span class="preprocessor"></span>
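/*
 * Module init: allocate the pid map and the argv scratch list, then
 * register the jprobes in dtr_probes.
 *
 * Returns 0 on success or the error code from _stp_register_jprobes().
 *
 * Fixed: the original never checked the allocations (a NULL map would be
 * dereferenced by the first probe hit) and, when registration failed,
 * returned the error while leaking both maps and still logging
 * "enabled". Allocation results are assumed to be NULL on failure —
 * confirm against map.c.
 */
static int init_dtr(void)
{
	int ret;

	pids = _stp_map_new (10000, INT64);
	arglist = _stp_list_new (10, STRING);
	if (!pids || !arglist) {
		if (pids)
			_stp_map_del (pids);
		if (arglist)
			_stp_map_del (arglist);   /* arglist is a MAP; assumes the list is freed the same way */
		pids = NULL;
		arglist = NULL;
		return -ENOMEM;
	}

	ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
	if (ret) {
		/* nothing is hooked, so nothing can still reference the maps */
		_stp_map_del (pids);
		_stp_map_del (arglist);
		pids = NULL;
		arglist = NULL;
		return ret;
	}

	dlog("instrumentation is enabled...\n");
	return 0;
}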
00115
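/*
 * Module exit: unhook the jprobes first so no handler can run, then free
 * the maps allocated in init_dtr().
 *
 * Fixed: `arglist` (allocated with _stp_list_new) was never freed; only
 * `pids` was. It is declared as a MAP, so it is released with
 * _stp_map_del() like `pids` — confirm against map.c that the list
 * variant needs no separate teardown.
 */
static void cleanup_dtr(void)
{
	_stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
	_stp_map_del (pids);
	_stp_map_del (arglist);
	dlog("EXIT\n");
}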
00122
/* Entry/exit hooks and license; GPL is required for the kprobes symbols this module uses. */
module_init(init_dtr);
module_exit(cleanup_dtr);
MODULE_LICENSE("GPL");
00126