Monitoring inode activity

Problem

This is a sample from the systemtap tutorial. It aims to help answer the question "who's messing with my file?" by reporting every process that reads or writes one particular inode.

Scripts

probe kernel.function ("vfs_write"),
      kernel.function ("vfs_read")
{
  # struct file -> dentry -> inode. f_dentry is the pre-2.6.20 layout;
  # see the Notes section for the f_path->dentry form on newer kernels.
  dev_nr = $file->f_dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_dentry->d_inode->i_ino

  # s_dev uses the kernel's internal encoding, major << 20 | minor,
  # so the script takes major and minor as separate arguments ($1, $2).
  if (dev_nr == ($1 << 20 | $2) # major/minor device
      && inode_nr == $3)
    printf ("%s(%d) %s 0x%x/%u\n",
      execname(), pid(), probefunc(), dev_nr, inode_nr)
}

Output

# stat -c '%D %i' /etc/crontab
803 988136
# stap inode-watch.stp 8 3 988136
crond(2419) vfs_read 0x800003/988136
crond(2419) vfs_read 0x800003/988136
crond(2419) vfs_read 0x800003/988136

stat prints st_dev in hex, so 803 is major 8, minor 3. The script takes the two halves as separate arguments and recombines them into the kernel's internal encoding (8 << 20 | 3 = 0x800003), which is the value vfs_read sees in i_sb->s_dev.

Lessons

Probing reads and writes works, but not every file operation goes through the vfs_* functions. Permission changes, for example, are made in helper functions very close to the system call layer, so a chmod on the watched file never shows up in the output above. See WSFileMonitor2.
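As an added example (not the tutorial's inode-watch.stp and not taken from WSFileMonitor2), the script below extends the watcher in two ways: it resolves the dentry through whichever struct file layout the running kernel has, and it also catches attribute changes such as chmod and chown, which arrive at notify_change() rather than vfs_read/vfs_write. The @defined(), @cast() and optional-probe ("?") constructs are SystemTap features, and notify_change, ia_valid, ia_mode and the ATTR_* bit values are kernel definitions from include/linux/fs.h and fs/attr.c; none of them appear on this page. The file name inode-watch2.stp is made up.

```systemtap
#! /usr/bin/env stap
# inode-watch2.stp (added example, not the tutorial's script)
# Usage: stap inode-watch2.stp MAJOR MINOR INODE
#
# Assumptions: a SystemTap release with @defined()/@cast() and the kernel's
# debuginfo installed. Field and function names are the kernel's own
# (include/linux/fs.h, include/linux/dcache.h, fs/attr.c).

# Kernel-internal dev_t layout (include/linux/kdev_t.h): major << 20 | minor.
global target_dev, target_ino

probe begin {
  target_dev = ($1 << 20) | $2
  target_ino = $3
  printf("watching dev 0x%x inode %u\n", target_dev, target_ino)
}

# struct file -> struct inode, whichever layout this kernel has:
# 2.6.20 and later carry file->f_path.dentry, older kernels file->f_dentry.
# @defined() is resolved at compile time, so the branch that does not exist
# on this kernel is dropped instead of failing the build.
function file_inode:long (f:long) {
  if (@defined(@cast(f, "file")->f_path->dentry))
    return @cast(f, "file")->f_path->dentry->d_inode
  else
    return @cast(f, "file")->f_dentry->d_inode
}

# True when the inode is the one named on the command line.
function watched:long (inode:long) {
  if (inode == 0) return 0
  if (@cast(inode, "inode")->i_sb->s_dev != target_dev) return 0
  return @cast(inode, "inode")->i_ino == target_ino
}

# Data path: read(2)/write(2) and, where the kernel has them, readv/writev.
# The trailing '?' marks a probe optional, so a missing function is not an error.
probe kernel.function("vfs_read"), kernel.function("vfs_write"),
      kernel.function("vfs_readv") ?, kernel.function("vfs_writev") ?
{
  if (watched(file_inode($file)))
    printf("%s(%d) %s 0x%x/%u\n", execname(), pid(), probefunc(),
           target_dev, target_ino)
}

# Attribute path: chmod/chown/utimes/truncate all end up in notify_change(),
# which the probes above never see. ATTR_MODE = 1, ATTR_UID = 2, ATTR_GID = 4.
probe kernel.function("notify_change")
{
  if (watched($dentry->d_inode)) {
    if ($attr->ia_valid & 1)
      printf("%s(%d) chmod 0x%x/%u -> mode 0%o\n", execname(), pid(),
             target_dev, target_ino, $attr->ia_mode & 0xfff)
    if ($attr->ia_valid & (2 | 4))
      printf("%s(%d) chown 0x%x/%u\n", execname(), pid(), target_dev, target_ino)
  }
}
```

Run it exactly like the original, e.g. stap inode-watch2.stp 8 3 988136, then chmod the file from another shell to see the second probe fire. Two caveats a practitioner should keep in mind: kernel.function probes only see calls that reach the named function, so anything the compiler inlined at a call site is missed unless debuginfo records the inlined instance, and mmap(2)-based writes touch the page cache without passing through vfs_write at all.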

Notes

Eugene: Using kernel 2.6.21-1.3194.fc7, I have to change the code slightly:

  dev_nr = $file->f_path->dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_path->dentry->d_inode->i_ino

instead of:

  dev_nr = $file->f_dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_dentry->d_inode->i_ino


WarStories

None: WSFileMonitor (last edited 2008-01-10 19:47:34 by localhost)