Monitoring inode activity
Problem
This is a sample from the SystemTap tutorial. It aims to help answer the question: "who's messing with my file?".
Scripts
# usage: stap inode-watch.stp MAJOR MINOR INODE
probe kernel.function ("vfs_write"),
      kernel.function ("vfs_read")
{
  # device and inode numbers of the file being read or written
  dev_nr = $file->f_dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_dentry->d_inode->i_ino

  if (dev_nr == ($1 << 20 | $2) # major/minor device
      && inode_nr == $3)
    printf ("%s(%d) %s 0x%x/%u\n",
      execname(), pid(), probefunc(), dev_nr, inode_nr)
}
Output
# stat -c '%D %i' /etc/crontab
803 988136
# stap inode-watch.stp 8 3 988136
crond(2419) vfs_read 0x800003/988136
crond(2419) vfs_read 0x800003/988136
crond(2419) vfs_read 0x800003/988136
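The step from the stat output to the script's three arguments, and a tally of the lines the script prints, as an added example that is not part of the tutorial. It assumes Linux device-number encoding; the function names are hypothetical, and one sample line is constructed.

```python
import os
import re
from collections import Counter

MINORBITS = 20  # kernel-internal dev_t layout the script compares against: major << 20 | minor

def split_stat_dev(hex_dev):
    """Split the hex device number printed by `stat -c %D` into (major, minor)."""
    dev = int(hex_dev, 16)
    return os.major(dev), os.minor(dev)

def kernel_dev(major, minor):
    """Value the probe builds from $1 and $2 and prints with 0x%x."""
    return (major << MINORBITS) | minor

def stap_args(path):
    """Arguments for inode-watch.stp. os.stat follows symlinks, so the inode is the target's."""
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev), st.st_ino

# execname(pid) probefunc 0xDEV/INODE, as produced by the script's printf
LINE = re.compile(r"^(?P<exe>.+)\((?P<pid>\d+)\) (?P<fn>\w+) 0x(?P<dev>[0-9a-f]+)/(?P<ino>\d+)$")

def tally(lines, major, minor, inode):
    """Count hits per (execname, pid, function); skip malformed lines and other inodes."""
    want = (kernel_dev(major, minor), inode)
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m and (int(m["dev"], 16), int(m["ino"])) == want:
            hits[(m["exe"], int(m["pid"]), m["fn"])] += 1
    return hits

# Output lines copied from the run shown above, plus one constructed line for another inode.
SAMPLE = [
    "crond(2419) vfs_read 0x800003/988136",
    "crond(2419) vfs_read 0x800003/988136",
    "crond(2419) vfs_read 0x800003/988136",
    "cat(3001) vfs_read 0x800003/42",  # constructed
]

if __name__ == "__main__":
    major, minor = split_stat_dev("803")
    print(major, minor, hex(kernel_dev(major, minor)))
    for key, count in tally(SAMPLE, major, minor, 988136).items():
        print(key, count)
```

The userspace value 0x803 and the kernel value 0x800003 describe the same device 8:3, which is why the script takes major and minor separately instead of the raw `%D` number.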
Lessons
While probing reads/writes is all good, not all file operations go through the vfs_* series of functions. For example, permission modifications are done in helper functions very close to the system call layer. See WSFileMonitor2.
Notes
Eugene: Using kernel 2.6.21-1.3194.fc7, I have to change the code slightly:
dev_nr = $file->f_path->dentry->d_inode->i_sb->s_dev
inode_nr = $file->f_path->dentry->d_inode->i_ino
instead of:
dev_nr = $file->f_dentry->d_inode->i_sb->s_dev
inode_nr = $file->f_dentry->d_inode->i_ino