Differences between revisions 5 and 6
Revision 5 as of 2007-06-12 06:56:50
Size: 1822
Editor: EugeneTeo
Comment:
Revision 6 as of 2008-01-10 19:47:34
Size: 1822
Editor: localhost
Comment: converted to 1.6 markup

Monitoring inode activity

Problem

This is a sample from the systemtap tutorial. It aims to help answering the question: "who's messing with my file?".

Scripts

# Fire on every VFS-level read and write; $file is the struct file argument.
probe kernel.function ("vfs_write"),
      kernel.function ("vfs_read")
{
  # Device and inode numbers of the file being accessed.
  dev_nr = $file->f_dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_dentry->d_inode->i_ino

  # $1, $2, $3 are the script's command-line arguments: major, minor, inode.
  # The kernel packs s_dev as major << 20 | minor, so rebuild it here.
  if (dev_nr == ($1 << 20 | $2) # major/minor device
      && inode_nr == $3)
    printf ("%s(%d) %s 0x%x/%u\n",
      execname(), pid(), probefunc(), dev_nr, inode_nr)
}

Output

# stat -c '%D %i' /etc/crontab
803 988136
# stap inode-watch.stp 8 3 988136
crond(2419) vfs_read 0x800003/988136
crond(2419) vfs_read 0x800003/988136
crond(2419) vfs_read 0x800003/988136
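The output above relies on a conversion the page leaves implicit: stat's %D prints st_dev in glibc's dev_t layout (803 = major 8, minor 3), while the kernel's s_dev that the script compares against is major << 20 | minor (0x800003). The following shell helpers, added here as an example and not part of the original war story, perform that conversion and build the stap command line; they assume the probe script is saved as ./inode-watch.stp, and the sample stat line is constructed to match the /etc/crontab output shown.

```shell
#!/bin/sh
# Added example (not part of the original war story): turn the numbers that
# `stat -c '%D %i'` prints into the three arguments inode-watch.stp expects,
# reproducing the kernel's s_dev encoding that the script compares against.
# Assumes the probe script above is saved as ./inode-watch.stp.

# stat's %D prints st_dev in hex using glibc's dev_t layout: the minor number
# lives in bits 0-7 (plus bits 20 and up for large minors), the major number
# in bits 8-19 (plus bits 44 and up for large majors).
dev_major() { # usage: dev_major 803  -> 8
    dev=$((0x$1))
    echo $(( ((dev >> 8) & 0xfff) | ((dev >> 32) & ~0xfff) ))
}

dev_minor() { # usage: dev_minor 803  -> 3
    dev=$((0x$1))
    echo $(( (dev & 0xff) | ((dev >> 12) & ~0xff) ))
}

# The kernel stores s_dev as MKDEV(major, minor) = major << 20 | minor,
# which is exactly what the script rebuilds from $1 and $2.
kernel_dev() { # usage: kernel_dev 8 3  -> 8388611 (0x800003)
    echo $(( ($1 << 20) | $2 ))
}

# Produce "MAJOR MINOR INODE" from one line of `stat -c '%D %i'` output.
stap_args() { # usage: stap_args "803 988136" -> "8 3 988136"
    set -- $1
    echo "$(dev_major "$1") $(dev_minor "$1") $2"
}

# Real use: watch_file /etc/crontab  (needs root and systemtap installed).
watch_file() {
    stap inode-watch.stp $(stap_args "$(stat -c '%D %i' "$1")")
}

# Constructed sample matching the page's /etc/crontab output.
sample="803 988136"
printf 'stap inode-watch.stp %s\n' "$(stap_args "$sample")"
printf 'kernel s_dev = 0x%x\n' "$(kernel_dev $(dev_major 803) $(dev_minor 803))"
```

The hex printed at the end, 0x800003, is the dev_nr the script prints in its output lines, which is a quick way to confirm you passed the right major/minor pair before waiting for a hit.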

Lessons

Probing reads and writes covers the common case, but not all file operations go through the vfs_* family of functions. Permission modifications, for example, are handled in helper functions very close to the system call layer, so this script will not see them. See WSFileMonitor2.

Notes

Eugene: Using kernel 2.6.21-1.3194.fc7, I have to change the code slightly:

  dev_nr = $file->f_path->dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_path->dentry->d_inode->i_ino

instead of:

  dev_nr = $file->f_dentry->d_inode->i_sb->s_dev
  inode_nr = $file->f_dentry->d_inode->i_ino


WarStories

None: WSFileMonitor (last edited 2008-01-10 19:47:34 by localhost)