+++ /dev/null
-# Makefile
-#
-# make -C path/to/kernel/src M=`pwd` modules
-
-obj-m := dtr.o
-
-
-
-
+++ /dev/null
-Sample probe.
-
-To build, edit the path in buildit and the addresses in struct dtr_probes
-in dtr.c Then "source buildit"
-
-This is a translation of on an old dtr probe:
-
-# shellsnoop.probe - snoop shell execution as it occurs.
-# clone of dtrace shellsnoop example
-
-global {
- long @pids[long];
-}
-
-probe do_execve:entry {
- char __user *vstr;
- char str[256];
- int len;
-
- /* watch shells only */
- /* FIXME: detect more shells, like csh, tcsh, zsh */
-
- if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
- || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
- {
- dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
- @pids[current->pid] = 1;
-
- /* print out argv, ignoring argv[0] */
- if (argv) argv++;
- while (argv != NULL)
- {
- if (get_user (vstr, argv))
- break;
- if (!vstr)
- break;
- len = dtr_strncpy_from_user(str, vstr, 256);
- str[len] = 0;
- printk ("%s ", str);
- argv++;
- }
- printk ("\n");
- }
-}
-
-# use filp_open because copy_from_user not needed there
-probe filp_open:entry {
- if (@pids[current->pid])
- dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
-}
-
-probe sys_read:entry {
- if (@pids[current->pid])
- dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
-}
-
-probe sys_write:entry {
- size_t len;
- char str[256];
- if (@pids[current->pid])
- {
- if (count < 64) len = count;
- else len = 64;
- if (len = dtr_strncpy_from_user(str, buf, len)) {
- str[len] = 0;
- dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
- }
- }
-}
-
+++ /dev/null
-make -C /lib/modules/2.6.10-1.770_FC3smp/build M=`pwd`
+++ /dev/null
-#define HASH_TABLE_BITS 8
-#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
-#define BUCKETS 16 /* largest histogram width */
-#include "../../runtime.h"
-
-#include "../../io.c"
-#include "../../map.c"
-#include "../../copy.c"
-
-MODULE_PARM_DESC(dtr, "\n");
-
-MAP pids, arglist ;
-
-int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
-{
- struct map_node_str *ptr;
-
- /* watch shells only */
- /* FIXME: detect more shells, like csh, tcsh, zsh */
-
- if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
- || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
- {
- dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
-
- _stp_map_key_long (pids, current->pid);
- _stp_map_set_int64 (pids, 1);
-
- _stp_copy_argv_from_user (arglist, argv);
- foreach (arglist, ptr)
- printk ("%s ", ptr->str);
- printk ("\n");
- }
- jprobe_return();
- return 0;
-}
-
-struct file * inst_filp_open (const char * filename, int flags, int mode)
-{
- _stp_map_key_long (pids, current->pid);
- if (_stp_map_get_int64 (pids))
- dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
-
- jprobe_return();
- return 0;
-}
-
-asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
-{
- _stp_map_key_long (pids, current->pid);
- if (_stp_map_get_int64 (pids))
- dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
-
- jprobe_return();
- return 0;
-}
-
-asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
-{
- size_t len;
- char str[256];
- _stp_map_key_long (pids, current->pid);
- if (_stp_map_get_int64 (pids))
- {
- if (count < 64)
- len = count;
- else
- len = 64;
- len = _stp_strncpy_from_user(str, buf, len);
- if (len < 0) len = 0;
- str[len] = 0;
- dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
- }
-
- jprobe_return();
- return 0;
-}
-
-static struct jprobe dtr_probes[] = {
- {
- .kp.addr = (kprobe_opcode_t *)0xffffffff8017b034,
- .entry = (kprobe_opcode_t *) inst_do_execve
- },
- {
- .kp.addr = (kprobe_opcode_t *)0xffffffff80170706,
- .entry = (kprobe_opcode_t *) inst_filp_open
- },
- {
- .kp.addr = (kprobe_opcode_t *)0xffffffff801711dd,
- .entry = (kprobe_opcode_t *) inst_sys_read
- },
- {
- .kp.addr = (kprobe_opcode_t *)0xffffffff8017124b,
- .entry = (kprobe_opcode_t *) inst_sys_write
- },
-};
-
-#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
-
-static int init_dtr(void)
-{
- int i;
-
- pids = _stp_map_new (10000, INT64);
- arglist = _stp_list_new (10, STRING);
-
- for (i = 0; i < MAX_DTR_ROUTINE; i++) {
- printk("DTR: plant jprobe at %p, handler addr %p\n",
- dtr_probes[i].kp.addr, dtr_probes[i].entry);
- register_jprobe(&dtr_probes[i]);
- }
- printk("DTR: instrumentation is enabled...\n");
- return 0;
-}
-
-static void cleanup_dtr(void)
-{
- int i;
-
- for (i = 0; i < MAX_DTR_ROUTINE; i++)
- unregister_jprobe(&dtr_probes[i]);
-
- _stp_map_del (pids);
- printk("DTR: EXIT\n");
-}
-
-module_init(init_dtr);
-module_exit(cleanup_dtr);
-MODULE_LICENSE("GPL");
-
+++ /dev/null
-# Makefile
-#
-# make -C path/to/kernel/src M=`pwd` modules
-
-obj-m := dtr.o
-
-
-
-
+++ /dev/null
-Sample probe.
-
-To build, edit the path in buildit and the addresses in struct dtr_probes
-in dtr.c Then "source buildit"
-
-This is a translation of on an old dtr probe:
-
-global {
- long @opens[string];
- sum @reads[string], @writes[string];
-}
-
-probe sys_open:entry {
- @opens[current->comm]++;
-}
-
-probe sys_read:entry {
- @reads[current->comm] << count;
-}
-
-probe sys_write:entry {
- @writes[current->comm] << count;
-}
+++ /dev/null
-make -C /lib/modules/2.6.10-1.770_FC3smp/build M=`pwd`
+++ /dev/null
-#define HASH_TABLE_BITS 8
-#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
-#define BUCKETS 16 /* largest histogram width */
-#include "../../runtime.h"
-
-#include "../../io.c"
-#include "../../map.c"
-
-
-MODULE_PARM_DESC(dtr, "\n");
-
-MAP opens, reads, writes;
-
-asmlinkage long inst_sys_open (const char __user * filename, int flags, int mode)
-{
- _stp_map_key_str (opens, current->comm);
- _stp_map_set_int64 (opens, _stp_map_get_int64(opens) + 1);
- jprobe_return();
- return 0;
-}
-
-asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
-{
- _stp_map_key_str (reads, current->comm);
- _stp_map_stat_add (reads, count);
- jprobe_return();
- return 0;
-}
-
-asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
-{
- _stp_map_key_str (writes, current->comm);
- _stp_map_stat_add (writes, count);
- jprobe_return();
- return 0;
-}
-
-static struct jprobe dtr_probes[] = {
- {
- .kp.addr = (kprobe_opcode_t *)0xc0166f32,
- .entry = (kprobe_opcode_t *) inst_sys_open
- },
- {
- .kp.addr = (kprobe_opcode_t *)0xc0167b93,
- .entry = (kprobe_opcode_t *) inst_sys_read
- },
- {
- .kp.addr = (kprobe_opcode_t *)0xc0167bf5,
- .entry = (kprobe_opcode_t *) inst_sys_write
- },
-};
-
-#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
-
-static int init_dtr(void)
-{
- int i;
-
- opens = _stp_map_new (1000, INT64);
- reads = _stp_map_new (1000, STAT);
- writes = _stp_map_new (1000, STAT);
-
- for (i = 0; i < MAX_DTR_ROUTINE; i++) {
- printk("DTR: plant jprobe at %p, handler addr %p\n",
- dtr_probes[i].kp.addr, dtr_probes[i].entry);
- register_jprobe(&dtr_probes[i]);
- }
- printk("DTR: instrumentation is enabled...\n");
- return 0;
-}
-
-static void cleanup_dtr(void)
-{
- int i;
- struct map_node_stat *st;
- struct map_node_int64 *ptr;
-
- for (i = 0; i < MAX_DTR_ROUTINE; i++)
- unregister_jprobe(&dtr_probes[i]);
-
- for (ptr = (struct map_node_int64 *)_stp_map_start(opens); ptr;
- ptr = (struct map_node_int64 *)_stp_map_iter (opens,(struct map_node *)ptr))
- dlog ("opens[%s] = %lld\n", key1str(ptr), ptr->val);
- dlog ("\n");
-
- for (st = (struct map_node_stat *)_stp_map_start(reads); st;
- st = (struct map_node_stat *)_stp_map_iter (reads,(struct map_node *)st))
- dlog ("reads[%s] = [count=%lld sum=%lld min=%lld max=%lld]\n", key1str(st), st->stats.count, st->stats.sum,
- st->stats.min, st->stats.max);
- dlog ("\n");
-
- for (st = (struct map_node_stat *)_stp_map_start(writes); st;
- st = (struct map_node_stat *)_stp_map_iter (writes,(struct map_node *)st))
- dlog ("writes[%s] = [count=%lld sum=%lld min=%lld max=%lld]\n", key1str(st), st->stats.count, st->stats.sum,
- st->stats.min, st->stats.max);
- dlog ("\n");
-
- _stp_map_del (opens);
- _stp_map_del (reads);
- _stp_map_del (writes);
-
- printk("DTR: EXIT\n");
-}
-
-module_init(init_dtr);
-module_exit(cleanup_dtr);
-MODULE_LICENSE("GPL");
-
git://sourceware.org / systemtap.git / commitdiff