From: hunt Date: Mon, 21 Mar 2005 21:11:13 +0000 (+0000) Subject: *** empty log message *** X-Git-Tag: release-0.2.2~237 X-Git-Url: https://sourceware.org/git/?a=commitdiff_plain;h=854d896bebf48714b6e14b73d4eab6d9c856aa52;p=systemtap.git *** empty log message *** --- diff --git a/runtime/probes/shellsnoop/Makefile b/runtime/probes/shellsnoop/Makefile new file mode 100644 index 000000000..8fff0dc4e --- /dev/null +++ b/runtime/probes/shellsnoop/Makefile @@ -0,0 +1,11 @@ +# Makefile +# +# +# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt + +CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \ + -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP) +obj-m := dtr.o + +clean: + /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions diff --git a/runtime/probes/shellsnoop/README b/runtime/probes/shellsnoop/README new file mode 100644 index 000000000..fee5e4c11 --- /dev/null +++ b/runtime/probes/shellsnoop/README @@ -0,0 +1,67 @@ +Sample probe. + +This is a translation of on an old dtr probe: + +# shellsnoop.probe - snoop shell execution as it occurs. +# clone of dtrace shellsnoop example + +global { + long @pids[long]; +} + +probe do_execve:entry { + char __user *vstr; + char str[256]; + int len; + + /* watch shells only */ + /* FIXME: detect more shells, like csh, tcsh, zsh */ + + if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh") + || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh")) + { + dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename); + @pids[current->pid] = 1; + + /* print out argv, ignoring argv[0] */ + if (argv) argv++; + while (argv != NULL) + { + if (get_user (vstr, argv)) + break; + if (!vstr) + break; + len = dtr_strncpy_from_user(str, vstr, 256); + str[len] = 0; + printk ("%s ", str); + argv++; + } + printk ("\n"); + } +} + +# use filp_open because copy_from_user not needed there +probe filp_open:entry { + if (@pids[current->pid]) + dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename); +} + +probe sys_read:entry { + if (@pids[current->pid]) + dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd); +} + +probe sys_write:entry { + size_t len; + char str[256]; + if (@pids[current->pid]) + { + if (count < 64) len = count; + else len = 64; + if (len = dtr_strncpy_from_user(str, buf, len)) { + str[len] = 0; + dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str); + } + } +} + diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build new file mode 100755 index 000000000..3713f08a9 --- /dev/null +++ b/runtime/probes/shellsnoop/build @@ -0,0 +1,16 @@ +#!/bin/bash + +KVERSION=`uname -r` +echo $KVERSION +KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'` +KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'` + +make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \ + KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \ + KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \ + STP_RUNTIME=`pwd`/../.. + + + + + diff --git a/runtime/probes/shellsnoop/dtr.c b/runtime/probes/shellsnoop/dtr.c new file mode 100644 index 000000000..12fddaa8d --- /dev/null +++ b/runtime/probes/shellsnoop/dtr.c @@ -0,0 +1,125 @@ +#define HASH_TABLE_BITS 8 +#define HASH_TABLE_SIZE (1<"); + +MAP pids, arglist ; + +int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs) +{ + struct map_node_str *ptr; + + /* watch shells only */ + /* FIXME: detect more shells, like csh, tcsh, zsh */ + + if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh") + || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh")) + { + dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename); + + _stp_map_key_long (pids, current->pid); + _stp_map_set_int64 (pids, 1); + + _stp_copy_argv_from_user (arglist, argv); + foreach (arglist, ptr) + printk ("%s ", ptr->str); + printk ("\n"); + } + jprobe_return(); + return 0; +} + +struct file * inst_filp_open (const char * filename, int flags, int mode) +{ + _stp_map_key_long (pids, current->pid); + if (_stp_map_get_int64 (pids)) + dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename); + + jprobe_return(); + return 0; +} + +asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count) +{ + _stp_map_key_long (pids, current->pid); + if (_stp_map_get_int64 (pids)) + dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd); + + jprobe_return(); + return 0; +} + +asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count) +{ + size_t len; + char str[256]; + _stp_map_key_long (pids, current->pid); + if (_stp_map_get_int64 (pids)) + { + if (count < 64) + len = count; + else + len = 64; + len = _stp_strncpy_from_user(str, buf, len); + if (len < 0) len = 0; + str[len] = 0; + dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str); + } + + jprobe_return(); + return 0; +} + +static struct jprobe dtr_probes[] = { + { + .kp.addr = (kprobe_opcode_t *)"do_execve", + .entry = (kprobe_opcode_t *) inst_do_execve + }, + { + .kp.addr = (kprobe_opcode_t *)"filp_open", + .entry = (kprobe_opcode_t *) inst_filp_open + }, + { + .kp.addr = (kprobe_opcode_t *)"sys_read", + .entry = (kprobe_opcode_t *) inst_sys_read + }, + { + .kp.addr = (kprobe_opcode_t *)"sys_write", + .entry = (kprobe_opcode_t *) inst_sys_write + }, +}; + +#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe)) + +static int init_dtr(void) +{ + int ret; + + pids = _stp_map_new (10000, INT64); + arglist = _stp_list_new (10, STRING); + + ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE); + + dlog("instrumentation is enabled...\n"); + return ret; +} + +static void cleanup_dtr(void) +{ + _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE); + _stp_map_del (pids); + dlog("EXIT\n"); +} + +module_init(init_dtr); +module_exit(cleanup_dtr); +MODULE_LICENSE("GPL"); + diff --git a/runtime/probes/tasklet/Makefile b/runtime/probes/tasklet/Makefile new file mode 100644 index 000000000..369929c49 --- /dev/null +++ b/runtime/probes/tasklet/Makefile @@ -0,0 +1,11 @@ +# Makefile +# +# +# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt + +CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME)\ + -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP) +obj-m := stp_tasklet.o + +clean: + /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions diff --git a/runtime/probes/tasklet/README b/runtime/probes/tasklet/README new file mode 100644 index 000000000..12efdc467 --- /dev/null +++ b/runtime/probes/tasklet/README @@ -0,0 +1,6 @@ +Sample probe. Useful for interrupt context testing. + +> ./build +> insmod stp_tasklet.ko +> rmmod stp_tasklet.ko + diff --git a/runtime/probes/tasklet/build b/runtime/probes/tasklet/build new file mode 100755 index 000000000..3713f08a9 --- /dev/null +++ b/runtime/probes/tasklet/build @@ -0,0 +1,16 @@ +#!/bin/bash + +KVERSION=`uname -r` +echo $KVERSION +KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'` +KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'` + +make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \ + KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \ + KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \ + STP_RUNTIME=`pwd`/../.. + + + + + diff --git a/runtime/probes/tasklet/stp_tasklet.c b/runtime/probes/tasklet/stp_tasklet.c new file mode 100644 index 000000000..aadb0c4cb --- /dev/null +++ b/runtime/probes/tasklet/stp_tasklet.c @@ -0,0 +1,48 @@ +/* Framework for putting a jprobe in a tasklet. */ +/* Useful for testing probes in interrupt context. */ +/* Doesn't do anything useful as is. Put test code in the inst func */ + +#define HASH_TABLE_BITS 8 +#define HASH_TABLE_SIZE (1<"); + +void inst__rcu_process_callbacks(struct rcu_ctrlblk *rcp, + struct rcu_state *rsp, struct rcu_data *rdp) +{ + dlog ("interrupt=%d\n", in_interrupt()); + jprobe_return(); +} + +static struct jprobe stp_probes[] = { + { + .kp.addr = (kprobe_opcode_t *)"__rcu_process_callbacks", + .entry = (kprobe_opcode_t *) inst__rcu_process_callbacks + }, +}; +#define MAX_STP_PROBES (sizeof(stp_probes)/sizeof(struct jprobe)) + + +static int init_stp(void) +{ + int ret = _stp_register_jprobes (stp_probes, MAX_STP_PROBES); + dlog("instrumentation is enabled...\n"); + return ret; +} + +static void cleanup_stp(void) +{ + _stp_unregister_jprobes (stp_probes, MAX_STP_PROBES); + dlog ("EXIT\n"); +} + +module_init(init_stp); +module_exit(cleanup_stp); +MODULE_LICENSE("GPL"); + diff --git a/runtime/probes/test4/Makefile b/runtime/probes/test4/Makefile new file mode 100644 index 000000000..8fff0dc4e --- /dev/null +++ b/runtime/probes/test4/Makefile @@ -0,0 +1,11 @@ +# Makefile +# +# +# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt + +CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \ + -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP) +obj-m := dtr.o + +clean: + /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions diff --git a/runtime/probes/test4/README b/runtime/probes/test4/README new file mode 100644 index 000000000..20a1ad23b --- /dev/null +++ b/runtime/probes/test4/README @@ -0,0 +1,20 @@ +Sample probe. + +This is a translation of on an old dtr probe: + +global { + long @opens[string]; + sum @reads[string], @writes[string]; +} + +probe sys_open:entry { + @opens[current->comm]++; +} + +probe sys_read:entry { + @reads[current->comm] << count; +} + +probe sys_write:entry { + @writes[current->comm] << count; +} diff --git a/runtime/probes/test4/build b/runtime/probes/test4/build new file mode 100755 index 000000000..3713f08a9 --- /dev/null +++ b/runtime/probes/test4/build @@ -0,0 +1,16 @@ +#!/bin/bash + +KVERSION=`uname -r` +echo $KVERSION +KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'` +KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'` + +make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \ + KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \ + KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \ + STP_RUNTIME=`pwd`/../.. + + + + + diff --git a/runtime/probes/test4/dtr.c b/runtime/probes/test4/dtr.c new file mode 100644 index 000000000..1c8d8f053 --- /dev/null +++ b/runtime/probes/test4/dtr.c @@ -0,0 +1,105 @@ +#define HASH_TABLE_BITS 8 +#define HASH_TABLE_SIZE (1<"); + +MAP opens, reads, writes; + +asmlinkage long inst_sys_open (const char __user * filename, int flags, int mode) +{ + _stp_map_key_str (opens, current->comm); + _stp_map_set_int64 (opens, _stp_map_get_int64(opens) + 1); + jprobe_return(); + return 0; +} + +asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count) +{ + _stp_map_key_str (reads, current->comm); + _stp_map_stat_add (reads, count); + jprobe_return(); + return 0; +} + +asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count) +{ + _stp_map_key_str (writes, current->comm); + _stp_map_stat_add (writes, count); + jprobe_return(); + return 0; +} + +static struct jprobe dtr_probes[] = { + { + .kp.addr = (kprobe_opcode_t *)"sys_open", + .entry = (kprobe_opcode_t *) inst_sys_open + }, + { + .kp.addr = (kprobe_opcode_t *)"sys_read", + .entry = (kprobe_opcode_t *) inst_sys_read + }, + { + .kp.addr = (kprobe_opcode_t *)"sys_write", + .entry = (kprobe_opcode_t *) inst_sys_write + }, +}; + +#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe)) + +static int init_dtr(void) +{ + int ret; + + opens = _stp_map_new (1000, INT64); + reads = _stp_map_new (1000, STAT); + writes = _stp_map_new (1000, STAT); + + ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE); + + dlog("instrumentation is enabled...\n"); + return ret; + +} + +static void cleanup_dtr(void) +{ + struct map_node_stat *st; + struct map_node_int64 *ptr; + + _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE); + + for (ptr = (struct map_node_int64 *)_stp_map_start(opens); ptr; + ptr = (struct map_node_int64 *)_stp_map_iter (opens,(struct map_node *)ptr)) + dlog ("opens[%s] = %lld\n", key1str(ptr), ptr->val); + dlog ("\n"); + + for (st = (struct map_node_stat *)_stp_map_start(reads); st; + st = (struct map_node_stat *)_stp_map_iter (reads,(struct map_node *)st)) + dlog ("reads[%s] = [count=%lld sum=%lld min=%lld max=%lld]\n", key1str(st), st->stats.count, st->stats.sum, + st->stats.min, st->stats.max); + dlog ("\n"); + + for (st = (struct map_node_stat *)_stp_map_start(writes); st; + st = (struct map_node_stat *)_stp_map_iter (writes,(struct map_node *)st)) + dlog ("writes[%s] = [count=%lld sum=%lld min=%lld max=%lld]\n", key1str(st), st->stats.count, st->stats.sum, + st->stats.min, st->stats.max); + dlog ("\n"); + + _stp_map_del (opens); + _stp_map_del (reads); + _stp_map_del (writes); + + dlog("EXIT\n"); +} + +module_init(init_dtr); +module_exit(cleanup_dtr); +MODULE_LICENSE("GPL"); + diff --git a/runtime/probes/where_func/Makefile b/runtime/probes/where_func/Makefile new file mode 100644 index 000000000..1e6b9d2e7 --- /dev/null +++ b/runtime/probes/where_func/Makefile @@ -0,0 +1,11 @@ +# Makefile +# +# +# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt + +CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \ + -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP) +obj-m := kprobe_where_funct.o + +clean: + /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions diff --git a/runtime/probes/where_func/README b/runtime/probes/where_func/README new file mode 100644 index 000000000..0df3d7193 --- /dev/null +++ b/runtime/probes/where_func/README @@ -0,0 +1,19 @@ +This is a silly little instrumentation routine to instrument functions +entry by name. It makes use of the SystemTap runime libraries break +down the number of times the function by caller. It also uses +__print_symbol to map the address back to locations in functions. + +By default it instruments schedule(). + +The instrumentation module is built by having the kernel that is going +to be instrumented currently on the machine and doing "./build" + +The instrumentation is inserted as root with: + +/sbin/insmod kprobe_funct_where.ko funct_name=function_name + +The instrumentation is removed as root with: + +/sbin/rmmod kprobe_funct_where + +-Will Cohen diff --git a/runtime/probes/where_func/build b/runtime/probes/where_func/build new file mode 100755 index 000000000..3713f08a9 --- /dev/null +++ b/runtime/probes/where_func/build @@ -0,0 +1,16 @@ +#!/bin/bash + +KVERSION=`uname -r` +echo $KVERSION +KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'` +KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'` + +make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \ + KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \ + KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \ + STP_RUNTIME=`pwd`/../.. + + + + + diff --git a/runtime/probes/where_func/kprobe_where_funct.c b/runtime/probes/where_func/kprobe_where_funct.c new file mode 100644 index 000000000..f90f71bc1 --- /dev/null +++ b/runtime/probes/where_func/kprobe_where_funct.c @@ -0,0 +1,78 @@ +/* kprobe_where_funct.c + this is a simple module to get information about calls to a function that is passed as a module option + Will Cohen +*/ + +#define HASH_TABLE_BITS 8 +#define HASH_TABLE_SIZE (1<val, key1int(ptr), _stp_pbuf); + } + + _stp_map_del(funct_locations); +} + +MODULE_LICENSE("GPL");