This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: How to get correct filename in probe.execve


I tried the following

global EXEC_FILENAME%   # pid,tid -> user-space pointer to the execve filename

probe kprocess.exec
{
        printf("exec pid=%u ts=%u filename=%s arg1=%s args=%s\n",
               pid(), gettimeofday_ns(), filename,
               user_string_quoted(ulong_arg(1)), argstr)
        # remember the raw pointer so it can be re-read later in the syscall
        EXEC_FILENAME[pid(), tid()] = ulong_arg(1)
}

probe kprocess.exec_complete
{
        printf("exec_complete pid=%d, u_filename=%s\n", pid(),
               user_string_quoted(EXEC_FILENAME[pid(), tid()]))
}

probe kernel.function("do_filp_open").call
{
        # only report opens that happen while an exec we saw is in progress
        if ([pid(), tid()] in EXEC_FILENAME)
        {
                printf("do_filp_open pid=%d %s\n", pid(),
                       user_string_quoted(EXEC_FILENAME[pid(), tid()]))
        }
}

I am getting this marvel:

exec pid=30825 ts=1484976492960517468 filename=00007f32db232177
arg1=00007f32db232177 args=00007f32db232177, [00007f32db23217c,
00007f32db232174, "echo Hello"], [/* 20 vars */]
do_filp_open pid=30825 "/bin/sh"
do_filp_open pid=30825 "/bin/sh"
exec_complete pid=30825, u_filename=00007f32db232177

Will this approach work across kernel versions? How reliable is it
going to be?

Thanks.

On Fri, Jan 20, 2017 at 4:28 PM, David Smith <dsmith@redhat.com> wrote:
> On 01/19/2017 06:34 PM, Arkady wrote:
>> I appreciate the valuable responses.
>>
>> I have modified the scripts a little bit
>>
>> stap -e 'probe kprocess.exec { { printf("exec pid=%u ts=%u filename=%s
>> args=%s\n", pid(), gettimeofday_ns(), filename, argstr) } }'
>>
>> import os
>> os.system("echo Hello")
>> os.system("echo Hello")
>> os.system("ls /tmp")
>> os.system("ls /tmp")
>>
>> and the output is:
>>
>> exec pid=2578 ts=1484871567781365344 filename="/usr/bin/python"
>> args="/usr/bin/python", ["python", "echo.py"], [/* 20 vars */]
>> exec pid=2579 ts=1484871567790241888 filename=00007fd509724177
>> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo
>> Hello"], [/* 20 vars */]
>> exec pid=2580 ts=1484871567791230838 filename=00007fd509724177
>> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo
>> Hello"], [/* 20 vars */]
>>
>> exec pid=2581 ts=1484871567792359834 filename=00007fd509724177
>> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "ls
>> /tmp"], [/* 20 vars */]
>> exec pid=2582 ts=1484871567793112384 filename="/bin/ls"
>> args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]
>> exec pid=2583 ts=1484871567794590362 filename=00007fd509724177
>> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "ls
>> /tmp"], [/* 20 vars */]
>> exec pid=2584 ts=1484871567795367498 filename="/bin/ls"
>> args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]
>>
>> When running under strace I see execve. When I check the C source code
>> generated by SystemTap I see a probe in execveat in the file
>> fs/exec.c. Does the probe kprocess.exec hook all "exec" syscalls?
>
> If you are running with systemtap 2.5+, kprocess.exec is an alias for
> syscall.execve. If you wanted to be sure to catch all the execve
> variants, you should probe on: syscall.execve, syscall.compat_execve,
> syscall.execveat, syscall.compat_execveat.
>
>> In the syscall.accept the sockaddress argument is an address to the
>> user space buffer. Shall I expect to hit a not loaded page from time
>> to time?
>
> It is possible, depending on how syscall.accept is implemented on
> your kernel. On some kernels, accept() is a true function call. On those
> kernels, the sockaddress should always be available, since it is one of
> the parameters. On other kernels, accept() has been multiplexed into
> socketcall(). On those kernels, systemtap does have to read user memory
> and you might hit an address that hasn't been paged in yet.
>
> --
> David Smith
> dsmith@redhat.com
> Red Hat
> http://www.redhat.com
> 256.217.0141 (direct)
> 256.837.0057 (fax)
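As an added example, not from the thread and not the systemtap project's own tapset code, the following script follows David Smith's advice and probes all four execve variants; the `?` suffix marks the compat probes optional so the script still compiles on kernels that lack them. It assumes the `filename`, `argstr` and `name` convenience variables are exported by each of those syscall aliases, and relies on the documented user_string_quoted() behaviour (a hex address instead of a quoted string when the user page could not be read) to count filenames that were unreadable at syscall entry.

```systemtap
#!/usr/bin/stap
# Added example: exec monitoring across all execve variants.
# Assumes the syscall.execve* aliases each export `name`, `filename` and
# `argstr` (systemtap 2.5+, where kprocess.exec is an alias of syscall.execve).

global exec_count        # exec attempts per syscall name
global unreadable_count  # filenames returned as a hex address, not a quoted string

# The trailing `?` makes a probe point optional: on kernels or architectures
# without the compat entry points the script still compiles and runs.
probe syscall.execve,
      syscall.execveat,
      syscall.compat_execve ?,
      syscall.compat_execveat ?
{
        exec_count[name] <<< 1
        # user_string_quoted() wraps a readable string in double quotes; if the
        # user page could not be read it returns the address in hex instead.
        readable = (substr(filename, 0, 1) == "\"")
        if (!readable)
                unreadable_count[name] <<< 1
        printf("%s uid=%d pid=%d ppid=%d parent_comm=%s filename=%s argstr=%s%s\n",
               name, uid(), pid(), ppid(), execname(), filename, argstr,
               readable ? "" : " (filename not readable at syscall entry)")
}

# Exec finished: the old address space is gone, so do not dereference saved
# user pointers here; execname() now reports the new program image.
probe kprocess.exec_complete
{
        if (success)
                printf("exec_complete pid=%d now running %s\n", pid(), execname())
        else
                printf("exec_complete pid=%d failed errno=%d\n", pid(), errno)
}

probe end
{
        foreach (n in exec_count)
                printf("%-18s execs=%d unreadable_filenames=%d\n",
                       n, @count(exec_count[n]),
                       (n in unreadable_count) ? @count(unreadable_count[n]) : 0)
}
```

Run it as root with `stap exec_monitor.stp` (hypothetical file name) while the Python snippet from the thread executes; the end-of-run summary shows how often the filename was unreadable at entry, which is the case the saved-pointer workaround above was written for.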

