This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: How to get correct filename in probe.execve
This is what I did
// Per-thread stash of the raw filename/argv values, keyed by tid and
// consumed later in the do_execve probe.
global ARRAY_EXEC_DOEXECVE_FILENAME%
global ARRAY_EXEC_DOEXECVE_ARGSTR%

probe kprocess.exec
{
    tid = tid()
    if (stringat(filename,0) == 0x22) // filename starts with a quotation mark
    {
        argstr = sprintf("%s, %s", filename, args)
        pid = pid()
        printf("pid=%d filename='%s', args='%s' kprocess.exec\n", pid,
               filename, argstr);
    }
    else // failed to recognize the filename, trigger do_execve
    {
        ARRAY_EXEC_DOEXECVE_FILENAME[tid] = @choose_defined($filename, $name)
        ARRAY_EXEC_DOEXECVE_ARGSTR[tid] = @choose_defined($__argv, $argv)
    }
}

probe kernel.function("do_execve")
{
    tid = tid()
    if (tid in ARRAY_EXEC_DOEXECVE_FILENAME) // unlikely
    {
        // Retry the user-space reads using the values saved by kprocess.exec
        filename = user_string_quoted(ARRAY_EXEC_DOEXECVE_FILENAME[tid])
        args = __get_argv(ARRAY_EXEC_DOEXECVE_ARGSTR[tid], 0)
        argstr = sprintf("%s, %s", filename, args)
        delete ARRAY_EXEC_DOEXECVE_FILENAME[tid]
        delete ARRAY_EXEC_DOEXECVE_ARGSTR[tid]
        pid = pid()
        printf("pid=%d filename='%s', args='%s' do_execve\n", pid,
               filename, argstr);
    }
}
Does it make sense?
Is there a better way than "if (stringat(filename,0) == 0x22)" to
figure out that fetching a filename from the user space failed?
I am dropping the env_str by "argstr = sprintf("%s, %s", filename,
args)". Is it the best way to get the string of arguments?
Thanks
On Sat, Jan 21, 2017 at 4:02 PM, Frank Ch. Eigler <fche@redhat.com> wrote:
>
> larytet wrote:
>
>> [...]
>> I am trying to ensure that I keep an integer in the EXEC_FILENAME.
>> If I do
>> EXEC_FILENAME=filename
>> SystemTap assumes a (zero terminated) string. [...]
>
> BTW, you could still use $filename (the context variable, which is an
> integer/char*) instead of filename (the script level variable, which is
> a string).
>
>
> - FChE