File: procmod_watcher.stp

package info (click to toggle)
systemtap 4.4-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 38,260 kB
  • sloc: cpp: 77,147; ansic: 61,828; xml: 49,277; exp: 42,244; sh: 11,046; python: 2,772; perl: 2,252; tcl: 1,305; makefile: 1,086; lisp: 105; java: 102; awk: 101; asm: 91; sed: 16
file content (83 lines) | stat: -rw-r--r-- 2,411 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
#! /usr/bin/env stap

/*
 * Copyright (C) 2014, 2016 Red Hat Inc.
 *
 * This copyrighted material is made available to anyone wishing to use,
 * modify, copy, or redistribute it subject to the terms and conditions
 * of the GNU General Public License v.2.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * Print out all calls to fork(), exec(), exit(), init_module(), and
 * delete_module(). This script does not require debuginfo.
 *
 * Format is:
 * timestamp: EVENT: ( pid) <event details>
 *
 * 2.843626: FORK: ( 410) firewalld: pid 868
 * 2.843831: EXEC: ( 868) firewalld: file /sbin/iptables
 * 2.844514: EXIT: ( 868) iptables: exit code 0
 * 2.844829: FORK: ( 410) firewalld: pid 869
 * 2.845034: EXEC: ( 869) firewalld: file /sbin/iptables
 * 2.845722: EXIT: ( 869) iptables: exit code 0
 * 2.846036: FORK: ( 410) firewalld: pid 870
 * 2.846240: EXEC: ( 870) firewalld: file /sbin/iptables
 *
 */

function print_time() {
   timer = read_stopwatch_us("timer")
   printf("%4d.%.6d: ", timer/1000000, timer%1000000)
}

probe begin {
   start_stopwatch("timer")
   printf("   0.000000: Started procmod_watcher on %s\n",
          ctime(gettimeofday_s()))
}

probe nd_syscall.execve {
   print_time()
   printf("EXEC: (%4d) %s: file %s\n",
          pid(), execname(), argstr)
}

probe nd_syscall.fork.return ?, nd_syscall.clone.return ? {
   print_time()
   printf("FORK: (%4d) %s: pid %s\n",
          pid(), execname(), retstr)
}

probe nd_syscall.exit, nd_syscall.exit_group {
   print_time()
   sig = status & 0x7F
   code = sig ? sig : status >> 8
   printf("EXIT: (%4d) %s: %s %d\n",
          pid(), execname(),
          sig ? "signal" : "exit code", code)
}

probe kernel.trace("module_load") {
   print_time()
   printf("LOAD: (%4d) %s: module %s",
          pid(), execname(),
          kernel_string(@cast($mod, "struct module", "kernel<linux/module.h>")->name))
   args = kernel_string(@cast($mod, "struct module", "kernel<linux/module.h>")->args)
   if (args != "")
      printf(" with args \"%s\"", args)
   println("")
}

probe nd_syscall.delete_module {
   print_time()
   printf("UNLD: (%4d) %s: module %s with flags 0x%x\n",
          pid(), execname(), name_user, flags);
}

probe end {
   print_time()
   printf("Exiting procmod_watcher on %s\n",
          ctime(gettimeofday_s()))
}