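#!/usr/bin/env stap

# Copyright 2018 Mimecast Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This script captures I/O syscalls for replay via the ioriot utility.
#
# Updated for modern kernels (6.x+): uses tapset variable names instead of raw
# kernel $variables, saves entry values in global arrays for use in return probes,
# and uses "kernel" module specifier for @cast lookups.
#
# Output format: one line per syscall with ';:,' separated key=value pairs.
# See format key documentation in the original version.
#
# Scope: every probe filters on pid() == target(), so nothing is recorded
# unless stap is started with a target process (-x PID or -c CMD). All threads
# of that process are covered; other processes, including children it forks,
# are not.
#
# Data-handling notes (review):
#  - Records carry the traced process's path arguments verbatim (the
#    *_unquoted tapset variables) and no field is escaped. A path that itself
#    contains ";:," or a newline therefore changes how a record splits into
#    fields or lines. NOTE(review): the consumer's parser is not visible here;
#    confirm how it handles such paths before replaying a capture taken from a
#    process you do not control.
#  - The capture lists every path the target touched; store and share the
#    output file with the same care as the data it describes.

# Entry timestamp (ns) of each in-flight syscall, keyed by [tid(), probe name].
#
# The "%" suffix makes an array wrap: when it is full, older entries are
# dropped to make room instead of the script aborting on overflow. A return
# probe whose entry was dropped (or never recorded, e.g. the syscall began
# before the script attached) reads 0 / "" and still prints a record; D then
# equals the absolute timestamp and a relative path resolves to "<cwd>/".
global PROBE_ENTRY_TIMES%[8096]

# Global arrays to carry tapset variable values from entry to return probes.
# Keyed by [tid(), probe_name] like PROBE_ENTRY_TIMES.
global ENTRY_PATH%[8096]
global ENTRY_PATH2%[8096]
global ENTRY_FD%[8096]
global ENTRY_FD2%[8096]
global ENTRY_FLAGS%[8096]
global ENTRY_MODE%[8096]
global ENTRY_OFFSET%[8096]
global ENTRY_WHENCE%[8096]
global ENTRY_CMD%[8096]
global ENTRY_ARG%[8096]
global ENTRY_COUNT%[8096]
global ENTRY_NBYTES%[8096]
global ENTRY_OWNER%[8096]
global ENTRY_GROUP%[8096]
global ENTRY_ADDR%[8096]
global ENTRY_ADDR2%[8096]
global ENTRY_LEN%[8096]
global ENTRY_PROT%[8096]
global ENTRY_PGOFF%[8096]
global ENTRY_NEWSIZE%[8096]

# Return the full qualified version of path
#   path: path string as it was passed to the syscall.
# An already-absolute path is returned unchanged; anything else is appended to
# the current task's working directory. The result is a plain concatenation:
# "." and ".." components of path are kept as given.
# The return probes call this after the syscall has finished, so the working
# directory read here is the one in effect at return time, not at entry.
function absolute_path:string (path:string)
{
    # Is it already a full qualified path?
    if (substr(path,0,1) == "/") {
        return path;
    }

    # Look into the Kernel task structure to look up the corresponding
    # mount point and directory entry, specifying "kernel" module for @cast
    tc = task_current()
    pwd_dentry = @cast(tc, "task_struct", "kernel")->fs->pwd->dentry
    pwd_mnt = @cast(tc, "task_struct", "kernel")->fs->pwd->mnt

    # Construct a full qualified path from it!
    return task_dentry_path(tc, pwd_dentry, pwd_mnt) . "/" . path;
}

# Return the full path of the file that descriptor fd refers to in task, or ""
# when the lookup fails.
#   task: task_struct pointer (callers pass task_current()).
#   fd:   file descriptor number to look up in that task.
function task_file_handle_d_path:string (task:long, fd:long)
{
    path = ""
    try {
        file = task_fd_lookup(task, fd)
        if (file)
            path = fullpath_struct_file(task, file)
    } catch {
        # Best effort: a failed lookup is reported to the caller as "".
    }
    return path
}

# Return an absolute form of path for the *at() family of syscalls.
#   path:  path string as it was passed to the syscall.
#   dirfd: directory descriptor argument of the syscall.
# Absolute paths are returned unchanged and AT_FDCWD resolves against the
# working directory. Otherwise the directory behind dirfd is looked up; if
# that lookup yields nothing the path is resolved against the working
# directory instead.
# NOTE(review): in that fallback case the recorded path may not be the one the
# syscall acted on. The lookup also runs in the return probe, i.e. against the
# descriptor table as it is after the syscall.
function absolute_path_at:string (path:string, dirfd:long)
{
    if (substr(path,0,1) == "/")
        return path;
    if (dirfd == @const("AT_FDCWD"))
        return absolute_path(path);
    tc = task_current();
    dir_path = task_file_handle_d_path(tc, dirfd);
    if (strlen(dir_path) > 0)
        return dir_path . "/" . path;
    return absolute_path(path);
}

# Stop probing after 1h (for safety)
probe timer.s(3600) { exit(); }

# Header line identifying the capture format version.
probe begin {
    printf("#|capture_version=%d|\n", 3);
}

# Every syscall below follows the same two-probe pattern:
#   entry probe  - for the target process, store the entry time and the
#                  arguments of interest under [tid(), name];
#   return probe - print one record (t = return time in ns, D = ns since
#                  entry, i = pid:tid, o = tapset probe name, followed by the
#                  syscall-specific fields) and delete the stored values.

# --- open ---
# Tapset entry vars: filename_unquoted, flags, mode
probe syscall.open {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = filename_unquoted
        ENTRY_FLAGS[tid(),name] = flags
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.open.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        # d= carries the syscall's return value here, not an argument.
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,p=%s;:,f=%d;:,m=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            retval, absolute_path(ENTRY_PATH[tid(),name]),
            ENTRY_FLAGS[tid(),name], ENTRY_MODE[tid(),name]);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- openat ---
# Tapset entry vars: dfd, filename_unquoted, flags, mode
probe syscall.openat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dfd
        ENTRY_PATH[tid(),name] = filename_unquoted
        ENTRY_FLAGS[tid(),name] = flags
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.openat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        # d= carries the syscall's return value here, not the dfd argument.
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,p=%s;:,f=%d;:,m=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            retval, absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            ENTRY_FLAGS[tid(),name], ENTRY_MODE[tid(),name]);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- lseek ---
# Tapset entry vars: fildes, offset, whence
probe syscall.lseek {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fildes
        ENTRY_OFFSET[tid(),name] = offset
        ENTRY_WHENCE[tid(),name] = whence
    }
}
probe syscall.lseek.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,O=%d;:,W=%d;:,b=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_OFFSET[tid(),name],
            ENTRY_WHENCE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_OFFSET[tid(),name]
        delete ENTRY_WHENCE[tid(),name]
    }
}

# --- llseek ---
# Tapset entry vars: fd, offset_high, offset_low, whence
probe syscall.llseek {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
        # Recombine the two halves of the offset into a single value.
        ENTRY_OFFSET[tid(),name] = (offset_high << 32 | offset_low)
        ENTRY_WHENCE[tid(),name] = whence
    }
}
probe syscall.llseek.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,O=%d;:,W=%d;:,b=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_OFFSET[tid(),name],
            ENTRY_WHENCE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_OFFSET[tid(),name]
        delete ENTRY_WHENCE[tid(),name]
    }
}

# --- fcntl ---
# Tapset entry vars: fd, cmd, arg
probe syscall.fcntl {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
        ENTRY_CMD[tid(),name] = cmd
        ENTRY_ARG[tid(),name] = arg
    }
}
probe syscall.fcntl.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,F=%d;:,G=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_CMD[tid(),name],
            ENTRY_ARG[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_CMD[tid(),name]
        delete ENTRY_ARG[tid(),name]
    }
}

# --- creat ---
# Tapset entry vars: pathname_unquoted, mode
probe syscall.creat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = pathname_unquoted
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.creat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        # d= carries the syscall's return value here, not an argument.
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,p=%s;:,m=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            retval, absolute_path(ENTRY_PATH[tid(),name]),
            ENTRY_MODE[tid(),name]);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- write/writev ---
# Tapset entry vars: fd
probe syscall.write, syscall.writev {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.write.return, syscall.writev.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,b=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- unlink ---
# Tapset entry vars: pathname_unquoted
probe syscall.unlink {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = pathname_unquoted
    }
}
probe syscall.unlink.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- unlinkat ---
# Tapset entry vars: dfd, pathname_str_unquoted, flag
probe syscall.unlinkat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dfd
        ENTRY_PATH[tid(),name] = pathname_str_unquoted
        ENTRY_FLAGS[tid(),name] = flag
    }
}
probe syscall.unlinkat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,p=%s;:,f=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name],
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            ENTRY_FLAGS[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
    }
}

# --- rename ---
# Tapset entry vars: oldpath_unquoted, newpath_unquoted
probe syscall.rename {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = oldpath_unquoted
        ENTRY_PATH2[tid(),name] = newpath_unquoted
    }
}
probe syscall.rename.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,P=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]),
            absolute_path(ENTRY_PATH2[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_PATH2[tid(),name]
    }
}

# --- renameat/renameat2 ---
# Tapset entry vars: olddfd, oldname_str_unquoted, newdfd, newname_str_unquoted
probe syscall.renameat, syscall.renameat2 {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = olddfd
        ENTRY_FD2[tid(),name] = newdfd
        ENTRY_PATH[tid(),name] = oldname_str_unquoted
        ENTRY_PATH2[tid(),name] = newname_str_unquoted
    }
}
probe syscall.renameat.return, syscall.renameat2.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,P=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            absolute_path_at(ENTRY_PATH2[tid(),name], ENTRY_FD2[tid(),name]),
            retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_FD2[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_PATH2[tid(),name]
    }
}

# --- read/readv ---
# Tapset entry vars: fd
probe syscall.read, syscall.readv {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.read.return, syscall.readv.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,b=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- readahead ---
# Tapset entry vars: fd, offset, count
probe syscall.readahead {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
        ENTRY_OFFSET[tid(),name] = offset
        ENTRY_COUNT[tid(),name] = count
    }
}
probe syscall.readahead.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,b=%ld;:,O=%ld;:,c=%ld;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval,
            ENTRY_OFFSET[tid(),name], ENTRY_COUNT[tid(),name]);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_OFFSET[tid(),name]
        delete ENTRY_COUNT[tid(),name]
    }
}

# --- readdir ---
# Tapset entry vars: fd
probe syscall.readdir {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.readdir.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- readlink ---
# Tapset entry vars: path_unquoted
probe syscall.readlink {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = path_unquoted
    }
}
probe syscall.readlink.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- readlinkat ---
# Tapset entry vars: dfd, path_unquoted
probe syscall.readlinkat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dfd
        ENTRY_PATH[tid(),name] = path_unquoted
    }
}
probe syscall.readlinkat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- fdatasync/fsync ---
# Tapset entry vars: fd
probe syscall.fdatasync, syscall.fsync {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.fdatasync.return, syscall.fsync.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- sync_file_range ---
# Tapset entry vars: fd, offset, nbytes
probe syscall.sync_file_range {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
        ENTRY_OFFSET[tid(),name] = offset
        ENTRY_NBYTES[tid(),name] = nbytes
    }
}
probe syscall.sync_file_range.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,O=%ld;:,b=%ld;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_OFFSET[tid(),name],
            ENTRY_NBYTES[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_OFFSET[tid(),name]
        delete ENTRY_NBYTES[tid(),name]
    }
}

# --- sync ---
probe syscall.sync {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
    }
}
probe syscall.sync.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name, retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
    }
}

# --- syncfs ---
# Tapset entry vars: fd
probe syscall.syncfs {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.syncfs.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- close ---
# Tapset entry vars: fd
probe syscall.close {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.close.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- getdents ---
# Tapset entry vars: fd, count
probe syscall.getdents {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
        ENTRY_COUNT[tid(),name] = count
    }
}
probe syscall.getdents.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,c=%d;:,b=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_COUNT[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_COUNT[tid(),name]
    }
}

# --- mkdir ---
# Tapset entry vars: pathname_unquoted, mode
probe syscall.mkdir {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = pathname_unquoted
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.mkdir.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,m=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]),
            ENTRY_MODE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- rmdir ---
# Tapset entry vars: pathname_unquoted
probe syscall.rmdir {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = pathname_unquoted
    }
}
probe syscall.rmdir.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- mkdirat ---
# Tapset entry vars: dirfd, pathname_unquoted, mode
probe syscall.mkdirat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dirfd
        ENTRY_PATH[tid(),name] = pathname_unquoted
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.mkdirat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,p=%s;:,m=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name],
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            ENTRY_MODE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- stat ---
# Tapset entry vars: filename_unquoted
probe syscall.stat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = filename_unquoted
    }
}
probe syscall.stat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- statfs/statfs64 ---
# Tapset entry vars: path_unquoted
probe syscall.statfs, syscall.statfs64 {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = path_unquoted
    }
}
probe syscall.statfs.return, syscall.statfs64.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- fstatfs/fstatfs64 ---
# Tapset entry vars: fd
probe syscall.fstatfs, syscall.fstatfs64 {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
    }
}
probe syscall.fstatfs.return, syscall.fstatfs64.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- lstat ---
# Tapset entry vars: path_unquoted
probe syscall.lstat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = path_unquoted
    }
}
probe syscall.lstat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]), retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
    }
}

# --- fstat ---
# Tapset entry vars: filedes
probe syscall.fstat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = filedes
    }
}
probe syscall.fstat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
    }
}

# --- fstatat ---
# Tapset entry vars: dirfd, path_unquoted, flags
probe syscall.fstatat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dirfd
        ENTRY_PATH[tid(),name] = path_unquoted
        ENTRY_FLAGS[tid(),name] = flags
    }
}
probe syscall.fstatat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%ld;:,p=%s;:,f=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name],
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            ENTRY_FLAGS[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
    }
}

# --- chmod ---
# Tapset entry vars: path_unquoted, mode
probe syscall.chmod {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = path_unquoted
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.chmod.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,m=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]),
            ENTRY_MODE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- fchmodat ---
# Tapset entry vars: dirfd, pathname_unquoted, mode
probe syscall.fchmodat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dirfd
        ENTRY_PATH[tid(),name] = pathname_unquoted
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.fchmodat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,m=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            ENTRY_MODE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- fchmod ---
# Tapset entry vars: fildes, mode
probe syscall.fchmod {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fildes
        ENTRY_MODE[tid(),name] = mode
    }
}
probe syscall.fchmod.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%d;:,m=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_MODE[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_MODE[tid(),name]
    }
}

# --- chown/lchown ---
# Tapset entry vars: path_unquoted, owner, group
# Note: chown16/lchown16 do not exist on x86_64
probe syscall.chown, syscall.lchown {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_PATH[tid(),name] = path_unquoted
        ENTRY_OWNER[tid(),name] = owner
        ENTRY_GROUP[tid(),name] = group
    }
}
probe syscall.chown.return, syscall.lchown.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,O=%d;:,G=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path(ENTRY_PATH[tid(),name]),
            ENTRY_OWNER[tid(),name], ENTRY_GROUP[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_OWNER[tid(),name]
        delete ENTRY_GROUP[tid(),name]
    }
}

# --- fchown ---
# Tapset entry vars: fd, owner, group
# Note: fchown16 does not exist on x86_64
probe syscall.fchown {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = fd
        ENTRY_OWNER[tid(),name] = owner
        ENTRY_GROUP[tid(),name] = group
    }
}
probe syscall.fchown.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,d=%ld;:,O=%d;:,G=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_FD[tid(),name], ENTRY_OWNER[tid(),name],
            ENTRY_GROUP[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_OWNER[tid(),name]
        delete ENTRY_GROUP[tid(),name]
    }
}

# --- fchownat ---
# Tapset entry vars: dirfd, pathname_unquoted, owner, group, flags
probe syscall.fchownat {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_FD[tid(),name] = dirfd
        ENTRY_PATH[tid(),name] = pathname_unquoted
        ENTRY_OWNER[tid(),name] = owner
        ENTRY_GROUP[tid(),name] = group
        ENTRY_FLAGS[tid(),name] = flags
    }
}
probe syscall.fchownat.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,p=%s;:,O=%d;:,G=%d;:,f=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            absolute_path_at(ENTRY_PATH[tid(),name], ENTRY_FD[tid(),name]),
            ENTRY_OWNER[tid(),name], ENTRY_GROUP[tid(),name],
            ENTRY_FLAGS[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PATH[tid(),name]
        delete ENTRY_OWNER[tid(),name]
        delete ENTRY_GROUP[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
    }
}

# --- mmap2 ---
# Tapset entry vars: start, length, prot, flags, fd, pgoffset
probe syscall.mmap2 {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_ADDR[tid(),name] = start
        ENTRY_LEN[tid(),name] = length
        ENTRY_PROT[tid(),name] = prot
        ENTRY_FLAGS[tid(),name] = flags
        ENTRY_FD[tid(),name] = fd
        ENTRY_PGOFF[tid(),name] = pgoffset
    }
}
probe syscall.mmap2.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        # a= requested address, A= return value of the syscall.
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,a=%ld;:,b=%ld;:,m=%d;:,f=%d;:,d=%d;:,O=%ld;:,A=%ld;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_ADDR[tid(),name], ENTRY_LEN[tid(),name],
            ENTRY_PROT[tid(),name], ENTRY_FLAGS[tid(),name],
            ENTRY_FD[tid(),name], ENTRY_PGOFF[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_ADDR[tid(),name]
        delete ENTRY_LEN[tid(),name]
        delete ENTRY_PROT[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
        delete ENTRY_FD[tid(),name]
        delete ENTRY_PGOFF[tid(),name]
    }
}

# --- mremap ---
# Tapset entry vars: old_address, old_size, new_size, flags, new_address
probe syscall.mremap {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_ADDR[tid(),name] = new_address
        ENTRY_ADDR2[tid(),name] = old_address
        ENTRY_NEWSIZE[tid(),name] = new_size
        ENTRY_FLAGS[tid(),name] = flags
    }
}
probe syscall.mremap.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        # a= new_address argument, A= old_address argument.
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,a=%ld;:,A=%ld;:,b=%ld;:,f=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_ADDR[tid(),name], ENTRY_ADDR2[tid(),name],
            ENTRY_NEWSIZE[tid(),name], ENTRY_FLAGS[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_ADDR[tid(),name]
        delete ENTRY_ADDR2[tid(),name]
        delete ENTRY_NEWSIZE[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
    }
}

# --- munmap ---
# Tapset entry vars: start, length
probe syscall.munmap {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_ADDR[tid(),name] = start
        ENTRY_LEN[tid(),name] = length
    }
}
probe syscall.munmap.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,a=%ld;:,b=%ld;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_ADDR[tid(),name], ENTRY_LEN[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_ADDR[tid(),name]
        delete ENTRY_LEN[tid(),name]
    }
}

# --- msync ---
# Tapset entry vars: start, length, flags
probe syscall.msync {
    if (pid() == target()) {
        PROBE_ENTRY_TIMES[tid(),name] = gettimeofday_ns()
        ENTRY_ADDR[tid(),name] = start
        ENTRY_LEN[tid(),name] = length
        ENTRY_FLAGS[tid(),name] = flags
    }
}
probe syscall.msync.return {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,a=%ld;:,b=%ld;:,f=%d;:,s=%d;:,\n",
            ns, ns-PROBE_ENTRY_TIMES[tid(),name], pid(), tid(), name,
            ENTRY_ADDR[tid(),name], ENTRY_LEN[tid(),name],
            ENTRY_FLAGS[tid(),name], retval);
        delete PROBE_ENTRY_TIMES[tid(),name]
        delete ENTRY_ADDR[tid(),name]
        delete ENTRY_LEN[tid(),name]
        delete ENTRY_FLAGS[tid(),name]
    }
}

# --- exit_group ---
# The record is written from the entry probe (exit_group does not return), so
# no entry time is ever stored for it. D is reported as 0 instead of being
# computed from that missing entry, which would yield the absolute timestamp.
probe syscall.exit_group {
    if (pid() == target()) {
        ns = gettimeofday_ns()
        printf("t=%ld;:,D=%ld;:,i=%d:%d;:,o=%s;:,\n",
            ns, 0, pid(), tid(), name);
    }
}

# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4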