Monitoring more inode activity

Problem

Further to WSFileMonitor, let's probe inode attribute changes.

Scripts

# from include/linux/fs.h

global ATTR_MODE = 1 # ....

probe kernel.function("inode_setattr") {
  dev_nr = $inode->i_sb->s_dev
  inode_nr = $inode->i_ino

  if (dev_nr == ($1 << 20 | $2) # major/minor device
      && inode_nr == $3
      && $attr->ia_valid & ATTR_MODE)
    printf ("%s(%d) %s 0x%x/%u %o\n",
      execname(), pid(), probefunc(), dev_nr, inode_nr, $attr->ia_mode)
}

Output

% stat -c '%D %i' .
900 15106747

% ./stap ../src/examples/inode_setattr.stp 9 0 15106747  # while chmod'ing in other window
chmod(28203) inode_setattr 0x900000/15106747 40755
chmod(28215) inode_setattr 0x900000/15106747 40755
chmod(28245) inode_setattr 0x900000/15106747 40555
chmod(28256) inode_setattr 0x900000/15106747 40755

Lessons

It is obvious how to modify the script to look for changes to other attributes such as the timestamps.


WarStories

None: WSFileMonitor2 (last edited 2008-01-10 19:47:26 by localhost)