This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: How to get correct filename in probe.execve
- From: David Smith <dsmith at redhat dot com>
- To: Arkady <larytet at gmail dot com>, "Frank Ch. Eigler" <fche at redhat dot com>
- Cc: systemtap at sourceware dot org
- Date: Fri, 20 Jan 2017 08:28:27 -0600
- Subject: Re: How to get correct filename in probe.execve
- Authentication-results: sourceware.org; auth=none
- References: <CANA-60q=SyAPsa3645iBW1JpvixQPLaVA1dUYN5g+L+HWu5bKg@mail.gmail.com> <y0mefzzf69v.fsf@fche.csb> <CANA-60qHj=KJkA+k=P5OmVuxp_zdFq85Hn_sa_rN-UgOfP0P=A@mail.gmail.com>
On 01/19/2017 06:34 PM, Arkady wrote:
> I appreciate the valuable responses.
>
> I have modified the scripts a little bit
>
> stap -e 'probe kprocess.exec { { printf("exec pid=%u ts=%u filename=%s
> args=%s\n", pid(), gettimeofday_ns(), filename, argstr) } }'
>
> import os
> os.system("echo Hello")
> os.system("echo Hello")
> os.system("ls /tmp")
> os.system("ls /tmp")
>
> and the output is:
>
> exec pid=2578 ts=1484871567781365344 filename="/usr/bin/python"
> args="/usr/bin/python", ["python", "echo.py"], [/* 20 vars */]
> exec pid=2579 ts=1484871567790241888 filename=00007fd509724177
> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo
> Hello"], [/* 20 vars */]
> exec pid=2580 ts=1484871567791230838 filename=00007fd509724177
> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "echo
> Hello"], [/* 20 vars */]
>
> exec pid=2581 ts=1484871567792359834 filename=00007fd509724177
> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "ls
> /tmp"], [/* 20 vars */]
> exec pid=2582 ts=1484871567793112384 filename="/bin/ls"
> args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]
> exec pid=2583 ts=1484871567794590362 filename=00007fd509724177
> args=00007fd509724177, [00007fd50972417c, 00007fd509724174, "ls
> /tmp"], [/* 20 vars */]
> exec pid=2584 ts=1484871567795367498 filename="/bin/ls"
> args="/bin/ls", ["ls", "/tmp"], [/* 20 vars */]
>
> When running under strace I see execve. When I check the generated by
> the SystemTap C source code I see a probe in execveat in the file
> fs/exec.c. Does the probe kprocess.exec hooks all "exec" syscalls?
If you are running with systemtap 2.5+, kprocess.exec is an alias for
syscall.execve. If you wanted to be sure to catch all the execve
variants, you should probe on: syscall.execve, syscall.compat_execve,
syscall.execveat, syscall.compat_execveat.
> In the syscall.accept the sockaddress argument is an address to the
> user space buffer. Shall I expect to hit a not loaded page from time
> to time?
It is possible, depending on the how syscall.accept is implemented on
your kernel. On some kernels, accept() is a true function call. On those
kernels, the sockaddress should always be available, since it is one of
the parameters. On other kernels, accept() has been multiplexed into
socketcall(). On those kernels, systemtap does have to read user memory
and you might hit an address that hasn't been paged in yet.
--
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)