This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: How to get correct filename in probe.execve


... and another question. What are the pros and cons of using probe
kprocess.exec vs. probe kernel.function("do_execve")?
Thanks

On Sun, Jan 22, 2017 at 1:11 PM, Arkady <larytet@gmail.com> wrote:
> This is what I did
>
> global ARRAY_EXEC_DOEXECVE_FILENAME%   // tid -> $filename pointer (char __user *)
> global ARRAY_EXEC_DOEXECVE_ARGSTR%     // tid -> $argv pointer
>
> probe kprocess.exec
> {
>   tid = tid()
>   // user_string_quoted() wraps a successfully read string in quotes;
>   // on a failed fetch it returns the raw address instead
>   if (stringat(filename,0) == 0x22) // filename starts with a quotation mark
>   {
>       argstr = sprintf("%s, %s", filename, args)
>       pid = pid()
>       printf("pid=%d filename='%s', args='%s' kprocess.exec\n", pid,
>              filename, argstr);
>   }
>   else  // failed to recognize the filename, defer to the do_execve probe
>   {
>      // keep the integer context variables, not the script-level strings
>      ARRAY_EXEC_DOEXECVE_FILENAME[tid] = @choose_defined($filename, $name)
>      ARRAY_EXEC_DOEXECVE_ARGSTR[tid] = @choose_defined($__argv, $argv)
>   }
> }
>
> probe kernel.function("do_execve")
> {
>   tid = tid()
>   if (tid in ARRAY_EXEC_DOEXECVE_FILENAME)  // unlikely
>   {
>      // retry the user-space fetch from the saved pointers
>      filename = user_string_quoted(ARRAY_EXEC_DOEXECVE_FILENAME[tid])
>      args = __get_argv(ARRAY_EXEC_DOEXECVE_ARGSTR[tid], 0)
>      argstr = sprintf("%s, %s", filename, args)
>      delete ARRAY_EXEC_DOEXECVE_FILENAME[tid]
>      delete ARRAY_EXEC_DOEXECVE_ARGSTR[tid]
>
>      pid = pid()
>      printf("pid=%d filename='%s', args='%s' do_execve\n", pid,
>             filename, argstr);
>   }
> }
>
>
> Does it make sense?
> Is there a better way than "if (stringat(filename,0) == 0x22)" to
> figure out that fetching a filename from user space failed?
> I am dropping the env_str by "argstr = sprintf("%s, %s", filename,
> args)". Is that the best way to get the string of arguments?
>
> Thanks
>
> On Sat, Jan 21, 2017 at 4:02 PM, Frank Ch. Eigler <fche@redhat.com> wrote:
>>
>> larytet wrote:
>>
>>> [...]
>>> I am trying to ensure that I keep an integer in the EXEC_FILENAME.
>>> If I do
>>> EXEC_FILENAME=filename
>>> SystemTap assumes a (zero terminated) string. [...]
>>
>> BTW, you could still use $filename (the context variable, which is an
>> integer/char*) instead of filename (the script level variable, which is
>> a string).
>>
>>
>> - FChE
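
An added example (not code from either poster) of detecting a failed user-space fetch explicitly rather than by inspecting the first character of the quoted string. It assumes the same context variables the script above uses ($filename/$name and $__argv/$argv, selected with @choose_defined), the tapset function user_string2(addr, err_msg), which returns err_msg instead of raising when the address cannot be read, and SystemTap's try/catch, which catches the error user_string() raises on a fault. The sentinel string "<unreadable>" and the global name exec_fetch_failed are this example's own choices. Because kprocess.exec is defined in the tapset as an alias over kernel.function("do_execve") (plus, where the tapset defines them, related entry points such as compat_do_execve), a separate kernel.function("do_execve") probe fires at the same instant; the example therefore does the fetch once, in the alias probe, and handles the failure there.

```systemtap
#!/usr/bin/stap
# Added example, not part of the original thread.
# Assumes: kprocess.exec exposes $filename/$name and $__argv/$argv;
# user_string2() returns its fallback on an unreadable address;
# user_string() raises an error that try/catch can intercept.

global exec_fetch_failed   // execname -> count of unreadable filenames

probe kprocess.exec
{
  addr = @choose_defined($filename, $name)

  // Option 1: user_string2() never raises; it hands back the fallback
  // string on a fault, so failure is a plain string comparison.
  fname = user_string2(addr, "<unreadable>")
  if (fname == "<unreadable>") {
    exec_fetch_failed[execname()]++
    printf("pid=%d comm=%s filename unreadable at %p\n", pid(), execname(), addr)
    next
  }

  // Option 2: user_string() raises a script error on a fault; try/catch
  // turns that into a handled case instead of aborting the handler.
  // argv is a user pointer to an array of user pointers, so read the
  // first slot with user_long() and then dereference it as a string.
  try {
    argv0 = user_string(user_long(@choose_defined($__argv, $argv)))
  } catch (msg) {
    argv0 = "<" . msg . ">"
  }

  printf("pid=%d exe=%s argv0=%s\n", pid(), fname, argv0)
}

probe end
{
  foreach (comm in exec_fetch_failed)
    printf("%s: %d unreadable filenames\n", comm, exec_fetch_failed[comm])
}
```

Run it as root with `stap` and exercise it with any exec-heavy workload; the end probe summarises which commands produced filenames the probe could not read. Preferring the alias over a raw kernel.function("do_execve") probe keeps the script working across kernels where the function's argument names or the entry point itself changed, which is the same reason the @choose_defined guards are there.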

