Commit f8990370 authored by takumakume's avatar takumakume

opensnoop: supported uid options

parent dccc4f28
...@@ -27,6 +27,9 @@ Print usage message. ...@@ -27,6 +27,9 @@ Print usage message.
\-T \-T
Include a timestamp column. Include a timestamp column.
.TP .TP
\-U
Show UID.
.TP
\-x \-x
Only print failed opens. Only print failed opens.
.TP .TP
...@@ -36,6 +39,9 @@ Trace this process ID only (filtered in-kernel). ...@@ -36,6 +39,9 @@ Trace this process ID only (filtered in-kernel).
\-t TID \-t TID
Trace this thread ID only (filtered in-kernel). Trace this thread ID only (filtered in-kernel).
.TP .TP
\-u UID
Trace this UID only (filtered in-kernel).
.TP
\-d DURATION \-d DURATION
Total duration of trace in seconds. Total duration of trace in seconds.
.TP .TP
...@@ -61,6 +67,10 @@ Trace all open() syscalls, and include timestamps: ...@@ -61,6 +67,10 @@ Trace all open() syscalls, and include timestamps:
# #
.B opensnoop \-T .B opensnoop \-T
.TP .TP
Show UID:
#
.B opensnoop \-U
.TP
Trace only open() syscalls that failed: Trace only open() syscalls that failed:
# #
.B opensnoop \-x .B opensnoop \-x
...@@ -69,6 +79,10 @@ Trace PID 181 only: ...@@ -69,6 +79,10 @@ Trace PID 181 only:
# #
.B opensnoop \-p 181 .B opensnoop \-p 181
.TP .TP
Trace UID 1000 only:
#
.B opensnoop \-u 1000
.TP
Trace all open() syscalls from processes where its name partially matches 'ed': Trace all open() syscalls from processes where its name partially matches 'ed':
# #
.B opensnoop \-n ed .B opensnoop \-n ed
...@@ -85,6 +99,9 @@ Only print calls for writing: ...@@ -85,6 +99,9 @@ Only print calls for writing:
TIME(s) TIME(s)
Time of the call, in seconds. Time of the call, in seconds.
.TP .TP
UID
User ID
.TP
PID PID
Process ID Process ID
.TP .TP
......
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
# 29-Apr-2016 Allan McAleavy Updated for BPF_PERF_OUTPUT. # 29-Apr-2016 Allan McAleavy Updated for BPF_PERF_OUTPUT.
# 08-Oct-2016 Dina Goldshtein Support filtering by PID and TID. # 08-Oct-2016 Dina Goldshtein Support filtering by PID and TID.
# 28-Dec-2018 Tim Douglas Print flags argument, enable filtering # 28-Dec-2018 Tim Douglas Print flags argument, enable filtering
# 06-Jan-2019 Takuma Kume Support filtering by UID
from __future__ import print_function from __future__ import print_function
from bcc import ArgString, BPF from bcc import ArgString, BPF
...@@ -25,9 +26,11 @@ import os ...@@ -25,9 +26,11 @@ import os
examples = """examples: examples = """examples:
./opensnoop # trace all open() syscalls ./opensnoop # trace all open() syscalls
./opensnoop -T # include timestamps ./opensnoop -T # include timestamps
./opensnoop -U # include UID
./opensnoop -x # only show failed opens ./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181 ./opensnoop -p 181 # only trace PID 181
./opensnoop -t 123 # only trace TID 123 ./opensnoop -t 123 # only trace TID 123
./opensnoop -u 1000 # only trace UID 1000
./opensnoop -d 10 # trace for 10 seconds only ./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -n main # only print process names containing "main" ./opensnoop -n main # only print process names containing "main"
./opensnoop -e # show extended fields ./opensnoop -e # show extended fields
...@@ -39,12 +42,16 @@ parser = argparse.ArgumentParser( ...@@ -39,12 +42,16 @@ parser = argparse.ArgumentParser(
epilog=examples) epilog=examples)
parser.add_argument("-T", "--timestamp", action="store_true", parser.add_argument("-T", "--timestamp", action="store_true",
help="include timestamp on output") help="include timestamp on output")
parser.add_argument("-U", "--print-uid", action="store_true",
help="print UID column")
parser.add_argument("-x", "--failed", action="store_true", parser.add_argument("-x", "--failed", action="store_true",
help="only show failed opens") help="only show failed opens")
parser.add_argument("-p", "--pid", parser.add_argument("-p", "--pid",
help="trace this PID only") help="trace this PID only")
parser.add_argument("-t", "--tid", parser.add_argument("-t", "--tid",
help="trace this TID only") help="trace this TID only")
parser.add_argument("-u", "--uid",
help="trace this UID only")
parser.add_argument("-d", "--duration", parser.add_argument("-d", "--duration",
help="total duration of trace in seconds") help="total duration of trace in seconds")
parser.add_argument("-n", "--name", parser.add_argument("-n", "--name",
...@@ -85,6 +92,7 @@ struct val_t { ...@@ -85,6 +92,7 @@ struct val_t {
struct data_t { struct data_t {
u64 id; u64 id;
u64 ts; u64 ts;
u32 uid;
int ret; int ret;
char comm[TASK_COMM_LEN]; char comm[TASK_COMM_LEN];
char fname[NAME_MAX]; char fname[NAME_MAX];
...@@ -100,8 +108,10 @@ int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename, int f ...@@ -100,8 +108,10 @@ int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename, int f
u64 id = bpf_get_current_pid_tgid(); u64 id = bpf_get_current_pid_tgid();
u32 pid = id >> 32; // PID is higher part u32 pid = id >> 32; // PID is higher part
u32 tid = id; // Cast and get the lower part u32 tid = id; // Cast and get the lower part
u32 uid = bpf_get_current_uid_gid();
PID_TID_FILTER PID_TID_FILTER
UID_FILTER
FLAGS_FILTER FLAGS_FILTER
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) { if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
val.id = id; val.id = id;
...@@ -130,6 +140,7 @@ int trace_return(struct pt_regs *ctx) ...@@ -130,6 +140,7 @@ int trace_return(struct pt_regs *ctx)
bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname); bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
data.id = valp->id; data.id = valp->id;
data.ts = tsp / 1000; data.ts = tsp / 1000;
data.uid = bpf_get_current_uid_gid();
data.flags = valp->flags; // EXTENDED_STRUCT_MEMBER data.flags = valp->flags; // EXTENDED_STRUCT_MEMBER
data.ret = PT_REGS_RC(ctx); data.ret = PT_REGS_RC(ctx);
...@@ -147,6 +158,11 @@ elif args.pid: ...@@ -147,6 +158,11 @@ elif args.pid:
'if (pid != %s) { return 0; }' % args.pid) 'if (pid != %s) { return 0; }' % args.pid)
else: else:
bpf_text = bpf_text.replace('PID_TID_FILTER', '') bpf_text = bpf_text.replace('PID_TID_FILTER', '')
if args.uid:
bpf_text = bpf_text.replace('UID_FILTER',
'if (uid != %s) { return 0; }' % args.uid)
else:
bpf_text = bpf_text.replace('UID_FILTER', '')
if args.flag_filter: if args.flag_filter:
bpf_text = bpf_text.replace('FLAGS_FILTER', bpf_text = bpf_text.replace('FLAGS_FILTER',
'if (!(flags & %d)) { return 0; }' % flag_filter_mask) 'if (!(flags & %d)) { return 0; }' % flag_filter_mask)
...@@ -172,6 +188,7 @@ class Data(ct.Structure): ...@@ -172,6 +188,7 @@ class Data(ct.Structure):
_fields_ = [ _fields_ = [
("id", ct.c_ulonglong), ("id", ct.c_ulonglong),
("ts", ct.c_ulonglong), ("ts", ct.c_ulonglong),
("uid", ct.c_uint32),
("ret", ct.c_int), ("ret", ct.c_int),
("comm", ct.c_char * TASK_COMM_LEN), ("comm", ct.c_char * TASK_COMM_LEN),
("fname", ct.c_char * NAME_MAX), ("fname", ct.c_char * NAME_MAX),
...@@ -183,6 +200,8 @@ initial_ts = 0 ...@@ -183,6 +200,8 @@ initial_ts = 0
# header # header
if args.timestamp: if args.timestamp:
print("%-14s" % ("TIME(s)"), end="") print("%-14s" % ("TIME(s)"), end="")
if args.print_uid:
print("%-6s" % ("UID"), end="")
print("%-6s %-16s %4s %3s " % print("%-6s %-16s %4s %3s " %
("TID" if args.tid else "PID", "COMM", "FD", "ERR"), end="") ("TID" if args.tid else "PID", "COMM", "FD", "ERR"), end="")
if args.extended_fields: if args.extended_fields:
...@@ -215,6 +234,9 @@ def print_event(cpu, data, size): ...@@ -215,6 +234,9 @@ def print_event(cpu, data, size):
delta = event.ts - initial_ts delta = event.ts - initial_ts
print("%-14.9f" % (float(delta) / 1000000), end="") print("%-14.9f" % (float(delta) / 1000000), end="")
if args.print_uid:
print("%-6d" % event.uid, end="")
print("%-6d %-16s %4d %3d " % print("%-6d %-16s %4d %3d " %
(event.id & 0xffffffff if args.tid else event.id >> 32, (event.id & 0xffffffff if args.tid else event.id >> 32,
event.comm.decode('utf-8', 'replace'), fd_s, err), end="") event.comm.decode('utf-8', 'replace'), fd_s, err), end="")
......
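Review bot: `args.uid` is spliced verbatim into the C source of the BPF program in the new `UID_FILTER` branch (`'if (uid != %s) { return 0; }' % args.uid`), so a non-numeric value produces a confusing BCC compile error instead of an argparse error; the existing `-p`/`-t` options share this pattern, but the new option could avoid it. Declaring `parser.add_argument("-u", "--uid", type=int, help="trace this UID only")` and testing `if args.uid is not None:` keeps uid 0 (root) filterable, which `if args.uid:` would silently drop once the value is an int. Worth a comment on the `u32 uid = bpf_get_current_uid_gid();` line: as far as I know this helper returns the task's real UID (not the effective UID) mapped into the initial user namespace, so set-uid binaries are reported under the invoking user's UID and processes inside user namespaces under their host-mapped UID — e.g. `// real UID in init_user_ns (low 32 bits); euid is not visible here`. The header block and `print_event` both start outside their hunks.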
...@@ -65,6 +65,27 @@ This shows the supervise process is opening the status.new file twice every ...@@ -65,6 +65,27 @@ This shows the supervise process is opening the status.new file twice every
second. second.
The -U option include UID on output:
# ./opensnoop -U
UID PID COMM FD ERR PATH
0 27063 vminfo 5 0 /var/run/utmp
103 628 dbus-daemon -1 2 /usr/local/share/dbus-1/system-services
103 628 dbus-daemon 18 0 /usr/share/dbus-1/system-services
103 628 dbus-daemon -1 2 /lib/dbus-1/system-services
The -u option filtering UID:
# ./opensnoop -Uu 1000
UID PID COMM FD ERR PATH
1000 30240 ls 3 0 /etc/ld.so.cache
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libc.so.6
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libdl.so.2
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
The -x option only prints failed opens: The -x option only prints failed opens:
# ./opensnoop -x # ./opensnoop -x
...@@ -172,9 +193,11 @@ Trace open() syscalls ...@@ -172,9 +193,11 @@ Trace open() syscalls
optional arguments: optional arguments:
-h, --help show this help message and exit -h, --help show this help message and exit
-T, --timestamp include timestamp on output -T, --timestamp include timestamp on output
-U, --print-uid include UID on output
-x, --failed only show failed opens -x, --failed only show failed opens
-p PID, --pid PID trace this PID only -p PID, --pid PID trace this PID only
-t TID, --tid TID trace this TID only -t TID, --tid TID trace this TID only
-u UID, --uid UID trace this UID only
-d DURATION, --duration DURATION -d DURATION, --duration DURATION
total duration of trace in seconds total duration of trace in seconds
-n NAME, --name NAME only print process names containing this name -n NAME, --name NAME only print process names containing this name
...@@ -186,9 +209,11 @@ optional arguments: ...@@ -186,9 +209,11 @@ optional arguments:
examples: examples:
./opensnoop # trace all open() syscalls ./opensnoop # trace all open() syscalls
./opensnoop -T # include timestamps ./opensnoop -T # include timestamps
./opensnoop -U # include UID
./opensnoop -x # only show failed opens ./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181 ./opensnoop -p 181 # only trace PID 181
./opensnoop -t 123 # only trace TID 123 ./opensnoop -t 123 # only trace TID 123
./opensnoop -u 1000 # only trace UID 1000
./opensnoop -d 10 # trace for 10 seconds only ./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -n main # only print process names containing "main" ./opensnoop -n main # only print process names containing "main"
./opensnoop -e # show extended fields ./opensnoop -e # show extended fields
......