f8990370
Commit
f8990370
authored
Jan 02, 2019
by
takumakume
opensnoop: supported uid options
parent
dccc4f28
Showing
3 changed files
with
64 additions
and
0 deletions
+64
-0
man/man8/opensnoop.8
man/man8/opensnoop.8
+17
-0
tools/opensnoop.py
tools/opensnoop.py
+22
-0
tools/opensnoop_example.txt
tools/opensnoop_example.txt
+25
-0
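--- a/man/man8/opensnoop.8
+++ b/man/man8/opensnoop.8
@@ -27,6 +27,9 @@ Print usage message.
 \-T
 Include a timestamp column.
 .TP
+\-U
+Show UID.
+.TP
 \-x
 Only print failed opens.
 .TP
@@ -36,6 +39,9 @@ Trace this process ID only (filtered in-kernel).
 \-t TID
 Trace this thread ID only (filtered in-kernel).
 .TP
+\-u UID
+Trace this UID only (filtered in-kernel).
+.TP
 \-d DURATION
 Total duration of trace in seconds.
 .TP
@@ -61,6 +67,10 @@ Trace all open() syscalls, and include timestamps:
 #
 .B opensnoop \-T
 .TP
+Show UID:
+#
+.B opensnoop \-U
+.TP
 Trace only open() syscalls that failed:
 #
 .B opensnoop \-x
@@ -69,6 +79,10 @@ Trace PID 181 only:
 #
 .B opensnoop \-p 181
 .TP
+Trace UID 1000 only:
+#
+.B opensnoop \-u 1000
+.TP
 Trace all open() syscalls from processes where its name partially matches 'ed':
 #
 .B opensnoop \-n ed
@@ -85,6 +99,9 @@ Only print calls for writing:
 TIME(s)
 Time of the call, in seconds.
 .TP
+UID
+User ID
+.TP
 PID
 Process ID
 .TP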
tools/opensnoop.py
...
@@ -13,6 +13,7 @@
...
@@ -13,6 +13,7 @@
# 29-Apr-2016 Allan McAleavy Updated for BPF_PERF_OUTPUT.
# 29-Apr-2016 Allan McAleavy Updated for BPF_PERF_OUTPUT.
# 08-Oct-2016 Dina Goldshtein Support filtering by PID and TID.
# 08-Oct-2016 Dina Goldshtein Support filtering by PID and TID.
# 28-Dec-2018 Tim Douglas Print flags argument, enable filtering
# 28-Dec-2018 Tim Douglas Print flags argument, enable filtering
# 06-Jan-2019 Takuma Kume Support filtering by UID
from
__future__
import
print_function
from
__future__
import
print_function
from
bcc
import
ArgString
,
BPF
from
bcc
import
ArgString
,
BPF
...
@@ -25,9 +26,11 @@ import os
...
@@ -25,9 +26,11 @@ import os
examples
=
"""examples:
examples
=
"""examples:
./opensnoop # trace all open() syscalls
./opensnoop # trace all open() syscalls
./opensnoop -T # include timestamps
./opensnoop -T # include timestamps
./opensnoop -U # include UID
./opensnoop -x # only show failed opens
./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181
./opensnoop -p 181 # only trace PID 181
./opensnoop -t 123 # only trace TID 123
./opensnoop -t 123 # only trace TID 123
./opensnoop -u 1000 # only trace UID 1000
./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -n main # only print process names containing "main"
./opensnoop -n main # only print process names containing "main"
./opensnoop -e # show extended fields
./opensnoop -e # show extended fields
...
@@ -39,12 +42,16 @@ parser = argparse.ArgumentParser(
...
@@ -39,12 +42,16 @@ parser = argparse.ArgumentParser(
epilog
=
examples
)
epilog
=
examples
)
parser
.
add_argument
(
"-T"
,
"--timestamp"
,
action
=
"store_true"
,
parser
.
add_argument
(
"-T"
,
"--timestamp"
,
action
=
"store_true"
,
help
=
"include timestamp on output"
)
help
=
"include timestamp on output"
)
parser
.
add_argument
(
"-U"
,
"--print-uid"
,
action
=
"store_true"
,
help
=
"print UID column"
)
parser
.
add_argument
(
"-x"
,
"--failed"
,
action
=
"store_true"
,
parser
.
add_argument
(
"-x"
,
"--failed"
,
action
=
"store_true"
,
help
=
"only show failed opens"
)
help
=
"only show failed opens"
)
parser
.
add_argument
(
"-p"
,
"--pid"
,
parser
.
add_argument
(
"-p"
,
"--pid"
,
help
=
"trace this PID only"
)
help
=
"trace this PID only"
)
parser
.
add_argument
(
"-t"
,
"--tid"
,
parser
.
add_argument
(
"-t"
,
"--tid"
,
help
=
"trace this TID only"
)
help
=
"trace this TID only"
)
parser
.
add_argument
(
"-u"
,
"--uid"
,
help
=
"trace this UID only"
)
parser
.
add_argument
(
"-d"
,
"--duration"
,
parser
.
add_argument
(
"-d"
,
"--duration"
,
help
=
"total duration of trace in seconds"
)
help
=
"total duration of trace in seconds"
)
parser
.
add_argument
(
"-n"
,
"--name"
,
parser
.
add_argument
(
"-n"
,
"--name"
,
...
@@ -85,6 +92,7 @@ struct val_t {
...
@@ -85,6 +92,7 @@ struct val_t {
struct data_t {
struct data_t {
u64 id;
u64 id;
u64 ts;
u64 ts;
u32 uid;
int ret;
int ret;
char comm[TASK_COMM_LEN];
char comm[TASK_COMM_LEN];
char fname[NAME_MAX];
char fname[NAME_MAX];
...
@@ -100,8 +108,10 @@ int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename, int f
...
@@ -100,8 +108,10 @@ int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename, int f
u64 id = bpf_get_current_pid_tgid();
u64 id = bpf_get_current_pid_tgid();
u32 pid = id >> 32; // PID is higher part
u32 pid = id >> 32; // PID is higher part
u32 tid = id; // Cast and get the lower part
u32 tid = id; // Cast and get the lower part
u32 uid = bpf_get_current_uid_gid();
PID_TID_FILTER
PID_TID_FILTER
UID_FILTER
FLAGS_FILTER
FLAGS_FILTER
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
val.id = id;
val.id = id;
...
@@ -130,6 +140,7 @@ int trace_return(struct pt_regs *ctx)
...
@@ -130,6 +140,7 @@ int trace_return(struct pt_regs *ctx)
bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
data.id = valp->id;
data.id = valp->id;
data.ts = tsp / 1000;
data.ts = tsp / 1000;
data.uid = bpf_get_current_uid_gid();
data.flags = valp->flags; // EXTENDED_STRUCT_MEMBER
data.flags = valp->flags; // EXTENDED_STRUCT_MEMBER
data.ret = PT_REGS_RC(ctx);
data.ret = PT_REGS_RC(ctx);
...
@@ -147,6 +158,11 @@ elif args.pid:
...
@@ -147,6 +158,11 @@ elif args.pid:
'if (pid != %s) { return 0; }'
%
args
.
pid
)
'if (pid != %s) { return 0; }'
%
args
.
pid
)
else
:
else
:
bpf_text
=
bpf_text
.
replace
(
'PID_TID_FILTER'
,
''
)
bpf_text
=
bpf_text
.
replace
(
'PID_TID_FILTER'
,
''
)
if
args
.
uid
:
bpf_text
=
bpf_text
.
replace
(
'UID_FILTER'
,
'if (uid != %s) { return 0; }'
%
args
.
uid
)
else
:
bpf_text
=
bpf_text
.
replace
(
'UID_FILTER'
,
''
)
if
args
.
flag_filter
:
if
args
.
flag_filter
:
bpf_text
=
bpf_text
.
replace
(
'FLAGS_FILTER'
,
bpf_text
=
bpf_text
.
replace
(
'FLAGS_FILTER'
,
'if (!(flags & %d)) { return 0; }'
%
flag_filter_mask
)
'if (!(flags & %d)) { return 0; }'
%
flag_filter_mask
)
...
@@ -172,6 +188,7 @@ class Data(ct.Structure):
...
@@ -172,6 +188,7 @@ class Data(ct.Structure):
_fields_
=
[
_fields_
=
[
(
"id"
,
ct
.
c_ulonglong
),
(
"id"
,
ct
.
c_ulonglong
),
(
"ts"
,
ct
.
c_ulonglong
),
(
"ts"
,
ct
.
c_ulonglong
),
(
"uid"
,
ct
.
c_uint32
),
(
"ret"
,
ct
.
c_int
),
(
"ret"
,
ct
.
c_int
),
(
"comm"
,
ct
.
c_char
*
TASK_COMM_LEN
),
(
"comm"
,
ct
.
c_char
*
TASK_COMM_LEN
),
(
"fname"
,
ct
.
c_char
*
NAME_MAX
),
(
"fname"
,
ct
.
c_char
*
NAME_MAX
),
...
@@ -183,6 +200,8 @@ initial_ts = 0
...
@@ -183,6 +200,8 @@ initial_ts = 0
# header
# header
if
args
.
timestamp
:
if
args
.
timestamp
:
print
(
"%-14s"
%
(
"TIME(s)"
),
end
=
""
)
print
(
"%-14s"
%
(
"TIME(s)"
),
end
=
""
)
if
args
.
print_uid
:
print
(
"%-6s"
%
(
"UID"
),
end
=
""
)
print
(
"%-6s %-16s %4s %3s "
%
print
(
"%-6s %-16s %4s %3s "
%
(
"TID"
if
args
.
tid
else
"PID"
,
"COMM"
,
"FD"
,
"ERR"
),
end
=
""
)
(
"TID"
if
args
.
tid
else
"PID"
,
"COMM"
,
"FD"
,
"ERR"
),
end
=
""
)
if
args
.
extended_fields
:
if
args
.
extended_fields
:
...
@@ -215,6 +234,9 @@ def print_event(cpu, data, size):
...
@@ -215,6 +234,9 @@ def print_event(cpu, data, size):
delta
=
event
.
ts
-
initial_ts
delta
=
event
.
ts
-
initial_ts
print
(
"%-14.9f"
%
(
float
(
delta
)
/
1000000
),
end
=
""
)
print
(
"%-14.9f"
%
(
float
(
delta
)
/
1000000
),
end
=
""
)
if
args
.
print_uid
:
print
(
"%-6d"
%
event
.
uid
,
end
=
""
)
print
(
"%-6d %-16s %4d %3d "
%
print
(
"%-6d %-16s %4d %3d "
%
(
event
.
id
&
0xffffffff
if
args
.
tid
else
event
.
id
>>
32
,
(
event
.
id
&
0xffffffff
if
args
.
tid
else
event
.
id
>>
32
,
event
.
comm
.
decode
(
'utf-8'
,
'replace'
),
fd_s
,
err
),
end
=
""
)
event
.
comm
.
decode
(
'utf-8'
,
'replace'
),
fd_s
,
err
),
end
=
""
)
...
...
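Review bot: The new `-u`/`--uid` option in the argparse hunk (@@ -39,12 +42,16 @@) accepts a free-form string that the filter hunk (@@ -147,6 +158,11 @@) interpolates verbatim into the generated BPF C program as `'if (uid != %s) { return 0; }' % args.uid`, so a non-numeric value surfaces as a BPF compile error rather than a usage error; declaring it as `parser.add_argument("-u", "--uid", type=int, help="trace this UID only")` validates the value before it reaches the C source (the existing `--pid`/`--tid` arguments share the string form, so this is also the place to align them). In trace_entry `u32 uid = bpf_get_current_uid_gid();` and in trace_return `data.uid = bpf_get_current_uid_gid();` both rely on implicit truncation of the helper's 64-bit `gid << 32 | uid` result; a comment matching the neighbouring `// Cast and get the lower part` would make that explicit, e.g. `u32 uid = bpf_get_current_uid_gid(); // UID is the lower 32 bits`. Both trace_entry and trace_return begin outside their hunks. As far as I recall the helper reports the task's real UID rather than its effective UID, which matters when tracing set-uid programs and would be worth stating in the `--uid` help text once confirmed.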
tools/opensnoop_example.txt
...
@@ -65,6 +65,27 @@ This shows the supervise process is opening the status.new file twice every
...
@@ -65,6 +65,27 @@ This shows the supervise process is opening the status.new file twice every
second.
second.
The -U option include UID on output:
# ./opensnoop -U
UID PID COMM FD ERR PATH
0 27063 vminfo 5 0 /var/run/utmp
103 628 dbus-daemon -1 2 /usr/local/share/dbus-1/system-services
103 628 dbus-daemon 18 0 /usr/share/dbus-1/system-services
103 628 dbus-daemon -1 2 /lib/dbus-1/system-services
The -u option filtering UID:
# ./opensnoop -Uu 1000
UID PID COMM FD ERR PATH
1000 30240 ls 3 0 /etc/ld.so.cache
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libc.so.6
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libdl.so.2
1000 30240 ls 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
The -x option only prints failed opens:
The -x option only prints failed opens:
# ./opensnoop -x
# ./opensnoop -x
...
@@ -172,9 +193,11 @@ Trace open() syscalls
...
@@ -172,9 +193,11 @@ Trace open() syscalls
optional arguments:
optional arguments:
-h, --help show this help message and exit
-h, --help show this help message and exit
-T, --timestamp include timestamp on output
-T, --timestamp include timestamp on output
-U, --print-uid include UID on output
-x, --failed only show failed opens
-x, --failed only show failed opens
-p PID, --pid PID trace this PID only
-p PID, --pid PID trace this PID only
-t TID, --tid TID trace this TID only
-t TID, --tid TID trace this TID only
-u UID, --uid UID trace this UID only
-d DURATION, --duration DURATION
-d DURATION, --duration DURATION
total duration of trace in seconds
total duration of trace in seconds
-n NAME, --name NAME only print process names containing this name
-n NAME, --name NAME only print process names containing this name
...
@@ -186,9 +209,11 @@ optional arguments:
...
@@ -186,9 +209,11 @@ optional arguments:
examples:
examples:
./opensnoop # trace all open() syscalls
./opensnoop # trace all open() syscalls
./opensnoop -T # include timestamps
./opensnoop -T # include timestamps
./opensnoop -U # include UID
./opensnoop -x # only show failed opens
./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181
./opensnoop -p 181 # only trace PID 181
./opensnoop -t 123 # only trace TID 123
./opensnoop -t 123 # only trace TID 123
./opensnoop -u 1000 # only trace UID 1000
./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -n main # only print process names containing "main"
./opensnoop -n main # only print process names containing "main"
./opensnoop -e # show extended fields
./opensnoop -e # show extended fields
...
...