Last active
July 16, 2020 22:29
-
-
Save dreness/5d8ddbc27573080c30e52f834b4a9cab to your computer and use it in GitHub Desktop.
Try to find out who is opening, reading from, writing to, deleting a file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/sbin/dtrace -s | |
#pragma D option quiet | |
#pragma D option switchrate=10hz | |
/* pass the filename to watch for as the only cli argument */ | |
dtrace:::BEGIN | |
{ | |
/* double dollar sign to stringify cli arg */ | |
fname = $$1; | |
printf("%-12s %6s %6s %-12.12s %-12s %s\n", "TIME(ms)", "UID", | |
"PID", "PROCESS", "CALL", "DIR/FILE"); | |
} | |
/* | |
extern errno_t VNOP_CREATE(vnode_t, vnode_t *, struct componentname *, struct vnode_attr *, vfs_context_t); | |
extern errno_t VNOP_REMOVE(vnode_t, vnode_t, struct componentname *, int, vfs_context_t); | |
*/ | |
/* | |
fbt knows the types of the structs, so we can say: | |
args[0]->v_name | |
instead of: | |
((struct vnode *)arg0)->v_name | |
*/ | |
fbt::VNOP_CREATE:entry, | |
fbt::VNOP_REMOVE:entry | |
/fname == stringof(args[2]->cn_nameptr)/ | |
{ | |
/* | |
this->path = ((struct vnode *)arg0)->v_name; | |
this->name = ((struct componentname *)arg2)->cn_nameptr; | |
*/ | |
this->path = args[0]->v_name; | |
this->name = args[2]->cn_nameptr; | |
printf("%-12d %6d %6d %-12.12s %-12s %s/%s\n", | |
timestamp / 1000000, uid, pid, execname, probefunc, | |
this->path != NULL ? stringof(this->path) : "<null>", | |
stringof(this->name)); | |
ustack(); | |
printf("\n"); | |
} | |
/* | |
extern errno_t VNOP_OPEN(vnode_t, int, vfs_context_t); | |
*/ | |
/* | |
fbt::VNOP_OPEN:entry | |
/fname == stringof(args[0]->v_name)/ | |
{ | |
printf("%-12d %6d %6d %-12.12s %-12s %s\n", | |
timestamp / 1000000, uid, pid, execname, probefunc, | |
stringof(args[0]->v_name)); | |
ustack(); | |
printf("\n"); | |
} | |
*/ | |
/* | |
open(const char *path, int oflag, ...); | |
returns int FD | |
*/ | |
syscall::open:entry, syscall::open_nocancel:entry, syscall::open_extended:entry | |
{ | |
self->pathp = arg0; | |
self->ok = 1; | |
self->theProc = pid; | |
} | |
syscall::open:return, syscall::open_nocancel:return, syscall::open_extended:return | |
/self->ok && errno == 0 && pid == self->theProc && fname == basename(copyinstr(self->pathp))/ | |
{ | |
self->fname = basename(copyinstr(self->pathp)); | |
printf("%-12d %6d %6d %-12.12s %-12s %s\n", | |
timestamp / 1000000, uid, pid, execname, probefunc, | |
self->pathp != NULL ? copyinstr(self->pathp) : "<null>"); | |
self->pathp = NULL; | |
self->ok = NULL; | |
self->fd = arg1; | |
self->e = errno; | |
/* ustack(); */ | |
printf("\n"); | |
} | |
/* | |
read(int fd, void *buf, size_t nbyte); | |
*/ | |
syscall::read:entry | |
/self->theProc == pid && arg0 == self->fd && self->e == 0/ | |
{ | |
self->traceRead = 1; | |
self->theFD = arg0; | |
self->buf = arg1; | |
self->fd = NULL; | |
self->nbyte = arg2; | |
} | |
syscall::read:return | |
/arg0 != 0 && self->theProc == pid && self->theFD && self->traceRead == 1 && self->e == 0 && errno == 0/ | |
{ | |
/* | |
printf("theFD is: %d\n",self->theFD); | |
printf("theProc is: %d\n",self->theProc); | |
*/ | |
printf("%-12d %6d %6d %-12.12s %s:%s\n", | |
timestamp / 1000000, uid, pid, execname, probefunc, probename); | |
printf("requested %d bytes, got %d bytes\n",self->nbyte, arg0); | |
printf("\n%S\n",stringof(copyin(self->buf, self->nbyte))); | |
/* self->e = 1; */ | |
printf("\n"); | |
/* self->buf += arg0; */ | |
} | |
syscall::read:return | |
/arg0 == 0 && self->theProc == pid && self->theFD && self->traceRead == 1 && self->e == 0 && errno == 0/ | |
{ | |
printf("EOF for fd %d\n",self->theFD); | |
self->theFD = NULL; | |
self->thePid = NULL; | |
self->traceRead = 0; | |
self->buf = NULL; | |
self->nbyte = NULL; | |
} | |
syscall::rename:entry | |
/fname == copyinstr(arg0) || fname == copyinstr(arg1)/ | |
{ | |
printf("%-12d %6d %6d %-12.12s %-12s %s --> %s\n", | |
timestamp / 1000000, uid, pid, execname, probefunc, | |
copyinstr(arg0), copyinstr(arg1)); | |
ustack(); | |
printf("\n"); | |
} | |
ERROR | |
{ | |
printf("Error tracing %s!\n", execname); | |
} | |
/* maybe useful for listening with a wider net... */ | |
/* | |
fbt::VNOP_*:entry | |
/ | |
execname != "dtrace" && | |
execname != "Terminal" && | |
execname != "logd" && | |
execname != "WindowServer" && | |
execname != "syslogd" && | |
execname != "suggestd" && | |
execname != "locationd" | |
/ | |
{ | |
printf("%-12d %6d %6d %-12.12s %-12s\n", | |
timestamp / 1000000, uid, pid, execname, probefunc); | |
} | |
*/ |
Author
dreness
commented
Aug 10, 2017
•
p.s. this is still not quite right, e.g.
Error tracing adid!
dtrace: error on enabled probe ID 7 (ID 163: syscall::open:return): invalid user access in predicate at DIF offset 12
Knowing which reads to trace requires state keeping across various dtrace providers, and I think I’m not quite doing it right.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment