@erickt
Created October 27, 2010 00:06
/**
 * __task_file_handle_filp - look up the struct file behind @fd in @task's
 * open-file table
 *
 * Embedded C (guru mode).  Returns the raw kernel pointer as a long, or 0
 * when the task has no files table or @fd is not an open descriptor.
 * @task: task_struct pointer.
 * @fd: file descriptor number to look up.
 *
 * NOTE(review): the lookup runs under rcu_read_lock(), but the struct file
 * is NOT reference-counted (no get_file()), so the pointer handed back to
 * script code is only as stable as the descriptor: a concurrent close() or
 * dup2() in the target task can free or reuse it.  Acceptable for
 * best-effort tracing; do not treat the result as authoritative.
 * NOTE(review): fcheck_files() is the kernel API of this gist's era; later
 * kernels renamed it (presumably files_lookup_fd_rcu) -- verify on target.
 */
function __task_file_handle_filp:long(task:long, fd:long) %{ /* pure */
struct task_struct *p = (struct task_struct *)((long)THIS->task);
struct files_struct *files;
struct file *filp;
rcu_read_lock();
/* kread() is a fault-safe read; a bogus task pointer lands in deref_fault below. */
if ((files = kread(&p->files))) {
/* No range check on fd here: the code relies on fcheck_files() to reject
 * out-of-range descriptors by returning NULL. */
if ((filp = fcheck_files(files, THIS->fd))) {
THIS->__retvalue = (long)filp;
}
}
/* deref_fault target; kept before the unlock so a faulted kread still drops the RCU lock. */
CATCH_DEREF_FAULT();
rcu_read_unlock();
%}
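/**
 * __task_dentry_prepend - prepend a dentry's name onto a path being built
 *
 * The path is assembled right-to-left: @name is the part built so far
 * (the child side) and the name of @dentry is placed in front of it.
 * @dentry: dentry pointer whose d_name is prepended.
 * @name: path assembled so far ("" on the first call).
 *
 * Returns @name with the dentry's name prepended.  When both the dentry
 * name and the last character of @name are "/", @name is returned
 * unchanged so that walking through a mount-point trigger, which can yield
 * several instances of a root mount, does not produce runs of "/".
 */
function __task_dentry_prepend:string(dentry:long,name:string)
{
	dname = d_name(dentry)

	/*
	 * Last character of the path built so far, or "" for an empty path.
	 * The length argument must be 1: the former
	 * substr(name, strlen(name)-1, strlen(name)-1) asks for zero bytes
	 * when name is a single character such as "/", which returned "" and
	 * defeated the duplicate-root check below.
	 */
	if (name == "")
		last = ""
	else
		last = substr(name, strlen(name)-1, 1)

	/*
	 * In case we are following down a mount point trigger, we can get
	 * multiple instances of a root mount.
	 */
	if (dname == "/" && last == "/")
		return name

	if (name == "")
		return dname
	return sprintf("%s/%s", dname, name)
}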
/**
 * __task_dentry_path - build the full path of a dentry as seen by a task
 *
 * Walks @dentry up through d_parent, crossing mount points via
 * mnt_mountpoint/mnt_parent, until it reaches @task's fs->root (or the
 * global root), prepending each component.  Modelled on the kernel's
 * d_path(), but resolved against the task's OWN root: a chroot()ed or
 * mount-namespaced task gets a path relative to its root, not the host's,
 * so callers matching the result against host-level prefixes must keep
 * that in mind.
 * @task: task_struct pointer.
 * @dentry: dentry pointer.
 * @vfsmnt: vfsmount pointer.
 *
 * Returns the path with a leading "/".  The walk takes no locks and the
 * mount tree may change underneath it; treat the output as best-effort.
 * NOTE(review): the while(1) loop has no explicit depth bound, so a corrupt
 * or cyclic dentry/mount chain is only stopped by SystemTap's action limit
 * (MAXACTION), which aborts the script rather than returning.
 * NOTE(review): the vfsmount field names (mnt_parent, mnt_mountpoint) match
 * kernels of this gist's era; later kernels moved them -- verify on target.
 */
function __task_dentry_path(task:long, dentry:long, vfsmnt:long)
{
/* The task's own root, so the result is relative to a chroot/namespace root. */
root = & @cast(task, "task_struct")->fs->root
/* name starts as "" (SystemTap string locals default to empty) and grows leftwards. */
while (1) {
/* Reached the task's root: the path is complete. */
if (dentry == @cast(root, "path")->dentry &&
vfsmnt == @cast(root, "path")->mnt)
break;
if (dentry == @cast(vfsmnt, "vfsmount")->mnt_root ||
__dentry_IS_ROOT(dentry)) {
/* Global root? */
if (@cast(vfsmnt, "vfsmount")->mnt_parent == vfsmnt) {
return sprintf("/%s", name)
}
/* Hop from this mount's root to the dentry it is mounted on in the parent mount. */
dentry = @cast(vfsmnt, "vfsmount")->mnt_mountpoint
vfsmnt = @cast(vfsmnt, "vfsmount")->mnt_parent
continue
}
name = __task_dentry_prepend(dentry, name)
dentry = @cast(dentry, "dentry")->d_parent
}
return sprintf("/%s", name)
}
/**
 * sfunction task_file_handle_path - get the full path of a file descriptor
 *
 * Resolves @fd in @task's open-file table to its struct file and builds
 * the full path as the task sees it, in the manner of the kernel's
 * d_path().  The f_path.{dentry,mnt} members are used when the running
 * kernel defines them, otherwise the older f_dentry/f_vfsmnt fields.
 * @task: task_struct pointer.
 * @fd: File descriptor.
 *
 * Returns the path, or "" when @fd is not an open descriptor of @task.
 */
function task_file_handle_path:string(task:long, fd:long)
{
	file_ptr = __task_file_handle_filp(task, fd)
	if (file_ptr == 0)
		return ""

	/* Pick the dentry/mount fields that exist on this kernel. */
	if (@defined(@cast(file_ptr,"file")->f_path->dentry)) {
		path_dentry = @cast(file_ptr,"file")->f_path->dentry
	} else {
		path_dentry = @cast(file_ptr,"file")->f_dentry
	}
	if (@defined(@cast(file_ptr,"file")->f_path->mnt)) {
		path_mnt = @cast(file_ptr,"file")->f_path->mnt
	} else {
		path_mnt = @cast(file_ptr,"file")->f_vfsmnt
	}

	return __task_dentry_path(task, path_dentry, path_mnt)
}
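/**
 * startswith - test whether a string begins with a prefix
 *
 * Embedded C; compares the first strlen(@needle) bytes of @haystack with
 * @needle.  An empty @needle matches every @haystack.  Marked pure, like
 * __task_file_handle_filp above, since it has no side effects.
 * @haystack: string to test.
 * @needle: prefix to look for.
 *
 * Returns 1 when @haystack starts with @needle, 0 otherwise.
 */
function startswith:long (haystack:string, needle:string)
%{ /* pure */
/* strncmp stops at either string's terminator, so a haystack shorter than
 * the prefix compares unequal instead of being read past its end. */
THIS->__retvalue = strncmp(THIS->haystack, THIS->needle, strlen(THIS->needle)) == 0;
%}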
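/*
 * Report files opened under /usr/ or /opt/ by processes whose uid is the
 * script's first argument (stap this.stp <uid>).
 *
 * The path is resolved from the descriptor the syscall actually returned,
 * not from the pathname argument, so relative paths and symlinks are
 * already resolved.  Both open(2) and openat(2) are hooked: libc may
 * implement open() on top of openat, and hooking open alone misses those.
 *
 * Caveats for anyone consuming this output:
 *  - the path is relative to the task's own root (see __task_dentry_path),
 *    so a chroot()ed or namespaced task's "/usr/..." need not be the host's;
 *  - execname() and the path are attacker-influenced strings printed raw;
 *    a name containing "\n" or terminal escapes can forge or mangle log
 *    lines -- sanitize (e.g. text_str(), where the tapset provides it)
 *    before trusting this as an audit trail;
 *  - the fd is looked up after the syscall returns without holding a
 *    reference; a racing close()/dup2() in the same process can yield ""
 *    or a different file.
 */
probe syscall.open.return, syscall.openat.return
{
	/* $return is the new descriptor on success, a negative errno otherwise. */
	if (uid() == $1 && $return >= 0) {
		filename = task_file_handle_path(task_current(), $return)
		if (startswith(filename, "/usr/") || startswith(filename, "/opt/")) {
			printf("%s:%d:%d:%s\n",
			       execname(), pid(), gettimeofday_ms(), filename)
		}
	}
}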