#!/usr/bin/stap
# Trace syscalls issued from mount namespaces other than the tracer's own
# (the trace below shows a runc container init), plus root-namespace
# syscalls whose argument string mentions "/merged". The column layout is
# printed by the begin probe. @cast() on "struct task_struct" needs kernel
# debuginfo to resolve.
global root_ns;   # mnt-namespace inode number of the stap process, set in probe begin
# Record the tracer's own mount namespace as the baseline ("root") and print
# the column header once.
probe begin
{
    # Any task whose mnt_ns() differs from this value is treated as foreign.
    root_ns = mnt_ns();
    # One write producing the same bytes as "root ns: N" followed by
    # "\n<header>\n".
    printf("root ns: %d\n%20s %6s %16s %6s %16s %40s %s\n",
           root_ns, "PP", "UID", "MNT_NS", "PID", "COMM", "FLAGS", "PATH");
}
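# function mnt_ns:long()
# Returns the mount-namespace inode number (ns->inum) of the current task,
# or 0 when the namespace pointers cannot be followed. Resolving the struct
# members requires kernel debuginfo.
# Why the guards: a task that is tearing down (exit path) can carry a NULL
# nsproxy (TODO confirm for the target kernel); dereferencing it raised a
# stap runtime error in the original, and enough such errors abort the whole
# script. Callers compare the result with root_ns, so a 0 shows up as a
# foreign namespace with MNT_NS 0 rather than killing the trace.
function mnt_ns:long() {
    nsp = @cast(task_current(), "struct task_struct")->nsproxy;
    if (nsp == 0)
        return 0;
    mns = nsp->mnt_ns;
    if (mns == 0)
        return 0;
    return mns->ns->inum;
}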
# pivot_root is reported from every namespace (no root_ns filter); the trace
# below shows runc issuing one while setting up the container rootfs.
# FLAGS column carries the old root, PATH the new root.
probe syscall.pivot_root {
    ns = mnt_ns();
    caller = execname();
    printf("%20s %6d %16d %6d %16s %40s %s\n",
           name, uid(), ns, pid(), caller, old_root_str, new_root_str);
}
# Broad net over process, mount, fd, file-metadata and sandboxing syscalls.
# Events from the tracer's own mount namespace are dropped unless their
# argument string mentions "/merged" (presumably an overlayfs merged dir of
# a container rootfs — verify against the host's storage driver).
# Note: the "*at" wildcard also matches openat, which the open* probe
# reports a second time with a different column layout.
probe syscall.{clone*,exec*,mount*,unshare*,*write*,*read*,*at,*close*,dup*,rename,link,unlink,symlink,readlink,*chmod,*chown,*truncate,seccomp,ptrace,bpf} {
    ns = mnt_ns();
    # Same short-circuit as the original "skip if root ns and not /merged".
    if (ns != root_ns || argstr =~ "/merged")
        printf("%20s %6d %16d %6d %16s %40s %s\n", name, uid(), ns, pid(), execname(), "", argstr);
}
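# Opens from foreign mount namespaces that touch /proc, /sys or /dev, with
# the open flags as their own column. /proc/<pid>/stat opens are excluded
# as noise.
# Fix: openat also matches the "*at" wildcard of the general probe, so the
# original emitted every such openat twice (see the paired openat lines in
# the trace below). Names ending in "at" are skipped here so each call is
# logged once; plain open() is not in the general probe's list and is still
# reported here.
probe syscall.open*
{
    if (name =~ "at$")
        next;
    ns = mnt_ns();
    if (ns == root_ns)
        next;
    if (filename !~ "/proc|/sys|/dev")
        next;
    if (filename =~ "/proc/[0-9]+/stat")
        next;
    printf("%20s %6d %16d %6d %16s %40s %s\n", name, uid(), ns, pid(), execname(), flags_str, filename);
}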
root ns: 4026531840
PP UID MNT_NS PID COMM FLAGS PATH
pivot_root 0 4026532240 16348 runc:[2:INIT] "." "."
mount 0 4026532240 16348 runc:[2:INIT] "", ".", "", MS_REC|MS_SLAVE, 0x0
close 0 4026532240 16348 runc:[2:INIT] 8
close 0 4026532240 16348 runc:[2:INIT] 6
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/dev/null", O_RDWR|O_CLOEXEC
openat 0 4026532240 16348 runc:[2:INIT] O_RDWR|O_CLOEXEC "/dev/null"
fstat 0 4026532240 16348 runc:[2:INIT] 6, 0xc0000ff160
fstat 0 4026532240 16348 runc:[2:INIT] 0, 0xc0000ff0d0
dup3 0 4026532240 16348 runc:[2:INIT] 6, 0, 0x0
fstat 0 4026532240 16348 runc:[2:INIT] 1, 0xc0000ff0d0
fstat 0 4026532240 16348 runc:[2:INIT] 2, 0xc0000ff0d0
close 0 4026532240 16348 runc:[2:INIT] 6
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/", 0xc0001536f8, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/proc/bus", "/proc/bus", "", MS_BIND|MS_REC, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/proc/fs", "/proc/fs", "", MS_BIND|MS_REC, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/proc/irq", "/proc/irq", "", MS_BIND|MS_REC, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/proc/sys", "/proc/sys", "", MS_BIND|MS_REC, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/proc/sysrq-trigger", "/proc/sysrq-trigger", "", MS_BIND|MS_REC, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/asound", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/acpi", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/kcore", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/keys", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/latency_stats", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/timer_list", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/timer_stats", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/sched_debug", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/proc/scsi", "", MS_BIND, 0x0
mount 0 4026532240 16348 runc:[2:INIT] "/dev/null", "/sys/firmware", "", MS_BIND, 0x0
write 0 4026532240 16348 runc:[2:INIT] 3, "{\"type\":\"procReady\"}", 20
read 0 4026532240 16348 runc:[2:INIT] 3, 0xc0000ce400, 512
seccomp 0 4026532240 16348 runc:[2:INIT] SECCOMP_SET_MODE_STRICT, SECCOMP_FILTER_FLAG_TSYNC, 0x0
seccomp 0 4026532240 16348 runc:[2:INIT] SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 0x0
seccomp 0 4026532240 16348 runc:[2:INIT] SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, 0x558391f57100
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/proc/self/fd", O_RDONLY|O_CLOEXEC
openat 0 4026532240 16348 runc:[2:INIT] O_RDONLY|O_CLOEXEC "/proc/self/fd"
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/proc/self/fd/5", 0xc0001537c8, AT_SYMLINK_NOFOLLOW
close 0 4026532240 16348 runc:[2:INIT] 6
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/proc/self/status", O_RDONLY|O_CLOEXEC
openat 0 4026532240 16348 runc:[2:INIT] O_RDONLY|O_CLOEXEC "/proc/self/status"
read 0 4026532240 16348 runc:[2:INIT] 6, 0xc000166000, 4096
close 0 4026532240 16348 runc:[2:INIT] 6
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC
read 0 4026532240 16348 runc:[2:INIT] 6, 0xc000167000, 4096
read 0 4026532240 16348 runc:[2:INIT] 6, 0xc000167154, 3756
read 0 4026532240 16348 runc:[2:INIT] 8, 0xc000168000, 4096
read 0 4026532240 16348 runc:[2:INIT] 8, 0xc000168133, 3789
close 0 4026532240 16348 runc:[2:INIT] 8
close 0 4026532240 16348 runc:[2:INIT] 6
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC
read 0 4026532240 16348 runc:[2:INIT] 6, 0xc000169000, 4096
read 0 4026532240 16348 runc:[2:INIT] 6, 0xc000169133, 3789
close 0 4026532240 16348 runc:[2:INIT] 6
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/dev/null", 0xc0000febb8, 0x0
fstat 0 4026532240 16348 runc:[2:INIT] 0, 0xc0000feb28
fstat 0 4026532240 16348 runc:[2:INIT] 2, 0xc0000feb28
fchown 0 4026532240 16348 runc:[2:INIT] 2, 0, 0
fstat 0 4026532240 16348 runc:[2:INIT] 1, 0xc0000feb28
fchown 0 4026532240 16348 runc:[2:INIT] 1, 0, 0
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/proc/self/setgroups", O_RDONLY|O_CLOEXEC
openat 0 4026532240 16348 runc:[2:INIT] O_RDONLY|O_CLOEXEC "/proc/self/setgroups"
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/usr/local/sbin/ls", 0xc000153898, 0x0
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/usr/local/bin/ls", 0xc000153968, 0x0
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/usr/sbin/ls", 0xc000153a38, 0x0
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/usr/bin/ls", 0xc000153b08, 0x0
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/sbin/ls", 0xc000153bd8, 0x0
fstatat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/bin/ls", 0xc000153ca8, 0x0
close 0 4026532240 16348 runc:[2:INIT] 3
openat 0 4026532240 16348 runc:[2:INIT] AT_FDCWD, "/proc/self/fd/5", O_WRONLY|O_CLOEXEC
openat 0 4026532240 16348 runc:[2:INIT] O_WRONLY|O_CLOEXEC "/proc/self/fd/5"
write 0 4026532240 16348 runc:[2:INIT] 3, "0", 1
close 0 4026532240 16348 runc:[2:INIT] 5
execve 0 4026532240 16348 runc:[2:INIT] "/bin/ls", ["ls", "-lisa", "/dev/shm/proc/self/fd"], ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "HOSTNAME=dev-leo-fedora", "HOME=/root"]