Created
November 30, 2021 13:32
Systemtap script to print details of `umount` system calls.
# unmount-watcher.stp
# Watches for filesystem unmounts and prints additional information about them.
# Authored by Robb Manes <robbmanes@protonmail.com>
# Execute by running:
#     stap unmount-watcher.stp > unmount-watcher.out
# In containerized environments, the unmounting process may belong to a different PID namespace, so it's useful to print the
# entire process tree (the caller and each of its ancestors) to determine where it came from.
# This is borrowed from https://sourceware.org/systemtap/examples/network/connect_stat.stp
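# Print the ancestry of the task that triggered the probe on a single
# tab-indented line:
#
#     execname (pid),uid,gid -> execname (pid),uid,gid -> ... -> root
#
# The walk starts at the current task and follows task_parent() upward until
# it reaches a task whose parent reports PID 0. That last task is the root of
# the chain and is printed without a trailing arrow.
#
# NOTE(review): the PID/UID/GID values are presumably those seen by the host
# kernel rather than translated into a container's namespaces -- confirm
# before correlating them with IDs observed inside a container.
function process_tree () {
    cur_proc = task_current();
    parent_pid = task_pid(task_parent(cur_proc));

    printf("\t");

    # Emit every task that still has a non-zero-PID parent above it.
    while (parent_pid != 0) {
        printf("%s (%d),%d,%d -> ",
               task_execname(cur_proc),
               task_pid(cur_proc),
               task_uid(cur_proc),
               task_gid(cur_proc));
        cur_proc = task_parent(cur_proc);
        parent_pid = task_pid(task_parent(cur_proc));
    }

    # Always print the root and terminate the line. The original printed it
    # only when its PID was 1, so a chain that ended anywhere else (for
    # example one rooted at a kernel thread rather than init) was left as a
    # dangling " -> " with no newline, and the next record ran into it.
    printf("%s (%d),%d,%d\n",
           task_execname(cur_proc),
           task_pid(cur_proc),
           task_uid(cur_proc),
           task_gid(cur_proc));
}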
# Session start: announce that the watcher is armed.
probe begin {
    print("Watching all \"umount\" system calls...\n");
}
# Fires on entry to the umount system call. For each call it logs a
# timestamp, the unmount target, and the calling process name and PID,
# followed by that process's ancestry line from process_tree().
#
# This is the entry probe, so it records that an unmount was requested; it
# does not show whether the call succeeded.
probe syscall.umount {
    stamp = ctime(gettimeofday_s());
    caller = execname();
    caller_pid = pid();

    printf("[%s] Unmount of %s issued by process %s (PID %d)\n",
           stamp, target, caller, caller_pid);

    process_tree();
}
# Session shutdown: note that the watcher is stopping.
probe end {
    print("Exiting \"umount\" watcher...\n");
}