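#!/usr/sbin/dtrace -s
/* -
 * Copyright (c) 2014-2016 Devin Teske <dteske@FreeBSD.org>
 * All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Title: dtrace(1) script to log process(es) entering syscall::kill $
 * $FreeBSD$
 */

#pragma D option quiet
/*
 * Only clause-local (this->) variables are used below, so dynvarsize has no
 * effect unless thread-local or associative-array variables are added later.
 */
#pragma D option dynvarsize=16m
#pragma D option switchrate=10hz

/*********************************************************/

/*
 * Log every kill(2) call: who sent it, what signal, to which pid, and the
 * command lines of the caller and its three nearest ancestors (pstree-like).
 *
 * All state is clause-local and therefore valid only for this one probe
 * firing.  In particular the caller's name must be read from the execname
 * builtin here, not cached by a separate execve:entry clause -- a this->
 * variable set in another probe is undefined by the time kill:entry fires.
 *
 * Review notes for anyone consuming this log as evidence:
 *  - argv comes from p_args, which the process can rewrite at will (e.g.
 *    setproctitle(3)), so it is untrusted text and is printed verbatim; a
 *    process can embed newlines or terminal escapes to forge log lines.
 *    Do not rely on line boundaries when post-processing this output.
 *  - cr_uid is the *effective* uid while cr_rgid is the *real* gid; the pair
 *    is kept as-is to preserve the existing output format.  Use cr_ruid or
 *    cr_groups[0] if real-uid / effective-gid attribution is required.
 */
syscall::kill:entry
{
	/* arg0 is signed: 0, -1 and -pgrp are all legitimate targets */
	this->pid_to_kill = (pid_t)arg0;
	/* signal 0 is an existence/permission probe, not a delivery */
	this->kill_signal = (int)arg1;

	/******************* CURPROC *******************/

	/* The calling process; curthread->td_proc is valid inside a syscall */
	this->proc = curthread->td_proc;
	this->pid0 = this->proc->p_pid;
	this->uid0 = this->proc->p_ucred->cr_uid;
	this->gid0 = this->proc->p_ucred->cr_rgid;

	/*
	 * p_args may be NULL (no argv recorded); then fall back to p_comm.
	 * ar_args is a run of NUL-terminated strings, ar_length bytes total.
	 */
	this->p_args = this->proc->p_args;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	/* Walk at most four arguments; anything beyond is shown as "..." */
	this->arg0_0 = this->ar_length > 0 ?
	    this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_4 = this->ar_length > 0 ? "..." : "";

	/******************* PPARENT *******************/

	/*
	 * p_pptr can be NULL once the walk runs off the top of the process
	 * tree, so every dereference from here on is guarded.  A missing
	 * ancestor is reported as pid 0, creds 0.0 and an empty name.
	 */
	this->proc = this->proc->p_pptr;
	this->pid1 = this->proc ? this->proc->p_pid : 0;
	this->uid1 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid1 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg1_0 = this->ar_length > 0 ? this->ar_args :
	    (this->proc ? stringof(this->proc->p_comm) : "");
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_4 = this->ar_length > 0 ? "..." : "";

	/******************* GPARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid2 = this->proc ? this->proc->p_pid : 0;
	this->uid2 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid2 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg2_0 = this->ar_length > 0 ? this->ar_args :
	    (this->proc ? stringof(this->proc->p_comm) : "");
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_4 = this->ar_length > 0 ? "..." : "";

	/******************* APARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid3 = this->proc ? this->proc->p_pid : 0;
	this->uid3 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid3 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg3_0 = this->ar_length > 0 ? this->ar_args :
	    (this->proc ? stringof(this->proc->p_comm) : "");
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_4 = this->ar_length > 0 ? "..." : "";

	/***********************************************/

	/*
	 * Header: time, caller name[pid], caller argv, signal and target.
	 *
	 * %Y wants nanoseconds since the Unix epoch, which is walltimestamp.
	 * The monotonic `timestamp' builtin counts from an arbitrary origin
	 * (boot); adding a fixed offset to it yields wrong wall-clock times,
	 * which is unacceptable for a log used to build an incident timeline.
	 * The pid printed next to execname is the caller's own pid.
	 */
	printf("%Y %s[%d]: ", walltimestamp, execname, this->pid0);
	printf("%s", this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	/* %d, not %u: kill(-1, sig) must not be logged as pid 4294967295 */
	printf(" (sending signal %d to pid %d)",
	    this->kill_signal, this->pid_to_kill);
	printf("\n");

	/*
	 * Process tree, oldest ancestor first.  The backslash in the tree
	 * prefix is escaped explicitly so it prints as `\-+=' regardless of
	 * how a bare `\-' would be interpreted.  Each level always ends its
	 * line, even when the ancestor slot is empty, so lines never run on.
	 */
	printf(" -+= %05d %d.%d %s",
	    this->pid3, this->uid3, this->gid3, this->arg3_0);
	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
	printf("\n");

	printf(" \\-+= %05d %d.%d %s",
	    this->pid2, this->uid2, this->gid2, this->arg2_0);
	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
	printf("\n");

	printf(" \\-+= %05d %d.%d %s",
	    this->pid1, this->uid1, this->gid1, this->arg1_0);
	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
	printf("\n");

	printf(" \\-+= %05d %d.%d %s",
	    this->pid0, this->uid0, this->gid0, this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");
}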