Add scripts for watching common entry points.

MFC after: 3 days X-MFC-to: stable/10
2016-01-22 07:19:30 +00:00 · 2016-01-22 07:19:30 +00:00 · 91dc0de665
commit 91dc0de665
parent 97c36a18ea
4 changed files with 940 additions and 1 deletions
--- a/share/dtrace/Makefile
+++ b/share/dtrace/Makefile
@ -22,7 +22,10 @@ SCRIPTS=	blocking \
 		tcpconn \
 		tcpstate \
 		tcptrack \
-		udptrack
+		udptrack \
+		watch_execve \
+		watch_kill \
+		watch_vop_remove

 SCRIPTSDIR= ${SHAREDIR}/dtrace

--- a/share/dtrace/watch_execve
+++ b/share/dtrace/watch_execve
@ -0,0 +1,227 @@
+#!/usr/sbin/dtrace -s
+/* -
+ * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org>
+ * All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Title: dtrace(1) script to log process(es) entering vfs::vop_remove $
+ * $FreeBSD$
+ */
+
+#pragma D option quiet
+#pragma D option dynvarsize=16m
+#pragma D option switchrate=10hz
+
+/*********************************************************/
+
+syscall::execve:entry /* probe ID 1 */
+{
+	this->caller_execname = execname;
+}
+
+/*********************************************************/
+
+syscall::execve:return /execname != this->caller_execname/ /* probe ID 2 */
+{
+	/*
+	 * Examine process, parent process, and grandparent process details
+	 */
+
+	/******************* CURPROC *******************/
+
+	this->proc = curthread->td_proc;
+	this->pid0 = this->proc->p_pid;
+	this->uid0 = this->proc->p_ucred->cr_uid;
+	this->gid0 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc->p_args;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg0_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* PPARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid1 = this->proc->p_pid;
+	this->uid1 = this->proc->p_ucred->cr_uid;
+	this->gid1 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg1_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* GPARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid2 = this->proc->p_pid;
+	this->uid2 = this->proc->p_ucred->cr_uid;
+	this->gid2 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg2_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* APARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid3 = this->proc->p_pid;
+	this->uid3 = this->proc->p_ucred->cr_uid;
+	this->gid3 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg3_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_4 = this->ar_length > 0 ? "..." : "";
+
+	/***********************************************/
+
+	/*
+	 * Print process, parent, and grandparent details
+	 */
+
+	printf("%Y %s[%d]: ", timestamp + 1406598400000000000,
+		this->caller_execname, this->pid1);
+	printf("%s", this->arg0_0);
+	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
+	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
+	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
+	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
+	printf("\n");
+
+	printf(" -+= %05d %d.%d %s",
+		this->pid3, this->uid3, this->gid3, this->arg3_0);
+	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
+	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
+	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
+	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
+	printf("%s", this->arg3_0 != "" ? "\n" : "");
+
+	printf("  \-+= %05d %d.%d %s",
+		this->pid2, this->uid2, this->gid2, this->arg2_0);
+	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
+	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
+	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
+	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
+	printf("%s", this->arg2_0 != "" ? "\n" : "");
+
+	printf("    \-+= %05d %d.%d %s",
+		this->pid1, this->uid1, this->gid1, this->arg1_0);
+	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
+	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
+	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
+	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
+	printf("%s", this->arg1_0 != "" ? "\n" : "");
+
+	printf("      \-+= %05d %d.%d %s",
+		this->pid0, this->uid0, this->gid0, this->arg0_0);
+	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
+	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
+	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
+	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
+	printf("%s", this->arg0_0 != "" ? "\n" : "");
+}
--- a/share/dtrace/watch_kill
+++ b/share/dtrace/watch_kill
@ -0,0 +1,233 @@
+#!/usr/sbin/dtrace -s
+/* -
+ * Copyright (c) 2014-2015 Devin Teske <dteske@FreeBSD.org>
+ * All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Title: dtrace(1) script to log process(es) entering syscall::kill $
+ * $FreeBSD$
+ */
+
+#pragma D option quiet
+#pragma D option dynvarsize=16m
+#pragma D option switchrate=10hz
+
+/*********************************************************/
+
+syscall::execve:entry /* probe ID 1 */
+{
+	this->caller_execname = execname;
+}
+
+/*********************************************************/
+
+fbt::kill:entry /* probe ID 2 */
+{
+	this->kill_args = (struct kill_args *)arg1;
+	this->pid_to_kill = this->kill_args->pid;
+	this->kill_signal = this->kill_args->signum;
+
+	/*
+	 * Examine process, parent process, and grandparent process details
+	 */
+
+	/******************* CURPROC *******************/
+
+	this->proc = curthread->td_proc;
+	this->pid0 = this->proc->p_pid;
+	this->uid0 = this->proc->p_ucred->cr_uid;
+	this->gid0 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc->p_args;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg0_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* PPARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid1 = this->proc->p_pid;
+	this->uid1 = this->proc->p_ucred->cr_uid;
+	this->gid1 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg1_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* GPARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid2 = this->proc->p_pid;
+	this->uid2 = this->proc->p_ucred->cr_uid;
+	this->gid2 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg2_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* APARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid3 = this->proc->p_pid;
+	this->uid3 = this->proc->p_ucred->cr_uid;
+	this->gid3 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg3_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg3_4 = this->ar_length > 0 ? "..." : "";
+
+	/***********************************************/
+
+	/*
+	 * Print process, parent, and grandparent details
+	 */
+
+	printf("%Y %s[%d]: ", timestamp + 1406598400000000000,
+		this->caller_execname, this->pid1);
+	printf("%s", this->arg0_0);
+	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
+	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
+	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
+	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
+	printf(" (sending signal %u to pid %u)",
+		this->kill_signal, this->pid_to_kill);
+	printf("\n");
+
+	printf(" -+= %05d %d.%d %s",
+		this->pid3, this->uid3, this->gid3, this->arg3_0);
+	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
+	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
+	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
+	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
+	printf("%s", this->arg3_0 != "" ? "\n" : "");
+
+	printf("  \-+= %05d %d.%d %s",
+		this->pid2, this->uid2, this->gid2, this->arg2_0);
+	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
+	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
+	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
+	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
+	printf("%s", this->arg2_0 != "" ? "\n" : "");
+
+	printf("    \-+= %05d %d.%d %s",
+		this->pid1, this->uid1, this->gid1, this->arg1_0);
+	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
+	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
+	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
+	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
+	printf("%s", this->arg1_0 != "" ? "\n" : "");
+
+	printf("      \-+= %05d %d.%d %s",
+		this->pid0, this->uid0, this->gid0, this->arg0_0);
+	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
+	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
+	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
+	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
+	printf("%s", this->arg0_0 != "" ? "\n" : "");
+}
--- a/share/dtrace/watch_vop_remove
+++ b/share/dtrace/watch_vop_remove
@ -0,0 +1,476 @@
+#!/usr/sbin/dtrace -s
+/* -
+ * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org>
+ * All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Title: dtrace(1) script to log process(es) entering vfs::vop_remove $
+ * $FreeBSD$
+ */
+
+#pragma D option quiet
+#pragma D option dynvarsize=16m
+#pragma D option switchrate=10hz
+
+/*********************************************************/
+
+vfs::vop_remove:entry /* probe ID 1 */
+{
+	this->vp = (struct vnode *)arg0;
+	this->ncp = &(this->vp->v_cache_dst) != NULL ?
+		this->vp->v_cache_dst.tqh_first : 0;
+        this->fi_name = args[1] ? (
+		args[1]->a_cnp != NULL ?
+			stringof(args[1]->a_cnp->cn_nameptr) : ""
+	) : "";
+	this->mount = this->vp->v_mount; /* ptr to vfs we are in */
+	this->fi_fs = this->mount != 0 ?
+		stringof(this->mount->mnt_stat.f_fstypename) : "";
+	this->fi_mount = this->mount != 0 ?
+		stringof(this->mount->mnt_stat.f_mntonname) : "";
+	this->d_name = args[0]->v_cache_dd != NULL ?
+		stringof(args[0]->v_cache_dd->nc_name) : "";
+}
+
+vfs::vop_remove:entry /this->vp == 0 || this->fi_fs == 0 ||
+	this->fi_fs == "devfs" || this->fi_fs == "" ||
+	this->fi_name == ""/ /* probe ID 2 */
+{
+	this->ncp = 0;
+}
+
+/*********************************************************/
+
+vfs::vop_remove:entry /this->ncp/ /* probe ID 3 (depth 1) */
+{
+	this->dvp = this->ncp->nc_dvp != NULL ? (
+		&(this->ncp->nc_dvp->v_cache_dst) != NULL ?
+			this->ncp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name1 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->name1 == 0 || this->fi_fs == 0 ||
+	this->fi_fs == "devfs" || this->fi_fs == "" ||
+	this->name1 == "/" || this->name1 == ""/ /* probe ID 4 */
+{
+	this->dvp = 0;
+}
+
+/*********************************************************/
+
+/*
+ * BEGIN Pathname-depth iterators (copy/paste as many times as-desired)
+ */
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 5 (depth 2) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name2 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 6 (depth 3) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name3 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 7 (depth 4) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name4 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 8 (depth 5) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name5 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 9 (depth 6) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name6 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 10 (depth 7) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name7 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 11 (depth 8) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name8 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 12 (depth 9) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name9 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 13 (depth 10) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name10 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 14 (depth 11) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name11 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 15 (depth 12) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name12 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 16 (depth 13) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name13 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 17 (depth 14) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name14 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 18 (depth 15) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name15 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 19 (depth 16) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name16 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 20 (depth 17) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name17 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 21 (depth 18) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name18 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 22 (depth 19) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name19 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+vfs::vop_remove:entry /this->dvp/ /* probe ID 23 (depth 20) */
+{
+	this->dvp = this->dvp->nc_dvp != NULL ? (
+		&(this->dvp->nc_dvp->v_cache_dst) != NULL ?
+			this->dvp->nc_dvp->v_cache_dst.tqh_first : 0
+	) : 0;
+	this->name20 = this->dvp != 0 ? (
+		this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : ""
+	) : "";
+}
+
+/*
+ * END Pathname-depth iterators
+ */
+
+/*********************************************************/
+
+vfs::vop_remove:entry /this->fi_mount != 0/ /* probe ID 24 */
+{
+	printf("%Y %s[%d]: ", timestamp + 1406598400000000000, execname, pid);
+
+	/*
+	 * Print full path of file to delete
+	 * NB: Up-to but not including the parent directory (printed below)
+	 */
+	printf("%s%s", this->fi_mount, this->fi_mount != 0 ? (
+		this->fi_mount == "/" ? "" : "/"
+	) : "/");
+	printf("%s%s", this->name = this->name20, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name19, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name18, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name17, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name16, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name15, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name14, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name13, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name12, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name11, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name10, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name9, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name8, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name7, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name6, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name5, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name4, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name3, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name2, this->name != "" ? "/" : "");
+	printf("%s%s", this->name = this->name1, this->name != "" ? "/" : "");
+
+	/* Print the parent directory name */
+	this->name = this->d_name != 0 ? this->d_name : "";
+	printf("%s%s", this->name, this->name != "" ? "/" : "");
+
+	/* Print the entry name */
+	this->name = this->fi_name != 0 ? this->fi_name : "";
+	printf("%s", this->name);
+
+	printf("\n");
+
+	/*
+	 * Examine process, parent process, and grandparent process details
+	 */
+
+	/******************* CURPROC *******************/
+
+	this->proc = curthread->td_proc;
+	this->pid0 = this->proc->p_pid;
+	this->uid0 = this->proc->p_ucred->cr_uid;
+	this->gid0 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc->p_args;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg0_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg0_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* PPARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid1 = this->proc->p_pid;
+	this->uid1 = this->proc->p_ucred->cr_uid;
+	this->gid1 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg1_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg1_4 = this->ar_length > 0 ? "..." : "";
+
+	/******************* GPARENT *******************/
+
+	this->proc = this->proc->p_pptr;
+	this->pid2 = this->proc->p_pid;
+	this->uid2 = this->proc->p_ucred->cr_uid;
+	this->gid2 = this->proc->p_ucred->cr_rgid;
+	this->p_args = this->proc ? this->proc->p_args : 0;
+	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
+	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
+
+	this->arg2_0 = this->ar_length > 0 ?
+		this->ar_args : stringof(this->proc->p_comm);
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
+	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
+	this->ar_args += this->len;
+	this->ar_length -= this->len;
+
+	this->arg2_4 = this->ar_length > 0 ? "..." : "";
+
+	/***********************************************/
+
+	/*
+	 * Print process, parent, and grandparent details
+	 */
+
+	printf(" -+= %05d %d.%d %s",
+		this->pid2, this->uid2, this->gid2, this->arg2_0);
+	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
+	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
+	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
+	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
+	printf("%s", this->arg2_0 != "" ? "\n" : "");
+
+	printf("  \-+= %05d %d.%d %s",
+		this->pid1, this->uid1, this->gid1, this->arg1_0);
+	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
+	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
+	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
+	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
+	printf("%s", this->arg1_0 != "" ? "\n" : "");
+
+	printf("    \-+= %05d %d.%d %s",
+		this->pid0, this->uid0, this->gid0, this->arg0_0);
+	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
+	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
+	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
+	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
+	printf("%s", this->arg0_0 != "" ? "\n" : "");
+}