execsnoop: argument to change the number of arguments parsed

New argument to change the maximum number of arguments parsed and displayed.
pathtofile · Oct 12, 2017 · a0c9b48 · a0c9b48
1 parent b334702
commit a0c9b48
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 26 deletions.
diff --git a/man/man8/execsnoop.8 b/man/man8/execsnoop.8
@@ -35,6 +35,9 @@ Only print command lines matching this name (regex)
 .TP
 \-l LINE
 Only print commands where arg contains this line (regex)
+.TP
+\--max-args MAXARGS
+Maximum number of arguments parsed and displayed, defaults to 20
 .SH EXAMPLES
 .TP
 Trace all exec() syscalls:

diff --git a/tools/execsnoop.py b/tools/execsnoop.py
@@ -44,6 +44,8 @@
  help="only print commands matching this name (regex), any arg")
 parser.add_argument("-l", "--line",
  help="only print commands where arg contains this line (regex)")
+parser.add_argument("--max-args", default="20",
+ help="maximum number of arguments parsed and displayed, defaults to 20")
 args = parser.parse_args()
 
 # define BPF program
@@ -52,7 +54,6 @@
 #include <linux/sched.h>
 #include <linux/fs.h>
 
-#define MAXARG 20
 #define ARGSIZE 128
 
 enum event_type {
@@ -99,28 +100,12 @@
 
  __submit_arg(ctx, (void *)filename, &data);
 
- int i = 1; // skip first arg, as we submitted filename
-
- // unrolled loop to walk argv[] (MAXARG)
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++; // X
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++; // XX
+ // skip first arg, as we submitted filename
+ #pragma unroll
+ for (int i = 1; i < MAXARG; i++) {
+ if (submit_arg(ctx, (void *)&__argv[i], &data) == 0)
+ goto out;
+ }
 
  // handle truncated argument list
  char ellipsis[] = "...";
@@ -143,7 +128,7 @@
 """
 
 # initialize BPF
-b = BPF(text=bpf_text)
+b = BPF(text=bpf_text.replace("MAXARG", args.max_args))
 
 # header
 if args.timestamp:

diff --git a/tools/execsnoop_example.txt b/tools/execsnoop_example.txt
@@ -79,7 +79,7 @@ rpm 3345452 4146419 0 /bin/rpm -qa testpkg
 USAGE message:
 
 # ./execsnoop -h
-usage: execsnoop [-h] [-t] [-x] [-n NAME]
+usage: execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE] [--max-args MAX_ARGS]
 
 Trace exec() syscalls
 
@@ -91,10 +91,12 @@ optional arguments:
  arg
  -l LINE, --line LINE only print commands where arg contains this line
  (regex)
+ --max-args MAX_ARGS maximum number of arguments parsed and displayed,
+ defaults to 20
 
 examples:
  ./execsnoop # trace all exec() syscalls
- ./execsnoop -x # include failed exec()s 
+ ./execsnoop -x # include failed exec()s
  ./execsnoop -t # include timestamps
  ./execsnoop -n main # only print command lines containing "main"
  ./execsnoop -l tpkg # only print command where arguments contains "tpkg"