From a0c9b48b1ebc15ecbbf0f0b9742d53307c7b9e44 Mon Sep 17 00:00:00 2001
From: Paul Chaignon
Date: Fri, 29 Sep 2017 13:42:18 +0200
Subject: [PATCH] execsnoop: argument to change the number of arguments parsed

New argument to change the maximum number of arguments parsed and displayed.
---
 man/man8/execsnoop.8 | 3 +++
 tools/execsnoop.py | 33 +++++++++------------------------
 tools/execsnoop_example.txt | 6 ++++--
 3 files changed, 16 insertions(+), 26 deletions(-)

diff --git a/man/man8/execsnoop.8 b/man/man8/execsnoop.8
index 488356ec31db..a694cede36d1 100644
--- a/man/man8/execsnoop.8
+++ b/man/man8/execsnoop.8
@@ -35,6 +35,9 @@ Only print command lines matching this name (regex)
 .TP
 \-l LINE
 Only print commands where arg contains this line (regex)
+.TP
+\--max-args MAXARGS
+Maximum number of arguments parsed and displayed, defaults to 20
 .SH EXAMPLES
 .TP
 Trace all exec() syscalls:
diff --git a/tools/execsnoop.py b/tools/execsnoop.py
index 6eafa10e3a71..db4e0baa6ea2 100755
--- a/tools/execsnoop.py
+++ b/tools/execsnoop.py
@@ -44,6 +44,8 @@
 help="only print commands matching this name (regex), any arg")
 parser.add_argument("-l", "--line",
 help="only print commands where arg contains this line (regex)")
+parser.add_argument("--max-args", default="20",
+ help="maximum number of arguments parsed and displayed, defaults to 20")
 args = parser.parse_args()
 
 # define BPF program
@@ -52,7 +54,6 @@
 #include
 #include
 
-#define MAXARG 20
 #define ARGSIZE 128
 
 enum event_type {
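Review bot: `--max-args` is accepted as a free-form string (`default="20"`, no `type=`) and, per the later hunk, is spliced verbatim into the BPF C source, so a typo such as `--max-args 2O` or a negative value is only diagnosed by the BPF compiler instead of as a usage error. Declaring it `parser.add_argument("--max-args", default=20, type=int, ...)` lets argparse reject non-integers up front; a lower bound of 2 is also worth enforcing, because `i < MAXARG` with a value of 0 or 1 never submits an argument and every output line would end in the truncation marker. Since the loop is `#pragma unroll`ed, each extra argument adds instructions to the program, so very large values will presumably exhaust the verifier's instruction budget — a documented or enforced upper bound (e.g. `choices=range(2, 65)`) would make that failure predictable rather than a cryptic load error. Making the value an int means the `.replace()` call in the later hunk must pass `str(args.max_args)`. Adding `metavar="MAXARGS"` would also make `--help` agree with the man page, which documents the option as `--max-args MAXARGS` while argparse will print `MAX_ARGS`.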
@@ -99,28 +100,12 @@
 
 __submit_arg(ctx, (void *)filename, &data);
 
- int i = 1; // skip first arg, as we submitted filename
-
- // unrolled loop to walk argv[] (MAXARG)
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++; // X
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++;
- if (submit_arg(ctx, (void *)&__argv[i], &data) == 0) goto out; i++; // XX
+ // skip first arg, as we submitted filename
+ #pragma unroll
+ for (int i = 1; i < MAXARG; i++) {
+ if (submit_arg(ctx, (void *)&__argv[i], &data) == 0)
+ goto out;
+ }
 
 // handle truncated argument list
 char ellipsis[] = "...";
@@ -143,7 +128,7 @@
 """
 
 # initialize BPF
-b = BPF(text=bpf_text)
+b = BPF(text=bpf_text.replace("MAXARG", args.max_args))
 
 # header
 if args.timestamp:
diff --git a/tools/execsnoop_example.txt b/tools/execsnoop_example.txt
index a538165738ba..ad5f65b80e1a 100644
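Review bot: `bpf_text.replace("MAXARG", args.max_args)` is a blind substring substitution of a command-line value into C source: any future occurrence of the token (in a comment, or an identifier such as `MAXARGS`) gets rewritten as well, and whatever the user typed is handed to the BPF compiler as C text rather than checked as a number. Passing the value as a preprocessor define keeps a single, typed entry point into the program — e.g. `b = BPF(text=bpf_text, cflags=["-DMAXARG=%d" % int(args.max_args)])` — and fails with a Python `ValueError` on bad input instead of a clang diagnostic; it also restores the define-style contract that the earlier hunk removed with `#define MAXARG 20`. If `cflags=` is not available in the bcc version this tree targets, at least coerce and format the value, `bpf_text.replace("MAXARG", str(int(args.max_args)))`, so the substituted text is guaranteed to be an integer literal.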
--- a/tools/execsnoop_example.txt
+++ b/tools/execsnoop_example.txt
@@ -79,7 +79,7 @@ rpm 3345452 4146419 0 /bin/rpm -qa testpkg
 USAGE message:
 
 # ./execsnoop -h
-usage: execsnoop [-h] [-t] [-x] [-n NAME]
+usage: execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE] [--max-args MAX_ARGS]
 
 Trace exec() syscalls
 
@@ -91,10 +91,12 @@ optional arguments:
 arg
 -l LINE, --line LINE only print commands where arg contains this line
 (regex)
+ --max-args MAX_ARGS maximum number of arguments parsed and displayed,
+ defaults to 20
 
 examples:
 ./execsnoop # trace all exec() syscalls
- ./execsnoop -x # include failed exec()s
+ ./execsnoop -x # include failed exec()s
 ./execsnoop -t # include timestamps
 ./execsnoop -n main # only print command lines containing "main"
 ./execsnoop -l tpkg # only print command where arguments contains "tpkg"