3 * Copyright (c) 2014-2016 Devin Teske <dteske@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * $Title: dtrace(1) script to log process(es) entering syscall::kill $
/*
 * DTrace consumer options for this script.
 *  quiet      - suppress the default per-probe output (CPU/ID/probe columns);
 *               only the explicit printf() calls below reach stdout.
 *  dynvarsize - size of the dynamic-variable space used by thread-local
 *               (self->) variables and associative arrays.
 *               NOTE(review): the clauses visible in this file use only
 *               clause-local this-> variables, so this setting has no effect
 *               unless a self-> variable is introduced (e.g. to carry the
 *               execve-time caller name into the kill clause).
 *  switchrate - how often the consumer drains the per-CPU trace buffers
 *               (10 times per second here), which bounds output latency.
 */
#pragma D option quiet
#pragma D option dynvarsize=16m
#pragma D option switchrate=10hz
34 /*********************************************************/
syscall::execve:entry /* probe ID 1 */
	/*
	 * Remember the name of the image that is calling execve.  This is an
	 * :entry probe, so the new image has not replaced the old one yet and
	 * execname is still the pre-exec (caller's) name.
	 *
	 * NOTE(review): this-> variables are clause-local and are not retained
	 * across probe firings, so the syscall::kill:entry clause cannot read
	 * the value assigned here; what it prints as caller_execname is not
	 * the execve-time name.  Carrying the name across probes needs a
	 * thread-local variable (self->caller_execname) assigned here, read in
	 * the kill clause, and reset to 0 there so dynamic-variable space
	 * (dynvarsize) is not leaked for every exec'd thread.
	 */
	this->caller_execname = execname;
41 /*********************************************************/
43 syscall::kill:entry /* probe ID 2 */
45 this->pid_to_kill = (pid_t)arg0;
46 this->kill_signal = (int)arg1;
 * Examine the calling process, its parent, grandparent and great-grandparent
 * (pid0..pid3), walking p_pptr three times.
 *
 * NOTE(review): p_args->ar_args and p_comm are written by the process itself
 * (its argv, setproctitle(3)), so every command line logged below is
 * untrusted: a caller can blank it, spoof another program's name, or embed
 * newlines to forge extra log lines.  Treat them as hints; the pids and
 * credentials are the authoritative fields.  Note also that each ancestor is
 * dereferenced (p_pid, p_ucred) before the "this->proc ?" null check that
 * follows it, so if p_pptr is ever NULL at the top of the tree the clause
 * aborts with a DTrace error and nothing is logged for that kill -- check
 * for NULL before the first dereference if that matters.  The credential
 * pair printed as uid.gid is the effective uid (cr_uid) next to the real gid
 * (cr_rgid), so a setuid program shows uid 0 with the invoking user's gid.
52 /******************* CURPROC *******************/
54 this->proc = curthread->td_proc;
55 this->pid0 = this->proc->p_pid;
56 this->uid0 = this->proc->p_ucred->cr_uid;
57 this->gid0 = this->proc->p_ucred->cr_rgid;
58 this->p_args = this->proc->p_args;
59 this->ar_length = this->p_args ? this->p_args->ar_length : 0;
60 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
62 this->arg0_0 = this->ar_length > 0 ?
63 this->ar_args : stringof(this->proc->p_comm);
64 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
65 this->ar_args += this->len;
66 this->ar_length -= this->len;
68 this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
69 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
70 this->ar_args += this->len;
71 this->ar_length -= this->len;
73 this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
74 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
75 this->ar_args += this->len;
76 this->ar_length -= this->len;
78 this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
79 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
80 this->ar_args += this->len;
81 this->ar_length -= this->len;
83 this->arg0_4 = this->ar_length > 0 ? "..." : "";
85 /******************* PPARENT *******************/
87 this->proc = this->proc->p_pptr;
88 this->pid1 = this->proc->p_pid;
89 this->uid1 = this->proc->p_ucred->cr_uid;
90 this->gid1 = this->proc->p_ucred->cr_rgid;
91 this->p_args = this->proc ? this->proc->p_args : 0;
92 this->ar_length = this->p_args ? this->p_args->ar_length : 0;
93 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
95 this->arg1_0 = this->ar_length > 0 ?
96 this->ar_args : stringof(this->proc->p_comm);
97 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
98 this->ar_args += this->len;
99 this->ar_length -= this->len;
101 this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
102 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
103 this->ar_args += this->len;
104 this->ar_length -= this->len;
106 this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
107 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
108 this->ar_args += this->len;
109 this->ar_length -= this->len;
111 this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
112 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
113 this->ar_args += this->len;
114 this->ar_length -= this->len;
116 this->arg1_4 = this->ar_length > 0 ? "..." : "";
118 /******************* GPARENT *******************/
120 this->proc = this->proc->p_pptr;
121 this->pid2 = this->proc->p_pid;
122 this->uid2 = this->proc->p_ucred->cr_uid;
123 this->gid2 = this->proc->p_ucred->cr_rgid;
124 this->p_args = this->proc ? this->proc->p_args : 0;
125 this->ar_length = this->p_args ? this->p_args->ar_length : 0;
126 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
128 this->arg2_0 = this->ar_length > 0 ?
129 this->ar_args : stringof(this->proc->p_comm);
130 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
131 this->ar_args += this->len;
132 this->ar_length -= this->len;
134 this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
135 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
136 this->ar_args += this->len;
137 this->ar_length -= this->len;
139 this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
140 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
141 this->ar_args += this->len;
142 this->ar_length -= this->len;
144 this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
145 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
146 this->ar_args += this->len;
147 this->ar_length -= this->len;
149 this->arg2_4 = this->ar_length > 0 ? "..." : "";
151 /******************* APARENT *******************/
153 this->proc = this->proc->p_pptr;
154 this->pid3 = this->proc->p_pid;
155 this->uid3 = this->proc->p_ucred->cr_uid;
156 this->gid3 = this->proc->p_ucred->cr_rgid;
157 this->p_args = this->proc ? this->proc->p_args : 0;
158 this->ar_length = this->p_args ? this->p_args->ar_length : 0;
159 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);
161 this->arg3_0 = this->ar_length > 0 ?
162 this->ar_args : stringof(this->proc->p_comm);
163 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
164 this->ar_args += this->len;
165 this->ar_length -= this->len;
167 this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
168 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
169 this->ar_args += this->len;
170 this->ar_length -= this->len;
172 this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
173 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
174 this->ar_args += this->len;
175 this->ar_length -= this->len;
177 this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
178 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
179 this->ar_args += this->len;
180 this->ar_length -= this->len;
182 this->arg3_4 = this->ar_length > 0 ? "..." : "";
184 /***********************************************/
 * Print the kill and the four-level process tree, great-grandparent first.
 *
 * NOTE(review): %Y expects walltimestamp (nanoseconds since the epoch);
 * `timestamp` is a monotonic counter from an arbitrary origin, so adding a
 * fixed offset to it does not produce a correct date -- use walltimestamp.
 * The kill target is printed with %u, but arg0 is a pid_t that is negative
 * for process-group kills and -1 for "every process the caller may signal";
 * %d keeps those cases readable instead of showing a large unsigned value.
 * this->caller_execname is assigned in a different clause (probe ID 1) and
 * this-> variables are clause-local, so its value here is not the name
 * recorded at execve.  This is an :entry probe, so denied attempts (EPERM)
 * are logged exactly like successful kills; pair it with syscall::kill:return
 * and errno if the distinction matters.
190 printf("%Y %s[%d]: ", timestamp + 1406598400000000000,
191 this->caller_execname, this->pid1);
192 printf("%s", this->arg0_0);
193 printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
194 printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
195 printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
196 printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
197 printf(" (sending signal %u to pid %u)",
198 this->kill_signal, this->pid_to_kill);
201 printf(" -+= %05d %d.%d %s",
202 this->pid3, this->uid3, this->gid3, this->arg3_0);
203 printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
204 printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
205 printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
206 printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
207 printf("%s", this->arg3_0 != "" ? "\n" : "");
209 printf(" \-+= %05d %d.%d %s",
210 this->pid2, this->uid2, this->gid2, this->arg2_0);
211 printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
212 printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
213 printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
214 printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
215 printf("%s", this->arg2_0 != "" ? "\n" : "");
217 printf(" \-+= %05d %d.%d %s",
218 this->pid1, this->uid1, this->gid1, this->arg1_0);
219 printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
220 printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
221 printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
222 printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
223 printf("%s", this->arg1_0 != "" ? "\n" : "");
225 printf(" \-+= %05d %d.%d %s",
226 this->pid0, this->uid0, this->gid0, this->arg0_0);
227 printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
228 printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
229 printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
230 printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
231 printf("%s", this->arg0_0 != "" ? "\n" : "");