-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsofdsnoop.py
executable file
·334 lines (261 loc) · 8.06 KB
/
sofdsnoop.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
#!/usr/bin/env python
# @lint-avoid-python-3-compatibility-imports
#
# sofdsnoop traces file descriptors passed via socket
# For Linux, uses BCC, eBPF. Embedded C.
#
# USAGE: sofdsnoop
#
# Copyright (c) 2018 Jiri Olsa.
# Licensed under the Apache License, Version 2.0 (the "License")
#
# 30-Jul-2018 Jiri Olsa Created this.
from __future__ import print_function
from bcc import ArgString, BPF
import os
import argparse
from datetime import datetime, timedelta
# arguments
examples = """examples:
./sofdsnoop # trace passed file descriptors
./sofdsnoop -T # include timestamps
./sofdsnoop -p 181 # only trace PID 181
./sofdsnoop -t 123 # only trace TID 123
./sofdsnoop -d 10 # trace for 10 seconds only
./sofdsnoop -n main # only print process names containing "main"
"""
parser = argparse.ArgumentParser(
description="Trace file descriptors passed via socket",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=examples)
parser.add_argument("-T", "--timestamp", action="store_true",
help="include timestamp on output")
parser.add_argument("-p", "--pid",
help="trace this PID only")
parser.add_argument("-t", "--tid",
help="trace this TID only")
parser.add_argument("-n", "--name",
type=ArgString,
help="only print process names containing this name")
parser.add_argument("-d", "--duration",
help="total duration of trace in seconds")
args = parser.parse_args()
debug = 0
ACTION_SEND=0
ACTION_RECV=1
MAX_FD=10
if args.duration:
args.duration = timedelta(seconds=int(args.duration))
# define BPF program
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>
#include <linux/socket.h>
#include <net/sock.h>
#define MAX_FD 10
#define ACTION_SEND 0
#define ACTION_RECV 1
struct val_t {
u64 id;
u64 ts;
int action;
int sock_fd;
int fd_cnt;
int fd[MAX_FD];
char comm[TASK_COMM_LEN];
};
BPF_HASH(detach_ptr, u64, struct cmsghdr *);
BPF_HASH(sock_fd, u64, int);
BPF_PERF_OUTPUT(events);
static void set_fd(int fd)
{
u64 id = bpf_get_current_pid_tgid();
sock_fd.update(&id, &fd);
}
static int get_fd(void)
{
u64 id = bpf_get_current_pid_tgid();
int *fd;
fd = sock_fd.lookup(&id);
return fd ? *fd : -1;
}
static void put_fd(void)
{
u64 id = bpf_get_current_pid_tgid();
sock_fd.delete(&id);
}
static int sent_1(struct pt_regs *ctx, struct val_t *val, int num, void *data)
{
val->fd_cnt = min(num, MAX_FD);
if (bpf_probe_read_kernel(&val->fd[0], MAX_FD * sizeof(int), data))
return -1;
events.perf_submit(ctx, val, sizeof(*val));
return 0;
}
#define SEND_1 \
if (sent_1(ctx, &val, num, (void *) data)) \
return 0; \
\
num -= MAX_FD; \
if (num < 0) \
return 0; \
\
data += MAX_FD;
#define SEND_2 SEND_1 SEND_1
#define SEND_4 SEND_2 SEND_2
#define SEND_8 SEND_4 SEND_4
#define SEND_260 SEND_8 SEND_8 SEND_8 SEND_2
static int send(struct pt_regs *ctx, struct cmsghdr *cmsg, int action)
{
struct val_t val = { 0 };
int *data, num, fd;
u64 tsp = bpf_ktime_get_ns();
data = (void *) ((char *) cmsg + sizeof(struct cmsghdr));
num = (cmsg->cmsg_len - sizeof(struct cmsghdr)) / sizeof(int);
val.id = bpf_get_current_pid_tgid();
val.action = action;
val.sock_fd = get_fd();
val.ts = tsp / 1000;
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) != 0)
return 0;
SEND_260
return 0;
}
static bool allow_pid(u64 id)
{
u32 pid = id >> 32; // PID is higher part
u32 tid = id; // Cast and get the lower part
FILTER
return 1;
}
int trace_scm_send_entry(struct pt_regs *ctx, struct socket *sock, struct msghdr *hdr)
{
struct cmsghdr *cmsg = NULL;
if (!allow_pid(bpf_get_current_pid_tgid()))
return 0;
if (hdr->msg_controllen >= sizeof(struct cmsghdr))
cmsg = hdr->msg_control;
if (!cmsg || (cmsg->cmsg_type != SCM_RIGHTS))
return 0;
return send(ctx, cmsg, ACTION_SEND);
};
int trace_scm_detach_fds_entry(struct pt_regs *ctx, struct msghdr *hdr)
{
struct cmsghdr *cmsg = NULL;
u64 id = bpf_get_current_pid_tgid();
if (!allow_pid(id))
return 0;
if (hdr->msg_controllen >= sizeof(struct cmsghdr))
cmsg = hdr->msg_control;
if (!cmsg)
return 0;
detach_ptr.update(&id, &cmsg);
return 0;
};
int trace_scm_detach_fds_return(struct pt_regs *ctx)
{
struct cmsghdr **cmsgp;
u64 id = bpf_get_current_pid_tgid();
if (!allow_pid(id))
return 0;
cmsgp = detach_ptr.lookup(&id);
if (!cmsgp)
return 0;
return send(ctx, *cmsgp, ACTION_RECV);
}
int syscall__sendmsg(struct pt_regs *ctx, u64 fd, u64 msg, u64 flags)
{
struct pt_regs p;
if (!allow_pid(bpf_get_current_pid_tgid()))
return 0;
set_fd(fd);
return 0;
}
int trace_sendmsg_return(struct pt_regs *ctx)
{
if (!allow_pid(bpf_get_current_pid_tgid()))
return 0;
put_fd();
return 0;
}
int syscall__recvmsg(struct pt_regs *ctx, u64 fd, u64 msg, u64 flags)
{
struct pt_regs p;
if (!allow_pid(bpf_get_current_pid_tgid()))
return 0;
fd = fd;
set_fd(fd);
return 0;
}
int trace_recvmsg_return(struct pt_regs *ctx)
{
if (!allow_pid(bpf_get_current_pid_tgid()))
return 0;
put_fd();
return 0;
}
"""
if args.tid: # TID trumps PID
bpf_text = bpf_text.replace('FILTER',
'if (tid != %s) { return 0; }' % args.tid)
elif args.pid:
bpf_text = bpf_text.replace('FILTER',
'if (pid != %s) { return 0; }' % args.pid)
else:
bpf_text = bpf_text.replace('FILTER', '')
# initialize BPF
b = BPF(text=bpf_text)
syscall_fnname = b.get_syscall_fnname("sendmsg")
if BPF.ksymname(syscall_fnname) != -1:
b.attach_kprobe(event=syscall_fnname, fn_name="syscall__sendmsg")
b.attach_kretprobe(event=syscall_fnname, fn_name="trace_sendmsg_return")
syscall_fnname = b.get_syscall_fnname("recvmsg")
if BPF.ksymname(syscall_fnname) != -1:
b.attach_kprobe(event=syscall_fnname, fn_name="syscall__recvmsg")
b.attach_kretprobe(event=syscall_fnname, fn_name="trace_recvmsg_return")
b.attach_kprobe(event="__scm_send", fn_name="trace_scm_send_entry")
b.attach_kprobe(event="scm_detach_fds", fn_name="trace_scm_detach_fds_entry")
b.attach_kretprobe(event="scm_detach_fds", fn_name="trace_scm_detach_fds_return")
initial_ts = 0
# header
if args.timestamp:
print("%-14s" % ("TIME(s)"), end="")
print("%-6s %-6s %-16s %-25s %-5s %s" %
("ACTION", "TID", "COMM", "SOCKET", "FD", "NAME"))
def get_file(pid, fd):
proc = "/proc/%d/fd/%d" % (pid, fd)
try:
return os.readlink(proc)
except OSError as err:
return "N/A"
# process event
def print_event(cpu, data, size):
event = b["events"].event(data)
tid = event.id & 0xffffffff;
cnt = min(MAX_FD, event.fd_cnt);
if args.name and bytes(args.name) not in event.comm:
return
for i in range(0, cnt):
global initial_ts
if not initial_ts:
initial_ts = event.ts
if args.timestamp:
delta = event.ts - initial_ts
print("%-14.9f" % (float(delta) / 1000000), end="")
print("%-6s %-6d %-16s " %
("SEND" if event.action == ACTION_SEND else "RECV",
tid, event.comm.decode()), end = '')
sock = "%d:%s" % (event.sock_fd, get_file(tid, event.sock_fd))
print("%-25s " % sock, end = '')
fd = event.fd[i]
fd_file = get_file(tid, fd) if event.action == ACTION_SEND else ""
print("%-5d %s" % (fd, fd_file))
# loop with callback to print_event
b["events"].open_perf_buffer(print_event, page_cnt=64)
start_time = datetime.now()
while not args.duration or datetime.now() - start_time < args.duration:
try:
b.perf_buffer_poll(timeout=1000)
except KeyboardInterrupt:
exit()