From 37743c40c3f9b089af0e6188fd0490c70e1d2d2c Mon Sep 17 00:00:00 2001
From: Ciro Santilli
Date: Sun, 6 May 2018 11:28:54 +0100
Subject: [PATCH] conf.sh: base insensitive for even less typing
---
 README.adoc | 15 +++++++++++++--
 kernel_module/user/proc_events.c | 27 ++++++++-------------------
 rootfs_overlay/conf.sh | 2 +-
 3 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/README.adoc b/README.adoc
index 7981d0f..9abce6b 100644
--- a/README.adoc
+++ b/README.adoc
@@ -2682,6 +2682,11 @@ TODO: why does this produce no output?
 * https://serverfault.com/questions/199654/does-anyone-know-a-simple-way-to-monitor-root-process-spawn
 * https://unix.stackexchange.com/questions/260162/how-to-track-newly-created-processes
+TODO can you get process data such as UID and process arguments? It seems not since `exec_proc_event` contains so little data: https://github.com/torvalds/linux/blob/v4.16/include/uapi/linux/cn_proc.h#L80 We could try to immediately read it from `/proc`, but there is a risk that the process finished and another one took its PID, so it wouldn't be reliable.
+
+* https://unix.stackexchange.com/questions/163681/print-pids-and-names-of-processes-as-they-are-created/163689 requests process name
+* https://serverfault.com/questions/199654/does-anyone-know-a-simple-way-to-monitor-root-process-spawn requests UID
+
 ===== CONFIG_PROC_EVENTS aarch64 0111ca406bdfa6fd65a2605d353583b4c4051781 was failing with:
@@ -2747,7 +2752,7 @@ cd /sys/kernel/debug/tracing/
 echo 0 > tracing_on
 # Clear previous trace.
-echo '' > trace
+echo > trace
 # List the available tracers, and pick one.
 cat available_tracers
@@ -2831,9 +2836,15 @@ TODO: what do `+` and `!` mean?
 Each `enable` under the `events/` tree enables a certain set of functions, the higher the `enable` more functions are enabled.
+TODO: can you get function arguments? https://stackoverflow.com/questions/27608752/does-ftrace-allow-capture-of-system-call-arguments-to-the-linux-kernel-or-only
+
 ==== Kprobes
-Inject arbitrary code at a given address in a trap instruction. Oh the good old kernel. :-)
+Inject arbitrary code at a given address in a trap instruction, much like GDB. Oh the good old kernel. :-)
+
+I don't think your code can refer to the surrounding kernel code however: the only visible thing is the value of the registers.
+
+Maybe you can then hack it up to read the stack and read argument values, but do you really want to?
 ....
 ./build -c 'CONFIG_KPROBES=y'
diff --git a/kernel_module/user/proc_events.c b/kernel_module/user/proc_events.c
index 9dc3b91..dff8bb3 100644
--- a/kernel_module/user/proc_events.c
+++ b/kernel_module/user/proc_events.c
@@ -11,24 +11,20 @@ int main() {}
 #else
 #define _XOPEN_SOURCE 700
-#include
-#include
-#include
-#include
-#include
 #include
+#include
+#include
+#include
+#include
 #include
-#include
-#include
-#include
 #include
+#include
+#include
+#include
+#include
+#include
 static volatile bool need_exit = false;
-/*
-* connect to netlink
-* returns netlink socket, or -1 on error
-*/
 static int nl_connect()
 {
 int rc;
@@ -52,9 +48,6 @@ static int nl_connect()
 return nl_sock;
 }
-/*
-* subscribe on proc events (process notifications)
-*/
 static int set_proc_ev_listen(int nl_sock, bool enable)
 {
 int rc;
@@ -86,9 +79,6 @@ static int set_proc_ev_listen(int nl_sock, bool enable)
 return 0;
 }
-/*
-* handle a single process event
-*/
 static int handle_proc_ev(int nl_sock)
 {
 int rc;
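Review bot: Deleting the comment block above `nl_connect` removes the only written statement of its error contract (`returns netlink socket, or -1 on error`), and the two following hunks do the same for `set_proc_ev_listen` and `handle_proc_ev`; since the callers' error checks sit outside these hunks, a reader of the new code has no way to tell what a negative return means. Keep one line per function instead, e.g. `/* Connect to the netlink connector; returns the socket fd, or -1 on error. */` before `static int nl_connect()`, `/* Enable or disable proc event notifications on nl_sock; returns 0 on success. */` before `set_proc_ev_listen`, and a one-liner naming the exit condition for `handle_proc_ev`. All three function bodies continue past their hunks. The header names on the `#include` lines are not visible in this rendering, so the include reordering itself cannot be checked here.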
@@ -102,7 +92,6 @@ static int handle_proc_ev(int nl_sock)
 while (!need_exit) {
 rc = recv(nl_sock, &nlcn_msg, sizeof(nlcn_msg), 0);
 if (rc == 0) {
-/* shutdown? */
 return 0;
 } else if (rc == -1) {
 if (errno == EINTR) continue;
diff --git a/rootfs_overlay/conf.sh b/rootfs_overlay/conf.sh
index 5f6086e..2899b22 100755
--- a/rootfs_overlay/conf.sh
+++ b/rootfs_overlay/conf.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-zcat /proc/config.gz | grep "${1:-}"
+zcat /proc/config.gz | grep -Ei "${1:-}"
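Review bot: Removing `/* shutdown? */` leaves the `return 0` on `rc == 0` without any explanation of why a zero-length recv() is treated as a clean exit, and the original question mark was pointing at a real gap: only the 0 and -1 cases are checked here, while a positive `rc` shorter than a full netlink message is presumably passed on to whatever parses `nlcn_msg` below, which is outside the hunk. Keep a comment such as `/* zero-length read: treat as socket shutdown and exit cleanly */`, and if the message is parsed after this point, validate `rc` against the netlink header (NLMSG_OK with rc as the length) before any payload field is read. The body of `handle_proc_ev` starts and ends outside the hunk.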
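Review bot: With `-Ei` the first argument is now an extended regular expression, but an argument starting with `-` is still parsed by grep as an option rather than as the pattern; add an end-of-options marker: `zcat /proc/config.gz | grep -Ei -- "${1:-}"`. ERE metacharacters (`+`, `?`, `(`, `|`) inside a config-name fragment now need escaping, which is worth a line in the commit message since the old invocation treated the same characters as a basic regex.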