#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014 Devin Teske * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering vfs::vop_remove $ * $FreeBSD: head/share/dtrace/watch_vop_remove 294548 2016-01-22 07:19:30Z dteske $ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ vfs::vop_remove:entry /* probe ID 1 */ { this->vp = (struct vnode *)arg0; this->ncp = &(this->vp->v_cache_dst) != NULL ? this->vp->v_cache_dst.tqh_first : 0; this->fi_name = args[1] ? ( args[1]->a_cnp != NULL ? stringof(args[1]->a_cnp->cn_nameptr) : "" ) : ""; this->mount = this->vp->v_mount; /* ptr to vfs we are in */ this->fi_fs = this->mount != 0 ? stringof(this->mount->mnt_stat.f_fstypename) : ""; this->fi_mount = this->mount != 0 ? stringof(this->mount->mnt_stat.f_mntonname) : ""; this->d_name = args[0]->v_cache_dd != NULL ? stringof(args[0]->v_cache_dd->nc_name) : ""; } vfs::vop_remove:entry /this->vp == 0 || this->fi_fs == 0 || this->fi_fs == "devfs" || this->fi_fs == "" || this->fi_name == ""/ /* probe ID 2 */ { this->ncp = 0; } /*********************************************************/ vfs::vop_remove:entry /this->ncp/ /* probe ID 3 (depth 1) */ { this->dvp = this->ncp->nc_dvp != NULL ? ( &(this->ncp->nc_dvp->v_cache_dst) != NULL ? this->ncp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name1 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->name1 == 0 || this->fi_fs == 0 || this->fi_fs == "devfs" || this->fi_fs == "" || this->name1 == "/" || this->name1 == ""/ /* probe ID 4 */ { this->dvp = 0; } /*********************************************************/ /* * BEGIN Pathname-depth iterators (copy/paste as many times as-desired) */ vfs::vop_remove:entry /this->dvp/ /* probe ID 5 (depth 2) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name2 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 6 (depth 3) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name3 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 7 (depth 4) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name4 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 8 (depth 5) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name5 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 9 (depth 6) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name6 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 10 (depth 7) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name7 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 11 (depth 8) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name8 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 12 (depth 9) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name9 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 13 (depth 10) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name10 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 14 (depth 11) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name11 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 15 (depth 12) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name12 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 16 (depth 13) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name13 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 17 (depth 14) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name14 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 18 (depth 15) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name15 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 19 (depth 16) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name16 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 20 (depth 17) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name17 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 21 (depth 18) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name18 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 22 (depth 19) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name19 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } vfs::vop_remove:entry /this->dvp/ /* probe ID 23 (depth 20) */ { this->dvp = this->dvp->nc_dvp != NULL ? ( &(this->dvp->nc_dvp->v_cache_dst) != NULL ? this->dvp->nc_dvp->v_cache_dst.tqh_first : 0 ) : 0; this->name20 = this->dvp != 0 ? ( this->dvp->nc_name != 0 ? stringof(this->dvp->nc_name) : "" ) : ""; } /* * END Pathname-depth iterators */ /*********************************************************/ vfs::vop_remove:entry /this->fi_mount != 0/ /* probe ID 24 */ { printf("%Y %s[%d]: ", timestamp + 1406598400000000000, execname, pid); /* * Print full path of file to delete * NB: Up-to but not including the parent directory (printed below) */ printf("%s%s", this->fi_mount, this->fi_mount != 0 ? ( this->fi_mount == "/" ? "" : "/" ) : "/"); printf("%s%s", this->name = this->name20, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name19, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name18, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name17, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name16, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name15, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name14, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name13, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name12, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name11, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name10, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name9, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name8, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name7, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name6, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name5, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name4, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name3, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name2, this->name != "" ? "/" : ""); printf("%s%s", this->name = this->name1, this->name != "" ? "/" : ""); /* Print the parent directory name */ this->name = this->d_name != 0 ? this->d_name : ""; printf("%s%s", this->name, this->name != "" ? "/" : ""); /* Print the entry name */ this->name = this->fi_name != 0 ? this->fi_name : ""; printf("%s", this->name); printf("\n"); /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf(" -+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); }