Add --uid option to filter by user ID (#3743)
* Add --uid option to filter by user ID
* update examples and man page of the trace tool
diff --git a/tools/trace.py b/tools/trace.py
index 40bb323..0f6d90e 100755
--- a/tools/trace.py
+++ b/tools/trace.py
@@ -37,6 +37,7 @@
print_address = False
tgid = -1
pid = -1
+ uid = -1
page_cnt = None
build_id_enabled = False
@@ -53,6 +54,7 @@
cls.first_ts_real = time.time()
cls.tgid = args.tgid or -1
cls.pid = args.pid or -1
+ cls.uid = args.uid or -1
cls.page_cnt = args.buffer_pages
cls.bin_cmp = args.bin_cmp
cls.build_id_enabled = args.sym_file_list is not None
@@ -401,6 +403,7 @@
%s
%s
%s
+ u32 uid;
};
BPF_PERF_OUTPUT(%s);
@@ -485,6 +488,13 @@
else:
pid_filter = ""
+ if Probe.uid != -1:
+ uid_filter = """
+ if (__uid != %d) { return 0; }
+ """ % Probe.uid
+ else:
+ uid_filter = ""
+
if self.cgroup_map_name is not None:
cgroup_filter = """
if (%s.check_current_task(0) <= 0) { return 0; }
@@ -530,6 +540,8 @@
u64 __pid_tgid = bpf_get_current_pid_tgid();
u32 __tgid = __pid_tgid >> 32;
u32 __pid = __pid_tgid; // implicit cast to u32 for bottom half
+ u32 __uid = bpf_get_current_uid_gid();
+ %s
%s
%s
%s
@@ -541,6 +553,7 @@
%s
__data.tgid = __tgid;
__data.pid = __pid;
+ __data.uid = __uid;
bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
%s
%s
@@ -548,7 +561,7 @@
return 0;
}
"""
- text = text % (pid_filter, cgroup_filter, prefix,
+ text = text % (pid_filter, uid_filter, cgroup_filter, prefix,
self._generate_usdt_filter_read(), self.filter,
self.struct_name, time_str, cpu_str, data_fields,
stack_trace, self.events_name, ctx_name)
@@ -686,11 +699,17 @@
Trace the open syscall and print a default trace message when entered
trace kfree_skb+0x12
Trace the kfree_skb kernel function after the instruction on the 0x12 offset
-trace 'do_sys_open "%s", arg2'
- Trace the open syscall and print the filename being opened
-trace 'do_sys_open "%s", arg2' -n main
+trace 'do_sys_open "%s", arg2@user'
+ Trace the open syscall and print the filename. being opened @user is
+ added to arg2 in kprobes to ensure that char * should be copied from
+ the userspace stack to the bpf stack. If not specified, previous
+ behaviour is expected.
+
+trace 'do_sys_open "%s", arg2@user' -n main
Trace the open syscall and only print event that process names containing "main"
-trace 'do_sys_open "%s", arg2' -f config
+trace 'do_sys_open "%s", arg2@user' --uid 1001
+ Trace the open syscall and only print event that processes with user ID 1001
+trace 'do_sys_open "%s", arg2@user' -f config
Trace the open syscall and print the filename being opened filtered by "config"
trace 'sys_read (arg3 > 20000) "read %d bytes", arg3'
Trace the read syscall and print a message for reads >20000 bytes
@@ -750,6 +769,8 @@
dest="tgid", help="id of the process to trace (optional)")
parser.add_argument("-L", "--tid", type=int, metavar="TID",
dest="pid", help="id of the thread to trace (optional)")
+ parser.add_argument("--uid", type=int, metavar="UID",
+ dest="uid", help="id of the user to trace (optional)")
parser.add_argument("-v", "--verbose", action="store_true",
help="print resulting BPF program code before executing")
parser.add_argument("-Z", "--string-size", type=int,