Alexey Ivanovcc01a9c2019-01-16 09:50:46 -08001#!/usr/bin/python
Omar Sandovale822a812016-10-16 12:31:32 -07002#
3# mountsnoop Trace mount() and umount syscalls.
4# For Linux, uses BCC, eBPF. Embedded C.
5#
6# USAGE: mountsnoop [-h]
7#
8# Copyright (c) 2016 Facebook, Inc.
9# Licensed under the Apache License, Version 2.0 (the "License")
10#
11# 14-Oct-2016 Omar Sandoval Created this.
12
13from __future__ import print_function
14import argparse
15import bcc
16import ctypes
17import errno
18import functools
19import sys
20
21
# Embedded BPF program (compiled by bcc at start-up). Two properties of its
# output are worth keeping in mind when reading a trace:
#  - The string arguments are copied with bpf_probe_read_user() at syscall
#    entry, i.e. before the kernel itself copies them. A process that rewrites
#    its buffers in between could make the traced strings differ from what the
#    kernel actually used, so treat them as best-effort, not as authoritative
#    evidence.
#  - Every string is truncated to MAX_STR_LEN bytes, and `data` may be a binary
#    blob rather than a NUL-terminated string (see the XXX comment in the C).
bpf_text = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

#include <linux/nsproxy.h>
#include <linux/ns_common.h>

/*
 * XXX: struct mnt_namespace is defined in fs/mount.h, which is private to the
 * VFS and not installed in any kernel-devel packages. So, let's duplicate the
 * important part of the definition. There are actually more members in the
 * real struct, but we don't need them, and they're more likely to change.
 */
struct mnt_namespace {
    atomic_t count;
    struct ns_common ns;
};

/*
 * XXX: this could really use first-class string support in BPF. target is a
 * NUL-terminated path up to PATH_MAX in length. source and type are
 * NUL-terminated strings up to PAGE_SIZE in length. data is a weird case: it's
 * almost always a NUL-terminated string, but for some filesystems (e.g., older
 * NFS variants), it's a binary structure with plenty of NUL bytes, so the
 * kernel always copies up to PAGE_SIZE bytes, stopping when it hits a fault.
 *
 * The best we can do with the existing BPF helpers is to copy as much of each
 * argument as we can. Our stack space is limited, and we need to leave some
 * headroom for the rest of the function, so this should be a decent value.
 */
#define MAX_STR_LEN 412

enum event_type {
    EVENT_MOUNT,
    EVENT_MOUNT_SOURCE,
    EVENT_MOUNT_TARGET,
    EVENT_MOUNT_TYPE,
    EVENT_MOUNT_DATA,
    EVENT_MOUNT_RET,
    EVENT_UMOUNT,
    EVENT_UMOUNT_TARGET,
    EVENT_UMOUNT_RET,
};

struct data_t {
    enum event_type type;
    pid_t pid, tgid;
    union {
        /* EVENT_MOUNT, EVENT_UMOUNT */
        struct {
            /* current->nsproxy->mnt_ns->ns.inum */
            unsigned int mnt_ns;
            char comm[TASK_COMM_LEN];
            unsigned long flags;
        } enter;
        /*
         * EVENT_MOUNT_SOURCE, EVENT_MOUNT_TARGET, EVENT_MOUNT_TYPE,
         * EVENT_MOUNT_DATA, EVENT_UMOUNT_TARGET
         */
        char str[MAX_STR_LEN];
        /* EVENT_MOUNT_RET, EVENT_UMOUNT_RET */
        int retval;
    };
};

BPF_PERF_OUTPUT(events);

int syscall__mount(struct pt_regs *ctx, char __user *source,
                   char __user *target, char __user *type,
                   unsigned long flags, char __user *data)
{
    struct data_t event = {};
    struct task_struct *task;
    struct nsproxy *nsproxy;
    struct mnt_namespace *mnt_ns;

    event.pid = bpf_get_current_pid_tgid() & 0xffffffff;
    event.tgid = bpf_get_current_pid_tgid() >> 32;

    event.type = EVENT_MOUNT;
    bpf_get_current_comm(event.enter.comm, sizeof(event.enter.comm));
    event.enter.flags = flags;
    task = (struct task_struct *)bpf_get_current_task();
    nsproxy = task->nsproxy;
    mnt_ns = nsproxy->mnt_ns;
    event.enter.mnt_ns = mnt_ns->ns.inum;
    events.perf_submit(ctx, &event, sizeof(event));

    event.type = EVENT_MOUNT_SOURCE;
    __builtin_memset(event.str, 0, sizeof(event.str));
    bpf_probe_read_user(event.str, sizeof(event.str), source);
    events.perf_submit(ctx, &event, sizeof(event));

    event.type = EVENT_MOUNT_TARGET;
    __builtin_memset(event.str, 0, sizeof(event.str));
    bpf_probe_read_user(event.str, sizeof(event.str), target);
    events.perf_submit(ctx, &event, sizeof(event));

    event.type = EVENT_MOUNT_TYPE;
    __builtin_memset(event.str, 0, sizeof(event.str));
    bpf_probe_read_user(event.str, sizeof(event.str), type);
    events.perf_submit(ctx, &event, sizeof(event));

    event.type = EVENT_MOUNT_DATA;
    __builtin_memset(event.str, 0, sizeof(event.str));
    bpf_probe_read_user(event.str, sizeof(event.str), data);
    events.perf_submit(ctx, &event, sizeof(event));

    return 0;
}

int do_ret_sys_mount(struct pt_regs *ctx)
{
    struct data_t event = {};

    event.type = EVENT_MOUNT_RET;
    event.pid = bpf_get_current_pid_tgid() & 0xffffffff;
    event.tgid = bpf_get_current_pid_tgid() >> 32;
    event.retval = PT_REGS_RC(ctx);
    events.perf_submit(ctx, &event, sizeof(event));

    return 0;
}

int syscall__umount(struct pt_regs *ctx, char __user *target, int flags)
{
    struct data_t event = {};
    struct task_struct *task;
    struct nsproxy *nsproxy;
    struct mnt_namespace *mnt_ns;

    event.pid = bpf_get_current_pid_tgid() & 0xffffffff;
    event.tgid = bpf_get_current_pid_tgid() >> 32;

    event.type = EVENT_UMOUNT;
    bpf_get_current_comm(event.enter.comm, sizeof(event.enter.comm));
    event.enter.flags = flags;
    task = (struct task_struct *)bpf_get_current_task();
    nsproxy = task->nsproxy;
    mnt_ns = nsproxy->mnt_ns;
    event.enter.mnt_ns = mnt_ns->ns.inum;
    events.perf_submit(ctx, &event, sizeof(event));

    event.type = EVENT_UMOUNT_TARGET;
    __builtin_memset(event.str, 0, sizeof(event.str));
    bpf_probe_read_user(event.str, sizeof(event.str), target);
    events.perf_submit(ctx, &event, sizeof(event));

    return 0;
}

int do_ret_sys_umount(struct pt_regs *ctx)
{
    struct data_t event = {};

    event.type = EVENT_UMOUNT_RET;
    event.pid = bpf_get_current_pid_tgid() & 0xffffffff;
    event.tgid = bpf_get_current_pid_tgid() >> 32;
    event.retval = PT_REGS_RC(ctx);
    events.perf_submit(ctx, &event, sizeof(event));

    return 0;
}
"""
186
# sys/mount.h
# Legacy "magic" value that old callers put in the top 16 bits of the mount
# flags; it is masked off before the individual bits are decoded.
MS_MGC_VAL = 0xc0ed0000
MS_MGC_MSK = 0xffff0000
# (name, bit) pairs in the order the names are printed. Bits 8 and 9 have no
# public name and are reported as a raw hex remainder.
MOUNT_FLAGS = [
    ('MS_RDONLY', 1 << 0),
    ('MS_NOSUID', 1 << 1),
    ('MS_NODEV', 1 << 2),
    ('MS_NOEXEC', 1 << 3),
    ('MS_SYNCHRONOUS', 1 << 4),
    ('MS_REMOUNT', 1 << 5),
    ('MS_MANDLOCK', 1 << 6),
    ('MS_DIRSYNC', 1 << 7),
    ('MS_NOATIME', 1 << 10),
    ('MS_NODIRATIME', 1 << 11),
    ('MS_BIND', 1 << 12),
    ('MS_MOVE', 1 << 13),
    ('MS_REC', 1 << 14),
    ('MS_SILENT', 1 << 15),
    ('MS_POSIXACL', 1 << 16),
    ('MS_UNBINDABLE', 1 << 17),
    ('MS_PRIVATE', 1 << 18),
    ('MS_SLAVE', 1 << 19),
    ('MS_SHARED', 1 << 20),
    ('MS_RELATIME', 1 << 21),
    ('MS_KERNMOUNT', 1 << 22),
    ('MS_I_VERSION', 1 << 23),
    ('MS_STRICTATIME', 1 << 24),
    ('MS_LAZYTIME', 1 << 25),
    ('MS_ACTIVE', 1 << 30),
    ('MS_NOUSER', 1 << 31),
]
UMOUNT_FLAGS = [
    ('MNT_FORCE', 1 << 0),
    ('MNT_DETACH', 1 << 1),
    ('MNT_EXPIRE', 1 << 2),
    ('UMOUNT_NOFOLLOW', 1 << 3),
]
224
225
# Sizes that fix the ctypes layout below. They must match the kernel's
# TASK_COMM_LEN (linux/sched.h) and the MAX_STR_LEN #define in bpf_text;
# a mismatch would silently mis-decode every record.
TASK_COMM_LEN = 16  # linux/sched.h
MAX_STR_LEN = 412
228
229
class EventType(object):
    """Python mirror of ``enum event_type`` in ``bpf_text``.

    The values are the enum's positional values, so this class and the C
    enum must be kept in the same order.
    """
    EVENT_MOUNT = 0
    EVENT_MOUNT_SOURCE = 1
    EVENT_MOUNT_TARGET = 2
    EVENT_MOUNT_TYPE = 3
    EVENT_MOUNT_DATA = 4
    EVENT_MOUNT_RET = 5
    EVENT_UMOUNT = 6
    EVENT_UMOUNT_TARGET = 7
    EVENT_UMOUNT_RET = 8
240
241
class EnterData(ctypes.Structure):
    """Mirror of the anonymous ``enter`` struct inside ``struct data_t``.

    Populated for EVENT_MOUNT and EVENT_UMOUNT records.
    """
    _fields_ = [
        # current->nsproxy->mnt_ns->ns.inum, read by the BPF program
        ('mnt_ns', ctypes.c_uint),
        ('comm', ctypes.c_char * TASK_COMM_LEN),
        # `unsigned long` on the kernel side. NOTE(review): c_ulong takes the
        # width of the interpreter's own C `unsigned long`, so this layout
        # presumably assumes a Python of the same word size as the kernel.
        ('flags', ctypes.c_ulong),
    ]
248
249
class DataUnion(ctypes.Union):
    """Mirror of the anonymous union in ``struct data_t``.

    Which member is valid depends on the record's ``type`` (see EventType).
    """
    _fields_ = [
        # EVENT_MOUNT, EVENT_UMOUNT
        ('enter', EnterData),
        # EVENT_MOUNT_SOURCE/TARGET/TYPE/DATA and EVENT_UMOUNT_TARGET
        ('str', ctypes.c_char * MAX_STR_LEN),
        # EVENT_MOUNT_RET, EVENT_UMOUNT_RET
        ('retval', ctypes.c_int),
    ]
256
257
class Event(ctypes.Structure):
    """One perf-buffer record, laid out like ``struct data_t`` in bpf_text."""
    _fields_ = [
        # an EventType value
        ('type', ctypes.c_uint),
        # low 32 bits of bpf_get_current_pid_tgid(): the thread id
        ('pid', ctypes.c_uint),
        # high 32 bits: the thread-group (process) id
        ('tgid', ctypes.c_uint),
        ('union', DataUnion),
    ]
265
266
def _decode_flags(flags, flag_list):
    """Return the names from *flag_list* whose bits are set in *flags*.

    Bits that have no name are reported as one trailing hex literal. When
    no named bit is set the hex literal is always emitted, so 0 decodes
    to ``['0x0']`` rather than an empty list.
    """
    names = []
    remaining = flags
    for name, bit in flag_list:
        if not remaining & bit:
            continue
        names.append(name)
        remaining &= ~bit
    if remaining or not names:
        names.append('0x{:x}'.format(remaining))
    return names
276
277
def decode_flags(flags, flag_list):
    """Render *flags* as a ``|``-joined string using the names in *flag_list*."""
    parts = _decode_flags(flags, flag_list)
    return '|'.join(parts)
280
281
def decode_mount_flags(flags):
    """Render mount(2) flags by name, peeling off the legacy magic first.

    If the top 16 bits carry MS_MGC_VAL they are reported as that name and
    masked out before the remaining bits are decoded against MOUNT_FLAGS.
    """
    remaining = flags
    names = []
    has_magic = (remaining & MS_MGC_MSK) == MS_MGC_VAL
    if has_magic:
        names.append('MS_MGC_VAL')
        remaining &= ~MS_MGC_MSK
    names += _decode_flags(remaining, MOUNT_FLAGS)
    return '|'.join(names)
289
290
def decode_umount_flags(flags):
    """Render umount2(2) flags by name using UMOUNT_FLAGS."""
    parts = _decode_flags(flags, UMOUNT_FLAGS)
    return '|'.join(parts)
293
294
def decode_errno(retval):
    """Render a syscall return value, naming negative errno values.

    ``-2`` becomes ``'-ENOENT'``; anything that is not a known negative
    errno (0, positive values, unknown codes) is printed as a plain number.
    """
    code = errno.errorcode.get(-retval)
    if code is None:
        return str(retval)
    return '-' + code
300
301
# Byte value -> C-style escape for the characters that would otherwise make
# a printed mount string ambiguous (control characters, the quote, and the
# backslash). Everything else is handled by escape_character().
_escape_chars = dict(
    (ord(raw), escaped)
    for raw, escaped in (
        ('\a', '\\a'),
        ('\b', '\\b'),
        ('\t', '\\t'),
        ('\n', '\\n'),
        ('\v', '\\v'),
        ('\f', '\\f'),
        ('\r', '\\r'),
        ('"', '\\"'),
        ('\\', '\\\\'),
    )
)
313
314
def escape_character(c):
    """Return the printable form of byte value *c*.

    Characters in ``_escape_chars`` get their C escape, printable ASCII is
    returned as-is, and everything else becomes a ``\\xNN`` escape.
    """
    escaped = _escape_chars.get(c)
    if escaped is not None:
        return escaped
    is_printable = 0x20 <= c <= 0x7e
    return chr(c) if is_printable else '\\x{:02x}'.format(c)
323
324
# Iterating a byte string yields 1-character strings on Python 2 and ints on
# Python 3; escape_character() wants the integer value, so pick the matching
# definition once at import time.
if sys.version_info.major < 3:
    def decode_mount_string(s):
        """Return *s* as a double-quoted string with C-style escapes."""
        escaped = ''.join(escape_character(ord(ch)) for ch in s)
        return '"{}"'.format(escaped)
else:
    def decode_mount_string(s):
        """Return *s* (bytes) as a double-quoted string with C-style escapes."""
        escaped = ''.join(map(escape_character, s))
        return '"{}"'.format(escaped)
331
332
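def _enter_record(event):
    """Build the in-flight call record from an EVENT_MOUNT/EVENT_UMOUNT event."""
    return {
        'pid': event.pid,
        'tgid': event.tgid,
        'mnt_ns': event.union.enter.mnt_ns,
        'comm': event.union.enter.comm,
        'flags': event.union.enter.flags,
    }


def _format_mount_call(syscall, retval):
    """Render a completed mount() call in C-call notation.

    Raises KeyError if one of the string records for the call never arrived.
    """
    return ('mount({source}, {target}, {type}, {flags}, {data}) ' +
            '= {retval}').format(
        source=decode_mount_string(syscall['source']),
        target=decode_mount_string(syscall['target']),
        type=decode_mount_string(syscall['type']),
        flags=decode_mount_flags(syscall['flags']),
        data=decode_mount_string(syscall['data']),
        retval=decode_errno(retval))


def _format_umount_call(syscall, retval):
    """Render a completed umount() call in C-call notation.

    Raises KeyError if the target record for the call never arrived.
    """
    return 'umount({target}, {flags}) = {retval}'.format(
        target=decode_mount_string(syscall['target']),
        flags=decode_umount_flags(syscall['flags']),
        retval=decode_errno(retval))


def _print_call(syscall, call):
    """Print one finished call as a row of the table whose header main() prints."""
    print('{:16} {:<7} {:<7} {:<11} {}'.format(
        syscall['comm'].decode('utf-8', 'replace'), syscall['tgid'],
        syscall['pid'], syscall['mnt_ns'], call))


def print_event(mounts, umounts, cpu, data, size):
    """Perf-buffer callback: reassemble one mount()/umount() call and print it.

    The BPF side emits several records per syscall (the enter record, one
    record per string argument, then the return record). They are correlated
    by thread id in ``mounts``/``umounts`` until the return record arrives,
    at which point the call is printed and the entry removed.

    Args:
        mounts: dict keyed by thread id holding in-flight mount() calls.
        umounts: dict keyed by thread id holding in-flight umount() calls.
        cpu: CPU the record was produced on (unused).
        data: pointer to the raw record.
        size: length of the raw record in bytes.
    """
    # A record shorter than Event would be read past its end by the cast
    # below; drop it (and say so once) rather than decode garbage.
    if size < ctypes.sizeof(Event):
        if not getattr(print_event, '_warned_short', False):
            print_event._warned_short = True
            print('mountsnoop: dropping short event record ({} < {} bytes)'
                  .format(size, ctypes.sizeof(Event)), file=sys.stderr)
        return
    event = ctypes.cast(data, ctypes.POINTER(Event)).contents
    etype = event.type

    try:
        if etype == EventType.EVENT_MOUNT:
            mounts[event.pid] = _enter_record(event)
        elif etype == EventType.EVENT_MOUNT_SOURCE:
            mounts[event.pid]['source'] = event.union.str
        elif etype == EventType.EVENT_MOUNT_TARGET:
            mounts[event.pid]['target'] = event.union.str
        elif etype == EventType.EVENT_MOUNT_TYPE:
            mounts[event.pid]['type'] = event.union.str
        elif etype == EventType.EVENT_MOUNT_DATA:
            # XXX: data is not always a NUL-terminated string; a c_char array
            # yields bytes up to the first NUL, so binary payloads are cut.
            mounts[event.pid]['data'] = event.union.str
        elif etype == EventType.EVENT_UMOUNT:
            umounts[event.pid] = _enter_record(event)
        elif etype == EventType.EVENT_UMOUNT_TARGET:
            umounts[event.pid]['target'] = event.union.str
        elif etype == EventType.EVENT_MOUNT_RET:
            syscall = mounts.pop(event.pid)
            _print_call(syscall, _format_mount_call(syscall, event.union.retval))
        elif etype == EventType.EVENT_UMOUNT_RET:
            syscall = umounts.pop(event.pid)
            _print_call(syscall, _format_umount_call(syscall, event.union.retval))
    except KeyError:
        # A record whose earlier records were lost (perf buffer overrun);
        # there is nothing coherent to print for it. Note that if the *return*
        # record is the one lost, the entry stays in mounts/umounts until the
        # same thread id makes another call.
        pass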
388
389
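def main():
    """Parse arguments, load the BPF program and print calls until Ctrl-C.

    ``--ebpf`` (hidden from ``-h``) prints the embedded BPF source and exits
    before anything is loaded into the kernel.
    """
    parser = argparse.ArgumentParser(
        description='trace mount() and umount() syscalls'
    )
    parser.add_argument("--ebpf", action="store_true",
                        help=argparse.SUPPRESS)
    args = parser.parse_args()

    if args.ebpf:
        print(bpf_text)
        # sys.exit() rather than the exit() builtin: the latter is installed
        # by the site module and is missing under `python -S` or embedding.
        sys.exit()

    mounts = {}
    umounts = {}
    b = bcc.BPF(text=bpf_text)
    # get_syscall_fnname() resolves the running kernel's entry symbol for the
    # syscall; the kprobe sees the arguments, the kretprobe the return value.
    mount_fnname = b.get_syscall_fnname("mount")
    b.attach_kprobe(event=mount_fnname, fn_name="syscall__mount")
    b.attach_kretprobe(event=mount_fnname, fn_name="do_ret_sys_mount")
    umount_fnname = b.get_syscall_fnname("umount")
    b.attach_kprobe(event=umount_fnname, fn_name="syscall__umount")
    b.attach_kretprobe(event=umount_fnname, fn_name="do_ret_sys_umount")
    # print_event keeps per-thread state in the two dicts across callbacks.
    b['events'].open_perf_buffer(
        functools.partial(print_event, mounts, umounts))
    print('{:16} {:<7} {:<7} {:<11} {}'.format(
        'COMM', 'PID', 'TID', 'MNT_NS', 'CALL'))
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            sys.exit()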
Omar Sandovale822a812016-10-16 12:31:32 -0700420
421
# Script entry point; importing the module only defines the helpers above.
if __name__ == '__main__':
    main()