D47127.id145149.diff
View Options

	diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
	--- a/sys/kern/kern_exec.c
	+++ b/sys/kern/kern_exec.c
	@@ -354,7 +354,11 @@
	exec_args_get_begin_envv(args) - args->begin_argv);
	AUDIT_ARG_ENVV(exec_args_get_begin_envv(args), args->envc,
	args->endp - exec_args_get_begin_envv(args));
	-
	+#ifdef KTRACE
	+ if (KTRPOINT(td, KTR_EXECVE_ARGS)) {
	+ ktrexecveargs(args);
	+ }
	+#endif
	/* Must have at least one argument. */
	if (args->argc == 0) {
	exec_free_args(args);
	diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
	--- a/sys/kern/kern_ktrace.c
	+++ b/sys/kern/kern_ktrace.c
	@@ -58,6 +58,7 @@
	#include <sys/sysent.h>
	#include <sys/syslog.h>
	#include <sys/sysproto.h>
	+#include <sys/imgact.h>

	#include <security/mac/mac_framework.h>

	@@ -124,6 +125,7 @@
	[KTR_FAULT] = sizeof(struct ktr_fault),
	[KTR_FAULTEND] = sizeof(struct ktr_faultend),
	[KTR_STRUCT_ARRAY] = sizeof(struct ktr_struct_array),
	+ [KTR_EXECVE_ARGS] = 0,
	};

	static STAILQ_HEAD(, ktr_request) ktr_free;
	@@ -559,6 +561,25 @@
	ktr_submitrequest(curthread, req);
	}

	+void
	+ktrexecveargs(struct image_args *args)
	+{
	+ struct ktr_request *req;
	+ int argc;
	+ char* buf = NULL;
	+
	+ argc = exec_args_get_begin_envv(args) - args->begin_argv;
	+ buf = malloc(argc, M_KTRACE, M_WAITOK);
	+ bcopy(args->begin_argv, buf, argc);
	+ req = ktr_getrequest(KTR_EXECVE_ARGS);
	+ if (req == NULL) {
	+ return;
	+ }
	+ req->ktr_header.ktr_len = argc;
	+ req->ktr_buffer = buf;
	+ ktr_submitrequest(curthread, req);
	+}
	+
	void
	ktrsysret(int code, int error, register_t retval)
	{
	diff --git a/sys/sys/ktrace.h b/sys/sys/ktrace.h
	--- a/sys/sys/ktrace.h
	+++ b/sys/sys/ktrace.h
	@@ -263,6 +263,8 @@
	*/
	};

	+#define KTR_EXECVE_ARGS 16
	+
	/*
	* KTR_DROP - If this bit is set in ktr_type, then at least one event
	* between the previous record and this record was dropped.
	@@ -295,6 +297,7 @@
	#define KTRFAC_FAULT (1<<KTR_FAULT)
	#define KTRFAC_FAULTEND (1<<KTR_FAULTEND)
	#define KTRFAC_STRUCT_ARRAY (1<<KTR_STRUCT_ARRAY)
	+#define KTRFAC_EXECVE_ARGS (1<<KTR_EXECVE_ARGS)

	/*
	* trace flags (also in p_traceflags)
	@@ -305,6 +308,7 @@

	#ifdef _KERNEL
	struct ktr_io_params;
	+struct image_args;

	#ifdef KTRACE
	struct vnode ktr_get_tracevp(struct proc , bool);
	@@ -335,6 +339,7 @@
	void ktrstruct_error(const char , const void , size_t, int);
	void ktrstructarray(const char , enum uio_seg, const void , int, size_t);
	void ktrcapfail(enum ktr_cap_violation, const void *);
	+void ktrexecveargs(struct image_args *);
	#define ktrcaprights(s) \
	ktrstruct("caprights", (s), sizeof(cap_rights_t))
	#define ktritimerval(s) \
	diff --git a/usr.bin/kdump/kdump.c b/usr.bin/kdump/kdump.c
	--- a/usr.bin/kdump/kdump.c
	+++ b/usr.bin/kdump/kdump.c
	@@ -117,6 +117,7 @@
	void ktrbitset(char , struct bitset , size_t);
	void ktrsyscall_freebsd(struct ktr_syscall ktr, register_t *resip,
	int resnarg, char resc, u_int sv_flags);
	+void ktrexecveargs(char* args, int num);
	void usage(void);

	#define TIMESTAMP_NONE 0x0
	@@ -515,6 +516,9 @@
	case KTR_STRUCT_ARRAY:
	ktrstructarray((struct ktr_struct_array *)m, ktrlen);
	break;
	+ case KTR_EXECVE_ARGS:
	+ ktrexecveargs((char*)m, ktrlen);
	+ break;
	default:
	printf("\n");
	break;
	@@ -699,6 +703,9 @@
	case KTR_FAULTEND:
	type = "PRET";
	break;
	+ case KTR_EXECVE_ARGS:
	+ type = "EXEC";
	+ break;
	default:
	sprintf(unknown, "UNKNOWN(%d)", kth->ktr_type);
	type = unknown;
	@@ -1646,6 +1653,23 @@
	printf("\"%.*s\"\n", len, cp);
	}

	+void
	+ktrexecveargs(char* args, int num)
	+{
	+ int i;
	+
	+ i = 0;
	+ printf("ARGS: ");
	+ while (i < num) {
	+ printf("\"%s\"", args + i);
	+ i += strlen(args + i) + 1;
	+ if (i != num) {
	+ printf(", ");
	+ }
	+ }
	+ printf("\n");
	+}
	+
	void
	hexdump(char *p, int len, int screenwidth)
	{
	diff --git a/usr.bin/ktrace/ktrace.h b/usr.bin/ktrace/ktrace.h
	--- a/usr.bin/ktrace/ktrace.h
	+++ b/usr.bin/ktrace/ktrace.h
	@@ -31,7 +31,8 @@

	#define DEF_POINTS (KTRFAC_SYSCALL \| KTRFAC_SYSRET \| KTRFAC_NAMEI \| \
	KTRFAC_GENIO \| KTRFAC_PSIG \| KTRFAC_USER \| \
	- KTRFAC_STRUCT \| KTRFAC_SYSCTL \| KTRFAC_STRUCT_ARRAY)
	+ KTRFAC_STRUCT \| KTRFAC_SYSCTL \| KTRFAC_STRUCT_ARRAY \| \
	+ KTRFAC_EXECVE_ARGS)

	#define PROC_ABI_POINTS (KTRFAC_PROCCTOR \| KTRFAC_PROCDTOR)

	diff --git a/usr.bin/ktrace/ktrace.1 b/usr.bin/ktrace/ktrace.1
	--- a/usr.bin/ktrace/ktrace.1
	+++ b/usr.bin/ktrace/ktrace.1
	@@ -142,6 +142,10 @@
	trace
	.Xr sysctl 3
	requests
	+.It Cm e
	+trace
	+.Xr execve 2
	+requests
	.It Cm +
	trace the default set of trace points -
	.Cm c , i , n , s , t , u , y
	diff --git a/usr.bin/ktrace/subr.c b/usr.bin/ktrace/subr.c
	--- a/usr.bin/ktrace/subr.c
	+++ b/usr.bin/ktrace/subr.c
	@@ -81,6 +81,9 @@
	case 'y':
	facs \|= KTRFAC_SYSCTL;
	break;
	+ case 'e':
	+ facs \|= KTRFAC_EXECVE_ARGS;
	+ break;
	case '+':
	facs \|= DEF_POINTS;
	break;

File Metadata

Mime Type: text/plain
Expires: Thu, Nov 7, 10:40 AM (20 h, 17 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 14509968
Default Alt Text: D47127.id145149.diff (4 KB)

D47127.id145149.diff
No OneTemporary
Actions

D47127.id145149.diff
View Options

File Metadata

Event Timeline

D47127.id145149.diffNo OneTemporaryActions

D47127.id145149.diffView Options

File Metadata

Event Timeline

D47127.id145149.diff
No OneTemporary
Actions

D47127.id145149.diff
View Options