TLDR
''''
To compile all code, enter:
make
any of the tools one wants to use, symlink the *.bash function to somewhere
in PATH; I have $HOME/bin in path, so I do:
ln -sr log-*.bash $HOME/bin
(then one can mv(1) away the -{num}.bash in $HOME/bin)
--
log-dlproc-life
'''''''''''''''
Attempt to log start and exit information of execution of dynamically
loadable binary executables.
This is done by adding init and fini functions, and some wrapper functions
to LD_PRELOADable file.
There are wrapper functions for fork, execve and wait* functions.
This catches what it catches; there may be other interesting syscalls
this is not wrapping; some libraries may do calls that are not catchable
by the LD_PRELOAD code this is implementing and finally -- the execve'd
process may not use dynamic loader at all (being "statically" linked).
Anyway, one may find this useful. Try it.
To try it, execute:
./log-dlproc-life-973.bash logpfx '.' env env env true
And then execute
${PAGER:-less} logpfx.js0n
to examine what got logged.
--
log-statopen
''''''''''''
This is quick addition to "mitigate" the problem with inotify(7) (and
fanotify(7)) which does not (cannot) notice *stat*(2) calls. The code
is "stripped" version of ldpreload-vsfa.so seen elsewhere -- the bash
wrapper is almost identical to the log-dlproc-life version, so
bringing the code here was seen like quick and easy option.
To try it, execute:
./log-statopen-974.bash statopens '.' stat /dev/null
And then execute
${PAGER:-less} statopens
to examine what got logged.
--
log-execs
'''''''''
This attempts to log execve() syscall and execv(), execvp(), execvpe(), and
execl(), execlp(), execle() c library calls (execl*() fn's use execv*() after
wrapped due to varargs...
To try it, execute:
sh more/execs.c
./log-execs-975.bash logexxs '.' ./execs
rm execs
And then execute
${PAGER:-less} logexxs.js0n
to examine what got logged.
--
The rest references log-dlproc-life. log-statopen can be thought to be
used in many of those cases, too...
====
Simplest way to "install" is to symlink log-dlproc-life-973.bash
(or more/log-dlproc-life-973.pl, informed below) to somewhere in
$PATH, and leave cloned repository lying around.
That's is how I do it.
(if, someday, we wanted "out of tree" .so build,
then that has to be thought further...)
--
Currently subdirectory ./more/ has the following files:
- more/log-dlproc-life-973.pl
- to do the same as log-dlproc-life-973.bash, using fd 973
- other shells (I tried) are not capable of redirecting fd's over 9
- more/minenv.sh
- wrapper to execute commandline with "minimal" environment variables
- does not change content of those.. but check in the script for more info
- more/sctime.c
- prints some approximation of the overhead this wrapper uses
- in my tries on one system showed took 1-2 microsecond for a syscall
- functions that are not syscalls time was <~100 nanoseconds
- if floating point accuracy is 10 microsecond in values of >1_000_000_000
then overhead is so large that the accuracy is good enough
- compile by executing sh more/sctime.c (writes ./sctime)
- more/execs.c
- executes all exec* functions ldpreload-log-execs.c wraps
.