2.2 Tracing System Calls

System calls are the interface between user programs and the kernel, which performs operations on the programs' behalf.

The next D program, syscalls.d, uses syscall probes to record open() system call activity on a system.

Example 2.2 syscalls.d: Record open() system calls on a system

/* syscalls.d -- Record open() system calls on a system */

syscall::open:entry
{
  printf("%-16s %-16s\n",execname,copyinstr(arg0));
}

In this example, we use the printf() function to display the name of the executable that is calling open() and the path name of the file that it is attempting to open.

Note

We use the copyinstr() function to convert the first argument (arg0) in the open() call to a string. Whenever a probe accesses a pointer to data in the address space of a user process, you must use one of the copyin(), copyinstr(), or copyinto() functions to copy the data from user space to a DTrace buffer in kernel space. In this example, it is appropriate to use copyinstr() as the pointer refers to a character array. If the string is not null-terminated, you also need to specify the length of the string to copyinstr(), for example: copyinstr(arg1, arg2) for a system call such as write(). For more information, see User Process Tracing in the Oracle Linux Dynamic Tracing Guide.

Before using dtrace to run the script, we load the systrace kernel module to enable the syscall provider probes. (This is only necessary if the module has not already been loaded.)

# modprobe systrace
# dtrace -q -s syscalls.d
udisks-daemon    /dev/sr0               
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/present
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/energy_now
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/voltage_max_design
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/voltage_min_design
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/status
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/current_now
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/voltage_now     
VBoxService      /var/run/utmp         
firefox          /home/guest/.mozilla/firefox/qeaojiol.default/sessionstore.js
firefox          /home/guest/.mozilla/firefox/qeaojiol.default/sessionstore-1.js
firefox          /home/guest/.mozilla/firefox/qeaojiol.default/sessionstore-1.js    
^C
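
The following script is an added example, not part of the original tutorial. It applies the copyinstr(arg1, arg2) form mentioned in the note to the write() system call. The script name writes.d and the restriction to file descriptors 1 and 2 (stdout and stderr) are choices made for this example.

```d
/* writes.d -- Show the data that processes write to stdout and stderr */

syscall::write:entry
/arg0 == 1 || arg0 == 2/
{
  /*
   * write(fd, buf, count): arg0 is the file descriptor, arg1 points to a
   * buffer in user space, and arg2 is the number of bytes in that buffer.
   * The buffer is not null-terminated, so pass its length to copyinstr().
   */
  printf("%-16s fd=%d len=%-6d %s\n", execname, arg0, arg2,
      copyinstr(arg1, arg2));
}
```

Run it in the same way as syscalls.d, using dtrace -q -s writes.d. The copied string is still limited by the strsize option, so long writes appear truncated in the output.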