Working on -e trace

Thu Feb 11 10:41:19 UTC 2016

On Thu, 11 Feb 2016 10:47:22 +0530
haris iqbal <haris.phnx at gmail.com> wrote:

> Hello,
> 
> I have understood a fair amount of working, how -e trace=option works.
> 
> Through the init() --> qualify()
> 
>     for (p = strtok(copy, ","); p; p = strtok(NULL, ",")) {
>         int n;
>         if (opt->bitflag == QUAL_TRACE && (n = lookup_class(p)) > 0) {
>             unsigned pers;
>             for (pers = 0; pers < SUPPORTED_PERSONALITIES; pers++) {
>                 for (i = 0; i < nsyscall_vec[pers]; i++)
>                     if (sysent_vec[pers][i].sys_flags & n)
>                         qualify_one(i, opt->bitflag, not, pers);
>             }
>             continue;
>         }
> 
> This piece of code is doing the magic. Now the lookupclass() uses the
> bit set by the macros which is used to set the bits in qual_vec.
> through qualify_one().
> 
> Although I am not understanding how the macros
> 
> TRACE_FILE, TRACE_IPC, TRACE_NETWORK, etc which corresponds to the
> bits 001, 002, 004, work and set the particular system call bit in
> qual_vec. I mean what will be the bit if I want to add TRACE_OPEN_LIKE
> or something like that.
> 
> Btw, I am still trying to understand how qual_vec is used to trace
> only particular system calls. May be the knowledge will help me
> contribute more.

You need to add another TRACE_* macro to defs.h, you should just find a
bit that is not used.

After that, you need to add in syscall.c the short name for your macro,
and use it in all the syscallent.h files.

> A Note. I saw at many critical places you are using wait4() system
> call to wait for the process. I read it is obsolete. Should we worry
> about it and think of changing it to waitpid() and getrusage() at
> places.

Imho this is not necessary, wait4() is will stay in the kernel anyway.

-- 
Gabriel Laskar