Re: [dtrace-discuss] need bulletproof method for getting absolute file paths

Sun, 02 Aug 2015 02:21:08 -0700 

On 08/01/15 23:52, Edward Peschko wrote:
get the current directory at the start of the process and the keep track of the chdir syscalls? 

regards,


All,


I would have thought this was a simple question, but apparently not. 
Is there a bulletproof method for getting absolute file paths, on for 
example an open system call?


Background - I tried the filebyproc.d one liner:

syscall::open*:entry { printf("%s %s", execname, copyinstr(arg0)); }



but arg0 in that case refers to the argument to open, i.e.: it is 
either absolute or relative.



So I went on to try to use curproc to get the path, as well as cwd.


        this->path = (curproc->p_fd->fd_cdir->v_name);



and then combine this with the relative path to get what looks like an 
absolute path. But that doesn't work apparently (it gives the path 
alright, but only one level of the path, at least on mac osx).




Finally I thought I might try cross-referencing the pid with what is 
in /proc/<pid> to lookup the information there in a script outside of 
dtrace, but that has issues with timing (i.e.: if the process exited 
before I could get the information in /proc/<pid> I was out of luck).




So that's where I stand. I'd like a nice, cross-platform way to get 
the absolute path of a file that is triggered by a call to open*:entry 
to catalog all file accesses to my machine in a way that is 
unambiguous and can be universally tracked. Is there a way to do this 
in dtrace proper?




Failing that - is there a way to make dtrace not do any buffering of 
output, i.e.: set auto flush on the dtrace script?  If I could catch 
and parse the line as it was immediately output, the chance of me 
having a pid close before having a chance to parse it would go down..



Thanks much for any help,


Ed



*dtrace-discuss* | Archives 
<https://www.listbox.com/member/archive/184261/=now> 
<https://www.listbox.com/member/archive/rss/184261/25083589-14c642fc> 
| Modify 
<https://www.listbox.com/member/?&;> 
Your Subscription 	[Powered by Listbox] <http://www.listbox.com>







-------------------------------------------
dtrace-discuss
Archives: https://www.listbox.com/member/archive/184261/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184261/25769126-e243886f
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=25769126&id_secret=25769126-8d47a7b2
Powered by Listbox: http://www.listbox.com






















					Reply via email to