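#! /usr/bin/env stap
#
# Copyright (C) 2018 Kyle Walker
#
# This copyrighted material is made available to anyone wishing to use,
# modify, copy, or redistribute it subject to the terms and conditions
# of the GNU General Public License, either version 2 of the License, or
# (at your option) any later version
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Description:
#   Takes a single argument and monitors for execve syscalls that
#   include that argument in the argv array.
#
#   The argument (@1) is used verbatim as an unanchored regular expression
#   against the rendered argv list, e.g. ["/bin/echo", "test"].  It therefore
#   matches as a substring ("test" also matches "latest"), and any regex
#   metacharacters in it are interpreted rather than matched literally.
#   Only execve(2) is probed; executions issued via execveat(2) (and thus
#   fexecve(3)) are not reported by this script.
#
# Author: Kyle Walker
#
# ChangeLog:
# * Thursday November 8 - Kyle Walker
#   Initial release.
#
# Example of usage:
#
#   # stap execve-monitor.stp test &
#   # Now monitoring for "test"
#   # /bin/echo test
#   test
#
#   Thu Nov 8 09:31:03 2018 EST: execve: ["/bin/echo", "test"] was issued by swapper/0[0] -> systemd[1] -> sshd[1066] -> sshd[7718] -> sshd[7721] -> bash[7722] -> sudo[7762] -> su[7763] -> bash[2982]
#
#   (The chain above was produced by the initial release, which omitted the
#   caller's immediate parent; get_parents() now includes it.)
#

# Announce the pattern being watched for, once, at session start.
probe begin {
    printf("Now monitoring for \"%s\"\n", @1)
}

# Return the ancestry of the current task as a string of "name[pid] -> "
# entries, outermost ancestor first, ending with the arrow that precedes the
# caller's own "name[pid]" (which the execve probe appends).
#
# The walk starts at the immediate parent of the current task and records
# each task *before* stepping to its parent, stopping after pid 0 (swapper,
# which is its own parent) has been recorded.  Recording before stepping is
# what keeps the direct parent in the chain; the original stepped first and
# so silently dropped it (su[7763] -> bash[2982] in the header example was
# missing the interactive shell in between).
function get_parents () {
    retstr = "";
    parent = task_parent(task_current());
    while (1) {
        retstr = sprintf("%s[%d] -> %s", task_execname(parent), task_pid(parent), retstr);
        # pid 0 is the root of the task tree; its parent is itself, so stop here.
        if (task_pid(parent) <= 0) break;
        parent = task_parent(parent);
    }
    return retstr;
}

# Report each execve(2) whose rendered argv matches @1.
# @1 is substituted at translate time and compiled as the regex for =~; it is
# unanchored, so the match is a substring match, and metacharacters in the
# argument are interpreted.  execname()/pid() identify the task that issued
# the syscall (the forked child, still running the parent's image at this
# point), and get_parents() supplies everything above it.
probe syscall.execve {
    if (args =~ @1) {
        printf("%-25s: execve: %s was issued by %s%s[%d]\n",
               tz_ctime(gettimeofday_s()), args, get_parents(),
               execname(), pid())
    }
}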