On Sun, 20 Nov 2022 23:47:19 -0800
Paul Allen Newell <pnewell0705(a)gmail.com> wrote:
On 11/20/22 20:17, Jerry James wrote:
> If you can't figure this out otherwise, here's a heavyweight
> solution. Install the systemtap package. Run "sudo stap-prep".
> Put this in a file named, say, events.stp, and replace "<username>"
> with your actual username:
>
> ```
> probe vfs.open
> {
>   if (pathname == "/home/<username>/events.json")
>     printf("events.json created by %s (pid %d, uid %d)\n",
>            execname(), pid(), uid())
> }
> ```
>
> That's crude, because it doesn't check that the file is opened in
> create mode, but it will do for your case. Delete events.json, then
> run "sudo stap events.stp". Come back later and see if it has
> printed anything. If I run "touch events.json" in another shell,
> for example, it prints:
>
> events.json created by touch (pid 39957, uid 1000)
>
> Press Ctrl-C to exit from stap when you are done.

Jerry:

Can you give a bit more info on this? Where does "events.stp" need to
live and is the material in your ''' all that needs to be in the file
(the use of ''' implies there is something else either before and/or
after

This is from the stap man page:

    The stap program is the front-end to the Systemtap tool. It accepts
    probing instructions written in a simple domain-specific language,
    translates those instructions into C code, compiles this C code, and
    loads the resulting module into a running Linux kernel or a Dyninst
    user-space mutator, to perform the requested system trace/probe
    functions. You can supply the script in a named file (FILENAME),
    from standard input (use - instead of FILENAME), or from the command
    line (using -e SCRIPT). The program runs until it is interrupted by
    the user, or if the script voluntarily invokes the exit() function, or
    by sufficient number of soft errors.

This is just a snippet of code that stap will implement when you run it
on the file. I think the three ... are just markers to indicate the
code. As to where it should go, a file in your home directory is fine.
You would have to run the sudo stap events.stp in the directory where
it resides, or use a path to the executable. Or maybe
sudo stap -e events.stp
from what I can see in the manual.
Caveat: I haven't used stap, just got this from the extensive man page.
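
The create-mode check that the quoted script leaves out, as an added example that is not part of the thread and not written by its participants: it probes the open and openat system calls and reports only opens that pass O_CREAT. The 0x40 value for O_CREAT (x86 and ARM Linux), the match on the bare file name, and the file name events-create.stp used below are assumptions.

```systemtap
# Added example: report only opens of events.json that request creation.
#
# Assumption: O_CREAT is 0x40 on this architecture (true for x86 and ARM
# Linux; some other architectures use a different value).
#
# The match is on the file name rather than the full path, because a
# program may pass a relative path such as "events.json" to open().
# An events.json created in any other directory is therefore reported too;
# the printed path shows which one it was.

probe syscall.open, syscall.openat
{
  # "flags" and "filename" are set by the syscall tapset for both probes.
  if ((flags & 0x40) && isinstr(filename, "events.json"))
    printf("%s: %s opened with O_CREAT by %s (pid %d, ppid %d, uid %d)\n",
           ctime(gettimeofday_s()), filename,
           execname(), pid(), ppid(), uid())
}
```

Save it as, say, events-create.stp and run "sudo stap events-create.stp" as with the original script. A program that writes a temporary file and then renames it to events.json never opens that name with O_CREAT, so it would not be reported by this check.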