
Underneath the Mac OS X directory /audit I have certain files which users can access and chmod to their liking.

I need to audit any chmod done on any files by recording the time, user and file being chmod, especially the latter.

I can dtrace -n 'syscall::chmod:entry' and detect the events, how do I read the first argument to chmod?

man 2 chmod tells me the path is in the first argument:

chmod(const char *path, mode_t mode);

but how can I read args[0]? I think I am doing this the wrong way around. Perhaps entry doesn't correspond to the actual syscall?

If I have a probe I can monitor, how can I check which parameters it offers for access and what types they are? I am assuming some pointers will need to be dereferenced based on their data layout.

clk
Robottinosino

1 Answer


The argument's in arg0, but that's the caller's userspace address rather than the actual string. You need to wrap it with a copyinstr() as well:

dtrace -n 'syscall::chmod:entry { printf("%d %s", uid, copyinstr(arg0)); }'
Scott Lamb
  • Can I also substitute arg0 with something else I prefer? Before or after the line executes? Can I prevent execution of the line altogether? – Robottinosino Sep 15 '11 at 06:19
  • I don't think you can substitute arg0. The only way I can see to prevent execution of the syscall altogether would be to use the [destructive action](http://download.oracle.com/docs/cd/E18752_01/html/817-6223/chp-actsub-4.html) raise(9) which would kill the process trying to do the chmod. – Scott Lamb Sep 15 '11 at 07:12
  • Instead of killing the "offender" one could temporarily substitute the filename with an empty string: in the `:entry` probe, use `copyin()` to remember the first byte of the name (into `self->t`, for example), then `copyout()` to overwrite it with `\0`, and in the `:return` probe restore the previous byte. It's not 100% safe to do that (again, destructive actions required); if the offending process is multithreaded, this can race if the memory where the filename is stored is used/accessed concurrently by multiple threads. – FrankH. Jan 30 '12 at 10:08
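A complete audit script built on the copyinstr() one-liner in the answer above, added here as an example; it is not code from the original post or its commenters. It assumes the /audit directory from the question is the only prefix of interest, and it extends the answer by also watching fchmod(2) (whose first argument is a descriptor, resolved through DTrace's fds[] array) and by reporting at the :return probe so that errno is available:

```d
#!/usr/sbin/dtrace -s
/*
 * chmod_audit.d -- added example, not code from the original post.
 * Logs time, uid, pid, program, requested mode and path for every
 * chmod(2)/fchmod(2) whose path starts with /audit/ (assumption: that
 * prefix, taken from the question, is the only one you care about).
 * Run as root:  dtrace -s chmod_audit.d
 */

#pragma D option quiet

BEGIN
{
    printf("%-24s %6s %6s %-16s %6s %s\n",
        "TIME", "UID", "PID", "EXEC", "MODE", "PATH");
}

/*
 * arg0 is a pointer into the caller's address space, not a kernel string;
 * copyinstr() copies the NUL-terminated path into the kernel so the probe
 * can compare and print it.  The arguments are stashed in thread-local
 * variables because the :return probe only sees the return value.
 */
syscall::chmod:entry
{
    self->path = copyinstr(arg0);
    self->mode = arg1;
}

syscall::chmod:entry
/substr(self->path, 0, 7) == "/audit/"/
{
    self->audit = 1;
}

/*
 * fchmod(2) changes a mode through a descriptor; fds[] translates it to
 * the path it was opened with (assumption: fi_pathname is populated, i.e.
 * the descriptor came from an open(2) by path).
 */
syscall::fchmod:entry
{
    self->path = fds[arg0].fi_pathname;
    self->mode = arg1;
}

syscall::fchmod:entry
/substr(self->path, 0, 7) == "/audit/"/
{
    self->audit = 1;
}

/* Report once the call has completed, so a refused chmod is marked. */
syscall::chmod:return,
syscall::fchmod:return
/self->audit/
{
    printf("%Y %6d %6d %-16s %06o %s%s\n", walltimestamp, uid, pid,
        execname, self->mode, self->path, errno == 0 ? "" : " (failed)");
}

/* Always clear thread-local state, audited or not, so it cannot leak. */
syscall::chmod:return,
syscall::fchmod:return
{
    self->audit = 0;
    self->path = 0;
    self->mode = 0;
}
```

Two caveats a practitioner should keep in mind. The path is copied in at :entry, before the kernel reads it, so a multithreaded caller could rewrite the buffer in between and the log would show a different name from the one the kernel actually used; that is the same race FrankH. describes for the copyout() trick. And this script is purely observational (no -w, no destructive actions): it records the call but does nothing to stop it, so enforcement still has to come from the files' permissions rather than from the probe.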