bpftrace execsnoop does not catch the "echo" command



I'm trying to figure out what execsnoop can and cannot catch.

ENV

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:    22.04
Codename:   jammy
5.15.0-48-generic
bpftrace v0.16.0

Terminal 1

execsnoop.bt

Terminal 2

ls
/usr/bin/echo
/usr/bin/echo a
strace echo a
echo a          # Not showed in Terminal 1
echo            # Not showed in Terminal 1
  • The docs say it catches the events that call exec() (https://github.com/iovisor/bpftrace/blob/master/tools/execsnoop_example.txt). But the command strace echo a does actually call it: https://github.com/iovisor/bpftrace/pull/1490/files
>strace echo a
execve("/usr/bin/echo", ["echo", "a"], 0x7fff01460c38 /* 30 vars */) = 0
brk(NULL)                               = 0x55d40d778000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff0f437c90) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f93860f4000

My guess is that strace echo a forces the use of /usr/bin/echo, which is the binary the shell exec()s, whereas just running a plain echo in the terminal uses the shell builtin and therefore never triggers exec().

That is also why /usr/bin/echo a works as expected.

bash's info echo mentions the builtin:

Due to shell aliases and built-in ‘echo’ functions, using an
unadorned ‘echo’ interactively or in a script may get you different
functionality than that described here.  Invoke it via ‘env’ (i.e., ‘env
echo ...’) to avoid interference from the shell.

You may also get different output from echo --help and /usr/bin/echo --help.
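A quick way to check, before trusting execsnoop coverage, which command names will actually reach execve() and which are resolved inside the shell. This is an added example, not code from the question, the answer, or the bpftrace project; the classification rule (a `command -v` result that starts with "/" means an external program on PATH, anything else means a builtin, function or alias) is this example's own assumption and only looks at the first word as typed, so an alias or function that itself runs an external program is reported as "no execve".

```shell
#!/bin/sh
# Added example (not from the original post): classify a command name the
# way the current shell resolves it, so you know whether typing it
# unadorned causes an execve() that execsnoop can observe.
#
# Assumed rule (this example's own, based on POSIX `command -v` output):
#   result starting with "/" -> external program from PATH -> execve()
#   anything else            -> builtin, function or alias -> no execve()

resolve() {
    # Print how the current shell resolves "$1": a path, a bare name
    # (builtin/function) or alias text. Empty if not found.
    command -v -- "$1" 2>/dev/null
}

triggers_execve() {
    # Return 0 when running "$1" as typed would execve() a file on PATH.
    case "$(resolve "$1")" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

report() {
    # One line per command, e.g. "echo: builtin/function/alias (no execve)"
    name=$1
    if triggers_execve "$name"; then
        printf '%s: external %s (execve)\n' "$name" "$(resolve "$name")"
    else
        printf '%s: builtin/function/alias (no execve)\n' "$name"
    fi
}

# Ways to force the external binary so the exec is visible to execsnoop:
#   env echo a        # env is external and execve()s the echo on PATH
#   /usr/bin/echo a   # an absolute path bypasses builtin lookup
#
# To confirm from the kernel side (needs root, not run here), trace the
# same tracepoint execsnoop uses and compare `echo a` with `env echo a`:
#   bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s\n", str(args->filename)); }'

# Constructed sample: a few names a shell user would type in Terminal 2.
for c in echo printf read ls env; do
    report "$c"
done
```

The security-relevant consequence: an execve()-based tracer only sees process creation. Work done entirely with shell builtins (echo, printf, read, redirections) never produces an execve() event, so an exec-only feed should be paired with other telemetry rather than read as a complete record of shell activity.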
