
I'm trying to print out the environment from an execve call. I'm capturing this via:

```
syscall::exec*:entry {
  printf("%i %i %s %s\n", ppid, pid, execname, copyinstr(arg0));
}
```

But I can't seem to convince dtrace that `arg2[0]` is something that could be printed. How do I get the `envp` contents in this case?

viraptor
  • It's a bit hard to print a value such as `arg2[0]` that never appears in your code. How are you trying to print `arg2[0]`? – Andrew Henle Dec 18 '18 at 10:05
  • It's just an example of what I would expect to be possible. I want to print the environment from the `execve` call. You can ignore the `arg2[0]` bit if you find it confusing. – viraptor Dec 18 '18 at 10:15
  • Before or after the actual `exec()` call replaces the process? – Andrew Henle Dec 18 '18 at 10:17

1 Answer


This should be possible using the `curpsinfo` built-in variable and its `pr_envp` field. But it wouldn't be easy, since it's an array and dtrace doesn't support loops. You can probably hack it by taking the famous `newproc.d` script and replacing `curpsinfo->pr_argv` with `curpsinfo->pr_envp` there, but you would have to do something about the count as well, i.e. `this->argc` - maybe set it to some high value? Anyway, check the replies and discussion for this question on serverfault. I think the same applies to environment variables.

pmod
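The unrolling idea from the answer, applied to the question's `syscall` probe, as an added example that is not part of the original answer or of `newproc.d`. It assumes a 64-bit caller (8-byte pointers), that the probe is named `execve` on the traced system, and that `arg2` is the `envp` argument; the clause-local names `this->envp` and `this->ep` are chosen here.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example: print the first three envp entries of each execve().
 * Assumptions: 64-bit caller (8-byte pointers); arg2 is the user address
 * of the NULL-terminated envp array; the probe is named "execve".
 */
#pragma D option quiet

syscall::execve:entry
{
    /* Clause-local variables survive into later clauses of the same firing. */
    this->envp = arg2;
    printf("%d %d %s %s\n", ppid, pid, execname, copyinstr(arg0));
}

/* Entry 0. D has no loops, so the same clause is repeated once per entry. */
syscall::execve:entry
/this->envp != 0/
{
    /* Read one pointer out of the user-space array, then the string it points to. */
    this->ep = *(uint64_t *)copyin(this->envp, sizeof (uint64_t));
    printf("  env: %s\n", this->ep != 0 ? copyinstr(this->ep) : "<end>");
    /* Advance to the next slot, or clear envp at the NULL terminator. */
    this->envp = this->ep != 0 ? this->envp + sizeof (uint64_t) : 0;
}

/* Entry 1 (identical body). */
syscall::execve:entry
/this->envp != 0/
{
    this->ep = *(uint64_t *)copyin(this->envp, sizeof (uint64_t));
    printf("  env: %s\n", this->ep != 0 ? copyinstr(this->ep) : "<end>");
    this->envp = this->ep != 0 ? this->envp + sizeof (uint64_t) : 0;
}

/* Entry 2 (identical body). Add further copies to print more entries. */
syscall::execve:entry
/this->envp != 0/
{
    this->ep = *(uint64_t *)copyin(this->envp, sizeof (uint64_t));
    printf("  env: %s\n", this->ep != 0 ? copyinstr(this->ep) : "<end>");
    this->envp = this->ep != 0 ? this->envp + sizeof (uint64_t) : 0;
}
```

Clauses for the same probe run in program order, so once the NULL terminator clears `this->envp` the remaining copies are skipped by their predicate.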