[RFC,v2,7/7] plugins: add syscall logging plugin sample

Message ID	152819519376.30857.17032517857304957536.stgit@pasha-ThinkPad-T60 (mailing list archive)
State	New, archived
Headers	show Return-Path: <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org> From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> To: qemu-devel@nongnu.org Date: Tue, 05 Jun 2018 13:39:53 +0300 Message-ID: <152819519376.30857.17032517857304957536.stgit@pasha-ThinkPad-T60> In-Reply-To: <152819515565.30857.16834004920507717324.stgit@pasha-ThinkPad-T60> References: <152819515565.30857.16834004920507717324.stgit@pasha-ThinkPad-T60> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Subject: [Qemu-devel] [RFC PATCH v2 7/7] plugins: add syscall logging plugin sample Precedence: list Cc: peter.maydell@linaro.org, maria.klimushenkova@ispras.ru, dovgaluk@ispras.ru, pavel.dovgaluk@ispras.ru, pbonzini@redhat.com, vilanova@ac.upc.edu Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Message ID

152819519376.30857.17032517857304957536.stgit@pasha-ThinkPad-T60 (mailing list archive)

State

New, archived

Headers

From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
To: qemu-devel@nongnu.org
Date: Tue, 05 Jun 2018 13:39:53 +0300
Message-ID: <152819519376.30857.17032517857304957536.stgit@pasha-ThinkPad-T60>
In-Reply-To: <152819515565.30857.16834004920507717324.stgit@pasha-ThinkPad-T60>
References: <152819515565.30857.16834004920507717324.stgit@pasha-ThinkPad-T60>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] [RFC PATCH v2 7/7] plugins: add syscall logging plugin
	sample
Precedence: list
Cc: peter.maydell@linaro.org, maria.klimushenkova@ispras.ru,
	dovgaluk@ispras.ru, 
	pavel.dovgaluk@ispras.ru, pbonzini@redhat.com, vilanova@ac.upc.edu
Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>

Commit Message

Pavel Dovgalyuk June 5, 2018, 10:39 a.m. UTC

This is an example of plugin which instruments only specific instructions:
sysenter and sysexit. When executing them, it prints system call id
and return code to the QEMU log.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
---
 plugins/syscall-log/Makefile      |   19 ++++++++++++++++
 plugins/syscall-log/syscall-log.c |   44 +++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 plugins/syscall-log/Makefile
 create mode 100644 plugins/syscall-log/syscall-log.c

Comments

Alex Bennée Sept. 7, 2018, 2:06 p.m. UTC | #1

Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> writes:

> This is an example of plugin which instruments only specific instructions:
> sysenter and sysexit. When executing them, it prints system call id
> and return code to the QEMU log.

Again I'm not sure this is a very useful example either. It doesn't
achieve anything we can't already do with the existing logging/strace
stuff and it is quite ugly in it's knowledge of a single architecture to
try and figure out what's going on.

>
> Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
> ---
>  plugins/syscall-log/Makefile      |   19 ++++++++++++++++
>  plugins/syscall-log/syscall-log.c |   44 +++++++++++++++++++++++++++++++++++++
>  2 files changed, 63 insertions(+)
>  create mode 100644 plugins/syscall-log/Makefile
>  create mode 100644 plugins/syscall-log/syscall-log.c
>
> diff --git a/plugins/syscall-log/Makefile b/plugins/syscall-log/Makefile
> new file mode 100644
> index 0000000..1bbdf04
> --- /dev/null
> +++ b/plugins/syscall-log/Makefile
> @@ -0,0 +1,19 @@
> +CFLAGS += -I../include -fno-PIE -fPIC -O3
> +LDFLAGS += -shared
> +# TODO: Windows
> +DSOSUF := .so
> +
> +NAME:= syscall-log
> +BIN := $(NAME)$(DSOSUF)
> +
> +FILES := syscall-log.o
> +
> +%.o: %.c
> +	$(CC) -c -o $@ $< $(CFLAGS)
> +
> +all: $(FILES)
> +	$(CC) $(LDFLAGS) -o $(BIN) $(FILES)
> +
> +clean:
> +	rm $(FILES)
> +	rm $(BIN)
> diff --git a/plugins/syscall-log/syscall-log.c b/plugins/syscall-log/syscall-log.c
> new file mode 100644
> index 0000000..1f5d55f
> --- /dev/null
> +++ b/plugins/syscall-log/syscall-log.c
> @@ -0,0 +1,44 @@
> +#include <stdint.h>
> +#include <stdio.h>
> +#include "plugins.h"
> +
> +bool plugin_init(const char *args)
> +{
> +    return true;
> +}
> +
> +bool plugin_needs_before_insn(uint64_t pc, void *cpu)
> +{
> +    uint8_t code = 0;
> +    if (!qemulib_read_memory(cpu, pc, &code, 1)
> +        && code == 0x0f) {
> +        if (qemulib_read_memory(cpu, pc + 1, &code, 1)) {
> +            return false;
> +        }
> +        if (code == 0x34) {
> +            /* sysenter */
> +            return true;
> +        }
> +        if (code == 0x35) {
> +            /* sysexit */
> +            return true;
> +        }
> +    }
> +    return false;
> +}
> +
> +void plugin_before_insn(uint64_t pc, void *cpu)
> +{
> +    uint8_t code = 0;
> +    uint32_t reg;
> +    qemulib_read_memory(cpu, pc + 1, &code, 1);
> +    /* Read EAX. There should be a header with register ids
> +       or a function for reading the register by the name */
> +    qemulib_read_register(cpu, (uint8_t*)&reg, 0);
> +    /* log system calls */
> +    if (code == 0x34) {
> +        qemulib_log("sysenter %x\n", reg);
> +    } else if (code == 0x35) {
> +        qemulib_log("sysexit %x\n", reg);
> +    }
> +}


--
Alex Bennée

Pavel Dovgalyuk Sept. 10, 2018, 9:18 a.m. UTC | #2

> From: Alex Bennée [mailto:alex.bennee@linaro.org]
> Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> writes:
> 
> > This is an example of plugin which instruments only specific instructions:
> > sysenter and sysexit. When executing them, it prints system call id
> > and return code to the QEMU log.
> 
> Again I'm not sure this is a very useful example either. It doesn't
> achieve anything we can't already do with the existing logging/strace
> stuff and it is quite ugly in it's knowledge of a single architecture to
> try and figure out what's going on.

Not exactly. strace is intrusive, when running within the VM.
And this plugin does not affect the emulated system at all (except the slowdown).

Pavel Dovgalyuk
> 
> >
> > Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
> > ---
> >  plugins/syscall-log/Makefile      |   19 ++++++++++++++++
> >  plugins/syscall-log/syscall-log.c |   44 +++++++++++++++++++++++++++++++++++++
> >  2 files changed, 63 insertions(+)
> >  create mode 100644 plugins/syscall-log/Makefile
> >  create mode 100644 plugins/syscall-log/syscall-log.c
> >
> > diff --git a/plugins/syscall-log/Makefile b/plugins/syscall-log/Makefile
> > new file mode 100644
> > index 0000000..1bbdf04
> > --- /dev/null
> > +++ b/plugins/syscall-log/Makefile
> > @@ -0,0 +1,19 @@
> > +CFLAGS += -I../include -fno-PIE -fPIC -O3
> > +LDFLAGS += -shared
> > +# TODO: Windows
> > +DSOSUF := .so
> > +
> > +NAME:= syscall-log
> > +BIN := $(NAME)$(DSOSUF)
> > +
> > +FILES := syscall-log.o
> > +
> > +%.o: %.c
> > +	$(CC) -c -o $@ $< $(CFLAGS)
> > +
> > +all: $(FILES)
> > +	$(CC) $(LDFLAGS) -o $(BIN) $(FILES)
> > +
> > +clean:
> > +	rm $(FILES)
> > +	rm $(BIN)
> > diff --git a/plugins/syscall-log/syscall-log.c b/plugins/syscall-log/syscall-log.c
> > new file mode 100644
> > index 0000000..1f5d55f
> > --- /dev/null
> > +++ b/plugins/syscall-log/syscall-log.c
> > @@ -0,0 +1,44 @@
> > +#include <stdint.h>
> > +#include <stdio.h>
> > +#include "plugins.h"
> > +
> > +bool plugin_init(const char *args)
> > +{
> > +    return true;
> > +}
> > +
> > +bool plugin_needs_before_insn(uint64_t pc, void *cpu)
> > +{
> > +    uint8_t code = 0;
> > +    if (!qemulib_read_memory(cpu, pc, &code, 1)
> > +        && code == 0x0f) {
> > +        if (qemulib_read_memory(cpu, pc + 1, &code, 1)) {
> > +            return false;
> > +        }
> > +        if (code == 0x34) {
> > +            /* sysenter */
> > +            return true;
> > +        }
> > +        if (code == 0x35) {
> > +            /* sysexit */
> > +            return true;
> > +        }
> > +    }
> > +    return false;
> > +}
> > +
> > +void plugin_before_insn(uint64_t pc, void *cpu)
> > +{
> > +    uint8_t code = 0;
> > +    uint32_t reg;
> > +    qemulib_read_memory(cpu, pc + 1, &code, 1);
> > +    /* Read EAX. There should be a header with register ids
> > +       or a function for reading the register by the name */
> > +    qemulib_read_register(cpu, (uint8_t*)&reg, 0);
> > +    /* log system calls */
> > +    if (code == 0x34) {
> > +        qemulib_log("sysenter %x\n", reg);
> > +    } else if (code == 0x35) {
> > +        qemulib_log("sysexit %x\n", reg);
> > +    }
> > +}
> 
> 
> --
> Alex Bennée

Alex Bennée Sept. 10, 2018, 1:58 p.m. UTC | #3

Pavel Dovgalyuk <dovgaluk@ispras.ru> writes:

>> From: Alex Bennée [mailto:alex.bennee@linaro.org]
>> Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> writes:
>>
>> > This is an example of plugin which instruments only specific instructions:
>> > sysenter and sysexit. When executing them, it prints system call id
>> > and return code to the QEMU log.
>>
>> Again I'm not sure this is a very useful example either. It doesn't
>> achieve anything we can't already do with the existing logging/strace
>> stuff and it is quite ugly in it's knowledge of a single architecture to
>> try and figure out what's going on.
>
> Not exactly. strace is intrusive, when running within the VM.
> And this plugin does not affect the emulated system at all (except the
> slowdown).

Ahh in system emulation of course. However its still seems pretty ugly
given we start poking around in memory to figure out if we want to trap
in or around this particular x86 instruction.

It would be nice to have a generalised interface to say "I want to hook
before/after a certain pattern is decoded" but I guess this is tricky
given the translator is free to end any block after an instruction and
it doesn't know what is coming up before you enter translation. I guess
that would involve splitting .translate_insn into a decode and translate
step and that would be quite messy for the non-regular instruction
decoders like x86.

Maybe the API is always destined to be a messy one?

>
> Pavel Dovgalyuk
>>
>> >
>> > Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
>> > ---
>> >  plugins/syscall-log/Makefile      |   19 ++++++++++++++++
>> >  plugins/syscall-log/syscall-log.c |   44 +++++++++++++++++++++++++++++++++++++
>> >  2 files changed, 63 insertions(+)
>> >  create mode 100644 plugins/syscall-log/Makefile
>> >  create mode 100644 plugins/syscall-log/syscall-log.c
>> >
>> > diff --git a/plugins/syscall-log/Makefile b/plugins/syscall-log/Makefile
>> > new file mode 100644
>> > index 0000000..1bbdf04
>> > --- /dev/null
>> > +++ b/plugins/syscall-log/Makefile
>> > @@ -0,0 +1,19 @@
>> > +CFLAGS += -I../include -fno-PIE -fPIC -O3
>> > +LDFLAGS += -shared
>> > +# TODO: Windows
>> > +DSOSUF := .so
>> > +
>> > +NAME:= syscall-log
>> > +BIN := $(NAME)$(DSOSUF)
>> > +
>> > +FILES := syscall-log.o
>> > +
>> > +%.o: %.c
>> > +	$(CC) -c -o $@ $< $(CFLAGS)
>> > +
>> > +all: $(FILES)
>> > +	$(CC) $(LDFLAGS) -o $(BIN) $(FILES)
>> > +
>> > +clean:
>> > +	rm $(FILES)
>> > +	rm $(BIN)
>> > diff --git a/plugins/syscall-log/syscall-log.c b/plugins/syscall-log/syscall-log.c
>> > new file mode 100644
>> > index 0000000..1f5d55f
>> > --- /dev/null
>> > +++ b/plugins/syscall-log/syscall-log.c
>> > @@ -0,0 +1,44 @@
>> > +#include <stdint.h>
>> > +#include <stdio.h>
>> > +#include "plugins.h"
>> > +
>> > +bool plugin_init(const char *args)
>> > +{
>> > +    return true;
>> > +}
>> > +
>> > +bool plugin_needs_before_insn(uint64_t pc, void *cpu)
>> > +{
>> > +    uint8_t code = 0;
>> > +    if (!qemulib_read_memory(cpu, pc, &code, 1)
>> > +        && code == 0x0f) {
>> > +        if (qemulib_read_memory(cpu, pc + 1, &code, 1)) {
>> > +            return false;
>> > +        }
>> > +        if (code == 0x34) {
>> > +            /* sysenter */
>> > +            return true;
>> > +        }
>> > +        if (code == 0x35) {
>> > +            /* sysexit */
>> > +            return true;
>> > +        }
>> > +    }
>> > +    return false;
>> > +}
>> > +
>> > +void plugin_before_insn(uint64_t pc, void *cpu)
>> > +{
>> > +    uint8_t code = 0;
>> > +    uint32_t reg;
>> > +    qemulib_read_memory(cpu, pc + 1, &code, 1);
>> > +    /* Read EAX. There should be a header with register ids
>> > +       or a function for reading the register by the name */
>> > +    qemulib_read_register(cpu, (uint8_t*)&reg, 0);
>> > +    /* log system calls */
>> > +    if (code == 0x34) {
>> > +        qemulib_log("sysenter %x\n", reg);
>> > +    } else if (code == 0x35) {
>> > +        qemulib_log("sysexit %x\n", reg);
>> > +    }
>> > +}
>>
>>
>> --
>> Alex Bennée


--
Alex Bennée

diff --git a/plugins/syscall-log/Makefile b/plugins/syscall-log/Makefile
new file mode 100644
index 0000000..1bbdf04
--- /dev/null
+++ b/plugins/syscall-log/Makefile
@@ -0,0 +1,19 @@ 
+CFLAGS += -I../include -fno-PIE -fPIC -O3
+LDFLAGS += -shared
+# TODO: Windows
+DSOSUF := .so
+
+NAME:= syscall-log
+BIN := $(NAME)$(DSOSUF)
+
+FILES := syscall-log.o
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+all: $(FILES)
+	$(CC) $(LDFLAGS) -o $(BIN) $(FILES)
+
+clean:
+	rm $(FILES)
+	rm $(BIN)
diff --git a/plugins/syscall-log/syscall-log.c b/plugins/syscall-log/syscall-log.c
new file mode 100644
index 0000000..1f5d55f
--- /dev/null
+++ b/plugins/syscall-log/syscall-log.c
@@ -0,0 +1,44 @@ 
+#include <stdint.h>
+#include <stdio.h>
+#include "plugins.h"
+
+bool plugin_init(const char *args)
+{
+    return true;
+}
+
+bool plugin_needs_before_insn(uint64_t pc, void *cpu)
+{
+    uint8_t code = 0;
+    if (!qemulib_read_memory(cpu, pc, &code, 1)
+        && code == 0x0f) {
+        if (qemulib_read_memory(cpu, pc + 1, &code, 1)) {
+            return false;
+        }
+        if (code == 0x34) {
+            /* sysenter */
+            return true;
+        }
+        if (code == 0x35) {
+            /* sysexit */
+            return true;
+        }
+    }
+    return false;
+}
+
+void plugin_before_insn(uint64_t pc, void *cpu)
+{
+    uint8_t code = 0;
+    uint32_t reg;
+    qemulib_read_memory(cpu, pc + 1, &code, 1);
+    /* Read EAX. There should be a header with register ids
+       or a function for reading the register by the name */
+    qemulib_read_register(cpu, (uint8_t*)&reg, 0);
+    /* log system calls */
+    if (code == 0x34) {
+        qemulib_log("sysenter %x\n", reg);
+    } else if (code == 0x35) {
+        qemulib_log("sysexit %x\n", reg);
+    }
+}

[RFC,v2,7/7] plugins: add syscall logging plugin sample

Commit Message

Comments

Patch