Anti-destruction destructive dtrace script and y2k9

A while ago I kludged up this ugly, ugly hack: a destructive dtrace script which snapshots the filesystem whenever a destructive command is run (e.g. /usr/bin/rm). It isn't useful except maybe for demos, but the idea could be used for something else. For example, you could snapshot every keystroke on Monday mornings or after a particularly happy New Year's Eve, especially when transitioning to or from years containing a leap day or leap second...[1]

#!/usr/sbin/dtrace -s
#pragma D option quiet
#pragma D option destructive

BEGIN
{
  self->interested = 0;
}

/* Fire once per thread when an rm binary has successfully exec'd and its
   argument string contains a directory component (dirname() of the psargs
   is not "."). */
proc:::exec-success
/(execname == "rm") && (self->interested == 0) && (dirname(curpsinfo->pr_psargs) != ".")/
{
  self->interested = 1;
  /* pr_psargs + 3 skips the leading "rm " so dirname() sees only the
     argument; this assumes a single path argument and no options. */
  printf("Someone is trying to delete %s\n", dirname(curpsinfo->pr_psargs + 3));
  printf("%s %d\n", dirname(curpsinfo->pr_psargs + 3), timestamp);
  printf("Snapshotting %s %d\n", dirname(curpsinfo->pr_psargs + 3), timestamp);
  /* Snapshot the dataset whose name mirrors the parent directory's path,
     e.g. rpool/export/home@<timestamp>. system() runs asynchronously in
     the dtrace consumer, so rm is stopped first and resumed afterwards
     to give the snapshot a chance to complete before the delete. */
  system("/usr/sbin/zfs snapshot rpool%s@%d", dirname(curpsinfo->pr_psargs + 3), timestamp);
  stop();
  system("prun %d", pid);
}
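The script above keys on the program name and parses the argument string, so it sees only a bare "rm <path>" and misses deletes done through unlink(1), a scripting language, a shell wrapper or a file server thread. As an added example (not the post's own script), here is a non-destructive companion that records every unlink(2) and rmdir(2) the kernel actually receives, with the caller's identity and working directory, and tallies them per user and program. It assumes the syscall provider exposes unlink and rmdir :entry/:return probes (as on Solaris 10 and the 2009 OpenSolaris builds; later illumos routes unlink through unlinkat, whose path is arg1), and the file name deletes.d is made up for the usage note.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not the script from the post above: a non-destructive
 * deletion monitor. It logs every unlink(2)/rmdir(2) at the system call
 * boundary, so it sees deletes regardless of which program issued them.
 *
 * Assumption: syscall::unlink and syscall::rmdir probes exist on this
 * release (Solaris 10 / 2009 OpenSolaris). On releases that only have
 * unlinkat(2), probe that instead and take the path from arg1.
 */
#pragma D option quiet

/* Remember the user-space address of the path. Reading it at :entry can
   fail if the page is not resident, so copyinstr() is done at :return,
   by which time the kernel has already touched the string. */
syscall::unlink:entry,
syscall::rmdir:entry
{
	self->pathp = arg0;
}

/* Log only calls whose :entry we saw. cwd lets a relative path be
   resolved later; errno shows whether the delete actually succeeded;
   pr_psargs shows the wrapper (e.g. a shell -c) that ran the deleter. */
syscall::unlink:return,
syscall::rmdir:return
/self->pathp/
{
	printf("%Y uid=%d pid=%d ppid=%d %s cwd=%s %s(\"%s\") errno=%d psargs=\"%s\"\n",
	    walltimestamp, uid, pid, ppid, execname, cwd, probefunc,
	    copyinstr(self->pathp), errno, curpsinfo->pr_psargs);
	@deletes[uid, execname] = count();
	self->pathp = 0;
}

/* Per-user, per-program summary printed when the script is stopped. */
END
{
	printf("\ndeletes by uid and program:\n");
	printa("  %-6d %-20s %@d\n", @deletes);
}
```

Run it as root with ./deletes.d and stop it with Ctrl-C to get the summary. Because it never uses destructive actions it can be left running on a file server; a snapshot policy (TimeSlider, or a cron job acting on the log) can then be driven from what it records rather than from stopping processes. Note that pr_psargs is truncated to 80 characters, which is why the path is taken from the system call argument rather than parsed out of the argument string.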

[1] Sun's JDS 2 Linux distribution was based on a Linux 2.4 kernel, and the following version (JDS3 beta) was to be based on a 2.6.19 kernel before Sun decided to drop the Linux kernel and focus on products based around the Solaris kernel. AFAIK the leap second bug appeared in the 2.6.22 Linux kernel. The 5000-year-old time keeper at Newgrange also failed to work properly because of a bug caused by the presence of clouds between itself and the sun.

P.S. Don't ask me why we seem to get recurring bugs every decade, millennium, leap year and leap second in what should have been a few score lines of date-related code, some of which could have been implemented a couple of thousand years ago. Maybe Ptolemy's code was refined over a few hundred years without fear of patent reprisals, or maybe he just spent more money on development and QA.

Comments:

Great idea! Reminded me of publishing my DTrace script for stopping processes, including those ones that live for a short time only.

Posted by Bernd Finger on January 23, 2009 at 05:55 AM GMT+00:00 #

Thanks but I don't think this quite fits into the great idea category, especially now that TimeSlider is in OpenSolaris!
http://java.dzone.com/news/killer-feature-opensolaris-200

On the other hand, it might be useful to detect activity coming from applications running on Linux/Windows/OSX accessing resources on a ZFS filesystem via SMB or NFS or even HTTP, and snapshotting the NFS filesystem based on this external activity.

Posted by bnitz on January 23, 2009 at 06:26 AM GMT+00:00 #

I mean snapshotting the ZFS filesystem based on activity coming from other operating systems.

Posted by bnitz on January 23, 2009 at 06:28 AM GMT+00:00 #

Very interesting. Thanks for posting it.
I can see a lot of potential for security monitoring tools happening with Dtrace.

Posted by Mike La Spina on January 23, 2009 at 01:22 PM GMT+00:00 #
