On Fri, 20 Oct 2023, Thomas Klausner wrote:
I'm trying to find out what a program does, and found it does a lot of unlink syscalls, so I wanted to see what it unlinks. [...] What's the proper way to do this?
Here you go (written ages ago for 9.0, should still work on -HEAD):

```
#!/usr/sbin/dtrace -s

#pragma D option destructive
#pragma D option quiet

syscall::unlink:entry
{
	/*
	 * NetBSD doesn't supply the ``cwd'' dtrace variable, so
	 * can't use an external program which does realpath(3)
	 * in order to check for files only in specific directories.
	 * Therefore, we just print everything and use fgrep(1)
	 * to pick filenames (relative and absolute) we want.
	 */
	printf("%d %d %s %s\n", uid, pid, execname, copyinstr(arg0));
	/*
	printf("%d %d %s ", uid, pid, execname);
	system("pr_realpath -p %d %s", pid, copyinstr(arg0));
	printf("\n");
	*/
}

syscall::unlinkat:entry
{
	printf("%d %d %s 0x%x %s\n", uid, pid, execname, arg0, copyinstr(arg1));
}
```

-RVP