Diffstat (limited to 'tapset')
-rw-r--r--tapset/context.stp4
-rw-r--r--tapset/i686/nd_syscalls.stp205
-rw-r--r--tapset/i686/syscalls.stp59
-rw-r--r--tapset/ia64/nd_syscalls.stp102
-rw-r--r--tapset/ia64/syscalls.stp14
-rw-r--r--tapset/nd_syscalls.stp3249
-rw-r--r--tapset/nd_syscalls2.stp4487
-rw-r--r--tapset/ppc64/nd_syscalls.stp738
-rw-r--r--tapset/ppc64/registers.stp6
-rw-r--r--tapset/ppc64/syscalls.stp218
-rw-r--r--tapset/s390x/nd_syscalls.stp187
-rw-r--r--tapset/s390x/registers.stp6
-rw-r--r--tapset/s390x/syscalls.stp28
-rw-r--r--tapset/syscalls.stp1594
-rw-r--r--tapset/syscalls2.stp1597
-rw-r--r--tapset/timestamp_gtod.stp17
-rw-r--r--tapset/ucontext-unwind.stp1
-rw-r--r--tapset/x86_64/nd_syscalls.stp187
-rw-r--r--tapset/x86_64/registers.stp6
-rw-r--r--tapset/x86_64/syscalls.stp54
20 files changed, 10105 insertions, 2654 deletions
diff --git a/tapset/context.stp b/tapset/context.stp
index 5d855f80..468421ae 100644
--- a/tapset/context.stp
+++ b/tapset/context.stp
@@ -70,9 +70,13 @@ function ppid:long () %{ /* pure */
* leader. Session ID is stored in the signal_struct since Kernel 2.6.0.
*/
function sid:long () %{ /* pure */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 24)
struct signal_struct *ss = kread( &(current->signal) );
THIS->__retvalue = kread ( &(ss->session) );
CATCH_DEREF_FAULT();
+#else
+ THIS->__retvalue = task_session_nr_ns(current, &init_pid_ns);
+#endif
%}
/**
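Review bot: The doc comment above sid() still says the session ID is stored in signal_struct, but on 2.6.24 and later the new `#else` branch no longer reads that field and calls `task_session_nr_ns(current, &init_pid_ns)` instead. Because the namespace argument is fixed to `init_pid_ns`, the value returned is the session ID as numbered in the initial PID namespace, which can differ from the ID a process inside another PID namespace sees for itself. I would say so next to the call, e.g. `/* 2.6.24+: session ID as numbered in the initial PID namespace */`, so that scripts correlating sid() with IDs reported from inside a container do not silently mismatch.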
diff --git a/tapset/i686/nd_syscalls.stp b/tapset/i686/nd_syscalls.stp
new file mode 100644
index 00000000..f19e54a9
--- /dev/null
+++ b/tapset/i686/nd_syscalls.stp
@@ -0,0 +1,205 @@
+# 32-bit x86-specific system calls
+# These are typically defined in arch/i386
+#
+
+# get_thread_area ____________________________________________
+/*
+ * asmlinkage int
+ * sys_get_thread_area(struct user_desc __user *u_info)
+ */
+probe nd_syscall.get_thread_area = kprobe.function("sys_get_thread_area")
+{
+ name = "get_thread_area"
+ // u_info_uaddr = $u_info
+ asmlinkage()
+ u_info_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", u_info_uaddr)
+}
+probe nd_syscall.get_thread_area.return = kprobe.function("sys_get_thread_area").return
+{
+ name = "get_thread_area"
+ retstr = returnstr(1)
+}
+
+# iopl _______________________________________________________
+# long sys_iopl(unsigned long unused)
+# NOTE. This function is only in i386 and x86_64 and its args vary
+# between those two archs.
+#
+probe nd_syscall.iopl = kprobe.function("sys_iopl")
+{
+ name = "iopl"
+ argstr = ""
+}
+probe nd_syscall.iopl.return = kprobe.function("sys_iopl").return
+{
+ name = "iopl"
+ retstr = returnstr(1)
+}
+
+# ipc ________________________________________________________
+# int sys_ipc (uint call, int first, int second, int third, void __user *ptr, long fifth)
+#
+probe nd_syscall.ipc = kprobe.function("sys_ipc") ?
+{
+ name = "ipc"
+ // call = $call
+ // first = $first
+ // second = $second
+ // third = $third
+ // ptr_uaddr = $ptr
+ // fifth = $fifth
+ // argstr = sprintf("%d, %d, %d, %d, %p, %d", $call, $first,
+ // $second, $third, $ptr, $fifth)
+ asmlinkage()
+ call = uint_arg(1)
+ first = int_arg(2)
+ second = int_arg(3)
+ third = int_arg(4)
+ ptr_uaddr = pointer_arg(5)
+ fifth = long_arg(6)
+ argstr = sprintf("%d, %d, %d, %d, %p, %d", call, first,
+ second, third, ptr_uaddr, fifth)
+}
+probe nd_syscall.ipc.return = kprobe.function("sys_ipc").return ?
+{
+ name = "ipc"
+ retstr = returnstr(1)
+}
+
+# mmap2 ____________________________________________
+# sys_mmap2(unsigned long addr, unsigned long len,
+# unsigned long prot, unsigned long flags,
+# unsigned long fd, unsigned long pgoff)
+#
+probe nd_syscall.mmap2 = kprobe.function("sys_mmap2") ?
+{
+ name = "mmap2"
+ // start = $addr
+ // length = $len
+ // prot = $prot
+ // flags = $flags
+ // fd = $fd
+ // pgoffset = $pgoff
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
+ // $len, _mprotect_prot_str($prot), _mmap_flags($flags),
+ // $fd, $pgoff)
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ prot = ulong_arg(3)
+ flags = ulong_arg(4)
+ fd = ulong_arg(5)
+ pgoffset = ulong_arg(6)
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", start,
+ length, _mprotect_prot_str(prot), _mmap_flags(flags),
+ fd, pgoffset)
+}
+probe nd_syscall.mmap2.return = kprobe.function("sys_mmap2").return ?
+{
+ name = "mmap2"
+ retstr = returnstr(2)
+}
+
+# set_thread_area ____________________________________________
+/*
+ * asmlinkage int
+ * sys_set_thread_area(struct user_desc __user *u_info)
+ */
+probe nd_syscall.set_thread_area = kprobe.function("sys_set_thread_area")
+{
+ name = "set_thread_area"
+ // u_info_uaddr = $u_info
+ asmlinkage()
+ u_info_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", u_info_uaddr)
+}
+probe nd_syscall.set_thread_area.return = kprobe.function("sys_set_thread_area").return
+{
+ name = "set_thread_area"
+ retstr = returnstr(1)
+}
+
+# set_zone_reclaim ___________________________________________
+/*
+ * asmlinkage long
+ * sys_set_zone_reclaim(unsigned int node,
+ * unsigned int zone,
+ * unsigned int state)
+ */
+probe nd_syscall.set_zone_reclaim = kprobe.function("sys_set_zone_reclaim") ?
+{
+ name = "set_zone_reclaim"
+ // node = $node
+ // zone = $zone
+ // state = $state
+ // argstr = sprintf("%d, %d, %d", $node, $zone, $state)
+ asmlinkage()
+ node = uint_arg(1)
+ zone = uint_arg(2)
+ state = uint_arg(3)
+ argstr = sprintf("%d, %d, %d", node, zone, state)
+}
+probe nd_syscall.set_zone_reclaim.return = kprobe.function("sys_set_zone_reclaim").return ?
+{
+ name = "set_zone_reclaim"
+ retstr = returnstr(1)
+}
+
+# sigaltstack ________________________________________________
+# int sys_sigaltstack(unsigned long ebx)
+#
+# NOTE: args vary between archs.
+#
+probe nd_syscall.sigaltstack = kprobe.function("sys_sigaltstack")
+{
+ name = "sigaltstack"
+ // ussp = %( kernel_vr < "2.6.25" %? $ebx %: %( kernel_vr < "2.6.29" %? $bx %: $regs->bx %) %)
+ // NB: no asmlinkage()
+ ussp = %( kernel_vr < "2.6.29" %? ulong_arg(1) %: @cast(ulong_arg(1), "pt_regs")->bx %)
+ argstr = sprintf("%p", ussp)
+}
+probe nd_syscall.sigaltstack.return = kprobe.function("sys_sigaltstack").return
+{
+ name = "sigaltstack"
+ retstr = returnstr(1)
+}
+
+# vm86 _______________________________________________________
+#
+# int sys_vm86(struct pt_regs regs)
+#
+probe nd_syscall.vm86 = kprobe.function("sys_vm86") ?
+{
+ name = "vm86"
+ /*
+ * unsupported type identifier '$regs'
+ * regs = $regs
+ */
+ argstr = ""
+}
+probe nd_syscall.vm86.return = kprobe.function("sys_vm86").return ?
+{
+ name = "vm86"
+ retstr = returnstr(1)
+}
+
+# vm86old ____________________________________________________
+#
+# int sys_vm86old(struct pt_regs regs)
+#
+probe nd_syscall.vm86old = kprobe.function("sys_vm86old") ?
+{
+ name = "vm86old"
+ /*
+ * unsupported type identifier '$regs'
+ * regs = $regs
+ */
+ argstr = ""
+}
+probe nd_syscall.vm86old.return = kprobe.function("sys_vm86old").return ?
+{
+ name = "vm86old"
+ retstr = returnstr(1)
+}
+
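Review bot: In nd_syscall.sigaltstack the 2.6.29+ branch uses `@cast(ulong_arg(1), "pt_regs")->bx` without naming where the type comes from, so resolving pt_regs may depend on kernel debuginfo, which is what the nd_ tapsets are meant to work without. If that is the case here, naming the header keeps the lookup debuginfo-free: `@cast(ulong_arg(1), "pt_regs", "kernel<asm/ptrace.h>")->bx`. The `// NB: no asmlinkage()` comment also gives no reason, and the pre-2.6.29 branch reads the same `ulong_arg(1)` as a plain value. A short comment stating which calling convention each branch assumes would let the next reader verify that ussp is read from the right place.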
diff --git a/tapset/i686/syscalls.stp b/tapset/i686/syscalls.stp
index 2a89c19d..dec0aa97 100644
--- a/tapset/i686/syscalls.stp
+++ b/tapset/i686/syscalls.stp
@@ -7,13 +7,14 @@
* asmlinkage int
* sys_get_thread_area(struct user_desc __user *u_info)
*/
-probe syscall.get_thread_area = kernel.function("sys_get_thread_area") {
+probe syscall.get_thread_area = kernel.function("sys_get_thread_area")
+{
name = "get_thread_area"
u_info_uaddr = $u_info
argstr = sprintf("%p", u_info_uaddr)
}
-probe syscall.get_thread_area.return =
- kernel.function("sys_get_thread_area").return {
+probe syscall.get_thread_area.return = kernel.function("sys_get_thread_area").return
+{
name = "get_thread_area"
retstr = returnstr(1)
}
@@ -22,11 +23,13 @@ probe syscall.get_thread_area.return =
# NOTE. This function is only in i386 and x86_64 and its args vary
# between those two archs.
#
-probe syscall.iopl = kernel.function("sys_iopl") {
+probe syscall.iopl = kernel.function("sys_iopl")
+{
name = "iopl"
argstr = ""
}
-probe syscall.iopl.return = kernel.function("sys_iopl").return {
+probe syscall.iopl.return = kernel.function("sys_iopl").return
+{
name = "iopl"
retstr = returnstr(1)
}
@@ -34,7 +37,8 @@ probe syscall.iopl.return = kernel.function("sys_iopl").return {
# ipc ________________________________________________________
# int sys_ipc (uint call, int first, int second, int third, void __user *ptr, long fifth)
#
-probe syscall.ipc = kernel.function("sys_ipc") ? {
+probe syscall.ipc = kernel.function("sys_ipc") ?
+{
name = "ipc"
call = $call
first = $first
@@ -45,7 +49,8 @@ probe syscall.ipc = kernel.function("sys_ipc") ? {
argstr = sprintf("%d, %d, %d, %d, %p, %d", $call, $first,
$second, $third, $ptr, $fifth)
}
-probe syscall.ipc.return = kernel.function("sys_ipc").return ? {
+probe syscall.ipc.return = kernel.function("sys_ipc").return ?
+{
name = "ipc"
retstr = returnstr(1)
}
@@ -65,7 +70,7 @@ probe syscall.mmap2 = kernel.function("sys_mmap2") ?
flags = $flags
fd = $fd
pgoffset = $pgoff
- argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
$len, _mprotect_prot_str($prot), _mmap_flags($flags),
$fd, $pgoff)
}
@@ -80,14 +85,14 @@ probe syscall.mmap2.return = kernel.function("sys_mmap2").return ?
* asmlinkage int
* sys_set_thread_area(struct user_desc __user *u_info)
*/
-probe syscall.set_thread_area =
- kernel.function("sys_set_thread_area") {
+probe syscall.set_thread_area = kernel.function("sys_set_thread_area")
+{
name = "set_thread_area"
u_info_uaddr = $u_info
argstr = sprintf("%p", u_info_uaddr)
}
-probe syscall.set_thread_area.return =
- kernel.function("sys_set_thread_area").return {
+probe syscall.set_thread_area.return = kernel.function("sys_set_thread_area").return
+{
name = "set_thread_area"
retstr = returnstr(1)
}
@@ -98,16 +103,16 @@ probe syscall.set_thread_area.return =
* unsigned int zone,
* unsigned int state)
*/
-probe syscall.set_zone_reclaim =
- kernel.function("sys_set_zone_reclaim") ? {
+probe syscall.set_zone_reclaim = kernel.function("sys_set_zone_reclaim") ?
+{
name = "set_zone_reclaim"
node = $node
zone = $zone
state = $state
argstr = sprintf("%d, %d, %d", $node, $zone, $state)
}
-probe syscall.set_zone_reclaim.return =
- kernel.function("sys_set_zone_reclaim").return ? {
+probe syscall.set_zone_reclaim.return = kernel.function("sys_set_zone_reclaim").return ?
+{
name = "set_zone_reclaim"
retstr = returnstr(1)
}
@@ -117,12 +122,14 @@ probe syscall.set_zone_reclaim.return =
#
# NOTE: args vary between archs.
#
-probe syscall.sigaltstack = kernel.function("sys_sigaltstack") {
+probe syscall.sigaltstack = kernel.function("sys_sigaltstack")
+{
name = "sigaltstack"
ussp = %( kernel_vr < "2.6.25" %? $ebx %: %( kernel_vr < "2.6.29" %? $bx %: $regs->bx %) %)
argstr = sprintf("%p", ussp)
}
-probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
+probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return
+{
name = "sigaltstack"
retstr = returnstr(1)
}
@@ -131,7 +138,8 @@ probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
#
# int sys_vm86(struct pt_regs regs)
#
-probe syscall.vm86 = kernel.function("sys_vm86") ? {
+probe syscall.vm86 = kernel.function("sys_vm86") ?
+{
name = "vm86"
/*
* unsupported type identifier '$regs'
@@ -139,8 +147,9 @@ probe syscall.vm86 = kernel.function("sys_vm86") ? {
*/
argstr = ""
}
-probe syscall.vm86.return = kernel.function("sys_vm86").return ? {
- name = "vm86"
+probe syscall.vm86.return = kernel.function("sys_vm86").return ?
+{
+ name = "vm86"
retstr = returnstr(1)
}
@@ -148,15 +157,17 @@ probe syscall.vm86.return = kernel.function("sys_vm86").return ? {
#
# int sys_vm86old(struct pt_regs regs)
#
-probe syscall.vm86old = kernel.function("sys_vm86old") ? {
- name = "vm86old"
+probe syscall.vm86old = kernel.function("sys_vm86old") ?
+{
+ name = "vm86old"
/*
* unsupported type identifier '$regs'
* regs = $regs
*/
argstr = ""
}
-probe syscall.vm86old.return = kernel.function("sys_vm86old").return ? {
+probe syscall.vm86old.return = kernel.function("sys_vm86old").return ?
+{
name = "vm86old"
retstr = returnstr(1)
}
diff --git a/tapset/ia64/nd_syscalls.stp b/tapset/ia64/nd_syscalls.stp
new file mode 100644
index 00000000..d25423d1
--- /dev/null
+++ b/tapset/ia64/nd_syscalls.stp
@@ -0,0 +1,102 @@
+# IA64 system calls
+
+# mmap
+# sys_mmap (unsigned long addr, unsigned long len, int prot, int flags, int fd, long off)
+#
+probe nd_syscall.mmap = kprobe.function("sys_mmap") ?
+{
+ name = "mmap"
+ // start = $addr
+ // len = $len
+ // prot = $prot
+ // flags = $flags
+ // fd = $fd
+ // offset = $off
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
+ // _mprotect_prot_str($prot), _mmap_flags($flags), $fd, $off)
+ asmlinkage()
+ start = ulong_arg(1)
+ len = ulong_arg(2)
+ prot = int_arg(3)
+ flags = int_arg(4)
+ fd = int_arg(5)
+ offset = long_arg(6)
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", start, len,
+ _mprotect_prot_str(prot), _mmap_flags(flags), fd, offset)
+}
+
+probe nd_syscall.mmap.return = kprobe.function("sys_mmap").return ?
+{
+ name = "mmap"
+ retstr = returnstr(2)
+}
+
+# mmap2
+# sys_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, long pgoff)
+probe nd_syscall.mmap2 = kprobe.function("sys_mmap2") ?
+{
+ name = "mmap2"
+ // start = $addr
+ // length = $len
+ // prot = $prot
+ // flags = $flags
+ // fd = $fd
+ // pgoffset = $pgoff
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
+ // $len, _mprotect_prot_str($prot), _mmap_flags($flags),
+ // $fd, $pgoff)
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ prot = int_arg(3)
+ flags = int_arg(4)
+ fd = int_arg(5)
+ pgoffset = long_arg(6)
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", start, length,
+ _mprotect_prot_str(prot), _mmap_flags(flags), fd, pgoffset)
+}
+probe nd_syscall.mmap2.return = kprobe.function("sys_mmap2").return ?
+{
+ name = "mmap2"
+ retstr = returnstr(2)
+}
+
+# sigaltstack _______________________________________________
+# asmlinkage long
+# sys_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, long arg2,
+# long arg3, long arg4, long arg5, long arg6, long arg7,
+# struct pt_regs regs)
+#
+probe nd_syscall.sigaltstack = kprobe.function("sys_sigaltstack")
+{
+ name = "sigaltstack";
+ // ss_uaddr = $uss
+ // oss_uaddr = $uoss
+ // argstr = sprintf("%p, %p", $uss, $uoss)
+ asmlinkage()
+ ss_uaddr = pointer_arg(1)
+ oss_uaddr = pointer_arg(2)
+ argstr = sprintf("%p, %p", ss_uaddr, oss_uaddr)
+}
+probe nd_syscall.sigaltstack.return = kprobe.function("sys_sigaltstack").return
+{
+ name = "sigaltstack";
+ retstr = returnstr(1)
+}
+
+# sysctl _____________________________________________________
+#
+# long sys32_sysctl (struct sysctl32 __user *args)
+#
+probe nd_syscall.sysctl32 = kprobe.function("sys32_sysctl") ?
+{
+ name = "sysctl"
+ // argstr = sprintf("%p", $args)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sysctl32.return = kprobe.function("sys32_sysctl").return ?
+{
+ name = "sysctl"
+ retstr = returnstr(1)
+}
diff --git a/tapset/ia64/syscalls.stp b/tapset/ia64/syscalls.stp
index 7a508071..c57ab7e6 100644
--- a/tapset/ia64/syscalls.stp
+++ b/tapset/ia64/syscalls.stp
@@ -3,7 +3,8 @@
# mmap
# sys_mmap (unsigned long addr, unsigned long len, int prot, int flags, int fd, long off)
#
-probe syscall.mmap = kernel.function("sys_mmap") ? {
+probe syscall.mmap = kernel.function("sys_mmap") ?
+{
name = "mmap"
start = $addr
len = $len
@@ -15,7 +16,8 @@ probe syscall.mmap = kernel.function("sys_mmap") ? {
_mprotect_prot_str($prot), _mmap_flags($flags), $fd, $off)
}
-probe syscall.mmap.return = kernel.function("sys_mmap").return ? {
+probe syscall.mmap.return = kernel.function("sys_mmap").return ?
+{
name = "mmap"
retstr = returnstr(2)
}
@@ -31,7 +33,7 @@ probe syscall.mmap2 = kernel.function("sys_mmap2") ?
flags = $flags
fd = $fd
pgoffset = $pgoff
- argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
$len, _mprotect_prot_str($prot), _mmap_flags($flags),
$fd, $pgoff)
}
@@ -64,11 +66,13 @@ probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return
#
# long sys32_sysctl (struct sysctl32 __user *args)
#
-probe syscall.sysctl32 = kernel.function("sys32_sysctl") ? {
+probe syscall.sysctl32 = kernel.function("sys32_sysctl") ?
+{
name = "sysctl"
argstr = sprintf("%p", $args)
}
-probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ? {
+probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ?
+{
name = "sysctl"
retstr = returnstr(1)
}
diff --git a/tapset/nd_syscalls.stp b/tapset/nd_syscalls.stp
index a0e5286b..f9a6ffce 100644
--- a/tapset/nd_syscalls.stp
+++ b/tapset/nd_syscalls.stp
@@ -12,9 +12,6 @@
* nd_syscalls.stp is a copy of syscalls.stp, modified to refer to
* function arguments by number rather than name, so that this tapset
* can be used even when the probed kernel lacks debugging information.
- *
- * So far, the names-to-numbers conversion covers only syscall.a*
- * through syscall.c*, plus a few others.
*/
@@ -30,14 +27,16 @@
* braces are decoded structs.
*
* retstr - a string containing the return value in an easy-to-read format.
-* Set in return probes only.
+* Set in return probes only.
*/
# accept _____________________________________________________
# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
# int __user *upeer_addrlen)
-probe nd_syscall.accept = kernel.function("sys_accept") ? {
+probe nd_syscall.accept = kprobe.function("SyS_accept") ?,
+ kprobe.function("sys_accept") ?
+{
name = "accept"
// sockfd = $fd
// addr_uaddr = $upeer_sockaddr
@@ -49,14 +48,18 @@ probe nd_syscall.accept = kernel.function("sys_accept") ? {
addrlen_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr)
}
-probe nd_syscall.accept.return = kernel.function("sys_accept").return ? {
+probe nd_syscall.accept.return = kprobe.function("SyS_accept").return ?,
+ kprobe.function("sys_accept").return ?
+{
name = "accept"
retstr = returnstr(1)
}
# access _____________________________________________________
# long sys_access(const char __user * filename, int mode)
-probe nd_syscall.access = kernel.function("sys_access") {
+probe nd_syscall.access = kprobe.function("SyS_access") ?,
+ kprobe.function("sys_access") ?
+{
name = "access"
// pathname = user_string($filename)
// mode = $mode
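Review bot: nd_syscall.access was a mandatory probe point before this change (`kernel.function("sys_access")` with no `?`), and now both alternatives are optional, so on a kernel where neither `SyS_access` nor `sys_access` resolves the alias matches nothing and a script that relies on it for monitoring attaches to no probe without an error. If a kernel exposes both names for the same entry point, two optional alternatives could presumably also both register and report each call twice; that is worth confirming. Marking the first alternative as sufficient and leaving the last one mandatory would address both, e.g. `kprobe.function("SyS_access") !, kprobe.function("sys_access")`. The same pattern is applied in the later hunks to adjtimex, capget, capset, chdir, chmod, chown, chroot, brk, clock_getres and clock_gettime, which were likewise mandatory before; the body of nd_syscall.access continues past this hunk.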
@@ -68,22 +71,26 @@ probe nd_syscall.access = kernel.function("sys_access") {
mode_str = _access_mode_str(mode)
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str)
}
-probe nd_syscall.access.return = kernel.function("sys_access").return {
+probe nd_syscall.access.return = kprobe.function("SyS_access").return ?,
+ kprobe.function("sys_access").return ?
+{
name = "access"
retstr = returnstr(1)
}
# acct _______________________________________________________
# long sys_acct(const char __user *name)
-probe nd_syscall.acct = kernel.function("sys_acct") ? {
+probe nd_syscall.acct = kprobe.function("sys_acct") ?
+{
name = "acct"
- // filename = user_string($name)
+ // filename = user_string($name)
// argstr = user_string_quoted($name)
asmlinkage()
filename = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
+probe nd_syscall.acct.return = kprobe.function("sys_acct").return ?
+{
name = "acct"
retstr = returnstr(1)
}
@@ -95,17 +102,19 @@ probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
# size_t plen,
# key_serial_t ringid)
#
-probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
+probe nd_syscall.add_key = kprobe.function("SyS_add_key") ?,
+ kprobe.function("sys_add_key") ?
+{
name = "add_key"
// type_uaddr = $_type
// description_auddr = $_description
// payload_uaddr = $_payload
// plen = $plen
// ringid = $ringid
- // argstr = sprintf("%s, %s, %s, %d, %d",
+ // argstr = sprintf("%s, %s, %s, %d, %d",
// user_string_quoted($_type),
// user_string_quoted($_description),
- // text_strn(user_string($_payload),syscall_string_trunc,1),
+ // text_strn(user_string($_payload), syscall_string_trunc, 1),
// $plen, $ringid)
asmlinkage()
type_uaddr = pointer_arg(1)
@@ -113,52 +122,60 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
payload_uaddr = pointer_arg(3)
plen = ulong_arg(4)
ringid = int_arg(5)
- argstr = sprintf("%s, %s, %s, %d, %d",
- user_string_quoted(type_uaddr),
- user_string_quoted(description_uaddr),
- text_strn(user_string(payload_uaddr),syscall_string_trunc,1),
- plen, ringid)
-}
-probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? {
+ argstr = sprintf("%s, %s, %s, %d, %d",
+ user_string_quoted(type_uaddr),
+ user_string_quoted(description_uaddr),
+ text_strn(user_string(payload_uaddr), syscall_string_trunc, 1),
+ plen, ringid)
+}
+probe nd_syscall.add_key.return = kprobe.function("SyS_add_key").return ?,
+ kprobe.function("sys_add_key").return ?
+{
name = "add_key"
retstr = returnstr(1)
}
# adjtimex ___________________________________________________
# long sys_adjtimex(struct timex __user *txc_p)
-probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") {
+probe nd_syscall.adjtimex = kprobe.function("SyS_adjtimex") ?,
+ kprobe.function("sys_adjtimex") ?
+{
name = "adjtimex"
-
+
/*
- * buf_offset = __uget_timex_m($txc_p,1)
- * buf_freq = __uget_timex_m($txc_p,2)
- * buf_maxerror = __uget_timex_m($txc_p,3)
- * buf_esterror = __uget_timex_m($txc_p,4)
- * buf_status = __uget_timex_m($txc_p,5)
- * buf_constant = __uget_timex_m($txc_p,6)
- * buf_precision = __uget_timex_m($txc_p,7)
- * buf_tolerance = __uget_timex_m($txc_p,8)
- * buf_time_tv_sec = __uget_timex_m($txc_p,9)
- * buf_time_tv_usec = __uget_timex_m($txc_p,10)
- * buf_tick = __uget_timex_m($txc_p,11)
+ * buf_offset = __uget_timex_m($txc_p, 1)
+ * buf_freq = __uget_timex_m($txc_p, 2)
+ * buf_maxerror = __uget_timex_m($txc_p, 3)
+ * buf_esterror = __uget_timex_m($txc_p, 4)
+ * buf_status = __uget_timex_m($txc_p, 5)
+ * buf_constant = __uget_timex_m($txc_p, 6)
+ * buf_precision = __uget_timex_m($txc_p, 7)
+ * buf_tolerance = __uget_timex_m($txc_p, 8)
+ * buf_time_tv_sec = __uget_timex_m($txc_p, 9)
+ * buf_time_tv_usec = __uget_timex_m($txc_p, 10)
+ * buf_tick = __uget_timex_m($txc_p, 11)
*/
// argstr = sprintf("%p", $txc_p)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
-probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return {
+probe nd_syscall.adjtimex.return = kprobe.function("SyS_adjtimex").return ?,
+ kprobe.function("sys_adjtimex").return ?
+{
name = "adjtimex"
// retstr = _adjtimex_return_str($return)
retstr = _adjtimex_return_str(returnval())
}
# long compat_sys_adjtimex(struct compat_timex __user *utp)
-probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? {
+probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ?
+{
name = "compat_adjtimex"
// argstr = sprintf("%p", $utp)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
-probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? {
+probe nd_syscall.compat_adjtimex.return = kprobe.function("compat_sys_adjtimex").return ?
+{
name = "compat_adjtimex"
retstr = returnstr(1)
}
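Review bot: The re-indented argstr for nd_syscall.add_key still formats the key payload with `text_strn(user_string(payload_uaddr), syscall_string_trunc, 1)`, which reads user memory up to the first NUL rather than `plen` bytes and copies key material into the trace output. A payload is not necessarily a NUL-terminated string, so the text can stop short or run past the `plen` bytes the caller passed, and anyone who can read the script's output sees part of the secret. I would log only the address and length here, `argstr = sprintf("%s, %s, %p, %d, %d", user_string_quoted(type_uaddr), user_string_quoted(description_uaddr), payload_uaddr, plen, ringid)`, or at least bound the read by plen. The add_key probe body starts in the previous hunk.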
@@ -167,9 +184,9 @@ probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex")
# unsigned long sys_alarm (unsigned int seconds)
# long sys32_alarm(unsigned int seconds)
#
-probe nd_syscall.alarm =
- kernel.function("sys_alarm") ?,
- kernel.function("sys32_alarm") ?
+probe nd_syscall.alarm = kprobe.function("sys32_alarm") ?,
+ kprobe.function("SyS_alarm") ?,
+ kprobe.function("sys_alarm") ?
{
name = "alarm"
// seconds = $seconds
@@ -178,62 +195,70 @@ probe nd_syscall.alarm =
seconds = uint_arg(1)
argstr = sprint(seconds)
}
-probe nd_syscall.alarm.return =
- kernel.function("sys_alarm").return ?,
- kernel.function("sys32_alarm").return ?
+probe nd_syscall.alarm.return = kprobe.function("sys32_alarm").return ?,
+ kprobe.function("SyS_alarm").return ?,
+ kprobe.function("sys_alarm").return ?
{
name = "alarm"
retstr = returnstr(1)
}
# bdflush ____________________________________________________
-# long sys_bdflush(int func,long data)
-probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? {
+# long sys_bdflush(int func, long data)
+probe nd_syscall.bdflush = kprobe.function("SyS_bdflush") ?,
+ kprobe.function("sys_bdflush") ?
+{
name = "bdflush"
// func = $func
// data = $data
- // if (($func>=2)&&($func%2==0))
- // data_str = sprintf("%p", $data)
- // else
- // data_str = sprintf("%d", $data)
+ // if (($func >= 2) && ($func % 2 == 0))
+ // data_str = sprintf("%p", $data)
+ // else
+ // data_str = sprintf("%d", $data)
asmlinkage()
func = int_arg(1)
data = long_arg(2)
- if ((func>=2)&&(func%2==0))
- data_str = sprintf("%p", data)
- else
- data_str = sprintf("%d", data)
- argstr = sprintf("%d, %s",func, data_str)
+ if ((func >= 2) && (func % 2 == 0))
+ data_str = sprintf("%p", data)
+ else
+ data_str = sprintf("%d", data)
+ argstr = sprintf("%d, %s", func, data_str)
}
-probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? {
+probe nd_syscall.bdflush.return = kprobe.function("SyS_bdflush").return ?,
+ kprobe.function("sys_bdflush").return ?
+{
name = "bdflush"
retstr = returnstr(1)
}
# bind _______________________________________________________
# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
-probe nd_syscall.bind = kernel.function("sys_bind") ? {
+probe nd_syscall.bind = kprobe.function("SyS_bind") ?,
+ kprobe.function("sys_bind") ?
+{
name = "bind"
// sockfd = $fd
// my_addr_uaddr = $umyaddr
// addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
+ // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
my_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
- argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr,addrlen),addrlen)
+ argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr, addrlen), addrlen)
}
-probe nd_syscall.bind.return = kernel.function("sys_bind").return ? {
+probe nd_syscall.bind.return = kprobe.function("SyS_bind").return ?,
+ kprobe.function("sys_bind").return ?
+{
name = "bind"
retstr = returnstr(1)
}
# brk ________________________________________________________
# unsigned long sys_brk(unsigned long brk)
-probe nd_syscall.brk =
- kernel.function("sys_brk"),
- kernel.function("ia64_brk") ?
+probe nd_syscall.brk = kprobe.function("ia64_brk") ?,
+ kprobe.function("SyS_brk") ?,
+ kprobe.function("sys_brk") ?
{
name = "brk"
// brk = $brk
@@ -241,9 +266,9 @@ probe nd_syscall.brk =
brk = ulong_arg(1)
argstr = sprintf("%p", brk)
}
-probe nd_syscall.brk.return =
- kernel.function("sys_brk").return,
- kernel.function("ia64_brk").return ?
+probe nd_syscall.brk.return = kprobe.function("ia64_brk").return ?,
+ kprobe.function("SyS_brk").return ?,
+ kprobe.function("sys_brk").return ?
{
name = "brk"
retstr = returnstr(1)
@@ -262,7 +287,9 @@ probe nd_syscall.brk.return =
* functions to export.
*/
# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
-probe nd_syscall.capget = kernel.function("sys_capget") {
+probe nd_syscall.capget = kprobe.function("SyS_capget") ?,
+ kprobe.function("sys_capget") ?
+{
name = "capget"
// header_uaddr = $header
// data_uaddr = $dataptr
@@ -272,7 +299,9 @@ probe nd_syscall.capget = kernel.function("sys_capget") {
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
-probe nd_syscall.capget.return = kernel.function("sys_capget").return {
+probe nd_syscall.capget.return = kprobe.function("SyS_capget").return ?,
+ kprobe.function("sys_capget").return ?
+{
name = "capget"
retstr = returnstr(1)
}
@@ -289,7 +318,9 @@ probe nd_syscall.capget.return = kernel.function("sys_capget").return {
* functions to export.
*/
# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
-probe nd_syscall.capset = kernel.function("sys_capset") {
+probe nd_syscall.capset = kprobe.function("SyS_capset") ?,
+ kprobe.function("sys_capset") ?
+{
name = "capset"
// header_uaddr = $header
// data_uaddr = $data
@@ -299,14 +330,18 @@ probe nd_syscall.capset = kernel.function("sys_capset") {
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
-probe nd_syscall.capset.return = kernel.function("sys_capset").return {
+probe nd_syscall.capset.return = kprobe.function("SyS_capset").return ?,
+ kprobe.function("sys_capset").return ?
+{
name = "capset"
retstr = returnstr(1)
}
# chdir ______________________________________________________
# long sys_chdir(const char __user * filename)
-probe nd_syscall.chdir = kernel.function("sys_chdir") {
+probe nd_syscall.chdir = kprobe.function("SyS_chdir") ?,
+ kprobe.function("sys_chdir") ?
+{
name = "chdir"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
@@ -314,14 +349,18 @@ probe nd_syscall.chdir = kernel.function("sys_chdir") {
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.chdir.return = kernel.function("sys_chdir").return {
+probe nd_syscall.chdir.return = kprobe.function("SyS_chdir").return ?,
+ kprobe.function("sys_chdir").return ?
+{
name = "chdir"
retstr = returnstr(1)
}
# chmod ______________________________________________________
# long sys_chmod(const char __user * filename, mode_t mode)
-probe nd_syscall.chmod = kernel.function("sys_chmod") {
+probe nd_syscall.chmod = kprobe.function("SyS_chmod") ?,
+ kprobe.function("sys_chmod") ?
+{
name = "chmod"
// path = user_string($filename)
// mode = $mode
@@ -331,34 +370,41 @@ probe nd_syscall.chmod = kernel.function("sys_chmod") {
mode = uint_arg(2)
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
-probe nd_syscall.chmod.return = kernel.function("sys_chmod").return {
+probe nd_syscall.chmod.return = kprobe.function("SyS_chmod").return ?,
+ kprobe.function("sys_chmod").return ?
+{
name = "chmod"
retstr = returnstr(1)
}
# chown ______________________________________________________
# long sys_chown(const char __user * filename, uid_t user, gid_t group)
-probe nd_syscall.chown = kernel.function("sys_chown") {
+probe nd_syscall.chown = kprobe.function("SyS_chown") ?,
+ kprobe.function("sys_chown") ?
+{
name = "chown"
// path = user_string($filename)
// owner = __int32($user)
// group = __int32($group)
- // argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __int32(uint_arg(2))
group = __int32(uint_arg(3))
- argstr = sprintf("%s, %d, %d",user_string_quoted(pointer_arg(1)), owner, group)
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.chown.return = kernel.function("sys_chown").return {
+probe nd_syscall.chown.return = kprobe.function("SyS_chown").return ?,
+ kprobe.function("sys_chown").return ?
+{
name = "chown"
retstr = returnstr(1)
}
# chown16 ___________________________________________________
-# long sys_chown16(const char __user * filename, old_uid_t user,
+# long sys_chown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
+probe nd_syscall.chown16 = kprobe.function("sys_chown16") ?
+{
name = "chown16"
// path = user_string($filename)
// owner = __short($user)
@@ -370,14 +416,17 @@ probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
group = __short(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? {
+probe nd_syscall.chown16.return = kprobe.function("sys_chown16").return ?
+{
name = "chown16"
retstr = returnstr(1)
}
# chroot _____________________________________________________
# long sys_chroot(const char __user * filename)
-probe nd_syscall.chroot = kernel.function("sys_chroot") {
+probe nd_syscall.chroot = kprobe.function("SyS_chroot") ?,
+ kprobe.function("sys_chroot") ?
+{
name = "chroot"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
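Review bot: Both alternatives of nd_syscall.chroot are now optional (`kprobe.function("SyS_chroot") ?, kprobe.function("sys_chroot") ?`), where the removed `kernel.function("sys_chroot")` was mandatory. If neither symbol exists on the running kernel, a script that relies on this probe to record chroot calls may attach to nothing and produce an empty trace instead of an error; it is worth confirming how that case is reported. A comment above the probe, such as `# exactly one of SyS_chroot/sys_chroot is expected to exist; both are optional only to cover either kernel flavour`, would record the intent. The same pattern is applied to most other probes in the surrounding hunks.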
@@ -385,7 +434,9 @@ probe nd_syscall.chroot = kernel.function("sys_chroot") {
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
+probe nd_syscall.chroot.return = kprobe.function("SyS_chroot").return ?,
+ kprobe.function("sys_chroot").return ?
+{
name = "chroot"
retstr = returnstr(1)
}
@@ -393,10 +444,10 @@ probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
# clock_getres _______________________________________________
# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
# long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
-#
-probe nd_syscall.clock_getres =
- kernel.function("sys_clock_getres"),
- kernel.function("compat_clock_getres") ?
+#
+probe nd_syscall.clock_getres = kprobe.function("compat_clock_getres") ?,
+ kprobe.function("SyS_clock_getres") ?,
+ kprobe.function("sys_clock_getres") ?
{
name = "clock_getres"
// clk_id = $which_clock
@@ -409,9 +460,9 @@ probe nd_syscall.clock_getres =
res_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", clk_id_str, res_uaddr)
}
-probe nd_syscall.clock_getres.return =
- kernel.function("sys_clock_getres").return,
- kernel.function("compat_clock_getres").return ?
+probe nd_syscall.clock_getres.return = kprobe.function("compat_clock_getres").return ?,
+ kprobe.function("SyS_clock_getres").return ?,
+ kprobe.function("sys_clock_getres").return ?
{
name = "clock_getres"
retstr = returnstr(1)
@@ -420,8 +471,8 @@ probe nd_syscall.clock_getres.return =
# clock_gettime ______________________________________________
# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
#
-probe nd_syscall.clock_gettime =
- kernel.function("sys_clock_gettime")
+probe nd_syscall.clock_gettime = kprobe.function("SyS_clock_gettime") ?,
+ kprobe.function("sys_clock_gettime") ?
{
name = "clock_gettime"
// clk_id = $which_clock
@@ -432,7 +483,8 @@ probe nd_syscall.clock_gettime =
clk_id_str = _get_wc_str(clk_id)
argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2))
}
-probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return
+probe nd_syscall.clock_gettime.return = kprobe.function("SyS_clock_gettime").return ?,
+ kprobe.function("sys_clock_gettime").return ?
{
name = "clock_gettime"
retstr = returnstr(1)
@@ -444,14 +496,16 @@ probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").ret
# const struct timespec __user *rqtp,
# struct timespec __user *rmtp)
#
-probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
+probe nd_syscall.clock_nanosleep = kprobe.function("SyS_clock_nanosleep") ?,
+ kprobe.function("sys_clock_nanosleep") ?
+{
name = "clock_nanosleep"
// if ($flags == 1)
// flag_str = "TIMER_ABSTIME"
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_timespec_u($rqtp,1), $rmtp)
+ // _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
@@ -459,9 +513,11 @@ probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
- _struct_timespec_u(pointer_arg(3),1), pointer_arg(4))
+ _struct_timespec_u(pointer_arg(3), 1), pointer_arg(4))
}
-probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return {
+probe nd_syscall.clock_nanosleep.return = kprobe.function("SyS_clock_nanosleep").return ?,
+ kprobe.function("sys_clock_nanosleep").return ?
+{
name = "clock_nanosleep"
retstr = returnstr(1)
}
@@ -471,9 +527,8 @@ probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep")
# struct compat_timespec __user *rqtp,
# struct compat_timespec __user *rmtp)
#
-probe nd_syscall.compat_clock_nanosleep =
- kernel.function("compat_clock_nanosleep") ?,
- kernel.function("compat_sys_clock_nanosleep") ?
+probe nd_syscall.compat_clock_nanosleep = kprobe.function("compat_clock_nanosleep") ?,
+ kprobe.function("compat_sys_clock_nanosleep") ?
{
name = "compat_clock_nanosleep"
// if ($flags == 1)
@@ -481,7 +536,7 @@ probe nd_syscall.compat_clock_nanosleep =
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_compat_timespec_u($rqtp,1), $rmtp)
+ // _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
@@ -489,12 +544,11 @@ probe nd_syscall.compat_clock_nanosleep =
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
- _struct_compat_timespec_u(pointer_arg(3),1),
- pointer_arg(4))
+ _struct_compat_timespec_u(pointer_arg(3), 1),
+ pointer_arg(4))
}
-probe nd_syscall.compat_clock_nanosleep.return =
- kernel.function("compat_clock_nanosleep").return ?,
- kernel.function("compat_sys_clock_nanosleep").return ?
+probe nd_syscall.compat_clock_nanosleep.return = kprobe.function("compat_clock_nanosleep").return ?,
+ kprobe.function("compat_sys_clock_nanosleep").return ?
{
name = "compat_clock_nanosleep"
retstr = returnstr(1)
@@ -504,68 +558,83 @@ probe nd_syscall.compat_clock_nanosleep.return =
# long sys_clock_settime(clockid_t which_clock,
# const struct timespec __user *tp)
#
-probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") {
+probe nd_syscall.clock_settime = kprobe.function("SyS_clock_settime") ?,
+ kprobe.function("sys_clock_settime") ?
+{
name = "clock_settime"
// clk_id = $which_clock
// clk_id_str = _get_wc_str($which_clock)
// tp_uaddr = $tp
- // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1))
+ // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
tp_uaddr = pointer_arg(2)
- argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr,1))
+ argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr, 1))
}
-probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return {
+probe nd_syscall.clock_settime.return = kprobe.function("SyS_clock_settime").return ?,
+ kprobe.function("sys_clock_settime").return ?
+{
name = "clock_settime"
retstr = returnstr(1)
}
# close ______________________________________________________
# long sys_close(unsigned int fd)
-probe nd_syscall.close = kernel.function("sys_close") {
+probe nd_syscall.close = kprobe.function("SyS_close") ?,
+ kprobe.function("sys_close") ?
+{
name = "close"
// fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.close.return = kernel.function("sys_close").return {
+probe nd_syscall.close.return = kprobe.function("SyS_close").return ?,
+ kprobe.function("sys_close").return ?
+{
name = "close"
retstr = returnstr(1)
}
# connect ____________________________________________________
# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
-probe nd_syscall.connect = kernel.function("sys_connect") ? {
+probe nd_syscall.connect = kprobe.function("SyS_connect") ?,
+ kprobe.function("sys_connect") ?
+{
name = "connect"
// sockfd = $fd
// serv_addr_uaddr = $uservaddr
// addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
+ // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
serv_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
- argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr,addrlen),addrlen)
+ argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr, addrlen), addrlen)
}
-probe nd_syscall.connect.return = kernel.function("sys_connect").return ? {
+probe nd_syscall.connect.return = kprobe.function("SyS_connect").return ?,
+ kprobe.function("sys_connect").return ?
+{
name = "connect"
retstr = returnstr(1)
}
# creat
# long sys_creat(const char __user * pathname, int mode)
-probe nd_syscall.creat = kernel.function("sys_creat") ?
+probe nd_syscall.creat = kprobe.function("SyS_creat") ?,
+ kprobe.function("sys_creat") ?
{
name = "creat"
// mode = $mode
// pathname = user_string($pathname)
// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ asmlinkage()
mode = int_arg(2)
pathname = user_string(pointer_arg(1))
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
-probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
+probe nd_syscall.creat.return = kprobe.function("SyS_creat").return ?,
+ kprobe.function("sys_creat").return ?
{
name = "creat"
retstr = returnstr(1)
@@ -573,20 +642,30 @@ probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
# delete_module ______________________________________________
# long sys_delete_module(const char __user *name_user, unsigned int flags)
-probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? {
+probe nd_syscall.delete_module = kprobe.function("SyS_delete_module") ?,
+ kprobe.function("sys_delete_module") ?
+{
name = "delete_module"
- name_user = user_string($name_user)
- flags = $flags
- argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+ // name_user = user_string($name_user)
+ // flags = $flags
+ // argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+ asmlinkage()
+ name_user = user_string(pointer_arg(1))
+ flags = uint_arg(2)
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(uint_arg(2)))
}
-probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? {
+probe nd_syscall.delete_module.return = kprobe.function("SyS_delete_module").return ?,
+ kprobe.function("sys_delete_module").return ?
+{
name = "delete_module"
retstr = returnstr(1)
}
# dup ________________________________________________________
# long sys_dup(unsigned int fildes)
-probe nd_syscall.dup = kernel.function("sys_dup") {
+probe nd_syscall.dup = kprobe.function("SyS_dup") ?,
+ kprobe.function("sys_dup") ?
+{
name = "dup"
// oldfd = $fildes
// argstr = sprint($fildes)
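Review bot: In nd_syscall.delete_module the new `argstr` line fetches both arguments again instead of using the values just stored. `flags` is already set from `uint_arg(2)`, and the module name is copied from user memory once by `user_string(pointer_arg(1))` and again by `user_string_quoted(pointer_arg(1))`. The buffer belongs to the traced process, so the two copies can differ, and `name_user` and `argstr` are not guaranteed to agree with each other or with what the kernel reads afterwards. Using the stored flags, `argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(flags))`, removes one redundant fetch, and a comment such as `# name is sampled from user memory at probe entry; the kernel copies it separately` documents the limit for audit use. The faccessat, fchmodat and fchownat probes added in later hunks read their pathname twice in the same way.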
@@ -594,32 +673,49 @@ probe nd_syscall.dup = kernel.function("sys_dup") {
old_fd = int_arg(1)
argstr = sprint(old_fd)
}
-probe nd_syscall.dup.return = kernel.function("sys_dup").return {
+probe nd_syscall.dup.return = kprobe.function("SyS_dup").return ?,
+ kprobe.function("sys_dup").return ?
+{
name = "dup"
retstr = returnstr(1)
}
# dup2 _______________________________________________________
# long sys_dup2(unsigned int oldfd, unsigned int newfd)
-probe nd_syscall.dup2 = kernel.function("sys_dup2") {
+probe nd_syscall.dup2 = kprobe.function("SyS_dup2") ?,
+ kprobe.function("sys_dup2") ?
+{
name = "dup2"
- oldfd = $oldfd
- newfd = $newfd
- argstr = sprintf("%d, %d", $oldfd, $newfd)
+ // oldfd = $oldfd
+ // newfd = $newfd
+ // argstr = sprintf("%d, %d", $oldfd, $newfd)
+ asmlinkage()
+ oldfd = int_arg(1)
+ newfd = int_arg(2)
+ argstr = sprintf("%d, %d", oldfd, newfd)
}
-probe nd_syscall.dup2.return = kernel.function("sys_dup2").return {
+probe nd_syscall.dup2.return = kprobe.function("SyS_dup2").return ?,
+ kprobe.function("sys_dup2").return ?
+{
name = "dup2"
retstr = returnstr(1)
}
# epoll_create _______________________________________________
# long sys_epoll_create(int size)
-probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? {
+probe nd_syscall.epoll_create = kprobe.function("SyS_epoll_create") ?,
+ kprobe.function("sys_epoll_create") ?
+{
name = "epoll_create"
- size = $size
- argstr = sprint($size)
+ // size = $size
+ // argstr = sprint($size)
+ asmlinkage()
+ size = int_arg(1)
+ argstr = sprint(size)
}
-probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? {
+probe nd_syscall.epoll_create.return = kprobe.function("SyS_epoll_create").return ?,
+ kprobe.function("sys_epoll_create").return ?
+{
name = "epoll_create"
retstr = returnstr(1)
}
@@ -630,21 +726,28 @@ probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").retur
# long compat_sys_epoll_ctl(int epfd, int op, int fd,
# struct compat_epoll_event __user *event)
#
-probe nd_syscall.epoll_ctl =
- kernel.function("sys_epoll_ctl") ?,
- kernel.function("compat_sys_epoll_ctl") ?
+probe nd_syscall.epoll_ctl = kprobe.function("compat_sys_epoll_ctl") ?,
+ kprobe.function("SyS_epoll_ctl") ?,
+ kprobe.function("sys_epoll_ctl") ?
{
name = "epoll_ctl"
- epfd = $epfd
- op = $op
- op_str = _opoll_op_str($op)
- fd = $fd
- event_uaddr = $event
- argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
-}
-probe nd_syscall.epoll_ctl.return =
- kernel.function("sys_epoll_ctl").return ?,
- kernel.function("compat_sys_epoll_ctl").return ?
+ // epfd = $epfd
+ // eop = $op
+ // eop_str = _opoll_op_str($op)
+ // efd = $fd
+ // eevent_uaddr = $event
+ // eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+ asmlinkage()
+ epfd = int_arg(1)
+ op = int_arg(2)
+ op_str = _opoll_op_str(op)
+ fd = int_arg(3)
+ event_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %s, %d, %p", epfd, op_str, fd, event_uaddr)
+}
+probe nd_syscall.epoll_ctl.return = kprobe.function("compat_sys_epoll_ctl").return ?,
+ kprobe.function("SyS_epoll_ctl").return ?,
+ kprobe.function("sys_epoll_ctl").return ?
{
name = "epoll_ctl"
retstr = returnstr(1)
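Review bot: The commented-out reference lines in nd_syscall.epoll_ctl carry a stray `e` prefix (`// eop = $op`, `// eop_str = ...`, `// efd = $fd`, `// eevent_uaddr = $event`, `// eargstr = ...`), so they no longer name the variables the probe sets (`op`, `op_str`, `fd`, `event_uaddr`, `argstr`). Only `// epfd = $epfd` matches, which suggests an editing slip rather than intent. Restoring them to `// op = $op`, `// op_str = _opoll_op_str($op)`, `// fd = $fd` and so on keeps the `$var` form usable as a cross-check against the `*_arg()` lines.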
@@ -661,17 +764,19 @@ probe nd_syscall.epoll_ctl.return =
# const compat_sigset_t __user *sigmask,
# compat_size_t sigsetsize)
#
-probe nd_syscall.epoll_pwait =
- kernel.function("sys_epoll_pwait") ?,
- kernel.function("compat_sys_epoll_pwait") ?
+probe nd_syscall.epoll_pwait = kprobe.function("compat_sys_epoll_pwait") ?,
+ kprobe.function("SyS_epoll_pwait") ?,
+ kprobe.function("sys_epoll_pwait") ?
{
name = "epoll_pwait"
+ asmlinkage()
argstr = sprintf("%d, %p, %d, %d, %p, %d",
- $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+// $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+ int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6))
}
-probe nd_syscall.epoll_pwait.return =
- kernel.function("sys_epoll_pwait").return ?,
- kernel.function("compat_sys_epoll_pwait").return ?
+probe nd_syscall.epoll_pwait.return = kprobe.function("compat_sys_epoll_pwait").return ?,
+ kprobe.function("SyS_epoll_pwait").return ?,
+ kprobe.function("sys_epoll_pwait").return ?
{
name = "epoll_pwait"
retstr = returnstr(1)
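Review bot: The old argument list in nd_syscall.epoll_pwait is commented out in the middle of the `sprintf(` call, which splits one live statement around a comment. The other probes keep the `$var` form as a complete commented statement above `asmlinkage()`. Moving it up as `// argstr = sprintf("%d, %p, %d, %d, %p, %d", $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)` would keep the live call contiguous. Unlike nd_syscall.epoll_wait in the next hunk, this probe sets no per-argument variables, so scripts can only see the formatted string.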
@@ -685,20 +790,26 @@ probe nd_syscall.epoll_pwait.return =
# struct compat_epoll_event __user *events,
# int maxevents, int timeout)
#
-probe nd_syscall.epoll_wait =
- kernel.function("sys_epoll_wait") ?,
- kernel.function("compat_sys_epoll_wait") ?
+probe nd_syscall.epoll_wait = kprobe.function("compat_sys_epoll_wait") ?,
+ kprobe.function("SyS_epoll_wait") ?,
+ kprobe.function("sys_epoll_wait") ?
{
name = "epoll_wait"
- epfd = $epfd
- events_uaddr = $events
- maxevents = $maxevents
- timeout = $timeout
- argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
-}
-probe nd_syscall.epoll_wait.return =
- kernel.function("sys_epoll_wait").return ?,
- kernel.function("compat_sys_epoll_wait").return ?
+ // epfd = $epfd
+ // events_uaddr = $events
+ // maxevents = $maxevents
+ // timeout = $timeout
+ // argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+ asmlinkage()
+ epfd = int_arg(1)
+ events_uaddr = pointer_arg(2)
+ maxevents = int_arg(3)
+ timeout = int_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", epfd, events_uaddr, maxevents, timeout)
+}
+probe nd_syscall.epoll_wait.return = kprobe.function("compat_sys_epoll_wait").return ?,
+ kprobe.function("SyS_epoll_wait").return ?,
+ kprobe.function("sys_epoll_wait").return ?
{
name = "epoll_wait"
retstr = returnstr(1)
@@ -707,11 +818,17 @@ probe nd_syscall.epoll_wait.return =
# eventfd _____________________________________________________
# long sys_eventfd(unsigned int count)
#
-probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? {
+probe nd_syscall.eventfd = kprobe.function("SyS_eventfd") ?,
+ kprobe.function("sys_eventfd") ?
+{
name = "eventfd"
- argstr = sprint($count)
+ // argstr = sprint($count)
+ asmlinkage()
+ argstr = sprint(uint_arg(1))
}
-probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
+probe nd_syscall.eventfd.return = kprobe.function("SyS_eventfd").return ?,
+ kprobe.function("sys_eventfd").return ?
+{
name = "eventfd"
retstr = returnstr(1)
}
@@ -723,18 +840,21 @@ probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
# char __user *__user *argv,
# char __user *__user *envp,
# struct pt_regs * regs)
-probe nd_syscall.execve = kernel.function("do_execve") {
+probe nd_syscall.execve = kprobe.function("do_execve")
+{
name = "execve"
// filename = kernel_string($filename)
// args = __get_argv($argv, 0)
// argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
+ asmlinkage()
filename = kernel_string(pointer_arg(1))
args = __get_argv(pointer_arg(2), 0)
argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1))
}
# v2.6.15-rc2 or earlier has problems with sys_execve return probes
# another reason to probe on do_execve
-probe nd_syscall.execve.return = kernel.function("do_execve").return {
+probe nd_syscall.execve.return = kprobe.function("do_execve").return
+{
name = "execve"
retstr = returnstr(1)
}
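Review bot: `asmlinkage()` is added to nd_syscall.execve, but the probe sits on `do_execve`, an internal kernel function rather than a sys_* entry point. If `do_execve` is not declared asmlinkage, then on architectures where `asmlinkage()` changes where the `*_arg()` helpers look for arguments (32-bit x86 is the likely case), `pointer_arg(1)` and `pointer_arg(2)` may be read from the wrong place and the recorded filename and argv would be wrong. Execve tracing is commonly used for process auditing, so please confirm the calling convention and, if it is a register-call function, drop the `asmlinkage()` line. The same question applies to `compat_do_execve` and `do_exit` in the next hunk; the signature comment for this probe starts above the hunk.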
@@ -742,50 +862,104 @@ probe nd_syscall.execve.return = kernel.function("do_execve").return {
# compat_uptr_t __user *argv,
# compat_uptr_t __user *envp,
# struct pt_regs * regs)
-probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? {
+probe nd_syscall.compat_execve = kprobe.function("compat_do_execve") ?
+{
name = "compat_execve"
- filename = kernel_string($filename)
- args = __get_compat_argv($argv, 0)
- argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+ // filename = kernel_string($filename)
+ // args = __get_compat_argv($argv, 0)
+ // argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+ asmlinkage()
+ filename = kernel_string(pointer_arg(1))
+ args = __get_compat_argv(pointer_arg(2), 0)
+ argstr = sprintf("%s %s", filename, __get_compat_argv(pointer_arg(2), 1))
}
-probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return ? {
+probe nd_syscall.compat_execve.return = kprobe.function("compat_do_execve").return ?
+{
name = "compat_execve"
retstr = returnstr(1)
}
# exit _______________________________________________________
# long sys_exit(int error_code)
-probe nd_syscall.exit = kernel.function("do_exit") {
+probe nd_syscall.exit = kprobe.function("do_exit")
+{
name = "exit"
- status = $code
- argstr = sprint($code)
+ // status = $code
+ // argstr = sprint($code)
+ asmlinkage()
+ status = int_arg(1)
+ argstr = sprint(status)
}
-probe nd_syscall.exit.return = end {}
+# sys_exit() never returns, and is blacklisted for return probes,
+# so no alias here. See bz6588.
# exit_group _________________________________________________
# void sys_exit_group(int error_code)
#
-probe nd_syscall.exit_group = kernel.function("sys_exit_group") {
+probe nd_syscall.exit_group = kprobe.function("SyS_exit_group") ?,
+ kprobe.function("sys_exit_group") ?
+{
name = "exit_group"
- status = $error_code
- argstr = sprint($error_code)
+ // status = $error_code
+ // argstr = sprint($error_code)
+ asmlinkage()
+ status = int_arg(1)
+ argstr = sprint(status)
}
+# sys_exit_group() never returns, and is blacklisted for return probes,
+# so no alias here. See bz6588.
-probe nd_syscall.exit_group.return = end {}
+# faccessat __________________________________________________
+# new function with 2.6.16
+# long sys_faccessat(int dfd, const char __user *filename, int mode)
+probe nd_syscall.faccessat = kprobe.function("SyS_faccessat") ?,
+ kprobe.function("sys_faccessat") ?
+{
+ name = "faccessat"
+ // dirfd = $dfd
+ // dirfd_str = _dfd_str($dfd)
+ // pathname = user_string($filename)
+ // mode = $mode
+ // mode_str = _access_mode_str($mode)
+ // argstr = sprintf("%s, %s, %s", dirfd_str, user_string_quoted($filename), mode_str)
+ asmlinkage()
+ dirfd = int_arg(1)
+ dirfd_str = _dfd_str(dirfd)
+ pathname = user_string(pointer_arg(2))
+ mode = int_arg(3)
+ mode_str = _access_mode_str(mode)
+ argstr = sprintf("%s, %s, %s", dirfd_str, user_string_quoted(pointer_arg(2)), mode_str)
+}
+probe nd_syscall.faccessat.return = kprobe.function("SyS_faccessat").return ?,
+ kprobe.function("sys_faccessat").return ?
+{
+ name = "faccessat"
+ retstr = returnstr(1)
+}
%(arch != "x86_64" %?
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? {
+probe nd_syscall.fadvise64 = kprobe.function("SyS_fadvise64") ?,
+ kprobe.function("sys_fadvise64") ?
+{
name = "fadvise64"
- fs = $fd
- offset = $offset
- len = $len
- advice = $advice
- argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ // fd = $fd
+ // offset = $offset
+ // len = $len
+ // advice = $advice
+ // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ len = ulong_arg(3)
+ advice = int_arg(4)
+ argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
+probe nd_syscall.fadvise64.return = kprobe.function("SyS_fadvise64").return ?,
+ kprobe.function("sys_fadvise64").return ?
+{
name = "fadvise64"
retstr = returnstr(1)
}
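Review bot: In nd_syscall.fadvise64 (the `arch != "x86_64"` branch) `offset` is fetched with `longlong_arg(2)` and the next two arguments with `ulong_arg(3)` and `int_arg(4)`. On a 32-bit target a 64-bit argument normally occupies two argument slots, so the arguments after `offset` would sit at slots 4 and 5, and `len` and `advice` as written would pick up the high half of the offset and the length. If that holds for the tapset's `longlong_arg`, the 32-bit case needs `len = ulong_arg(4)` and `advice = int_arg(5)`, selected by a preprocessor conditional on word size. nd_syscall.fadvise64_64 in the following hunk uses the same numbering.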
@@ -793,15 +967,25 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("SyS_fadvise64_64") ?,
+ kprobe.function("sys_fadvise64_64") ?
+{
name = "fadvise64_64"
- fs = $fd
- offset = $offset
- len = $len
- advice = $advice
- argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ // fd = $fd
+ // offset = $offset
+ // len = $len
+ // advice = $advice
+ // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ len = ulong_arg(3)
+ advice = int_arg(4)
+ argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
-probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return = kprobe.function("SyS_fadvise64_64").return ?,
+ kprobe.function("sys_fadvise64_64").return ?
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
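Review bot: The signature comment gives `loff_t len` for sys_fadvise64_64, but the probe reads it with `len = ulong_arg(3)`. On a 32-bit kernel that is only 32 bits wide, so lengths of 4 GiB and above would be truncated in both `len` and `argstr`. `len = longlong_arg(3)` matches the declared type where a 64-bit argument fits one slot; where it takes two slots, the slot numbers after `offset` need adjusting as well.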
@@ -811,15 +995,19 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") {
+probe nd_syscall.fadvise64 = kprobe.function("SyS_fadvise64") ?,
+ kprobe.function("sys_fadvise64") ?
+{
name = "fadvise64"
- fs = 0
+ fd = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
+probe nd_syscall.fadvise64.return = kprobe.function("SyS_fadvise64").return ?,
+ kprobe.function("sys_fadvise64").return ?
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -827,15 +1015,19 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("SyS_fadvise64_64") ?,
+ kprobe.function("sys_fadvise64_64") ?
+{
name = "fadvise64_64"
- fs = 0
+ fd = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
-probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return = kprobe.function("SyS_fadvise64_64").return ?,
+ kprobe.function("sys_fadvise64_64").return ?
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -843,81 +1035,179 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu
# fchdir _____________________________________________________
# long sys_fchdir(unsigned int fd)
-probe nd_syscall.fchdir = kernel.function("sys_fchdir") {
+probe nd_syscall.fchdir = kprobe.function("SyS_fchdir") ?,
+ kprobe.function("sys_fchdir") ?
+{
name = "fchdir"
- fd = $fd
- argstr = sprint($fd)
+ // fd = $fd
+ // argstr = sprint($fd)
+ asmlinkage()
+ fd = int_arg(1)
+ argstr = sprint(fd)
}
-probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return {
+probe nd_syscall.fchdir.return = kprobe.function("SyS_fchdir").return ?,
+ kprobe.function("sys_fchdir").return ?
+{
name = "fchdir"
retstr = returnstr(1)
}
# fchmod _____________________________________________________
# long sys_fchmod(unsigned int fd, mode_t mode)
-probe nd_syscall.fchmod = kernel.function("sys_fchmod") {
+probe nd_syscall.fchmod = kprobe.function("SyS_fchmod") ?,
+ kprobe.function("sys_fchmod") ?
+{
name = "fchmod"
- fildes = $fd
- mode = $mode
- argstr = sprintf("%d, %#o", $fd, $mode)
+ // fildes = $fd
+ // mode = $mode
+ asmlinkage()
+ fildes = int_arg(1)
+ mode = uint_arg(2) # SAFE?
+ argstr = sprintf("%d, %#o", fildes, mode)
}
-probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return {
+probe nd_syscall.fchmod.return = kprobe.function("SyS_fchmod").return ?,
+ kprobe.function("sys_fchmod").return ?
+{
name = "fchmod"
retstr = returnstr(1)
}
+# fchmodat ___________________________________________________
+# new function with 2.6.16
+# long sys_fchmodat(int dfd, const char __user *filename,
+# mode_t mode)
+probe nd_syscall.fchmodat = kprobe.function("SyS_fchmodat") ?,
+ kprobe.function("sys_fchmodat") ?
+{
+ name = "fchmodat"
+ // dirfd = $dfd
+ // dirfd_str = _dfd_str($dfd)
+ // pathname = user_string($filename)
+ // mode = $mode
+ // argstr = sprintf("%s, %s, %#o", dirfd_str, user_string_quoted($filename), $mode)
+ asmlinkage()
+ dirfd = int_arg(1)
+ dirfd_str = _dfd_str(dirfd)
+ pathname = user_string(pointer_arg(2))
+ mode = uint_arg(3)
+ argstr = sprintf("%s, %s, %#o", dirfd_str, user_string_quoted(pointer_arg(2)), mode)
+}
+probe nd_syscall.fchmodat.return = kprobe.function("SyS_fchmodat").return ?,
+ kprobe.function("sys_fchmodat").return ?
+{
+ name = "fchmodat"
+ retstr = returnstr(1)
+}
+
# fchown _____________________________________________________
# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
-probe nd_syscall.fchown = kernel.function("sys_fchown") {
+probe nd_syscall.fchown = kprobe.function("SyS_fchown") ?,
+ kprobe.function("sys_fchown") ?
+{
name = "fchown"
- fd = $fd
- owner = __int32($user)
- group = __int32($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ // fd = $fd
+ // owner = __int32($user)
+ // group = __int32($group)
+ // argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ asmlinkage()
+ fd = int_arg(1)
+ owner = __int32(uint_arg(2))
+ group = __int32(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", fd, owner, group)
}
-probe nd_syscall.fchown.return = kernel.function("sys_fchown").return {
+probe nd_syscall.fchown.return = kprobe.function("SyS_fchown").return ?,
+ kprobe.function("sys_fchown").return ?
+{
name = "fchown"
retstr = returnstr(1)
}
# fchown16 ___________________________________________________
# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
-probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? {
+probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ?
+{
name = "fchown16"
- fd = $fd
- owner = __short($user)
- group = __short($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ // fd = $fd
+ // owner = __short($user)
+ // group = __short($group)
+ // argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ asmlinkage()
+ fd = int_arg(1)
+ owner = __short(uint_arg(2))
+ group = __short(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", fd, owner, group)
}
-probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
+probe nd_syscall.fchown16.return = kprobe.function("sys_fchown16").return ?
+{
name = "fchown16"
retstr = returnstr(1)
}
+# fchownat ___________________________________________________
+# new function with 2.6.16
+# long sys_fchownat(int dfd, const char __user *filename,
+# uid_t user, gid_t group, int flag)
+probe nd_syscall.fchownat = kprobe.function("SyS_fchownat") ?,
+ kprobe.function("sys_fchownat") ?
+{
+ name = "fchownat"
+ // dirfd = $dfd
+ // dirfd_str = _dfd_str($dfd)
+ // pathname = user_string($filename)
+ // owner = __int32($user)
+ // group = __int32($group)
+ // flags = $flag
+ // flags_str = _at_flag_str($flag)
+ // argstr = sprintf("%s, %s, %d, %d, %s",
+ // dirfd_str, user_string_quoted($filename), owner, group, flags_str)
+ asmlinkage()
+ dirfd = int_arg(1)
+ dirfd_str = _dfd_str(dirfd)
+ pathname = user_string(pointer_arg(2))
+ owner = __int32(uint_arg(3))
+ group = __int32(uint_arg(4))
+ flags = int_arg(5)
+ flags_str = _at_flag_str(flags)
+ argstr = sprintf("%s, %s, %d, %d, %s",
+ dirfd_str, user_string_quoted(pointer_arg(2)), owner, group, flags_str)
+}
+probe nd_syscall.fchownat.return = kprobe.function("SyS_fchownat").return ?,
+ kprobe.function("sys_fchownat").return ?
+{
+ name = "fchownat"
+ retstr = returnstr(1)
+}
+
# fcntl ______________________________________________________
# long sys_fcntl(int fd, unsigned int cmd, unsigned long arg)
# long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe nd_syscall.fcntl =
- kernel.function("sys_fcntl") ?,
- kernel.function("sys_fcntl64") ?,
- kernel.function("compat_sys_fcntl") ?,
- kernel.function("compat_sys_fcntl64") ?
+probe nd_syscall.fcntl = kprobe.function("compat_sys_fcntl") ?,
+ kprobe.function("compat_sys_fcntl64") ?,
+ kprobe.function("sys_fcntl64") ?,
+ kprobe.function("SyS_fcntl") ?,
+ kprobe.function("sys_fcntl") ?
{
name = "fcntl"
- fd = $fd
- cmd = $cmd
- cmd_str = _fcntl_cmd_str($cmd)
- arg = $arg
- argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
-}
-probe nd_syscall.fcntl.return =
- kernel.function("sys_fcntl").return ?,
- kernel.function("sys_fcntl64").return ?,
- kernel.function("compat_sys_fcntl").return ?,
- kernel.function("compat_sys_fcntl64").return ?
+ // fd = $fd
+ // cmd = $cmd
+ // cmd_str = _fcntl_cmd_str($cmd)
+ // arg = $arg
+ // argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
+ asmlinkage()
+ fd = int_arg(1)
+ cmd = int_arg(2)
+ cmd_str = _fcntl_cmd_str(cmd)
+ arg = long_arg(3)
+ argstr = sprintf("%d, %s, %p", fd, cmd_str, arg)
+}
+probe nd_syscall.fcntl.return = kprobe.function("compat_sys_fcntl").return ?,
+ kprobe.function("compat_sys_fcntl64").return ?,
+ kprobe.function("sys_fcntl64").return ?,
+ kprobe.function("SyS_fcntl").return ?,
+ kprobe.function("sys_fcntl").return ?
{
name = "fcntl"
retstr = returnstr(1)
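Review bot: `mode = uint_arg(2) # SAFE?` in nd_syscall.fchmod leaves an open question in the tapset, while nd_syscall.fchmodat a few lines below uses `mode = uint_arg(3)` for the same mode_t parameter with no marker. The marker presumably asks whether the high bits are defined when mode_t is narrower than unsigned int. Either check that and state the result, or make the doubt explicit for both probes with something like `# NOTE: mode_t may be narrower than unsigned int; high bits unverified`. nd_syscall.fchmod is also the only probe in this hunk that drops the commented `// argstr = sprintf("%d, %#o", $fd, $mode)` reference line.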
@@ -925,12 +1215,18 @@ probe nd_syscall.fcntl.return =
# fdatasync __________________________________________________
# long sys_fdatasync(unsigned int fd)
-probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") {
+probe nd_syscall.fdatasync = kprobe.function("SyS_fdatasync") ?,
+ kprobe.function("sys_fdatasync") ?
+{
name = "fdatasync"
- fd = $fd
+ // fd = $fd
+ asmlinkage()
+ fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
+probe nd_syscall.fdatasync.return = kprobe.function("SyS_fdatasync").return ?,
+ kprobe.function("sys_fdatasync").return ?
+{
name = "fdatasync"
retstr = returnstr(1)
}
@@ -938,47 +1234,74 @@ probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
# fgetxattr __________________________________________________
# ssize_t sys_fgetxattr(int fd, char __user *name,
# void __user *value, size_t size)
-probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") {
+probe nd_syscall.fgetxattr = kprobe.function("SyS_fgetxattr") ?,
+ kprobe.function("sys_fgetxattr") ?
+{
name = "fgetxattr"
- filedes = $fd
-#FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
-}
-probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return {
+ // filedes = $fd
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size)
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size)
+}
+probe nd_syscall.fgetxattr.return = kprobe.function("SyS_fgetxattr").return ?,
+ kprobe.function("sys_fgetxattr").return ?
+{
name = "fgetxattr"
retstr = returnstr(1)
}
# flistxattr _________________________________________________
# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
-probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") {
+probe nd_syscall.flistxattr = kprobe.function("SyS_flistxattr") ?,
+ kprobe.function("sys_flistxattr") ?
+{
name = "flistxattr"
- filedes = $fd
- list_uaddr = $list
- size = $size
+ // filedes = $fd
+ // list_uaddr = $list
+ // size = $size
+ asmlinkage()
+ filedes = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
}
-probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return {
+probe nd_syscall.flistxattr.return = kprobe.function("SyS_flistxattr").return ?,
+ kprobe.function("sys_flistxattr").return ?
+{
name = "flistxattr"
retstr = returnstr(1)
}
# flock ______________________________________________________
# long sys_flock(unsigned int fd, unsigned int cmd)
-probe nd_syscall.flock = kernel.function("sys_flock") {
+probe nd_syscall.flock = kprobe.function("SyS_flock") ?,
+ kprobe.function("sys_flock") ?
+{
name = "flock"
- fd = $fd
- operation = $cmd
+ // fd = $fd
+ // operation = $cmd
+ asmlinkage()
+ fd = int_arg(1)
+ operation = int_arg(2)
argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
}
-probe nd_syscall.flock.return = kernel.function("sys_flock").return {
+probe nd_syscall.flock.return = kprobe.function("SyS_flock").return ?,
+ kprobe.function("sys_flock").return ?
+{
name = "flock"
retstr = returnstr(1)
}
-function __is_user_regs:long (regs:long) %{ /* pure */
+function __is_user_regs:long (regs:long)
+%{
+ /* pure */
struct pt_regs * regs = (void *)((unsigned long)THIS->regs);
/* copied from asm/ptrace.h */
#if defined(__i386__)
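Review bot: In nd_syscall.fgetxattr the name pointer is fetched twice, once in `name2 = user_string(pointer_arg(2))` and again inside the `argstr` sprintf, and the `# FIXME` kept above it does not say what is wrong. Fetching it once, e.g. `name_uaddr = pointer_arg(2)`, and passing that to both `user_string()` and `user_string_quoted()` would be clearer. The FIXME should either state the open problem or be removed. nd_syscall.fremovexattr and nd_syscall.fsetxattr in later hunks have the same shape. The `__is_user_regs` body at the end of this hunk continues outside it.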
@@ -1016,23 +1339,25 @@ CATCH_DEREF_FAULT();
# unsigned long stack_size,
# int __user *parent_tidptr,
# int __user *child_tidptr)
-probe nd_syscall.fork = kernel.function("do_fork") {
+probe nd_syscall.fork = kprobe.function("do_fork")
+{
// clone_flags = $clone_flags
// stack_start = $stack_start
// regs = $regs
// stack_size = $stack_size
// parent_tid_uaddr = $parent_tidptr
// child_tid_uaddr = $child_tidptr
+ asmlinkage()
clone_flags = ulong_arg(1)
stack_start = ulong_arg(2)
regs = pointer_arg(3)
stack_size = ulong_arg(4)
parent_tid_uaddr = pointer_arg(5)
child_tid_uaddr = pointer_arg(6)
-
+
if (!__is_user_regs(regs)) {
name = "fork_kernel_thread"
- argstr = __fork_flags(clone_flags)
+ argstr = __fork_flags(clone_flags)
} else if (clone_flags & 17)
name = "fork"
else if (clone_flags & 0x4000)
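Review bot: The added `asmlinkage()` in nd_syscall.fork makes the argument helpers assume the asmlinkage convention, but the probed function is `do_fork`, not a `sys_*` entry point, and nothing visible here shows it is declared asmlinkage. If it is an ordinary function, then on architectures where asmlinkage changes argument passing, `ulong_arg(1)` and `pointer_arg(3)` would read the wrong locations. In that case `__is_user_regs(regs)` and the `clone_flags & 17` test would classify forks from unrelated values. Please check the kernel's do_fork declaration and drop the call if it is not asmlinkage. The probe body continues past the end of this hunk.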
@@ -1042,19 +1367,29 @@ probe nd_syscall.fork = kernel.function("do_fork") {
argstr = __fork_flags(clone_flags)
}
}
-probe nd_syscall.fork.return = kernel.function("do_fork").return {
+probe nd_syscall.fork.return = kprobe.function("do_fork").return
+{
name = "fork"
retstr = returnstr(1)
}
# fremovexattr _______________________________________________
# long sys_fremovexattr(int fd, char __user *name)
-probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") {
+probe nd_syscall.fremovexattr = kprobe.function("SyS_fremovexattr") ?,
+ kprobe.function("sys_fremovexattr") ?
+{
name = "fremovexattr"
- filedes = $fd
- name_uaddr = $name
- argstr = sprintf("FIXME PLEASE")
+ // filedes = $fd
+ // name2 = user_string($name)
+ // argstr = sprintf("%d, %s", $fd, user_string_quoted($name))
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ argstr = sprintf("%d, %s", filedes, user_string_quoted(pointer_arg(2)))
}
-probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return {
+probe nd_syscall.fremovexattr.return = kprobe.function("SyS_fremovexattr").return ?,
+ kprobe.function("sys_fremovexattr").return ?
+{
name = "fremovexattr"
retstr = returnstr(1)
}
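Review bot: nd_syscall.fremovexattr no longer sets `name_uaddr`: the removed lines assigned `name_uaddr = $name`, while the new body exposes only `name2`. A script that reads `name_uaddr` from this probe would no longer resolve it. Keeping the variable also removes the double fetch: `name_uaddr = pointer_arg(2)`, then `name2 = user_string(name_uaddr)` and `user_string_quoted(name_uaddr)` in the sprintf. The added `# FIXME` carries no description of what remains to be fixed.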
@@ -1068,17 +1403,28 @@ probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").retur
* size_t size,
* int flags)
*/
-probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") {
+probe nd_syscall.fsetxattr = kprobe.function("SyS_fsetxattr") ?,
+ kprobe.function("sys_fsetxattr") ?
+{
name = "fsetxattr"
- filedes = $fd
-# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- flags = $flags
- argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
-}
-probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
+ // filedes = $fd
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
+ argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size, flags)
+}
+probe nd_syscall.fsetxattr.return = kprobe.function("SyS_fsetxattr").return ?,
+ kprobe.function("sys_fsetxattr").return ?
+{
name = "fsetxattr"
retstr = returnstr(1)
}
@@ -1092,26 +1438,32 @@ probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
# struct oldabi_stat64 __user * statbuf)
# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
#
-probe nd_syscall.fstat =
- kernel.function("sys_fstat") ?,
- kernel.function("sys_fstat64") ?,
- kernel.function("sys32_fstat64") ?,
- kernel.function("sys_newfstat") ?,
- kernel.function("sys_oabi_fstat64") ?,
- kernel.function("compat_sys_newfstat") ?
+probe nd_syscall.fstat = kprobe.function("sys_fstat") ?,
+ kprobe.function("SyS_fstat64") ?,
+ kprobe.function("sys_fstat64") ?,
+ kprobe.function("sys32_fstat64") ?,
+ kprobe.function("SyS_newfstat") ?,
+ kprobe.function("sys_newfstat") ?,
+ kprobe.function("sys_oabi_fstat64") ?,
+ kprobe.function("compat_sys_newfstat") ?
{
name = "fstat"
- filedes = $fd
- buf_uaddr = $statbuf
- argstr = sprintf("%d, %p", $fd, $statbuf)
-}
-probe nd_syscall.fstat.return =
- kernel.function("sys_fstat").return ?,
- kernel.function("sys_fstat64").return ?,
- kernel.function("sys32_fstat64").return ?,
- kernel.function("sys_newfstat").return ?,
- kernel.function("sys_oabi_fstat64").return ?,
- kernel.function("compat_sys_newfstat").return ?
+ // filedes = $fd
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%d, %p", $fd, $statbuf)
+ asmlinkage()
+ filedes = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", filedes, buf_uaddr)
+}
+probe nd_syscall.fstat.return = kprobe.function("sys_fstat").return ?,
+ kprobe.function("SyS_fstat64").return ?,
+ kprobe.function("sys_fstat64").return ?,
+ kprobe.function("sys32_fstat64").return ?,
+ kprobe.function("SyS_newfstat").return ?,
+ kprobe.function("sys_newfstat").return ?,
+ kprobe.function("sys_oabi_fstat64").return ?,
+ kprobe.function("compat_sys_newfstat").return ?
{
name = "fstat"
retstr = returnstr(1)
@@ -1122,23 +1474,30 @@ probe nd_syscall.fstat.return =
# long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
# long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
# long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
-probe nd_syscall.fstatat =
- kernel.function("sys_fstatat64") ?,
- kernel.function("sys_newfstatat") ?,
- kernel.function("compat_sys_newfstatat") ?,
- kernel.function("sys32_fstatat64") ?
+probe nd_syscall.fstatat = kprobe.function("SyS_fstatat64") ?,
+ kprobe.function("sys_fstatat64") ?,
+ kprobe.function("SyS_newfstatat") ?,
+ kprobe.function("sys_newfstatat") ?,
+ kprobe.function("compat_sys_newfstatat") ?,
+ kprobe.function("sys32_fstatat64") ?
{
name = "fstatat"
- dirfd = $dfd
- path = user_string($filename)
- buf_uaddr = $statbuf
- argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
-}
-probe nd_syscall.fstatat.return =
- kernel.function("sys_fstatat64").return ?,
- kernel.function("sys_newfstatat").return ?,
- kernel.function("compat_sys_newfstatat").return ?,
- kernel.function("sys32_fstatat64").return ?
+ // dirfd = $dfd
+ // path = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+ asmlinkage()
+ dirfd = int_arg(1)
+ path = user_string(pointer_arg(2))
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %p, %s", _dfd_str(dirfd), user_string_quoted(pointer_arg(2)), buf_uaddr, _at_flag_str(int_arg(4)))
+}
+probe nd_syscall.fstatat.return = kprobe.function("SyS_fstatat64").return ?,
+ kprobe.function("sys_fstatat64").return ?,
+ kprobe.function("SyS_newfstatat").return ?,
+ kprobe.function("sys_newfstatat").return ?,
+ kprobe.function("compat_sys_newfstatat").return ?,
+ kprobe.function("sys32_fstatat64").return ?
{
name = "fstatat"
retstr = returnstr(1)
@@ -1148,18 +1507,22 @@ probe nd_syscall.fstatat.return =
# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
#
-probe nd_syscall.fstatfs =
- kernel.function("sys_fstatfs"),
- kernel.function("compat_sys_fstatfs") ?
+probe nd_syscall.fstatfs = kprobe.function("compat_sys_fstatfs") ?,
+ kprobe.function("SyS_fstatfs") ?,
+ kprobe.function("sys_fstatfs") ?
{
name = "fstatfs"
- fd = $fd
- buf_uaddr = $buf
- argstr = sprintf("%d, %p", $fd, $buf)
+ // fd = $fd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %p", $fd, $buf)
+ asmlinkage()
+ fd = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", fd, buf_uaddr)
}
-probe nd_syscall.fstatfs.return =
- kernel.function("sys_fstatfs").return,
- kernel.function("compat_sys_fstatfs").return ?
+probe nd_syscall.fstatfs.return = kprobe.function("compat_sys_fstatfs").return ?,
+ kprobe.function("SyS_fstatfs").return ?,
+ kprobe.function("sys_fstatfs").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1169,19 +1532,24 @@ probe nd_syscall.fstatfs.return =
# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
# long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
#
-probe nd_syscall.fstatfs64 =
- kernel.function("sys_fstatfs64") ?,
- kernel.function("compat_sys_fstatfs64") ?
+probe nd_syscall.fstatfs64 = kprobe.function("compat_sys_fstatfs64") ?,
+ kprobe.function("SyS_fstatfs64") ?,
+ kprobe.function("sys_fstatfs64") ?
{
name = "fstatfs"
- fd = $fd
- sz = $sz
- buf_uaddr = $buf
- argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+ // fd = $fd
+ // sz = $sz
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+ asmlinkage()
+ fd = int_arg(1)
+ sz = ulong_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr)
}
-probe nd_syscall.fstatfs64.return =
- kernel.function("sys_fstatfs64").return ?,
- kernel.function("compat_sys_fstatfs64").return ?
+probe nd_syscall.fstatfs64.return = kprobe.function("compat_sys_fstatfs64").return ?,
+ kprobe.function("SyS_fstatfs64").return ?,
+ kprobe.function("sys_fstatfs64").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1189,37 +1557,55 @@ probe nd_syscall.fstatfs64.return =
# fsync ______________________________________________________
# long sys_fsync(unsigned int fd)
-probe nd_syscall.fsync = kernel.function("sys_fsync") {
+probe nd_syscall.fsync = kprobe.function("SyS_fsync") ?,
+ kprobe.function("sys_fsync") ?
+{
name = "fsync"
- fd = $fd
+ // fd = $fd
+ asmlinkage()
+ fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.fsync.return = kernel.function("sys_fsync").return {
+probe nd_syscall.fsync.return = kprobe.function("SyS_fsync").return ?,
+ kprobe.function("sys_fsync").return ?
+{
name = "fsync"
retstr = returnstr(1)
}
# ftruncate __________________________________________________
# long sys_ftruncate(unsigned int fd, unsigned long length)
-probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") {
+probe nd_syscall.ftruncate = kprobe.function("SyS_ftruncate") ?,
+ kprobe.function("sys_ftruncate") ?
+{
name = "ftruncate"
- fd = $fd
- length = $length
+ // fd = $fd
+ // length = $length
+ asmlinkage()
+ fd = int_arg(1)
+ length = ulong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
-probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return {
+probe nd_syscall.ftruncate.return = kprobe.function("SyS_ftruncate").return ?,
+ kprobe.function("sys_ftruncate").return ?
+{
name = "ftruncate"
retstr = returnstr(1)
}
# ftruncate64 ________________________________________________
# long sys_ftruncate64(unsigned int fd, loff_t length)
-probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
+probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ?
+{
name = "ftruncate"
- fd = $fd
- length = $length
+ // fd = $fd
+ // length = $length
+ asmlinkage()
+ fd = int_arg(1)
+ length = longlong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
-probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
+probe nd_syscall.ftruncate64.return = kprobe.function("sys_ftruncate64").return ?
+{
name = "ftruncate"
retstr = returnstr(1)
}
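Review bot: `length = longlong_arg(2)` in nd_syscall.ftruncate64 has no comment on how the 64-bit `loff_t` is located. On 32-bit ABIs it spans two argument slots, and some architectures align 64-bit arguments to an even slot, in which case index 2 may not be where the value starts. Whether `longlong_arg` handles that is not visible in this diff. A comment such as `# loff_t spans two slots on 32-bit; verify the slot index on ABIs that pad 64-bit args` would flag it for whoever ports this.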
@@ -1235,7 +1621,9 @@ probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return
# struct compat_timespec __user *utime, u32 __user *uaddr2,
# u32 val3)
#
-probe nd_syscall.futex = kernel.function("sys_futex") ? {
+probe nd_syscall.futex = kprobe.function("SyS_futex") ?,
+ kprobe.function("sys_futex") ?
+{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
@@ -1244,11 +1632,11 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
// uaddr2_uaddr = $uaddr2
// val3 = $val3
// if (op == 0)
- // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_timespec_u($utime,1))
+ // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
+ // $val, _struct_timespec_u($utime, 1))
// else
- // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
- // $val)
+ // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
+ // $val)
asmlinkage()
futex_uaddr = pointer_arg(1)
op = int_arg(2)
@@ -1259,16 +1647,19 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
- _struct_timespec_u(utime_uaddr,1))
+ _struct_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
- _futex_op_str(op), val)
+ _futex_op_str(op), val)
}
-probe nd_syscall.futex.return = kernel.function("sys_futex").return ? {
+probe nd_syscall.futex.return = kprobe.function("SyS_futex").return ?,
+ kprobe.function("sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
-probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
+probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ?
+{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
@@ -1277,11 +1668,11 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
// uaddr2_uaddr = $uaddr2
// val3 = $val3
// if (op == 0)
- // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_compat_timespec_u($utime,1))
+ // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
+ // $val, _struct_compat_timespec_u($utime, 1))
// else
- // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
- // $val)
+ // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
+ // $val)
asmlinkage()
futex_uaddr = pointer_arg(1)
op = int_arg(2)
@@ -1292,12 +1683,13 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
- _struct_compat_timespec_u(utime_uaddr,1))
+ _struct_compat_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
- _futex_op_str(op), val)
+ _futex_op_str(op), val)
}
-probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? {
+probe nd_syscall.compat_futex.return = kprobe.function("compat_sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
@@ -1308,69 +1700,103 @@ probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").retur
# long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t)
#
-probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? {
+probe nd_syscall.futimesat = kprobe.function("SyS_futimesat") ?,
+ kprobe.function("sys_futimesat") ?
+{
name = "futimesat"
- dirfd = $dfd
- filename_uaddr = $filename
- filename = user_string($filename)
- tvp_uaddr = $utimes
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- _struct_timeval_u($utimes, 2))
-}
-probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? {
+ // dirfd = $dfd
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ dirfd = int_arg(1)
+ filename_uaddr = pointer_arg(2)
+ filename = user_string(filename_uaddr)
+ tvp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %s", _dfd_str(dirfd), user_string_quoted(filename_uaddr),
+ _struct_timeval_u(tvp_uaddr, 2))
+}
+probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ?
+{
name = "futimesat"
- dirfd = $dfd
- filename_uaddr = $filename
- filename = user_string($filename)
- tvp_uaddr = $t
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- _struct_compat_timeval_u($t, 2))
-}
-probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? {
+ // dirfd = $dfd
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ dirfd = uint_arg(1)
+ filename_uaddr = pointer_arg(2)
+ filename = user_string(pointer_arg(2))
+ tvp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
+ _struct_compat_timeval_u(pointer_arg(3), 2))
+}
+probe nd_syscall.futimesat.return = kprobe.function("SyS_futimesat").return ?,
+ kprobe.function("sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
-probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? {
+probe nd_syscall.compat_futimesat.return = kprobe.function("compat_sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
# getcwd _____________________________________________________
# long sys_getcwd(char __user *buf, unsigned long size)
-probe nd_syscall.getcwd = kernel.function("sys_getcwd") {
+probe nd_syscall.getcwd = kprobe.function("SyS_getcwd") ?,
+ kprobe.function("sys_getcwd") ?
+{
name = "getcwd"
- buf_uaddr = $buf
- size = $size
+ // buf_uaddr = $buf
+ // size = $size
+ asmlinkage()
+ buf_uaddr = pointer_arg(1)
+ size = ulong_arg(2)
argstr = sprintf("%p, %d", buf_uaddr, size)
}
-probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return {
+probe nd_syscall.getcwd.return = kprobe.function("SyS_getcwd").return ?,
+ kprobe.function("sys_getcwd").return ?
+{
name = "getcwd"
retstr = returnstr(1)
}
# getdents ___________________________________________________
# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
-# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count)
+# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
#
-probe nd_syscall.getdents =
- kernel.function("sys_getdents") ?,
- kernel.function("sys_getdents64") ?,
- kernel.function("compat_sys_getdents") ?,
- kernel.function("compat_sys_getdents64") ?
+probe nd_syscall.getdents = kprobe.function("SyS_getdents") ?,
+ kprobe.function("sys_getdents") ?,
+ kprobe.function("SyS_getdents64") ?,
+ kprobe.function("sys_getdents64") ?,
+ kprobe.function("compat_sys_getdents") ?,
+ kprobe.function("compat_sys_getdents64") ?
{
name = "getdents"
- fd = $fd
- dirp_uaddr = $dirent
- count = $count
- argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
-}
-probe nd_syscall.getdents.return =
- kernel.function("sys_getdents").return ?,
- kernel.function("sys_getdents64").return ?,
- kernel.function("compat_sys_getdents").return ?,
- kernel.function("compat_sys_getdents64").return ?
+ // fd = $fd
+ // dirp_uaddr = $dirent
+ // count = $count
+ // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+ asmlinkage()
+ fd = int_arg(1)
+ dirp_uaddr = pointer_arg(2)
+ count = uint_arg(3)
+ argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
+}
+probe nd_syscall.getdents.return = kprobe.function("SyS_getdents").return ?,
+ kprobe.function("sys_getdents").return ?,
+ kprobe.function("SyS_getdents64").return ?,
+ kprobe.function("sys_getdents64").return ?,
+ kprobe.function("compat_sys_getdents").return ?,
+ kprobe.function("compat_sys_getdents64").return ?
{
name = "getdents"
retstr = returnstr(1)
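Review bot: nd_syscall.compat_futimesat reads the directory fd with `uint_arg(1)` while nd_syscall.futimesat uses `int_arg(1)`. A negative sentinel such as AT_FDCWD would reach `_dfd_str()` as a large positive number in the compat probe. Assuming `_dfd_str` compares against the signed constant (its body is not in this diff), the symbolic name would be lost and `dirfd` would differ between the two probes for the same call. Suggest `dirfd = int_arg(1)` and `_dfd_str(dirfd)`, reusing `filename_uaddr` and `tvp_uaddr` rather than re-fetching each argument. The commented-out reference lines in the compat probe also name `$utimes` and `_struct_timeval_u`, whereas the removed code used `$t` and `_struct_compat_timeval_u`.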
@@ -1381,18 +1807,16 @@ probe nd_syscall.getdents.return =
# long sys_getegid16(void)
# long sys32_getegid16(void)
#
-probe nd_syscall.getegid =
- kernel.function("sys_getegid16") ?,
- kernel.function("sys32_getegid16") ?,
- kernel.function("sys_getegid")
+probe nd_syscall.getegid = kprobe.function("sys_getegid16") ?,
+ kprobe.function("sys32_getegid16") ?,
+ kprobe.function("sys_getegid")
{
name = "getegid"
argstr = ""
}
-probe nd_syscall.getegid.return =
- kernel.function("sys_getegid16").return ?,
- kernel.function("sys32_getegid16").return ?,
- kernel.function("sys_getegid").return
+probe nd_syscall.getegid.return = kprobe.function("sys_getegid16").return ?,
+ kprobe.function("sys32_getegid16").return ?,
+ kprobe.function("sys_getegid").return
{
name = "getegid"
retstr = returnstr(1)
@@ -1402,18 +1826,16 @@ probe nd_syscall.getegid.return =
# long sys_geteuid(void)
# long sys32_geteuid16(void)
#
-probe nd_syscall.geteuid =
- kernel.function("sys_geteuid16") ?,
- kernel.function("sys32_geteuid16") ?,
- kernel.function("sys_geteuid")
+probe nd_syscall.geteuid = kprobe.function("sys_geteuid16") ?,
+ kprobe.function("sys32_geteuid16") ?,
+ kprobe.function("sys_geteuid")
{
name = "geteuid"
argstr = ""
}
-probe nd_syscall.geteuid.return =
- kernel.function("sys_geteuid16").return ?,
- kernel.function("sys32_geteuid16").return ?,
- kernel.function("sys_geteuid").return
+probe nd_syscall.geteuid.return = kprobe.function("sys_geteuid16").return ?,
+ kprobe.function("sys32_geteuid16").return ?,
+ kprobe.function("sys_geteuid").return
{
name = "geteuid"
retstr = returnstr(1)
@@ -1423,18 +1845,16 @@ probe nd_syscall.geteuid.return =
# long sys_getgid(void)
# long sys32_getgid16(void)
#
-probe nd_syscall.getgid =
- kernel.function("sys_getgid16") ?,
- kernel.function("sys32_getgid16") ?,
- kernel.function("sys_getgid")
+probe nd_syscall.getgid = kprobe.function("sys_getgid16") ?,
+ kprobe.function("sys32_getgid16") ?,
+ kprobe.function("sys_getgid")
{
name = "getgid"
argstr = ""
}
-probe nd_syscall.getgid.return =
- kernel.function("sys_getgid16").return ?,
- kernel.function("sys32_getgid16").return ?,
- kernel.function("sys_getgid").return
+probe nd_syscall.getgid.return = kprobe.function("sys_getgid16").return ?,
+ kprobe.function("sys32_getgid16").return ?,
+ kprobe.function("sys_getgid").return
{
name = "getgid"
retstr = returnstr(1)
@@ -1445,20 +1865,24 @@ probe nd_syscall.getgid.return =
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
#
-probe nd_syscall.getgroups =
- kernel.function("sys_getgroups") ?,
- kernel.function("sys_getgroups16") ?,
- kernel.function("sys32_getgroups16") ?
+probe nd_syscall.getgroups = kprobe.function("sys_getgroups16") ?,
+ kprobe.function("sys32_getgroups16") ?,
+ kprobe.function("SyS_getgroups") ?,
+ kprobe.function("sys_getgroups") ?
{
name = "getgroups"
- size = $gidsetsize
- list_uaddr = $grouplist
- argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
-}
-probe nd_syscall.getgroups.return =
- kernel.function("sys_getgroups").return ?,
- kernel.function("sys_getgroups16").return ?,
- kernel.function("sys32_getgroups16").return ?
+ // size = $gidsetsize
+ // list_uaddr = $grouplist
+ // argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+ asmlinkage()
+ size = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", size, list_uaddr)
+}
+probe nd_syscall.getgroups.return = kprobe.function("sys_getgroups16").return ?,
+ kprobe.function("sys32_getgroups16").return ?,
+ kprobe.function("SyS_getgroups").return ?,
+ kprobe.function("sys_getgroups").return ?
{
name = "getgroups"
retstr = returnstr(1)
@@ -1466,13 +1890,20 @@ probe nd_syscall.getgroups.return =
# gethostname ________________________________________________
# long sys_gethostname(char __user *name, int len)
-probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? {
+probe nd_syscall.gethostname = kprobe.function("SyS_gethostname") ?,
+ kprobe.function("sys_gethostname") ?
+{
name = "gethostname"
- name_uaddr = $name
- len = $len
+ // name_uaddr = $name
+ // len = $len
+ asmlinkage()
+ name_uaddr = pointer_arg(1)
+ len = int_arg(2)
argstr = sprintf ("%p, %d", name_uaddr, len)
}
-probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? {
+probe nd_syscall.gethostname.return = kprobe.function("SyS_gethostname").return ?,
+ kprobe.function("sys_gethostname").return ?
+{
name = "gethostname"
retstr = returnstr(1)
}
@@ -1480,24 +1911,38 @@ probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return
# getitimer __________________________________________________
# sys_getitimer(int which, struct itimerval __user *value)
#
-probe nd_syscall.getitimer = kernel.function("sys_getitimer") {
+probe nd_syscall.getitimer = kprobe.function("SyS_getitimer") ?,
+ kprobe.function("sys_getitimer") ?
+{
name = "getitimer"
- which = $which
- value_uaddr = $value
- argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ // which = $which
+ // value_uaddr = $value
+ // argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr)
}
-probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return {
+probe nd_syscall.getitimer.return = kprobe.function("SyS_getitimer").return ?,
+ kprobe.function("sys_getitimer").return ?
+{
name = "getitimer"
retstr = returnstr(1)
}
# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
-probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
+probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ?
+{
name = "getitimer"
- which = $which
- value_uaddr = $it
- argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ // which = $which
+ // value_uaddr = $it
+ // argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr)
}
-probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
+probe nd_syscall.compat_getitimer.return = kprobe.function("compat_sys_getitimer").return ?
+{
name = "getitimer"
retstr = returnstr(1)
}
@@ -1513,22 +1958,30 @@ probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer
# compat_ulong_t maxnode,
# compat_ulong_t addr, compat_ulong_t flags)
#
-probe nd_syscall.get_mempolicy =
- kernel.function("sys_get_mempolicy") ?,
- kernel.function("compat_sys_get_mempolicy") ?
+probe nd_syscall.get_mempolicy = kprobe.function("compat_sys_get_mempolicy") ?,
+ kprobe.function("SyS_get_mempolicy") ?,
+ kprobe.function("sys_get_mempolicy") ?
{
name = "get_mempolicy"
- policy_uaddr = $policy
- nmask_uaddr = $nmask
- maxnode = $maxnode
- addr = $addr
- flags = $flags
- argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
- $nmask, $maxnode, $addr, $flags)
-}
-probe nd_syscall.get_mempolicy.return =
- kernel.function("sys_get_mempolicy").return ?,
- kernel.function("compat_sys_get_mempolicy").return ?
+ // policy_uaddr = $policy
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // addr = $addr
+ // flags = $flags
+ // argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
+ // $nmask, $maxnode, $addr, $flags)
+ asmlinkage()
+ policy_uaddr = pointer_arg(1)
+ nmask_uaddr = pointer_arg(2)
+ maxnode = ulong_arg(3)
+ addr = ulong_arg(4)
+ flags = ulong_arg(5)
+ argstr = sprintf("%p, %p, %d, %p, 0x%x", policy_uaddr,
+ nmask_uaddr, maxnode, addr, flags)
+}
+probe nd_syscall.get_mempolicy.return = kprobe.function("compat_sys_get_mempolicy").return ?,
+ kprobe.function("SyS_get_mempolicy").return ?,
+ kprobe.function("sys_get_mempolicy").return ?
{
name = "get_mempolicy"
retstr = returnstr(1)
@@ -1537,72 +1990,101 @@ probe nd_syscall.get_mempolicy.return =
# getpeername ________________________________________________
# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
#
-probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? {
+probe nd_syscall.getpeername = kprobe.function("SyS_getpeername") ?,
+ kprobe.function("sys_getpeername") ?
+{
name = "getpeername"
- s = $fd
- name_uaddr = $usockaddr
- namelen_uaddr = $usockaddr_len
- argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ // s = $fd
+ // name_uaddr = $usockaddr
+ // namelen_uaddr = $usockaddr_len
+ // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ asmlinkage()
+ s = int_arg(1)
+ name_uaddr = pointer_arg(2)
+ namelen_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
-probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? {
+probe nd_syscall.getpeername.return = kprobe.function("SyS_getpeername").return ?,
+ kprobe.function("sys_getpeername").return ?
+{
name = "getpeername"
retstr = returnstr(1)
}
# getpgid ____________________________________________________
# long sys_getpgid(pid_t pid)
-probe nd_syscall.getpgid = kernel.function("sys_getpgid") {
+probe nd_syscall.getpgid = kprobe.function("SyS_getpgid") ?,
+ kprobe.function("sys_getpgid") ?
+{
name = "getpgid"
- pid = $pid
- argstr = sprintf("%d", $pid)
+ // pid = $pid
+ // argstr = sprintf("%d", $pid)
+ asmlinkage()
+ pid = int_arg(1)
+ argstr = sprintf("%d", pid)
}
-probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return {
+probe nd_syscall.getpgid.return = kprobe.function("SyS_getpgid").return ?,
+ kprobe.function("sys_getpgid").return ?
+{
name = "getpgid"
retstr = returnstr(1)
}
# getpgrp ____________________________________________________
# long sys_getpgrp(void)
-probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? {
+probe nd_syscall.getpgrp = kprobe.function("sys_getpgrp") ?
+{
name = "getpgrp"
argstr = ""
}
-probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? {
+probe nd_syscall.getpgrp.return = kprobe.function("sys_getpgrp").return ?
+{
name = "getpgrp"
retstr = returnstr(1)
}
# getpid _____________________________________________________
# long sys_getpid(void)
-probe nd_syscall.getpid = kernel.function("sys_getpid") {
+probe nd_syscall.getpid = kprobe.function("sys_getpid")
+{
name = "getpid"
argstr = ""
}
-probe nd_syscall.getpid.return = kernel.function("sys_getpid").return {
+probe nd_syscall.getpid.return = kprobe.function("sys_getpid").return
+{
name = "getpid"
retstr = returnstr(1)
}
# getppid ____________________________________________________
# long sys_getppid(void)
-probe nd_syscall.getppid = kernel.function("sys_getppid") {
+probe nd_syscall.getppid = kprobe.function("sys_getppid")
+{
name = "getppid"
argstr = ""
}
-probe nd_syscall.getppid.return = kernel.function("sys_getppid").return {
+probe nd_syscall.getppid.return = kprobe.function("sys_getppid").return
+{
name = "getppid"
retstr = returnstr(1)
}
# getpriority ________________________________________________
# long sys_getpriority(int which, int who)
-probe nd_syscall.getpriority = kernel.function("sys_getpriority") {
+probe nd_syscall.getpriority = kprobe.function("SyS_getpriority") ?,
+ kprobe.function("sys_getpriority") ?
+{
name = "getpriority"
- which = $which
- who = $who
+ // which = $which
+ // who = $who
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
argstr = sprintf("%s, %d", _priority_which_str(which), who)
}
-probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return {
+probe nd_syscall.getpriority.return = kprobe.function("SyS_getpriority").return ?,
+ kprobe.function("sys_getpriority").return ?
+{
name = "getpriority"
retstr = returnstr(1)
}
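Review bot: nd_syscall.getpgid and nd_syscall.getpriority previously named a mandatory probe point (`kernel.function("sys_getpgid")` with no `?`), and now every alternative carries `?`. On a kernel where neither `SyS_getpgid` nor `sys_getpgid` resolves, the alias would therefore, as far as I can tell, expand to nothing without an error. That turns a failed symbol lookup into a silent gap in syscall tracing, which matters when these probes feed auditing or detection scripts. The same change appears for getresgid, getresuid, getrlimit, getrusage, getsid, gettimeofday, getxattr, io_cancel, io_destroy, io_setup and io_submit in later hunks. If making both spellings optional is intended, say so next to the first such probe, e.g. `# SyS_*/sys_*: exactly one is expected to exist; both are optional, so a kernel with neither is skipped silently`.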
@@ -1614,41 +2096,51 @@ probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return
# long sys_getresgid16(old_uid_t __user *rgid,
# old_uid_t __user *egid,
# old_uid_t __user *sgid)
-probe nd_syscall.getresgid =
- kernel.function("sys_getresgid16") ?,
- kernel.function("sys_getresgid")
+probe nd_syscall.getresgid = kprobe.function("sys_getresgid16") ?,
+ kprobe.function("SyS_getresgid") ?,
+ kprobe.function("sys_getresgid") ?
{
name = "getresgid"
- rgid_uaddr = $rgid
- egid_uaddr = $egid
- sgid_uaddr = $sgid
- argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
-}
-probe nd_syscall.getresgid.return =
- kernel.function("sys_getresgid16").return ?,
- kernel.function("sys_getresgid").return
+ // rgid_uaddr = $rgid
+ // egid_uaddr = $egid
+ // sgid_uaddr = $sgid
+ // argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+ asmlinkage()
+ rgid_uaddr = pointer_arg(1)
+ egid_uaddr = pointer_arg(2)
+ sgid_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
+}
+probe nd_syscall.getresgid.return = kprobe.function("sys_getresgid16").return ?,
+ kprobe.function("SyS_getresgid").return ?,
+ kprobe.function("sys_getresgid").return ?
{
name = "getresgid"
retstr = returnstr(1)
}
# getresuid __________________________________________________
-# long sys_getresuid(uid_t __user *ruid,
+# long sys_getresuid(uid_t __user *ruid,
# uid_t __user *euid,
# uid_t __user *suid)
-probe nd_syscall.getresuid =
- kernel.function("sys_getresuid16") ?,
- kernel.function("sys_getresuid")
+probe nd_syscall.getresuid = kprobe.function("sys_getresuid16") ?,
+ kprobe.function("SyS_getresuid") ?,
+ kprobe.function("sys_getresuid") ?
{
name = "getresuid"
- ruid_uaddr = $ruid
- euid_uaddr = $euid
- suid_uaddr = $suid
- argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
-}
-probe nd_syscall.getresuid.return =
- kernel.function("sys_getresuid16").return ?,
- kernel.function("sys_getresuid").return
+ // ruid_uaddr = $ruid
+ // euid_uaddr = $euid
+ // suid_uaddr = $suid
+ // argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+ asmlinkage()
+ ruid_uaddr = pointer_arg(1)
+ euid_uaddr = pointer_arg(2)
+ suid_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
+}
+probe nd_syscall.getresuid.return = kprobe.function("sys_getresuid16").return ?,
+ kprobe.function("SyS_getresuid").return ?,
+ kprobe.function("sys_getresuid").return ?
{
name = "getresuid"
retstr = returnstr(1)
@@ -1658,18 +2150,26 @@ probe nd_syscall.getresuid.return =
# long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
-probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"),
- kernel.function("sys_old_getrlimit") ?,
- kernel.function("compat_sys_getrlimit") ?
+probe nd_syscall.getrlimit = kprobe.function("SyS_getrlimit") ?,
+ kprobe.function("sys_getrlimit") ?,
+ kprobe.function("SyS_old_getrlimit") ?,
+ kprobe.function("sys_old_getrlimit") ?,
+ kprobe.function("compat_sys_getrlimit") ?
{
name = "getrlimit"
- resource = $resource
- rlim_uaddr = $rlim
- argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
-}
-probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
- kernel.function("sys_old_getrlimit").return ?,
- kernel.function("compat_sys_getrlimit").return ?
+ // resource = $resource
+ // rlim_uaddr = $rlim
+ // argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+ asmlinkage()
+ resource = uint_arg(1)
+ rlim_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _rlimit_resource_str(resource), rlim_uaddr)
+}
+probe nd_syscall.getrlimit.return = kprobe.function("SyS_getrlimit").return ?,
+ kprobe.function("sys_getrlimit").return ?,
+ kprobe.function("SyS_old_getrlimit").return ?,
+ kprobe.function("sys_old_getrlimit").return ?,
+ kprobe.function("compat_sys_getrlimit").return ?
{
name = "getrlimit"
retstr = returnstr(1)
@@ -1677,46 +2177,48 @@ probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
# getrusage __________________________________________________
# long sys_getrusage(int who, struct rusage __user *ru)
-probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
+probe nd_syscall.getrusage = kprobe.function("SyS_getrusage") ?,
+ kprobe.function("sys_getrusage") ?
+{
name = "getrusage"
// who = $who
- // if($who==-2)
- // {
+ // if ($who == -2) {
// # RUSAGE_BOTH is not valid argument for sys_getrusage
// who_str = sprintf("UNKNOWN VALUE: %d", $who)
- // }
- // else
- // {
+ // } else
// who_str = _rusage_who_str($who)
- // }
// usage_uaddr = $ru
asmlinkage()
who = int_arg(1)
- if(who==-2)
- {
+ if (who == -2) {
# RUSAGE_BOTH is not valid argument for sys_getrusage
who_str = sprintf("UNKNOWN VALUE: %d", who)
- }
- else
- {
+ } else
who_str = _rusage_who_str(who)
- }
usage_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", who_str, usage_uaddr)
}
-probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return {
+probe nd_syscall.getrusage.return = kprobe.function("SyS_getrusage").return ?,
+ kprobe.function("sys_getrusage").return ?
+{
name = "getrusage"
retstr = returnstr(1)
}
# getsid _____________________________________________________
# long sys_getsid(pid_t pid)
-probe nd_syscall.getsid = kernel.function("sys_getsid") {
+probe nd_syscall.getsid = kprobe.function("SyS_getsid") ?,
+ kprobe.function("sys_getsid") ?
+{
name = "getsid"
- pid = $pid
+ // pid = $pid
+ asmlinkage()
+ pid = int_arg(1)
argstr = sprint(pid)
}
-probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
+probe nd_syscall.getsid.return = kprobe.function("SyS_getsid").return ?,
+ kprobe.function("sys_getsid").return ?
+{
name = "getsid"
retstr = returnstr(1)
}
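Review bot: In nd_syscall.getrusage the rewritten conditional braces the `if (who == -2)` branch but leaves the `else` branch unbraced, so a statement later added under `else` would run on both paths. Bracing both arms keeps the two branches visibly parallel: `} else {`, `who_str = _rusage_who_str(who)`, `}`. The commented-out `$who` copy above `asmlinkage()` was reformatted the same way and could simply be removed.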
@@ -1725,14 +2227,23 @@ probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
# long sys_getsockname(int fd,
# struct sockaddr __user *usockaddr,
# int __user *usockaddr_len)
-probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? {
+probe nd_syscall.getsockname = kprobe.function("SyS_getsockname") ?,
+ kprobe.function("sys_getsockname") ?
+{
name = "getsockname"
- s = $fd
- name_uaddr = $usockaddr
- namelen_uaddr = $usockaddr_len
- argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ // s = $fd
+ // name_uaddr = $usockaddr
+ // namelen_uaddr = $usockaddr_len
+ // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ asmlinkage()
+ s = int_arg(1)
+ name_uaddr = pointer_arg(2)
+ namelen_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
-probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? {
+probe nd_syscall.getsockname.return = kprobe.function("SyS_getsockname").return ?,
+ kprobe.function("sys_getsockname").return ?
+{
name = "getsockname"
retstr = returnstr(1)
}
@@ -1744,24 +2255,34 @@ probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return
# char __user *optval,
# int __user *optlen)
#
-probe nd_syscall.getsockopt =
- kernel.function("sys_getsockopt") ?,
- kernel.function("compat_sys_getsockopt") ?
+probe nd_syscall.getsockopt = kprobe.function("compat_sys_getsockopt") ?,
+ kprobe.function("SyS_getsockopt") ?,
+ kprobe.function("sys_getsockopt") ?
{
name = "getsockopt"
- fd = $fd
- level = $level
- level_str = _sockopt_level_str($level)
- optname = $optname
- optname_str = _sockopt_optname_str($optname)
- optval_uaddr = $optval
- optlen_uaddr = $optlen
- argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
- _sockopt_optname_str($optname), $optval, $optlen)
-}
-probe nd_syscall.getsockopt.return =
- kernel.function("sys_getsockopt").return ?,
- kernel.function("compat_sys_getsockopt").return ?
+ // fd = $fd
+ // level = $level
+ // level_str = _sockopt_level_str($level)
+ // optname = $optname
+ // optname_str = _sockopt_optname_str($optname)
+ // optval_uaddr = $optval
+ // optlen_uaddr = $optlen
+ // argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
+ // _sockopt_optname_str($optname), $optval, $optlen)
+ asmlinkage()
+ fd = int_arg(1)
+ level = int_arg(2)
+ level_str = _sockopt_level_str(level)
+ optname = int_arg(3)
+ optname_str = _sockopt_optname_str(optname)
+ optval_uaddr = pointer_arg(4)
+ optlen_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %s, %s, %p, %p", fd, _sockopt_level_str(level),
+ _sockopt_optname_str(optname), optval_uaddr, optlen_uaddr)
+}
+probe nd_syscall.getsockopt.return = kprobe.function("compat_sys_getsockopt").return ?,
+ kprobe.function("SyS_getsockopt").return ?,
+ kprobe.function("sys_getsockopt").return ?
{
name = "getsockopt"
retstr = returnstr(1)
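Review bot: The new `argstr` line in nd_syscall.getsockopt calls `_sockopt_level_str(level)` and `_sockopt_optname_str(optname)` again although `level_str` and `optname_str` were assigned from the same calls a few lines earlier. Reusing the variables keeps the printed string and the exported variables from diverging if one call is changed later: `argstr = sprintf("%d, %s, %s, %p, %p", fd, level_str, optname_str, optval_uaddr, optlen_uaddr)`. The `.return` alias body at the end of this hunk closes outside it.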
@@ -1769,11 +2290,13 @@ probe nd_syscall.getsockopt.return =
# gettid _____________________________________________________
# long sys_gettid(void)
-probe nd_syscall.gettid = kernel.function("sys_gettid") {
+probe nd_syscall.gettid = kprobe.function("sys_gettid")
+{
name = "gettid"
argstr = ""
}
-probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
+probe nd_syscall.gettid.return = kprobe.function("sys_gettid").return
+{
name = "gettid"
retstr = returnstr(1)
}
@@ -1781,25 +2304,29 @@ probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
# gettimeofday _______________________________________________
# long sys_gettimeofday(struct timeval __user *tv,
# struct timezone __user *tz)
-# long sys32_gettimeofday(struct compat_timeval __user *tv,
+# long sys32_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
# long compat_sys_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
-probe nd_syscall.gettimeofday =
- kernel.function("sys_gettimeofday"),
- kernel.function("sys32_gettimeofday") ?,
- kernel.function("compat_sys_gettimeofday") ?
+probe nd_syscall.gettimeofday = kprobe.function("compat_sys_gettimeofday") ?,
+ kprobe.function("sys32_gettimeofday") ?,
+ kprobe.function("SyS_gettimeofday") ?,
+ kprobe.function("sys_gettimeofday") ?
{
name = "gettimeofday"
- tv_uaddr = $tv
- tz_uaddr = $tz
- argstr = sprintf("%p, %p", $tv, $tz)
+ // tv_uaddr = $tv
+ // tz_uaddr = $tz
+ // argstr = sprintf("%p, %p", $tv, $tz)
+ asmlinkage()
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+ argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr)
}
-probe nd_syscall.gettimeofday.return =
- kernel.function("sys_gettimeofday").return,
- kernel.function("sys32_gettimeofday").return ?,
- kernel.function("compat_sys_gettimeofday").return ?
+probe nd_syscall.gettimeofday.return = kprobe.function("compat_sys_gettimeofday").return ?,
+ kprobe.function("sys32_gettimeofday").return ?,
+ kprobe.function("SyS_gettimeofday").return ?,
+ kprobe.function("sys_gettimeofday").return ?
{
name = "gettimeofday"
retstr = returnstr(1)
@@ -1810,18 +2337,16 @@ probe nd_syscall.gettimeofday.return =
# long sys_getuid16(void)
# long sys32_getuid16(void)
#
-probe nd_syscall.getuid =
- kernel.function("sys_getuid16") ?,
- kernel.function("sys32_getuid16") ?,
- kernel.function("sys_getuid")
+probe nd_syscall.getuid = kprobe.function("sys_getuid16") ?,
+ kprobe.function("sys32_getuid16") ?,
+ kprobe.function("sys_getuid")
{
name = "getuid"
argstr = ""
}
-probe nd_syscall.getuid.return =
- kernel.function("sys_getuid16").return ?,
- kernel.function("sys32_getuid16").return ?,
- kernel.function("sys_getuid").return
+probe nd_syscall.getuid.return = kprobe.function("sys_getuid16").return ?,
+ kprobe.function("sys32_getuid16").return ?,
+ kprobe.function("sys_getuid").return
{
name = "getuid"
retstr = returnstr(1)
@@ -1830,19 +2355,40 @@ probe nd_syscall.getuid.return =
# getxattr ___________________________________________________
# ssize_t sys_getxattr(char __user *path, char __user *name,
# void __user *value, size_t size)
-probe nd_syscall.getxattr = kernel.function("sys_getxattr") {
+probe nd_syscall.getxattr = kprobe.function("SyS_getxattr") ?,
+ kprobe.function("sys_getxattr") ?
+{
name = "getxattr"
- path = user_string($path)
+ // %( kernel_v >= "2.6.27" %?
+ // path = user_string($pathname)
+ // %:
+ // path = user_string($path)
+ // %)
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%s, %s, %p, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, size)
+ asmlinkage()
+ path = pointer_arg(1)
# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- argstr = sprintf("%s, %s, %p, %d",
- user_string_quoted($path),
- user_string_quoted($name),
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ argstr = sprintf("%s, %s, %p, %d",
+ user_string_quoted(path),
+ user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
-probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
+probe nd_syscall.getxattr.return = kprobe.function("SyS_getxattr").return ?,
+ kprobe.function("sys_getxattr").return ?
+{
name = "getxattr"
retstr = returnstr(1)
}
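Review bot: In nd_syscall.getxattr the new line `path = pointer_arg(1)` stores the user-space address in `path`, whereas the removed line stored the string (`user_string($path)`) and `name2` on the next assignment is still a string. A script that prints or compares `path` would get a number, or fail type resolution if it treats `path` as a string as the dwarf-based probe allows. I would write `path = user_string(pointer_arg(1))` and pass the pointer to the quoting helper directly, `user_string_quoted(pointer_arg(1)),`, which is what nd_syscall.inotify_add_watch does later in this file with `path_uaddr`.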
@@ -1852,14 +2398,23 @@ probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
# unsigned long len,
# const char __user *uargs)
#
-probe nd_syscall.init_module = kernel.function("sys_init_module") ? {
+probe nd_syscall.init_module = kprobe.function("SyS_init_module") ?,
+ kprobe.function("sys_init_module") ?
+{
name = "init_module"
- umod_uaddr = $umod
- len = $len
- uargs = user_string($uargs)
- argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+ // umod_uaddr = $umod
+ // len = $len
+ // uargs = user_string($uargs)
+ // argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+ asmlinkage()
+ umod_uaddr = pointer_arg(1)
+ len = ulong_arg(2)
+ uargs = user_string(pointer_arg(3))
+ argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(4)))
}
-probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? {
+probe nd_syscall.init_module.return = kprobe.function("SyS_init_module").return ?,
+ kprobe.function("sys_init_module").return ?
+{
name = "init_module"
retstr = returnstr(1)
}
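Review bot: The `argstr` line in nd_syscall.init_module quotes `pointer_arg(4)`, but the prototype above the probe has three parameters and `uargs` is the third; the line just before it correctly uses `pointer_arg(3)`. As written, `argstr` dereferences whatever happens to be in the fourth argument slot as a user string, so the logged module arguments can be wrong or empty while the `uargs` variable is right. For a syscall that is usually traced to audit module loading, that mismatch is worth fixing: `argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(3)))`.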
@@ -1868,15 +2423,31 @@ probe nd_syscall.init_module.return = kernel.function("sys_init_module").return
#
# long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
#
-probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? {
+probe nd_syscall.inotify_add_watch = kprobe.function("SyS_inotify_add_watch") ?,
+ kprobe.function("sys_inotify_add_watch") ?
+{
name = "inotify_add_watch"
- fd = $fd
- path_uaddr = $path
- path = user_string($path)
- mask = $mask
- argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+ // fd = $fd
+ // mask = $mask
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($pathname), $mask)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+ // %)
+ asmlinkage()
+ fd = int_arg(1)
+ path_uaddr = pointer_arg(2)
+ path = user_string(path_uaddr)
+ mask = uint_arg(3)
+ argstr = sprintf("%d, %s, %d", fd, user_string_quoted(path_uaddr), mask)
}
-probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? {
+probe nd_syscall.inotify_add_watch.return = kprobe.function("SyS_inotify_add_watch").return ?,
+ kprobe.function("sys_inotify_add_watch").return ?
+{
name = "inotify_add_watch"
retstr = returnstr(1)
}
@@ -1885,11 +2456,13 @@ probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_wat
#
# long sys_inotify_init(void)
#
-probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? {
+probe nd_syscall.inotify_init = kprobe.function("sys_inotify_init") ?
+{
name = "inotify_init"
argstr = ""
}
-probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? {
+probe nd_syscall.inotify_init.return = kprobe.function("sys_inotify_init").return ?
+{
name = "inotify_init"
retstr = returnstr(1)
}
@@ -1898,13 +2471,21 @@ probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").retur
#
# long sys_inotify_rm_watch(int fd, u32 wd)
#
-probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? {
+probe nd_syscall.inotify_rm_watch = kprobe.function("SyS_inotify_rm_watch") ?,
+ kprobe.function("sys_inotify_rm_watch") ?
+{
name = "inotify_rm_watch"
- fd = $fd
- wd = $wd
- argstr = sprintf("%d, %d", $fd, $wd)
+ // fd = $fd
+ // wd = $wd
+ // argstr = sprintf("%d, %d", $fd, $wd)
+ asmlinkage()
+ fd = int_arg(1)
+ wd = uint_arg(2)
+ argstr = sprintf("%d, %d", fd, wd)
}
-probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? {
+probe nd_syscall.inotify_rm_watch.return = kprobe.function("SyS_inotify_rm_watch").return ?,
+ kprobe.function("sys_inotify_rm_watch").return ?
+{
name = "inotify_rm_watch"
retstr = returnstr(1)
}
@@ -1913,14 +2494,22 @@ probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch
# long sys_io_cancel(aio_context_t ctx_id,
# struct iocb __user *iocb,
# struct io_event __user *result)
-probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") {
+probe nd_syscall.io_cancel = kprobe.function("SyS_io_cancel") ?,
+ kprobe.function("sys_io_cancel") ?
+{
name = "io_cancel"
- ctx_id = $ctx_id
- iocb_uaddr = $iocb
- result_uaddr = $result
- argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
+ // ctx_id = $ctx_id
+ // iocb_uaddr = $iocb
+ // result_uaddr = $result
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ iocb_uaddr = pointer_arg(2)
+ result_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
}
-probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
+probe nd_syscall.io_cancel.return = kprobe.function("SyS_io_cancel").return ?,
+ kprobe.function("sys_io_cancel").return ?
+{
name = "io_cancel"
retstr = returnstr(1)
}
@@ -1929,19 +2518,24 @@ probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe nd_syscall.ioctl =
- kernel.function("sys_ioctl") ?,
- kernel.function("compat_sys_ioctl") ?
+probe nd_syscall.ioctl = kprobe.function("compat_sys_ioctl") ?,
+ kprobe.function("SyS_ioctl") ?,
+ kprobe.function("sys_ioctl") ?
{
name = "ioctl"
- fd = $fd
- request = $cmd
- argp = $arg
- argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+ // fd = $fd
+ // request = $cmd
+ // argp = $arg
+ // argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+ asmlinkage()
+ fd = int_arg(1)
+ request = int_arg(2)
+ argp = ulong_arg(3)
+ argstr = sprintf("%d, %d, %p", fd, request, argp)
}
-probe nd_syscall.ioctl.return =
- kernel.function("sys_ioctl").return ?,
- kernel.function("compat_sys_ioctl").return ?
+probe nd_syscall.ioctl.return = kprobe.function("compat_sys_ioctl").return ?,
+ kprobe.function("SyS_ioctl").return ?,
+ kprobe.function("sys_ioctl").return ?
{
name = "ioctl"
retstr = returnstr(1)
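Review bot: nd_syscall.ioctl fetches `fd` and `request` with `int_arg()`, but both prototypes above the probe declare them `unsigned int`. A request code with the top bit set would then, presumably, be sign-extended and show up negative in `request` and in `argstr`, unlike the removed `$cmd` form. Scripts that match specific ioctl numbers would miss those calls. I would use the unsigned accessor already used elsewhere in this file: `fd = uint_arg(1)` and `request = uint_arg(2)`. The `.return` alias body at the end of this hunk closes outside it.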
@@ -1949,12 +2543,18 @@ probe nd_syscall.ioctl.return =
# io_destroy _________________________________________________
# long sys_io_destroy(aio_context_t ctx)
-probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") {
+probe nd_syscall.io_destroy = kprobe.function("SyS_io_destroy") ?,
+ kprobe.function("sys_io_destroy") ?
+{
name = "io_destroy"
- ctx = $ctx
+ // ctx = $ctx
+ asmlinkage()
+ ctx = ulong_arg(1)
argstr = sprintf("%d", ctx)
}
-probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
+probe nd_syscall.io_destroy.return = kprobe.function("SyS_io_destroy").return ?,
+ kprobe.function("sys_io_destroy").return ?
+{
name = "io_destroy"
retstr = returnstr(1)
}
@@ -1971,23 +2571,32 @@ probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
# struct io_event __user *events,
# struct compat_timespec __user *timeout)
#
-probe nd_syscall.io_getevents =
- kernel.function("sys_io_getevents") ?,
- kernel.function("compat_sys_io_getevents") ?
+probe nd_syscall.io_getevents = kprobe.function("compat_sys_io_getevents") ?,
+ kprobe.function("SyS_io_getevents") ?,
+ kprobe.function("sys_io_getevents") ?
{
name = "io_getevents"
- ctx_id = $ctx_id
- min_nr = $min_nr
- nr = $nr
- events_uaddr = $events
- timeout_uaddr = $timeout
- timestr = _struct_timespec_u($timeout,1)
- argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
- $nr, $events, $timeout, timestr)
-}
-probe nd_syscall.io_getevents.return =
- kernel.function("sys_io_getevents").return ?,
- kernel.function("compat_sys_io_getevents").return ?
+ // ctx_id = $ctx_id
+ // min_nr = $min_nr
+ // nr = $nr
+ // events_uaddr = $events
+ // timeout_uaddr = $timeout
+ // timestr = _struct_timespec_u($timeout, 1)
+ // argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
+ // $nr, $events, $timeout, timestr)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ min_nr = long_arg(2)
+ nr = long_arg(3)
+ events_uaddr = pointer_arg(4)
+ timeout_uaddr = pointer_arg(5)
+ timestr = _struct_timespec_u(timeout_uaddr, 1)
+ argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr,
+ nr, events_uaddr, timeout_uaddr, timestr)
+}
+probe nd_syscall.io_getevents.return = kprobe.function("compat_sys_io_getevents").return ?,
+ kprobe.function("SyS_io_getevents").return ?,
+ kprobe.function("sys_io_getevents").return ?
{
name = "io_getevents"
retstr = returnstr(1)
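Review bot: nd_syscall.io_getevents now lists `compat_sys_io_getevents` first, yet `timestr` is still built with `_struct_timespec_u(timeout_uaddr, 1)` for every alternative. The prototype above shows the compat entry point takes a `struct compat_timespec __user *`, so if that helper reads a native `struct timespec` (it is defined outside this hunk, so this is an assumption) the decoded timeout is wrong for 32-bit callers. Either split the compat variant into its own probe with a compat-aware decoder, as is done for compat_io_setup and compat_io_submit, or add a comment on the `timestr` line stating that it is only reliable for the native entry points.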
@@ -1996,42 +2605,63 @@ probe nd_syscall.io_getevents.return =
# ioperm _____________________________________________________
# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
#
-probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? {
+probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ?
+{
name = "ioperm"
- from = $from
- num = $num
- turn_on = $turn_on
- argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+ // from = $from
+ // num = $num
+ // turn_on = $turn_on
+ // argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+ asmlinkage()
+ from = ulong_arg(1)
+ num = ulong_arg(2)
+ turn_on = int_arg(3)
+ argstr = sprintf("%d, %d, %d", from, num, turn_on)
}
-probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
+probe nd_syscall.ioperm.return = kprobe.function("sys_ioperm").return ?
+{
name = "ioperm"
retstr = returnstr(1)
}
# io_setup ___________________________________________________
# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
-#
-probe nd_syscall.io_setup = kernel.function("sys_io_setup") {
+#
+probe nd_syscall.io_setup = kprobe.function("SyS_io_setup") ?,
+ kprobe.function("sys_io_setup") ?
+{
name = "io_setup"
- maxevents = $nr_events
- ctxp_uaddr = $ctxp
- argstr = sprintf("%d, %p", $nr_events, $ctxp)
+ // maxevents = $nr_events
+ // ctxp_uaddr = $ctxp
+ // argstr = sprintf("%d, %p", $nr_events, $ctxp)
+ asmlinkage()
+ maxevents = uint_arg(1)
+ ctxp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
-probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return {
+probe nd_syscall.io_setup.return = kprobe.function("SyS_io_setup").return ?,
+ kprobe.function("sys_io_setup").return ?
+{
name = "io_setup"
retstr = returnstr(1)
}
# long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
#
-probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? {
+probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ?
+{
name = "io_setup"
- maxevents = $nr_reqs
- ctxp_uaddr = $ctx32p
- argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+ // maxevents = $nr_reqs
+ // ctxp_uaddr = $ctx32p
+ // argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+ asmlinkage()
+ maxevents = uint_arg(1)
+ ctxp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
-probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? {
+probe nd_syscall.compat_io_setup.return = kprobe.function("compat_sys_io_setup").return ?
+{
name = "io_setup"
retstr = returnstr(1)
}
@@ -2039,27 +2669,43 @@ probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup")
# io_submit __________________________________________________
# long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
#
-probe nd_syscall.io_submit = kernel.function("sys_io_submit") {
+probe nd_syscall.io_submit = kprobe.function("SyS_io_submit") ?,
+ kprobe.function("sys_io_submit") ?
+{
name = "io_submit"
- ctx_id = $ctx_id
- nr = $nr
- iocbpp_uaddr = $iocbpp
- argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+ // ctx_id = $ctx_id
+ // nr = $nr
+ // iocbpp_uaddr = $iocbpp
+ // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ nr = long_arg(2)
+ iocbpp_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
-probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return {
+probe nd_syscall.io_submit.return = kprobe.function("SyS_io_submit").return ?,
+ kprobe.function("sys_io_submit").return ?
+{
name = "io_submit"
retstr = returnstr(1)
}
# long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
#
-probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? {
+probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ?
+{
name = "io_submit"
- ctx_id = $ctx_id
- nr = $nr
- iocbpp_uaddr = $iocb
- argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+ // ctx_id = $ctx_id
+ // nr = $nr
+ // iocbpp_uaddr = $iocb
+ // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ nr = int_arg(2)
+ iocbpp_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
-probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? {
+probe nd_syscall.compat_io_submit.return = kprobe.function("compat_sys_io_submit").return ?
+{
name = "io_submit"
retstr = returnstr(1)
}
@@ -2067,13 +2713,21 @@ probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit
# ioprio_get _________________________________________________
# long sys_ioprio_get(int which, int who)
#
-probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? {
+probe nd_syscall.ioprio_get = kprobe.function("SyS_ioprio_get") ?,
+ kprobe.function("sys_ioprio_get") ?
+{
name = "ioprio_get"
- which = $which
- who = $who
- argstr = sprintf("%d, %d", $which, $who)
+ // which = $which
+ // who = $who
+ // argstr = sprintf("%d, %d", $which, $who)
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
+ argstr = sprintf("%d, %d", which, who)
}
-probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? {
+probe nd_syscall.ioprio_get.return = kprobe.function("SyS_ioprio_get").return ?,
+ kprobe.function("sys_ioprio_get").return ?
+{
name = "ioprio_get"
retstr = returnstr(1)
}
@@ -2081,14 +2735,23 @@ probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ?
# ioprio_set _________________________________________________
# long sys_ioprio_set(int which, int who, int ioprio)
#
-probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? {
+probe nd_syscall.ioprio_set = kprobe.function("SyS_ioprio_set") ?,
+ kprobe.function("sys_ioprio_set") ?
+{
name = "ioprio_set"
- which = $which
- who = $who
- ioprio = $ioprio
- argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+ // which = $which
+ // who = $who
+ // ioprio = $ioprio
+ // argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
+ ioprio = int_arg(3)
+ argstr = sprintf("%d, %d, %d", which, who, ioprio)
}
-probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? {
+probe nd_syscall.ioprio_set.return = kprobe.function("SyS_ioprio_set").return ?,
+ kprobe.function("sys_ioprio_set").return ?
+{
name = "ioprio_set"
retstr = returnstr(1)
}
@@ -2103,23 +2766,29 @@ probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ?
# struct compat_kexec_segment __user *segments,
# unsigned long flags)
#
-probe nd_syscall.kexec_load =
- kernel.function("sys_kexec_load") ?,
- kernel.function("compat_sys_kexec_load") ?
+probe nd_syscall.kexec_load = kprobe.function("compat_sys_kexec_load") ?,
+ kprobe.function("SyS_kexec_load") ?,
+ kprobe.function("sys_kexec_load") ?
{
name = "kexec_load"
- entry = $entry
- nr_segments = $nr_segments
- segments_uaddr = $segments
- flags = $flags
- argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
-}
-probe nd_syscall.kexec_load.return =
- kernel.function("sys_kexec_load").return ?,
- kernel.function("compat_sys_kexec_load").return ?
+ // entry = $entry
+ // nr_segments = $nr_segments
+ // segments_uaddr = $segments
+ // flags = $flags
+ // argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+ asmlinkage()
+ entry = ulong_arg(1)
+ nr_segments = ulong_arg(2)
+ segments_uaddr = pointer_arg(3)
+ flags = ulong_arg(4)
+ argstr = sprintf("%p, %d, %p, %d", entry, nr_segments, segments_uaddr, flags)
+}
+probe nd_syscall.kexec_load.return = kprobe.function("compat_sys_kexec_load").return ?,
+ kprobe.function("SyS_kexec_load").return ?,
+ kprobe.function("sys_kexec_load").return ?
{
name = "kexec_load"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# keyctl _____________________________________________________
@@ -2130,17 +2799,19 @@ probe nd_syscall.kexec_load.return =
# unsigned long arg5)
# long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
#
-probe nd_syscall.keyctl =
- kernel.function("sys_keyctl") ?,
- kernel.function("compat_sys_keyctl") ?
+probe nd_syscall.keyctl = kprobe.function("compat_sys_keyctl") ?,
+ kprobe.function("SyS_keyctl") ?,
+ kprobe.function("sys_keyctl") ?
{
name = "keyctl"
- argstr = sprintf("%d, ...", $option)
+ // argstr = sprintf("%d, ...", $option)
+ asmlinkage()
+ argstr = sprintf("%d, ...", uint_arg(1))
}
-probe nd_syscall.keyctl.return =
- kernel.function("sys_keyctl").return ?,
- kernel.function("compat_sys_keyctl").return ?
+probe nd_syscall.keyctl.return = kprobe.function("compat_sys_keyctl").return ?,
+ kprobe.function("SyS_keyctl").return ?,
+ kprobe.function("sys_keyctl").return ?
{
name = "keyctl"
retstr = returnstr(1)
@@ -2148,13 +2819,21 @@ probe nd_syscall.keyctl.return =
# kill _______________________________________________________
# long sys_kill(int pid, int sig)
-probe nd_syscall.kill = kernel.function("sys_kill") {
+probe nd_syscall.kill = kprobe.function("SyS_kill") ?,
+ kprobe.function("sys_kill") ?
+{
name = "kill"
- pid = $pid
- sig = $sig
- argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ // pid = $pid
+ // sig = $sig
+ // argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ asmlinkage()
+ pid = int_arg(1)
+ sig = int_arg(2)
+ argstr = sprintf("%d, %s", pid, _signal_name(sig))
}
-probe nd_syscall.kill.return = kernel.function("sys_kill").return {
+probe nd_syscall.kill.return = kprobe.function("SyS_kill").return ?,
+ kprobe.function("sys_kill").return ?
+{
name = "kill"
retstr = returnstr(1)
}
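Review bot: Both alternatives of nd_syscall.kill and nd_syscall.kill.return now carry `?`, whereas the removed `kernel.function("sys_kill")` probe points were mandatory. With every alternative optional, a script that relies on this alias can end up attached to nothing without any error, which is a silent gap for anyone using it to audit signal delivery. The same required-to-optional change appears in lchown, lgetxattr, link, listxattr, llistxattr, lremovexattr, lseek, lsetxattr, mkdir and mknod. If one of the two names is expected to resolve on every supported kernel, that should be expressed, for example by leaving the fallback `kprobe.function("sys_kill")` without `?` (whether that name is always present cannot be confirmed from this hunk). At minimum it should be stated in a comment above the probe.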
@@ -2162,30 +2841,46 @@ probe nd_syscall.kill.return = kernel.function("sys_kill").return {
# lchown _____________________________________________________
# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
#
-probe nd_syscall.lchown = kernel.function("sys_lchown") {
+probe nd_syscall.lchown = kprobe.function("SyS_lchown") ?,
+ kprobe.function("sys_lchown") ?
+{
name = "lchown"
- path = user_string($filename)
- owner = __int32($user)
- group = __int32($group)
- argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
-}
-probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
+ // path = user_string($filename)
+ // owner = __int32($user)
+ // group = __int32($group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ owner = __int32(uint_arg(2))
+ group = __int32(uint_arg(3))
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
+}
+probe nd_syscall.lchown.return = kprobe.function("SyS_lchown").return ?,
+ kprobe.function("sys_lchown").return ?
+{
name = "lchown"
retstr = returnstr(1)
}
# lchown16 ___________________________________________________
-# long sys_lchown16(const char __user * filename, old_uid_t user,
+# long sys_lchown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? {
+probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ?
+{
name = "lchown16"
- path = user_string($filename)
- owner = __short($user)
- group = __short($group)
- argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ // path = user_string($filename)
+ // owner = __short($user)
+ // group = __short($group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ owner = __short(uint_arg(2))
+ group = __short(uint_arg(3))
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
+probe nd_syscall.lchown16.return = kprobe.function("sys_lchown16").return ?
+{
name = "lchown16"
retstr = returnstr(1)
}
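Review bot: In nd_syscall.lchown and nd_syscall.lchown16, `path` and `argstr` come from two separate `user_string(pointer_arg(1))` / `user_string_quoted(pointer_arg(1))` calls, i.e. two independent copies from user memory taken at syscall entry. A process that rewrites the buffer concurrently can make `path`, `argstr` and the name the kernel later copies all differ, which matters when these probes feed an audit trail. The same pattern is in lgetxattr, link, linkat, lstat, mkdirat, mknod and mknodat. I would at least document it above the probe: `# path/argstr are sampled from user memory at entry; they may differ from each other and from what the kernel acts on`.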
@@ -2195,47 +2890,128 @@ probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
# void __user *value,
# size_t size)
#
-probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") {
+probe nd_syscall.lgetxattr = kprobe.function("SyS_lgetxattr") ?,
+ kprobe.function("sys_lgetxattr") ?
+{
name = "lgetxattr"
- path = user_string($path)
+ // %( kernel_v >= "2.6.27" %?
+ // path = user_string($pathname)
+ // %:
+ // path = user_string($path)
+ // %)
+ // # FIXME
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%s, %s, %p, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, size)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- argstr = sprintf("%s, %s, %p, %d",
- user_string_quoted($path),
- user_string_quoted($name),
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ argstr = sprintf("%s, %s, %p, %d",
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
-probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return {
+probe nd_syscall.lgetxattr.return = kprobe.function("SyS_lgetxattr").return ?,
+ kprobe.function("sys_lgetxattr").return ?
+{
name = "lgetxattr"
retstr = returnstr(1)
}
# link _______________________________________________________
# long sys_link(const char __user * oldname,
# const char __user * newname)
-probe nd_syscall.link = kernel.function("sys_link") {
+probe nd_syscall.link = kprobe.function("SyS_link") ?,
+ kprobe.function("sys_link") ?
+{
name = "link"
- oldpath = user_string($oldname)
- newpath = user_string($newname)
- argstr = sprintf("%s, %s",
- user_string_quoted($oldname),
- user_string_quoted($newname))
-}
-probe nd_syscall.link.return = kernel.function("sys_link").return {
+ // oldpath = user_string($oldname)
+ // newpath = user_string($newname)
+ // argstr = sprintf("%s, %s",
+ // user_string_quoted($oldname),
+ // user_string_quoted($newname))
+ asmlinkage()
+ oldpath = user_string(pointer_arg(1))
+ newpath = user_string(pointer_arg(2))
+ argstr = sprintf("%s, %s",
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.link.return = kprobe.function("SyS_link").return ?,
+ kprobe.function("sys_link").return ?
+{
name = "link"
- retstr = returnstr(1)
+ retstr = returnstr(1)
+}
+
+# linkat _____________________________________________________
+# new function with 2.6.16
+# long sys_linkat(int olddfd, const char __user *oldname,
+# int newdfd, const char __user *newname, int flags)
+probe nd_syscall.linkat = kprobe.function("SyS_linkat") ?,
+ kprobe.function("sys_linkat") ?
+{
+ name = "linkat"
+ // olddirfd = $olddfd
+ // olddirfd_str = _dfd_str($olddfd)
+ // oldpath = user_string($oldname)
+ // newdirfd = $newdfd
+ // newdirfd_str = _dfd_str($newdfd)
+ // newpath = user_string($newname)
+ // flags = $flags
+ // flags_str = _at_flag_str($flags)
+ // argstr = sprintf("%s, %s, %s, %s, %s",
+ // olddirfd_str, user_string_quoted($oldname),
+ // newdirfd_str, user_string_quoted($newname),
+ // flags_str)
+ asmlinkage()
+ olddirfd = int_arg(1)
+ olddirfd_str = _dfd_str(olddirfd)
+ oldpath = user_string(pointer_arg(2))
+ newdirfd = int_arg(3)
+ newdirfd_str = _dfd_str(newdirfd)
+ newpath = user_string(pointer_arg(4))
+ flags = int_arg(5)
+ flags_str = _at_flag_str(flags)
+ argstr = sprintf("%s, %s, %s, %s, %s",
+ olddirfd_str, user_string_quoted(pointer_arg(2)),
+ newdirfd_str, user_string_quoted(pointer_arg(4)),
+ flags_str)
+}
+probe nd_syscall.linkat.return = kprobe.function("SyS_linkat").return ?,
+ kprobe.function("sys_linkat").return ?
+{
+ name = "linkat"
+ retstr = returnstr(1)
}
# listen _____________________________________________________
# long sys_listen(int fd, int backlog)
-probe nd_syscall.listen = kernel.function("sys_listen") ? {
+probe nd_syscall.listen = kprobe.function("SyS_listen") ?,
+ kprobe.function("sys_listen") ?
+{
name = "listen"
- sockfd = $fd
- backlog = $backlog
- argstr = sprintf("%d, %d", $fd, $backlog)
-}
-probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
+ // sockfd = $fd
+ // backlog = $backlog
+ // argstr = sprintf("%d, %d", $fd, $backlog)
+ asmlinkage()
+ sockfd = int_arg(1)
+ backlog = int_arg(2)
+ argstr = sprintf("%d, %d", sockfd, backlog)
+}
+probe nd_syscall.listen.return = kprobe.function("SyS_listen").return ?,
+ kprobe.function("sys_listen").return ?
+{
name = "listen"
retstr = returnstr(1)
}
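Review bot: The bare `# FIXME` kept above `name2 = user_string(pointer_arg(2))` in nd_syscall.lgetxattr does not say what is to be fixed. Presumably it refers to the `name2` spelling, needed because `name` already holds the syscall name. nd_syscall.lsetxattr exports the same argument as `name_str`, so script authors have to know both. I would replace the marker with an explanatory comment such as `# exported as name2 because 'name' holds the syscall name (lsetxattr uses name_str)`.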
@@ -2243,15 +3019,31 @@ probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
# listxattr __________________________________________________
# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
#
-probe nd_syscall.listxattr = kernel.function("sys_listxattr") {
+probe nd_syscall.listxattr = kprobe.function("SyS_listxattr") ?,
+ kprobe.function("sys_listxattr") ?
+{
name = "listxattr"
- path_uaddr = $path
- path = user_string($path)
- list_uaddr = $list
- size = $size
- argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
-}
-probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
+ // list_uaddr = $list
+ // size = $size
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
+}
+probe nd_syscall.listxattr.return = kprobe.function("SyS_listxattr").return ?,
+ kprobe.function("sys_listxattr").return ?
+{
name = "listxattr"
retstr = returnstr(1)
}
@@ -2259,15 +3051,31 @@ probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
# llistxattr _________________________________________________
# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
#
-probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") {
+probe nd_syscall.llistxattr = kprobe.function("SyS_llistxattr") ?,
+ kprobe.function("sys_llistxattr") ?
+{
name = "llistxattr"
- path_uaddr = $path
- path = user_string($path)
- list_uaddr = $list
- size = $size
- argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
-}
-probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
+ // list_uaddr = $list
+ // size = $size
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
+}
+probe nd_syscall.llistxattr.return = kprobe.function("SyS_llistxattr").return ?,
+ kprobe.function("sys_llistxattr").return ?
+{
name = "llistxattr"
retstr = returnstr(1)
}
@@ -2278,18 +3086,31 @@ probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
# unsigned long offset_low,
# loff_t __user * result,
# unsigned int origin)
-probe nd_syscall.llseek = kernel.function("sys_llseek") ? {
+probe nd_syscall.llseek = kprobe.function("SyS_llseek") ?,
+ kprobe.function("sys_llseek") ?
+{
name = "llseek"
- fd = $fd
- offset_high = $offset_high
- offset_low = $offset_low
- result_uaddr = $result
- whence = $origin
- whence_str = _seek_whence_str($origin)
- argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
- $offset_low, $result, whence_str)
-}
-probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
+ // fd = $fd
+ // offset_high = $offset_high
+ // offset_low = $offset_low
+ // result_uaddr = $result
+ // whence = $origin
+ // whence_str = _seek_whence_str($origin)
+ // argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
+ // $offset_low, $result, whence_str)
+ asmlinkage()
+ fd = int_arg(1)
+ offset_high = ulong_arg(2)
+ offset_low = ulong_arg(3)
+ result_uaddr = pointer_arg(4)
+ whence = uint_arg(5)
+ whence_str = _seek_whence_str(whence)
+ argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
+ offset_low, result_uaddr, whence_str)
+}
+probe nd_syscall.llseek.return = kprobe.function("SyS_llseek").return ?,
+ kprobe.function("sys_llseek").return ?
+{
name = "llseek"
retstr = returnstr(1)
}
@@ -2297,14 +3118,23 @@ probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
# lookup_dcookie _____________________________________________
# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
#
-probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? {
+probe nd_syscall.lookup_dcookie = kprobe.function("SyS_lookup_dcookie") ?,
+ kprobe.function("sys_lookup_dcookie") ?
+{
name = "lookup_dcookie"
- cookie = $cookie64
- buffer_uaddr = $buf
- len = $len
- argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+ // cookie = $cookie64
+ // buffer_uaddr = $buf
+ // len = $len
+ // argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+ asmlinkage()
+ cookie = ulonglong_arg(1)
+ buffer_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len)
}
-probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? {
+probe nd_syscall.lookup_dcookie.return = kprobe.function("SyS_lookup_dcookie").return ?,
+ kprobe.function("sys_lookup_dcookie").return ?
+{
name = "lookup_dcookie"
retstr = returnstr(1)
}
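Review bot: `cookie = ulonglong_arg(1)` followed by `pointer_arg(2)` and `ulong_arg(3)` in nd_syscall.lookup_dcookie assumes the u64 cookie occupies a single argument slot. That holds on 64-bit kernels, but on 32-bit architectures where a 64-bit value takes two slots, `buf` and `len` are arguments 3 and 4, so `buffer_uaddr` would receive the high half of the cookie and `len` the buffer address. The numbering should depend on the word size. The sketch below uses a `CONFIG_64BIT` preprocessor test, which should be checked against the systemtap version this tapset targets.

```systemtap
	asmlinkage()
	cookie = ulonglong_arg(1)
%( CONFIG_64BIT == "y" %?
	buffer_uaddr = pointer_arg(2)
	len = ulong_arg(3)
%:
	# the u64 cookie uses argument slots 1 and 2 on 32-bit
	buffer_uaddr = pointer_arg(3)
	len = ulong_arg(4)
%)
	// … unchanged: argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len) …
```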
@@ -2312,31 +3142,57 @@ probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").r
# lremovexattr _______________________________________________
# long sys_lremovexattr(char __user *path, char __user *name)
#
-probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") {
+probe nd_syscall.lremovexattr = kprobe.function("SyS_lremovexattr") ?,
+ kprobe.function("sys_lremovexattr") ?
+{
name = "lremovexattr"
- path_uaddr = $path
- path = user_string($path)
- name_uaddr = $name
- name2 = user_string($name)
- argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
-}
-probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return {
+ // name_uaddr = $name
+ // name2 = user_string($name)
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name))
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name2 = user_string(name_uaddr)
+ argstr = sprintf("%s, %s", user_string_quoted(path_uaddr), user_string_quoted(name_uaddr))
+}
+probe nd_syscall.lremovexattr.return = kprobe.function("SyS_lremovexattr").return ?,
+ kprobe.function("sys_lremovexattr").return ?
+{
name = "lremovexattr"
retstr = returnstr(1)
}
# lseek ______________________________________________________
# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
-probe nd_syscall.lseek = kernel.function("sys_lseek") {
+probe nd_syscall.lseek = kprobe.function("SyS_lseek") ?,
+ kprobe.function("sys_lseek") ?
+{
name = "lseek"
- fildes = $fd
-# offset = __int32($offset)
- offset = $offset
- whence = $origin
- whence_str = _seek_whence_str($origin)
- argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
-}
-probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
+ // fildes = $fd
+ // # offset = __int32($offset)
+ // offset = $offset
+ // whence = $origin
+ // whence_str = _seek_whence_str($origin)
+ // argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
+ asmlinkage()
+ fildes = int_arg(1)
+ offset = long_arg(2)
+ whence = uint_arg(3)
+ whence_str = _seek_whence_str(whence)
+ argstr = sprintf("%d, %d, %s", fildes, offset, whence_str)
+}
+probe nd_syscall.lseek.return = kprobe.function("SyS_lseek").return ?,
+ kprobe.function("sys_lseek").return ?
+{
name = "lseek"
retstr = returnstr(1)
}
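Review bot: `fildes = int_arg(1)` in nd_syscall.lseek reads the descriptor as signed although the prototype in the comment above the probe declares `unsigned int fd`; `whence`, the other unsigned parameter, is read with `uint_arg(3)`. An out-of-range descriptor would therefore appear as a negative number in `fildes` and `argstr`, where the old `$fd` presumably kept it unsigned. I would use `fildes = uint_arg(1)`.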
@@ -2348,21 +3204,46 @@ probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
# size_t size,
# int flags)
#
-probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") {
+probe nd_syscall.lsetxattr = kprobe.function("SyS_lsetxattr") ?,
+ kprobe.function("sys_lsetxattr") ?
+{
name = "lsetxattr"
- path_uaddr = $path
- path = user_string($path)
- name_uaddr = $name
- name_str = user_string($name)
- value_uaddr = $value
- size = $size
- flags = $flags
- argstr = sprintf("%s, %s, %p, %d, %d",
- user_string_quoted($path),
- user_string_quoted($name),
- value_uaddr, $size, $flags)
-}
-probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // %)
+ // name_uaddr = $name
+ // name_str = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%s, %s, %p, %d, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, $size, $flags)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name_str = user_string(name_uaddr)
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
+ argstr = sprintf("%s, %s, %p, %d, %d",
+ user_string_quoted(path_uaddr),
+ user_string_quoted(name_uaddr),
+ value_uaddr, size, flags)
+}
+probe nd_syscall.lsetxattr.return = kprobe.function("SyS_lsetxattr").return ?,
+ kprobe.function("sys_lsetxattr").return ?
+{
name = "lsetxattr"
retstr = returnstr(1)
}
@@ -2376,27 +3257,33 @@ probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
# long sys_oabi_lstat64(char __user * filename,
# struct oldabi_stat64 __user * statbuf)
#
-probe nd_syscall.lstat =
- kernel.function("sys_lstat") ?,
- kernel.function("sys_newlstat") ?,
- kernel.function("compat_sys_newlstat") ?,
- kernel.function("sys32_lstat64") ?,
- kernel.function("sys_lstat64") ?,
- kernel.function("sys_oabi_lstat64") ?
+probe nd_syscall.lstat = kprobe.function("sys_lstat") ?,
+ kprobe.function("SyS_newlstat") ?,
+ kprobe.function("sys_newlstat") ?,
+ kprobe.function("compat_sys_newlstat") ?,
+ kprobe.function("sys32_lstat64") ?,
+ kprobe.function("SyS_lstat64") ?,
+ kprobe.function("sys_lstat64") ?,
+ kprobe.function("sys_oabi_lstat64") ?
{
name = "lstat"
- path = user_string($filename)
- buf_uaddr = $statbuf
- argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
-}
-probe nd_syscall.lstat.return =
- kernel.function("sys_lstat").return ?,
- kernel.function("sys_newlstat").return ?,
- kernel.function("compat_sys_newlstat").return ?,
- kernel.function("sys32_lstat64").return ?,
- kernel.function("sys_lstat64").return ?,
- kernel.function("sys_oabi_lstat64").return ?
-{
+ // path = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
+}
+probe nd_syscall.lstat.return = kprobe.function("sys_lstat").return ?,
+ kprobe.function("SyS_newlstat").return ?,
+ kprobe.function("sys_newlstat").return ?,
+ kprobe.function("compat_sys_newlstat").return ?,
+ kprobe.function("sys32_lstat64").return ?,
+ kprobe.function("SyS_lstat64").return ?,
+ kprobe.function("sys_lstat64").return ?,
+ kprobe.function("sys_oabi_lstat64").return ?
+{
name = "lstat"
retstr = returnstr(1)
}
@@ -2404,15 +3291,25 @@ probe nd_syscall.lstat.return =
# madvise ____________________________________________________
# long sys_madvise(unsigned long start, size_t len_in, int behavior)
#
-probe nd_syscall.madvise = kernel.function("sys_madvise") ? {
+probe nd_syscall.madvise = kprobe.function("SyS_madvise") ?,
+ kprobe.function("sys_madvise") ?
+{
name = "madvise"
- start = $start
- length = $len_in
- advice = $behavior
- advice_str = _madvice_advice_str($behavior)
- argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
-}
-probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
+ // start = $start
+ // length = $len_in
+ // advice = $behavior
+ // advice_str = _madvice_advice_str($behavior)
+ // argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ advice = int_arg(3)
+ advice_str = _madvice_advice_str(advice)
+ argstr = sprintf("%p, %d, %s", start, length, _madvice_advice_str(advice))
+}
+probe nd_syscall.madvise.return = kprobe.function("SyS_madvise").return ?,
+ kprobe.function("sys_madvise").return ?
+{
name = "madvise"
retstr = returnstr(1)
}
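Review bot: `_madvice_advice_str(advice)` is evaluated twice in nd_syscall.madvise, once for `advice_str` and again inside the `argstr` sprintf. The llseek and lseek probes in this file format the already-computed `whence_str` instead. Doing the same here keeps the two strings identical by construction: `argstr = sprintf("%p, %d, %s", start, length, advice_str)`.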
@@ -2432,23 +3329,32 @@ probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
# compat_ulong_t maxnode,
# compat_ulong_t flags)
#
-probe nd_syscall.mbind =
- kernel.function("sys_mbind") ?,
- kernel.function("compat_sys_mbind") ?
+probe nd_syscall.mbind = kprobe.function("compat_sys_mbind") ?,
+ kprobe.function("SyS_mbind") ?,
+ kprobe.function("sys_mbind") ?
{
name = "mbind"
- start = $start
- len = $len
- mode = $mode
- nmask_uaddr = $nmask
- maxnode = $maxnode
- flags = $flags
- argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
- $nmask, $maxnode, $flags)
-}
-probe nd_syscall.mbind.return =
- kernel.function("sys_mbind").return ?,
- kernel.function("compat_sys_mbind").return ?
+ // start = $start
+ // len = $len
+ // mode = $mode
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // flags = $flags
+ // argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
+ // $nmask, $maxnode, $flags)
+ asmlinkage()
+ start = ulong_arg(1)
+ len = long_arg(2)
+ mode = ulong_arg(3)
+ nmask_uaddr = pointer_arg(4)
+ maxnode = ulong_arg(5)
+ flags = uint_arg(6)
+ argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", start, len, mode,
+ nmask_uaddr, maxnode, flags)
+}
+probe nd_syscall.mbind.return = kprobe.function("compat_sys_mbind").return ?,
+ kprobe.function("SyS_mbind").return ?,
+ kprobe.function("sys_mbind").return ?
{
name = "mbind"
retstr = returnstr(1)
@@ -2458,11 +3364,17 @@ probe nd_syscall.mbind.return =
# long sys_migrate_pages(pid_t pid, unsigned long maxnode,
# const unsigned long __user *old_nodes,
# const unsigned long __user *new_nodes)
-probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? {
+probe nd_syscall.migrate_pages = kprobe.function("SyS_migrate_pages") ?,
+ kprobe.function("sys_migrate_pages") ?
+{
name = "migrate_pages"
- argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+ // argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4))
}
-probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? {
+probe nd_syscall.migrate_pages.return = kprobe.function("SyS_migrate_pages").return ?,
+ kprobe.function("sys_migrate_pages").return ?
+{
name = "migrate_pages"
retstr = returnstr(1)
}
@@ -2470,73 +3382,150 @@ probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").ret
# mincore ____________________________________________________
# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
#
-probe nd_syscall.mincore = kernel.function("sys_mincore") ? {
+probe nd_syscall.mincore = kprobe.function("SyS_mincore") ?,
+ kprobe.function("sys_mincore") ?
+{
name = "mincore"
- start = $start
- length = $len
- vec_uaddr = $vec
- argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+ // start = $start
+ // length = $len
+ // vec_uaddr = $vec
+ // argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ vec_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %d, %p", start, length, vec_uaddr)
}
-probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? {
+probe nd_syscall.mincore.return = kprobe.function("SyS_mincore").return ?,
+ kprobe.function("sys_mincore").return ?
+{
name = "mincore"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# mkdir ______________________________________________________
# long sys_mkdir(const char __user * pathname, int mode)
-probe nd_syscall.mkdir = kernel.function("sys_mkdir") {
+probe nd_syscall.mkdir = kprobe.function("SyS_mkdir") ?,
+ kprobe.function("sys_mkdir") ?
+{
name = "mkdir"
- pathname_uaddr = $pathname
- pathname = user_string($pathname)
- mode = $mode
- argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ // pathname_uaddr = $pathname
+ // pathname = user_string($pathname)
+ // mode = $mode
+ // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ asmlinkage()
+ pathname_uaddr = pointer_arg(1)
+ pathname = user_string(pathname_uaddr)
+ mode = int_arg(2)
+ argstr = sprintf("%s, %#o", user_string_quoted(pathname_uaddr), mode)
}
-probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
+probe nd_syscall.mkdir.return = kprobe.function("SyS_mkdir").return ?,
+ kprobe.function("sys_mkdir").return ?
+{
name = "mkdir"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# mkdirat ____________________________________________________
# new function with 2.6.16
# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
-probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? {
+probe nd_syscall.mkdirat = kprobe.function("SyS_mkdirat") ?,
+ kprobe.function("sys_mkdirat") ?
+{
name = "mkdirat"
- dirfd = $dfd
- pathname = user_string($pathname)
- mode = $mode
- argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+ // dirfd = $dfd
+ // pathname = user_string($pathname)
+ // mode = $mode
+ // argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+ asmlinkage()
+ dirfd = int_arg(1)
+ pathname = user_string(pointer_arg(2))
+ mode = int_arg(3)
+ argstr = sprintf("%d, %s, %#o", dirfd, user_string_quoted(pointer_arg(2)), mode)
}
-probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? {
+probe nd_syscall.mkdirat.return = kprobe.function("SyS_mkdirat").return ?,
+ kprobe.function("sys_mkdirat").return ?
+{
name = "mkdirat"
retstr = returnstr(1)
}
# mknod
# long sys_mknod(const char __user * filename, int mode, unsigned dev)
-probe nd_syscall.mknod = kernel.function("sys_mknod") {
+probe nd_syscall.mknod = kprobe.function("SyS_mknod") ?,
+ kprobe.function("sys_mknod") ?
+{
name = "mknod"
- pathname = user_string($filename)
- mode = $mode
- dev = $dev
- argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+ // pathname = user_string($filename)
+ // mode = $mode
+ // dev = $dev
+ // argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+ asmlinkage()
+ pathname = user_string(pointer_arg(1))
+ mode = int_arg(2)
+ dev = uint_arg(3)
+ argstr = sprintf("%s, %s, %p", user_string_quoted(pointer_arg(1)), _mknod_mode_str(mode), dev)
}
-probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
+probe nd_syscall.mknod.return = kprobe.function("SyS_mknod").return ?,
+ kprobe.function("sys_mknod").return ?
+{
name = "mknod"
retstr = returnstr(1)
}
+# mknodat ____________________________________________________
+# new function with 2.6.16
+# long sys_mknodat(int dfd, const char __user *filename,
+# int mode, unsigned dev)
+probe nd_syscall.mknodat = kprobe.function("SyS_mknodat") ?,
+ kprobe.function("sys_mknodat") ?
+{
+ name = "mknodat"
+ // dirfd = $dfd
+ // dirfd_str = _dfd_str($dfd)
+ // pathname = user_string($filename)
+ // mode = $mode
+ // mode_str = _mknod_mode_str($mode)
+ // dev = $dev
+ // argstr = sprintf("%s, %s, %s, %p",
+ // dirfd_str, user_string_quoted($filename), mode_str, $dev)
+ asmlinkage()
+ dirfd = int_arg(1)
+ dirfd_str = _dfd_str(dirfd)
+ pathname = user_string(pointer_arg(2))
+ mode = int_arg(3)
+ mode_str = _mknod_mode_str(mode)
+ dev = uint_arg(4)
+ argstr = sprintf("%s, %s, %s, %p",
+ dirfd_str, user_string_quoted(pointer_arg(2)), mode_str, dev)
+}
+probe nd_syscall.mknodat.return = kprobe.function("SyS_mknodat").return ?,
+ kprobe.function("sys_mknodat").return ?
+{
+ name = "mknodat"
+ retstr = returnstr(1)
+}
+
# mlock ______________________________________________________
#
# long sys_mlock(unsigned long start, size_t len)
#
-probe nd_syscall.mlock = kernel.function("sys_mlock") ? {
+probe nd_syscall.mlock = kprobe.function("SyS_mlock") ?,
+ kprobe.function("sys_mlock") ?
+{
name = "mlock"
- addr = $start
- len = $len
- argstr = sprintf("%p, %d", $start, $len)
+ // addr = $start
+ // len = $len
+ // argstr = sprintf("%p, %d", $start, $len)
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
+ argstr = sprintf("%p, %d", addr, len)
}
-probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
+probe nd_syscall.mlock.return = kprobe.function("SyS_mlock").return ?,
+ kprobe.function("sys_mlock").return ?
+{
name = "mlock"
retstr = returnstr(1)
}
@@ -2544,12 +3533,19 @@ probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
#
# long sys_mlockall(int flags)
#
-probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? {
+probe nd_syscall.mlockall = kprobe.function("SyS_mlockall") ?,
+ kprobe.function("sys_mlockall") ?
+{
name = "mlockall"
- flags = $flags
- argstr = _mlockall_flags_str($flags)
+ // flags = $flags
+ // argstr = _mlockall_flags_str($flags)
+ asmlinkage()
+ flags = int_arg(1)
+ argstr = _mlockall_flags_str(flags)
}
-probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
+probe nd_syscall.mlockall.return = kprobe.function("SyS_mlockall").return ?,
+ kprobe.function("sys_mlockall").return ?
+{
name = "mlockall"
retstr = returnstr(1)
}
@@ -2557,14 +3553,21 @@ probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
# modify_ldt _________________________________________________
# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
#
-probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
+probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ?
+{
name = "modify_ldt"
- func = $func
- ptr_uaddr = $ptr
- bytecount = $bytecount
- argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+ // func = $func
+ // ptr_uaddr = $ptr
+ // bytecount = $bytecount
+ // argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+ asmlinkage()
+ func = int_arg(1)
+ ptr_uaddr = pointer_arg(2)
+ bytecount = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", func, ptr_uaddr, bytecount)
}
-probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
+probe nd_syscall.modify_ldt.return = kprobe.function("sys_modify_ldt").return ?
+{
name = "modify_ldt"
retstr = returnstr(1)
}
@@ -2582,16 +3585,18 @@ probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ?
# int __user *status,
# int flags)
#
-probe nd_syscall.move_pages =
- kernel.function("sys_move_pages") ?,
- kernel.function("compat_sys_move_pages") ?
+probe nd_syscall.move_pages = kprobe.function("compat_sys_move_pages") ?,
+ kprobe.function("SyS_move_pages") ?,
+ kprobe.function("sys_move_pages") ?
{
name = "move_pages"
- argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+ // argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6))
}
-probe nd_syscall.move_pages.return =
- kernel.function("sys_move_pages").return ?,
- kernel.function("compat_sys_move_pages").return ?
+probe nd_syscall.move_pages.return = kprobe.function("compat_sys_move_pages").return ?,
+ kprobe.function("SyS_move_pages").return ?,
+ kprobe.function("sys_move_pages").return ?
{
name = "move_pages"
retstr = returnstr(1)
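Review bot: The new `argstr` reads positions 1, 2, 4, 5 and 6, and nothing in the probe says why position 3 is skipped. The removed line printed `$pid, $nr_pages, $nodes, $status, $flags`, so the gap is presumably the `pages` array and is intentional, but with positional accessors it reads like an off-by-one. A one-line comment would settle it, e.g. `// arg 3 (pages) is deliberately not printed`. The start of the prototype comment is outside this hunk, so the argument order should be confirmed against it.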
@@ -2603,31 +3608,43 @@ probe nd_syscall.move_pages.return =
# char __user * type,
# unsigned long flags,
# void __user * data)
-# long compat_sys_mount(char __user * dev_name,
+# long compat_sys_mount(char __user * dev_name,
# char __user * dir_name,
-# char __user * type,
-# unsigned long flags,
+# char __user * type,
+# unsigned long flags,
# void __user * data)
-probe nd_syscall.mount =
- kernel.function("sys_mount"),
- kernel.function("compat_sys_mount") ?
+probe nd_syscall.mount = kprobe.function("compat_sys_mount") ?,
+ kprobe.function("SyS_mount") ?,
+ kprobe.function("sys_mount") ?
{
name = "mount"
- source = user_string($dev_name)
- target = user_string($dir_name)
- filesystemtype = user_string($type)
- mountflags = $flags
- mountflags_str = _mountflags_str($flags)
- data = text_strn(user_string($data),syscall_string_trunc,1)
- argstr = sprintf("%s, %s, %s, %s, %s",
- user_string_quoted($dev_name),
- user_string_quoted($dir_name),
- user_string_quoted($type),
+ // source = user_string($dev_name)
+ // target = user_string($dir_name)
+ // filesystemtype = user_string($type)
+ // mountflags = $flags
+ // mountflags_str = _mountflags_str($flags)
+ // data = text_strn(user_string($data), syscall_string_trunc, 1)
+ // argstr = sprintf("%s, %s, %s, %s, %s",
+ // user_string_quoted($dev_name),
+ // user_string_quoted($dir_name),
+ // user_string_quoted($type),
+ // mountflags_str, data)
+ asmlinkage()
+ source = user_string(pointer_arg(1))
+ target = user_string(pointer_arg(2))
+ filesystemtype = user_string(pointer_arg(3))
+ mountflags = ulong_arg(4)
+ mountflags_str = _mountflags_str(mountflags)
+ data = text_strn(user_string(pointer_arg(5)), syscall_string_trunc, 1)
+ argstr = sprintf("%s, %s, %s, %s, %s",
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)),
+ user_string_quoted(pointer_arg(3)),
mountflags_str, data)
}
-probe nd_syscall.mount.return =
- kernel.function("sys_mount").return,
- kernel.function("compat_sys_mount").return ?
+probe nd_syscall.mount.return = kprobe.function("compat_sys_mount").return ?,
+ kprobe.function("SyS_mount").return ?,
+ kprobe.function("sys_mount").return ?
{
name = "mount"
retstr = returnstr(1)
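Review bot: Every alternative of `nd_syscall.mount` and its `.return` is now optional (`?`), whereas the removed code had `kernel.function("sys_mount")` as a mandatory probe point. If none of `compat_sys_mount`, `SyS_mount` or `sys_mount` resolves, the alias presumably expands to nothing without an error, and a script relying on it to observe mounts loses coverage silently. The munmap probes in the last hunk of this file make the same mandatory-to-optional change. If that is intended, say so in a comment, e.g. `// all alternatives optional: exactly one of SyS_/sys_ is expected to exist`. It is also worth confirming that `SyS_mount` and `sys_mount` cannot both register at the same address, which would fire the handler twice.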
@@ -2636,15 +3653,25 @@ probe nd_syscall.mount.return =
# mprotect ___________________________________________________
# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
#
-probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? {
+probe nd_syscall.mprotect = kprobe.function("SyS_mprotect") ?,
+ kprobe.function("sys_mprotect") ?
+{
name = "mprotect"
- addr = $start
- len = $len
- prot = $prot
- prot_str = _mprotect_prot_str($prot)
- argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
-}
-probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
+ // addr = $start
+ // len = $len
+ // prot = $prot
+ // prot_str = _mprotect_prot_str($prot)
+ // argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
+ prot = ulong_arg(3)
+ prot_str = _mprotect_prot_str(prot)
+ argstr = sprintf("%p, %d, %s", addr, len, _mprotect_prot_str(prot))
+}
+probe nd_syscall.mprotect.return = kprobe.function("SyS_mprotect").return ?,
+ kprobe.function("sys_mprotect").return ?
+{
name = "mprotect"
retstr = returnstr(1)
}
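Review bot: `_mprotect_prot_str(prot)` is evaluated twice in the entry probe, once for `prot_str` and again inside `sprintf`. The second call can use the value already stored: `argstr = sprintf("%p, %d, %s", addr, len, prot_str)`. The msgget hunk further down repeats this with `_sys_open_flag_str(msgflg)` and `msgflg_str`.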
@@ -2657,19 +3684,24 @@ probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
# const struct compat_mq_attr __user *u_mqstat,
# struct compat_mq_attr __user *u_omqstat)
#
-probe nd_syscall.mq_getsetattr =
- kernel.function("sys_mq_getsetattr") ?,
- kernel.function("compat_sys_mq_getsetattr") ?
+probe nd_syscall.mq_getsetattr = kprobe.function("compat_sys_mq_getsetattr") ?,
+ kprobe.function("SyS_mq_getsetattr") ?,
+ kprobe.function("sys_mq_getsetattr") ?
{
name = "mq_getsetattr"
- mqdes = $mqdes
- u_mqstat_uaddr = $u_mqstat
- u_omqstat_uaddr = $u_omqstat
- argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
-}
-probe nd_syscall.mq_getsetattr.return =
- kernel.function("sys_mq_getsetattr").return ?,
- kernel.function("compat_sys_mq_getsetattr").return ?
+ // mqdes = $mqdes
+ // u_mqstat_uaddr = $u_mqstat
+ // u_omqstat_uaddr = $u_omqstat
+ // argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+ asmlinkage()
+ mqdes = int_arg(1)
+ u_mqstat_uaddr = pointer_arg(2)
+ u_omqstat_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", mqdes, u_mqstat_uaddr, u_omqstat_uaddr)
+}
+probe nd_syscall.mq_getsetattr.return = kprobe.function("compat_sys_mq_getsetattr").return ?,
+ kprobe.function("SyS_mq_getsetattr").return ?,
+ kprobe.function("sys_mq_getsetattr").return ?
{
name = "mq_getsetattr"
retstr = returnstr(1)
@@ -2679,18 +3711,22 @@ probe nd_syscall.mq_getsetattr.return =
# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
# long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
#
-probe nd_syscall.mq_notify =
- kernel.function("sys_mq_notify") ?,
- kernel.function("compat_sys_mq_notify") ?
+probe nd_syscall.mq_notify = kprobe.function("compat_sys_mq_notify") ?,
+ kprobe.function("SyS_mq_notify") ?,
+ kprobe.function("sys_mq_notify") ?
{
name = "mq_notify"
- mqdes = $mqdes
- notification_uaddr = $u_notification
- argstr = sprintf("%d, %p", $mqdes, $u_notification)
+ // mqdes = $mqdes
+ // notification_uaddr = $u_notification
+ // argstr = sprintf("%d, %p", $mqdes, $u_notification)
+ asmlinkage()
+ mqdes = int_arg(1)
+ notification_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", mqdes, notification_uaddr)
}
-probe nd_syscall.mq_notify.return =
- kernel.function("sys_mq_notify").return ?,
- kernel.function("compat_sys_mq_notify").return ?
+probe nd_syscall.mq_notify.return = kprobe.function("compat_sys_mq_notify").return ?,
+ kprobe.function("SyS_mq_notify").return ?,
+ kprobe.function("sys_mq_notify").return ?
{
name = "mq_notify"
retstr = returnstr(1)
@@ -2705,9 +3741,9 @@ probe nd_syscall.mq_notify.return =
# int oflag, compat_mode_t mode,
# struct compat_mq_attr __user *u_attr)
#
-probe nd_syscall.mq_open =
- kernel.function("sys_mq_open") ?,
- kernel.function("compat_sys_mq_open") ?
+probe nd_syscall.mq_open = kprobe.function("compat_sys_mq_open") ?,
+ kprobe.function("SyS_mq_open") ?,
+ kprobe.function("sys_mq_open") ?
{
name = "mq_open"
// name_uaddr = $u_name
@@ -2733,9 +3769,9 @@ probe nd_syscall.mq_open =
else
argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag))
}
-probe nd_syscall.mq_open.return =
- kernel.function("sys_mq_open").return ?,
- kernel.function("compat_sys_mq_open").return ?
+probe nd_syscall.mq_open.return = kprobe.function("compat_sys_mq_open").return ?,
+ kprobe.function("SyS_mq_open").return ?,
+ kprobe.function("sys_mq_open").return ?
{
name = "mq_open"
retstr = returnstr(1)
@@ -2752,22 +3788,30 @@ probe nd_syscall.mq_open.return =
# size_t msg_len, unsigned int __user *u_msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe nd_syscall.mq_timedreceive =
- kernel.function("sys_mq_timedreceive") ?,
- kernel.function("compat_sys_mq_timedreceive") ?
+probe nd_syscall.mq_timedreceive = kprobe.function("compat_sys_mq_timedreceive") ?,
+ kprobe.function("SyS_mq_timedreceive") ?,
+ kprobe.function("sys_mq_timedreceive") ?
{
name = "mq_timedreceive"
- mqdes = $mqdes
- msg_ptr_uaddr = $u_msg_ptr
- msg_len = $msg_len
- msg_prio_uaddr = $u_msg_prio
- abs_timout_uaddr = $u_abs_timeout
- argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
- $u_msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedreceive.return =
- kernel.function("sys_mq_timedreceive").return ?,
- kernel.function("compat_sys_mq_timedreceive").return ?
+ // mqdes = $mqdes
+ // msg_ptr_uaddr = $u_msg_ptr
+ // msg_len = $msg_len
+ // msg_prio_uaddr = $u_msg_prio
+ // abs_timout_uaddr = $u_abs_timeout
+ // argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
+ // $u_msg_prio, $u_abs_timeout)
+ asmlinkage()
+ mqdes = int_arg(1)
+ msg_ptr_uaddr = pointer_arg(2)
+ msg_len = ulong_arg(3)
+ msg_prio_uaddr = pointer_arg(4)
+ abs_timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %d, %p, %p", mqdes, msg_ptr_uaddr, msg_len,
+ msg_prio_uaddr, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedreceive.return = kprobe.function("compat_sys_mq_timedreceive").return ?,
+ kprobe.function("SyS_mq_timedreceive").return ?,
+ kprobe.function("sys_mq_timedreceive").return ?
{
name = "mq_timedreceive"
retstr = returnstr(1)
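Review bot: The entry probe now exports `abs_timeout_uaddr`, while the removed code exported `abs_timout_uaddr`. The old spelling was a typo, but it was the tapset's public variable name, so existing scripts that read it will stop compiling against this probe. If the DWARF-based `syscall.mq_timedreceive` still uses the old spelling, the two tapsets also diverge. Either keep the old name as an alias alongside the corrected one (`abs_timout_uaddr = abs_timeout_uaddr`) or rename it in both tapsets in the same change.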
@@ -2784,22 +3828,30 @@ probe nd_syscall.mq_timedreceive.return =
# size_t msg_len, unsigned int msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe nd_syscall.mq_timedsend =
- kernel.function("sys_mq_timedsend") ?,
- kernel.function("compat_sys_mq_timedsend") ?
+probe nd_syscall.mq_timedsend = kprobe.function("compat_sys_mq_timedsend") ?,
+ kprobe.function("SyS_mq_timedsend") ?,
+ kprobe.function("sys_mq_timedsend") ?
{
name = "mq_timedsend"
- mqdes = $mqdes
- msg_ptr_uaddr = $u_msg_ptr
- msg_len = $msg_len
- msg_prio = $msg_prio
- abs_timeout_uaddr = $u_abs_timeout
- argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
- $msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedsend.return =
- kernel.function("sys_mq_timedsend").return ?,
- kernel.function("compat_sys_mq_timedsend").return ?
+ // mqdes = $mqdes
+ // msg_ptr_uaddr = $u_msg_ptr
+ // msg_len = $msg_len
+ // msg_prio = $msg_prio
+ // abs_timeout_uaddr = $u_abs_timeout
+ // argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
+ // $msg_prio, $u_abs_timeout)
+ asmlinkage()
+ mqdes = int_arg(1)
+ msg_ptr_uaddr = pointer_arg(2)
+ msg_len = ulong_arg(3)
+ msg_prio = uint_arg(4)
+ abs_timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %d, %d, %p", mqdes, msg_ptr_uaddr, msg_len,
+ msg_prio, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedsend.return = kprobe.function("compat_sys_mq_timedsend").return ?,
+ kprobe.function("SyS_mq_timedsend").return ?,
+ kprobe.function("sys_mq_timedsend").return ?
{
name = "mq_timedsend"
retstr = returnstr(1)
@@ -2808,13 +3860,21 @@ probe nd_syscall.mq_timedsend.return =
# mq_unlink __________________________________________________
# long sys_mq_unlink(const char __user *u_name)
#
-probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? {
+probe nd_syscall.mq_unlink = kprobe.function("SyS_mq_unlink") ?,
+ kprobe.function("sys_mq_unlink") ?
+{
name = "mq_unlink"
- u_name_uaddr = $u_name
- u_name = user_string($u_name)
- argstr = user_string_quoted($u_name)
+ // u_name_uaddr = $u_name
+ // u_name = user_string($u_name)
+ // argstr = user_string_quoted($u_name)
+ asmlinkage()
+ u_name_uaddr = pointer_arg(1)
+ u_name = user_string(u_name_uaddr)
+ argstr = user_string_quoted(u_name_uaddr)
}
-probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
+probe nd_syscall.mq_unlink.return = kprobe.function("SyS_mq_unlink").return ?,
+ kprobe.function("sys_mq_unlink").return ?
+{
name = "mq_unlink"
retstr = returnstr(1)
}
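Review bot: `u_name` and `argstr` are filled by two separate reads of the same user address, `user_string(u_name_uaddr)` and `user_string_quoted(u_name_uaddr)`. Both are taken at entry, presumably before the kernel makes its own copy of the name. If another thread rewrites the buffer, the two values can differ from each other and from the name the kernel acts on. Since this output may feed audit-style tracing, a comment would help readers, e.g. `// sampled from user memory at entry; may differ from the kernel's copy`. The mount hunk above has the same shape for `source`, `target` and `filesystemtype`.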
@@ -2826,22 +3886,30 @@ probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
# unsigned long flags,
# unsigned long new_addr)
#
-probe nd_syscall.mremap =
- kernel.function("sys_mremap") ?,
- kernel.function("ia64_mremap") ?
+probe nd_syscall.mremap = kprobe.function("ia64_mremap") ?,
+ kprobe.function("SyS_mremap") ?,
+ kprobe.function("sys_mremap") ?
{
name = "mremap"
- old_address = $addr
- old_size = $old_len
- new_size = $new_len
- flags = $flags
- new_address = $new_addr
- argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
- _mremap_flags($flags), $new_addr)
-}
-probe nd_syscall.mremap.return =
- kernel.function("sys_mremap").return ?,
- kernel.function("ia64_mremap").return ?
+ // old_address = $addr
+ // old_size = $old_len
+ // new_size = $new_len
+ // flags = $flags
+ // new_address = $new_addr
+ // argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
+ // _mremap_flags($flags), $new_addr)
+ asmlinkage()
+ old_address = ulong_arg(1)
+ old_size = ulong_arg(2)
+ new_size = ulong_arg(3)
+ flags = ulong_arg(4)
+ new_address = ulong_arg(5)
+ argstr = sprintf("%p, %d, %d, %s, %p", old_address, old_size, new_size,
+ _mremap_flags(flags), new_address)
+}
+probe nd_syscall.mremap.return = kprobe.function("ia64_mremap").return ?,
+ kprobe.function("SyS_mremap").return ?,
+ kprobe.function("sys_mremap").return ?
{
name = "mremap"
retstr = returnstr(2)
@@ -2850,14 +3918,23 @@ probe nd_syscall.mremap.return =
# msgctl _____________________________________________________
# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
#
-probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? {
+probe nd_syscall.msgctl = kprobe.function("SyS_msgctl") ?,
+ kprobe.function("sys_msgctl") ?
+{
name = "msgctl"
- msqid = $msqid
- cmd = $cmd
- buf_uaddr = $buf
- argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+ // msqid = $msqid
+ // cmd = $cmd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+ asmlinkage()
+ msqid = int_arg(1)
+ cmd = int_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", msqid, cmd, buf_uaddr)
}
-probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
+probe nd_syscall.msgctl.return = kprobe.function("SyS_msgctl").return ?,
+ kprobe.function("sys_msgctl").return ?
+{
name = "msgctl"
retstr = returnstr(1)
}
@@ -2865,11 +3942,15 @@ probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
#
# long compat_sys_msgctl(int first, int second, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? {
+probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ?
+{
name = "compat_sys_msgctl"
- argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ // argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p", int_arg(1), int_arg(2), pointer_arg(3))
}
-probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? {
+probe nd_syscall.compat_sys_msgctl.return = kprobe.function("compat_sys_msgctl").return ?
+{
name = "compat_sys_msgctl"
retstr = returnstr(1)
}
@@ -2877,14 +3958,23 @@ probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl")
# msgget _____________________________________________________
# long sys_msgget (key_t key, int msgflg)
#
-probe nd_syscall.msgget = kernel.function("sys_msgget") ? {
+probe nd_syscall.msgget = kprobe.function("SyS_msgget") ?,
+ kprobe.function("sys_msgget") ?
+{
name = "msgget"
- key = $key
- msgflg = $msgflg
- msgflg_str = _sys_open_flag_str($msgflg)
- argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+ // key = $key
+ // msgflg = $msgflg
+ // msgflg_str = _sys_open_flag_str($msgflg)
+ // argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+ asmlinkage()
+ key = int_arg(1)
+ msgflg = int_arg(2)
+ msgflg_str = _sys_open_flag_str(msgflg)
+ argstr = sprintf("%d, %s", key, _sys_open_flag_str(msgflg))
}
-probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
+probe nd_syscall.msgget.return = kprobe.function("SyS_msgget").return ?,
+ kprobe.function("sys_msgget").return ?
+{
name = "msgget"
retstr = returnstr(1)
}
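Review bot: `msgflg` is decoded with `_sys_open_flag_str()`, which interprets the bits as open(2) flags, so `msgflg_str` can name the wrong flag. IPC flag values differ: IPC_CREAT is 01000, which on x86 is the value of O_TRUNC, and the low bits of `msgflg` are permission bits. This is carried over from the removed `$msgflg` lines rather than introduced here, but the rewrite is a good point to fix it. No IPC-specific decoder is visible in this hunk, so one may have to be added. Until then a comment such as `// NOTE: decoded as open(2) flags; IPC_* names are not shown` would keep readers of the trace from trusting the string.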
@@ -2896,16 +3986,27 @@ probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
# long msgtyp,
# int msgflg)
#
-probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? {
+probe nd_syscall.msgrcv = kprobe.function("SyS_msgrcv") ?,
+ kprobe.function("sys_msgrcv") ?
+{
name = "msgrcv"
- msqid = $msqid
- msgp_uaddr = $msgp
- msgsz = $msgsz
- msgtyp = $msgtyp
- msgflg = $msgflg
- argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
-}
-probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
+ // msqid = $msqid
+ // msgp_uaddr = $msgp
+ // msgsz = $msgsz
+ // msgtyp = $msgtyp
+ // msgflg = $msgflg
+ // argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
+ asmlinkage()
+ msqid = int_arg(1)
+ msgp_uaddr = pointer_arg(2)
+ msgsz = ulong_arg(3)
+ msgtyp = long_arg(4)
+ msgflg = int_arg(5)
+ argstr = sprintf("%d, %p, %d, %d, %d", msqid, msgp_uaddr, msgsz, msgtyp, msgflg)
+}
+probe nd_syscall.msgrcv.return = kprobe.function("SyS_msgrcv").return ?,
+ kprobe.function("sys_msgrcv").return ?
+{
name = "msgrcv"
retstr = returnstr(1)
}
@@ -2914,11 +4015,15 @@ probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
# long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
# int version, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? {
+probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ?
+{
name = "compat_sys_msgrcv"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(5))
}
-probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? {
+probe nd_syscall.compat_sys_msgrcv.return = kprobe.function("compat_sys_msgrcv").return ?
+{
name = "compat_sys_msgrcv"
retstr = returnstr(1)
}
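Review bot: The positional indices in the new `argstr` do not match the prototype in the comment above, `compat_sys_msgrcv(int first, int second, int msgtyp, int third, int version, void __user *uptr)`. There `int_arg(3)` is `msgtyp` and `pointer_arg(5)` is `version`, while the removed line printed `$third` and `$uptr`. To keep the same output the line should read `argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(4), pointer_arg(6))`. As written, the last field shows an integer formatted as a pointer, which misleads anyone using the trace to locate the user buffer.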
@@ -2929,15 +4034,25 @@ probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv")
# size_t msgsz,
# int msgflg)
#
-probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? {
+probe nd_syscall.msgsnd = kprobe.function("SyS_msgsnd") ?,
+ kprobe.function("sys_msgsnd") ?
+{
name = "msgsnd"
- msqid = $msqid
- msgp_uaddr = $msgp
- msgsz = $msgsz
- msgflg = $msgflg
- argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
-}
-probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
+ // msqid = $msqid
+ // msgp_uaddr = $msgp
+ // msgsz = $msgsz
+ // msgflg = $msgflg
+ // argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+ asmlinkage()
+ msqid = int_arg(1)
+ msgp_uaddr = pointer_arg(2)
+ msgsz = ulong_arg(3)
+ msgflg = int_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
+}
+probe nd_syscall.msgsnd.return = kprobe.function("SyS_msgsnd").return ?,
+ kprobe.function("sys_msgsnd").return ?
+{
name = "msgsnd"
retstr = returnstr(1)
}
@@ -2945,62 +4060,90 @@ probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
#
# long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? {
+probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ?
+{
name = "compat_sys_msgsnd"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4))
}
-probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? {
+probe nd_syscall.compat_sys_msgsnd.return = kprobe.function("compat_sys_msgsnd").return ?
+{
name = "compat_sys_msgsnd"
retstr = returnstr(1)
}
# msync ______________________________________________________
# long sys_msync(unsigned long start, size_t len, int flags)
-probe nd_syscall.msync = kernel.function("sys_msync") ? {
+probe nd_syscall.msync = kprobe.function("SyS_msync") ?,
+ kprobe.function("sys_msync") ?
+{
name = "msync"
- start = $start
- length = $len
- flags = $flags
- argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
+ // start = $start
+ // length = $len
+ // flags = $flags
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ flags = int_arg(3)
+ argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags))
}
-probe nd_syscall.msync.return = kernel.function("sys_msync").return ? {
+probe nd_syscall.msync.return = kprobe.function("SyS_msync").return ?,
+ kprobe.function("sys_msync").return ?
+{
name = "msync"
retstr = returnstr(1)
}
# munlock ____________________________________________________
# long sys_munlock(unsigned long start, size_t len)
-probe nd_syscall.munlock = kernel.function("sys_munlock") ? {
+probe nd_syscall.munlock = kprobe.function("SyS_munlock") ?,
+ kprobe.function("sys_munlock") ?
+{
name = "munlock"
- addr = $start
- len = $len
+ // addr = $start
+ // len = $len
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
argstr = sprintf("%p, %d", addr, len)
}
-probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? {
+probe nd_syscall.munlock.return = kprobe.function("SyS_munlock").return ?,
+ kprobe.function("sys_munlock").return ?
+{
name = "munlock"
retstr = returnstr(1)
}
# munlockall _________________________________________________
# long sys_munlockall(void)
-probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? {
+probe nd_syscall.munlockall = kprobe.function("sys_munlockall") ?
+{
name = "munlockall"
argstr = ""
}
-probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
+probe nd_syscall.munlockall.return = kprobe.function("sys_munlockall").return ?
+{
name = "munlockall"
retstr = returnstr(1)
}
# munmap _____________________________________________________
# long sys_munmap(unsigned long addr, size_t len)
-probe nd_syscall.munmap = kernel.function("sys_munmap") {
+probe nd_syscall.munmap = kprobe.function("SyS_munmap") ?,
+ kprobe.function("sys_munmap") ?
+{
name = "munmap"
- start = $addr
- length = $len
+ // start = $addr
+ // length = $len
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
argstr = sprintf("%p, %d", start, length)
}
-probe nd_syscall.munmap.return = kernel.function("sys_munmap").return {
+probe nd_syscall.munmap.return = kprobe.function("SyS_munmap").return ?,
+ kprobe.function("sys_munmap").return ?
+{
name = "munmap"
retstr = returnstr(1)
}
diff --git a/tapset/nd_syscalls2.stp b/tapset/nd_syscalls2.stp
new file mode 100644
index 00000000..c93bf9f7
--- /dev/null
+++ b/tapset/nd_syscalls2.stp
@@ -0,0 +1,4487 @@
+// syscalls tapset part 2 [N-Z]
+// Copyright (C) 2005 IBM Corp.
+// Copyright (C) 2005, 2006, 2007 Red Hat Inc.
+// Copyright (C) 2007 Quentin Barnes.
+//
+// This file is part of systemtap, and is free software. You can
+// redistribute it and/or modify it under the terms of the GNU General
+// Public License (GPL); either version 2, or (at your option) any
+// later version.
+
+/* Each syscall returns the calls parameters. In addition, the following
+* variables are set:
+*
+* name - generally the syscall name minus the "sys_".
+*
+* argstr - a string containing the decoded args in an easy-to-read format.
+* It doesn't need to contain everything, but should have all the
+* important args. Set in entry probes only.
+*
+* retstr - a string containing the return value in an easy-to-read format.
+* Set in return probes only.
+*/
+
+# nanosleep __________________________________________________
+#
+# long sys_nanosleep(struct timespec __user *rqtp,
+# struct timespec __user *rmtp)
+# long compat_sys_nanosleep(struct compat_timespec __user *rqtp,
+# struct compat_timespec __user *rmtp)
+#
+probe nd_syscall.nanosleep = kprobe.function("SyS_nanosleep") ?,
+ kprobe.function("sys_nanosleep") ?
+{
+ name = "nanosleep"
+ // req_uaddr = $rqtp
+ // rem_uaddr = $rmtp
+ // argstr = sprintf("%s, %p", _struct_timespec_u($rqtp, 1), $rmtp)
+ asmlinkage()
+ req_uaddr = pointer_arg(1)
+ rem_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _struct_timespec_u(req_uaddr, 1), rem_uaddr)
+}
+probe nd_syscall.nanosleep.return = kprobe.function("SyS_nanosleep").return ?,
+ kprobe.function("sys_nanosleep").return ?
+{
+ name = "nanosleep"
+ retstr = returnstr(1)
+}
+probe nd_syscall.compat_nanosleep = kprobe.function("compat_sys_nanosleep") ?
+{
+ name = "nanosleep"
+ // req_uaddr = $rqtp
+ // rem_uaddr = $rmtp
+ // argstr = sprintf("%s, %p", _struct_compat_timespec_u($rqtp, 1), $rmtp)
+ asmlinkage()
+ req_uaddr = pointer_arg(1)
+ rem_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _struct_compat_timespec_u(req_uaddr, 1), rem_uaddr)
+}
+probe nd_syscall.compat_nanosleep.return = kprobe.function("compat_sys_nanosleep").return ?
+{
+ name = "nanosleep"
+ retstr = returnstr(1)
+}
+
+# nfsservctl _________________________________________________
+#
+# long sys_nfsservctl(int cmd, struct nfsctl_arg __user *arg, void __user *res)
+# long compat_sys_nfsservctl(int cmd, struct compat_nfsctl_arg __user *arg,
+# union compat_nfsctl_res __user *res)
+#
+probe nd_syscall.nfsservctl = kprobe.function("sys_nfsservctl") ?,
+ kprobe.function("compat_sys_nfsservctl") ?
+{
+ name = "nfsservctl"
+ // cmd = $cmd
+ // argp_uaddr = $arg
+ // resp_uaddr = $res
+ // argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str($cmd), $arg, $res)
+ asmlinkage()
+ cmd = int_arg(1)
+ argp_uaddr = pointer_arg(2)
+ resp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str(cmd), argp_uaddr, resp_uaddr)
+}
+probe nd_syscall.nfsservctl.return = kprobe.function("sys_nfsservctl").return ?,
+ kprobe.function("compat_sys_nfsservctl").return ?
+{
+ name = "nfsservctl"
+ retstr = returnstr(1)
+}
+
+# nice _______________________________________________________
+# long sys_nice(int increment)
+#
+probe nd_syscall.nice = kprobe.function("SyS_nice") ?,
+ kprobe.function("sys_nice") ?
+{
+ name = "nice"
+ // inc = $increment
+ // argstr = sprintf("%d", $increment)
+ asmlinkage()
+ inc = int_arg(1)
+ argstr = sprintf("%d", inc)
+}
+probe nd_syscall.nice.return = kprobe.function("SyS_nice").return ?,
+ kprobe.function("sys_nice").return ?
+{
+ name = "nice"
+ retstr = returnstr(1)
+}
+
+# ni_syscall _________________________________________________
+#
+# long sys_ni_syscall(void)
+#
+probe nd_syscall.ni_syscall = kprobe.function("sys_ni_syscall")
+{
+ name = "ni_syscall"
+ argstr = ""
+}
+probe nd_syscall.ni_syscall.return = kprobe.function("sys_ni_syscall").return
+{
+ name = "ni_syscall"
+ retstr = returnstr(1)
+}
+
+# open _______________________________________________________
+# long sys_open(const char __user * filename, int flags, int mode)
+# (obsolete) long sys32_open(const char * filename, int flags, int mode)
+#
+probe nd_syscall.open = kprobe.function("compat_sys_open") ?,
+ kprobe.function("sys32_open") ?,
+ kprobe.function("SyS_open") ?,
+ kprobe.function("sys_open") ?
+{
+ name = "open"
+ // filename = user_string($filename)
+ // flags = $flags
+ // mode = $mode
+ // if (flags & 64)
+ // argstr = sprintf("%s, %s, %#o", user_string_quoted($filename),
+ // _sys_open_flag_str($flags), $mode)
+ // else
+ // argstr = sprintf("%s, %s", user_string_quoted($filename),
+ // _sys_open_flag_str($flags))
+ asmlinkage()
+ filename = user_string(pointer_arg(1))
+ flags = int_arg(2)
+ mode = int_arg(3)
+ if (flags & 64)
+ argstr = sprintf("%s, %s, %#o", user_string_quoted(pointer_arg(1)),
+ _sys_open_flag_str(flags), mode)
+ else
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+ _sys_open_flag_str(flags))
+}
+probe nd_syscall.open.return = kprobe.function("compat_sys_open").return ?,
+ kprobe.function("sys32_open").return ?,
+ kprobe.function("SyS_open").return ?,
+ kprobe.function("sys_open").return ?
+{
+ name = "open"
+ retstr = returnstr(1)
+}
+
+# openat _______________________________________________________
+# long sys_openat(int dfd, const char __user *filename, int flags, int mode)
+# long compat_sys_openat(unsigned int dfd, const char __user *filename, int flags, int mode)
+#
+probe nd_syscall.openat = kprobe.function("compat_sys_openat") ?,
+ kprobe.function("SyS_openat") ?,
+ kprobe.function("sys_openat") ?
+{
+ name = "openat"
+ // filename = user_string($filename)
+ // flags = $flags
+ // mode = $mode
+ // if ($flags & 64)
+ // argstr = sprintf("%s, %s, %s, %#o", _dfd_str($dfd),
+ // user_string_quoted($filename),
+ // _sys_open_flag_str($flags), $mode)
+ // else
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd),
+ // user_string_quoted($filename),
+ // _sys_open_flag_str($flags))
+ asmlinkage()
+ filename = user_string(pointer_arg(2))
+ flags = int_arg(3)
+ mode = int_arg(4)
+ if (flags & 64)
+ argstr = sprintf("%s, %s, %s, %#o", _dfd_str(int_arg(1)),
+ user_string_quoted(pointer_arg(2)),
+ _sys_open_flag_str(flags), mode)
+ else
+ argstr = sprintf("%s, %s, %s", _dfd_str(int_arg(1)),
+ user_string_quoted(pointer_arg(2)),
+ _sys_open_flag_str(flags))
+}
+probe nd_syscall.openat.return = kprobe.function("compat_sys_openat").return ?,
+ kprobe.function("SyS_openat").return ?,
+ kprobe.function("sys_openat").return ?
+{
+ name = "openat"
+ retstr = returnstr(1)
+}
+
+# pause ______________________________________________________
+#
+# sys_pause(void)
+#
+probe nd_syscall.pause = kprobe.function("sys_pause") ?,
+ kprobe.function("sys32_pause") ?,
+ kprobe.function("compat_sys_pause") ?
+{
+ name = "pause"
+ argstr = ""
+}
+probe nd_syscall.pause.return = kprobe.function("sys_pause").return ?,
+ kprobe.function("sys32_pause").return ?,
+ kprobe.function("compat_sys_pause").return ?
+{
+ name = "pause"
+ retstr = returnstr(1)
+}
+
+# pciconfig_iobase ___________________________________________
+#
+# asmlinkage long
+# sys_pciconfig_iobase(long which,
+# unsigned long bus,
+# unsigned long dfn)
+#
+#
+#probe nd_syscall.pciconfig_iobase = kprobe.function("sys_pciconfig_iobase")
+#{
+# name = "pciconfig_iobase"
+# which = $which
+# bus = $bus
+# dfn = $dfn
+# argstr = sprintf("%p, %p, %p", which, bus, dfn)
+#}
+#probe nd_syscall.pciconfig_iobase.return = kprobe.function("sys_pciconfig_iobase").return
+#{
+# name = "pciconfig_iobase"
+# retstr = returnstr(1)
+#}
+
+# pciconfig_read _____________________________________________
+#
+# asmlinkage int
+# sys_pciconfig_read(unsigned long bus,
+# unsigned long dfn,
+# unsigned long off,
+# unsigned long len,
+# unsigned char *buf)
+# { return 0; }
+#
+#
+#probe nd_syscall.pciconfig_read = kprobe.function("sys_pciconfig_read")
+#{
+# name = "pciconfig_read"
+# bus = $bus
+# dfn = $dfn
+# off = $off
+# len = $len
+# buf_uaddr = $buf
+# argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
+# len, buf_uaddr)
+#}
+#probe nd_syscall.pciconfig_read.return = kprobe.function("sys_pciconfig_read").return
+#{
+# name = "pciconfig_read"
+# retstr = returnstr(1)
+#}
+
+# pciconfig_write ____________________________________________
+#
+# asmlinkage int
+# sys_pciconfig_write(unsigned long bus,
+# unsigned long dfn,
+# unsigned long off,
+# unsigned long len,
+# unsigned char *buf)
+#
+#
+#probe nd_syscall.pciconfig_write = kprobe.function("sys_pciconfig_write")
+#{
+# name = "pciconfig_write"
+# bus = $bus
+# dfn = $dfn
+# off = $off
+# len = $len
+# buf_uaddr = $buf
+# argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
+# len, buf_uaddr)
+#}
+#probe nd_syscall.pciconfig_write.return = kprobe.function("sys_pciconfig_write").return
+#{
+# name = "pciconfig_write"
+# retstr = returnstr(1)
+#}
+
+# personality ________________________________________________
+#
+# asmlinkage long
+# sys_personality(u_long personality)
+#
+probe nd_syscall.personality = kprobe.function("SyS_personality") ?,
+ kprobe.function("sys_personality") ?
+{
+ name = "personality"
+ // persona = $personality
+ asmlinkage()
+ persona = ulong_arg(1)
+ argstr = sprintf("%p", persona);
+}
+probe nd_syscall.personality.return = kprobe.function("SyS_personality").return ?,
+ kprobe.function("sys_personality").return ?
+{
+ name = "personality"
+ retstr = returnstr(1)
+}
+
+# pipe _______________________________________________________
+#
+# asmlinkage int
+# sys_pipe(unsigned long __user * fildes)
+#
+probe nd_syscall.pipe = kprobe.function("SyS_pipe") ?,
+ kprobe.function("sys_pipe") ?
+{
+ name = "pipe"
+%( arch == "ia64" %?
+# ia64 just returns value directly, no fildes argument
+ argstr = ""
+%:
+ // fildes_uaddr = $fildes
+ // argstr = _fildes_u($fildes)
+ %( arch != "ppc64" %? asmlinkage() %)
+ fildes_uaddr = pointer_arg(1)
+ argstr = _fildes_u(fildes_uaddr)
+%)
+}
+
+probe nd_syscall.pipe.return = kprobe.function("SyS_pipe").return ?,
+ kprobe.function("sys_pipe").return ?
+{
+ name = "pipe"
+ retstr = returnstr(1)
+}
+
+# pivot_root _________________________________________________
+#
+# long sys_pivot_root(const char __user *new_root, const char __user *put_old)
+#
+probe nd_syscall.pivot_root = kprobe.function("SyS_pivot_root") ?,
+ kprobe.function("sys_pivot_root") ?
+{
+ name = "pivot_root"
+ // new_root_str = user_string($new_root)
+ // old_root_str = user_string($put_old)
+ // argstr = sprintf("%s, %s", user_string_quoted($new_root),
+ // user_string_quoted($put_old))
+ asmlinkage()
+ new_root_str = user_string(pointer_arg(1))
+ old_root_str = user_string(pointer_arg(2))
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.pivot_root.return = kprobe.function("SyS_pivot_root").return ?,
+ kprobe.function("sys_pivot_root").return ?
+{
+ name = "pivot_root"
+ retstr = returnstr(1)
+}
+
+# poll _______________________________________________________
+#
+# long sys_poll(struct pollfd __user * ufds, unsigned int nfds, long timeout)
+#
+probe nd_syscall.poll = kprobe.function("SyS_poll") ?,
+ kprobe.function("sys_poll") ?
+{
+ name = "poll"
+ // ufds_uaddr = $ufds
+ // nfds = $nfds
+ // timeout = $timeout
+ // argstr = sprintf("%p, %d, %d", $ufds, $nfds, timeout)
+ asmlinkage()
+ ufds_uaddr = pointer_arg(1)
+ nfds = uint_arg(2)
+ timeout = long_arg(3)
+ argstr = sprintf("%p, %d, %d", ufds_uaddr, nfds, timeout)
+}
+probe nd_syscall.poll.return = kprobe.function("SyS_poll").return ?,
+ kprobe.function("sys_poll").return ?
+{
+ name = "poll"
+ retstr = returnstr(1)
+}
+
+# ppoll _______________________________________________________
+#
+# long sys_ppoll(struct pollfd __user *ufds, unsigned int nfds,
+# struct timespec __user *tsp, const sigset_t __user *sigmask,
+# size_t sigsetsize)
+#
+probe nd_syscall.ppoll = kprobe.function("SyS_ppoll") ?,
+ kprobe.function("sys_ppoll") ?
+{
+ name = "ppoll"
+ // argstr = sprintf("%p, %d, %s, %p, %d",
+ // $ufds,
+ // $nfds,
+ // _struct_timespec_u($tsp, 1),
+ // $sigmask,
+ // $sigsetsize)
+ asmlinkage()
+ argstr = sprintf("%p, %d, %s, %p, %d",
+ pointer_arg(1),
+ uint_arg(2),
+ _struct_timespec_u(pointer_arg(3), 1),
+ pointer_arg(4),
+ ulong_arg(5))
+}
+probe nd_syscall.ppoll.return = kprobe.function("SyS_ppoll").return ?,
+ kprobe.function("sys_ppoll").return ?
+{
+ name = "ppoll"
+ retstr = returnstr(1)
+}
+# long compat_sys_ppoll(struct pollfd __user *ufds,
+# unsigned int nfds, struct compat_timespec __user *tsp,
+# const compat_sigset_t __user *sigmask, compat_size_t sigsetsize)
+#
+probe nd_syscall.compat_ppoll = kprobe.function("compat_sys_ppoll") ?
+{
+ name = "ppoll"
+ // argstr = sprintf("%p, %d, %s, %p, %d",
+ // $ufds,
+ // $nfds,
+ // _struct_compat_timespec_u($tsp, 1),
+ // $sigmask,
+ // $sigsetsize)
+ asmlinkage()
+ argstr = sprintf("%p, %d, %s, %p, %d",
+ pointer_arg(1),
+ uint_arg(2),
+ _struct_compat_timespec_u(pointer_arg(3), 1),
+ pointer_arg(4),
+ u32_arg(5))
+}
+probe nd_syscall.compat_ppoll.return = kprobe.function("compat_sys_ppoll").return ?
+{
+ name = "ppoll"
+ retstr = returnstr(1)
+}
+
+# prctl ______________________________________________________
+#
+# asmlinkage long
+# sys_prctl(int option,
+# unsigned long arg2,
+# unsigned long arg3,
+# unsigned long arg4,
+# unsigned long arg5)
+#
+probe nd_syscall.prctl = kprobe.function("SyS_prctl") ?,
+ kprobe.function("sys_prctl") ?
+{
+ name = "prctl"
+ // option = $option
+ // arg2 = $arg2
+ // arg3 = $arg3
+ // arg4 = $arg4
+ // arg5 = $arg5
+ asmlinkage()
+ option = int_arg(1)
+ arg2 = ulong_arg(2)
+ arg3 = ulong_arg(3)
+ arg4 = ulong_arg(4)
+ arg5 = ulong_arg(5)
+ argstr = sprintf("%p, %p, %p, %p, %p", option, arg2, arg3,
+ arg4, arg5)
+}
+probe nd_syscall.prctl.return = kprobe.function("SyS_prctl").return ?,
+ kprobe.function("sys_prctl").return ?
+{
+ name = "prctl"
+ retstr = returnstr(1)
+}
+
+# pread64 ____________________________________________________
+#
+# ssize_t sys_pread64(unsigned int fd,
+# char __user *buf,
+# size_t count,
+# loff_t pos)
+#
+probe nd_syscall.pread = kprobe.function("SyS_pread64") ?,
+ kprobe.function("sys_pread64") ?
+{
+ name = "pread"
+ // fd = $fd
+ // buf_uaddr = $buf
+ // count = $count
+ // offset = $pos
+ // argstr = sprintf("%d, %p, %d, %d", $fd, $buf, $count, $pos)
+ asmlinkage()
+ fd = uint_arg(1)
+ buf_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ offset = longlong_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", fd, buf_uaddr, count, offset)
+}
+probe nd_syscall.pread.return = kprobe.function("SyS_pread64").return ?,
+ kprobe.function("sys_pread64").return ?
+{
+ name = "pread"
+ retstr = returnstr(1)
+}
+
+# pselect6 _____________________________________________________
+#
+# long sys_pselect6(int n, fd_set __user *inp, fd_set __user *outp,
+# fd_set __user *exp, struct timespec __user *tsp, void __user *sig)
+#
+probe nd_syscall.pselect6 = kprobe.function("SyS_pselect6") ?,
+ kprobe.function("sys_pselect6") ?
+{
+ name = "pselect6"
+ // argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
+ // _struct_timespec_u($tsp, 1), $sig)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
+ _struct_timespec_u(pointer_arg(5), 1), pointer_arg(6))
+}
+probe nd_syscall.pselect6.return = kprobe.function("SyS_pselect6").return ?,
+ kprobe.function("sys_pselect6").return ?
+{
+ name = "pselect6"
+ retstr = returnstr(1)
+}
+probe nd_syscall.compat_pselect6 = kprobe.function("compat_sys_pselect6") ?
+{
+ name = "pselect6"
+ // argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
+ // _struct_compat_timespec_u($tsp, 1), $sig)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1), pointer_arg(2), pointer_arg(3), pointer_arg(4),
+ _struct_compat_timespec_u(pointer_arg(5), 1), pointer_arg(6))
+}
+probe nd_syscall.compat_pselect6.return = kprobe.function("compat_sys_pselect6").return ?
+{
+ name = "pselect6"
+ retstr = returnstr(1)
+}
+
+# pselect7 _____________________________________________________
+#
+# long sys_pselect7(int n, fd_set __user *inp, fd_set __user *outp,
+# fd_set __user *exp, struct timespec __user *tsp,
+# const sigset_t __user *sigmask, size_t sigsetsize)
+#
+probe nd_syscall.pselect7 = kprobe.function("sys_pselect7") ?
+{
+ name = "pselect7"
+ // argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
+ // _struct_timespec_u($tsp, 1), $sigmask, $sigsetsize)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
+ _struct_timespec_u(pointer_arg(5), 1), pointer_arg(6), ulong_arg(7))
+}
+probe nd_syscall.pselect7.return = kprobe.function("sys_pselect7").return ?
+{
+ name = "pselect7"
+ retstr = returnstr(1)
+}
+probe nd_syscall.compat_pselect7a = kprobe.function("compat_sys_pselect7") ?
+{
+ name = "pselect7"
+ //argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
+ // _struct_compat_timespec_u($tsp, 1), $sigmask, $sigsetsize)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
+ _struct_timespec_u(pointer_arg(5), 1), pointer_arg(6), ulong_arg(7))
+}
+probe nd_syscall.compat_pselect7.return = kprobe.function("compat_sys_pselect7").return ?
+{
+ name = "pselect7"
+ retstr = returnstr(1)
+}
+
+# ptrace _____________________________________________________
+#
+# int sys_ptrace(long request,
+# long pid,
+# long addr,
+# long data)
+#
+probe nd_syscall.ptrace = kprobe.function("SyS_ptrace") ?,
+ kprobe.function("sys_ptrace") ?
+{
+ name = "ptrace"
+ // request = $request
+ // pid = $pid
+ // addr = $addr
+ // data = $data
+ asmlinkage()
+ request = long_arg(1)
+ pid = long_arg(2)
+ addr = long_arg(3)
+ data = long_arg(4)
+ argstr = sprintf("%d, %d, %p, %p", request, pid, addr, data)
+}
+probe nd_syscall.ptrace.return = kprobe.function("SyS_ptrace").return ?,
+ kprobe.function("sys_ptrace").return ?
+{
+ name = "ptrace"
+ retstr = returnstr(1)
+}
+
+# pwrite64 ___________________________________________________
+#
+# ssize_t sys_pwrite64(unsigned int fd,
+# const char __user *buf,
+# size_t count,
+# loff_t pos)
+#
+probe nd_syscall.pwrite = kprobe.function("SyS_pwrite64") ?,
+ kprobe.function("sys_pwrite64") ?
+{
+ name = "pwrite"
+ // fd = $fd
+ // buf_uaddr = $buf
+ // count = $count
+ // offset = $pos
+ // argstr = sprintf("%d, %s, %d, %d", $fd,
+ // text_strn(user_string($buf), syscall_string_trunc, 1),
+ // $count, $pos)
+ asmlinkage()
+ fd = uint_arg(1)
+ buf_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ offset = longlong_arg(4)
+ argstr = sprintf("%d, %s, %d, %d", fd,
+ text_strn(user_string(buf_uaddr), syscall_string_trunc, 1),
+ count, offset)
+}
+probe nd_syscall.pwrite.return = kprobe.function("SyS_pwrite64").return ?,
+ kprobe.function("sys_pwrite64").return ?
+{
+ name = "pwrite"
+ retstr = returnstr(1)
+}
+# long sys32_pwrite64(unsigned int fd, const char __user *ubuf,
+# size_t count, u32 poshi, u32 poslo)
+probe nd_syscall.pwrite32 = kprobe.function("sys32_pwrite64") ?
+{
+ name = "pwrite"
+ // fd = $fd
+ // buf_uaddr = $buf
+ // count = $count
+ // offset = ($poshi << 32) + $poslo
+// %( arch == "s390x" %?
+ // buf_uaddr = $ubuf
+ // argstr = sprintf("%d, %s, %d, %d", $fd,
+ // text_strn(user_string($ubuf), syscall_string_trunc, 1),
+ // $count, ($poshi << 32) + $poslo)
+// %:
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %s, %d, %d", $fd,
+ // text_strn(user_string($buf), syscall_string_trunc, 1),
+ // $count, ($poshi << 32) + $poslo)
+// %)
+ asmlinkage()
+ fd = uint_arg(1)
+ buf_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ offset = (u32_arg(4) << 32) + u32_arg(5)
+ argstr = sprintf("%d, %s, %d, %d", fd,
+ text_strn(user_string(buf_uaddr), syscall_string_trunc, 1),
+ count, offset)
+}
+probe nd_syscall.pwrite32.return = kprobe.function("sys32_pwrite64").return ?
+{
+ name = "pwrite"
+ retstr = returnstr(1)
+}
+
+# quotactl ___________________________________________________
+#
+# long sys_quotactl(unsigned int cmd,
+# const char __user *special,
+# qid_t id,
+# void __user *addr)
+#
+probe nd_syscall.quotactl = kprobe.function("SyS_quotactl") ?,
+ kprobe.function("sys_quotactl") ?
+{
+ name = "quotactl"
+ // cmd = $cmd
+ // cmd_str = _quotactl_cmd_str($cmd)
+ // special = $special
+ // special_str = user_string($special)
+ // id = $id
+ // addr_uaddr = $addr
+ // argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, $id, $addr)
+ asmlinkage()
+ cmd = uint_arg(1)
+ cmd_str = _quotactl_cmd_str(cmd)
+ special = pointer_arg(2)
+ special_str = user_string(special)
+ id = uint_arg(3)
+ addr_uaddr = pointer_arg(4)
+ argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, id, addr_uaddr)
+}
+probe nd_syscall.quotactl.return = kprobe.function("SyS_quotactl").return ?,
+ kprobe.function("sys_quotactl").return ?
+{
+ name = "quotactl"
+ retstr = returnstr(1)
+}
+
+# read _______________________________________________________
+# ssize_t sys_read(unsigned int fd, char __user * buf, size_t count)
+probe nd_syscall.read = kprobe.function("SyS_read") ?,
+ kprobe.function("sys_read") ?
+{
+ name = "read"
+ // fd = $fd
+ // buf_uaddr = $buf
+ // count = $count
+ // argstr = sprintf("%d, %p, %d", $fd, $buf, $count)
+ asmlinkage()
+ fd = uint_arg(1)
+ buf_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", fd, buf_uaddr, count)
+}
+probe nd_syscall.read.return = kprobe.function("SyS_read").return ?,
+ kprobe.function("sys_read").return ?
+{
+ name = "read"
+ retstr = returnstr(1)
+}
+
+# readahead __________________________________________________
+#
+# asmlinkage ssize_t
+# sys_readahead(int fd,
+# loff_t offset,
+# size_t count)
+#
+probe nd_syscall.readahead = kprobe.function("SyS_readahead") ?,
+ kprobe.function("sys_readahead") ?
+{
+ name = "readahead"
+ // fd = $fd
+ // offset = $offset
+ // count = $count
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ count = ulong_arg(3)
+ argstr = sprintf("%d, %p, %p", fd, offset, count)
+}
+probe nd_syscall.readahead.return = kprobe.function("SyS_readahead").return ?,
+ kprobe.function("sys_readahead").return ?
+{
+ name = "readahead"
+ retstr = returnstr(1)
+}
+
+# readdir ___________________________________________________
+#
+# long compat_sys_old_readdir(unsigned int fd, struct compat_old_linux_dirent __user *dirent, unsigned int count)
+# int old32_readdir(unsigned int fd, struct old_linux_dirent32 *dirent, unsigned int count)
+#
+probe nd_syscall.readdir = kprobe.function("compat_sys_old_readdir") ?,
+ kprobe.function("old32_readdir") ?
+{
+ name = "readdir"
+ // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %d", uint_arg(1), pointer_arg(2), uint_arg(3))
+}
+probe nd_syscall.readdir.return = kprobe.function("compat_sys_old_readdir").return ?,
+ kprobe.function("old32_readdir").return ?
+{
+ name = "readdir"
+ retstr = returnstr(1)
+}
+
+# readlink ___________________________________________________
+#
+# long sys_readlink(const char __user * path,
+# char __user * buf,
+# int bufsiz)
+#
+probe nd_syscall.readlink = kprobe.function("SyS_readlink") ?,
+ kprobe.function("sys_readlink") ?
+{
+ name = "readlink"
+ // path = user_string($path)
+ // buf_uaddr = $buf
+ // bufsiz = $bufsiz
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path),
+ // $buf, $bufsiz)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ buf_uaddr = pointer_arg(2)
+ bufsiz = int_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(pointer_arg(1)),
+ buf_uaddr, bufsiz)
+}
+probe nd_syscall.readlink.return = kprobe.function("SyS_readlink").return ?,
+ kprobe.function("sys_readlink").return ?
+{
+ name = "readlink"
+ retstr = returnstr(1)
+}
+
+# readlinkat ___________________________________________________
+#
+# long sys_readlinkat(int dfd, const char __user * path,
+# char __user * buf,
+# int bufsiz)
+#
+probe nd_syscall.readlinkat = kprobe.function("SyS_readlinkat") ?,
+ kprobe.function("sys_readlinkat") ?
+{
+ name = "readlinkat"
+ //dfd = $dfd
+ // path = user_string($path)
+ // buf_uaddr = $buf
+ // bufsiz = $bufsiz
+ // argstr = sprintf("%s, %s, %p, %d", _dfd_str($dfd), user_string_quoted($path),
+ // $buf, $bufsiz)
+ asmlinkage()
+ dfd = int_arg(1)
+ path = user_string(pointer_arg(2))
+ buf_uaddr = pointer_arg(3)
+ bufsiz = int_arg(4)
+ argstr = sprintf("%s, %s, %p, %d", _dfd_str(dfd), user_string_quoted(pointer_arg(2)),
+ buf_uaddr, bufsiz)
+}
+probe nd_syscall.readlinkat.return = kprobe.function("SyS_readlinkat").return ?,
+ kprobe.function("sys_readlinkat").return ?
+{
+ name = "readlinkat"
+ retstr = returnstr(1)
+}
+
+# readv ______________________________________________________
+#
+# ssize_t sys_readv(unsigned long fd,
+# const struct iovec __user *vec,
+# unsigned long vlen)
+# ssize_t compat_sys_readv(unsigned long fd,
+# const struct compat_iovec __user *vec,
+# unsigned long vlen)
+#
+probe nd_syscall.readv = kprobe.function("compat_sys_readv") ?,
+ kprobe.function("SyS_readv") ?,
+ kprobe.function("sys_readv") ?
+{
+ name = "readv"
+ // vector_uaddr = $vec
+ // count = $vlen
+/* FIXME: RHEL4 U3 ppc64 can't resolve $fd */
+// %( arch != "ppc64" %?
+ // fd = $fd
+ // argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
+// %:
+ // argstr = sprintf("unknown fd, %p, %d", $vec, $vlen)
+// %)
+ asmlinkage()
+ vector_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ fd = ulong_arg(1)
+ argstr = sprintf("%d, %p, %d", fd, vector_uaddr, count)
+}
+probe nd_syscall.readv.return = kprobe.function("compat_sys_readv").return ?,
+ kprobe.function("SyS_readv").return ?,
+ kprobe.function("sys_readv").return ?
+{
+ name = "readv"
+ retstr = returnstr(1)
+}
+
+# reboot _____________________________________________________
+#
+# long sys_reboot(int magic1,
+# int magic2,
+# unsigned int cmd,
+# void __user * arg)
+#
+probe nd_syscall.reboot = kprobe.function("SyS_reboot") ?,
+ kprobe.function("sys_reboot") ?
+{
+ name = "reboot"
+ // magic = $magic1
+ // magic_str = _reboot_magic_str($magic1)
+ // magic2 = $magic2
+ // magic2_str =_reboot_magic_str($magic2)
+ // flag = $cmd
+ // flag_str = _reboot_flag_str($cmd)
+ // arg_uaddr = $arg
+ // argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
+ // flag_str, $arg)
+ asmlinkage()
+ magic = int_arg(1)
+ magic_str = _reboot_magic_str(magic)
+ magic2 = int_arg(2)
+ magic2_str =_reboot_magic_str(magic2)
+ flag = uint_arg(3)
+ flag_str = _reboot_flag_str(flag)
+ arg_uaddr = pointer_arg(4)
+ argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
+ flag_str, arg_uaddr)
+}
+probe nd_syscall.reboot.return = kprobe.function("SyS_reboot").return ?,
+ kprobe.function("sys_reboot").return ?
+{
+ name = "reboot"
+ retstr = returnstr(1)
+}
+
+# recv _______________________________________________________
+#
+# long sys_recv(int fd, void __user *ubuf, size_t size, unsigned flags)
+#
+probe nd_syscall.recv = kprobe.function("sys_recv") ?
+{
+ name = "recv"
+ // s = $fd
+ // buf_uaddr = $ubuf
+ // len = $size
+ // flags = $flags
+ // flags_str = _recvflags_str($flags)
+ // argstr = sprintf("%d, %p, %d, %s", $fd, $ubuf, $size, _recvflags_str($flags))
+ asmlinkage()
+ s = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ flags = uint_arg(4)
+ flags_str = _recvflags_str(flags)
+ argstr = sprintf("%d, %p, %d, %s", s, buf_uaddr, len, flags_str)
+}
+probe nd_syscall.recv.return = kprobe.function("sys_recv").return ?
+{
+ name = "recv"
+ retstr = returnstr(1)
+}
+
+# recvfrom ___________________________________________________
+#
+# long sys_recvfrom(int fd,
+# void __user * ubuf,
+# size_t size,
+# unsigned flags,
+# struct sockaddr __user *addr,
+# int __user *addr_len)
+#
+probe nd_syscall.recvfrom = kprobe.function("SyS_recvfrom") ?,
+ kprobe.function("sys_recvfrom") ?
+{
+ name = "recvfrom"
+ // s = $fd
+ // buf_uaddr = $ubuf
+ // len = $size
+ // flags = $flags
+ // flags_str = _recvflags_str($flags)
+ // addr_uaddr = $addr
+ // addrlen_uaddr = $addr_len
+ // argstr = sprintf("%d, %p, %d, %s, %p, %p",
+ // $fd, $ubuf, $size, _recvflags_str($flags), $addr, $addr_len)
+ asmlinkage()
+ s = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ flags = uint_arg(4)
+ flags_str = _recvflags_str(flags)
+ addr_uaddr = pointer_arg(5)
+ addrlen_uaddr = pointer_arg(6)
+ argstr = sprintf("%d, %p, %d, %s, %p, %p",
+ s, buf_uaddr, len, flags_str, addr_uaddr, addrlen_uaddr)
+}
+probe nd_syscall.recvfrom.return = kprobe.function("SyS_recvfrom").return ?,
+ kprobe.function("sys_recvfrom").return ?
+{
+ name = "recvfrom"
+ retstr = returnstr(1)
+}
+
+# recvmsg ____________________________________________________
+#
+# long sys_recvmsg(int fd,
+# struct msghdr __user *msg,
+# unsigned int flags)
+#
+probe nd_syscall.recvmsg = kprobe.function("SyS_recvmsg") ?,
+ kprobe.function("sys_recvmsg") ?
+{
+ name = "recvmsg"
+ // s = $fd
+ // msg_uaddr = $msg
+ // flags = $flags
+ // flags_str = _recvflags_str($flags)
+ // argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
+ asmlinkage()
+ s = int_arg(1)
+ msg_uaddr = pointer_arg(2)
+ flags = uint_arg(3)
+ flags_str = _recvflags_str(flags)
+ argstr = sprintf("%d, %p, %s", s, msg_uaddr, flags_str)
+}
+probe nd_syscall.recvmsg.return = kprobe.function("SyS_recvmsg").return ?,
+ kprobe.function("sys_recvmsg").return ?
+{
+ name = "recvmsg"
+ retstr = returnstr(1)
+}
+
+# compat_sys_recvmsg ________________________________________
+#
+# long compat_sys_recvmsg(int fd,
+# struct compat_msghdr __user *msg,
+# unsigned int flags)
+#
+probe nd_syscall.compat_sys_recvmsg = kprobe.function("compat_sys_recvmsg") ?
+{
+ name = "compat_sys_recvmsg"
+ // s = $fd
+ // msg_uaddr = $msg
+ // flags = $flags
+ // argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
+ asmlinkage()
+ s = int_arg(1)
+ msg_uaddr = pointer_arg(2)
+ flags = uint_arg(3)
+ argstr = sprintf("%d, %p, %s", s, msg_uaddr, _recvflags_str(flags))
+}
+probe nd_syscall.compat_sys_recvmsg.return = kprobe.function("compat_sys_recvmsg").return ?
+{
+ name = "compat_sys_recvmsg"
+ retstr = returnstr(1)
+}
+
+# remap_file_pages ___________________________________________
+#
+# long sys_remap_file_pages(unsigned long start,
+# unsigned long size,
+# unsigned long __prot,
+# unsigned long pgoff,
+# unsigned long flags)
+#
+probe nd_syscall.remap_file_pages = kprobe.function("SyS_remap_file_pages") ?,
+ kprobe.function("sys_remap_file_pages") ?
+{
+ name = "remap_file_pages"
+ // start = $start
+ // size = $size
+// %( kernel_vr >= "2.6.24" %?
+ // prot = $prot
+// %:
+ // prot = $__prot
+// %)
+ // pgoff = $pgoff
+ // flags = $flags
+ asmlinkage()
+ start = ulong_arg(1)
+ size = ulong_arg(2)
+ prot = ulong_arg(3)
+ pgoff = ulong_arg(4)
+ flags = ulong_arg(5)
+ argstr = sprintf("%p, %p, %p, %p, %p", start, size, prot,
+ pgoff, flags)
+}
+probe nd_syscall.remap_file_pages.return = kprobe.function("SyS_remap_file_pages").return ?,
+ kprobe.function("sys_remap_file_pages").return ?
+{
+ name = "remap_file_pages"
+ retstr = returnstr(1)
+}
+
+# removexattr ________________________________________________
+#
+# asmlinkage long
+# sys_removexattr(char __user *path,
+# char __user *name)
+#
+probe nd_syscall.removexattr = kprobe.function("SyS_removexattr") ?,
+ kprobe.function("sys_removexattr") ?
+{
+ name = "removexattr"
+ // path = user_string($path)
+ // name_str = user_string($name)
+ // argstr = sprintf("%s, %s", user_string_quoted($path),
+ // user_string_quoted($name))
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ name_str = user_string(pointer_arg(2))
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.removexattr.return = kprobe.function("SyS_removexattr").return ?,
+ kprobe.function("sys_removexattr").return ?
+{
+ name = "removexattr"
+ retstr = returnstr(1)
+}
+
+# rename _____________________________________________________
+#
+# asmlinkage long
+# sys_rename(const char __user * oldname,
+# const char __user * newname)
+#
+probe nd_syscall.rename = kprobe.function("SyS_rename") ?,
+ kprobe.function("sys_rename") ?
+{
+ name = "rename"
+ // oldpath = user_string($oldname)
+ // newpath = user_string($newname)
+ // argstr = sprintf("%s, %s", user_string_quoted($oldname),
+ // user_string_quoted($newname))
+ asmlinkage()
+ oldpath = user_string(pointer_arg(1))
+ newpath = user_string(pointer_arg(2))
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.rename.return = kprobe.function("SyS_rename").return ?,
+ kprobe.function("sys_rename").return ?
+{
+ name = "rename"
+ retstr = returnstr(1)
+}
+
+# renameat ___________________________________________________
+# new function with 2.6.16
+# long sys_renameat(int olddfd, const char __user *oldname,
+# int newdfd, const char __user *newname)
+probe nd_syscall.renameat = kprobe.function("SyS_renameat") ?,
+ kprobe.function("sys_renameat") ?
+{
+ name = "renameat"
+ // olddfd = $olddfd
+ // olddfd_str = _dfd_str($olddfd)
+ // oldname = $oldname
+ // oldname_str = user_string($oldname)
+ // newdfd = $newdfd
+ // newdfd_str = _dfd_str($newdfd)
+ // newname = $newname
+ // newname_str = user_string($newname)
+ // argstr = sprintf("%s, %s, %s, %s",
+ // olddfd_str, user_string_quoted($oldname),
+ // newdfd_str, user_string_quoted($newname))
+ asmlinkage()
+ olddfd = int_arg(1)
+ olddfd_str = _dfd_str(olddfd)
+ oldname = pointer_arg(2)
+ oldname_str = user_string(oldname)
+ newdfd = int_arg(3)
+ newdfd_str = _dfd_str(newdfd)
+ newname = pointer_arg(4)
+ newname_str = user_string(newname)
+ argstr = sprintf("%s, %s, %s, %s",
+ olddfd_str, user_string_quoted(oldname),
+ newdfd_str, user_string_quoted(newname))
+}
+probe nd_syscall.renameat.return = kprobe.function("SyS_renameat").return ?,
+ kprobe.function("sys_renameat").return ?
+{
+ name = "renameat"
+ retstr = returnstr(1)
+}
+
+# request_key ________________________________________________
+#
+# long sys_request_key(const char __user *_type,
+# const char __user *_description,
+# const char __user *_callout_info,
+# key_serial_t destringid)
+# compat_sys_request_key() calls sys_request_key, so don't need probe there.
+#
+probe nd_syscall.request_key = kprobe.function("SyS_request_key") ?,
+ kprobe.function("sys_request_key") ?
+{
+ name = "request_key"
+ // type_uaddr = $_type
+ // description_uaddr = $_description
+ // callout_info_uaddr = $_callout_info
+ // destringid = $destringid
+ // argstr = sprintf("%p, %p, %p, %p", $_type, $_description, $_callout_info, $destringid)
+ asmlinkage()
+ type_uaddr = pointer_arg(1)
+ description_uaddr = pointer_arg(2)
+ callout_info_uaddr = pointer_arg(3)
+ destringid = u32_arg(4)
+ argstr = sprintf("%p, %p, %p, %p", type_uaddr, description_uaddr, callout_info_uaddr, destringid)
+}
+probe nd_syscall.request_key.return = kprobe.function("SyS_request_key").return ?,
+ kprobe.function("sys_request_key").return ?
+{
+ name = "request_key"
+ retstr = returnstr(1)
+}
+
+# restart_syscall ____________________________________________
+#
+# asmlinkage long
+# sys_restart_syscall(void)
+#
+probe nd_syscall.restart_syscall = kprobe.function("sys_restart_syscall")
+{
+ name = "restart_syscall"
+ argstr = ""
+}
+probe nd_syscall.restart_syscall.return = kprobe.function("sys_restart_syscall").return
+{
+ name = "restart_syscall"
+ retstr = returnstr(1)
+}
+
+# rmdir ______________________________________________________
+#
+# asmlinkage long
+# sys_rmdir(const char __user * pathname)
+#
+probe nd_syscall.rmdir = kprobe.function("SyS_rmdir") ?,
+ kprobe.function("sys_rmdir") ?
+{
+ name = "rmdir"
+ // pathname = user_string($pathname)
+ // argstr = user_string_quoted($pathname)
+ asmlinkage()
+ pathname = user_string(pointer_arg(1))
+ argstr = user_string_quoted(pointer_arg(1))
+}
+probe nd_syscall.rmdir.return = kprobe.function("SyS_rmdir").return ?,
+ kprobe.function("sys_rmdir").return ?
+{
+ name = "rmdir"
+ retstr = returnstr(1)
+}
+
+# rt_sigaction _______________________________________________
+#
+# sys_rt_sigaction(int sig,
+# const struct sigaction __user *act,
+# struct sigaction __user *oact,
+# size_t sigsetsize)
+#
+probe nd_syscall.rt_sigaction = kprobe.function("SyS_rt_sigaction") ?,
+ kprobe.function("sys_rt_sigaction") ?
+{
+ name = "rt_sigaction"
+ // sig = $sig
+ // act_uaddr = $act
+ // oact_uaddr = $oact
+ // sigsetsize = $sigsetsize
+ // argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
+ // _struct_sigaction_u($act), $oact, $sigsetsize)
+ asmlinkage()
+ sig = int_arg(1)
+ act_uaddr = pointer_arg(2)
+ oact_uaddr = pointer_arg(3)
+ sigsetsize = ulong_arg(4)
+ argstr = sprintf("%s, {%s}, %p, %d", _signal_name(sig),
+ _struct_sigaction_u(act_uaddr), oact_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigaction.return = kprobe.function("SyS_rt_sigaction").return ?,
+ kprobe.function("sys_rt_sigaction").return ?
+{
+ name = "rt_sigaction"
+ retstr = returnstr(1)
+}
+
+#
+# long sys32_rt_sigaction(int sig,
+# struct sigaction32 __user *act,
+# struct sigaction32 __user *oact,
+# unsigned int sigsetsize)
+# ppc only
+# compat_sys_rt_sigaction(int sig,
+# const struct sigaction32 __user *act,
+# struct sigaction32 __user *oact,
+# size_t sigsetsize)
+
+probe nd_syscall.rt_sigaction32 = kprobe.function("sys32_rt_sigaction") ?,
+ kprobe.function("compat_sys_rt_sigaction") ?
+{
+ name = "rt_sigaction"
+ // sig = $sig
+ // act_uaddr = $act
+ // oact_uaddr = $oact
+ // sigsetsize = $sigsetsize
+ // argstr = sprintf("%s, %p, %p, %d", _signal_name($sig), $act, $oact, $sigsetsize)
+ asmlinkage()
+ sig = int_arg(1)
+ act_uaddr = pointer_arg(2)
+ oact_uaddr = pointer_arg(3)
+ sigsetsize = uint_arg(4)
+ argstr = sprintf("%s, %p, %p, %d", _signal_name(sig), act_uaddr, oact_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigaction32.return = kprobe.function("sys32_rt_sigaction").return ?,
+ kprobe.function("compat_sys_rt_sigaction").return ?
+{
+ name = "rt_sigaction"
+ retstr = returnstr(1)
+}
+
+# rt_sigpending ______________________________________________
+#
+# long sys_rt_sigpending(sigset_t __user *set, size_t sigsetsize)
+#
+probe nd_syscall.rt_sigpending = kprobe.function("SyS_rt_sigpending") ?,
+ kprobe.function("sys_rt_sigpending") ?
+{
+ name = "rt_sigpending"
+ // set_uaddr = $set
+ // sigsetsize = $sigsetsize
+ // argstr = sprintf("%p, %d", $set, $sigsetsize)
+ asmlinkage()
+ set_uaddr = pointer_arg(1)
+ sigsetsize = ulong_arg(2)
+ argstr = sprintf("%p, %d", set_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigpending.return = kprobe.function("SyS_rt_sigpending").return ?,
+ kprobe.function("sys_rt_sigpending").return ?
+{
+ name = "rt_sigpending"
+ retstr = returnstr(1)
+}
+
+# rt_sigprocmask _____________________________________________
+# long sys32_rt_sigprocmask(u32 how, compat_sigset_t __user *set, compat_sigset_t __user *oset, size_t sigsetsize)
+# long compat_sys_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset, compat_size_t sigsetsize)
+# long sys_rt_sigprocmask(int how, sigset_t __user *set, sigset_t __user *oset, size_t sigsetsize)
+#
+probe nd_syscall.rt_sigprocmask = kprobe.function("sys32_rt_sigprocmask") ?,
+ kprobe.function("compat_sys_rt_sigprocmask") ?,
+ kprobe.function("SyS_rt_sigprocmask") ?,
+ kprobe.function("sys_rt_sigprocmask") ?
+{
+ name = "rt_sigprocmask"
+ // how = $how
+ // how_str = _sigprocmask_how_str($how)
+ // set_uaddr = $set
+ // oldset_uaddr = $oset
+ // argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u($set),
+ // $oset, $sigsetsize)
+ if (probefunc() != "compat_sys_rt_sigprocmask")
+ asmlinkage()
+ how = int_arg(1)
+ how_str = _sigprocmask_how_str(how)
+ set_uaddr = pointer_arg(2)
+ oldset_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u(set_uaddr),
+ oldset_uaddr, uint_arg(4))
+}
+probe nd_syscall.rt_sigprocmask.return = kprobe.function("sys32_rt_sigprocmask").return ?,
+ kprobe.function("compat_sys_rt_sigprocmask").return ?,
+ kprobe.function("SyS_rt_sigprocmask").return ?,
+ kprobe.function("sys_rt_sigprocmask").return ?
+{
+ name = "rt_sigprocmask"
+ retstr = returnstr(1)
+}
+
+# rt_sigqueueinfo ____________________________________________
+#
+# long sys_rt_sigqueueinfo(int pid, int sig, siginfo_t __user *uinfo)
+#
+probe nd_syscall.rt_sigqueueinfo = kprobe.function("SyS_rt_sigqueueinfo") ?,
+ kprobe.function("sys_rt_sigqueueinfo") ?
+{
+ name = "rt_sigqueueinfo"
+ // pid = $pid
+ // sig = $sig
+ // uinfo_uaddr = $uinfo
+ // argstr = sprintf("%d, %s, %p", $pid, _signal_name($sig), $uinfo)
+ asmlinkage()
+ pid = int_arg(1)
+ sig = int_arg(2)
+ uinfo_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %s, %p", pid, _signal_name(sig), uinfo_uaddr)
+}
+probe nd_syscall.rt_sigqueueinfo.return = kprobe.function("SyS_rt_sigqueueinfo").return ?,
+ kprobe.function("sys_rt_sigqueueinfo").return ?
+{
+ name = "rt_sigqueueinfo"
+ retstr = returnstr(1)
+}
+
+# rt_sigreturn _______________________________________________
+# int sys_rt_sigreturn(unsigned long __unused)
+#
+probe nd_syscall.rt_sigreturn = kprobe.function("sys_rt_sigreturn") ?,
+ kprobe.function("sys32_rt_sigreturn") ?
+{
+ name = "rt_sigreturn"
+ argstr = ""
+}
+probe nd_syscall.rt_sigreturn.return = kprobe.function("sys_rt_sigreturn").return ?,
+ kprobe.function("sys32_rt_sigreturn").return ?
+{
+ name = "rt_sigreturn"
+ retstr = returnstr(1)
+}
+
+# rt_sigsuspend ______________________________________________
+#
+# sys_rt_sigsuspend(struct pt_regs regs)
+#
+probe nd_syscall.rt_sigsuspend = kprobe.function("compat_sys_rt_sigsuspend") ?,
+ kprobe.function("ia64_rt_sigsuspend") ?,
+ kprobe.function("SyS_rt_sigsuspend") ?,
+ kprobe.function("sys_rt_sigsuspend") ?
+{
+ name = "rt_sigsuspend"
+ argstr = ""
+}
+probe nd_syscall.rt_sigsuspend.return = kprobe.function("compat_sys_rt_sigsuspend").return ?,
+ kprobe.function("ia64_rt_sigsuspend").return ?,
+ kprobe.function("SyS_rt_sigsuspend").return ?,
+ kprobe.function("sys_rt_sigsuspend").return ?
+{
+ name = "rt_sigsuspend"
+ retstr = returnstr(1)
+}
+
+# rt_sigtimedwait ____________________________________________
+#
+# long sys_rt_sigtimedwait(const sigset_t __user *uthese,
+# siginfo_t __user *uinfo,
+# const struct timespec __user *uts,
+# size_t sigsetsize)
+# long compat_sys_rt_sigtimedwait (compat_sigset_t __user *uthese,
+# struct compat_siginfo __user *uinfo,
+# struct compat_timespec __user *uts, compat_size_t sigsetsize)
+#
+probe nd_syscall.rt_sigtimedwait = kprobe.function("compat_sys_rt_sigtimedwait") ?,
+ kprobe.function("SyS_rt_sigtimedwait") ?,
+ kprobe.function("sys_rt_sigtimedwait") ?
+{
+ name = "rt_sigtimedwait"
+ // uthese_uaddr = $uthese
+ // uinfo_uaddr = $uinfo
+ // uts_uaddr = $uts
+ // sigsetsize = $sigsetsize
+ // argstr = sprintf("%p, %p, %p, %d", $uthese, $uinfo, $uts, $sigsetsize)
+ asmlinkage()
+ uthese_uaddr = pointer_arg(1)
+ uinfo_uaddr = pointer_arg(2)
+ uts_uaddr = pointer_arg(3)
+ if (probefunc() == "sys_rt_sigtimedwait")
+ sigsetsize = ulong_arg(4)
+ else
+ sigsetsize = u32_arg(4)
+ argstr = sprintf("%p, %p, %p, %d", uthese_uaddr, uinfo_uaddr, uts_uaddr, sigsetsize)
+}
+probe nd_syscall.rt_sigtimedwait.return = kprobe.function("compat_sys_rt_sigtimedwait").return ?,
+ kprobe.function("SyS_rt_sigtimedwait").return ?,
+ kprobe.function("sys_rt_sigtimedwait").return ?
+{
+ name = "rt_sigtimedwait"
+ retstr = returnstr(1)
+}
+
+# sched_getaffinity __________________________________________
+#
+# asmlinkage long
+# sys_sched_getaffinity(pid_t pid,
+# unsigned int len,
+# unsigned long __user *user_mask_ptr)
+#
+probe nd_syscall.sched_getaffinity = kprobe.function("SyS_sched_getaffinity") ?,
+ kprobe.function("sys_sched_getaffinity") ?
+{
+ name = "sched_getaffinity"
+ // pid = $pid
+ // len = $len
+ // mask_uaddr = $user_mask_ptr
+ asmlinkage()
+ pid = int_arg(1)
+ len = uint_arg(2)
+ mask_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", pid, len, mask_uaddr)
+}
+probe nd_syscall.sched_getaffinity.return = kprobe.function("SyS_sched_getaffinity").return ?,
+ kprobe.function("sys_sched_getaffinity").return ?
+{
+ name = "sched_getaffinity"
+ retstr = returnstr(1)
+}
+
+# sched_getparam _____________________________________________
+#
+# asmlinkage long
+# sys_sched_getparam(pid_t pid,
+# struct sched_param __user *param)
+#
+probe nd_syscall.sched_getparam = kprobe.function("SyS_sched_getparam") ?,
+ kprobe.function("sys_sched_getparam") ?
+{
+ name = "sched_getparam"
+ // pid = $pid
+ // p_uaddr = $param
+ asmlinkage()
+ pid = int_arg(1)
+ p_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", pid, p_uaddr)
+}
+probe nd_syscall.sched_getparam.return = kprobe.function("SyS_sched_getparam").return ?,
+ kprobe.function("sys_sched_getparam").return ?
+{
+ name = "sched_getparam"
+ retstr = returnstr(1)
+}
+
+# sched_get_priority_max _____________________________________
+#
+# asmlinkage long
+# sys_sched_get_priority_max(int policy)
+#
+probe nd_syscall.sched_get_priority_max = kprobe.function("SyS_sched_get_priority_max") ?,
+ kprobe.function("sys_sched_get_priority_max") ?
+{
+ name = "sched_get_priority_max"
+ // policy = $policy
+ asmlinkage()
+ policy = int_arg(1)
+ argstr = sprint(policy)
+}
+probe nd_syscall.sched_get_priority_max.return = kprobe.function("SyS_sched_get_priority_max").return ?,
+ kprobe.function("sys_sched_get_priority_max").return ?
+{
+ name = "sched_get_priority_max"
+ retstr = returnstr(1)
+}
+
+# sched_get_priority_min _____________________________________
+#
+# asmlinkage long
+# sys_sched_get_priority_min(int policy)
+#
+probe nd_syscall.sched_get_priority_min = kprobe.function("SyS_sched_get_priority_min") ?,
+ kprobe.function("sys_sched_get_priority_min") ?
+{
+ name = "sched_get_priority_min"
+ // policy = $policy
+ asmlinkage()
+ policy = int_arg(1)
+ argstr = sprint(policy)
+}
+probe nd_syscall.sched_get_priority_min.return = kprobe.function("SyS_sched_get_priority_min").return ?,
+ kprobe.function("sys_sched_get_priority_min").return ?
+{
+ name = "sched_get_priority_min"
+ retstr = returnstr(1)
+}
+
+# sched_getscheduler _________________________________________
+#
+# long sys_sched_getscheduler(pid_t pid)
+#
+probe nd_syscall.sched_getscheduler = kprobe.function("SyS_sched_getscheduler") ?,
+ kprobe.function("sys_sched_getscheduler") ?
+{
+ name = "sched_getscheduler"
+ // pid = $pid
+ // argstr = sprint($pid)
+ asmlinkage()
+ pid = int_arg(1)
+ argstr = sprint(pid)
+}
+probe nd_syscall.sched_getscheduler.return = kprobe.function("SyS_sched_getscheduler").return ?,
+ kprobe.function("sys_sched_getscheduler").return ?
+{
+ name = "sched_getscheduler"
+ retstr = returnstr(1)
+}
+
+# sched_rr_get_interval ______________________________________
+#
+# long sys_sched_rr_get_interval(pid_t pid, struct timespec __user *interval)
+#
+probe nd_syscall.sched_rr_get_interval = kprobe.function("SyS_sched_rr_get_interval") ?,
+ kprobe.function("sys_sched_rr_get_interval") ?
+{
+ name = "sched_rr_get_interval"
+ // pid = $pid
+ // tp_uaddr = $interval
+ // argstr = sprintf("%d, %s", $pid, _struct_timespec_u($interval, 1))
+ asmlinkage()
+ pid = int_arg(1)
+ tp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %s", pid, _struct_timespec_u(tp_uaddr, 1))
+}
+probe nd_syscall.sched_rr_get_interval.return = kprobe.function("SyS_sched_rr_get_interval").return ?,
+ kprobe.function("sys_sched_rr_get_interval").return ?
+{
+ name = "sched_rr_get_interval"
+ retstr = returnstr(1)
+}
+
+# sched_setaffinity __________________________________________
+# long sys_sched_setaffinity(pid_t pid,
+# unsigned int len,
+# unsigned long __user *user_mask_ptr)
+# FIXME: why the problem with x86_64?
+#
+%( arch != "x86_64" %?
+probe nd_syscall.sched_setaffinity = kprobe.function("SyS_sched_setaffinity") ?,
+ kprobe.function("sys_sched_setaffinity") ?
+{
+ name = "sched_setaffinity"
+ // pid = $pid
+ // len = $len
+ // mask_uaddr = $user_mask_ptr
+ // argstr = sprintf("%d, %d, %p", $pid, $len, $user_mask_ptr)
+ asmlinkage()
+ pid = int_arg(1)
+ len = uint_arg(2)
+ mask_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", pid, len, mask_uaddr)
+}
+%:
+probe nd_syscall.sched_setaffinity = kprobe.function("SyS_sched_setaffinity") ?,
+ kprobe.function("sys_sched_setaffinity") ?
+{
+ name = "sched_setaffinity"
+ // pid = $pid
+ // len = 0
+ // mask_uaddr = $user_mask_ptr
+ // argstr = sprintf("%d, <unknown>, %p", $pid, $user_mask_ptr)
+ asmlinkage()
+ pid = int_arg(1)
+ len = 0
+ mask_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, <unknown>, %p", pid, mask_uaddr)
+}
+%)
+probe nd_syscall.sched_setaffinity.return = kprobe.function("SyS_sched_setaffinity").return ?,
+ kprobe.function("sys_sched_setaffinity").return ?
+{
+ name = "sched_setaffinity"
+ retstr = returnstr(1)
+}
+
+# sched_setparam _____________________________________________
+#
+# long sys_sched_setparam(pid_t pid, struct sched_param __user *param)
+#
+probe nd_syscall.sched_setparam = kprobe.function("SyS_sched_setparam") ?,
+ kprobe.function("sys_sched_setparam") ?
+{
+ name = "sched_setparam"
+ // pid = $pid
+ // p_uaddr = $param
+ // argstr = sprintf("%d, %p", $pid, $param)
+ asmlinkage()
+ pid = int_arg(1)
+ p_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", pid, p_uaddr)
+}
+probe nd_syscall.sched_setparam.return = kprobe.function("SyS_sched_setparam").return ?,
+ kprobe.function("sys_sched_setparam").return ?
+{
+ name = "sched_setparam"
+ retstr = returnstr(1)
+}
+
+# sched_setscheduler _________________________________________
+#
+# long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param)
+#
+probe nd_syscall.sched_setscheduler = kprobe.function("SyS_sched_setscheduler") ?,
+ kprobe.function("sys_sched_setscheduler") ?
+{
+ name = "sched_setscheduler"
+ // pid = $pid
+ // policy = $policy
+ // policy_str = _sched_policy_str($policy)
+ // p_uaddr = $param
+ // argstr = sprintf("%d, %s, %p", $pid, policy_str, $param)
+ asmlinkage()
+ pid = int_arg(1)
+ policy = int_arg(2)
+ policy_str = _sched_policy_str(policy)
+ p_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %s, %p", pid, policy_str, p_uaddr)
+}
+probe nd_syscall.sched_setscheduler.return = kprobe.function("SyS_sched_setscheduler").return ?,
+ kprobe.function("sys_sched_setscheduler").return ?
+{
+ name = "sched_setscheduler"
+ retstr = returnstr(1)
+}
+
+# sched_yield ________________________________________________
+# long sys_sched_yield(void)
+#
+probe nd_syscall.sched_yield = kprobe.function("sys_sched_yield")
+{
+ name = "sched_yield"
+ argstr = ""
+}
+probe nd_syscall.sched_yield.return = kprobe.function("sys_sched_yield").return
+{
+ name = "sched_yield"
+ retstr = returnstr(1)
+}
+
+# select _____________________________________________________
+# long sys_select(int n,
+# fd_set __user *inp,
+# fd_set __user *outp,
+# fd_set __user *exp,
+# struct timeval __user *tvp)
+#
+probe nd_syscall.select = kprobe.function("SyS_select") ?,
+ kprobe.function("sys_select") ?
+{
+ name = "select"
+ // n = $n
+ // readfds_uaddr = $inp
+ // writefds_uaddr = $outp
+ // exceptfds_uaddr = $exp
+ // timeout_uaddr = $tvp
+ // argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
+ // _struct_timeval_u($tvp, 1))
+ asmlinkage()
+ n = int_arg(1)
+ readfds_uaddr = pointer_arg(2)
+ writefds_uaddr = pointer_arg(3)
+ exceptfds_uaddr = pointer_arg(4)
+ timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %p, %p, %s", n, readfds_uaddr, writefds_uaddr,
+ exceptfds_uaddr, _struct_timeval_u(timeout_uaddr, 1))
+}
+probe nd_syscall.select.return = kprobe.function("SyS_select").return ?,
+ kprobe.function("sys_select").return ?
+{
+ name = "select"
+ retstr = returnstr(1)
+}
+# long compat_sys_select(int n,
+# compat_ulong_t __user *inp,
+# compat_ulong_t __user *outp,
+# compat_ulong_t __user *exp,
+# struct compat_timeval __user *tvp)
+#
+probe nd_syscall.compat_select = kprobe.function("compat_sys_select") ?
+{
+ name = "select"
+ // n = $n
+ // readfds_uaddr = $inp
+ // writefds_uaddr = $outp
+ // exceptfds_uaddr = $exp
+ // timeout_uaddr = $tvp
+ // argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
+ // _struct_compat_timeval_u($tvp, 1))
+ asmlinkage()
+ n = int_arg(1)
+ readfds_uaddr = pointer_arg(2)
+ writefds_uaddr = pointer_arg(3)
+ exceptfds_uaddr = pointer_arg(4)
+ timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %p, %p, %s", n, readfds_uaddr, writefds_uaddr,
+ exceptfds_uaddr, _struct_timeval_u(timeout_uaddr, 1))
+}
+probe nd_syscall.compat_select.return = kprobe.function("compat_sys_select").return ?
+{
+ name = "select"
+ retstr = returnstr(1)
+}
+
+# semctl _____________________________________________________
+# long sys_semctl (int semid,
+# int semnum,
+# int cmd,
+# union semun arg)
+#
+probe nd_syscall.semctl = kprobe.function("SyS_semctl") ?,
+ kprobe.function("sys_semctl") ?
+{
+ name = "semctl"
+ // semid = $semid
+ // semnum = $semnum
+ // cmd = $cmd
+ /*
+ * unsupported type tag identifier '$arg'
+ * arg = $arg
+ */
+ // argstr = sprintf("%d, %d, %s", $semid, $semnum, _semctl_cmd($cmd))
+ asmlinkage()
+ semid = int_arg(1)
+ semnum = int_arg(2)
+ cmd = int_arg(3)
+ argstr = sprintf("%d, %d, %s", semid, semnum, _semctl_cmd(cmd))
+}
+probe nd_syscall.semctl.return = kprobe.function("SyS_semctl").return ?,
+ kprobe.function("sys_semctl").return ?
+{
+ name = "semctl"
+ retstr = returnstr(1)
+}
+# compat_sys_semctl ________________________________________
+#
+# long compat_sys_semctl(int first, int second, int third, void __user *uptr)
+#
+probe nd_syscall.compat_sys_semctl = kprobe.function("compat_sys_semctl") ?
+{
+ name = "compat_sys_semctl"
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // NB: no asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4))
+}
+probe nd_syscall.compat_sys_semctl.return = kprobe.function("compat_sys_semctl").return ?
+{
+ name = "compat_sys_semctl"
+ retstr = returnstr(1)
+}
+
+# semget _____________________________________________________
+# long sys_semget (key_t key, int nsems, int semflg)
+#
+probe nd_syscall.semget = kprobe.function("SyS_semget") ?,
+ kprobe.function("sys_semget") ?
+{
+ name = "semget"
+ // key = $key
+ // nsems = $nsems
+ // semflg = $semflg
+ // argstr = sprintf("%d, %d, %s", $key, $nsems, __sem_flags($semflg))
+ asmlinkage()
+ key = int_arg(1)
+ nsems = int_arg(2)
+ semflg = int_arg(3)
+ argstr = sprintf("%d, %d, %s", key, nsems, __sem_flags(semflg))
+}
+probe nd_syscall.semget.return = kprobe.function("SyS_semget").return ?,
+ kprobe.function("sys_semget").return ?
+{
+ name = "semget"
+ retstr = returnstr(1)
+}
+
+# semop ______________________________________________________
+#
+# long sys_semop (int semid,
+# struct sembuf __user *tsops,
+# unsigned nsops)
+#
+probe nd_syscall.semop = kprobe.function("SyS_semtimedop") ?,
+ kprobe.function("sys_semtimedop") ?
+{
+ name = "semop"
+ // semid = $semid
+ // tsops_uaddr = $tsops
+ // nsops = $nsops
+ // argstr = sprintf("%d, %p, %d", $semid, $tsops, $nsops)
+ asmlinkage()
+ semid = int_arg(1)
+ tsops_uaddr = pointer_arg(2)
+ nsops = uint_arg(3)
+ argstr = sprintf("%d, %p, %d", semid, tsops_uaddr, nsops)
+}
+probe nd_syscall.semop.return = kprobe.function("SyS_semtimedop").return ?,
+ kprobe.function("sys_semtimedop").return ?
+{
+ name = "semop"
+ retstr = returnstr(1)
+}
+
+# semtimedop _________________________________________________
+#
+# long sys_semtimedop(int semid,
+# struct sembuf __user *tsops,
+# unsigned nsops,
+# const struct timespec __user *timeout)
+#
+probe nd_syscall.semtimedop = kprobe.function("SyS_semtimedop") ?,
+ kprobe.function("sys_semtimedop") ?
+{
+ name = "semtimedop"
+ // semid = $semid
+ // sops_uaddr = $tsops
+ // nsops = $nsops
+ // timeout_uaddr = $timeout
+ // argstr = sprintf("%d, %p, %d, %s", $semid, $tsops, $nsops,
+ // _struct_timespec_u($timeout, 1))
+ asmlinkage()
+ semid = int_arg(1)
+ sops_uaddr = pointer_arg(2)
+ nsops = uint_arg(3)
+ timeout_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %p, %d, %s", semid, sops_uaddr, nsops,
+ _struct_timespec_u(timeout_uaddr, 1))
+}
+probe nd_syscall.semtimedop.return = kprobe.function("SyS_semtimedop").return ?,
+ kprobe.function("sys_semtimedop").return ?
+{
+ name = "semtimedop"
+ retstr = returnstr(1)
+}
+
+# compat_sys_semtimedop ________________________________________
+#
+# long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
+# unsigned nsops, const struct compat_timespec __user *timeout)
+#
+probe nd_syscall.compat_sys_semtimedop = kprobe.function("compat_sys_semtimedop") ?
+{
+ name = "compat_sys_semtimedop"
+ // semid = $semid
+ // sops_uaddr = $tsems
+ // nsops = $nsops
+ // timeout_uaddr = $timeout
+ // argstr = sprintf("%d, %p, %d, %s", $semid, $tsems, $nsops,
+ // _struct_compat_timespec_u($timeout, 1))
+ // no asmlinkage
+ semid = int_arg(1)
+ sops_uaddr = pointer_arg(2)
+ nsops = uint_arg(3)
+ timeout_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %p, %d, %s", semid, sops_uaddr, nsops,
+ _struct_compat_timespec_u(timeout_uaddr, 1))
+}
+probe nd_syscall.compat_sys_semtimedop.return = kprobe.function("compat_sys_semtimedop").return ?
+{
+ name = "compat_sys_semtimedop"
+ retstr = returnstr(1)
+}
+
+# send _______________________________________________________
+#
+# long sys_send(int fd,
+# void __user * buff,
+# size_t len,
+# unsigned flags)
+#
+probe nd_syscall.send = kprobe.function("SyS_send") ?,
+ kprobe.function("sys_send") ?
+{
+ name = "send"
+ // s = $fd
+ // buf_uaddr = $buff
+ // len = $len
+ // flags = $flags
+ // flags_str = _sendflags_str($flags)
+ // argstr = sprintf("%d, %p, %d, %s", $fd, $buff, $len, flags_str)
+ asmlinkage()
+ s = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ flags = uint_arg(4)
+ flags_str = _sendflags_str(flags)
+ argstr = sprintf("%d, %p, %d, %s", s, buf_uaddr, len, flags_str)
+}
+probe nd_syscall.send.return = kprobe.function("SyS_send").return ?,
+ kprobe.function("sys_send").return ?
+{
+ name = "send"
+ retstr = returnstr(1)
+}
+
+# sendfile ___________________________________________________
+#
+# ssize_t sys_sendfile[64](int out_fd,
+# int in_fd,
+# off_t __user *offset,
+# size_t count)
+#
+probe nd_syscall.sendfile = kprobe.function("SyS_sendfile") ?,
+ kprobe.function("sys_sendfile") ?,
+ kprobe.function("SyS_sendfile64") ?,
+ kprobe.function("sys_sendfile64") ?
+{
+ name = "sendfile"
+ // out_fd = $out_fd
+ // in_fd = $in_fd
+ // offset_uaddr = $offset
+ // count = $count
+ // argstr = sprintf("%d, %d, %p, %d", $out_fd, $in_fd, $offset,
+ // $count)
+ asmlinkage()
+ out_fd = int_arg(1)
+ in_fd = int_arg(2)
+ offset_uaddr = pointer_arg(3)
+ count = ulong_arg(4)
+ argstr = sprintf("%d, %d, %p, %d", out_fd, in_fd, offset_uaddr,
+ count)
+}
+probe nd_syscall.sendfile.return = kprobe.function("SyS_sendfile").return ?,
+ kprobe.function("sys_sendfile").return ?,
+ kprobe.function("SyS_sendfile64").return ?,
+ kprobe.function("sys_sendfile64").return ?
+{
+ name = "sendfile"
+ retstr = returnstr(1)
+}
+
+# sendmsg ____________________________________________________
+#
+# long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
+#
+probe nd_syscall.sendmsg = kprobe.function("SyS_sendmsg") ?,
+ kprobe.function("sys_sendmsg") ?
+{
+ name = "sendmsg"
+ // s = $fd
+ // msg_uaddr = $msg
+ // flags = $flags
+ // flags_str = _sendflags_str($flags)
+ // argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
+ asmlinkage()
+ s = int_arg(1)
+ msg_uaddr = pointer_arg(2)
+ flags = uint_arg(3)
+ flags_str = _sendflags_str(flags)
+ argstr = sprintf("%d, %p, %s", s, msg_uaddr, _sendflags_str(flags))
+}
+probe nd_syscall.sendmsg.return = kprobe.function("SyS_sendmsg").return ?,
+ kprobe.function("sys_sendmsg").return ?
+{
+ name = "sendmsg"
+ retstr = returnstr(1)
+}
+
+# compat_sys_sendmsg ________________________________________
+#
+# long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
+#
+probe nd_syscall.compat_sys_sendmsg = kprobe.function("compat_sys_sendmsg") ?
+{
+ name = "compat_sys_sendmsg"
+ // s = $fd
+ // msg_uaddr = $msg
+ // flags = $flags
+ // argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
+ asmlinkage()
+ s = int_arg(1)
+ msg_uaddr = pointer_arg(2)
+ flags = uint_arg(3)
+ argstr = sprintf("%d, %p, %s", s, msg_uaddr, _sendflags_str(flags))
+}
+probe nd_syscall.compat_sys_sendmsg.return = kprobe.function("compat_sys_sendmsg").return ?
+{
+ name = "compat_sys_sendmsg"
+ retstr = returnstr(1)
+}
+
+# sendto _____________________________________________________
+#
+# long sys_sendto(int fd,
+# void __user * buff,
+# size_t len,
+# unsigned flags,
+# struct sockaddr __user *addr,
+# int addr_len)
+#
+probe nd_syscall.sendto = kprobe.function("SyS_sendto") ?,
+ kprobe.function("sys_sendto") ?
+{
+ name = "sendto"
+ // s = $fd
+ // buf_uaddr = $buff
+ // len = $len
+ // flags = $flags
+ // flags_str = _sendflags_str($flags)
+ // to_uaddr = $addr
+ // tolen = $addr_len
+ // argstr = sprintf("%d, %p, %d, %s, %s, %d", $fd, $buff,
+ // $len, flags_str, _struct_sockaddr_u($addr, $addr_len), $addr_len)
+ asmlinkage()
+ s = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ flags = uint_arg(4)
+ flags_str = _sendflags_str(flags)
+ to_uaddr = pointer_arg(5)
+ tolen = int_arg(6)
+ argstr = sprintf("%d, %p, %d, %s, %s, %d", s, buf_uaddr,
+ len, flags_str, _struct_sockaddr_u(to_uaddr, tolen), tolen)
+}
+probe nd_syscall.sendto.return = kprobe.function("SyS_sendto").return ?,
+ kprobe.function("sys_sendto").return ?
+{
+ name = "sendto"
+ retstr = returnstr(1)
+}
+
+# setdomainname ______________________________________________
+#
+# asmlinkage long
+# sys_setdomainname(char __user *name,
+# int len)
+#
+probe nd_syscall.setdomainname = kprobe.function("SyS_setdomainname") ?,
+ kprobe.function("sys_setdomainname") ?
+{
+ name = "setdomainname"
+ // hostname_uaddr = $name
+ // len = $len
+ // argstr = sprintf("%p, %d", $name, $len)
+ asmlinkage()
+ hostname_uaddr = pointer_arg(1)
+ len = int_arg(2)
+ argstr = sprintf("%p, %d", hostname_uaddr, len)
+}
+probe nd_syscall.setdomainname.return = kprobe.function("SyS_setdomainname").return ?,
+ kprobe.function("sys_setdomainname").return ?
+{
+ name = "setdomainname"
+ retstr = returnstr(1)
+}
+
+# setfsgid ___________________________________________________
+# long sys_setfsgid(gid_t gid)
+# long sys_setfsgid16(old_gid_t gid)
+#
+probe nd_syscall.setfsgid = kprobe.function("sys_setfsgid16") ?,
+ kprobe.function("SyS_setfsgid") ?,
+ kprobe.function("sys_setfsgid") ?
+{
+ name = "setfsgid"
+ // fsgid = $gid
+ // argstr = sprint($gid)
+ asmlinkage()
+ fsgid = uint_arg(1)
+ argstr = sprint(fsgid)
+}
+probe nd_syscall.setfsgid.return = kprobe.function("sys_setfsgid16").return ?,
+ kprobe.function("SyS_setfsgid").return ?,
+ kprobe.function("sys_setfsgid").return ?
+{
+ name = "setfsgid"
+ retstr = returnstr(1)
+}
+
+# setfsuid ___________________________________________________
+# long sys_setfsuid(uid_t uid)
+# long sys_setfsuid16(old_uid_t uid)
+#
+probe nd_syscall.setfsuid = kprobe.function("sys_setfsuid16") ?,
+ kprobe.function("SyS_setfsuid") ?,
+ kprobe.function("sys_setfsuid") ?
+{
+ name = "setfsuid"
+ // fsuid = $uid
+ // argstr = sprint($uid)
+ asmlinkage()
+ fsuid = uint_arg(1)
+ argstr = sprint(fsuid)
+}
+probe nd_syscall.setfsuid.return = kprobe.function("sys_setfsuid16").return ?,
+ kprobe.function("SyS_setfsuid").return ?,
+ kprobe.function("sys_setfsuid").return ?
+{
+ name = "setfsuid"
+ retstr = returnstr(1)
+}
+
+# setgid _____________________________________________________
+#
+# long sys_setgid(gid_t gid)
+# long sys_setgid16(old_gid_t gid)
+#
+probe nd_syscall.setgid = kprobe.function("sys_setgid16") ?,
+ kprobe.function("SyS_setgid") ?,
+ kprobe.function("sys_setgid") ?
+{
+ name = "setgid"
+ // gid = $gid
+ // argstr = sprint($gid)
+ asmlinkage()
+ gid = uint_arg(1)
+ argstr = sprint(gid)
+}
+probe nd_syscall.setgid.return = kprobe.function("sys_setgid16").return ?,
+ kprobe.function("SyS_setgid").return ?,
+ kprobe.function("sys_setgid").return ?
+{
+ name = "setgid"
+ retstr = returnstr(1)
+}
+
+# setgroups __________________________________________________
+#
+# long sys_setgroups(int gidsetsize, gid_t __user *grouplist)
+# long sys_setgroups16(int gidsetsize, old_gid_t __user *grouplist)
+# long sys32_setgroups16(int gidsetsize, u16 __user *grouplist)
+#
+probe nd_syscall.setgroups = kprobe.function("sys_setgroups16") ?,
+ kprobe.function("sys32_setgroups16") ?,
+ kprobe.function("SyS_setgroups") ?,
+ kprobe.function("sys_setgroups") ?
+{
+ name = "setgroups"
+ // size = $gidsetsize
+ // list_uaddr = $grouplist
+ // argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+ asmlinkage()
+ size = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", size, list_uaddr)
+}
+probe nd_syscall.setgroups.return = kprobe.function("sys_setgroups16").return ?,
+ kprobe.function("sys32_setgroups16").return ?,
+ kprobe.function("SyS_setgroups").return ?,
+ kprobe.function("sys_setgroups").return ?
+{
+ name = "setgroups"
+ retstr = returnstr(1)
+}
+
+# sethostname ________________________________________________
+#
+# asmlinkage long
+# sys_sethostname(char __user *name,
+# int len)
+#
+probe nd_syscall.sethostname = kprobe.function("SyS_sethostname") ?,
+ kprobe.function("sys_sethostname") ?
+{
+ name = "sethostname"
+ // hostname_uaddr = $name
+ // name_str = user_string($name)
+ // len = $len
+ // argstr = sprintf("%s, %d", user_string_quoted($name), $len)
+ asmlinkage()
+ hostname_uaddr = pointer_arg(1)
+ name_str = user_string(hostname_uaddr)
+ len = int_arg(2)
+ argstr = sprintf("%s, %d", user_string_quoted(hostname_uaddr), len)
+}
+probe nd_syscall.sethostname.return = kprobe.function("SyS_sethostname").return ?,
+ kprobe.function("sys_sethostname").return ?
+{
+ name = "sethostname"
+ retstr = returnstr(1)
+}
+
+# setitimer __________________________________________________
+#
+# long sys_setitimer(int which,
+# struct itimerval __user *value,
+# struct itimerval __user *ovalue)
+#
+probe nd_syscall.setitimer = kprobe.function("SyS_setitimer") ?,
+ kprobe.function("sys_setitimer") ?
+{
+ name = "setitimer"
+ // which = $which
+ // value_uaddr = $value
+ // ovalue_uaddr = $ovalue
+ // argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
+ // _struct_itimerval_u($value), $ovalue)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ ovalue_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %p", _itimer_which_str(which),
+ _struct_itimerval_u(value_uaddr), ovalue_uaddr)
+}
+probe nd_syscall.setitimer.return = kprobe.function("SyS_setitimer").return ?,
+ kprobe.function("sys_setitimer").return ?
+{
+ name = "setitimer"
+ retstr = returnstr(1)
+}
+#
+# long compat_sys_setitimer(int which,
+# struct compat_itimerval __user *in,
+# struct compat_itimerval __user *out)
+#
+probe nd_syscall.compat_setitimer = kprobe.function("compat_sys_setitimer") ?
+{
+ name = "setitimer"
+ // which = $which
+ // value_uaddr = $in
+ // ovalue_uaddr = $out
+ // argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
+ // _struct_compat_itimerval_u($in), $out)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ ovalue_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %p", _itimer_which_str(which),
+ _struct_compat_itimerval_u(value_uaddr), ovalue_uaddr)
+}
+probe nd_syscall.compat_setitimer.return = kprobe.function("compat_sys_setitimer").return ?
+{
+ name = "setitimer"
+ retstr = returnstr(1)
+}
+
+# set_mempolicy ______________________________________________
+# long sys_set_mempolicy(int mode,
+# unsigned long __user *nmask,
+# unsigned long maxnode)
+#
+probe nd_syscall.set_mempolicy = kprobe.function("compat_sys_set_mempolicy") ?,
+ kprobe.function("SyS_set_mempolicy") ?,
+ kprobe.function("sys_set_mempolicy") ?
+{
+ name = "set_mempolicy"
+ // mode = $mode
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // argstr = sprintf("%d, %p, %d", $mode, $nmask, $maxnode)
+ asmlinkage()
+ mode = int_arg(1)
+ nmask_uaddr = pointer_arg(2)
+ maxnode = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", mode, nmask_uaddr, maxnode)
+}
+probe nd_syscall.set_mempolicy.return = kprobe.function("compat_sys_set_mempolicy").return ?,
+ kprobe.function("SyS_set_mempolicy").return ?,
+ kprobe.function("sys_set_mempolicy").return ?
+{
+ name = "set_mempolicy"
+ retstr = returnstr(1)
+}
+
+# setpgid ____________________________________________________
+#
+# asmlinkage long
+# sys_setpgid(pid_t pid,
+# pid_t pgid)
+#
+probe nd_syscall.setpgid = kprobe.function("SyS_setpgid") ?,
+ kprobe.function("sys_setpgid") ?
+{
+ name = "setpgid"
+ // pid = $pid
+ // pgid = $pgid
+ // argstr = sprintf("%d, %d", $pid, $pgid)
+ asmlinkage()
+ pid = int_arg(1)
+ pgid = int_arg(2)
+ argstr = sprintf("%d, %d", pid, pgid)
+}
+probe nd_syscall.setpgid.return = kprobe.function("SyS_setpgid").return ?,
+ kprobe.function("sys_setpgid").return ?
+{
+ name = "setpgid"
+ retstr = returnstr(1)
+}
+
+# setpriority ________________________________________________
+#
+# asmlinkage long
+# sys_setpriority(int which,
+# int who,
+# int niceval)
+#
+probe nd_syscall.setpriority = kprobe.function("SyS_setpriority") ?,
+ kprobe.function("sys_setpriority") ?
+{
+ name = "setpriority"
+ // which = $which
+ // which_str = _priority_which_str($which)
+ // who = $who
+ // prio = $niceval
+ // argstr = sprintf("%s, %d, %d", which_str, $who, $niceval)
+ asmlinkage()
+ which = int_arg(1)
+ which_str = _priority_which_str(which)
+ who = int_arg(2)
+ prio = int_arg(3)
+ argstr = sprintf("%s, %d, %d", which_str, who, prio)
+}
+probe nd_syscall.setpriority.return = kprobe.function("SyS_setpriority").return ?,
+ kprobe.function("sys_setpriority").return ?
+{
+ name = "setpriority"
+ retstr = returnstr(1)
+}
+
+# setregid ___________________________________________________
+# long sys_setregid(gid_t rgid, gid_t egid)
+#
+probe nd_syscall.setregid = kprobe.function("SyS_setregid") ?,
+ kprobe.function("sys_setregid") ?
+{
+ name = "setregid"
+ // rgid = __int32($rgid)
+ // egid = __int32($egid)
+ asmlinkage()
+ rgid = __int32(uint_arg(1))
+ egid = __int32(uint_arg(2))
+ argstr = sprintf("%d, %d", rgid, egid)
+}
+probe nd_syscall.setregid.return = kprobe.function("SyS_setregid").return ?,
+ kprobe.function("sys_setregid").return ?
+{
+ name = "setregid"
+ retstr = returnstr(1)
+}
+
+# setregid16 _________________________________________________
+# long sys_setregid16(old_gid_t rgid, old_gid_t egid)
+#
+probe nd_syscall.setregid16 = kprobe.function("sys_setregid16") ?
+{
+ name = "setregid"
+ // rgid = __short($rgid)
+ // egid = __short($egid)
+ asmlinkage()
+ rgid = __short(uint_arg(1))
+ egid = __short(uint_arg(2))
+ argstr = sprintf("%d, %d", rgid, egid)
+}
+probe nd_syscall.setregid16.return = kprobe.function("sys_setregid16").return ?
+{
+ name = "setregid"
+ retstr = returnstr(1)
+}
+
+# setresgid __________________________________________________
+# long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
+#
+probe nd_syscall.setresgid = kprobe.function("SyS_setresgid") ?,
+ kprobe.function("sys_setresgid") ?
+{
+ name = "setresgid"
+ // rgid = __int32($rgid)
+ // egid = __int32($egid)
+ // sgid = __int32($sgid)
+ asmlinkage()
+ rgid = __int32(uint_arg(1))
+ egid = __int32(uint_arg(2))
+ sgid = __int32(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
+}
+probe nd_syscall.setresgid.return = kprobe.function("SyS_setresgid").return ?,
+ kprobe.function("sys_setresgid").return ?
+{
+ name = "setresgid"
+ retstr = returnstr(1)
+}
+
+# setresgid16 ________________________________________________
+#
+# long sys_setresgid16(old_gid_t rgid,
+# old_gid_t egid,
+# old_gid_t sgid)
+#
+probe nd_syscall.setresgid16 = kprobe.function("sys_setresgid16") ?
+{
+ name = "setresgid"
+ // rgid = __short($rgid)
+ // egid = __short($egid)
+ // sgid = __short($sgid)
+ asmlinkage()
+ rgid = __short(uint_arg(1))
+ egid = __short(uint_arg(2))
+ sgid = __short(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
+}
+probe nd_syscall.setresgid16.return = kprobe.function("sys_setresgid16").return ?
+{
+ name = "setresgid16"
+ retstr = returnstr(1)
+}
+
+# setresuid __________________________________________________
+#
+# long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
+#
+probe nd_syscall.setresuid = kprobe.function("SyS_setresuid") ?,
+ kprobe.function("sys_setresuid") ?
+{
+ name = "setresuid"
+ // ruid = __int32($ruid)
+ // euid = __int32($euid)
+ // suid = __int32($suid)
+ asmlinkage()
+ ruid = __int32(uint_arg(1))
+ euid = __int32(uint_arg(2))
+ suid = __int32(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", ruid, euid, suid)
+}
+probe nd_syscall.setresuid.return = kprobe.function("SyS_setresuid").return ?,
+ kprobe.function("sys_setresuid").return ?
+{
+ name = "setresuid"
+ retstr = returnstr(1)
+}
+
+# setresuid16 ________________________________________________
+#
+# long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
+#
+probe nd_syscall.setresuid16 = kprobe.function("sys_setresuid16") ?
+{
+ name = "setresuid"
+ // ruid = __short($ruid)
+ // reuid = __short($euid)
+ // rsuid = __short($suid)
+ asmlinkage()
+ ruid = __short(uint_arg(1))
+ euid = __short(uint_arg(2))
+ suid = __short(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", ruid, euid, suid)
+}
+probe nd_syscall.setresuid16.return = kprobe.function("sys_setresuid16").return ?
+{
+ name = "setresuid"
+ retstr = returnstr(1)
+}
+
+# setreuid ___________________________________________________
+# long sys_setreuid(uid_t ruid, uid_t euid)
+#
+probe nd_syscall.setreuid = kprobe.function("SyS_setreuid") ?,
+ kprobe.function("sys_setreuid") ?
+{
+ name = "setreuid"
+ // ruid = __int32($ruid)
+ // euid = __int32($euid)
+ asmlinkage()
+ ruid = __int32(uint_arg(1))
+ euid = __int32(uint_arg(2))
+ argstr = sprintf("%d, %d", ruid, euid)
+}
+probe nd_syscall.setreuid.return = kprobe.function("SyS_setreuid").return ?,
+ kprobe.function("sys_setreuid").return ?
+{
+ name = "setreuid"
+ retstr = returnstr(1)
+}
+
+# setreuid16 _________________________________________________
+# long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
+#
+probe nd_syscall.setreuid16 = kprobe.function("sys_setreuid16") ?
+{
+ name = "setreuid"
+ // ruid = __short($ruid)
+ // euid = __short($euid)
+ asmlinkage()
+ ruid = __short(uint_arg(1))
+ euid = __short(uint_arg(2))
+ argstr = sprintf("%d, %d", ruid, euid)
+}
+probe nd_syscall.setreuid16.return = kprobe.function("sys_setreuid16").return ?
+{
+ name = "setreuid"
+ retstr = returnstr(1)
+}
+
+# setrlimit __________________________________________________
+#
+# asmlinkage long
+# sys_setrlimit(unsigned int resource,
+# struct rlimit __user *rlim)
+#
+probe nd_syscall.setrlimit = kprobe.function("SyS_setrlimit") ?,
+ kprobe.function("sys_setrlimit") ?
+{
+ name = "setrlimit"
+ // resource = $resource
+ // rlim_uaddr = $rlim
+ // argstr = sprintf("%s, %s", _rlimit_resource_str($resource),
+ // _struct_rlimit_u($rlim))
+ asmlinkage()
+ resource = uint_arg(1)
+ rlim_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %s", _rlimit_resource_str(resource),
+ _struct_rlimit_u(rlim_uaddr))
+}
+probe nd_syscall.setrlimit.return = kprobe.function("SyS_setrlimit").return ?,
+ kprobe.function("sys_setrlimit").return ?
+{
+ name = "setrlimit"
+ retstr = returnstr(1)
+}
+
+# setsid _____________________________________________________
+#
+# long sys_setsid(void)
+#
+probe nd_syscall.setsid = kprobe.function("sys_setsid")
+{
+ name = "setsid"
+ argstr = ""
+}
+probe nd_syscall.setsid.return = kprobe.function("sys_setsid").return
+{
+ name = "setsid"
+ retstr = returnstr(1)
+}
+
+# setsockopt _________________________________________________
+#
+# long sys_setsockopt(int fd,
+# int level,
+# int optname,
+# char __user *optval,
+# int optlen)
+#
+probe nd_syscall.setsockopt = kprobe.function("compat_sys_setsockopt") ?,
+ kprobe.function("SyS_setsockopt") ?,
+ kprobe.function("sys_setsockopt") ?
+{
+ name = "setsockopt"
+ // fd = $fd
+ // level = $level
+ // level_str = _sockopt_level_str($level)
+ // optname = $optname
+ // optname_str = _sockopt_optname_str($optname)
+ // optval_uaddr = $optval
+ // optlen = $optlen
+ // argstr = sprintf("%d, %s, %s, %p, %d", $fd, level_str,
+ // optname_str, $optval, $optlen)
+ asmlinkage()
+ fd = int_arg(1)
+ level = int_arg(2)
+ level_str = _sockopt_level_str(level)
+ optname = int_arg(3)
+ optname_str = _sockopt_optname_str(optname)
+ optval_uaddr = pointer_arg(4)
+ optlen = int_arg(5)
+ argstr = sprintf("%d, %s, %s, %p, %d", fd, level_str,
+ optname_str, optval_uaddr, optlen)
+}
+probe nd_syscall.setsockopt.return = kprobe.function("compat_sys_setsockopt").return ?,
+ kprobe.function("SyS_setsockopt").return ?,
+ kprobe.function("sys_setsockopt").return ?
+{
+ name = "setsockopt"
+ retstr = returnstr(1)
+}
+
+# set_tid_address ____________________________________________
+#
+# asmlinkage long
+# sys_set_tid_address(int __user *tidptr)
+#
+probe nd_syscall.set_tid_address = kprobe.function("SyS_set_tid_address") ?,
+ kprobe.function("sys_set_tid_address") ?
+{
+ name = "set_tid_address"
+ // tidptr_uaddr = $tidptr
+ asmlinkage()
+ tidptr_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", tidptr_uaddr)
+}
+probe nd_syscall.set_tid_address.return = kprobe.function("SyS_set_tid_address").return ?,
+ kprobe.function("sys_set_tid_address").return ?
+{
+ name = "set_tid_address"
+ retstr = returnstr(1)
+}
+
+# settimeofday _______________________________________________
+#
+# long sys_settimeofday(struct timeval __user *tv,
+# struct timezone __user *tz)
+#
+probe nd_syscall.settimeofday = kprobe.function("SyS_settimeofday") ?,
+ kprobe.function("sys_settimeofday") ?
+{
+ name = "settimeofday"
+ // ttv_uaddr = $tv
+ // ttz_uaddr = $tz
+ // targstr = sprintf("%s, %s", _struct_timeval_u($tv, 1), _struct_timezone_u($tz))
+ asmlinkage()
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %s", _struct_timeval_u(tv_uaddr, 1), _struct_timezone_u(tz_uaddr))
+}
+probe nd_syscall.settimeofday.return = kprobe.function("SyS_settimeofday").return ?,
+ kprobe.function("sys_settimeofday").return ?
+{
+ name = "settimeofday"
+ retstr = returnstr(1)
+}
+#
+# long sys32_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
+# long compat_sys_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
+#
+probe nd_syscall.settimeofday32 = kprobe.function("sys32_settimeofday") ?,
+ kprobe.function("compat_sys_settimeofday") ?
+{
+ name = "settimeofday"
+ // tv_uaddr = $tv
+ // tz_uaddr = $tz
+ // argstr = sprintf("%s, %s", _struct_compat_timeval_u($tv, 1), _struct_timezone_u($tz))
+ asmlinkage()
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %s", _struct_compat_timeval_u(tv_uaddr, 1), _struct_timezone_u(tz_uaddr))
+}
+probe nd_syscall.settimeofday32.return = kprobe.function("sys32_settimeofday").return ?,
+ kprobe.function("compat_sys_settimeofday").return ?
+{
+ name = "settimeofday"
+ retstr = returnstr(1)
+}
+
+# setuid _____________________________________________________
+#
+# long sys_setuid(uid_t uid)
+# long sys_setuid16(old_uid_t uid)
+#
+probe nd_syscall.setuid = kprobe.function("sys_setuid16") ?,
+ kprobe.function("SyS_setuid") ?,
+ kprobe.function("sys_setuid") ?
+{
+ name = "setuid"
+ // uid = $uid
+ // argstr = sprint($uid)
+ asmlinkage()
+ uid = uint_arg(1)
+ argstr = sprint(uid)
+}
+probe nd_syscall.setuid.return = kprobe.function("sys_setuid16").return ?,
+ kprobe.function("SyS_setuid").return ?,
+ kprobe.function("sys_setuid").return ?
+{
+ name = "setuid"
+ retstr = returnstr(1)
+}
+
+# setxattr ___________________________________________________
+# long sys_setxattr(char __user *path,
+# char __user *name,
+# void __user *value,
+# size_t size,
+# int flags)
+#
+probe nd_syscall.setxattr = kprobe.function("SyS_setxattr") ?,
+ kprobe.function("sys_setxattr") ?
+{
+ name = "setxattr"
+ // path_uaddr = $path
+ // path = user_string($path)
+ // name_uaddr = $name
+ // name_str = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%s, %s, %p, %d, %d",
+ // user_string_quoted($path),
+ // user_string_quoted($name),
+ // value_uaddr, $size, $flags)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name_str = user_string(name_uaddr)
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
+ argstr = sprintf("%s, %s, %p, %d, %d",
+ user_string_quoted(path_uaddr),
+ user_string_quoted(name_uaddr),
+ value_uaddr, size, flags)
+}
+probe nd_syscall.setxattr.return = kprobe.function("SyS_setxattr").return ?,
+ kprobe.function("sys_setxattr").return ?
+{
+ name = "setxattr"
+ retstr = returnstr(1)
+}
+
+# sgetmask ___________________________________________________
+#
+# sys_sgetmask(void)
+#
+probe nd_syscall.sgetmask = kprobe.function("sys_sgetmask") ?
+{
+ name = "sgetmask"
+ argstr = ""
+}
+probe nd_syscall.sgetmask.return = kprobe.function("sys_sgetmask").return ?
+{
+ name = "sgetmask"
+ retstr = returnstr(1)
+}
+
+# shmat ______________________________________________________
+#
+# long sys_shmat(int shmid, char __user *shmaddr, int shmflg)
+#
+probe nd_syscall.shmat = kprobe.function("SyS_shmat") ?,
+ kprobe.function("sys_shmat") ?
+{
+ name = "shmat"
+ // shmid = $shmid
+ // shmaddr_uaddr = $shmaddr
+ // shmflg = $shmflg
+ // argstr = sprintf("%d, %p, %s", $shmid, $shmaddr, _shmat_flags_str($shmflg))
+ asmlinkage()
+ shmid = int_arg(1)
+ shmaddr_uaddr = pointer_arg(2)
+ shmflg = int_arg(3)
+ argstr = sprintf("%d, %p, %s", shmid, shmaddr_uaddr, _shmat_flags_str(shmflg))
+}
+probe nd_syscall.shmat.return = kprobe.function("SyS_shmat").return ?,
+ kprobe.function("sys_shmat").return ?
+{
+ name = "shmat"
+ retstr = returnstr(1)
+}
+
+# compat_sys_shmat ________________________________________
+#
+# long compat_sys_shmat(int first, int second, compat_uptr_t third,
+# int version, void __user *uptr)
+#
+probe nd_syscall.compat_sys_shmat = kprobe.function("compat_sys_shmat") ?
+{
+ name = "compat_sys_shmat"
+ // first = $first
+ // second = $second
+ // third = $third
+ // uptr_uaddr = $uptr
+ // argstr = sprintf("%d, %d, %d, %d, %p", $first, $second, $third, $version, $uptr)
+ // no asmlinkage
+ first = int_arg(1)
+ second = int_arg(2)
+ third = u32_arg(3)
+ uptr_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %d, %d, %d, %p", first, second, third, int_arg(4), uptr_uaddr)
+}
+probe nd_syscall.compat_sys_shmat.return = kprobe.function("compat_sys_shmat").return ?
+{
+ name = "compat_sys_shmat"
+ retstr = returnstr(1)
+}
+
+# shmctl _____________________________________________________
+#
+# long sys_shmctl (int shmid,
+# int cmd,
+# struct shmid_ds __user *buf)
+#
+probe nd_syscall.shmctl = kprobe.function("SyS_shmctl") ?,
+ kprobe.function("sys_shmctl") ?
+{
+ name = "shmctl"
+ // shmid = $shmid
+ // cmd = $cmd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %s, %p", $shmid, _semctl_cmd($cmd), $buf)
+ asmlinkage()
+ shmid = int_arg(1)
+ cmd = int_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %s, %p", shmid, _semctl_cmd(cmd), buf_uaddr)
+}
+probe nd_syscall.shmctl.return = kprobe.function("SyS_shmctl").return ?,
+ kprobe.function("sys_shmctl").return ?
+{
+ name = "shmctl"
+ retstr = returnstr(1)
+}
+
+# compat_sys_shmctl ________________________________________
+#
+# long compat_sys_shmctl(int first, int second, void __user *uptr)
+#
+probe nd_syscall.compat_sys_shmctl = kprobe.function("compat_sys_shmctl") ?
+{
+ name = "compat_sys_shmctl"
+ // first = $first
+ // second = $second
+ // uptr_uaddr = $uptr
+ // argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ // no asmlinkages
+ first = int_arg(1)
+ second = int_arg(2)
+ uptr_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", first, second, uptr_uaddr)
+}
+probe nd_syscall.compat_sys_shmctl.return = kprobe.function("compat_sys_shmctl").return ?
+{
+ name = "compat_sys_shmctl"
+ retstr = returnstr(1)
+}
+
+# shmdt ______________________________________________________
+#
+# long sys_shmdt(char __user *shmaddr)
+#
+probe nd_syscall.shmdt = kprobe.function("SyS_shmdt") ?,
+ kprobe.function("sys_shmdt") ?
+{
+ name = "shmdt"
+ // shmaddr_uaddr = $shmaddr
+ // argstr = sprintf("%p", $shmaddr)
+ asmlinkage()
+ shmaddr_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", shmaddr_uaddr)
+}
+probe nd_syscall.shmdt.return = kprobe.function("SyS_shmdt").return ?,
+ kprobe.function("sys_shmdt").return ?
+{
+ name = "shmdt"
+ retstr = returnstr(1)
+}
+
+# shmget _____________________________________________________
+#
+# long sys_shmget (key_t key,
+# size_t size,
+# int shmflg)
+#
+probe nd_syscall.shmget = kprobe.function("SyS_shmget") ?,
+ kprobe.function("sys_shmget") ?
+{
+ name = "shmget"
+ // key = $key
+ // size = $size
+ // shmflg = $shmflg
+ // argstr = sprintf("%d, %d, %d", $key, $size, $shmflg)
+ asmlinkage()
+ key = int_arg(1)
+ size = ulong_arg(2)
+ shmflg = int_arg(3)
+ argstr = sprintf("%d, %d, %d", key, size, shmflg)
+}
+probe nd_syscall.shmget.return = kprobe.function("SyS_shmget").return ?,
+ kprobe.function("sys_shmget").return ?
+{
+ name = "shmget"
+ retstr = returnstr(1)
+}
+
+# shutdown ___________________________________________________
+#
+# long sys_shutdown(int fd, int how)
+#
+probe nd_syscall.shutdown = kprobe.function("SyS_shutdown") ?,
+ kprobe.function("sys_shutdown") ?
+{
+ name = "shutdown"
+ // s = $fd
+ // how = $how
+ // how_str = _shutdown_how_str($how)
+ // argstr = sprintf("%d, %s", $fd, how_str)
+ asmlinkage()
+ s = int_arg(1)
+ how = int_arg(2)
+ how_str = _shutdown_how_str(how)
+ argstr = sprintf("%d, %s", s, how_str)
+}
+probe nd_syscall.shutdown.return = kprobe.function("SyS_shutdown").return ?,
+ kprobe.function("sys_shutdown").return ?
+{
+ name = "shutdown"
+ retstr = returnstr(1)
+}
+
+# sigaction __________________________________________________
+# sys_sigaction(int sig, const struct old_sigaction __user *act, struct old_sigaction __user *oact)
+# sys32_sigaction(int sig, struct old_sigaction32 __user *act, struct old_sigaction32 __user *oact)
+#
+probe nd_syscall.sigaction = kprobe.function("sys_sigaction") ?
+{
+ name = "sigaction"
+ // sig = $sig
+ // act_uaddr = $act
+ // oact_uaddr = $oact
+ // argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_sigaction_u($act), $oact)
+ %( arch != "ppc64" %? asmlinkage() %)
+ sig = int_arg(1)
+ act_uaddr = pointer_arg(2)
+ oact_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, {%s}, %p", _signal_name(sig), _struct_sigaction_u(act_uaddr), oact_uaddr)
+}
+probe nd_syscall.sigaction.return = kprobe.function("sys_sigaction").return ?
+{
+ name = "sigaction"
+ retstr = returnstr(1)
+}
+probe nd_syscall.sigaction32 = kprobe.function("sys32_sigaction") ?
+{
+ name = "sigaction"
+ // sig = $sig
+ // sact_uaddr = $act
+ // soact_uaddr = $oact
+ // sargstr = sprintf("%s, %p, %p", _signal_name($sig), $act, $oact)
+ asmlinkage()
+ sig = int_arg(1)
+ act_uaddr = pointer_arg(2)
+ oact_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %p, %p", _signal_name(sig), act_uaddr, oact_uaddr)
+}
+probe nd_syscall.sigaction32.return = kprobe.function("sys32_sigaction").return ?
+{
+ name = "sigaction"
+ retstr = returnstr(1)
+}
+
+# signal _____________________________________________________
+# unsigned long sys_signal(int sig, __sighandler_t handler)
+#
+probe nd_syscall.signal = kprobe.function("SyS_signal") ?,
+ kprobe.function("sys_signal") ?
+{
+ name = "signal"
+ // sig = $sig
+ // handler = $handler
+ // argstr = sprintf("%s, %s", _signal_name($sig), _sighandler_str($handler))
+ asmlinkage()
+ sig = int_arg(1)
+ handler = pointer_arg(2)
+ argstr = sprintf("%s, %s", _signal_name(sig), _sighandler_str(handler))
+}
+probe nd_syscall.signal.return = kprobe.function("SyS_signal").return ?,
+ kprobe.function("sys_signal").return ?
+{
+ name = "signal"
+ retstr = returnstr(1)
+}
+
+# signalfd _____________________________________________________
+#
+# long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemask)
+# long compat_sys_signalfd(int ufd, const compat_sigset_t __user *sigmask,
+# compat_size_t sigsetsize)
+#
+probe nd_syscall.signalfd = kprobe.function("SyS_signalfd") ?,
+ kprobe.function("sys_signalfd") ?
+{
+ name = "signalfd"
+ // argstr = sprintf("%d, %p, %d", $ufd, $user_mask, $sizemask)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2), ulong_arg(3))
+}
+probe nd_syscall.signalfd.return = kprobe.function("SyS_signalfd").return ?,
+ kprobe.function("sys_signalfd").return ?
+{
+ name = "signalfd"
+ retstr = returnstr(1)
+}
+probe nd_syscall.compat_signalfd = kprobe.function("compat_sys_signalfd") ?
+{
+ name = "compat_signalfd"
+ // argstr = sprintf("%d, %p, %d", $ufd, $sigmask, $sigsetsize)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2), u32_arg(3))
+}
+probe nd_syscall.compat_signalfd.return = kprobe.function("compat_sys_signalfd").return ?
+{
+ name = "compat_signalfd"
+ retstr = returnstr(1)
+}
+
+# sigpending _________________________________________________
+# long sys_sigpending(old_sigset_t __user *set)
+#
+probe nd_syscall.sigpending = kprobe.function("SyS_sigpending") ?,
+ kprobe.function("sys_sigpending") ?
+{
+ name = "sigpending"
+ // argstr = sprintf("%p", $set)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sigpending.return = kprobe.function("SyS_sigpending").return ?,
+ kprobe.function("sys_sigpending").return ?
+{
+ name = "sigpending"
+ retstr = returnstr(1)
+}
+
+# sigprocmask ________________________________________________
+# long sys_sigprocmask(int how, old_sigset_t __user *set, old_sigset_t __user *oset)
+#
+probe nd_syscall.sigprocmask = kprobe.function("SyS_sigprocmask") ?,
+ kprobe.function("sys_sigprocmask") ?
+{
+ name = "sigprocmask"
+ // how = $how
+ // how_str = _sigprocmask_how_str($how)
+ // set_uaddr = $set
+ // oldset_uaddr = $oset
+ // argstr = sprintf("%s, %p, %p", how_str, $set, $oset)
+ asmlinkage()
+ how = int_arg(1)
+ how_str = _sigprocmask_how_str(how)
+ set_uaddr = pointer_arg(2)
+ oldset_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %p, %p", how_str, set_uaddr, oldset_uaddr)
+}
+probe nd_syscall.sigprocmask.return = kprobe.function("SyS_sigprocmask").return ?,
+ kprobe.function("sys_sigprocmask").return ?
+{
+ name = "sigprocmask"
+ retstr = returnstr(1)
+}
+
+# sigreturn __________________________________________________
+# int sys_sigreturn(unsigned long __unused)
+#
+probe nd_syscall.sigreturn = kprobe.function("sys_sigreturn") ?,
+ kprobe.function("sys32_sigreturn") ?
+{
+ name = "sigreturn"
+ argstr = ""
+}
+probe nd_syscall.sigreturn.return = kprobe.function("sys_sigreturn").return ?,
+ kprobe.function("sys32_sigreturn").return ?
+{
+ name = "sigreturn"
+ retstr = returnstr(1)
+}
+
+# sigsuspend _________________________________________________
+#
+probe nd_syscall.sigsuspend = kprobe.function("sys_sigsuspend") ?,
+ kprobe.function("sys32_sigsuspend") ?
+{
+ name = "sigsuspend"
+ argstr = ""
+}
+probe nd_syscall.sigsuspend.return = kprobe.function("sys_sigsuspend").return ?,
+ kprobe.function("sys32_sigsuspend").return ?
+{
+ name = "sigsuspend"
+ retstr = returnstr(1)
+}
+
+# socket _____________________________________________________
+# long sys_socket(int family, int type, int protocol)
+#
+probe nd_syscall.socket = kprobe.function("SyS_socket") ?,
+ kprobe.function("sys_socket") ?
+{
+ name = "socket"
+ // family = $family
+ // type = $type
+ // protocol = $protocol
+ // argstr = sprintf("%s, %s, %d", _sock_family_str($family),
+ // _sock_type_str($type),
+ // $protocol)
+ asmlinkage()
+ family = int_arg(1)
+ type = int_arg(2)
+ protocol = int_arg(3)
+ argstr = sprintf("%s, %s, %d", _sock_family_str(family),
+ _sock_type_str(type),
+ protocol)
+}
+probe nd_syscall.socket.return = kprobe.function("SyS_socket").return ?,
+ kprobe.function("sys_socket").return ?
+{
+ name = "socket"
+ retstr = returnstr(1)
+}
+
+# commented out because this seems redundant
+# socketcall _________________________________________________
+#
+# long sys_socketcall(int call, unsigned long __user *args)
+#
+#probe nd_syscall.socketcall = kprobe.function("sys_socketcall") ?
+#{
+# name = "socketcall"
+# call = $call
+# args_uaddr = $args
+# argstr = sprintf("%d, %p", $call, args_uaddr)
+#}
+#probe nd_syscall.socketcall.return = kprobe.function("sys_socketcall").return ?
+#{
+# name = "socketcall"
+# retstr = returnstr(1)
+#}
+
+# socketpair _________________________________________________
+# long sys_socketpair(int family,
+# int type,
+# int protocol,
+# int __user *usockvec)
+#
+probe nd_syscall.socketpair = kprobe.function("SyS_socketpair") ?,
+ kprobe.function("sys_socketpair") ?
+{
+ name = "socketpair"
+ // family = $family
+ // type = $type
+ // protocol = $protocol
+ // sv_uaddr = $usockvec
+ // argstr = sprintf("%s, %s, %d, %p",
+ // _sock_family_str($family),
+ // _sock_type_str($type),
+ // $protocol, sv_uaddr)
+ asmlinkage()
+ family = int_arg(1)
+ type = int_arg(2)
+ protocol = int_arg(3)
+ sv_uaddr = pointer_arg(4)
+ argstr = sprintf("%s, %s, %d, %p",
+ _sock_family_str(family),
+ _sock_type_str(type),
+ protocol, sv_uaddr)
+}
+probe nd_syscall.socketpair.return = kprobe.function("SyS_socketpair").return ?,
+ kprobe.function("sys_socketpair").return ?
+{
+ name = "socketpair"
+ retstr = returnstr(1)
+}
+
+# splice ___________________________________________________
+#
+# long sys_splice(int fd_in, loff_t __user *off_in,
+# int fd_out, loff_t __user *off_out,
+# size_t len, unsigned int flags)
+#
+probe nd_syscall.splice = kprobe.function("SyS_splice") ?,
+ kprobe.function("sys_splice") ?
+{
+ name = "splice"
+ // argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
+ // $fd_in, $off_in, $fd_out, $off_out, $len, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
+ int_arg(1), pointer_arg(2), int_arg(3), pointer_arg(4), ulong_arg(5), uint_arg(6))
+}
+probe nd_syscall.splice.return = kprobe.function("SyS_splice").return ?,
+ kprobe.function("sys_splice").return ?
+{
+ name = "splice"
+ retstr = returnstr(1)
+}
+
+# ssetmask ___________________________________________________
+#
+# long sys_ssetmask(int newmask)
+#
+probe nd_syscall.ssetmask = kprobe.function("SyS_ssetmask") ?,
+ kprobe.function("sys_ssetmask") ?
+{
+ name = "ssetmask"
+ // newmask = $newmask
+ // argstr = sprint($newmask)
+ asmlinkage()
+ newmask = int_arg(1)
+ argstr = sprint(newmask)
+}
+probe nd_syscall.ssetmask.return = kprobe.function("SyS_ssetmask").return ?,
+ kprobe.function("sys_ssetmask").return ?
+{
+ name = "ssetmask"
+ retstr = returnstr(1)
+}
+
+# stat _______________________________________________________
+# long sys_stat(char __user * filename, struct __old_stat __user * statbuf)
+# long sys32_stat64(char __user * filename, struct stat64 __user *statbuf)
+# long sys_stat64(char __user * filename, struct stat64 __user * statbuf)
+# long sys_oabi_stat64(char __user * filename, struct oldabi_stat64 __user * statbuf)
+# long compat_sys_newstat(char __user * filename, struct compat_stat __user *statbuf)
+probe nd_syscall.stat = kprobe.function("sys_stat") ?,
+ kprobe.function("SyS_newstat") ?,
+ kprobe.function("sys_newstat") ?,
+ kprobe.function("sys32_stat64") ?,
+ kprobe.function("SyS_stat64") ?,
+ kprobe.function("sys_stat64") ?,
+ kprobe.function("sys_oabi_stat64") ?,
+ kprobe.function("compat_sys_newstat") ?
+{
+ name = "stat"
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %p", user_string_quoted($filename), buf_uaddr)
+ asmlinkage()
+ filename_uaddr = pointer_arg(1)
+ filename = user_string(filename_uaddr)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", user_string_quoted(filename_uaddr), buf_uaddr)
+}
+probe nd_syscall.stat.return = kprobe.function("sys_stat").return ?,
+ kprobe.function("SyS_newstat").return ?,
+ kprobe.function("sys_newstat").return ?,
+ kprobe.function("sys32_stat64").return ?,
+ kprobe.function("SyS_stat64").return ?,
+ kprobe.function("sys_stat64").return ?,
+ kprobe.function("sys_oabi_stat64").return ?,
+ kprobe.function("compat_sys_newstat").return ?
+{
+ name = "stat"
+ retstr = returnstr(1)
+}
+
+# statfs _____________________________________________________
+# long sys_statfs(const char __user * path, struct statfs __user * buf)
+# long compat_sys_statfs(const char __user *path, struct compat_statfs __user *buf)
+#
+probe nd_syscall.statfs = kprobe.function("compat_sys_statfs") ?,
+ kprobe.function("SyS_statfs") ?,
+ kprobe.function("sys_statfs") ?
+{
+ name = "statfs"
+ // path = user_string($path)
+ // buf_uaddr = $buf
+ // argstr = sprintf("%s, %p", user_string_quoted($path), $buf)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
+}
+probe nd_syscall.statfs.return = kprobe.function("compat_sys_statfs").return ?,
+ kprobe.function("SyS_statfs").return ?,
+ kprobe.function("sys_statfs").return ?
+{
+ name = "statfs"
+ retstr = returnstr(1)
+}
+
+# statfs64 ___________________________________________________
+#
+# long sys_statfs64(const char __user *path, size_t sz, struct statfs64 __user *buf)
+# long compat_sys_statfs64(const char __user *path, compat_size_t sz, struct compat_statfs64 __user *buf)
+#
+probe nd_syscall.statfs64 = kprobe.function("compat_sys_statfs64") ?,
+ kprobe.function("SyS_statfs64") ?,
+ kprobe.function("sys_statfs64") ?
+{
+ name = "statfs"
+ // path = user_string($path)
+ // sz = $sz
+ // buf_uaddr = $buf
+ // argstr = sprintf("%s, %d, %p", user_string_quoted($path), $sz, $buf)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ sz = ulong_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %d, %p", user_string_quoted(pointer_arg(1)), sz, buf_uaddr)
+}
+probe nd_syscall.statfs64.return = kprobe.function("compat_sys_statfs64").return ?,
+ kprobe.function("SyS_statfs64").return ?,
+ kprobe.function("sys_statfs64").return ?
+{
+ name = "statfs"
+ retstr = returnstr(1)
+}
+
+# stime ______________________________________________________
+#
+# long sys_stime(time_t __user *tptr)
+# long compat_sys_stime(compat_time_t __user *tptr)
+#
+probe nd_syscall.stime = kprobe.function("compat_sys_stime") ?,
+ kprobe.function("SyS_stime") ?,
+ kprobe.function("sys_stime") ?
+{
+ name = "stime"
+ // t_uaddr = $tptr
+ /* FIXME. Decode time */
+ // argstr = sprintf("%p", $tptr)
+ asmlinkage()
+ t_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", t_uaddr)
+}
+probe nd_syscall.stime.return = kprobe.function("compat_sys_stime").return ?,
+ kprobe.function("SyS_stime").return ?,
+ kprobe.function("sys_stime").return ?
+{
+ name = "stime"
+ retstr = returnstr(1)
+}
+
+# swapoff ____________________________________________________
+#
+# asmlinkage long
+# sys_swapoff(const char __user * specialfile)
+#
+probe nd_syscall.swapoff = kprobe.function("SyS_swapoff") ?,
+ kprobe.function("sys_swapoff") ?
+{
+ name = "swapoff"
+ // path = user_string($specialfile)
+ // argstr = user_string_quoted($specialfile)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ argstr = user_string_quoted(pointer_arg(1))
+}
+probe nd_syscall.swapoff.return = kprobe.function("SyS_swapoff").return ?,
+ kprobe.function("sys_swapoff").return ?
+{
+ name = "swapoff"
+ retstr = returnstr(1)
+}
+
+# swapon _____________________________________________________
+#
+# asmlinkage long
+# sys_swapon(const char __user * specialfile,
+# int swap_flags)
+#
+probe nd_syscall.swapon = kprobe.function("SyS_swapon") ?,
+ kprobe.function("sys_swapon") ?
+{
+ name = "swapon"
+ // path = user_string($specialfile)
+ // swapflags = $swap_flags
+ // argstr = sprintf("%s, %d", user_string_quoted($specialfile), swapflags)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ swapflags = int_arg(2)
+ argstr = sprintf("%s, %d", user_string_quoted(pointer_arg(1)), swapflags)
+}
+probe nd_syscall.swapon.return = kprobe.function("SyS_swapon").return ?,
+ kprobe.function("sys_swapon").return ?
+{
+ name = "swapon"
+ retstr = returnstr(1)
+}
+
+# symlink ____________________________________________________
+# long sys_symlink(const char __user * oldname,
+# const char __user * newname)
+probe nd_syscall.symlink = kprobe.function("SyS_symlink") ?,
+ kprobe.function("sys_symlink") ?
+{
+ name = "symlink"
+ // oldpath = user_string($oldname)
+ // newpath = user_string($newname)
+ // argstr = sprintf("%s, %s", user_string_quoted($oldname),
+ // user_string_quoted($newname))
+ asmlinkage()
+ oldpath = user_string(pointer_arg(1))
+ newpath = user_string(pointer_arg(2))
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
+}
+probe nd_syscall.symlink.return = kprobe.function("SyS_symlink").return ?,
+ kprobe.function("sys_symlink").return ?
+{
+ name = "symlink"
+ retstr = returnstr(1)
+}
+
+# symlinkat __________________________________________________
+# new function with 2.6.16
+# long sys_symlinkat(const char __user *oldname, int newdfd,
+# const char __user *newname)
+probe nd_syscall.symlinkat = kprobe.function("SyS_symlinkat") ?,
+ kprobe.function("sys_symlinkat") ?
+{
+ name = "symlinkat"
+// oldname = $oldname
+// oldname_str = user_string($oldname)
+// newdfd = $newdfd
+// newdfd_str = _dfd_str($newdfd)
+// newname = $newname
+// newname_str = user_string($newname)
+// argstr = sprintf("%s, %s, %s", user_string_quoted($oldname),
+// newdfd_str, user_string_quoted($newname))
+ asmlinkage()
+ oldname = pointer_arg(1)
+ oldname_str = user_string(oldname)
+ newdfd = int_arg(2)
+ newdfd_str = _dfd_str(newdfd)
+ newname = pointer_arg(3)
+ newname_str = user_string(newname)
+ argstr = sprintf("%s, %s, %s", user_string_quoted(oldname),
+ newdfd_str, user_string_quoted(newname))
+}
+probe nd_syscall.symlinkat.return = kprobe.function("SyS_symlinkat").return ?,
+ kprobe.function("sys_symlinkat").return ?
+{
+ name = "symlinkat"
+ retstr = returnstr(1)
+}
+
+# sync _______________________________________________________
+#
+# sys_sync(void)
+#
+probe nd_syscall.sync = kprobe.function("sys_sync")
+{
+ name = "sync"
+ argstr = ""
+}
+probe nd_syscall.sync.return = kprobe.function("sys_sync").return
+{
+ name = "sync"
+ retstr = returnstr(1)
+}
+
+# sysctl _____________________________________________________
+#
+# long sys_sysctl(struct __sysctl_args __user *args)
+#
+probe nd_syscall.sysctl = kprobe.function("compat_sys_sysctl") ?,
+ kprobe.function("SyS_sysctl") ?,
+ kprobe.function("sys_sysctl") ?
+{
+ name = "sysctl"
+ // argstr = sprintf("%p", $args)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sysctl.return = kprobe.function("compat_sys_sysctl").return ?,
+ kprobe.function("SyS_sysctl").return ?,
+ kprobe.function("sys_sysctl").return ?
+{
+ name = "sysctl"
+ retstr = returnstr(1)
+}
+
+# sysfs ______________________________________________________
+#
+# asmlinkage long
+# sys_sysfs(int option,
+# unsigned long arg1,
+# unsigned long arg2)
+#
+probe nd_syscall.sysfs = kprobe.function("SyS_sysfs") ?,
+ kprobe.function("sys_sysfs") ?
+{
+ name = "sysfs"
+ // option = $option
+ // arg1 = $arg1
+ // arg2 = $arg2
+ // if (option == 1)
+ // argstr = sprintf("%d, %s, %d", $option, user_string_quoted($arg1), $arg2)
+ // else if (option == 2)
+ // argstr = sprintf("%d, %d, %p", $option, $arg1, $arg2)
+ // else if (option == 3)
+ // argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
+ // else
+ // argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
+ asmlinkage()
+ option = int_arg(1)
+ arg1 = ulong_arg(2)
+ arg2 = ulong_arg(3)
+ if (option == 1)
+ argstr = sprintf("%d, %s, %d", option, user_string_quoted(arg1), arg2)
+ else if (option == 2)
+ argstr = sprintf("%d, %d, %p", option, arg1, arg2)
+ else
+ argstr = sprintf("%d, %d, %d", option, arg1, arg2)
+}
+probe nd_syscall.sysfs.return = kprobe.function("SyS_sysfs").return ?,
+ kprobe.function("sys_sysfs").return ?
+{
+ name = "sysfs"
+ retstr = returnstr(1)
+}
+
+# sysinfo ____________________________________________________
+#
+# long sys_sysinfo(struct sysinfo __user *info)
+# long compat_sys_sysinfo(struct compat_sysinfo __user *info)
+probe nd_syscall.sysinfo = kprobe.function("compat_sys_sysinfo") ?,
+ kprobe.function("SyS_sysinfo") ?,
+ kprobe.function("sys_sysinfo") ?
+{
+ name = "sysinfo"
+ // info_uaddr = $info
+ // argstr = sprintf("%p", $info)
+ asmlinkage()
+ info_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", info_uaddr)
+}
+probe nd_syscall.sysinfo.return = kprobe.function("compat_sys_sysinfo").return ?,
+ kprobe.function("SyS_sysinfo").return ?,
+ kprobe.function("sys_sysinfo").return ?
+{
+ name = "sysinfo"
+ retstr = returnstr(1)
+}
+
+# syslog _____________________________________________________
+#
+# long sys_syslog(int type, char __user * buf, int len)
+#
+probe nd_syscall.syslog = kprobe.function("SyS_syslog") ?,
+ kprobe.function("sys_syslog") ?
+{
+ name = "syslog"
+ // type = $type
+ // bufp_uaddr = $buf
+ // len = $len
+ // argstr = sprintf("%d, %p, %d", $type, $buf, $len)
+ asmlinkage()
+ type = int_arg(1)
+ bufp_uaddr = pointer_arg(2)
+ len = int_arg(3)
+ argstr = sprintf("%d, %p, %d", type, bufp_uaddr, len)
+}
+probe nd_syscall.syslog.return = kprobe.function("SyS_syslog").return ?,
+ kprobe.function("sys_syslog").return ?
+{
+ name = "syslog"
+ retstr = returnstr(1)
+}
+
+# tee _____________________________________________________
+#
+# long sys_tee(int fdin, int fdout, size_t len, unsigned int flags)
+#
+probe nd_syscall.tee = kprobe.function("SyS_tee") ?,
+ kprobe.function("sys_tee") ?
+{
+ name = "tee"
+ // argstr = sprintf("%d, %d, %d, 0x%x", $fdin, $fdout, $len, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, 0x%x", int_arg(1), int_arg(2), ulong_arg(3), uint_arg(4))
+}
+probe nd_syscall.tee.return = kprobe.function("SyS_tee").return ?,
+ kprobe.function("sys_tee").return ?
+{
+ name = "tee"
+ retstr = returnstr(1)
+}
+
+# tgkill _____________________________________________________
+#
+# asmlinkage long
+# sys_tgkill(int tgid,
+# int pid,
+# int sig)
+#
+probe nd_syscall.tgkill = kprobe.function("SyS_tgkill") ?,
+ kprobe.function("sys_tgkill") ?
+{
+ name = "tgkill"
+ // tgid = $tgid
+ // pid = $pid
+ // sig = $sig
+ // argstr = sprintf("%d, %d, %s", $tgid, $pid, _signal_name($sig))
+ asmlinkage()
+ tgid = int_arg(1)
+ pid = int_arg(2)
+ sig = int_arg(3)
+ argstr = sprintf("%d, %d, %s", tgid, pid, _signal_name(sig))
+}
+probe nd_syscall.tgkill.return = kprobe.function("SyS_tgkill").return ?,
+ kprobe.function("sys_tgkill").return ?
+{
+ name = "tgkill"
+ retstr = returnstr(1)
+}
+
+# time _______________________________________________________
+#
+# long sys_time(time_t __user * tloc)
+# long sys_time64(long __user * tloc)
+# long sys32_time(compat_time_t __user * tloc)
+# long compat_sys_time(compat_time_t __user * tloc)
+#
+probe nd_syscall.time = kprobe.function("sys32_time") ?,
+ kprobe.function("sys_time64") ?,
+ kprobe.function("compat_sys_time") ?,
+ kprobe.function("SyS_time") ?,
+ kprobe.function("sys_time") ?
+{
+ name = "time"
+ // t_uaddr = $tloc
+ // argstr = sprintf("%p", $tloc)
+ asmlinkage()
+ t_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", t_uaddr)
+}
+probe nd_syscall.time.return = kprobe.function("sys32_time").return ?,
+ kprobe.function("sys_time64").return ?,
+ kprobe.function("compat_sys_time").return ?,
+ kprobe.function("SyS_time").return ?,
+ kprobe.function("sys_time").return ?
+{
+ name = "time"
+ retstr = returnstr(1)
+}
+
+# timer_create _______________________________________________
+#
+# long sys_timer_create(clockid_t which_clock,
+# struct sigevent __user *timer_event_spec,
+# timer_t __user * created_timer_id)
+#
+probe nd_syscall.timer_create = kprobe.function("SyS_timer_create") ?,
+ kprobe.function("sys_timer_create") ?
+{
+ name = "timer_create"
+ // clockid = $which_clock
+ // clockid_str = _get_wc_str($which_clock)
+ // evp_uaddr = $timer_event_spec
+ // timerid_uaddr = $created_timer_id
+ // argstr = sprintf("%s, %p, %p", clockid_str, $timer_event_spec, $created_timer_id)
+ asmlinkage()
+ clockid = int_arg(1)
+ clockid_str = _get_wc_str(clockid)
+ evp_uaddr = pointer_arg(2)
+ timerid_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %p, %p", clockid_str, evp_uaddr, timerid_uaddr)
+}
+probe nd_syscall.timer_create.return = kprobe.function("SyS_timer_create").return ?,
+ kprobe.function("sys_timer_create").return ?
+{
+ name = "timer_create"
+ retstr = returnstr(1)
+}
+
+# timer_delete _______________________________________________
+#
+# long sys_timer_delete(timer_t timer_id)
+#
+probe nd_syscall.timer_delete = kprobe.function("SyS_timer_delete") ?,
+ kprobe.function("sys_timer_delete") ?
+{
+ name = "timer_delete"
+ // timerid = $timer_id
+ // argstr = sprint($timer_id)
+ asmlinkage()
+ timerid = int_arg(1)
+ argstr = sprint(timerid)
+}
+probe nd_syscall.timer_delete.return = kprobe.function("SyS_timer_delete").return ?,
+ kprobe.function("sys_timer_delete").return ?
+{
+ name = "timer_delete"
+ retstr = returnstr(1)
+}
+
+# timer_getoverrun ___________________________________________
+#
+# long sys_timer_getoverrun(timer_t timer_id)
+#
+probe nd_syscall.timer_getoverrun = kprobe.function("SyS_timer_getoverrun") ?,
+ kprobe.function("sys_timer_getoverrun") ?
+{
+ name = "timer_getoverrun"
+ // timerid = $timer_id
+ // argstr = sprint($timer_id)
+ asmlinkage()
+ timerid = int_arg(1)
+ argstr = sprint(timerid)
+}
+probe nd_syscall.timer_getoverrun.return = kprobe.function("SyS_timer_getoverrun").return ?,
+ kprobe.function("sys_timer_getoverrun").return ?
+{
+ name = "timer_getoverrun"
+ retstr = returnstr(1)
+}
+
+# timer_gettime ______________________________________________
+#
+# long sys_timer_gettime(timer_t timer_id,
+# struct itimerspec __user *setting)
+#
+probe nd_syscall.timer_gettime = kprobe.function("SyS_timer_gettime") ?,
+ kprobe.function("sys_timer_gettime") ?
+{
+ name = "timer_gettime"
+ // timerid = $timer_id
+ // value_uaddr = $setting
+ // argstr = sprintf("%d, %p", $timer_id, $setting)
+ asmlinkage()
+ timerid = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", timerid, value_uaddr)
+}
+probe nd_syscall.timer_gettime.return = kprobe.function("SyS_timer_gettime").return ?,
+ kprobe.function("sys_timer_gettime").return ?
+{
+ name = "timer_gettime"
+ retstr = returnstr(1)
+}
+
+# timer_settime ______________________________________________
+#
+# long sys_timer_settime(timer_t timer_id,
+# int flags,
+# const struct itimerspec __user *new_setting,
+# struct itimerspec __user *old_setting)
+#
+probe nd_syscall.timer_settime = kprobe.function("SyS_timer_settime") ?,
+ kprobe.function("sys_timer_settime") ?
+{
+ name = "timer_settime"
+ // timerid = $timer_id
+ // flags = $flags
+ // value_uaddr = $new_setting
+ // ovalue_uaddr = $old_setting
+ // argstr = sprintf("%d, %d, %s, %p", $timer_id, $flags,
+ // _struct_itimerspec_u($new_setting),
+ // $old_setting)
+ asmlinkage()
+ timerid = int_arg(1)
+ flags = int_arg(2)
+ value_uaddr = pointer_arg(3)
+ ovalue_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %d, %s, %p", timerid, flags,
+ _struct_itimerspec_u(value_uaddr),
+ ovalue_uaddr)
+}
+probe nd_syscall.timer_settime.return = kprobe.function("SyS_timer_settime").return ?,
+ kprobe.function("sys_timer_settime").return ?
+{
+ name = "timer_settime"
+ retstr = returnstr(1)
+}
+
+# timerfd ______________________________________________
+#
+# long sys_timerfd(int ufd, int clockid, int flags,
+# const struct itimerspec __user *utmr)
+# long compat_sys_timerfd(int ufd, int clockid, int flags,
+# const struct compat_itimerspec __user *utmr)
+#
+probe nd_syscall.timerfd = kprobe.function("sys_timerfd") ?,
+ kprobe.function("compat_sys_timerfd") ?
+{
+ name = "timerfd"
+ // argstr = sprintf("%d, %d, 0x%x", $ufd, $clockid, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %d, 0x%x", int_arg(1), int_arg(2), int_arg(3))
+}
+probe nd_syscall.timerfd.return = kprobe.function("sys_timerfd").return ?,
+ kprobe.function("compat_sys_timerfd").return ?
+{
+ name = "timerfd"
+ retstr = returnstr(1)
+}
+
+# times ______________________________________________________
+#
+# long sys_times(struct tms __user * tbuf)
+# long compat_sys_times(struct compat_tms __user *tbuf)
+probe nd_syscall.times = kprobe.function("compat_sys_times") ?,
+ kprobe.function("SyS_times") ?,
+ kprobe.function("sys_times") ?
+{
+ name = "times"
+ // argstr = sprintf("%p", $tbuf)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.times.return = kprobe.function("compat_sys_times").return ?,
+ kprobe.function("SyS_times").return ?,
+ kprobe.function("sys_times").return ?
+{
+ name = "times"
+ retstr = returnstr(1)
+}
+
+# tkill ______________________________________________________
+#
+# asmlinkage long
+# sys_tkill(int pid,
+# int sig)
+#
+probe nd_syscall.tkill = kprobe.function("SyS_tkill") ?,
+ kprobe.function("sys_tkill") ?
+{
+ name = "tkill"
+ // pid = $pid
+ // sig = $sig
+ // argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ asmlinkage()
+ pid = int_arg(1)
+ sig = int_arg(2)
+ argstr = sprintf("%d, %s", pid, _signal_name(sig))
+}
+probe nd_syscall.tkill.return = kprobe.function("SyS_tkill").return ?,
+ kprobe.function("sys_tkill").return ?
+{
+ name = "tkill"
+ retstr = returnstr(1)
+}
+
+# truncate ___________________________________________________
+#
+# sys_truncate(const char __user * path, unsigned long length)
+# sys_truncate64(const char __user * path, loff_t length)
+#
+probe nd_syscall.truncate = kprobe.function("SyS_truncate") ?,
+ kprobe.function("sys_truncate") ?,
+ kprobe.function("sys_truncate64") ?
+{
+ name = "truncate"
+ // path_uaddr = $path
+ // path = user_string($path)
+ // length = $length
+ // argstr = sprintf("%s, %d", user_string_quoted($path), $length)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ if (probefunc() == "sys_truncate")
+ length = ulong_arg(2)
+ else
+ length = longlong_arg(2)
+ argstr = sprintf("%s, %d", user_string_quoted(path_uaddr), length)
+}
+probe nd_syscall.truncate.return = kprobe.function("SyS_truncate").return ?,
+ kprobe.function("sys_truncate").return ?,
+ kprobe.function("sys_truncate64").return ?
+{
+ name = "truncate"
+ retstr = returnstr(1)
+}
+
+# tux ________________________________________________________
+# long sys_tux (unsigned int action, user_req_t *u_info)
+#
+probe nd_syscall.tux = kprobe.function("sys_tux") ?
+{
+ name = "tux"
+ // action = $action
+ // u_info_uaddr = $u_info
+ // argstr = sprintf("%d, %p", $action, $u_info)
+ // no sys_tux in recent kernels; guessing asmlinkage
+ asmlinkage()
+ action = uint_arg(1)
+ u_info_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", action, u_info_uaddr)
+}
+probe nd_syscall.tux.return = kprobe.function("sys_tux").return ?
+{
+ name = "tux"
+ retstr = returnstr(1)
+}
+
+# umask ______________________________________________________
+# long sys_umask(int mask)
+#
+probe nd_syscall.umask = kprobe.function("SyS_umask") ?,
+ kprobe.function("sys_umask") ?
+{
+ name = "umask"
+ // mask = $mask
+ // argstr = sprintf("%#o", $mask)
+ asmlinkage()
+ mask = int_arg(1)
+ argstr = sprintf("%#o", mask)
+}
+probe nd_syscall.umask.return = kprobe.function("SyS_umask").return ?,
+ kprobe.function("sys_umask").return ?
+{
+ name = "umask"
+ retstr = returnstr(3)
+}
+
+# umount _____________________________________________________
+# long sys_umount(char __user * name, int flags)
+#
+probe nd_syscall.umount = kprobe.function("SyS_umount") ?,
+ kprobe.function("sys_umount") ?
+{
+ name = "umount"
+ // target = user_string($name)
+ // flags = $flags
+ // flags_str = _umountflags_str($flags)
+ // argstr = sprintf("%s, %s", user_string_quoted($name), flags_str)
+ asmlinkage()
+ target = user_string(pointer_arg(1))
+ flags = int_arg(2)
+ flags_str = _umountflags_str(flags)
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), flags_str)
+}
+probe nd_syscall.umount.return = kprobe.function("SyS_umount").return ?,
+ kprobe.function("sys_umount").return ?
+{
+ name = "umount"
+ retstr = returnstr(1)
+}
+
+# uname ______________________________________________________
+#
+# int sys_uname(struct old_utsname __user *name)
+# long sys_newuname(struct new_utsname __user * name)
+# int sys_olduname(struct oldold_utsname __user * name)
+# int sys32_olduname(struct oldold_utsname __user * name)
+# long sys32_uname(struct old_utsname __user * name)
+#
+probe nd_syscall.uname = kprobe.function("sys_uname") ?,
+ kprobe.function("sys_olduname") ?,
+ kprobe.function("sys32_olduname") ?,
+ kprobe.function("sys32_uname") ?,
+ kprobe.function("SyS_newuname") ?,
+ kprobe.function("sys_newuname") ?
+{
+ name = "uname"
+ // argstr = sprintf("%p", $name)
+ _func_name = probefunc()
+ if (_func_name != "sys32_uname") {
+ if (_func_name == "sys_uname" || _func_name == "sys_olduname") {
+ %( arch != "ppc64" %? asmlinkage() %)
+ } else
+ asmlinkage()
+ }
+ argstr = sprintf("%p", pointer_arg(1))
+}
+
+probe nd_syscall.uname.return = kprobe.function("sys_uname").return ?,
+ kprobe.function("sys_olduname").return ?,
+ kprobe.function("sys32_olduname").return ?,
+ kprobe.function("sys32_uname").return ?,
+ kprobe.function("SyS_newuname").return ?,
+ kprobe.function("sys_newuname").return ?
+{
+ name = "uname"
+ retstr = returnstr(1)
+}
+
+# unlink _____________________________________________________
+# long sys_unlink(const char __user * pathname)
+#
+probe nd_syscall.unlink = kprobe.function("SyS_unlink") ?,
+ kprobe.function("sys_unlink") ?
+{
+ name = "unlink"
+ // pathname_uaddr = $pathname
+ // pathname = user_string($pathname)
+ // argstr = user_string_quoted($pathname)
+ asmlinkage()
+ pathname_uaddr = pointer_arg(1)
+ pathname = user_string(pathname_uaddr)
+ argstr = user_string_quoted(pathname_uaddr)
+}
+probe nd_syscall.unlink.return = kprobe.function("SyS_unlink").return ?,
+ kprobe.function("sys_unlink").return ?
+{
+ name = "unlink"
+ retstr = returnstr(1)
+}
+
+# unlinkat ___________________________________________________
+# new function with 2.6.16
+# long sys_unlinkat(int dfd, const char __user *pathname,
+# int flag)
+probe nd_syscall.unlinkat = kprobe.function("SyS_unlinkat") ?,
+ kprobe.function("sys_unlinkat") ?
+{
+ name = "unlinkat"
+ // dfd = $dfd
+ // dfd_str = _dfd_str($dfd)
+ // pathname = $pathname
+ // pathname_str = user_string($pathname)
+ // flag = $flag
+ // flag_str = _at_flag_str($flag)
+ // argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted($pathname), flag_str)
+ asmlinkage()
+ dfd = int_arg(1)
+ dfd_str = _dfd_str(dfd)
+ pathname = pointer_arg(2)
+ pathname_str = user_string(pathname)
+ flag = int_arg(3)
+ flag_str = _at_flag_str(flag)
+ argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted(pathname), flag_str)
+}
+probe nd_syscall.unlinkat.return = kprobe.function("SyS_unlinkat").return ?,
+ kprobe.function("sys_unlinkat").return ?
+{
+ name = "unlinkat"
+ retstr = returnstr(1)
+}
+
+# unshare ____________________________________________________
+# new function with 2.6.16
+# long sys_unshare(unsigned long unshare_flags)
+probe nd_syscall.unshare = kprobe.function("SyS_unshare") ?,
+ kprobe.function("sys_unshare") ?
+{
+ name = "unshare"
+ // unshare_flags = $unshare_flags
+ asmlinkage()
+ unshare_flags = ulong_arg(1)
+ argstr = __fork_flags(unshare_flags)
+}
+probe nd_syscall.unshare.return = kprobe.function("SyS_unshare").return ?,
+ kprobe.function("sys_unshare").return ?
+{
+ name = "unshare"
+ retstr = returnstr(1)
+}
+
+# uselib _____________________________________________________
+#
+# asmlinkage long
+# sys_uselib(const char __user * library)
+#
+probe nd_syscall.uselib = kprobe.function("SyS_uselib") ?,
+ kprobe.function("sys_uselib") ?
+{
+ name = "uselib"
+ // library_uaddr = $library
+ // library = user_string($library)
+ // argstr = user_string_quoted($library)
+ asmlinkage()
+ library_uaddr = pointer_arg(1)
+ library = user_string(library_uaddr)
+ argstr = user_string_quoted(library_uaddr)
+}
+probe nd_syscall.uselib.return = kprobe.function("SyS_uselib").return ?,
+ kprobe.function("sys_uselib").return ?
+{
+ name = "uselib"
+ retstr = returnstr(1)
+}
+
+# ustat ______________________________________________________
+# long sys_ustat(unsigned dev, struct ustat __user * ubuf)
+#
+probe nd_syscall.ustat = kprobe.function("SyS_ustat") ?,
+ kprobe.function("sys_ustat") ?
+{
+ name = "ustat"
+ // dev = $dev
+ // ubuf_uaddr = $ubuf
+ // argstr = sprintf("%d, %p", $dev, $ubuf)
+ asmlinkage()
+ dev = uint_arg(1)
+ ubuf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", dev, ubuf_uaddr)
+}
+
+#long sys32_ustat(unsigned dev, struct ustat32 __user *u32p)
+probe nd_syscall.ustat32 = kprobe.function("sys32_ustat") ?
+{
+ name = "ustat"
+ // dev = $dev
+ // argstr = sprintf("%d, %p", $dev, $u32p)
+ // no asmlinkage
+ dev = uint_arg(1)
+ argstr = sprintf("%d, %p", dev, pointer_arg(2))
+}
+
+probe nd_syscall.ustat.return = kprobe.function("SyS_ustat").return ?,
+ kprobe.function("sys_ustat").return ?,
+ kprobe.function("sys32_ustat").return ?
+{
+ name = "ustat"
+ retstr = returnstr(1)
+}
+
+# utime ______________________________________________________
+# long sys_utime(char __user * filename, struct utimbuf __user * times)
+probe nd_syscall.utime = kprobe.function("SyS_utime") ?,
+ kprobe.function("sys_utime") ?
+{
+ name = "utime"
+ asmlinkage()
+ filename_uaddr = pointer_arg(1)
+ filename = user_string_quoted(filename_uaddr)
+ buf_uaddr = pointer_arg(2)
+ actime = _struct_utimbuf_actime(buf_uaddr)
+ modtime = _struct_utimbuf_modtime(buf_uaddr)
+ argstr = sprintf("%s, [%s, %s]", filename,
+ ctime(actime), ctime(modtime))
+}
+probe nd_syscall.utime.return = kprobe.function("SyS_utime").return ?,
+ kprobe.function("sys_utime").return ?
+{
+ name = "utime"
+ retstr = returnstr(1)
+}
+
+# long compat_sys_utime(char __user *filename, struct compat_utimbuf __user *t)
+probe nd_syscall.compat_utime = kprobe.function("compat_sys_utime") ?
+{
+ name = "utime"
+ asmlinkage()
+ filename_uaddr = pointer_arg(1)
+ filename = user_string_quoted(filename_uaddr)
+ buf_uaddr = pointer_arg(2)
+ actime = _struct_compat_utimbuf_actime(buf_uaddr)
+ modtime = _struct_compat_utimbuf_modtime(buf_uaddr)
+ argstr = sprintf("%s, [%s, %s]", filename,
+ ctime(actime), ctime(modtime))
+}
+probe nd_syscall.compat_utime.return = kprobe.function("compat_sys_utime").return ?
+{
+ name = "utime"
+ retstr = returnstr(1)
+}
+
+# utimes _____________________________________________________
+#
+# long sys_utimes(char __user * filename, struct timeval __user * utimes)
+#
+probe nd_syscall.utimes = kprobe.function("SyS_utimes") ?,
+ kprobe.function("sys_utimes") ?
+{
+ name = "utimes"
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s", user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ filename_uaddr = pointer_arg(1)
+ filename = user_string(filename_uaddr)
+ tvp_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %s", user_string_quoted(filename_uaddr),
+ _struct_timeval_u(tvp_uaddr, 2))
+}
+probe nd_syscall.utimes.return = kprobe.function("SyS_utimes").return ?,
+ kprobe.function("sys_utimes").return ?
+{
+ name = "utimes"
+ retstr = returnstr(1)
+}
+
+# compat_sys_utimes ________________________________________
+#
+# long compat_sys_utimes(char __user *filename, struct compat_timeval __user *t)
+#
+probe nd_syscall.compat_sys_utimes = kprobe.function("compat_sys_utimes") ?
+{
+ name = "utimes"
+ // filename = user_string($filename)
+ // argstr = sprintf("%s, %s", user_string_quoted($filename),
+ // _struct_compat_timeval_u($t, 2))
+ asmlinkage()
+ filename = user_string(pointer_arg(1))
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
+ _struct_compat_timeval_u(pointer_arg(2), 2))
+}
+probe nd_syscall.compat_sys_utimes.return = kprobe.function("compat_sys_utimes").return ?
+{
+ name = "utimes"
+ retstr = returnstr(1)
+}
+
+# utimensat ____________________________________________________
+# long sys_utimensat(int dfd, char __user *filename, struct timespec __user *utimes, int flags)
+# long compat_sys_utimensat(unsigned int dfd, char __user *filename, struct compat_timespec __user *t, int flags)
+#
+probe nd_syscall.utimensat = kprobe.function("SyS_utimensat") ?,
+ kprobe.function("sys_utimensat") ?
+{
+ name = "utimensat"
+ // argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timespec_u($utimes, 2),
+ // _at_flag_str($flags))
+ asmlinkage()
+ argstr = sprintf("%s, %s, %s, %s", _dfd_str(int_arg(1)), user_string_quoted(pointer_arg(2)),
+ _struct_timespec_u(pointer_arg(3), 2), _at_flag_str(int_arg(4)))
+}
+probe nd_syscall.compat_utimensat = kprobe.function("compat_sys_utimensat") ?
+{
+ name = "utimensat"
+ // argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timespec_u($t, 2),
+ // _at_flag_str($flags))
+ asmlinkage()
+ argstr = sprintf("%s, %s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
+ _struct_compat_timespec_u(pointer_arg(3), 2), _at_flag_str(int_arg(4)))
+}
+probe nd_syscall.utimensat.return = kprobe.function("SyS_utimensat").return ?,
+ kprobe.function("sys_utimensat").return ?
+{
+ name = "utimensat"
+ retstr = returnstr(1)
+}
+probe nd_syscall.compat_utimensat.return = kprobe.function("compat_sys_utimensat").return ?
+{
+ name = "utimensat"
+ retstr = returnstr(1)
+}
+
+# vhangup ____________________________________________________
+#
+# asmlinkage long
+# sys_vhangup(void)
+#
+probe nd_syscall.vhangup = kprobe.function("sys_vhangup")
+{
+ name = "vhangup"
+ argstr = ""
+}
+probe nd_syscall.vhangup.return = kprobe.function("sys_vhangup").return
+{
+ name = "vhangup"
+ retstr = returnstr(1)
+}
+
+# vmsplice ___________________________________________________
+#
+# long sys_vmsplice(int fd, const struct iovec __user *iov,
+# unsigned long nr_segs, unsigned int flags)
+# long compat_sys_vmsplice(int fd, const struct compat_iovec __user *iov32,
+# unsigned int nr_segs, unsigned int flags)
+#
+probe nd_syscall.vmsplice = kprobe.function("SyS_vmsplice") ?,
+ kprobe.function("sys_vmsplice") ?
+{
+ name = "vmsplice"
+ // argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), ulong_arg(3), uint_arg(4))
+}
+probe nd_syscall.compat_vmsplice = kprobe.function("compat_sys_vmsplice") ?
+{
+ name = "vmsplice"
+ // argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov32, $nr_segs, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), uint_arg(3), uint_arg(4))
+}
+probe nd_syscall.vmsplice.return = kprobe.function("SyS_vmsplice").return ?,
+ kprobe.function("sys_vmsplice").return ?
+{
+ name = "vmsplice"
+ retstr = returnstr(1)
+}
+probe nd_syscall.compat_vmsplice.return = kprobe.function("compat_sys_vmsplice").return ?
+{
+ name = "vmsplice"
+ retstr = returnstr(1)
+}
+
+# wait4 ______________________________________________________
+#
+# long sys_wait4(pid_t pid,
+# int __user *stat_addr,
+# int options,
+# struct rusage __user *ru)
+#
+probe nd_syscall.wait4 = kprobe.function("SyS_wait4") ?,
+ kprobe.function("sys_wait4") ?
+{
+ name = "wait4"
+ // pid = %( kernel_vr >= "2.6.25" %? $upid %: $pid%)
+ // status_uaddr = $stat_addr
+ // options = $options
+ // options_str = _wait4_opt_str($options)
+ // rusage_uaddr = $ru
+ // argstr = sprintf("%d, %p, %s, %p",
+ // %( kernel_vr >= "2.6.25" %? $upid %: $pid%),
+ // $stat_addr, _wait4_opt_str($options), $ru)
+ asmlinkage()
+ pid = int_arg(1)
+ status_uaddr = pointer_arg(2)
+ options = int_arg(3)
+ options_str = _wait4_opt_str(options)
+ rusage_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %p, %s, %p", pid, status_uaddr, _wait4_opt_str(options), rusage_uaddr)
+
+}
+probe nd_syscall.wait4.return = kprobe.function("SyS_wait4").return ?,
+ kprobe.function("sys_wait4").return ?
+{
+ name = "wait4"
+ retstr = returnstr(1)
+}
+
+# waitid _____________________________________________________
+#
+# long sys_waitid(int which,
+# pid_t pid,
+# struct siginfo __user *infop,
+# int options,
+# struct rusage __user *ru)
+#
+probe nd_syscall.waitid = kprobe.function("SyS_waitid") ?,
+ kprobe.function("sys_waitid") ?
+{
+ name = "waitid"
+ // pid = %( kernel_vr >= "2.6.25" %? $upid %: $pid%)
+ // which = $which
+ // which_str = _waitid_which_str($which)
+ // infop_uaddr = $infop
+ // options = $options
+ // options_str = _waitid_opt_str($options)
+ // rusage_uaddr = $ru
+ // argstr = sprintf("%d, %d, %p, %s, %p", $which,
+ // %( kernel_vr >= "2.6.25" %? $upid %: $pid%), $infop,
+ // _waitid_opt_str($options), $ru)
+ asmlinkage()
+ pid = int_arg(1)
+ which = int_arg(2)
+ which_str = _waitid_which_str(which)
+ infop_uaddr = pointer_arg(3)
+ options = int_arg(4)
+ options_str = _waitid_opt_str(options)
+ rusage_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %d, %p, %s, %p", which,
+ pid, infop_uaddr, _waitid_opt_str(options), rusage_uaddr)
+}
+probe nd_syscall.waitid.return = kprobe.function("SyS_waitid").return ?,
+ kprobe.function("sys_waitid").return ?
+{
+ name = "waitid"
+ retstr = returnstr(1)
+}
+
+/* FIXME:
+# waitpid ____________________________________________________
+#
+# long sys_wait4(pid_t pid,
+# int __user *stat_addr,
+# int options,
+# struct rusage __user *ru)
+#
+probe nd_syscall.waitpid = kprobe.function("SyS_wait4") ?,
+ kprobe.function("sys_wait4") ?
+{
+ name = "waitpid"
+ pid = $pid
+ status_uaddr = $stat_addr
+ options = $options
+ options_str = _wait4_opt_str($options)
+ rusage_uaddr = $ru
+ argstr = sprintf("%d, %p, %s, %p", $pid, $stat_addr,
+ options_str, $ru)
+}
+probe nd_syscall.waitpid.return = kprobe.function("SyS_wait4").return ?,
+ kprobe.function("sys_wait4").return ?
+{
+ name = "waitpid"
+ retstr = returnstr(1)
+}
+*/
+
+# write ______________________________________________________
+#
+# ssize_t sys_write(unsigned int fd,
+# const char __user * buf,
+# size_t count)
+#
+probe nd_syscall.write = kprobe.function("SyS_write") ?,
+ kprobe.function("sys_write") ?
+{
+ name = "write"
+ // fd = $fd
+ // buf_uaddr = $buf
+ // count = $count
+ // argstr = sprintf("%d, %s, %d", $fd, text_strn(user_string($buf), syscall_string_trunc, 1), $count)
+ asmlinkage()
+ fd = uint_arg(1)
+ buf_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ argstr = sprintf("%d, %s, %d", fd, text_strn(user_string(buf_uaddr), syscall_string_trunc, 1), count)
+
+}
+probe nd_syscall.write.return = kprobe.function("SyS_write").return ?,
+ kprobe.function("sys_write").return ?
+{
+ name = "write"
+ retstr = returnstr(1)
+}
+
+# writev _____________________________________________________
+#
+# ssize_t sys_writev(unsigned long fd,
+# const struct iovec __user *vec,
+# unsigned long vlen)
+# ssize_t compat_sys_writev(unsigned long fd,
+# const struct compat_iovec __user *vec,
+# unsigned long vlen)
+#
+probe nd_syscall.writev = kprobe.function("compat_sys_writev") ?,
+ kprobe.function("SyS_writev") ?,
+ kprobe.function("sys_writev") ?
+{
+ name = "writev"
+ // vector_uaddr = $vec
+ // count = $vlen
+/* FIXME: RHEL4 U3 ppc64 can't resolve $fd */
+// %( arch != "ppc64" %?
+ // fd = $fd
+ // argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
+// %:
+ // argstr = sprintf("unknown fd, %p, %d", $vec, $vlen)
+// %)
+ asmlinkage()
+ vector_uaddr = pointer_arg(2)
+ count = ulong_arg(3)
+ fd = ulong_arg(1)
+ argstr = sprintf("%d, %p, %d", fd, vector_uaddr, count)
+}
+
+probe nd_syscall.writev.return = kprobe.function("compat_sys_writev").return ?,
+ kprobe.function("SyS_writev").return ?,
+ kprobe.function("sys_writev").return ?
+{
+ name = "writev"
+ retstr = returnstr(1)
+}
diff --git a/tapset/ppc64/nd_syscalls.stp b/tapset/ppc64/nd_syscalls.stp
new file mode 100644
index 00000000..46267507
--- /dev/null
+++ b/tapset/ppc64/nd_syscalls.stp
@@ -0,0 +1,738 @@
+# PPC64-specific system calls
+
+# sys64_time ________________________________________
+#
+# time_t sys64_time(time_t __user * tloc)
+#
+probe nd_syscall.sys64_time = kprobe.function("sys64_time") ?
+{
+ name = "sys64_time"
+ // argstr = sprintf("%p", $tloc)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sys64_time.return = kprobe.function("sys64_time").return ?
+{
+ name = "sys64_time"
+ retstr = returnstr(1)
+}
+
+# ppc64_personality ________________________________________
+#
+# long ppc64_personality(unsigned long personality)
+#
+probe nd_syscall.ppc64_personality = kprobe.function("ppc64_personality")
+{
+ name = "ppc64_personality"
+ // persona = $personality
+ // argstr = sprint($personality)
+ asmlinkage()
+ persona = ulong_arg(1)
+ argstr = sprint(persona)
+}
+probe nd_syscall.ppc64_personality.return = kprobe.function("ppc64_personality").return
+{
+ name = "ppc64_personality"
+ retstr = returnstr(1)
+}
+
+# ppc_rtas ________________________________________
+#
+# int ppc_rtas(struct rtas_args __user *uargs)
+#
+probe nd_syscall.ppc_rtas = kprobe.function("ppc_rtas") ?
+{
+ name = "ppc_rtas"
+ // uargs_uaddr = $uargs
+ // argstr = sprintf("%p", $uargs)
+ asmlinkage()
+ uargs_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", uargs_uaddr)
+}
+probe nd_syscall.ppc_rtas.return = kprobe.function("ppc_rtas").return ?
+{
+ name = "ppc_rtas"
+ retstr = returnstr(1)
+}
+
+# ppc64_sys32_stime ________________________________________
+#
+# long ppc64_sys32_stime(int __user * tptr)
+#
+probe nd_syscall.ppc64_sys32_stime = kprobe.function("ppc64_sys32_stime") ?
+{
+ name = "ppc64_sys32_stime"
+ // t_uaddr = $tptr
+ // argstr = sprintf("%p", $tptr)
+ asmlinkage()
+ t_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", t_uaddr)
+}
+probe nd_syscall.ppc64_sys32_stime.return = kprobe.function("ppc64_sys32_stime").return ?
+{
+ name = "ppc64_sys32_stime"
+ retstr = returnstr(1)
+}
+
+# sys32_ptrace ________________________________________
+# (obsolete)
+# int sys32_ptrace(long request, long pid, unsigned long addr,
+# unsigned long data)
+#
+probe nd_syscall.sys32_ptrace = kprobe.function("sys32_ptrace") ?
+{
+ name = "sys32_ptrace"
+ // request = $request
+ // pid = $pid
+ // addr = $addr
+ // data = $data
+ // argstr = sprintf("%p, %p, %p, %p", $request, $pid, $addr, $data)
+ asmlinkage()
+ request = long_arg(1)
+ pid = long_arg(2)
+ addr = ulong_arg(3)
+ data = ulong_arg(4)
+ argstr = sprintf("%p, %p, %p, %p", request, pid, addr, data)
+}
+probe nd_syscall.sys32_ptrace.return = kprobe.function("sys32_ptrace").return ?
+{
+ name = "sys32_ptrace"
+ retstr = returnstr(1)
+}
+
+# sys32_sysinfo ________________________________________
+#
+# (obsolete) long sys32_sysinfo(struct sysinfo32 __user *info)
+#
+probe nd_syscall.sys32_sysinfo = kprobe.function("sys32_sysinfo") ?
+{
+ name = "sys32_sysinfo"
+ // info_uaddr = $info
+ asmlinkage()
+ info_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", info_uaddr)
+}
+probe nd_syscall.sys32_sysinfo.return = kprobe.function("sys32_sysinfo").return ?
+{
+ name = "sys32_sysinfo"
+ retstr = returnstr(1)
+}
+
+# ipc ________________________________________
+#
+# long sys32_ipc(u32 call, u32 first, u32 second, u32 third,
+# compat_uptr_t ptr, u32 fifth)
+#
+probe nd_syscall.ipc = kprobe.function("sys32_ipc") ?
+{
+ name = "ipc"
+ // argstr = sprintf("%d, %d, %d, %d, %p, %d", $call, $first, $second,
+ // $third, $ptr, $fifth)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %d, %p, %d", uint_arg(1), uint_arg(2), uint_arg(3),
+ uint_arg(4), uint_arg(5), uint_arg(6))
+}
+probe nd_syscall.ipc.return = kprobe.function("sys32_ipc").return ?
+{
+ name = "sys_ipc"
+ retstr = returnstr(1)
+}
+
+# sys32_sigreturn ________________________________________
+#
+# long sys32_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
+# struct pt_regs *regs)
+#
+probe nd_syscall.sys32_sigreturn = kprobe.function("sys32_sigreturn") ?
+{
+ name = "sys32_sigreturn"
+ // r3 = $r3
+ // r4 = $r4
+ // // r5 = $r5
+ // r6 = $r6
+ // r7 = $r7
+ // r8 = $r8
+ // argstr = sprintf("%p, %p, %p, %p, %p, %p",
+ // $r3, $r4, $r5, $r6, $r7, $r8)
+ asmlinkage()
+ r3 = int_arg(1)
+ r4 = int_arg(2)
+ r5 = int_arg(3)
+ r6 = int_arg(4)
+ r7 = int_arg(5)
+ r8 = int_arg(6)
+ argstr = sprintf("%p, %p, %p, %p, %p, %p",
+ r3, r4, r5, r6, r7, r8)
+}
+probe nd_syscall.sys32_sigreturn.return = kprobe.function("sys32_sigreturn").return ?
+{
+ name = "sys32_sigreturn"
+ retstr = returnstr(1)
+}
+
+# sys32_adjtimex ________________________________________
+#
+# long sys32_adjtimex(struct timex32 __user *utp)
+#
+probe nd_syscall.sys32_adjtimex = kprobe.function("sys32_adjtimex") ?
+{
+ name = "sys32_adjtimex"
+ // argstr = sprintf("%p", $utp)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sys32_adjtimex.return = kprobe.function("sys32_adjtimex").return ?
+{
+ name = "sys32_adjtimex"
+ retstr = returnstr(1)
+}
+
+# sys32_getdents ________________________________________
+#
+# asmlinkage long sys32_getdents(unsigned int fd,
+# struct linux_dirent32 __user *dirent,
+# unsigned int count)
+#
+probe nd_syscall.sys32_getdents = kprobe.function("sys32_getdents") ?
+{
+ name = "sys32_getdents"
+ // fd = $fd
+ // dirp_uaddr = $dirent
+ // count = $count
+ asmlinkage()
+ fd = uint_arg(1)
+ dirp_uaddr = pointer_arg(2)
+ count = uint_arg(3)
+ argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
+}
+probe nd_syscall.sys32_getdents.return = kprobe.function("sys32_getdents").return ?
+{
+ name = "sys32_getdents"
+ retstr = returnstr(1)
+}
+
+# compat_sys_sysctl ________________________________________
+#
+# long compat_sys_sysctl(struct __sysctl_args32 __user *args)
+#
+probe nd_syscall.compat_sysctl = kprobe.function("compat_sys_sysctl") ?
+{
+ name = "sysctl"
+ // argstr = sprintf("%p", $args)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.compat_sysctl.return = kprobe.function("compat_sys_sysctl").return ?
+{
+ name = "sysctl"
+ retstr = returnstr(1)
+}
+
+# sys32_sched_setparam ________________________________________
+#
+# asmlinkage long sys32_sched_setparam(u32 pid,
+# struct sched_param __user *param)
+#
+probe nd_syscall.sys32_sched_setparam = kprobe.function("sys32_sched_setparam") ?
+{
+ name = "sys32_sched_setparam"
+ // pid = $pid
+ // param_uaddr = $param
+ asmlinkage()
+ pid = uint_arg(1)
+ param_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", pid, param_uaddr)
+}
+probe nd_syscall.sys32_sched_setparam.return = kprobe.function("sys32_sched_setparam").return ?
+{
+ name = "sys32_sched_setparam"
+ retstr = returnstr(1)
+}
+
+# sys32_sched_rr_get_interval ________________________________________
+#
+# asmlinkage long sys32_sched_rr_get_interval(u32 pid,
+# struct compat_timespec __user *interval)
+#
+probe nd_syscall.sys32_sched_rr_get_interval = kprobe.function("sys32_sched_rr_get_interval") ?
+{
+ name = "sys32_sched_rr_get_interval"
+ // pid = $pid
+ // interval_uaddr = $interval
+ asmlinkage()
+ pid = uint_arg(1)
+ interval_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", pid, interval_uaddr)
+}
+probe nd_syscall.sys32_sched_rr_get_interval.return = kprobe.function("sys32_sched_rr_get_interval").return ?
+{
+ name = "sys32_sched_rr_get_interval"
+ retstr = returnstr(1)
+}
+
+# sys32_rt_sigpending ________________________________________
+#
+# long sys32_rt_sigpending(compat_sigset_t __user *set,
+# compat_size_t sigsetsize)
+#
+probe nd_syscall.sys32_rt_sigpending = kprobe.function("sys32_rt_sigpending") ?
+{
+ name = "sys32_rt_sigpending"
+ // set_uaddr = $set
+ // sigsetsize = $sigsetsize
+ // argstr = sprintf("%p, %d", set_uaddr, $sigsetsize)
+ asmlinkage()
+ set_uaddr = pointer_arg(1)
+ sigsetsize = uint_arg(2)
+ argstr = sprintf("%p, %d", set_uaddr, sigsetsize)
+}
+probe nd_syscall.sys32_rt_sigpending.return = kprobe.function("sys32_rt_sigpending").return ?
+{
+ name = "sys32_rt_sigpending"
+ retstr = returnstr(1)
+}
+
+# sys32_rt_sigtimedwait ________________________________________
+#
+# long sys32_rt_sigtimedwait(compat_sigset_t __user *uthese,
+# compat_siginfo_t __user *uinfo,
+# struct compat_timespec __user *uts,
+# compat_size_t sigsetsize)
+#
+probe nd_syscall.sys32_rt_sigtimedwait = kprobe.function("sys32_rt_sigtimedwait") ?
+{
+ name = "sys32_rt_sigtimedwait"
+ // uthese_uaddr = $uthese
+ // uinfo_uaddr = $uinfo
+ // uts_uaddr = $uts
+ // sigsetsize = $sigsetsize
+ asmlinkage()
+ uthese_uaddr = pointer_arg(1)
+ uinfo_uaddr = pointer_arg(2)
+ uts_uaddr = pointer_arg(3)
+ sigsetsize = uint_arg(4)
+ argstr = sprintf("%p, %p, %p, %p", uthese_uaddr,
+ uinfo_uaddr, uts_uaddr, sigsetsize)
+}
+probe nd_syscall.sys32_rt_sigtimedwait.return = kprobe.function("sys32_rt_sigtimedwait").return ?
+{
+ name = "sys32_rt_sigtimedwait"
+ retstr = returnstr(1)
+}
+
+# sys32_rt_sigqueueinfo ________________________________________
+#
+# long sys32_rt_sigqueueinfo(u32 pid, u32 sig, compat_siginfo_t __user *uinfo)
+#
+probe nd_syscall.sys32_rt_sigqueueinfo = kprobe.function("sys32_rt_sigqueueinfo") ?
+{
+ name = "sys32_rt_sigqueueinfo"
+ // pid = $pid
+ // sig = $sig
+ // uinfo_uaddr = $uinfo
+ // argstr = sprintf("%p, %s, %p", pid, _signal_name($sig),
+ // uinfo_uaddr)
+ asmlinkage()
+ pid = uint_arg(1)
+ sig = uint_arg(2)
+ uinfo_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %s, %p", pid, _signal_name(sig),
+ uinfo_uaddr)
+}
+probe nd_syscall.sys32_rt_sigqueueinfo.return = kprobe.function("sys32_rt_sigqueueinfo").return ?
+{
+ name = "sys32_rt_sigqueueinfo"
+ retstr = returnstr(1)
+}
+
+# sys32_sigaltstack ________________________________________
+#
+# int sys32_sigaltstack(u32 __new, u32 __old, int r5,
+# int r6, int r7, int r8, struct pt_regs *regs)
+#
+probe nd_syscall.sys32_sigaltstack = kprobe.function("sys32_sigaltstack") ?
+{
+ name = "sys32_sigaltstack"
+ argstr = "FIXME"
+}
+probe nd_syscall.sys32_sigaltstack.return = kprobe.function("sys32_sigaltstack").return ?
+{
+ name = "sys32_sigaltstack"
+ retstr = returnstr(1)
+}
+
+# sys32_sendfile64 ________________________________________
+#
+# asmlinkage int sys32_sendfile64(int out_fd, int in_fd,
+# compat_loff_t __user *offset, s32 count)
+#
+probe nd_syscall.sys32_sendfile64 = kprobe.function("sys32_sendfile64") ?
+{
+ name = "sys32_sendfile64"
+ // out_fd = $out_fd
+ // in_fd = $in_fd
+ // offset_uaddr = $offset
+ // count = $count
+ // argstr = sprintf("%d, %d, %p, %d", $out_fd, $in_fd, offset_uaddr,
+ // $count)
+ asmlinkage()
+ out_fd = int_arg(1)
+ in_fd = int_arg(2)
+ offset_uaddr = long_arg(3)
+ count = int_arg(4)
+ argstr = sprintf("%d, %d, %p, %d", out_fd, in_fd, offset_uaddr,
+ count)
+}
+probe nd_syscall.sys32_sendfile64.return = kprobe.function("sys32_sendfile64").return ?
+{
+ name = "sys32_sendfile64"
+ retstr = returnstr(1)
+}
+
+# ppc32_timer_create ________________________________________
+#
+# long ppc32_timer_create(clockid_t clock,
+# struct compat_sigevent __user *ev32,
+# timer_t __user *timer_id)
+#
+probe nd_syscall.ppc32_timer_create = kprobe.function("ppc32_timer_create") ?
+{
+ name = "ppc32_timer_create"
+ // which_clock = $clock
+ // timer_event_spec = $ev32
+ // created_timer_id = $timer_id
+ asmlinkage()
+ which_clock = int_arg(1)
+ timer_event_spec = pointer_arg(2)
+ created_timer_id = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", which_clock, timer_event_spec,
+ created_timer_id)
+}
+probe nd_syscall.ppc32_timer_create.return = kprobe.function("ppc32_timer_create").return ?
+{
+ name = "ppc32_timer_create"
+ retstr = returnstr(1)
+}
+
+# compat_timer_settime ________________________________________
+#
+# long compat_timer_settime(timer_t timer_id, int flags,
+# struct compat_itimerspec __user *new,
+# struct compat_itimerspec __user *old)
+#
+probe nd_syscall.compat_timer_settime = kprobe.function("compat_timer_settime") ?
+{
+ name = "compat_timer_settime"
+ // timer_id = $timer_id
+ // flags = $flags
+ // new_setting_uaddr = $new
+ // old_setting_uaddr = $old
+ asmlinkage()
+ timer_id = int_arg(1)
+ flags = int_arg(2)
+ new_setting_uaddr = pointer_arg(3)
+ old_setting_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %d, %p, %p", timer_id, flags,
+ new_setting_uaddr, old_setting_uaddr)
+}
+probe nd_syscall.compat_timer_settime.return = kprobe.function("compat_timer_settime").return ?
+{
+ name = "compat_timer_settime"
+ retstr = returnstr(1)
+}
+
+# compat_timer_gettime ________________________________________
+#
+# long compat_timer_gettime(timer_t timer_id,
+# struct compat_itimerspec __user *setting)
+#
+probe nd_syscall.compat_timer_gettime = kprobe.function("compat_timer_gettime") ?
+{
+ name = "compat_timer_gettime"
+ // timer_id = $timer_id
+ // setting_uaddr = $setting
+ asmlinkage()
+ timer_id = int_arg(1)
+ setting_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", timer_id, setting_uaddr)
+}
+probe nd_syscall.compat_timer_gettime.return = kprobe.function("compat_timer_gettime").return ?
+{
+ name = "compat_timer_gettime"
+ retstr = returnstr(1)
+}
+
+# compat_clock_settime ________________________________________
+#
+# long compat_clock_settime(clockid_t which_clock,
+# struct compat_timespec __user *tp)
+#
+probe nd_syscall.compat_clock_settime = kprobe.function("compat_clock_settime") ?
+{
+ name = "compat_clock_settime"
+ // which_clock = $which_clock
+ // tp_uaddr = $tp
+ asmlinkage()
+ which_clock = int_arg(1)
+ tp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", which_clock, tp_uaddr)
+}
+probe nd_syscall.compat_clock_settime.return = kprobe.function("compat_clock_settime").return ?
+{
+ name = "compat_clock_settime"
+ retstr = returnstr(1)
+}
+
+# sys32_swapcontext ________________________________________
+#
+# long sys32_swapcontext(struct ucontext32 __user *old_ctx,
+# struct ucontext32 __user *new_ctx,
+# int ctx_size, int r6, int r7, int r8,
+# struct pt_regs *regs)
+#
+probe nd_syscall.sys32_swapcontext = kprobe.function("sys32_swapcontext") ?
+{
+ name = "sys32_swapcontext"
+ // old_ctx_uaddr = $old_ctx
+ // new_ctx_uaddr = $new_ctx
+ // r5 = $ctx_size
+ // r6 = $r6
+ // r7 = $r7
+ // r8 = $r8
+ // regs = $regs
+ asmlinkage()
+ old_ctx_uaddr = pointer_arg(1)
+ new_ctx_uaddr = pointer_arg(2)
+ r5 = int_arg(3)
+ r6 = int_arg(4)
+ r7 = int_arg(5)
+ r8 = int_arg(6)
+ regs = pointer_arg(7)
+ argstr = sprintf("%p, %p, %d, %d, %d, %d, %p",
+ old_ctx_uaddr, new_ctx_uaddr, r5, r6, r7, r8, regs)
+}
+probe nd_syscall.sys32_swapcontext.return = kprobe.function("sys32_swapcontext").return ?
+{
+ name = "sys32_swapcontext"
+ retstr = returnstr(1)
+}
+
+# sys32_utimes ________________________________________
+#
+# asmlinkage long sys32_utimes(char __user *filename,
+# struct compat_timeval __user *tvs)
+#
+probe nd_syscall.sys32_utimes = kprobe.function("sys32_utimes") ?
+{
+ name = "sys32_utimes"
+ // filename_uaddr = $filename
+ // path = user_string($filename)
+ // tvp_uaddr = $tvs
+ // argstr = sprintf("%s, %p", user_string_quoted($filename), tvp_uaddr)
+ asmlinkage()
+ filename_uaddr = pointer_arg(1)
+ path = user_string(filename_uaddr)
+ tvp_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", user_string_quoted(filename_uaddr), tvp_uaddr)
+}
+probe nd_syscall.sys32_utimes.return = kprobe.function("sys32_utimes").return ?
+{
+ name = "sys32_utimes"
+ retstr = returnstr(1)
+}
+
+# compat_mbind ________________________________________
+#
+# asmlinkage long compat_mbind(compat_ulong_t start, compat_ulong_t len,
+# compat_ulong_t mode, compat_ulong_t __user *nmask,
+# compat_ulong_t maxnode, compat_ulong_t flags)
+#
+probe nd_syscall.compat_mbind = kprobe.function("compat_mbind") ?
+{
+ name = "compat_mbind"
+ // start_uaddr = $start
+ // len = $len
+ // policy = $mode
+ // nodemask_uaddr = $nmask
+ // maxnode = $maxnode
+ // flags = $flags
+ asmlinkage()
+ start_uaddr = uint_arg(1)
+ len = uint_arg(2)
+ policy = uint_arg(3)
+ nodemask_uaddr = uint_arg(4)
+ maxnode = uint_arg(5)
+ flags = uint_arg(6)
+ argstr = sprintf("%p, %d, %d, %p, %d, %d", start_uaddr, len,
+ policy, nodemask_uaddr, maxnode, flags)
+}
+probe nd_syscall.compat_mbind.return = kprobe.function("compat_mbind").return ?
+{
+ name = "compat_mbind"
+ retstr = returnstr(1)
+}
+
+# compat_get_mempolicy ________________________________________
+#
+# asmlinkage long compat_get_mempolicy(int __user *policy,
+# compat_ulong_t __user *nmask,
+# compat_ulong_t maxnode,
+# compat_ulong_t addr, compat_ulong_t flags)
+#
+probe nd_syscall.compat_get_mempolicy = kprobe.function("compat_get_mempolicy") ?
+{
+ name = "compat_get_mempolicy"
+ // policy_uaddr = $policy
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // addr = $addr
+ // flags = $flags
+ asmlinkage()
+ policy_uaddr = int_arg(1)
+ nmask_uaddr = uint_arg(2)
+ maxnode = uint_arg(3)
+ addr = uint_arg(4)
+ flags = uint_arg(5)
+ argstr = sprintf("%p, %p, %d, %d", policy_uaddr, nmask_uaddr,
+ maxnode, addr)
+}
+probe nd_syscall.compat_get_mempolicy.return = kprobe.function("compat_get_mempolicy").return ?
+{
+ name = "compat_get_mempolicy"
+ retstr = returnstr(1)
+}
+
+# compat_set_mempolicy ________________________________________
+#
+# asmlinkage long compat_set_mempolicy(int mode, compat_ulong_t __user *nmask,
+# compat_ulong_t maxnode)
+#
+probe nd_syscall.compat_set_mempolicy = kprobe.function("compat_set_mempolicy") ?
+{
+ name = "compat_set_mempolicy"
+ // policy = $mode
+ // nodemask_uaddr = $nmask
+ // maxnode = $maxnode
+ asmlinkage()
+ policy = int_arg(1)
+ nodemask_uaddr = uint_arg(2)
+ maxnode = uint_arg(3)
+ argstr = sprintf("%d, %p, %d", policy, nodemask_uaddr, maxnode)
+}
+probe nd_syscall.compat_set_mempolicy.return = kprobe.function("compat_set_mempolicy").return ?
+{
+ name = "compat_set_mempolicy"
+ retstr = returnstr(1)
+}
+
+# mmap
+# long sys_mmap(unsigned long addr, size_t len,
+# unsigned long prot, unsigned long flags,
+# unsigned long fd, off_t offset)
+#
+probe nd_syscall.mmap = kprobe.function("sys_mmap") ?
+{
+ name = "mmap"
+ // start = $addr
+ // len = $len
+ // prot = $prot
+ // flags = $flags
+ // fd = $fd
+ // offset = $offset
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
+ // _mprotect_prot_str($prot), _mmap_flags($flags), $fd, $offset)
+ asmlinkage()
+ start = ulong_arg(1)
+ len = ulong_arg(2)
+ prot = ulong_arg(3)
+ flags = ulong_arg(4)
+ fd = ulong_arg(5)
+ offset = ulong_arg(6)
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", start, len,
+ _mprotect_prot_str(prot), _mmap_flags(flags), fd, offset)
+}
+probe nd_syscall.mmap.return = kprobe.function("sys_mmap").return ?
+{
+ name = "mmap"
+ retstr = returnstr(2)
+}
+
+# mmap2
+# long sys_mmap2(unsigned long addr, size_t len,
+# unsigned long prot, unsigned long flags,
+# unsigned long fd, unsigned long pgoff)
+# long compat_sys_mmap2(unsigned long addr, size_t len,
+# unsigned long prot, unsigned long flags,
+# unsigned long fd, unsigned long pgoff)
+#
+probe nd_syscall.mmap2 = kprobe.function("sys_mmap2") ?,
+ kprobe.function("compat_sys_mmap2") ?
+{
+ name = "mmap2"
+ // start = $addr
+ // length = $len
+ // prot = $prot
+ // flags = $flags
+ // fd = $fd
+ // pgoffset = $pgoff
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
+ // $len, _mprotect_prot_str($prot), _mmap_flags($flags),
+ // $fd, $pgoff)
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ prot = ulong_arg(3)
+ flags = ulong_arg(4)
+ fd = ulong_arg(5)
+ pgoffset = ulong_arg(6)
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", start,
+ length, _mprotect_prot_str(prot), _mmap_flags(flags),
+ fd, pgoffset)
+}
+probe nd_syscall.mmap2.return = kprobe.function("sys_mmap2").return ?,
+ kprobe.function("compat_sys_mmap2").return ?
+{
+ name = "mmap2"
+ retstr = returnstr(2)
+}
+
+# ppc64_sys_stime ________________________________________
+#
+# long ppc64_sys_stime(long __user * tptr)
+#
+probe nd_syscall.ppc64_sys_stime = kprobe.function("ppc64_sys_stime") ?
+{
+ name = "ppc64_sys_stime"
+ /* FIXME */
+ // t_uaddr = $tptr
+ asmlinkage()
+ t_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", t_uaddr)
+}
+probe nd_syscall.ppc64_sys_stime.return = kprobe.function("ppc64_sys_stime").return ?
+{
+ name = "ppc64_sys_stime"
+ retstr = returnstr(1)
+}
+
+# ppc64_newuname ________________________________________
+#
+# asmlinkage int ppc64_newuname(struct new_utsname __user * name)
+#
+probe nd_syscall.ppc64_newuname = kprobe.function("ppc64_newuname") ?
+{
+ name = "ppc64_newuname"
+ // name_uaddr = $name
+ asmlinkage()
+ name_uaddr = pointer_arg(1)
+ argstr = sprintf("%p", name_uaddr)
+}
+probe nd_syscall.ppc64_newuname.return = kprobe.function("ppc64_newuname").return ?
+{
+ name = "ppc64_newuname"
+ retstr = returnstr(1)
+}
+
+#
+#
+
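Review bot: In nd_syscall.compat_get_mempolicy the two `__user` pointers are read with `int_arg(1)` and `uint_arg(2)`, and `flags` is fetched but never placed in argstr, whose format has four conversions for a five-argument call. If `int_arg`/`uint_arg` narrow to 32 bits as their names suggest, the trace records a truncated (and for `policy`, possibly sign-extended) value instead of the address, and it silently omits the flags argument, which matters when this output serves as an audit record. I would read both pointers with `pointer_arg()` and emit every field, e.g. `argstr = sprintf("%p, %p, %d, %p, %d", policy_uaddr, nmask_uaddr, maxnode, addr, flags)`. The same pointer issue shows up in nd_syscall.sys32_sendfile64 (`offset_uaddr = long_arg(3)`). Separately, nd_syscall.ipc.return sets `name = "sys_ipc"` while the entry probe sets `"ipc"`, so scripts that pair entry and return by name will not match.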
diff --git a/tapset/ppc64/registers.stp b/tapset/ppc64/registers.stp
index e5decd81..c8713e5a 100644
--- a/tapset/ppc64/registers.stp
+++ b/tapset/ppc64/registers.stp
@@ -210,11 +210,9 @@ function u64_arg:long (argnum:long) {
return ulonglong_arg(argnum)
}
-function asmlinkage() {
-}
+function asmlinkage() %{ /* pure */ %}
-function fastcall() {
-}
+function fastcall() %{ /* pure */ %}
function regparm() %{
snprintf(CONTEXT->error_buffer, sizeof(CONTEXT->error_buffer),
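Review bot: The new `asmlinkage()` and `fastcall()` bodies are empty embedded-C blocks carrying only a `/* pure */` marker, and nothing says why the empty script functions were replaced. A one-line comment above them would help, for example `# No calling-convention setup is needed on ppc64; marked pure so the translator may drop the call.` That reading is inferred from the empty bodies, so the wording should be confirmed before it goes in. The neighbouring functions (`u64_arg` above, `regparm` below) start or end outside this hunk.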
diff --git a/tapset/ppc64/syscalls.stp b/tapset/ppc64/syscalls.stp
index 09c715c9..0518d486 100644
--- a/tapset/ppc64/syscalls.stp
+++ b/tapset/ppc64/syscalls.stp
@@ -4,11 +4,13 @@
#
# time_t sys64_time(time_t __user * tloc)
#
-probe syscall.sys64_time = kernel.function("sys64_time") ? {
+probe syscall.sys64_time = kernel.function("sys64_time") ?
+{
name = "sys64_time"
argstr = sprintf("%p", $tloc)
}
-probe syscall.sys64_time.return = kernel.function("sys64_time").return ? {
+probe syscall.sys64_time.return = kernel.function("sys64_time").return ?
+{
name = "sys64_time"
retstr = returnstr(1)
}
@@ -17,12 +19,14 @@ probe syscall.sys64_time.return = kernel.function("sys64_time").return ? {
#
# long ppc64_personality(unsigned long personality)
#
-probe syscall.ppc64_personality = kernel.function("ppc64_personality") {
+probe syscall.ppc64_personality = kernel.function("ppc64_personality")
+{
name = "ppc64_personality"
persona = $personality
argstr = sprint($personality)
}
-probe syscall.ppc64_personality.return = kernel.function("ppc64_personality").return {
+probe syscall.ppc64_personality.return = kernel.function("ppc64_personality").return
+{
name = "ppc64_personality"
retstr = returnstr(1)
}
@@ -31,12 +35,14 @@ probe syscall.ppc64_personality.return = kernel.function("ppc64_personality").re
#
# int ppc_rtas(struct rtas_args __user *uargs)
#
-probe syscall.ppc_rtas = kernel.function("ppc_rtas") ? {
+probe syscall.ppc_rtas = kernel.function("ppc_rtas") ?
+{
name = "ppc_rtas"
uargs_uaddr = $uargs
argstr = sprintf("%p", $uargs)
}
-probe syscall.ppc_rtas.return = kernel.function("ppc_rtas").return ? {
+probe syscall.ppc_rtas.return = kernel.function("ppc_rtas").return ?
+{
name = "ppc_rtas"
retstr = returnstr(1)
}
@@ -45,12 +51,14 @@ probe syscall.ppc_rtas.return = kernel.function("ppc_rtas").return ? {
#
# long ppc64_sys32_stime(int __user * tptr)
#
-probe syscall.ppc64_sys32_stime = kernel.function("ppc64_sys32_stime") ? {
+probe syscall.ppc64_sys32_stime = kernel.function("ppc64_sys32_stime") ?
+{
name = "ppc64_sys32_stime"
t_uaddr = $tptr
argstr = sprintf("%p", $tptr)
}
-probe syscall.ppc64_sys32_stime.return = kernel.function("ppc64_sys32_stime").return ? {
+probe syscall.ppc64_sys32_stime.return = kernel.function("ppc64_sys32_stime").return ?
+{
name = "ppc64_sys32_stime"
retstr = returnstr(1)
}
@@ -60,7 +68,8 @@ probe syscall.ppc64_sys32_stime.return = kernel.function("ppc64_sys32_stime").re
# int sys32_ptrace(long request, long pid, unsigned long addr,
# unsigned long data)
#
-probe syscall.sys32_ptrace = kernel.function("sys32_ptrace") ? {
+probe syscall.sys32_ptrace = kernel.function("sys32_ptrace") ?
+{
name = "sys32_ptrace"
request = $request
pid = $pid
@@ -68,7 +77,8 @@ probe syscall.sys32_ptrace = kernel.function("sys32_ptrace") ? {
data = $data
argstr = sprintf("%p, %p, %p, %p", $request, $pid, $addr, $data)
}
-probe syscall.sys32_ptrace.return = kernel.function("sys32_ptrace").return ? {
+probe syscall.sys32_ptrace.return = kernel.function("sys32_ptrace").return ?
+{
name = "sys32_ptrace"
retstr = returnstr(1)
}
@@ -77,12 +87,14 @@ probe syscall.sys32_ptrace.return = kernel.function("sys32_ptrace").return ? {
#
# (obsolete) long sys32_sysinfo(struct sysinfo32 __user *info)
#
-probe syscall.sys32_sysinfo = kernel.function("sys32_sysinfo") ? {
+probe syscall.sys32_sysinfo = kernel.function("sys32_sysinfo") ?
+{
name = "sys32_sysinfo"
info_uaddr = $info
argstr = sprintf("%p", info_uaddr)
}
-probe syscall.sys32_sysinfo.return = kernel.function("sys32_sysinfo").return ? {
+probe syscall.sys32_sysinfo.return = kernel.function("sys32_sysinfo").return ?
+{
name = "sys32_sysinfo"
retstr = returnstr(1)
}
@@ -92,12 +104,14 @@ probe syscall.sys32_sysinfo.return = kernel.function("sys32_sysinfo").return ? {
# long sys32_ipc(u32 call, u32 first, u32 second, u32 third,
# compat_uptr_t ptr, u32 fifth)
#
-probe syscall.ipc = kernel.function("sys32_ipc") ? {
+probe syscall.ipc = kernel.function("sys32_ipc") ?
+{
name = "ipc"
argstr = sprintf("%d, %d, %d, %d, %p, %d", $call, $first, $second,
- $third, $ptr, $fifth)
+ $third, $ptr, $fifth)
}
-probe syscall.ipc.return = kernel.function("sys32_ipc").return ? {
+probe syscall.ipc.return = kernel.function("sys32_ipc").return ?
+{
name = "sys_ipc"
retstr = returnstr(1)
}
@@ -107,7 +121,8 @@ probe syscall.ipc.return = kernel.function("sys32_ipc").return ? {
# long sys32_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
# struct pt_regs *regs)
#
-probe syscall.sys32_sigreturn = kernel.function("sys32_sigreturn") ? {
+probe syscall.sys32_sigreturn = kernel.function("sys32_sigreturn") ?
+{
name = "sys32_sigreturn"
r3 = $r3
r4 = $r4
@@ -118,8 +133,8 @@ probe syscall.sys32_sigreturn = kernel.function("sys32_sigreturn") ? {
argstr = sprintf("%p, %p, %p, %p, %p, %p",
$r3, $r4, $r5, $r6, $r7, $r8)
}
-probe syscall.sys32_sigreturn.return =
- kernel.function("sys32_sigreturn").return ? {
+probe syscall.sys32_sigreturn.return = kernel.function("sys32_sigreturn").return ?
+{
name = "sys32_sigreturn"
retstr = returnstr(1)
}
@@ -127,11 +142,13 @@ probe syscall.sys32_sigreturn.return =
#
# long sys32_adjtimex(struct timex32 __user *utp)
#
-probe syscall.sys32_adjtimex = kernel.function("sys32_adjtimex") ? {
+probe syscall.sys32_adjtimex = kernel.function("sys32_adjtimex") ?
+{
name = "sys32_adjtimex"
argstr = sprintf("%p", $utp)
}
-probe syscall.sys32_adjtimex.return = kernel.function("sys32_adjtimex").return ? {
+probe syscall.sys32_adjtimex.return = kernel.function("sys32_adjtimex").return ?
+{
name = "sys32_adjtimex"
retstr = returnstr(1)
}
@@ -142,15 +159,16 @@ probe syscall.sys32_adjtimex.return = kernel.function("sys32_adjtimex").return ?
# struct linux_dirent32 __user *dirent,
# unsigned int count)
#
-probe syscall.sys32_getdents = kernel.function("sys32_getdents") ? {
+probe syscall.sys32_getdents = kernel.function("sys32_getdents") ?
+{
name = "sys32_getdents"
fd = $fd
dirp_uaddr = $dirent
count = $count
argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
}
-probe syscall.sys32_getdents.return =
- kernel.function("sys32_getdents").return ? {
+probe syscall.sys32_getdents.return = kernel.function("sys32_getdents").return ?
+{
name = "sys32_getdents"
retstr = returnstr(1)
}
@@ -159,11 +177,13 @@ probe syscall.sys32_getdents.return =
#
# long compat_sys_sysctl(struct __sysctl_args32 __user *args)
#
-probe syscall.compat_sysctl = kernel.function("compat_sys_sysctl") ? {
+probe syscall.compat_sysctl = kernel.function("compat_sys_sysctl") ?
+{
name = "sysctl"
argstr = sprintf("%p", $args)
}
-probe syscall.compat_sysctl.return = kernel.function("compat_sys_sysctl").return ? {
+probe syscall.compat_sysctl.return = kernel.function("compat_sys_sysctl").return ?
+{
name = "sysctl"
retstr = returnstr(1)
}
@@ -173,14 +193,15 @@ probe syscall.compat_sysctl.return = kernel.function("compat_sys_sysctl").return
# asmlinkage long sys32_sched_setparam(u32 pid,
# struct sched_param __user *param)
#
-probe syscall.sys32_sched_setparam = kernel.function("sys32_sched_setparam") ? {
+probe syscall.sys32_sched_setparam = kernel.function("sys32_sched_setparam") ?
+{
name = "sys32_sched_setparam"
pid = $pid
param_uaddr = $param
argstr = sprintf("%d, %p", pid, param_uaddr)
}
-probe syscall.sys32_sched_setparam.return =
- kernel.function("sys32_sched_setparam").return ? {
+probe syscall.sys32_sched_setparam.return = kernel.function("sys32_sched_setparam").return ?
+{
name = "sys32_sched_setparam"
retstr = returnstr(1)
}
@@ -190,15 +211,15 @@ probe syscall.sys32_sched_setparam.return =
# asmlinkage long sys32_sched_rr_get_interval(u32 pid,
# struct compat_timespec __user *interval)
#
-probe syscall.sys32_sched_rr_get_interval =
- kernel.function("sys32_sched_rr_get_interval") ? {
+probe syscall.sys32_sched_rr_get_interval = kernel.function("sys32_sched_rr_get_interval") ?
+{
name = "sys32_sched_rr_get_interval"
pid = $pid
interval_uaddr = $interval
- argstr = sprintf("%d, %p", pid, interval_uaddr)
+ argstr = sprintf("%d, %p", pid, interval_uaddr)
}
-probe syscall.sys32_sched_rr_get_interval.return =
- kernel.function("sys32_sched_rr_get_interval").return ? {
+probe syscall.sys32_sched_rr_get_interval.return = kernel.function("sys32_sched_rr_get_interval").return ?
+{
name = "sys32_sched_rr_get_interval"
retstr = returnstr(1)
}
@@ -208,14 +229,15 @@ probe syscall.sys32_sched_rr_get_interval.return =
# long sys32_rt_sigpending(compat_sigset_t __user *set,
# compat_size_t sigsetsize)
#
-probe syscall.sys32_rt_sigpending = kernel.function("sys32_rt_sigpending") ? {
+probe syscall.sys32_rt_sigpending = kernel.function("sys32_rt_sigpending") ?
+{
name = "sys32_rt_sigpending"
set_uaddr = $set
sigsetsize = $sigsetsize
argstr = sprintf("%p, %d", set_uaddr, $sigsetsize)
}
-probe syscall.sys32_rt_sigpending.return =
- kernel.function("sys32_rt_sigpending").return ? {
+probe syscall.sys32_rt_sigpending.return = kernel.function("sys32_rt_sigpending").return ?
+{
name = "sys32_rt_sigpending"
retstr = returnstr(1)
}
@@ -226,8 +248,8 @@ probe syscall.sys32_rt_sigpending.return =
# struct compat_timespec __user *uts,
# compat_size_t sigsetsize)
#
-probe syscall.sys32_rt_sigtimedwait =
- kernel.function("sys32_rt_sigtimedwait") ? {
+probe syscall.sys32_rt_sigtimedwait = kernel.function("sys32_rt_sigtimedwait") ?
+{
name = "sys32_rt_sigtimedwait"
uthese_uaddr = $uthese
uinfo_uaddr = $uinfo
@@ -236,8 +258,8 @@ probe syscall.sys32_rt_sigtimedwait =
argstr = sprintf("%p, %p, %p, %p", uthese_uaddr,
uinfo_uaddr, uts_uaddr, sigsetsize)
}
-probe syscall.sys32_rt_sigtimedwait.return =
- kernel.function("sys32_rt_sigtimedwait").return ? {
+probe syscall.sys32_rt_sigtimedwait.return = kernel.function("sys32_rt_sigtimedwait").return ?
+{
name = "sys32_rt_sigtimedwait"
retstr = returnstr(1)
}
@@ -245,8 +267,8 @@ probe syscall.sys32_rt_sigtimedwait.return =
#
# long sys32_rt_sigqueueinfo(u32 pid, u32 sig, compat_siginfo_t __user *uinfo)
#
-probe syscall.sys32_rt_sigqueueinfo =
- kernel.function("sys32_rt_sigqueueinfo") ? {
+probe syscall.sys32_rt_sigqueueinfo = kernel.function("sys32_rt_sigqueueinfo") ?
+{
name = "sys32_rt_sigqueueinfo"
pid = $pid
sig = $sig
@@ -254,8 +276,8 @@ probe syscall.sys32_rt_sigqueueinfo =
argstr = sprintf("%p, %s, %p", pid, _signal_name($sig),
uinfo_uaddr)
}
-probe syscall.sys32_rt_sigqueueinfo.return =
- kernel.function("sys32_rt_sigqueueinfo").return ? {
+probe syscall.sys32_rt_sigqueueinfo.return = kernel.function("sys32_rt_sigqueueinfo").return ?
+{
name = "sys32_rt_sigqueueinfo"
retstr = returnstr(1)
}
@@ -264,12 +286,13 @@ probe syscall.sys32_rt_sigqueueinfo.return =
# int sys32_sigaltstack(u32 __new, u32 __old, int r5,
# int r6, int r7, int r8, struct pt_regs *regs)
#
-probe syscall.sys32_sigaltstack = kernel.function("sys32_sigaltstack") ? {
+probe syscall.sys32_sigaltstack = kernel.function("sys32_sigaltstack") ?
+{
name = "sys32_sigaltstack"
argstr = "FIXME"
}
-probe syscall.sys32_sigaltstack.return =
- kernel.function("sys32_sigaltstack").return ? {
+probe syscall.sys32_sigaltstack.return = kernel.function("sys32_sigaltstack").return ?
+{
name = "sys32_sigaltstack"
retstr = returnstr(1)
}
@@ -278,7 +301,8 @@ probe syscall.sys32_sigaltstack.return =
# asmlinkage int sys32_sendfile64(int out_fd, int in_fd,
# compat_loff_t __user *offset, s32 count)
#
-probe syscall.sys32_sendfile64 = kernel.function("sys32_sendfile64") ? {
+probe syscall.sys32_sendfile64 = kernel.function("sys32_sendfile64") ?
+{
name = "sys32_sendfile64"
out_fd = $out_fd
in_fd = $in_fd
@@ -287,8 +311,8 @@ probe syscall.sys32_sendfile64 = kernel.function("sys32_sendfile64") ? {
argstr = sprintf("%d, %d, %p, %d", $out_fd, $in_fd, offset_uaddr,
$count)
}
-probe syscall.sys32_sendfile64.return =
- kernel.function("sys32_sendfile64").return ? {
+probe syscall.sys32_sendfile64.return = kernel.function("sys32_sendfile64").return ?
+{
name = "sys32_sendfile64"
retstr = returnstr(1)
}
@@ -298,7 +322,8 @@ probe syscall.sys32_sendfile64.return =
# struct compat_sigevent __user *ev32,
# timer_t __user *timer_id)
#
-probe syscall.ppc32_timer_create = kernel.function("ppc32_timer_create") ? {
+probe syscall.ppc32_timer_create = kernel.function("ppc32_timer_create") ?
+{
name = "ppc32_timer_create"
which_clock = $clock
timer_event_spec = $ev32
@@ -306,8 +331,8 @@ probe syscall.ppc32_timer_create = kernel.function("ppc32_timer_create") ? {
argstr = sprintf("%d, %p, %p", which_clock, timer_event_spec,
created_timer_id)
}
-probe syscall.ppc32_timer_create.return =
- kernel.function("ppc32_timer_create").return ? {
+probe syscall.ppc32_timer_create.return = kernel.function("ppc32_timer_create").return ?
+{
name = "ppc32_timer_create"
retstr = returnstr(1)
}
@@ -317,7 +342,8 @@ probe syscall.ppc32_timer_create.return =
# struct compat_itimerspec __user *new,
# struct compat_itimerspec __user *old)
#
-probe syscall.compat_timer_settime = kernel.function("compat_timer_settime") ? {
+probe syscall.compat_timer_settime = kernel.function("compat_timer_settime") ?
+{
name = "compat_timer_settime"
timer_id = $timer_id
flags = $flags
@@ -326,8 +352,8 @@ probe syscall.compat_timer_settime = kernel.function("compat_timer_settime") ? {
argstr = sprintf("%d, %d, %p, %p", timer_id, flags,
new_setting_uaddr, old_setting_uaddr)
}
-probe syscall.compat_timer_settime.return =
- kernel.function("compat_timer_settime").return ? {
+probe syscall.compat_timer_settime.return = kernel.function("compat_timer_settime").return ?
+{
name = "compat_timer_settime"
retstr = returnstr(1)
}
@@ -336,14 +362,15 @@ probe syscall.compat_timer_settime.return =
# long compat_timer_gettime(timer_t timer_id,
# struct compat_itimerspec __user *setting)
#
-probe syscall.compat_timer_gettime = kernel.function("compat_timer_gettime") ? {
+probe syscall.compat_timer_gettime = kernel.function("compat_timer_gettime") ?
+{
name = "compat_timer_gettime"
timer_id = $timer_id
setting_uaddr = $setting
argstr = sprintf("%d, %p", timer_id, setting_uaddr)
}
-probe syscall.compat_timer_gettime.return =
- kernel.function("compat_timer_gettime").return ? {
+probe syscall.compat_timer_gettime.return = kernel.function("compat_timer_gettime").return ?
+{
name = "compat_timer_gettime"
retstr = returnstr(1)
}
@@ -352,14 +379,15 @@ probe syscall.compat_timer_gettime.return =
# long compat_clock_settime(clockid_t which_clock,
# struct compat_timespec __user *tp)
#
-probe syscall.compat_clock_settime = kernel.function("compat_clock_settime") ? {
+probe syscall.compat_clock_settime = kernel.function("compat_clock_settime") ?
+{
name = "compat_clock_settime"
which_clock = $which_clock
tp_uaddr = $tp
argstr = sprintf("%d, %p", which_clock, tp_uaddr)
}
-probe syscall.compat_clock_settime.return =
- kernel.function("compat_clock_settime").return ? {
+probe syscall.compat_clock_settime.return = kernel.function("compat_clock_settime").return ?
+{
name = "compat_clock_settime"
retstr = returnstr(1)
}
@@ -370,7 +398,8 @@ probe syscall.compat_clock_settime.return =
# int ctx_size, int r6, int r7, int r8,
# struct pt_regs *regs)
#
-probe syscall.sys32_swapcontext = kernel.function("sys32_swapcontext") ? {
+probe syscall.sys32_swapcontext = kernel.function("sys32_swapcontext") ?
+{
name = "sys32_swapcontext"
old_ctx_uaddr = $old_ctx
new_ctx_uaddr = $new_ctx
@@ -382,8 +411,8 @@ probe syscall.sys32_swapcontext = kernel.function("sys32_swapcontext") ? {
argstr = sprintf("%p, %p, %d, %d, %d, %d, %p",
old_ctx_uaddr, new_ctx_uaddr, r5, r6, r7, r8, regs)
}
-probe syscall.sys32_swapcontext.return =
- kernel.function("sys32_swapcontext").return ? {
+probe syscall.sys32_swapcontext.return = kernel.function("sys32_swapcontext").return ?
+{
name = "sys32_swapcontext"
retstr = returnstr(1)
}
@@ -392,14 +421,16 @@ probe syscall.sys32_swapcontext.return =
# asmlinkage long sys32_utimes(char __user *filename,
# struct compat_timeval __user *tvs)
#
-probe syscall.sys32_utimes = kernel.function("sys32_utimes") ? {
+probe syscall.sys32_utimes = kernel.function("sys32_utimes") ?
+{
name = "sys32_utimes"
filename_uaddr = $filename
path = user_string($filename)
tvp_uaddr = $tvs
argstr = sprintf("%s, %p", user_string_quoted($filename), tvp_uaddr)
}
-probe syscall.sys32_utimes.return = kernel.function("sys32_utimes").return ? {
+probe syscall.sys32_utimes.return = kernel.function("sys32_utimes").return ?
+{
name = "sys32_utimes"
retstr = returnstr(1)
}
@@ -409,7 +440,8 @@ probe syscall.sys32_utimes.return = kernel.function("sys32_utimes").return ? {
# compat_ulong_t mode, compat_ulong_t __user *nmask,
# compat_ulong_t maxnode, compat_ulong_t flags)
#
-probe syscall.compat_mbind = kernel.function("compat_mbind") ? {
+probe syscall.compat_mbind = kernel.function("compat_mbind") ?
+{
name = "compat_mbind"
start_uaddr = $start
len = $len
@@ -420,7 +452,8 @@ probe syscall.compat_mbind = kernel.function("compat_mbind") ? {
argstr = sprintf("%p, %d, %d, %p, %d, %d", start_uaddr, len,
policy, nodemask_uaddr, maxnode, flags)
}
-probe syscall.compat_mbind.return = kernel.function("compat_mbind").return ? {
+probe syscall.compat_mbind.return = kernel.function("compat_mbind").return ?
+{
name = "compat_mbind"
retstr = returnstr(1)
}
@@ -431,7 +464,8 @@ probe syscall.compat_mbind.return = kernel.function("compat_mbind").return ? {
# compat_ulong_t maxnode,
# compat_ulong_t addr, compat_ulong_t flags)
#
-probe syscall.compat_get_mempolicy = kernel.function("compat_get_mempolicy") ? {
+probe syscall.compat_get_mempolicy = kernel.function("compat_get_mempolicy") ?
+{
name = "compat_get_mempolicy"
policy_uaddr = $policy
nmask_uaddr = $nmask
@@ -441,8 +475,8 @@ probe syscall.compat_get_mempolicy = kernel.function("compat_get_mempolicy") ? {
argstr = sprintf("%p, %p, %d, %d", policy_uaddr, nmask_uaddr,
maxnode, addr)
}
-probe syscall.compat_get_mempolicy.return =
- kernel.function("compat_get_mempolicy").return ? {
+probe syscall.compat_get_mempolicy.return = kernel.function("compat_get_mempolicy").return ?
+{
name = "compat_get_mempolicy"
retstr = returnstr(1)
}
@@ -451,15 +485,16 @@ probe syscall.compat_get_mempolicy.return =
# asmlinkage long compat_set_mempolicy(int mode, compat_ulong_t __user *nmask,
# compat_ulong_t maxnode)
#
-probe syscall.compat_set_mempolicy = kernel.function("compat_set_mempolicy") ? {
+probe syscall.compat_set_mempolicy = kernel.function("compat_set_mempolicy") ?
+{
name = "compat_set_mempolicy"
policy = $mode
nodemask_uaddr = $nmask
maxnode = $maxnode
argstr = sprintf("%d, %p, %d", policy, nodemask_uaddr, maxnode)
}
-probe syscall.compat_set_mempolicy.return =
- kernel.function("compat_set_mempolicy").return ? {
+probe syscall.compat_set_mempolicy.return = kernel.function("compat_set_mempolicy").return ?
+{
name = "compat_set_mempolicy"
retstr = returnstr(1)
}
@@ -469,7 +504,8 @@ probe syscall.compat_set_mempolicy.return =
# unsigned long prot, unsigned long flags,
# unsigned long fd, off_t offset)
#
-probe syscall.mmap = kernel.function("sys_mmap") ? {
+probe syscall.mmap = kernel.function("sys_mmap") ?
+{
name = "mmap"
start = $addr
len = $len
@@ -481,7 +517,8 @@ probe syscall.mmap = kernel.function("sys_mmap") ? {
_mprotect_prot_str($prot), _mmap_flags($flags), $fd, $offset)
}
-probe syscall.mmap.return = kernel.function("sys_mmap").return ? {
+probe syscall.mmap.return = kernel.function("sys_mmap").return ?
+{
name = "mmap"
retstr = returnstr(2)
}
@@ -494,9 +531,8 @@ probe syscall.mmap.return = kernel.function("sys_mmap").return ? {
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long pgoff)
#
-probe syscall.mmap2 =
- kernel.function("sys_mmap2") ?,
- kernel.function("compat_sys_mmap2") ?
+probe syscall.mmap2 = kernel.function("sys_mmap2") ?,
+ kernel.function("compat_sys_mmap2") ?
{
name = "mmap2"
start = $addr
@@ -505,13 +541,12 @@ probe syscall.mmap2 =
flags = $flags
fd = $fd
pgoffset = $pgoff
- argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
$len, _mprotect_prot_str($prot), _mmap_flags($flags),
$fd, $pgoff)
}
-probe syscall.mmap2.return =
- kernel.function("sys_mmap2").return ?,
- kernel.function("compat_sys_mmap2").return ?
+probe syscall.mmap2.return = kernel.function("sys_mmap2").return ?,
+ kernel.function("compat_sys_mmap2").return ?
{
name = "mmap2"
retstr = returnstr(2)
@@ -521,14 +556,15 @@ probe syscall.mmap2.return =
#
# long ppc64_sys_stime(long __user * tptr)
#
-probe syscall.ppc64_sys_stime = kernel.function("ppc64_sys_stime") ? {
+probe syscall.ppc64_sys_stime = kernel.function("ppc64_sys_stime") ?
+{
name = "ppc64_sys_stime"
/* FIXME */
t_uaddr = $tptr
argstr = sprintf("%p", t_uaddr)
}
-probe syscall.ppc64_sys_stime.return =
- kernel.function("ppc64_sys_stime").return ? {
+probe syscall.ppc64_sys_stime.return = kernel.function("ppc64_sys_stime").return ?
+{
name = "ppc64_sys_stime"
retstr = returnstr(1)
}
@@ -536,16 +572,18 @@ probe syscall.ppc64_sys_stime.return =
#
# asmlinkage int ppc64_newuname(struct new_utsname __user * name)
#
-probe syscall.ppc64_newuname = kernel.function("ppc64_newuname") ? {
+probe syscall.ppc64_newuname = kernel.function("ppc64_newuname") ?
+{
name = "ppc64_newuname"
name_uaddr = $name
argstr = sprintf("%p", name_uaddr)
}
-probe syscall.ppc64_newuname.return = kernel.function("ppc64_newuname").return ? {
+probe syscall.ppc64_newuname.return = kernel.function("ppc64_newuname").return ?
+{
name = "ppc64_newuname"
retstr = returnstr(1)
}
#
-#
+#
diff --git a/tapset/s390x/nd_syscalls.stp b/tapset/s390x/nd_syscalls.stp
new file mode 100644
index 00000000..63435265
--- /dev/null
+++ b/tapset/s390x/nd_syscalls.stp
@@ -0,0 +1,187 @@
+# S390-specific system calls
+
+%(arch == "s390x" %?
+
+# getresgid __________________________________________________
+# long sys32_getresgid16(u16 __user *rgid, u16 __user *egid, u16 __user *sgid)
+#
+probe nd_syscall.getresgid16 = kprobe.function("sys32_getresgid16") ?
+{
+ name = "getresgid"
+ // argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+ asmlinkage()
+ argstr = sprintf("%p, %p, %p", pointer_arg(1), pointer_arg(2), pointer_arg(3))
+}
+probe nd_syscall.getresgid16.return = kprobe.function("sys32_getresgid16").return ?
+{
+ name = "getresgid"
+ retstr = returnstr(1)
+}
+
+# getresuid __________________________________________________
+# long sys32_getresuid16(u16 __user *ruid, u16 __user *euid, u16 __user *suid)
+#
+probe nd_syscall.getresuid16 = kprobe.function("sys32_getresuid16") ?
+{
+ name = "getresuid"
+ // argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+ asmlinkage()
+ argstr = sprintf("%p, %p, %p", pointer_arg(1), pointer_arg(2), pointer_arg(3))
+}
+probe nd_syscall.getresuid16.return = kprobe.function("sys32_getresuid16").return ?
+{
+ name = "getresuid"
+ retstr = returnstr(1)
+}
+
+# ipc _________________________________________________
+# long sys32_ipc(u32 call, int first, int second, int third, u32 ptr)
+#
+probe nd_syscall.ipc = kprobe.function("sys32_ipc") ?
+{
+ name = "ipc"
+ // argstr = sprintf("%d, %d, %d, %d, %p", $call, $first, $second, $third, $ptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %d, %p", uint_arg(1), int_arg(2), int_arg(3), int_arg(4), uint_arg(5))
+}
+probe nd_syscall.ipc.return = kprobe.function("sys_ipc").return ?
+{
+ name = "ipc"
+ retstr = returnstr(1)
+}
+
+# mmap _________________________________________________
+# long old_mmap(struct mmap_arg_struct __user *arg)
+# long old32_mmap(struct mmap_arg_struct_emu31 __user *arg)
+#
+probe nd_syscall.mmap = kprobe.function("old_mmap") ?,
+ kprobe.function("old32_mmap") ?,
+ kprobe.function("SyS_s390_old_mmap") ?
+{
+ name = "mmap"
+
+ // if ((probefunc() == "old_mmap") || (probefunc() == "SyS_s390_old_mmap"))
+ // argstr = get_mmap_args($arg)
+ // else
+ // argstr = get_32mmap_args($arg)
+
+ asmlinkage()
+ if ((probefunc() == "old_mmap") || (probefunc() == "SyS_s390_old_mmap"))
+ argstr = get_mmap_args(pointer_arg(1))
+ else
+ argstr = get_32mmap_args(pointer_arg(1))
+}
+probe nd_syscall.mmap.return = kprobe.function("old_mmap").return ?,
+ kprobe.function("old32_mmap").return ?,
+ kprobe.function("SyS_s390_old_mmap").return ?
+{
+ name = "mmap"
+ retstr = returnstr(2)
+}
+
+# mmap2 _________________________________________________
+#
+# long sys_mmap2(struct mmap_arg_struct __user *arg)
+# long sys32_mmap2(struct mmap_arg_struct_emu31 __user *arg)
+#
+probe nd_syscall.mmap2 = kprobe.function("sys_mmap2") ?,
+ kprobe.function("sys32_mmap2") ?,
+ kprobe.function("SyS_mmap2") ?
+{
+ name = "mmap2"
+
+ // if ((probefunc() == "sys_mmap2") || (probefunc() == "SyS_mmap2"))
+ // argstr = get_mmap_args($arg)
+ // else
+ // argstr = get_32mmap_args($arg)
+
+ asmlinkage()
+ if ((probefunc() == "sys_mmap2") || (probefunc() == "SyS_mmap2"))
+ argstr = get_mmap_args(pointer_arg(1))
+ else
+ argstr = get_32mmap_args(pointer_arg(1))
+}
+
+probe nd_syscall.mmap2.return = kprobe.function("sys_mmap2").return ?,
+ kprobe.function("sys32_mmap2").return ?,
+ kprobe.function("SyS_mmap2").return ?
+{
+ name = "mmap2"
+ retstr = returnstr(2)
+}
+
+# sysctl _____________________________________________________
+#
+# long sys32_sysctl(struct __sysctl_args32 __user *args)
+#
+probe nd_syscall.sysctl32 = kprobe.function("sys32_sysctl") ?
+{
+ name = "sysctl"
+ // argstr = sprintf("%p", $args)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sysctl32.return = kprobe.function("sys32_sysctl").return ?
+{
+ name = "sysctl"
+ retstr = returnstr(1)
+}
+
+/* compat */
+function get_32mmap_args:string (args:long)
+%{ /* pure */
+ struct mmap_arg_struct_emu31 {
+ u32 addr;
+ u32 len;
+ u32 prot;
+ u32 flags;
+ u32 fd;
+ u32 offset;
+ }a;
+
+
+ char proto[60];
+ char flags[256];
+
+ if(_stp_copy_from_user((char *)&a,
+ (char *)THIS->args, sizeof(a))== 0){
+
+ /* _mprotect_prot_str */
+ proto[0] = '\0';
+ if(a.prot){
+ if(a.prot & 1) strcat (proto, "PROT_READ|");
+ if(a.prot & 2) strcat (proto, "PROT_WRITE|");
+ if(a.prot & 4) strcat (proto, "PROT_EXEC|");
+ } else {
+ strcat (proto, "PROT_NONE");
+ }
+ if (proto[0] != '\0') proto[strlen(proto)-1] = '\0';
+
+ /* _mmap_flags */
+ flags[0]='\0';
+ if (a.flags & 1) strcat (flags, "MAP_SHARED|");
+ if (a.flags & 2) strcat (flags, "MAP_PRIVATE|");
+ if (a.flags & 0x10) strcat (flags, "MAP_FIXED|");
+ if (a.flags & 0x20) strcat (flags, "MAP_ANONYMOUS|");
+ if (a.flags & 0x100) strcat (flags, "MAP_GROWSDOWN|");
+ if (a.flags & 0x800) strcat (flags, "MAP_DENYWRITE|");
+ if (a.flags & 0x1000) strcat (flags, "MAP_EXECUTABLE|");
+ if (a.flags & 0x2000) strcat (flags, "MAP_LOCKED|");
+ if (a.flags & 0x4000) strcat (flags, "MAP_NORESERVE|");
+ if (a.flags & 0x8000) strcat (flags, "MAP_POPULATE|");
+ if (a.flags & 0x10000) strcat (flags, "MAP_NONBLOCK|");
+ if (flags[0] != '\0') flags[strlen(flags)-1] = '\0';
+
+ sprintf(THIS->__retvalue,"0x%x, %d, %s, %s, %d, %d",
+ a.addr,
+ a.len,
+ proto,
+ flags,
+ a.fd,
+ a.offset);
+ }else{
+ strlcpy (THIS->__retvalue, "UNKNOWN", MAXSTRINGLEN);
+ }
+%}
+
+%)
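Review bot: The `sprintf` into `THIS->__retvalue` at the end of `get_32mmap_args` is unbounded, while `a.prot` and `a.flags` are copied straight from user memory by `_stp_copy_from_user`. With every decoded flag bit set, the flags string alone is about 140 characters, so the formatted result can overrun the return buffer if MAXSTRINGLEN (the size the `else` branch passes to `strlcpy`) is smaller than that; its value is not visible in this hunk. Bound the write the same way the fallback does: `snprintf(THIS->__retvalue, MAXSTRINGLEN, "0x%x, %d, %s, %s, %d, %d", ...)`. Separately, when `a.prot` is 0 the code appends `"PROT_NONE"` with no trailing `|`, yet the next line still strips the last character and yields `PROT_NON`; moving `if (proto[0] != '\0') proto[strlen(proto)-1] = '\0';` inside the `if(a.prot)` branch fixes that. The `u32` fields are also printed with `%d`, so `%u` would keep large lengths and offsets from showing as negative in the trace output.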
diff --git a/tapset/s390x/registers.stp b/tapset/s390x/registers.stp
index 37218d14..79482b73 100644
--- a/tapset/s390x/registers.stp
+++ b/tapset/s390x/registers.stp
@@ -210,11 +210,9 @@ function u64_arg:long (argnum:long) {
return ulonglong_arg(argnum)
}
-function asmlinkage() {
-}
+function asmlinkage() %{ /* pure */ %}
-function fastcall() {
-}
+function fastcall() %{ /* pure */ %}
function regparm() %{
snprintf(CONTEXT->error_buffer, sizeof(CONTEXT->error_buffer),
diff --git a/tapset/s390x/syscalls.stp b/tapset/s390x/syscalls.stp
index 17988ace..94e07adf 100644
--- a/tapset/s390x/syscalls.stp
+++ b/tapset/s390x/syscalls.stp
@@ -32,11 +32,13 @@ probe syscall.getresuid16.return = kernel.function("sys32_getresuid16").return ?
# ipc _________________________________________________
# long sys32_ipc(u32 call, int first, int second, int third, u32 ptr)
#
-probe syscall.ipc = kernel.function("sys32_ipc") ? {
+probe syscall.ipc = kernel.function("sys32_ipc") ?
+{
name = "ipc"
argstr = sprintf("%d, %d, %d, %d, %p", $call, $first, $second, $third, $ptr)
}
-probe syscall.ipc.return = kernel.function("sys_ipc").return ? {
+probe syscall.ipc.return = kernel.function("sys_ipc").return ?
+{
name = "ipc"
retstr = returnstr(1)
}
@@ -46,8 +48,8 @@ probe syscall.ipc.return = kernel.function("sys_ipc").return ? {
# long old32_mmap(struct mmap_arg_struct_emu31 __user *arg)
#
probe syscall.mmap = kernel.function("old_mmap") ?,
- kernel.function("old32_mmap") ?,
- kernel.function("SyS_s390_old_mmap") ?
+ kernel.function("old32_mmap") ?,
+ kernel.function("SyS_s390_old_mmap") ?
{
name = "mmap"
@@ -58,8 +60,8 @@ probe syscall.mmap = kernel.function("old_mmap") ?,
}
probe syscall.mmap.return = kernel.function("old_mmap").return ?,
- kernel.function("old32_mmap").return ?,
- kernel.function("SyS_s390_old_mmap").return ?
+ kernel.function("old32_mmap").return ?,
+ kernel.function("SyS_s390_old_mmap").return ?
{
name = "mmap"
retstr = returnstr(2)
@@ -72,8 +74,8 @@ probe syscall.mmap.return = kernel.function("old_mmap").return ?,
# long sys32_mmap2(struct mmap_arg_struct_emu31 __user *arg)
#
probe syscall.mmap2 = kernel.function("sys_mmap2") ?,
- kernel.function("sys32_mmap2") ?,
- kernel.function("SyS_mmap2") ?
+ kernel.function("sys32_mmap2") ?,
+ kernel.function("SyS_mmap2") ?
{
name = "mmap2"
@@ -84,8 +86,8 @@ probe syscall.mmap2 = kernel.function("sys_mmap2") ?,
}
probe syscall.mmap2.return = kernel.function("sys_mmap2").return ?,
- kernel.function("sys32_mmap2").return ?,
- kernel.function("SyS_mmap2").return ?
+ kernel.function("sys32_mmap2").return ?,
+ kernel.function("SyS_mmap2").return ?
{
name = "mmap2"
retstr = returnstr(2)
@@ -95,11 +97,13 @@ probe syscall.mmap2.return = kernel.function("sys_mmap2").return ?,
#
# long sys32_sysctl(struct __sysctl_args32 __user *args)
#
-probe syscall.sysctl32 = kernel.function("sys32_sysctl") ? {
+probe syscall.sysctl32 = kernel.function("sys32_sysctl") ?
+{
name = "sysctl"
argstr = sprintf("%p", $args)
}
-probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ? {
+probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ?
+{
name = "sysctl"
retstr = returnstr(1)
}
diff --git a/tapset/syscalls.stp b/tapset/syscalls.stp
index a215dc12..0886deeb 100644
--- a/tapset/syscalls.stp
+++ b/tapset/syscalls.stp
@@ -21,7 +21,7 @@
* braces are decoded structs.
*
* retstr - a string containing the return value in an easy-to-read format.
-* Set in return probes only.
+* Set in return probes only.
*/
@@ -29,7 +29,8 @@
# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
# int __user *upeer_addrlen)
probe syscall.accept = kernel.function("SyS_accept") !,
- kernel.function("sys_accept") ? {
+ kernel.function("sys_accept") ?
+{
name = "accept"
sockfd = $fd
addr_uaddr = $upeer_sockaddr
@@ -37,7 +38,8 @@ probe syscall.accept = kernel.function("SyS_accept") !,
argstr = sprintf("%d, %p, %p", $fd, $upeer_sockaddr, $upeer_addrlen)
}
probe syscall.accept.return = kernel.function("SyS_accept").return !,
- kernel.function("sys_accept").return ? {
+ kernel.function("sys_accept").return ?
+{
name = "accept"
retstr = returnstr(1)
}
@@ -45,7 +47,8 @@ probe syscall.accept.return = kernel.function("SyS_accept").return !,
# access _____________________________________________________
# long sys_access(const char __user * filename, int mode)
probe syscall.access = kernel.function("SyS_access") !,
- kernel.function("sys_access") {
+ kernel.function("sys_access")
+{
name = "access"
pathname = user_string($filename)
mode = $mode
@@ -53,19 +56,22 @@ probe syscall.access = kernel.function("SyS_access") !,
argstr = sprintf("%s, %s", user_string_quoted($filename), mode_str)
}
probe syscall.access.return = kernel.function("SyS_access").return !,
- kernel.function("sys_access").return {
+ kernel.function("sys_access").return
+{
name = "access"
retstr = returnstr(1)
}
# acct _______________________________________________________
# long sys_acct(const char __user *name)
-probe syscall.acct = kernel.function("sys_acct") ? {
+probe syscall.acct = kernel.function("sys_acct") ?
+{
name = "acct"
- filename = user_string($name)
+ filename = user_string($name)
argstr = user_string_quoted($name)
}
-probe syscall.acct.return = kernel.function("sys_acct").return ? {
+probe syscall.acct.return = kernel.function("sys_acct").return ?
+{
name = "acct"
retstr = returnstr(1)
}
@@ -78,21 +84,23 @@ probe syscall.acct.return = kernel.function("sys_acct").return ? {
# key_serial_t ringid)
#
probe syscall.add_key = kernel.function("SyS_add_key") !,
- kernel.function("sys_add_key") ? {
+ kernel.function("sys_add_key") ?
+{
name = "add_key"
type_uaddr = $_type
description_auddr = $_description
payload_uaddr = $_payload
plen = $plen
ringid = $ringid
- argstr = sprintf("%s, %s, %s, %d, %d",
- user_string_quoted($_type),
- user_string_quoted($_description),
- text_strn(user_string($_payload),syscall_string_trunc,1),
- $plen, $ringid)
+ argstr = sprintf("%s, %s, %s, %d, %d",
+ user_string_quoted($_type),
+ user_string_quoted($_description),
+ text_strn(user_string($_payload), syscall_string_trunc, 1),
+ $plen, $ringid)
}
probe syscall.add_key.return = kernel.function("SyS_add_key").return !,
- kernel.function("sys_add_key").return ? {
+ kernel.function("sys_add_key").return ?
+{
name = "add_key"
retstr = returnstr(1)
}
@@ -100,35 +108,39 @@ probe syscall.add_key.return = kernel.function("SyS_add_key").return !,
# adjtimex ___________________________________________________
# long sys_adjtimex(struct timex __user *txc_p)
probe syscall.adjtimex = kernel.function("SyS_adjtimex") !,
- kernel.function("sys_adjtimex") {
+ kernel.function("sys_adjtimex")
+{
name = "adjtimex"
-
+
/*
- * buf_offset = __uget_timex_m($txc_p,1)
- * buf_freq = __uget_timex_m($txc_p,2)
- * buf_maxerror = __uget_timex_m($txc_p,3)
- * buf_esterror = __uget_timex_m($txc_p,4)
- * buf_status = __uget_timex_m($txc_p,5)
- * buf_constant = __uget_timex_m($txc_p,6)
- * buf_precision = __uget_timex_m($txc_p,7)
- * buf_tolerance = __uget_timex_m($txc_p,8)
- * buf_time_tv_sec = __uget_timex_m($txc_p,9)
- * buf_time_tv_usec = __uget_timex_m($txc_p,10)
- * buf_tick = __uget_timex_m($txc_p,11)
+ * buf_offset = __uget_timex_m($txc_p, 1)
+ * buf_freq = __uget_timex_m($txc_p, 2)
+ * buf_maxerror = __uget_timex_m($txc_p, 3)
+ * buf_esterror = __uget_timex_m($txc_p, 4)
+ * buf_status = __uget_timex_m($txc_p, 5)
+ * buf_constant = __uget_timex_m($txc_p, 6)
+ * buf_precision = __uget_timex_m($txc_p, 7)
+ * buf_tolerance = __uget_timex_m($txc_p, 8)
+ * buf_time_tv_sec = __uget_timex_m($txc_p, 9)
+ * buf_time_tv_usec = __uget_timex_m($txc_p, 10)
+ * buf_tick = __uget_timex_m($txc_p, 11)
*/
argstr = sprintf("%p", $txc_p)
}
probe syscall.adjtimex.return = kernel.function("SyS_adjtimex").return !,
- kernel.function("sys_adjtimex").return {
+ kernel.function("sys_adjtimex").return
+{
name = "adjtimex"
retstr = _adjtimex_return_str($return)
}
# long compat_sys_adjtimex(struct compat_timex __user *utp)
-probe syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? {
+probe syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ?
+{
name = "compat_adjtimex"
argstr = sprintf("%p", $utp)
}
-probe syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? {
+probe syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ?
+{
name = "compat_adjtimex"
retstr = returnstr(1)
}
@@ -137,39 +149,39 @@ probe syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").re
# unsigned long sys_alarm (unsigned int seconds)
# long sys32_alarm(unsigned int seconds)
#
-probe syscall.alarm =
- kernel.function("sys32_alarm") ?,
- kernel.function("SyS_alarm") !,
- kernel.function("sys_alarm") ?
+probe syscall.alarm = kernel.function("sys32_alarm") ?,
+ kernel.function("SyS_alarm") !,
+ kernel.function("sys_alarm") ?
{
name = "alarm"
seconds = $seconds
argstr = sprint($seconds)
}
-probe syscall.alarm.return =
- kernel.function("sys32_alarm").return ?,
- kernel.function("SyS_alarm").return !,
- kernel.function("sys_alarm").return ?
+probe syscall.alarm.return = kernel.function("sys32_alarm").return ?,
+ kernel.function("SyS_alarm").return !,
+ kernel.function("sys_alarm").return ?
{
name = "alarm"
retstr = returnstr(1)
}
# bdflush ____________________________________________________
-# long sys_bdflush(int func,long data)
+# long sys_bdflush(int func, long data)
probe syscall.bdflush = kernel.function("SyS_bdflush") !,
- kernel.function("sys_bdflush") ? {
+ kernel.function("sys_bdflush") ?
+{
name = "bdflush"
func = $func
data = $data
- if (($func>=2)&&($func%2==0))
- data_str = sprintf("%p", $data)
- else
- data_str = sprintf("%d", $data)
- argstr = sprintf("%d, %s",func, data_str)
+ if (($func >= 2) && ($func % 2 == 0))
+ data_str = sprintf("%p", $data)
+ else
+ data_str = sprintf("%d", $data)
+ argstr = sprintf("%d, %s", func, data_str)
}
probe syscall.bdflush.return = kernel.function("SyS_bdflush").return !,
- kernel.function("sys_bdflush").return ? {
+ kernel.function("sys_bdflush").return ?
+{
name = "bdflush"
retstr = returnstr(1)
}
@@ -177,34 +189,34 @@ probe syscall.bdflush.return = kernel.function("SyS_bdflush").return !,
# bind _______________________________________________________
# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
probe syscall.bind = kernel.function("SyS_bind") !,
- kernel.function("sys_bind") ? {
+ kernel.function("sys_bind") ?
+{
name = "bind"
sockfd = $fd
my_addr_uaddr = $umyaddr
addrlen = $addrlen
- argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
+ argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
}
probe syscall.bind.return = kernel.function("SyS_bind").return !,
- kernel.function("sys_bind").return ? {
+ kernel.function("sys_bind").return ?
+{
name = "bind"
retstr = returnstr(1)
}
# brk ________________________________________________________
# unsigned long sys_brk(unsigned long brk)
-probe syscall.brk =
- kernel.function("ia64_brk") ?,
- kernel.function("SyS_brk") !,
- kernel.function("sys_brk")
+probe syscall.brk = kernel.function("ia64_brk") ?,
+ kernel.function("SyS_brk") !,
+ kernel.function("sys_brk")
{
name = "brk"
brk = $brk
argstr = sprintf("%p", brk)
}
-probe syscall.brk.return =
- kernel.function("ia64_brk").return ?,
- kernel.function("SyS_brk").return !,
- kernel.function("sys_brk").return
+probe syscall.brk.return = kernel.function("ia64_brk").return ?,
+ kernel.function("SyS_brk").return !,
+ kernel.function("sys_brk").return
{
name = "brk"
retstr = returnstr(1)
@@ -224,14 +236,16 @@ probe syscall.brk.return =
*/
# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
probe syscall.capget = kernel.function("SyS_capget") !,
- kernel.function("sys_capget") {
+ kernel.function("sys_capget")
+{
name = "capget"
header_uaddr = $header
data_uaddr = $dataptr
argstr = sprintf("%p, %p", $header, $dataptr)
}
probe syscall.capget.return = kernel.function("SyS_capget").return !,
- kernel.function("sys_capget").return {
+ kernel.function("sys_capget").return
+{
name = "capget"
retstr = returnstr(1)
}
@@ -249,14 +263,16 @@ probe syscall.capget.return = kernel.function("SyS_capget").return !,
*/
# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
probe syscall.capset = kernel.function("SyS_capset") !,
- kernel.function("sys_capset") {
+ kernel.function("sys_capset")
+{
name = "capset"
header_uaddr = $header
data_uaddr = $data
argstr = sprintf("%p, %p", $header, $data)
}
probe syscall.capset.return = kernel.function("SyS_capset").return !,
- kernel.function("sys_capset").return {
+ kernel.function("sys_capset").return
+{
name = "capset"
retstr = returnstr(1)
}
@@ -264,13 +280,15 @@ probe syscall.capset.return = kernel.function("SyS_capset").return !,
# chdir ______________________________________________________
# long sys_chdir(const char __user * filename)
probe syscall.chdir = kernel.function("SyS_chdir") !,
- kernel.function("sys_chdir") {
+ kernel.function("sys_chdir")
+{
name = "chdir"
path = user_string($filename)
argstr = user_string_quoted($filename)
}
probe syscall.chdir.return = kernel.function("SyS_chdir").return !,
- kernel.function("sys_chdir").return {
+ kernel.function("sys_chdir").return
+{
name = "chdir"
retstr = returnstr(1)
}
@@ -278,14 +296,16 @@ probe syscall.chdir.return = kernel.function("SyS_chdir").return !,
# chmod ______________________________________________________
# long sys_chmod(const char __user * filename, mode_t mode)
probe syscall.chmod = kernel.function("SyS_chmod") !,
- kernel.function("sys_chmod") {
+ kernel.function("sys_chmod")
+{
name = "chmod"
path = user_string($filename)
mode = $mode
argstr = sprintf("%s, %#o", user_string_quoted($filename), mode)
}
probe syscall.chmod.return = kernel.function("SyS_chmod").return !,
- kernel.function("sys_chmod").return {
+ kernel.function("sys_chmod").return
+{
name = "chmod"
retstr = returnstr(1)
}
@@ -293,30 +313,34 @@ probe syscall.chmod.return = kernel.function("SyS_chmod").return !,
# chown ______________________________________________________
# long sys_chown(const char __user * filename, uid_t user, gid_t group)
probe syscall.chown = kernel.function("SyS_chown") !,
- kernel.function("sys_chown") {
+ kernel.function("sys_chown")
+{
name = "chown"
path = user_string($filename)
owner = __int32($user)
group = __int32($group)
- argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+ argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
}
probe syscall.chown.return = kernel.function("SyS_chown").return !,
- kernel.function("sys_chown").return {
+ kernel.function("sys_chown").return
+{
name = "chown"
retstr = returnstr(1)
}
# chown16 ___________________________________________________
-# long sys_chown16(const char __user * filename, old_uid_t user,
+# long sys_chown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe syscall.chown16 = kernel.function("sys_chown16") ? {
+probe syscall.chown16 = kernel.function("sys_chown16") ?
+{
name = "chown16"
path = user_string($filename)
owner = __short($user)
group = __short($group)
argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
}
-probe syscall.chown16.return = kernel.function("sys_chown16").return ? {
+probe syscall.chown16.return = kernel.function("sys_chown16").return ?
+{
name = "chown16"
retstr = returnstr(1)
}
@@ -324,13 +348,15 @@ probe syscall.chown16.return = kernel.function("sys_chown16").return ? {
# chroot _____________________________________________________
# long sys_chroot(const char __user * filename)
probe syscall.chroot = kernel.function("SyS_chroot") !,
- kernel.function("sys_chroot") {
+ kernel.function("sys_chroot")
+{
name = "chroot"
path = user_string($filename)
argstr = user_string_quoted($filename)
}
probe syscall.chroot.return = kernel.function("SyS_chroot").return !,
- kernel.function("sys_chroot").return {
+ kernel.function("sys_chroot").return
+{
name = "chroot"
retstr = returnstr(1)
}
@@ -338,11 +364,10 @@ probe syscall.chroot.return = kernel.function("SyS_chroot").return !,
# clock_getres _______________________________________________
# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
# long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
-#
-probe syscall.clock_getres =
- kernel.function("compat_clock_getres") ?,
- kernel.function("SyS_clock_getres") !,
- kernel.function("sys_clock_getres")
+#
+probe syscall.clock_getres = kernel.function("compat_clock_getres") ?,
+ kernel.function("SyS_clock_getres") !,
+ kernel.function("sys_clock_getres")
{
name = "clock_getres"
clk_id = $which_clock
@@ -350,10 +375,9 @@ probe syscall.clock_getres =
res_uaddr = $tp
argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
}
-probe syscall.clock_getres.return =
- kernel.function("compat_clock_getres").return ?,
- kernel.function("SyS_clock_getres").return !,
- kernel.function("sys_clock_getres").return
+probe syscall.clock_getres.return = kernel.function("compat_clock_getres").return ?,
+ kernel.function("SyS_clock_getres").return !,
+ kernel.function("sys_clock_getres").return
{
name = "clock_getres"
retstr = returnstr(1)
@@ -362,18 +386,16 @@ probe syscall.clock_getres.return =
# clock_gettime ______________________________________________
# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
#
-probe syscall.clock_gettime =
- kernel.function("SyS_clock_gettime") !,
- kernel.function("sys_clock_gettime")
+probe syscall.clock_gettime = kernel.function("SyS_clock_gettime") !,
+ kernel.function("sys_clock_gettime")
{
name = "clock_gettime"
clk_id = $which_clock
clk_id_str = _get_wc_str($which_clock)
argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
}
-probe syscall.clock_gettime.return =
- kernel.function("SyS_clock_gettime").return !,
- kernel.function("sys_clock_gettime").return
+probe syscall.clock_gettime.return = kernel.function("SyS_clock_gettime").return !,
+ kernel.function("sys_clock_gettime").return
{
name = "clock_gettime"
retstr = returnstr(1)
@@ -386,18 +408,19 @@ probe syscall.clock_gettime.return =
# struct timespec __user *rmtp)
#
probe syscall.clock_nanosleep = kernel.function("SyS_clock_nanosleep") !,
- kernel.function("sys_clock_nanosleep") {
+ kernel.function("sys_clock_nanosleep")
+{
name = "clock_nanosleep"
if ($flags == 1)
flag_str = "TIMER_ABSTIME"
else
flag_str = sprintf("0x%x", $flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- _struct_timespec_u($rqtp,1), $rmtp)
+ _struct_timespec_u($rqtp, 1), $rmtp)
}
-probe syscall.clock_nanosleep.return =
- kernel.function("SyS_clock_nanosleep").return !,
- kernel.function("sys_clock_nanosleep").return {
+probe syscall.clock_nanosleep.return = kernel.function("SyS_clock_nanosleep").return !,
+ kernel.function("sys_clock_nanosleep").return
+{
name = "clock_nanosleep"
retstr = returnstr(1)
}
@@ -407,9 +430,8 @@ probe syscall.clock_nanosleep.return =
# struct compat_timespec __user *rqtp,
# struct compat_timespec __user *rmtp)
#
-probe syscall.compat_clock_nanosleep =
- kernel.function("compat_clock_nanosleep") ?,
- kernel.function("compat_sys_clock_nanosleep") ?
+probe syscall.compat_clock_nanosleep = kernel.function("compat_clock_nanosleep") ?,
+ kernel.function("compat_sys_clock_nanosleep") ?
{
name = "compat_clock_nanosleep"
if ($flags == 1)
@@ -417,11 +439,10 @@ probe syscall.compat_clock_nanosleep =
else
flag_str = sprintf("0x%x", $flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- _struct_compat_timespec_u($rqtp,1), $rmtp)
+ _struct_compat_timespec_u($rqtp, 1), $rmtp)
}
-probe syscall.compat_clock_nanosleep.return =
- kernel.function("compat_clock_nanosleep").return ?,
- kernel.function("compat_sys_clock_nanosleep").return ?
+probe syscall.compat_clock_nanosleep.return = kernel.function("compat_clock_nanosleep").return ?,
+ kernel.function("compat_sys_clock_nanosleep").return ?
{
name = "compat_clock_nanosleep"
retstr = returnstr(1)
@@ -432,15 +453,17 @@ probe syscall.compat_clock_nanosleep.return =
# const struct timespec __user *tp)
#
probe syscall.clock_settime = kernel.function("SyS_clock_settime") !,
- kernel.function("sys_clock_settime") {
+ kernel.function("sys_clock_settime")
+{
name = "clock_settime"
clk_id = $which_clock
clk_id_str = _get_wc_str($which_clock)
tp_uaddr = $tp
- argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1))
+ argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
}
probe syscall.clock_settime.return = kernel.function("SyS_clock_settime").return !,
- kernel.function("sys_clock_settime").return {
+ kernel.function("sys_clock_settime").return
+{
name = "clock_settime"
retstr = returnstr(1)
}
@@ -448,28 +471,32 @@ probe syscall.clock_settime.return = kernel.function("SyS_clock_settime").return
# close ______________________________________________________
# long sys_close(unsigned int fd)
probe syscall.close = kernel.function("SyS_close") !,
- kernel.function("sys_close") {
+ kernel.function("sys_close")
+{
name = "close"
fd = $fd
argstr = sprint(fd)
}
probe syscall.close.return = kernel.function("SyS_close").return !,
- kernel.function("sys_close").return {
+ kernel.function("sys_close").return
+{
name = "close"
retstr = returnstr(1)
}
# connect ____________________________________________________
# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
probe syscall.connect = kernel.function("SyS_connect") !,
- kernel.function("sys_connect") ? {
+ kernel.function("sys_connect") ?
+{
name = "connect"
sockfd = $fd
serv_addr_uaddr = $uservaddr
addrlen = $addrlen
- argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
+ argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
}
probe syscall.connect.return = kernel.function("SyS_connect").return !,
- kernel.function("sys_connect").return ? {
+ kernel.function("sys_connect").return ?
+{
name = "connect"
retstr = returnstr(1)
}
@@ -477,7 +504,7 @@ probe syscall.connect.return = kernel.function("SyS_connect").return !,
# creat
# long sys_creat(const char __user * pathname, int mode)
probe syscall.creat = kernel.function("SyS_creat") !,
- kernel.function("sys_creat") ?
+ kernel.function("sys_creat") ?
{
name = "creat"
mode = $mode
@@ -485,7 +512,7 @@ probe syscall.creat = kernel.function("SyS_creat") !,
argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
}
probe syscall.creat.return = kernel.function("SyS_creat").return !,
- kernel.function("sys_creat").return ?
+ kernel.function("sys_creat").return ?
{
name = "creat"
retstr = returnstr(1)
@@ -494,14 +521,16 @@ probe syscall.creat.return = kernel.function("SyS_creat").return !,
# delete_module ______________________________________________
# long sys_delete_module(const char __user *name_user, unsigned int flags)
probe syscall.delete_module = kernel.function("SyS_delete_module") !,
- kernel.function("sys_delete_module") ? {
+ kernel.function("sys_delete_module") ?
+{
name = "delete_module"
name_user = user_string($name_user)
flags = $flags
argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
}
probe syscall.delete_module.return = kernel.function("SyS_delete_module").return !,
- kernel.function("sys_delete_module").return ? {
+ kernel.function("sys_delete_module").return ?
+{
name = "delete_module"
retstr = returnstr(1)
}
@@ -509,13 +538,15 @@ probe syscall.delete_module.return = kernel.function("SyS_delete_module").return
# dup ________________________________________________________
# long sys_dup(unsigned int fildes)
probe syscall.dup = kernel.function("SyS_dup") !,
- kernel.function("sys_dup") {
+ kernel.function("sys_dup")
+{
name = "dup"
oldfd = $fildes
argstr = sprint($fildes)
}
probe syscall.dup.return = kernel.function("SyS_dup").return !,
- kernel.function("sys_dup").return {
+ kernel.function("sys_dup").return
+{
name = "dup"
retstr = returnstr(1)
}
@@ -523,14 +554,16 @@ probe syscall.dup.return = kernel.function("SyS_dup").return !,
# dup2 _______________________________________________________
# long sys_dup2(unsigned int oldfd, unsigned int newfd)
probe syscall.dup2 = kernel.function("SyS_dup2") !,
- kernel.function("sys_dup2") {
+ kernel.function("sys_dup2")
+{
name = "dup2"
oldfd = $oldfd
newfd = $newfd
argstr = sprintf("%d, %d", $oldfd, $newfd)
}
probe syscall.dup2.return = kernel.function("SyS_dup2").return !,
- kernel.function("sys_dup2").return {
+ kernel.function("sys_dup2").return
+{
name = "dup2"
retstr = returnstr(1)
}
@@ -538,14 +571,15 @@ probe syscall.dup2.return = kernel.function("SyS_dup2").return !,
# epoll_create _______________________________________________
# long sys_epoll_create(int size)
probe syscall.epoll_create = kernel.function("SyS_epoll_create") !,
- kernel.function("sys_epoll_create") ? {
+ kernel.function("sys_epoll_create") ?
+{
name = "epoll_create"
size = $size
argstr = sprint($size)
}
-probe syscall.epoll_create.return =
- kernel.function("SyS_epoll_create").return !,
- kernel.function("sys_epoll_create").return ? {
+probe syscall.epoll_create.return = kernel.function("SyS_epoll_create").return !,
+ kernel.function("sys_epoll_create").return ?
+{
name = "epoll_create"
retstr = returnstr(1)
}
@@ -556,10 +590,9 @@ probe syscall.epoll_create.return =
# long compat_sys_epoll_ctl(int epfd, int op, int fd,
# struct compat_epoll_event __user *event)
#
-probe syscall.epoll_ctl =
- kernel.function("compat_sys_epoll_ctl") ?,
- kernel.function("SyS_epoll_ctl") !,
- kernel.function("sys_epoll_ctl") ?
+probe syscall.epoll_ctl = kernel.function("compat_sys_epoll_ctl") ?,
+ kernel.function("SyS_epoll_ctl") !,
+ kernel.function("sys_epoll_ctl") ?
{
name = "epoll_ctl"
epfd = $epfd
@@ -569,10 +602,9 @@ probe syscall.epoll_ctl =
event_uaddr = $event
argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
}
-probe syscall.epoll_ctl.return =
- kernel.function("compat_sys_epoll_ctl").return ?,
- kernel.function("SyS_epoll_ctl").return !,
- kernel.function("sys_epoll_ctl").return ?
+probe syscall.epoll_ctl.return = kernel.function("compat_sys_epoll_ctl").return ?,
+ kernel.function("SyS_epoll_ctl").return !,
+ kernel.function("sys_epoll_ctl").return ?
{
name = "epoll_ctl"
retstr = returnstr(1)
@@ -589,19 +621,17 @@ probe syscall.epoll_ctl.return =
# const compat_sigset_t __user *sigmask,
# compat_size_t sigsetsize)
#
-probe syscall.epoll_pwait =
- kernel.function("compat_sys_epoll_pwait") ?,
- kernel.function("SyS_epoll_pwait") !,
- kernel.function("sys_epoll_pwait") ?
+probe syscall.epoll_pwait = kernel.function("compat_sys_epoll_pwait") ?,
+ kernel.function("SyS_epoll_pwait") !,
+ kernel.function("sys_epoll_pwait") ?
{
name = "epoll_pwait"
argstr = sprintf("%d, %p, %d, %d, %p, %d",
$epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
}
-probe syscall.epoll_pwait.return =
- kernel.function("compat_sys_epoll_pwait").return ?,
- kernel.function("SyS_epoll_pwait").return !,
- kernel.function("sys_epoll_pwait").return ?
+probe syscall.epoll_pwait.return = kernel.function("compat_sys_epoll_pwait").return ?,
+ kernel.function("SyS_epoll_pwait").return !,
+ kernel.function("sys_epoll_pwait").return ?
{
name = "epoll_pwait"
retstr = returnstr(1)
@@ -615,10 +645,9 @@ probe syscall.epoll_pwait.return =
# struct compat_epoll_event __user *events,
# int maxevents, int timeout)
#
-probe syscall.epoll_wait =
- kernel.function("compat_sys_epoll_wait") ?,
- kernel.function("SyS_epoll_wait") !,
- kernel.function("sys_epoll_wait") ?
+probe syscall.epoll_wait = kernel.function("compat_sys_epoll_wait") ?,
+ kernel.function("SyS_epoll_wait") !,
+ kernel.function("sys_epoll_wait") ?
{
name = "epoll_wait"
epfd = $epfd
@@ -627,10 +656,9 @@ probe syscall.epoll_wait =
timeout = $timeout
argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
}
-probe syscall.epoll_wait.return =
- kernel.function("compat_sys_epoll_wait").return ?,
- kernel.function("SyS_epoll_wait").return !,
- kernel.function("sys_epoll_wait").return ?
+probe syscall.epoll_wait.return = kernel.function("compat_sys_epoll_wait").return ?,
+ kernel.function("SyS_epoll_wait").return !,
+ kernel.function("sys_epoll_wait").return ?
{
name = "epoll_wait"
retstr = returnstr(1)
@@ -640,12 +668,14 @@ probe syscall.epoll_wait.return =
# long sys_eventfd(unsigned int count)
#
probe syscall.eventfd = kernel.function("SyS_eventfd") !,
- kernel.function("sys_eventfd") ? {
+ kernel.function("sys_eventfd") ?
+{
name = "eventfd"
argstr = sprint($count)
}
probe syscall.eventfd.return = kernel.function("SyS_eventfd").return !,
- kernel.function("sys_eventfd").return ? {
+ kernel.function("sys_eventfd").return ?
+{
name = "eventfd"
retstr = returnstr(1)
}
@@ -657,7 +687,8 @@ probe syscall.eventfd.return = kernel.function("SyS_eventfd").return !,
# char __user *__user *argv,
# char __user *__user *envp,
# struct pt_regs * regs)
-probe syscall.execve = kernel.function("do_execve") {
+probe syscall.execve = kernel.function("do_execve")
+{
name = "execve"
filename = kernel_string($filename)
args = __get_argv($argv, 0)
@@ -665,7 +696,8 @@ probe syscall.execve = kernel.function("do_execve") {
}
# v2.6.15-rc2 or earlier has problems with sys_execve return probes
# another reason to probe on do_execve
-probe syscall.execve.return = kernel.function("do_execve").return {
+probe syscall.execve.return = kernel.function("do_execve").return
+{
name = "execve"
retstr = returnstr(1)
}
@@ -673,20 +705,23 @@ probe syscall.execve.return = kernel.function("do_execve").return {
# compat_uptr_t __user *argv,
# compat_uptr_t __user *envp,
# struct pt_regs * regs)
-probe syscall.compat_execve = kernel.function("compat_do_execve") ? {
+probe syscall.compat_execve = kernel.function("compat_do_execve") ?
+{
name = "compat_execve"
filename = kernel_string($filename)
args = __get_compat_argv($argv, 0)
argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
}
-probe syscall.compat_execve.return = kernel.function("compat_do_execve").return ? {
+probe syscall.compat_execve.return = kernel.function("compat_do_execve").return ?
+{
name = "compat_execve"
retstr = returnstr(1)
}
# exit _______________________________________________________
# long sys_exit(int error_code)
-probe syscall.exit = kernel.function("do_exit") {
+probe syscall.exit = kernel.function("do_exit")
+{
name = "exit"
status = $code
argstr = sprint($code)
@@ -698,7 +733,8 @@ probe syscall.exit = kernel.function("do_exit") {
# void sys_exit_group(int error_code)
#
probe syscall.exit_group = kernel.function("SyS_exit_group") !,
- kernel.function("sys_exit_group") {
+ kernel.function("sys_exit_group")
+{
name = "exit_group"
status = $error_code
argstr = sprint($error_code)
@@ -710,18 +746,19 @@ probe syscall.exit_group = kernel.function("SyS_exit_group") !,
# new function with 2.6.16
# long sys_faccessat(int dfd, const char __user *filename, int mode)
probe syscall.faccessat = kernel.function("SyS_faccessat") !,
- kernel.function("sys_faccessat") ? {
+ kernel.function("sys_faccessat") ?
+{
name = "faccessat"
- dfd = $dfd
- dfd_str = _dfd_str($dfd)
- filename = $filename
- filename_str = user_string($filename)
+ dirfd = $dfd
+ dirfd_str = _dfd_str($dfd)
+ pathname = user_string($filename)
mode = $mode
mode_str = _access_mode_str($mode)
- argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted($filename), mode_str)
+ argstr = sprintf("%s, %s, %s", dirfd_str, user_string_quoted($filename), mode_str)
}
probe syscall.faccessat.return = kernel.function("SyS_faccessat").return !,
- kernel.function("sys_faccessat").return ? {
+ kernel.function("sys_faccessat").return ?
+{
name = "faccessat"
retstr = returnstr(1)
}
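Review bot: Renaming the exported variables of syscall.faccessat (`dfd` to `dirfd`, `dfd_str` to `dirfd_str`, `filename_str` to `pathname`) and dropping the raw `filename` pointer changes the interface existing scripts read, and the hunk leaves no compatibility names behind. Monitoring or audit scripts written against the old names would stop receiving the descriptor and path values after this update. The syscall.fchmodat and syscall.fchownat hunks further down do the same, and fchownat also renames `user` to `owner` and `flag`/`flag_str` to `flags`/`flags_str`. I would keep the old names as aliases for a transition period, for example `dfd = dirfd` and `filename_str = pathname`, each under a comment such as `# deprecated: use dirfd / pathname`.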
@@ -731,7 +768,8 @@ probe syscall.faccessat.return = kernel.function("SyS_faccessat").return !,
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
probe syscall.fadvise64 = kernel.function("SyS_fadvise64") !,
- kernel.function("sys_fadvise64") ? {
+ kernel.function("sys_fadvise64") ?
+{
name = "fadvise64"
fd = $fd
offset = $offset
@@ -740,7 +778,8 @@ probe syscall.fadvise64 = kernel.function("SyS_fadvise64") !,
argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
}
probe syscall.fadvise64.return = kernel.function("SyS_fadvise64").return !,
- kernel.function("sys_fadvise64").return ? {
+ kernel.function("sys_fadvise64").return ?
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -749,7 +788,8 @@ probe syscall.fadvise64.return = kernel.function("SyS_fadvise64").return !,
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
probe syscall.fadvise64_64 = kernel.function("SyS_fadvise64_64") !,
- kernel.function("sys_fadvise64_64") ? {
+ kernel.function("sys_fadvise64_64") ?
+{
name = "fadvise64_64"
fd = $fd
offset = $offset
@@ -758,7 +798,8 @@ probe syscall.fadvise64_64 = kernel.function("SyS_fadvise64_64") !,
argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
}
probe syscall.fadvise64_64.return = kernel.function("SyS_fadvise64_64").return !,
- kernel.function("sys_fadvise64_64").return ? {
+ kernel.function("sys_fadvise64_64").return ?
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -769,7 +810,8 @@ probe syscall.fadvise64_64.return = kernel.function("SyS_fadvise64_64").return !
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
probe syscall.fadvise64 = kernel.function("SyS_fadvise64") !,
- kernel.function("sys_fadvise64") {
+ kernel.function("sys_fadvise64")
+{
name = "fadvise64"
fd = 0
offset = 0
@@ -778,7 +820,8 @@ probe syscall.fadvise64 = kernel.function("SyS_fadvise64") !,
argstr = ""
}
probe syscall.fadvise64.return = kernel.function("SyS_fadvise64").return !,
- kernel.function("sys_fadvise64").return {
+ kernel.function("sys_fadvise64").return
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -787,7 +830,8 @@ probe syscall.fadvise64.return = kernel.function("SyS_fadvise64").return !,
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
probe syscall.fadvise64_64 = kernel.function("SyS_fadvise64_64") !,
- kernel.function("sys_fadvise64_64") {
+ kernel.function("sys_fadvise64_64")
+{
name = "fadvise64_64"
fd = 0
offset = 0
@@ -796,7 +840,8 @@ probe syscall.fadvise64_64 = kernel.function("SyS_fadvise64_64") !,
argstr = ""
}
probe syscall.fadvise64_64.return = kernel.function("SyS_fadvise64_64").return !,
- kernel.function("sys_fadvise64_64").return {
+ kernel.function("sys_fadvise64_64").return
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -805,13 +850,15 @@ probe syscall.fadvise64_64.return = kernel.function("SyS_fadvise64_64").return !
# fchdir _____________________________________________________
# long sys_fchdir(unsigned int fd)
probe syscall.fchdir = kernel.function("SyS_fchdir") !,
- kernel.function("sys_fchdir") {
+ kernel.function("sys_fchdir")
+{
name = "fchdir"
fd = $fd
argstr = sprint($fd)
}
probe syscall.fchdir.return = kernel.function("SyS_fchdir").return !,
- kernel.function("sys_fchdir").return {
+ kernel.function("sys_fchdir").return
+{
name = "fchdir"
retstr = returnstr(1)
}
@@ -819,14 +866,16 @@ probe syscall.fchdir.return = kernel.function("SyS_fchdir").return !,
# fchmod _____________________________________________________
# long sys_fchmod(unsigned int fd, mode_t mode)
probe syscall.fchmod = kernel.function("SyS_fchmod") !,
- kernel.function("sys_fchmod") {
+ kernel.function("sys_fchmod")
+{
name = "fchmod"
fildes = $fd
mode = $mode
argstr = sprintf("%d, %#o", $fd, $mode)
}
probe syscall.fchmod.return = kernel.function("SyS_fchmod").return !,
- kernel.function("sys_fchmod").return {
+ kernel.function("sys_fchmod").return
+{
name = "fchmod"
retstr = returnstr(1)
}
@@ -836,17 +885,18 @@ probe syscall.fchmod.return = kernel.function("SyS_fchmod").return !,
# long sys_fchmodat(int dfd, const char __user *filename,
# mode_t mode)
probe syscall.fchmodat = kernel.function("SyS_fchmodat") !,
- kernel.function("sys_fchmodat") ? {
+ kernel.function("sys_fchmodat") ?
+{
name = "fchmodat"
- dfd = $dfd
- dfd_str = _dfd_str($dfd)
- filename = $filename
- filename_str = user_string($filename)
+ dirfd = $dfd
+ dirfd_str = _dfd_str($dfd)
+ pathname = user_string($filename)
mode = $mode
- argstr = sprintf("%s, %s, %#o", dfd_str, user_string_quoted($filename), $mode)
+ argstr = sprintf("%s, %s, %#o", dirfd_str, user_string_quoted($filename), $mode)
}
probe syscall.fchmodat.return = kernel.function("SyS_fchmodat").return !,
- kernel.function("sys_fchmodat").return ? {
+ kernel.function("sys_fchmodat").return ?
+{
name = "fchmodat"
retstr = returnstr(1)
}
@@ -854,29 +904,33 @@ probe syscall.fchmodat.return = kernel.function("SyS_fchmodat").return !,
# fchown _____________________________________________________
# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
probe syscall.fchown = kernel.function("SyS_fchown") !,
- kernel.function("sys_fchown") {
+ kernel.function("sys_fchown")
+{
name = "fchown"
fd = $fd
owner = __int32($user)
group = __int32($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ argstr = sprintf("%d, %d, %d", $fd, owner, group)
}
probe syscall.fchown.return = kernel.function("SyS_fchown").return !,
- kernel.function("sys_fchown").return {
+ kernel.function("sys_fchown").return
+{
name = "fchown"
retstr = returnstr(1)
}
# fchown16 ___________________________________________________
# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
-probe syscall.fchown16 = kernel.function("sys_fchown16") ? {
+probe syscall.fchown16 = kernel.function("sys_fchown16") ?
+{
name = "fchown16"
fd = $fd
owner = __short($user)
group = __short($group)
argstr = sprintf("%d, %d, %d", $fd, owner, group)
}
-probe syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
+probe syscall.fchown16.return = kernel.function("sys_fchown16").return ?
+{
name = "fchown16"
retstr = returnstr(1)
}
@@ -886,21 +940,22 @@ probe syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
# long sys_fchownat(int dfd, const char __user *filename,
# uid_t user, gid_t group, int flag)
probe syscall.fchownat = kernel.function("SyS_fchownat") !,
- kernel.function("sys_fchownat") ? {
+ kernel.function("sys_fchownat") ?
+{
name = "fchownat"
- dfd = $dfd
- dfd_str = _dfd_str($dfd)
- filename = $filename
- filename_str = user_string($filename)
- user = __int32($user)
+ dirfd = $dfd
+ dirfd_str = _dfd_str($dfd)
+ pathname = user_string($filename)
+ owner = __int32($user)
group = __int32($group)
- flag = $flag
- flag_str = _at_flag_str($flag)
+ flags = $flag
+ flags_str = _at_flag_str($flag)
argstr = sprintf("%s, %s, %d, %d, %s",
- dfd_str, user_string_quoted($filename), user, group, flag_str)
+ dirfd_str, user_string_quoted($filename), owner, group, flags_str)
}
probe syscall.fchownat.return = kernel.function("SyS_fchownat").return !,
- kernel.function("sys_fchownat").return ? {
+ kernel.function("sys_fchownat").return ?
+{
name = "fchownat"
retstr = returnstr(1)
}
@@ -911,26 +966,24 @@ probe syscall.fchownat.return = kernel.function("SyS_fchownat").return !,
# long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe syscall.fcntl =
- kernel.function("compat_sys_fcntl") ?,
- kernel.function("compat_sys_fcntl64") ?,
- kernel.function("sys_fcntl64") ?,
- kernel.function("SyS_fcntl") !,
- kernel.function("sys_fcntl") ?
+probe syscall.fcntl = kernel.function("compat_sys_fcntl") ?,
+ kernel.function("compat_sys_fcntl64") ?,
+ kernel.function("sys_fcntl64") ?,
+ kernel.function("SyS_fcntl") !,
+ kernel.function("sys_fcntl") ?
{
name = "fcntl"
fd = $fd
cmd = $cmd
cmd_str = _fcntl_cmd_str($cmd)
- arg = $arg
+ arg = $arg
argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
}
-probe syscall.fcntl.return =
- kernel.function("compat_sys_fcntl").return ?,
- kernel.function("compat_sys_fcntl64").return ?,
- kernel.function("sys_fcntl64").return ?,
- kernel.function("SyS_fcntl").return !,
- kernel.function("sys_fcntl").return ?
+probe syscall.fcntl.return = kernel.function("compat_sys_fcntl").return ?,
+ kernel.function("compat_sys_fcntl64").return ?,
+ kernel.function("sys_fcntl64").return ?,
+ kernel.function("SyS_fcntl").return !,
+ kernel.function("sys_fcntl").return ?
{
name = "fcntl"
retstr = returnstr(1)
@@ -939,13 +992,15 @@ probe syscall.fcntl.return =
# fdatasync __________________________________________________
# long sys_fdatasync(unsigned int fd)
probe syscall.fdatasync = kernel.function("SyS_fdatasync") !,
- kernel.function("sys_fdatasync") {
+ kernel.function("sys_fdatasync")
+{
name = "fdatasync"
fd = $fd
argstr = sprint(fd)
}
probe syscall.fdatasync.return = kernel.function("SyS_fdatasync").return !,
- kernel.function("sys_fdatasync").return {
+ kernel.function("sys_fdatasync").return
+{
name = "fdatasync"
retstr = returnstr(1)
}
@@ -954,7 +1009,8 @@ probe syscall.fdatasync.return = kernel.function("SyS_fdatasync").return !,
# ssize_t sys_fgetxattr(int fd, char __user *name,
# void __user *value, size_t size)
probe syscall.fgetxattr = kernel.function("SyS_fgetxattr") !,
- kernel.function("sys_fgetxattr") {
+ kernel.function("sys_fgetxattr")
+{
name = "fgetxattr"
filedes = $fd
#FIXME
@@ -964,14 +1020,16 @@ probe syscall.fgetxattr = kernel.function("SyS_fgetxattr") !,
argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
}
probe syscall.fgetxattr.return = kernel.function("SyS_fgetxattr").return !,
- kernel.function("sys_fgetxattr").return {
+ kernel.function("sys_fgetxattr").return
+{
name = "fgetxattr"
retstr = returnstr(1)
}
# flistxattr _________________________________________________
# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
probe syscall.flistxattr = kernel.function("SyS_flistxattr") !,
- kernel.function("sys_flistxattr") {
+ kernel.function("sys_flistxattr")
+{
name = "flistxattr"
filedes = $fd
list_uaddr = $list
@@ -979,7 +1037,8 @@ probe syscall.flistxattr = kernel.function("SyS_flistxattr") !,
argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
}
probe syscall.flistxattr.return = kernel.function("SyS_flistxattr").return !,
- kernel.function("sys_flistxattr").return {
+ kernel.function("sys_flistxattr").return
+{
name = "flistxattr"
retstr = returnstr(1)
}
@@ -987,19 +1046,23 @@ probe syscall.flistxattr.return = kernel.function("SyS_flistxattr").return !,
# flock ______________________________________________________
# long sys_flock(unsigned int fd, unsigned int cmd)
probe syscall.flock = kernel.function("SyS_flock") !,
- kernel.function("sys_flock") {
+ kernel.function("sys_flock")
+{
name = "flock"
fd = $fd
operation = $cmd
argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
}
probe syscall.flock.return = kernel.function("SyS_flock").return !,
- kernel.function("sys_flock").return {
+ kernel.function("sys_flock").return
+{
name = "flock"
retstr = returnstr(1)
}
-function __is_user_regs:long (regs:long) %{ /* pure */
+function __is_user_regs:long (regs:long)
+%{
+ /* pure */
struct pt_regs * regs = (void *)((unsigned long)THIS->regs);
/* copied from asm/ptrace.h */
#if defined(__i386__)
@@ -1037,17 +1100,18 @@ CATCH_DEREF_FAULT();
# unsigned long stack_size,
# int __user *parent_tidptr,
# int __user *child_tidptr)
-probe syscall.fork = kernel.function("do_fork") {
+probe syscall.fork = kernel.function("do_fork")
+{
clone_flags = $clone_flags
stack_start = $stack_start
regs = $regs
stack_size = $stack_size
parent_tid_uaddr = $parent_tidptr
child_tid_uaddr = $child_tidptr
-
+
if (!__is_user_regs(regs)) {
name = "fork_kernel_thread"
- argstr = __fork_flags(clone_flags)
+ argstr = __fork_flags(clone_flags)
} else if (clone_flags & 17)
name = "fork"
else if (clone_flags & 0x4000)
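Review bot: The branch `else if (clone_flags & 17)` tests a constant that is not a single-bit mask, so it is true whenever bit 0 or bit 4 of clone_flags is set rather than when the exit signal equals 17; the commit reformats around this line without touching it. If 17 is meant as SIGCHLD, a vfork-style call that also carries that signal is named "fork" before the `0x4000` test is reached, which mislabels process-creation events in any trace built on this probe. Testing `clone_flags & 0x4000` first and then comparing the signal byte with `else if ((clone_flags & 0xff) == 17)` would make the name follow the flags. The probe body continues past the end of this hunk, so the final `else` branch should be checked against the same ordering.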
@@ -1057,21 +1121,24 @@ probe syscall.fork = kernel.function("do_fork") {
argstr = __fork_flags(clone_flags)
}
}
-probe syscall.fork.return = kernel.function("do_fork").return {
+probe syscall.fork.return = kernel.function("do_fork").return
+{
name = "fork"
retstr = returnstr(1)
}
# fremovexattr _______________________________________________
# long sys_fremovexattr(int fd, char __user *name)
probe syscall.fremovexattr = kernel.function("SyS_fremovexattr") !,
- kernel.function("sys_fremovexattr") {
+ kernel.function("sys_fremovexattr")
+{
name = "fremovexattr"
filedes = $fd
name_uaddr = $name
argstr = sprintf("FIXME PLEASE")
}
probe syscall.fremovexattr.return = kernel.function("SyS_fremovexattr").return !,
- kernel.function("sys_fremovexattr").return {
+ kernel.function("sys_fremovexattr").return
+{
name = "fremovexattr"
retstr = returnstr(1)
}
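Review bot: syscall.fremovexattr still sets `argstr = sprintf("FIXME PLEASE")`, so a trace of this call shows neither the descriptor nor the name of the attribute being removed; the commit only moves the brace here. The sibling xattr probes on this page format the name with user_string_quoted, and the same would work in this probe: `argstr = sprintf("%d, %s", filedes, user_string_quoted($name))`. The attribute name is the only field that tells an auditor which extended attribute was removed, so leaving the placeholder makes these events unusable for that purpose.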
@@ -1086,7 +1153,8 @@ probe syscall.fremovexattr.return = kernel.function("SyS_fremovexattr").return !
* int flags)
*/
probe syscall.fsetxattr = kernel.function("SyS_fsetxattr") !,
- kernel.function("sys_fsetxattr") {
+ kernel.function("sys_fsetxattr")
+{
name = "fsetxattr"
filedes = $fd
# FIXME
@@ -1097,7 +1165,8 @@ probe syscall.fsetxattr = kernel.function("SyS_fsetxattr") !,
argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
}
probe syscall.fsetxattr.return = kernel.function("SyS_fsetxattr").return !,
- kernel.function("sys_fsetxattr").return {
+ kernel.function("sys_fsetxattr").return
+{
name = "fsetxattr"
retstr = returnstr(1)
}
@@ -1111,30 +1180,28 @@ probe syscall.fsetxattr.return = kernel.function("SyS_fsetxattr").return !,
# struct oldabi_stat64 __user * statbuf)
# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
#
-probe syscall.fstat =
- kernel.function("sys_fstat") ?,
- kernel.function("SyS_fstat64") ?,
- kernel.function("sys_fstat64") ?,
- kernel.function("sys32_fstat64") ?,
- kernel.function("SyS_newfstat") ?,
- kernel.function("sys_newfstat") ?,
- kernel.function("sys_oabi_fstat64") ?,
- kernel.function("compat_sys_newfstat") ?
+probe syscall.fstat = kernel.function("sys_fstat") ?,
+ kernel.function("SyS_fstat64") ?,
+ kernel.function("sys_fstat64") ?,
+ kernel.function("sys32_fstat64") ?,
+ kernel.function("SyS_newfstat") ?,
+ kernel.function("sys_newfstat") ?,
+ kernel.function("sys_oabi_fstat64") ?,
+ kernel.function("compat_sys_newfstat") ?
{
name = "fstat"
filedes = $fd
buf_uaddr = $statbuf
argstr = sprintf("%d, %p", $fd, $statbuf)
}
-probe syscall.fstat.return =
- kernel.function("sys_fstat").return ?,
- kernel.function("SyS_fstat64").return ?,
- kernel.function("sys_fstat64").return ?,
- kernel.function("sys32_fstat64").return ?,
- kernel.function("SyS_newfstat").return ?,
- kernel.function("sys_newfstat").return ?,
- kernel.function("sys_oabi_fstat64").return ?,
- kernel.function("compat_sys_newfstat").return ?
+probe syscall.fstat.return = kernel.function("sys_fstat").return ?,
+ kernel.function("SyS_fstat64").return ?,
+ kernel.function("sys_fstat64").return ?,
+ kernel.function("sys32_fstat64").return ?,
+ kernel.function("SyS_newfstat").return ?,
+ kernel.function("sys_newfstat").return ?,
+ kernel.function("sys_oabi_fstat64").return ?,
+ kernel.function("compat_sys_newfstat").return ?
{
name = "fstat"
retstr = returnstr(1)
@@ -1145,13 +1212,12 @@ probe syscall.fstat.return =
# long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
# long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
# long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
-probe syscall.fstatat =
- kernel.function("SyS_fstatat64") ?,
- kernel.function("sys_fstatat64") ?,
- kernel.function("SyS_newfstatat") ?,
- kernel.function("sys_newfstatat") ?,
- kernel.function("compat_sys_newfstatat") ?,
- kernel.function("sys32_fstatat64") ?
+probe syscall.fstatat = kernel.function("SyS_fstatat64") ?,
+ kernel.function("sys_fstatat64") ?,
+ kernel.function("SyS_newfstatat") ?,
+ kernel.function("sys_newfstatat") ?,
+ kernel.function("compat_sys_newfstatat") ?,
+ kernel.function("sys32_fstatat64") ?
{
name = "fstatat"
dirfd = $dfd
@@ -1159,13 +1225,12 @@ probe syscall.fstatat =
buf_uaddr = $statbuf
argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
}
-probe syscall.fstatat.return =
- kernel.function("SyS_fstatat64").return ?,
- kernel.function("sys_fstatat64").return ?,
- kernel.function("SyS_newfstatat").return ?,
- kernel.function("sys_newfstatat").return ?,
- kernel.function("compat_sys_newfstatat").return ?,
- kernel.function("sys32_fstatat64").return ?
+probe syscall.fstatat.return = kernel.function("SyS_fstatat64").return ?,
+ kernel.function("sys_fstatat64").return ?,
+ kernel.function("SyS_newfstatat").return ?,
+ kernel.function("sys_newfstatat").return ?,
+ kernel.function("compat_sys_newfstatat").return ?,
+ kernel.function("sys32_fstatat64").return ?
{
name = "fstatat"
retstr = returnstr(1)
@@ -1175,20 +1240,18 @@ probe syscall.fstatat.return =
# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
#
-probe syscall.fstatfs =
- kernel.function("compat_sys_fstatfs") ?,
- kernel.function("SyS_fstatfs") !,
- kernel.function("sys_fstatfs")
+probe syscall.fstatfs = kernel.function("compat_sys_fstatfs") ?,
+ kernel.function("SyS_fstatfs") !,
+ kernel.function("sys_fstatfs")
{
name = "fstatfs"
fd = $fd
buf_uaddr = $buf
argstr = sprintf("%d, %p", $fd, $buf)
}
-probe syscall.fstatfs.return =
- kernel.function("compat_sys_fstatfs").return ?,
- kernel.function("SyS_fstatfs").return !,
- kernel.function("sys_fstatfs").return
+probe syscall.fstatfs.return = kernel.function("compat_sys_fstatfs").return ?,
+ kernel.function("SyS_fstatfs").return !,
+ kernel.function("sys_fstatfs").return
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1198,10 +1261,9 @@ probe syscall.fstatfs.return =
# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
# long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
#
-probe syscall.fstatfs64 =
- kernel.function("compat_sys_fstatfs64") ?,
- kernel.function("SyS_fstatfs64") !,
- kernel.function("sys_fstatfs64") ?
+probe syscall.fstatfs64 = kernel.function("compat_sys_fstatfs64") ?,
+ kernel.function("SyS_fstatfs64") !,
+ kernel.function("sys_fstatfs64") ?
{
name = "fstatfs"
fd = $fd
@@ -1209,10 +1271,9 @@ probe syscall.fstatfs64 =
buf_uaddr = $buf
argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
}
-probe syscall.fstatfs64.return =
- kernel.function("compat_sys_fstatfs64").return ?,
- kernel.function("SyS_fstatfs64").return !,
- kernel.function("sys_fstatfs64").return ?
+probe syscall.fstatfs64.return = kernel.function("compat_sys_fstatfs64").return ?,
+ kernel.function("SyS_fstatfs64").return !,
+ kernel.function("sys_fstatfs64").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1221,40 +1282,46 @@ probe syscall.fstatfs64.return =
# fsync ______________________________________________________
# long sys_fsync(unsigned int fd)
probe syscall.fsync = kernel.function("SyS_fsync") !,
- kernel.function("sys_fsync") {
+ kernel.function("sys_fsync")
+{
name = "fsync"
fd = $fd
argstr = sprint(fd)
}
probe syscall.fsync.return = kernel.function("SyS_fsync").return !,
- kernel.function("sys_fsync").return {
+ kernel.function("sys_fsync").return
+{
name = "fsync"
retstr = returnstr(1)
}
# ftruncate __________________________________________________
# long sys_ftruncate(unsigned int fd, unsigned long length)
probe syscall.ftruncate = kernel.function("SyS_ftruncate") !,
- kernel.function("sys_ftruncate") {
+ kernel.function("sys_ftruncate")
+{
name = "ftruncate"
fd = $fd
length = $length
argstr = sprintf("%d, %d", fd, length)
}
probe syscall.ftruncate.return = kernel.function("SyS_ftruncate").return !,
- kernel.function("sys_ftruncate").return {
+ kernel.function("sys_ftruncate").return
+{
name = "ftruncate"
retstr = returnstr(1)
}
# ftruncate64 ________________________________________________
# long sys_ftruncate64(unsigned int fd, loff_t length)
-probe syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
+probe syscall.ftruncate64 = kernel.function("sys_ftruncate64") ?
+{
name = "ftruncate"
fd = $fd
length = $length
argstr = sprintf("%d, %d", fd, length)
}
-probe syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
+probe syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ?
+{
name = "ftruncate"
retstr = returnstr(1)
}
@@ -1271,7 +1338,8 @@ probe syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
# u32 val3)
#
probe syscall.futex = kernel.function("SyS_futex") !,
- kernel.function("sys_futex") ? {
+ kernel.function("sys_futex") ?
+{
name = "futex"
futex_uaddr = $uaddr
op = $op
@@ -1280,18 +1348,20 @@ probe syscall.futex = kernel.function("SyS_futex") !,
uaddr2_uaddr = $uaddr2
val3 = $val3
if (op == 0)
- argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- $val, _struct_timespec_u($utime,1))
+ argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
+ $val, _struct_timespec_u($utime, 1))
else
- argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
- $val)
+ argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
+ $val)
}
probe syscall.futex.return = kernel.function("SyS_futex").return !,
- kernel.function("sys_futex").return ? {
+ kernel.function("sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
-probe syscall.compat_futex = kernel.function("compat_sys_futex") ? {
+probe syscall.compat_futex = kernel.function("compat_sys_futex") ?
+{
name = "futex"
futex_uaddr = $uaddr
op = $op
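Review bot: The `if (op == 0)` test in syscall.futex, kept here as context, compares the raw op with a bare 0, so the `$utime` timespec is printed only for an exact FUTEX_WAIT. On kernels that OR FUTEX_PRIVATE_FLAG into op, a private wait would presumably take the else branch and lose its timeout from argstr, which matters when this output is used to reconstruct what a process asked for. At minimum the branch deserves a comment such as `# op 0 == FUTEX_WAIT: only then is utime formatted as a timeout`, and masking the flag bits before the comparison is worth considering. The same test appears in syscall.compat_futex in the next hunk; syscall.futex itself begins in the previous hunk.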
@@ -1300,13 +1370,14 @@ probe syscall.compat_futex = kernel.function("compat_sys_futex") ? {
uaddr2_uaddr = $uaddr2
val3 = $val3
if (op == 0)
- argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- $val, _struct_compat_timespec_u($utime,1))
+ argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
+ $val, _struct_compat_timespec_u($utime, 1))
else
- argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
- $val)
+ argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
+ $val)
}
-probe syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? {
+probe syscall.compat_futex.return = kernel.function("compat_sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
@@ -1318,30 +1389,34 @@ probe syscall.compat_futex.return = kernel.function("compat_sys_futex").return ?
#
probe syscall.futimesat = kernel.function("SyS_futimesat") !,
- kernel.function("sys_futimesat") ? {
+ kernel.function("sys_futimesat") ?
+{
name = "futimesat"
dirfd = $dfd
filename_uaddr = $filename
filename = user_string($filename)
tvp_uaddr = $utimes
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
_struct_timeval_u($utimes, 2))
}
-probe syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? {
+probe syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ?
+{
name = "futimesat"
dirfd = $dfd
filename_uaddr = $filename
filename = user_string($filename)
tvp_uaddr = $t
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
_struct_compat_timeval_u($t, 2))
}
probe syscall.futimesat.return = kernel.function("SyS_futimesat").return !,
- kernel.function("sys_futimesat").return ? {
+ kernel.function("sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
-probe syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? {
+probe syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
@@ -1349,31 +1424,32 @@ probe syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").
# getcwd _____________________________________________________
# long sys_getcwd(char __user *buf, unsigned long size)
probe syscall.getcwd = kernel.function("SyS_getcwd") !,
- kernel.function("sys_getcwd") {
+ kernel.function("sys_getcwd")
+{
name = "getcwd"
buf_uaddr = $buf
size = $size
argstr = sprintf("%p, %d", buf_uaddr, size)
}
probe syscall.getcwd.return = kernel.function("SyS_getcwd").return !,
- kernel.function("sys_getcwd").return {
+ kernel.function("sys_getcwd").return
+{
name = "getcwd"
retstr = returnstr(1)
}
# getdents ___________________________________________________
# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
-# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count)
+# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
#
-probe syscall.getdents =
- kernel.function("SyS_getdents") ?,
- kernel.function("sys_getdents") ?,
- kernel.function("SyS_getdents64") ?,
- kernel.function("sys_getdents64") ?,
- kernel.function("compat_sys_getdents") ?,
- kernel.function("compat_sys_getdents64") ?
+probe syscall.getdents = kernel.function("SyS_getdents") ?,
+ kernel.function("sys_getdents") ?,
+ kernel.function("SyS_getdents64") ?,
+ kernel.function("sys_getdents64") ?,
+ kernel.function("compat_sys_getdents") ?,
+ kernel.function("compat_sys_getdents64") ?
{
name = "getdents"
fd = $fd
@@ -1381,13 +1457,12 @@ probe syscall.getdents =
count = $count
argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
}
-probe syscall.getdents.return =
- kernel.function("SyS_getdents").return ?,
- kernel.function("sys_getdents").return ?,
- kernel.function("SyS_getdents64").return ?,
- kernel.function("sys_getdents64").return ?,
- kernel.function("compat_sys_getdents").return ?,
- kernel.function("compat_sys_getdents64").return ?
+probe syscall.getdents.return = kernel.function("SyS_getdents").return ?,
+ kernel.function("sys_getdents").return ?,
+ kernel.function("SyS_getdents64").return ?,
+ kernel.function("sys_getdents64").return ?,
+ kernel.function("compat_sys_getdents").return ?,
+ kernel.function("compat_sys_getdents64").return ?
{
name = "getdents"
retstr = returnstr(1)
@@ -1398,18 +1473,16 @@ probe syscall.getdents.return =
# long sys_getegid16(void)
# long sys32_getegid16(void)
#
-probe syscall.getegid =
- kernel.function("sys_getegid16") ?,
- kernel.function("sys32_getegid16") ?,
- kernel.function("sys_getegid")
+probe syscall.getegid = kernel.function("sys_getegid16") ?,
+ kernel.function("sys32_getegid16") ?,
+ kernel.function("sys_getegid")
{
name = "getegid"
argstr = ""
}
-probe syscall.getegid.return =
- kernel.function("sys_getegid16").return ?,
- kernel.function("sys32_getegid16").return ?,
- kernel.function("sys_getegid").return
+probe syscall.getegid.return = kernel.function("sys_getegid16").return ?,
+ kernel.function("sys32_getegid16").return ?,
+ kernel.function("sys_getegid").return
{
name = "getegid"
retstr = returnstr(1)
@@ -1419,18 +1492,16 @@ probe syscall.getegid.return =
# long sys_geteuid(void)
# long sys32_geteuid16(void)
#
-probe syscall.geteuid =
- kernel.function("sys_geteuid16") ?,
- kernel.function("sys32_geteuid16") ?,
- kernel.function("sys_geteuid")
+probe syscall.geteuid = kernel.function("sys_geteuid16") ?,
+ kernel.function("sys32_geteuid16") ?,
+ kernel.function("sys_geteuid")
{
name = "geteuid"
argstr = ""
}
-probe syscall.geteuid.return =
- kernel.function("sys_geteuid16").return ?,
- kernel.function("sys32_geteuid16").return ?,
- kernel.function("sys_geteuid").return
+probe syscall.geteuid.return = kernel.function("sys_geteuid16").return ?,
+ kernel.function("sys32_geteuid16").return ?,
+ kernel.function("sys_geteuid").return
{
name = "geteuid"
retstr = returnstr(1)
@@ -1440,18 +1511,16 @@ probe syscall.geteuid.return =
# long sys_getgid(void)
# long sys32_getgid16(void)
#
-probe syscall.getgid =
- kernel.function("sys_getgid16") ?,
- kernel.function("sys32_getgid16") ?,
- kernel.function("sys_getgid")
+probe syscall.getgid = kernel.function("sys_getgid16") ?,
+ kernel.function("sys32_getgid16") ?,
+ kernel.function("sys_getgid")
{
name = "getgid"
argstr = ""
}
-probe syscall.getgid.return =
- kernel.function("sys_getgid16").return ?,
- kernel.function("sys32_getgid16").return ?,
- kernel.function("sys_getgid").return
+probe syscall.getgid.return = kernel.function("sys_getgid16").return ?,
+ kernel.function("sys32_getgid16").return ?,
+ kernel.function("sys_getgid").return
{
name = "getgid"
retstr = returnstr(1)
@@ -1462,22 +1531,20 @@ probe syscall.getgid.return =
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
#
-probe syscall.getgroups =
- kernel.function("sys_getgroups16") ?,
- kernel.function("sys32_getgroups16") ?,
- kernel.function("SyS_getgroups") !,
- kernel.function("sys_getgroups") ?
+probe syscall.getgroups = kernel.function("sys_getgroups16") ?,
+ kernel.function("sys32_getgroups16") ?,
+ kernel.function("SyS_getgroups") !,
+ kernel.function("sys_getgroups") ?
{
name = "getgroups"
size = $gidsetsize
list_uaddr = $grouplist
argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
}
-probe syscall.getgroups.return =
- kernel.function("sys_getgroups16").return ?,
- kernel.function("sys32_getgroups16").return ?,
- kernel.function("SyS_getgroups").return !,
- kernel.function("sys_getgroups").return ?
+probe syscall.getgroups.return = kernel.function("sys_getgroups16").return ?,
+ kernel.function("sys32_getgroups16").return ?,
+ kernel.function("SyS_getgroups").return !,
+ kernel.function("sys_getgroups").return ?
{
name = "getgroups"
retstr = returnstr(1)
@@ -1486,14 +1553,16 @@ probe syscall.getgroups.return =
# gethostname ________________________________________________
# long sys_gethostname(char __user *name, int len)
probe syscall.gethostname = kernel.function("SyS_gethostname") !,
- kernel.function("sys_gethostname") ? {
+ kernel.function("sys_gethostname") ?
+{
name = "gethostname"
name_uaddr = $name
len = $len
argstr = sprintf ("%p, %d", name_uaddr, len)
}
probe syscall.gethostname.return = kernel.function("SyS_gethostname").return !,
- kernel.function("sys_gethostname").return ? {
+ kernel.function("sys_gethostname").return ?
+{
name = "gethostname"
retstr = returnstr(1)
}
@@ -1502,25 +1571,29 @@ probe syscall.gethostname.return = kernel.function("SyS_gethostname").return !,
# sys_getitimer(int which, struct itimerval __user *value)
#
probe syscall.getitimer = kernel.function("SyS_getitimer") !,
- kernel.function("sys_getitimer") {
+ kernel.function("sys_getitimer")
+{
name = "getitimer"
which = $which
value_uaddr = $value
- argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
}
probe syscall.getitimer.return = kernel.function("SyS_getitimer").return !,
- kernel.function("sys_getitimer").return {
+ kernel.function("sys_getitimer").return
+{
name = "getitimer"
retstr = returnstr(1)
}
# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
-probe syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
+probe syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ?
+{
name = "getitimer"
which = $which
value_uaddr = $it
- argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
}
-probe syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
+probe syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ?
+{
name = "getitimer"
retstr = returnstr(1)
}
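Review bot: The prototype comment above syscall.compat_getitimer is cut off mid-parameter, and this hunk leaves it that way while reformatting the probe beneath it. It should read `# long compat_sys_getitimer(int which, struct compat_itimerval __user *it)`, so the comment matches the `$which` and `$it` variables the probe reads.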
@@ -1536,10 +1609,9 @@ probe syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").
# compat_ulong_t maxnode,
# compat_ulong_t addr, compat_ulong_t flags)
#
-probe syscall.get_mempolicy =
- kernel.function("compat_sys_get_mempolicy") ?,
- kernel.function("SyS_get_mempolicy") !,
- kernel.function("sys_get_mempolicy") ?
+probe syscall.get_mempolicy = kernel.function("compat_sys_get_mempolicy") ?,
+ kernel.function("SyS_get_mempolicy") !,
+ kernel.function("sys_get_mempolicy") ?
{
name = "get_mempolicy"
policy_uaddr = $policy
@@ -1548,12 +1620,11 @@ probe syscall.get_mempolicy =
addr = $addr
flags = $flags
argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
- $nmask, $maxnode, $addr, $flags)
+ $nmask, $maxnode, $addr, $flags)
}
-probe syscall.get_mempolicy.return =
- kernel.function("compat_sys_get_mempolicy").return ?,
- kernel.function("SyS_get_mempolicy").return !,
- kernel.function("sys_get_mempolicy").return ?
+probe syscall.get_mempolicy.return = kernel.function("compat_sys_get_mempolicy").return ?,
+ kernel.function("SyS_get_mempolicy").return !,
+ kernel.function("sys_get_mempolicy").return ?
{
name = "get_mempolicy"
retstr = returnstr(1)
@@ -1563,7 +1634,8 @@ probe syscall.get_mempolicy.return =
# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
#
probe syscall.getpeername = kernel.function("SyS_getpeername") !,
- kernel.function("sys_getpeername") ? {
+ kernel.function("sys_getpeername") ?
+{
name = "getpeername"
s = $fd
name_uaddr = $usockaddr
@@ -1571,7 +1643,8 @@ probe syscall.getpeername = kernel.function("SyS_getpeername") !,
argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
}
probe syscall.getpeername.return = kernel.function("SyS_getpeername").return !,
- kernel.function("sys_getpeername").return ? {
+ kernel.function("sys_getpeername").return ?
+{
name = "getpeername"
retstr = returnstr(1)
}
@@ -1579,46 +1652,54 @@ probe syscall.getpeername.return = kernel.function("SyS_getpeername").return !,
# getpgid ____________________________________________________
# long sys_getpgid(pid_t pid)
probe syscall.getpgid = kernel.function("SyS_getpgid") !,
- kernel.function("sys_getpgid") {
+ kernel.function("sys_getpgid")
+{
name = "getpgid"
pid = $pid
argstr = sprintf("%d", $pid)
}
probe syscall.getpgid.return = kernel.function("SyS_getpgid").return !,
- kernel.function("sys_getpgid").return {
+ kernel.function("sys_getpgid").return
+{
name = "getpgid"
retstr = returnstr(1)
}
# getpgrp ____________________________________________________
# long sys_getpgrp(void)
-probe syscall.getpgrp = kernel.function("sys_getpgrp") ? {
+probe syscall.getpgrp = kernel.function("sys_getpgrp") ?
+{
name = "getpgrp"
argstr = ""
}
-probe syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? {
+probe syscall.getpgrp.return = kernel.function("sys_getpgrp").return ?
+{
name = "getpgrp"
retstr = returnstr(1)
}
# getpid _____________________________________________________
# long sys_getpid(void)
-probe syscall.getpid = kernel.function("sys_getpid") {
+probe syscall.getpid = kernel.function("sys_getpid")
+{
name = "getpid"
argstr = ""
}
-probe syscall.getpid.return = kernel.function("sys_getpid").return {
+probe syscall.getpid.return = kernel.function("sys_getpid").return
+{
name = "getpid"
retstr = returnstr(1)
}
# getppid ____________________________________________________
# long sys_getppid(void)
-probe syscall.getppid = kernel.function("sys_getppid") {
+probe syscall.getppid = kernel.function("sys_getppid")
+{
name = "getppid"
argstr = ""
}
-probe syscall.getppid.return = kernel.function("sys_getppid").return {
+probe syscall.getppid.return = kernel.function("sys_getppid").return
+{
name = "getppid"
retstr = returnstr(1)
}
@@ -1626,14 +1707,16 @@ probe syscall.getppid.return = kernel.function("sys_getppid").return {
# getpriority ________________________________________________
# long sys_getpriority(int which, int who)
probe syscall.getpriority = kernel.function("SyS_getpriority") !,
- kernel.function("sys_getpriority") {
+ kernel.function("sys_getpriority")
+{
name = "getpriority"
which = $which
who = $who
argstr = sprintf("%s, %d", _priority_which_str(which), who)
}
probe syscall.getpriority.return = kernel.function("SyS_getpriority").return !,
- kernel.function("sys_getpriority").return {
+ kernel.function("sys_getpriority").return
+{
name = "getpriority"
retstr = returnstr(1)
}
@@ -1645,10 +1728,9 @@ probe syscall.getpriority.return = kernel.function("SyS_getpriority").return !,
# long sys_getresgid16(old_uid_t __user *rgid,
# old_uid_t __user *egid,
# old_uid_t __user *sgid)
-probe syscall.getresgid =
- kernel.function("sys_getresgid16") ?,
- kernel.function("SyS_getresgid") !,
- kernel.function("sys_getresgid")
+probe syscall.getresgid = kernel.function("sys_getresgid16") ?,
+ kernel.function("SyS_getresgid") !,
+ kernel.function("sys_getresgid")
{
name = "getresgid"
rgid_uaddr = $rgid
@@ -1656,23 +1738,21 @@ probe syscall.getresgid =
sgid_uaddr = $sgid
argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
}
-probe syscall.getresgid.return =
- kernel.function("sys_getresgid16").return ?,
- kernel.function("SyS_getresgid").return !,
- kernel.function("sys_getresgid").return
+probe syscall.getresgid.return = kernel.function("sys_getresgid16").return ?,
+ kernel.function("SyS_getresgid").return !,
+ kernel.function("sys_getresgid").return
{
name = "getresgid"
retstr = returnstr(1)
}
# getresuid __________________________________________________
-# long sys_getresuid(uid_t __user *ruid,
+# long sys_getresuid(uid_t __user *ruid,
# uid_t __user *euid,
# uid_t __user *suid)
-probe syscall.getresuid =
- kernel.function("sys_getresuid16") ?,
- kernel.function("SyS_getresuid") !,
- kernel.function("sys_getresuid")
+probe syscall.getresuid = kernel.function("sys_getresuid16") ?,
+ kernel.function("SyS_getresuid") !,
+ kernel.function("sys_getresuid")
{
name = "getresuid"
ruid_uaddr = $ruid
@@ -1680,10 +1760,9 @@ probe syscall.getresuid =
suid_uaddr = $suid
argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
}
-probe syscall.getresuid.return =
- kernel.function("sys_getresuid16").return ?,
- kernel.function("SyS_getresuid").return !,
- kernel.function("sys_getresuid").return
+probe syscall.getresuid.return = kernel.function("sys_getresuid16").return ?,
+ kernel.function("SyS_getresuid").return !,
+ kernel.function("sys_getresuid").return
{
name = "getresuid"
retstr = returnstr(1)
@@ -1694,8 +1773,8 @@ probe syscall.getresuid.return =
# long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
probe syscall.getrlimit = kernel.function("SyS_getrlimit") ?,
- kernel.function("sys_getrlimit") ?,
- kernel.function("SyS_old_getrlimit") ?,
+ kernel.function("sys_getrlimit") ?,
+ kernel.function("SyS_old_getrlimit") ?,
kernel.function("sys_old_getrlimit") ?,
kernel.function("compat_sys_getrlimit") ?
{
@@ -1705,10 +1784,10 @@ probe syscall.getrlimit = kernel.function("SyS_getrlimit") ?,
argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
}
probe syscall.getrlimit.return = kernel.function("SyS_getrlimit").return ?,
- kernel.function("sys_getrlimit").return ?,
- kernel.function("SyS_old_getrlimit").return ?,
+ kernel.function("sys_getrlimit").return ?,
+ kernel.function("SyS_old_getrlimit").return ?,
kernel.function("sys_old_getrlimit").return ?,
- kernel.function("compat_sys_getrlimit").return ?
+ kernel.function("compat_sys_getrlimit").return ?
{
name = "getrlimit"
retstr = returnstr(1)
@@ -1717,23 +1796,21 @@ probe syscall.getrlimit.return = kernel.function("SyS_getrlimit").return ?,
# getrusage __________________________________________________
# long sys_getrusage(int who, struct rusage __user *ru)
probe syscall.getrusage = kernel.function("SyS_getrusage") !,
- kernel.function("sys_getrusage") {
+ kernel.function("sys_getrusage")
+{
name = "getrusage"
who = $who
- if($who==-2)
- {
+ if ($who == -2) {
# RUSAGE_BOTH is not valid argument for sys_getrusage
who_str = sprintf("UNKNOWN VALUE: %d", $who)
- }
- else
- {
+ } else
who_str = _rusage_who_str($who)
- }
usage_uaddr = $ru
argstr = sprintf("%s, %p", who_str, usage_uaddr)
}
probe syscall.getrusage.return = kernel.function("SyS_getrusage").return !,
- kernel.function("sys_getrusage").return {
+ kernel.function("sys_getrusage").return
+{
name = "getrusage"
retstr = returnstr(1)
}
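Review bot: In syscall.getrusage the rewritten conditional braces the `if ($who == -2)` arm but leaves the `else` arm unbraced, which is easy to misread once a second statement is added under the else. Brace both arms: `} else {`, `who_str = _rusage_who_str($who)`, `}`. The literal -2 is tied to RUSAGE_BOTH only by the comment inside the branch, so that comment should state the value as well, for example `# -2 is RUSAGE_BOTH, which is not a valid argument for sys_getrusage`.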
@@ -1741,13 +1818,15 @@ probe syscall.getrusage.return = kernel.function("SyS_getrusage").return !,
# getsid _____________________________________________________
# long sys_getsid(pid_t pid)
probe syscall.getsid = kernel.function("SyS_getsid") !,
- kernel.function("sys_getsid") {
+ kernel.function("sys_getsid")
+{
name = "getsid"
pid = $pid
argstr = sprint(pid)
}
probe syscall.getsid.return = kernel.function("SyS_getsid").return !,
- kernel.function("sys_getsid").return {
+ kernel.function("sys_getsid").return
+{
name = "getsid"
retstr = returnstr(1)
}
@@ -1757,7 +1836,8 @@ probe syscall.getsid.return = kernel.function("SyS_getsid").return !,
# struct sockaddr __user *usockaddr,
# int __user *usockaddr_len)
probe syscall.getsockname = kernel.function("SyS_getsockname") !,
- kernel.function("sys_getsockname") ? {
+ kernel.function("sys_getsockname") ?
+{
name = "getsockname"
s = $fd
name_uaddr = $usockaddr
@@ -1765,7 +1845,8 @@ probe syscall.getsockname = kernel.function("SyS_getsockname") !,
argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
}
probe syscall.getsockname.return = kernel.function("SyS_getsockname").return !,
- kernel.function("sys_getsockname").return ? {
+ kernel.function("sys_getsockname").return ?
+{
name = "getsockname"
retstr = returnstr(1)
}
@@ -1777,10 +1858,9 @@ probe syscall.getsockname.return = kernel.function("SyS_getsockname").return !,
# char __user *optval,
# int __user *optlen)
#
-probe syscall.getsockopt =
- kernel.function("compat_sys_getsockopt") ?,
- kernel.function("SyS_getsockopt") !,
- kernel.function("sys_getsockopt") ?
+probe syscall.getsockopt = kernel.function("compat_sys_getsockopt") ?,
+ kernel.function("SyS_getsockopt") !,
+ kernel.function("sys_getsockopt") ?
{
name = "getsockopt"
fd = $fd
@@ -1791,12 +1871,11 @@ probe syscall.getsockopt =
optval_uaddr = $optval
optlen_uaddr = $optlen
argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
- _sockopt_optname_str($optname), $optval, $optlen)
+ _sockopt_optname_str($optname), $optval, $optlen)
}
-probe syscall.getsockopt.return =
- kernel.function("compat_sys_getsockopt").return ?,
- kernel.function("SyS_getsockopt").return !,
- kernel.function("sys_getsockopt").return ?
+probe syscall.getsockopt.return = kernel.function("compat_sys_getsockopt").return ?,
+ kernel.function("SyS_getsockopt").return !,
+ kernel.function("sys_getsockopt").return ?
{
name = "getsockopt"
retstr = returnstr(1)
@@ -1804,11 +1883,13 @@ probe syscall.getsockopt.return =
# gettid _____________________________________________________
# long sys_gettid(void)
-probe syscall.gettid = kernel.function("sys_gettid") {
+probe syscall.gettid = kernel.function("sys_gettid")
+{
name = "gettid"
argstr = ""
}
-probe syscall.gettid.return = kernel.function("sys_gettid").return {
+probe syscall.gettid.return = kernel.function("sys_gettid").return
+{
name = "gettid"
retstr = returnstr(1)
}
@@ -1816,15 +1897,14 @@ probe syscall.gettid.return = kernel.function("sys_gettid").return {
# gettimeofday _______________________________________________
# long sys_gettimeofday(struct timeval __user *tv,
# struct timezone __user *tz)
-# long sys32_gettimeofday(struct compat_timeval __user *tv,
+# long sys32_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
# long compat_sys_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
-probe syscall.gettimeofday =
- kernel.function("compat_sys_gettimeofday") ?,
- kernel.function("sys32_gettimeofday") ?,
- kernel.function("SyS_gettimeofday") !,
- kernel.function("sys_gettimeofday")
+probe syscall.gettimeofday = kernel.function("compat_sys_gettimeofday") ?,
+ kernel.function("sys32_gettimeofday") ?,
+ kernel.function("SyS_gettimeofday") !,
+ kernel.function("sys_gettimeofday")
{
name = "gettimeofday"
tv_uaddr = $tv
@@ -1832,11 +1912,10 @@ probe syscall.gettimeofday =
argstr = sprintf("%p, %p", $tv, $tz)
}
-probe syscall.gettimeofday.return =
- kernel.function("compat_sys_gettimeofday").return ?,
- kernel.function("sys32_gettimeofday").return ?,
- kernel.function("SyS_gettimeofday").return !,
- kernel.function("sys_gettimeofday").return
+probe syscall.gettimeofday.return = kernel.function("compat_sys_gettimeofday").return ?,
+ kernel.function("sys32_gettimeofday").return ?,
+ kernel.function("SyS_gettimeofday").return !,
+ kernel.function("sys_gettimeofday").return
{
name = "gettimeofday"
retstr = returnstr(1)
@@ -1847,18 +1926,16 @@ probe syscall.gettimeofday.return =
# long sys_getuid16(void)
# long sys32_getuid16(void)
#
-probe syscall.getuid =
- kernel.function("sys_getuid16") ?,
- kernel.function("sys32_getuid16") ?,
- kernel.function("sys_getuid")
+probe syscall.getuid = kernel.function("sys_getuid16") ?,
+ kernel.function("sys32_getuid16") ?,
+ kernel.function("sys_getuid")
{
name = "getuid"
argstr = ""
}
-probe syscall.getuid.return =
- kernel.function("sys_getuid16").return ?,
- kernel.function("sys32_getuid16").return ?,
- kernel.function("sys_getuid").return
+probe syscall.getuid.return = kernel.function("sys_getuid16").return ?,
+ kernel.function("sys32_getuid16").return ?,
+ kernel.function("sys_getuid").return
{
name = "getuid"
retstr = returnstr(1)
@@ -1868,7 +1945,8 @@ probe syscall.getuid.return =
# ssize_t sys_getxattr(char __user *path, char __user *name,
# void __user *value, size_t size)
probe syscall.getxattr = kernel.function("SyS_getxattr") !,
- kernel.function("sys_getxattr") {
+ kernel.function("sys_getxattr")
+{
name = "getxattr"
%( kernel_v >= "2.6.27" %?
path = user_string($pathname)
@@ -1879,17 +1957,18 @@ probe syscall.getxattr = kernel.function("SyS_getxattr") !,
name2 = user_string($name)
value_uaddr = $value
size = $size
- argstr = sprintf("%s, %s, %p, %d",
+ argstr = sprintf("%s, %s, %p, %d",
%( kernel_v >= "2.6.27" %?
- user_string_quoted($pathname),
+ user_string_quoted($pathname),
%:
- user_string_quoted($path),
+ user_string_quoted($path),
%)
user_string_quoted($name),
value_uaddr, size)
}
probe syscall.getxattr.return = kernel.function("SyS_getxattr").return !,
- kernel.function("sys_getxattr").return {
+ kernel.function("sys_getxattr").return
+{
name = "getxattr"
retstr = returnstr(1)
}
@@ -1900,7 +1979,8 @@ probe syscall.getxattr.return = kernel.function("SyS_getxattr").return !,
# const char __user *uargs)
#
probe syscall.init_module = kernel.function("SyS_init_module") !,
- kernel.function("sys_init_module") ? {
+ kernel.function("sys_init_module") ?
+{
name = "init_module"
umod_uaddr = $umod
len = $len
@@ -1908,7 +1988,8 @@ probe syscall.init_module = kernel.function("SyS_init_module") !,
argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
}
probe syscall.init_module.return = kernel.function("SyS_init_module").return !,
- kernel.function("sys_init_module").return ? {
+ kernel.function("sys_init_module").return ?
+{
name = "init_module"
retstr = returnstr(1)
}
@@ -1918,7 +1999,8 @@ probe syscall.init_module.return = kernel.function("SyS_init_module").return !,
# long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
#
probe syscall.inotify_add_watch = kernel.function("SyS_inotify_add_watch") !,
- kernel.function("sys_inotify_add_watch") ? {
+ kernel.function("sys_inotify_add_watch") ?
+{
name = "inotify_add_watch"
fd = $fd
mask = $mask
@@ -1934,7 +2016,8 @@ probe syscall.inotify_add_watch = kernel.function("SyS_inotify_add_watch") !,
}
probe syscall.inotify_add_watch.return = kernel.function("SyS_inotify_add_watch").return !,
- kernel.function("sys_inotify_add_watch").return ? {
+ kernel.function("sys_inotify_add_watch").return ?
+{
name = "inotify_add_watch"
retstr = returnstr(1)
}
@@ -1943,11 +2026,13 @@ probe syscall.inotify_add_watch.return = kernel.function("SyS_inotify_add_watch"
#
# long sys_inotify_init(void)
#
-probe syscall.inotify_init = kernel.function("sys_inotify_init") ? {
+probe syscall.inotify_init = kernel.function("sys_inotify_init") ?
+{
name = "inotify_init"
argstr = ""
}
-probe syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? {
+probe syscall.inotify_init.return = kernel.function("sys_inotify_init").return ?
+{
name = "inotify_init"
retstr = returnstr(1)
}
@@ -1957,14 +2042,16 @@ probe syscall.inotify_init.return = kernel.function("sys_inotify_init").return ?
# long sys_inotify_rm_watch(int fd, u32 wd)
#
probe syscall.inotify_rm_watch = kernel.function("SyS_inotify_rm_watch") !,
- kernel.function("sys_inotify_rm_watch") ? {
+ kernel.function("sys_inotify_rm_watch") ?
+{
name = "inotify_rm_watch"
fd = $fd
wd = $wd
argstr = sprintf("%d, %d", $fd, $wd)
}
probe syscall.inotify_rm_watch.return = kernel.function("SyS_inotify_rm_watch").return !,
- kernel.function("sys_inotify_rm_watch").return ? {
+ kernel.function("sys_inotify_rm_watch").return ?
+{
name = "inotify_rm_watch"
retstr = returnstr(1)
}
@@ -1974,15 +2061,17 @@ probe syscall.inotify_rm_watch.return = kernel.function("SyS_inotify_rm_watch").
# struct iocb __user *iocb,
# struct io_event __user *result)
probe syscall.io_cancel = kernel.function("SyS_io_cancel") !,
- kernel.function("sys_io_cancel") {
+ kernel.function("sys_io_cancel")
+{
name = "io_cancel"
ctx_id = $ctx_id
iocb_uaddr = $iocb
result_uaddr = $result
- argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
+ argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
}
probe syscall.io_cancel.return = kernel.function("SyS_io_cancel").return !,
- kernel.function("sys_io_cancel").return {
+ kernel.function("sys_io_cancel").return
+{
name = "io_cancel"
retstr = returnstr(1)
}
@@ -1991,10 +2080,9 @@ probe syscall.io_cancel.return = kernel.function("SyS_io_cancel").return !,
# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe syscall.ioctl =
- kernel.function("compat_sys_ioctl") ?,
- kernel.function("SyS_ioctl") !,
- kernel.function("sys_ioctl") ?
+probe syscall.ioctl = kernel.function("compat_sys_ioctl") ?,
+ kernel.function("SyS_ioctl") !,
+ kernel.function("sys_ioctl") ?
{
name = "ioctl"
fd = $fd
@@ -2002,10 +2090,9 @@ probe syscall.ioctl =
argp = $arg
argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
}
-probe syscall.ioctl.return =
- kernel.function("compat_sys_ioctl").return ?,
- kernel.function("SyS_ioctl").return !,
- kernel.function("sys_ioctl").return ?
+probe syscall.ioctl.return = kernel.function("compat_sys_ioctl").return ?,
+ kernel.function("SyS_ioctl").return !,
+ kernel.function("sys_ioctl").return ?
{
name = "ioctl"
retstr = returnstr(1)
@@ -2014,13 +2101,15 @@ probe syscall.ioctl.return =
# io_destroy _________________________________________________
# long sys_io_destroy(aio_context_t ctx)
probe syscall.io_destroy = kernel.function("SyS_io_destroy") !,
- kernel.function("sys_io_destroy") {
+ kernel.function("sys_io_destroy")
+{
name = "io_destroy"
ctx = $ctx
argstr = sprintf("%d", ctx)
}
probe syscall.io_destroy.return = kernel.function("SyS_io_destroy").return !,
- kernel.function("sys_io_destroy").return {
+ kernel.function("sys_io_destroy").return
+{
name = "io_destroy"
retstr = returnstr(1)
}
@@ -2037,10 +2126,9 @@ probe syscall.io_destroy.return = kernel.function("SyS_io_destroy").return !,
# struct io_event __user *events,
# struct compat_timespec __user *timeout)
#
-probe syscall.io_getevents =
- kernel.function("compat_sys_io_getevents") ?,
- kernel.function("SyS_io_getevents") !,
- kernel.function("sys_io_getevents") ?
+probe syscall.io_getevents = kernel.function("compat_sys_io_getevents") ?,
+ kernel.function("SyS_io_getevents") !,
+ kernel.function("sys_io_getevents") ?
{
name = "io_getevents"
ctx_id = $ctx_id
@@ -2048,14 +2136,13 @@ probe syscall.io_getevents =
nr = $nr
events_uaddr = $events
timeout_uaddr = $timeout
- timestr = _struct_timespec_u($timeout,1)
+ timestr = _struct_timespec_u($timeout, 1)
argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
$nr, $events, $timeout, timestr)
}
-probe syscall.io_getevents.return =
- kernel.function("compat_sys_io_getevents").return ?,
- kernel.function("SyS_io_getevents").return !,
- kernel.function("sys_io_getevents").return ?
+probe syscall.io_getevents.return = kernel.function("compat_sys_io_getevents").return ?,
+ kernel.function("SyS_io_getevents").return !,
+ kernel.function("sys_io_getevents").return ?
{
name = "io_getevents"
retstr = returnstr(1)
@@ -2064,23 +2151,26 @@ probe syscall.io_getevents.return =
# ioperm _____________________________________________________
# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
#
-probe syscall.ioperm = kernel.function("sys_ioperm") ? {
+probe syscall.ioperm = kernel.function("sys_ioperm") ?
+{
name = "ioperm"
from = $from
num = $num
turn_on = $turn_on
argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
}
-probe syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
+probe syscall.ioperm.return = kernel.function("sys_ioperm").return ?
+{
name = "ioperm"
retstr = returnstr(1)
}
# io_setup ___________________________________________________
# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
-#
+#
probe syscall.io_setup = kernel.function("SyS_io_setup") !,
- kernel.function("sys_io_setup") {
+ kernel.function("sys_io_setup")
+{
name = "io_setup"
maxevents = $nr_events
ctxp_uaddr = $ctxp
@@ -2088,20 +2178,23 @@ probe syscall.io_setup = kernel.function("SyS_io_setup") !,
}
probe syscall.io_setup.return = kernel.function("SyS_io_setup").return !,
- kernel.function("sys_io_setup").return {
+ kernel.function("sys_io_setup").return
+{
name = "io_setup"
retstr = returnstr(1)
}
# long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
#
-probe syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? {
+probe syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ?
+{
name = "io_setup"
maxevents = $nr_reqs
ctxp_uaddr = $ctx32p
argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
}
-probe syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? {
+probe syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ?
+{
name = "io_setup"
retstr = returnstr(1)
}
@@ -2110,7 +2203,8 @@ probe syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").re
# long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
#
probe syscall.io_submit = kernel.function("SyS_io_submit") !,
- kernel.function("sys_io_submit") {
+ kernel.function("sys_io_submit")
+{
name = "io_submit"
ctx_id = $ctx_id
nr = $nr
@@ -2118,20 +2212,23 @@ probe syscall.io_submit = kernel.function("SyS_io_submit") !,
argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
}
probe syscall.io_submit.return = kernel.function("SyS_io_submit").return !,
- kernel.function("sys_io_submit").return {
+ kernel.function("sys_io_submit").return
+{
name = "io_submit"
retstr = returnstr(1)
}
# long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
#
-probe syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? {
+probe syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ?
+{
name = "io_submit"
ctx_id = $ctx_id
nr = $nr
iocbpp_uaddr = $iocb
argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
}
-probe syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? {
+probe syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ?
+{
name = "io_submit"
retstr = returnstr(1)
}
@@ -2140,14 +2237,16 @@ probe syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").
# long sys_ioprio_get(int which, int who)
#
probe syscall.ioprio_get = kernel.function("SyS_ioprio_get") !,
- kernel.function("sys_ioprio_get") ? {
+ kernel.function("sys_ioprio_get") ?
+{
name = "ioprio_get"
which = $which
who = $who
argstr = sprintf("%d, %d", $which, $who)
}
probe syscall.ioprio_get.return = kernel.function("SyS_ioprio_get").return !,
- kernel.function("sys_ioprio_get").return ? {
+ kernel.function("sys_ioprio_get").return ?
+{
name = "ioprio_get"
retstr = returnstr(1)
}
@@ -2156,7 +2255,8 @@ probe syscall.ioprio_get.return = kernel.function("SyS_ioprio_get").return !,
# long sys_ioprio_set(int which, int who, int ioprio)
#
probe syscall.ioprio_set = kernel.function("SyS_ioprio_set") !,
- kernel.function("sys_ioprio_set") ? {
+ kernel.function("sys_ioprio_set") ?
+{
name = "ioprio_set"
which = $which
who = $who
@@ -2164,7 +2264,8 @@ probe syscall.ioprio_set = kernel.function("SyS_ioprio_set") !,
argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
}
probe syscall.ioprio_set.return = kernel.function("SyS_ioprio_set").return !,
- kernel.function("sys_ioprio_set").return ? {
+ kernel.function("sys_ioprio_set").return ?
+{
name = "ioprio_set"
retstr = returnstr(1)
}
@@ -2179,10 +2280,9 @@ probe syscall.ioprio_set.return = kernel.function("SyS_ioprio_set").return !,
# struct compat_kexec_segment __user *segments,
# unsigned long flags)
#
-probe syscall.kexec_load =
- kernel.function("compat_sys_kexec_load") ?,
- kernel.function("SyS_kexec_load") !,
- kernel.function("sys_kexec_load") ?
+probe syscall.kexec_load = kernel.function("compat_sys_kexec_load") ?,
+ kernel.function("SyS_kexec_load") !,
+ kernel.function("sys_kexec_load") ?
{
name = "kexec_load"
entry = $entry
@@ -2191,13 +2291,12 @@ probe syscall.kexec_load =
flags = $flags
argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
}
-probe syscall.kexec_load.return =
- kernel.function("compat_sys_kexec_load").return ?,
- kernel.function("SyS_kexec_load").return !,
- kernel.function("sys_kexec_load").return ?
+probe syscall.kexec_load.return = kernel.function("compat_sys_kexec_load").return ?,
+ kernel.function("SyS_kexec_load").return !,
+ kernel.function("sys_kexec_load").return ?
{
name = "kexec_load"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# keyctl _____________________________________________________
@@ -2208,19 +2307,17 @@ probe syscall.kexec_load.return =
# unsigned long arg5)
# long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
#
-probe syscall.keyctl =
- kernel.function("compat_sys_keyctl") ?,
- kernel.function("SyS_keyctl") !,
- kernel.function("sys_keyctl") ?
+probe syscall.keyctl = kernel.function("compat_sys_keyctl") ?,
+ kernel.function("SyS_keyctl") !,
+ kernel.function("sys_keyctl") ?
{
name = "keyctl"
argstr = sprintf("%d, ...", $option)
}
-probe syscall.keyctl.return =
- kernel.function("compat_sys_keyctl").return ?,
- kernel.function("SyS_keyctl").return !,
- kernel.function("sys_keyctl").return ?
+probe syscall.keyctl.return = kernel.function("compat_sys_keyctl").return ?,
+ kernel.function("SyS_keyctl").return !,
+ kernel.function("sys_keyctl").return ?
{
name = "keyctl"
retstr = returnstr(1)
@@ -2229,14 +2326,16 @@ probe syscall.keyctl.return =
# kill _______________________________________________________
# long sys_kill(int pid, int sig)
probe syscall.kill = kernel.function("SyS_kill") !,
- kernel.function("sys_kill") {
+ kernel.function("sys_kill")
+{
name = "kill"
pid = $pid
sig = $sig
argstr = sprintf("%d, %s", $pid, _signal_name($sig))
}
probe syscall.kill.return = kernel.function("SyS_kill").return !,
- kernel.function("sys_kill").return {
+ kernel.function("sys_kill").return
+{
name = "kill"
retstr = returnstr(1)
}
@@ -2245,31 +2344,35 @@ probe syscall.kill.return = kernel.function("SyS_kill").return !,
# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
#
probe syscall.lchown = kernel.function("SyS_lchown") !,
- kernel.function("sys_lchown") {
+ kernel.function("sys_lchown")
+{
name = "lchown"
path = user_string($filename)
owner = __int32($user)
group = __int32($group)
- argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
-}
+ argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+}
probe syscall.lchown.return = kernel.function("SyS_lchown").return !,
- kernel.function("sys_lchown").return {
+ kernel.function("sys_lchown").return
+{
name = "lchown"
retstr = returnstr(1)
}
# lchown16 ___________________________________________________
-# long sys_lchown16(const char __user * filename, old_uid_t user,
+# long sys_lchown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe syscall.lchown16 = kernel.function("sys_lchown16") ? {
+probe syscall.lchown16 = kernel.function("sys_lchown16") ?
+{
name = "lchown16"
path = user_string($filename)
owner = __short($user)
group = __short($group)
argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
}
-probe syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
+probe syscall.lchown16.return = kernel.function("sys_lchown16").return ?
+{
name = "lchown16"
retstr = returnstr(1)
}
@@ -2281,7 +2384,8 @@ probe syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
# size_t size)
#
probe syscall.lgetxattr = kernel.function("SyS_lgetxattr") !,
- kernel.function("sys_lgetxattr") {
+ kernel.function("sys_lgetxattr")
+{
name = "lgetxattr"
%( kernel_v >= "2.6.27" %?
path = user_string($pathname)
@@ -2292,17 +2396,18 @@ probe syscall.lgetxattr = kernel.function("SyS_lgetxattr") !,
name2 = user_string($name)
value_uaddr = $value
size = $size
- argstr = sprintf("%s, %s, %p, %d",
+ argstr = sprintf("%s, %s, %p, %d",
%( kernel_v >= "2.6.27" %?
- user_string_quoted($pathname),
+ user_string_quoted($pathname),
%:
- user_string_quoted($path),
+ user_string_quoted($path),
%)
user_string_quoted($name),
value_uaddr, size)
}
probe syscall.lgetxattr.return = kernel.function("SyS_lgetxattr").return !,
- kernel.function("sys_lgetxattr").return {
+ kernel.function("sys_lgetxattr").return
+{
name = "lgetxattr"
retstr = returnstr(1)
}
@@ -2311,18 +2416,20 @@ probe syscall.lgetxattr.return = kernel.function("SyS_lgetxattr").return !,
# long sys_link(const char __user * oldname,
# const char __user * newname)
probe syscall.link = kernel.function("SyS_link") !,
- kernel.function("sys_link") {
+ kernel.function("sys_link")
+{
name = "link"
oldpath = user_string($oldname)
newpath = user_string($newname)
- argstr = sprintf("%s, %s",
- user_string_quoted($oldname),
+ argstr = sprintf("%s, %s",
+ user_string_quoted($oldname),
user_string_quoted($newname))
}
probe syscall.link.return = kernel.function("SyS_link").return !,
- kernel.function("sys_link").return {
+ kernel.function("sys_link").return
+{
name = "link"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# linkat _____________________________________________________
@@ -2330,25 +2437,25 @@ probe syscall.link.return = kernel.function("SyS_link").return !,
# long sys_linkat(int olddfd, const char __user *oldname,
# int newdfd, const char __user *newname, int flags)
probe syscall.linkat = kernel.function("SyS_linkat") !,
- kernel.function("sys_linkat") ? {
+ kernel.function("sys_linkat") ?
+{
name = "linkat"
- olddfd = $olddfd
- olddfd_str = _dfd_str($olddfd)
- oldname = $oldname
- oldname_str = user_string($oldname)
- newdfd = $newdfd
- newdfd_str = _dfd_str($newdfd)
- newname = $newname
- newname_str = user_string($newname)
+ olddirfd = $olddfd
+ olddirfd_str = _dfd_str($olddfd)
+ oldpath = user_string($oldname)
+ newdirfd = $newdfd
+ newdirfd_str = _dfd_str($newdfd)
+ newpath = user_string($newname)
flags = $flags
flags_str = _at_flag_str($flags)
argstr = sprintf("%s, %s, %s, %s, %s",
- olddfd_str, user_string_quoted($oldname),
- newdfd_str, user_string_quoted($newname),
+ olddirfd_str, user_string_quoted($oldname),
+ newdirfd_str, user_string_quoted($newname),
flags_str)
}
probe syscall.linkat.return = kernel.function("SyS_linkat").return !,
- kernel.function("sys_linkat").return ? {
+ kernel.function("sys_linkat").return ?
+{
name = "linkat"
retstr = returnstr(1)
}
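Review bot: The variable renames in syscall.linkat drop names that existing scripts may read: `olddfd`, `olddfd_str`, `oldname`, `oldname_str`, `newdfd`, `newdfd_str`, `newname` and `newname_str` are no longer set. A tracing or audit script that still references them would presumably stop resolving once this tapset is installed. Matching `oldpath`/`newpath` from syscall.link is a sensible goal, but the old names could stay for a transition period as aliases marked deprecated in a comment, e.g. `olddfd = $olddfd` and `oldname_str = user_string($oldname)`. The raw user pointers also disappear with no replacement, whereas syscall.mkdir still exposes `pathname_uaddr`; exposing the address under a `_uaddr` name would keep that available. The mknodat hunk (`@@ -2718,20 +2849,21 @@`) makes the same kind of change to `dfd`, `dfd_str`, `filename` and `filename_str`.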
@@ -2356,14 +2463,16 @@ probe syscall.linkat.return = kernel.function("SyS_linkat").return !,
# listen _____________________________________________________
# long sys_listen(int fd, int backlog)
probe syscall.listen = kernel.function("SyS_listen") !,
- kernel.function("sys_listen") ? {
+ kernel.function("sys_listen") ?
+{
name = "listen"
sockfd = $fd
- backlog = $backlog
- argstr = sprintf("%d, %d", $fd, $backlog)
-}
+ backlog = $backlog
+ argstr = sprintf("%d, %d", $fd, $backlog)
+}
probe syscall.listen.return = kernel.function("SyS_listen").return !,
- kernel.function("sys_listen").return ? {
+ kernel.function("sys_listen").return ?
+{
name = "listen"
retstr = returnstr(1)
}
@@ -2372,7 +2481,8 @@ probe syscall.listen.return = kernel.function("SyS_listen").return !,
# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
#
probe syscall.listxattr = kernel.function("SyS_listxattr") !,
- kernel.function("sys_listxattr") {
+ kernel.function("sys_listxattr")
+{
name = "listxattr"
list_uaddr = $list
size = $size
@@ -2387,7 +2497,8 @@ probe syscall.listxattr = kernel.function("SyS_listxattr") !,
%)
}
probe syscall.listxattr.return = kernel.function("SyS_listxattr").return !,
- kernel.function("sys_listxattr").return {
+ kernel.function("sys_listxattr").return
+{
name = "listxattr"
retstr = returnstr(1)
}
@@ -2396,7 +2507,8 @@ probe syscall.listxattr.return = kernel.function("SyS_listxattr").return !,
# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
#
probe syscall.llistxattr = kernel.function("SyS_llistxattr") !,
- kernel.function("sys_llistxattr") {
+ kernel.function("sys_llistxattr")
+{
name = "llistxattr"
list_uaddr = $list
size = $size
@@ -2411,7 +2523,8 @@ probe syscall.llistxattr = kernel.function("SyS_llistxattr") !,
%)
}
probe syscall.llistxattr.return = kernel.function("SyS_llistxattr").return !,
- kernel.function("sys_llistxattr").return {
+ kernel.function("sys_llistxattr").return
+{
name = "llistxattr"
retstr = returnstr(1)
}
@@ -2423,7 +2536,8 @@ probe syscall.llistxattr.return = kernel.function("SyS_llistxattr").return !,
# loff_t __user * result,
# unsigned int origin)
probe syscall.llseek = kernel.function("SyS_llseek") !,
- kernel.function("sys_llseek") ? {
+ kernel.function("sys_llseek") ?
+{
name = "llseek"
fd = $fd
offset_high = $offset_high
@@ -2435,7 +2549,8 @@ probe syscall.llseek = kernel.function("SyS_llseek") !,
$offset_low, $result, whence_str)
}
probe syscall.llseek.return = kernel.function("SyS_llseek").return !,
- kernel.function("sys_llseek").return ? {
+ kernel.function("sys_llseek").return ?
+{
name = "llseek"
retstr = returnstr(1)
}
@@ -2444,7 +2559,8 @@ probe syscall.llseek.return = kernel.function("SyS_llseek").return !,
# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
#
probe syscall.lookup_dcookie = kernel.function("SyS_lookup_dcookie") !,
- kernel.function("sys_lookup_dcookie") ? {
+ kernel.function("sys_lookup_dcookie") ?
+{
name = "lookup_dcookie"
cookie = $cookie64
buffer_uaddr = $buf
@@ -2452,7 +2568,8 @@ probe syscall.lookup_dcookie = kernel.function("SyS_lookup_dcookie") !,
argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
}
probe syscall.lookup_dcookie.return = kernel.function("SyS_lookup_dcookie").return !,
- kernel.function("sys_lookup_dcookie").return ? {
+ kernel.function("sys_lookup_dcookie").return ?
+{
name = "lookup_dcookie"
retstr = returnstr(1)
}
@@ -2461,22 +2578,24 @@ probe syscall.lookup_dcookie.return = kernel.function("SyS_lookup_dcookie").retu
# long sys_lremovexattr(char __user *path, char __user *name)
#
probe syscall.lremovexattr = kernel.function("SyS_lremovexattr") !,
- kernel.function("sys_lremovexattr") {
+ kernel.function("sys_lremovexattr")
+{
name = "lremovexattr"
name_uaddr = $name
name2 = user_string($name)
%( kernel_v >= "2.6.27" %?
path_uaddr = $pathname
path = user_string($pathname)
- argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name))
+ argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name))
%:
path_uaddr = $path
path = user_string($path)
- argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
+ argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
%)
}
probe syscall.lremovexattr.return = kernel.function("SyS_lremovexattr").return !,
- kernel.function("sys_lremovexattr").return {
+ kernel.function("sys_lremovexattr").return
+{
name = "lremovexattr"
retstr = returnstr(1)
}
@@ -2484,7 +2603,8 @@ probe syscall.lremovexattr.return = kernel.function("SyS_lremovexattr").return !
# lseek ______________________________________________________
# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
probe syscall.lseek = kernel.function("SyS_lseek") !,
- kernel.function("sys_lseek") {
+ kernel.function("sys_lseek")
+{
name = "lseek"
fildes = $fd
# offset = __int32($offset)
@@ -2494,7 +2614,8 @@ probe syscall.lseek = kernel.function("SyS_lseek") !,
argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
}
probe syscall.lseek.return = kernel.function("SyS_lseek").return !,
- kernel.function("sys_lseek").return {
+ kernel.function("sys_lseek").return
+{
name = "lseek"
retstr = returnstr(1)
}
@@ -2507,7 +2628,8 @@ probe syscall.lseek.return = kernel.function("SyS_lseek").return !,
# int flags)
#
probe syscall.lsetxattr = kernel.function("SyS_lsetxattr") !,
- kernel.function("sys_lsetxattr") {
+ kernel.function("sys_lsetxattr")
+{
name = "lsetxattr"
%( kernel_v >= "2.6.27" %?
path_uaddr = $pathname
@@ -2521,17 +2643,18 @@ probe syscall.lsetxattr = kernel.function("SyS_lsetxattr") !,
value_uaddr = $value
size = $size
flags = $flags
- argstr = sprintf("%s, %s, %p, %d, %d",
+ argstr = sprintf("%s, %s, %p, %d, %d",
%( kernel_v >= "2.6.27" %?
- user_string_quoted($pathname),
+ user_string_quoted($pathname),
%:
- user_string_quoted($path),
+ user_string_quoted($path),
%)
user_string_quoted($name),
value_uaddr, $size, $flags)
}
probe syscall.lsetxattr.return = kernel.function("SyS_lsetxattr").return !,
- kernel.function("sys_lsetxattr").return {
+ kernel.function("sys_lsetxattr").return
+{
name = "lsetxattr"
retstr = returnstr(1)
}
@@ -2545,31 +2668,29 @@ probe syscall.lsetxattr.return = kernel.function("SyS_lsetxattr").return !,
# long sys_oabi_lstat64(char __user * filename,
# struct oldabi_stat64 __user * statbuf)
#
-probe syscall.lstat =
- kernel.function("sys_lstat") ?,
- kernel.function("SyS_newlstat") ?,
- kernel.function("sys_newlstat") ?,
- kernel.function("compat_sys_newlstat") ?,
- kernel.function("sys32_lstat64") ?,
- kernel.function("SyS_lstat64") ?,
- kernel.function("sys_lstat64") ?,
- kernel.function("sys_oabi_lstat64") ?
+probe syscall.lstat = kernel.function("sys_lstat") ?,
+ kernel.function("SyS_newlstat") ?,
+ kernel.function("sys_newlstat") ?,
+ kernel.function("compat_sys_newlstat") ?,
+ kernel.function("sys32_lstat64") ?,
+ kernel.function("SyS_lstat64") ?,
+ kernel.function("sys_lstat64") ?,
+ kernel.function("sys_oabi_lstat64") ?
{
name = "lstat"
path = user_string($filename)
buf_uaddr = $statbuf
- argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
-}
-probe syscall.lstat.return =
- kernel.function("sys_lstat").return ?,
- kernel.function("SyS_newlstat").return ?,
- kernel.function("sys_newlstat").return ?,
- kernel.function("compat_sys_newlstat").return ?,
- kernel.function("sys32_lstat64").return ?,
- kernel.function("SyS_lstat64").return ?,
- kernel.function("sys_lstat64").return ?,
- kernel.function("sys_oabi_lstat64").return ?
-{
+ argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
+}
+probe syscall.lstat.return = kernel.function("sys_lstat").return ?,
+ kernel.function("SyS_newlstat").return ?,
+ kernel.function("sys_newlstat").return ?,
+ kernel.function("compat_sys_newlstat").return ?,
+ kernel.function("sys32_lstat64").return ?,
+ kernel.function("SyS_lstat64").return ?,
+ kernel.function("sys_lstat64").return ?,
+ kernel.function("sys_oabi_lstat64").return ?
+{
name = "lstat"
retstr = returnstr(1)
}
@@ -2578,7 +2699,8 @@ probe syscall.lstat.return =
# long sys_madvise(unsigned long start, size_t len_in, int behavior)
#
probe syscall.madvise = kernel.function("SyS_madvise") !,
- kernel.function("sys_madvise") ? {
+ kernel.function("sys_madvise") ?
+{
name = "madvise"
start = $start
length = $len_in
@@ -2587,7 +2709,8 @@ probe syscall.madvise = kernel.function("SyS_madvise") !,
argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
}
probe syscall.madvise.return = kernel.function("SyS_madvise").return !,
- kernel.function("sys_madvise").return ? {
+ kernel.function("sys_madvise").return ?
+{
name = "madvise"
retstr = returnstr(1)
}
@@ -2607,10 +2730,9 @@ probe syscall.madvise.return = kernel.function("SyS_madvise").return !,
# compat_ulong_t maxnode,
# compat_ulong_t flags)
#
-probe syscall.mbind =
- kernel.function("compat_sys_mbind") ?,
- kernel.function("SyS_mbind") !,
- kernel.function("sys_mbind") ?
+probe syscall.mbind = kernel.function("compat_sys_mbind") ?,
+ kernel.function("SyS_mbind") !,
+ kernel.function("sys_mbind") ?
{
name = "mbind"
start = $start
@@ -2620,12 +2742,11 @@ probe syscall.mbind =
maxnode = $maxnode
flags = $flags
argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
- $nmask, $maxnode, $flags)
+ $nmask, $maxnode, $flags)
}
-probe syscall.mbind.return =
- kernel.function("compat_sys_mbind").return ?,
- kernel.function("SyS_mbind").return !,
- kernel.function("sys_mbind").return ?
+probe syscall.mbind.return = kernel.function("compat_sys_mbind").return ?,
+ kernel.function("SyS_mbind").return !,
+ kernel.function("sys_mbind").return ?
{
name = "mbind"
retstr = returnstr(1)
@@ -2636,12 +2757,14 @@ probe syscall.mbind.return =
# const unsigned long __user *old_nodes,
# const unsigned long __user *new_nodes)
probe syscall.migrate_pages = kernel.function("SyS_migrate_pages") !,
- kernel.function("sys_migrate_pages") ? {
+ kernel.function("sys_migrate_pages") ?
+{
name = "migrate_pages"
argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
}
probe syscall.migrate_pages.return = kernel.function("SyS_migrate_pages").return !,
- kernel.function("sys_migrate_pages").return ? {
+ kernel.function("sys_migrate_pages").return ?
+{
name = "migrate_pages"
retstr = returnstr(1)
}
@@ -2650,7 +2773,8 @@ probe syscall.migrate_pages.return = kernel.function("SyS_migrate_pages").return
# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
#
probe syscall.mincore = kernel.function("SyS_mincore") !,
- kernel.function("sys_mincore") ? {
+ kernel.function("sys_mincore") ?
+{
name = "mincore"
start = $start
length = $len
@@ -2658,15 +2782,17 @@ probe syscall.mincore = kernel.function("SyS_mincore") !,
argstr = sprintf("%p, %d, %p", $start, $len, $vec)
}
probe syscall.mincore.return = kernel.function("SyS_mincore").return !,
- kernel.function("sys_mincore").return ? {
+ kernel.function("sys_mincore").return ?
+{
name = "mincore"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# mkdir ______________________________________________________
# long sys_mkdir(const char __user * pathname, int mode)
probe syscall.mkdir = kernel.function("SyS_mkdir") !,
- kernel.function("sys_mkdir") {
+ kernel.function("sys_mkdir")
+{
name = "mkdir"
pathname_uaddr = $pathname
pathname = user_string($pathname)
@@ -2674,16 +2800,18 @@ probe syscall.mkdir = kernel.function("SyS_mkdir") !,
argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
}
probe syscall.mkdir.return = kernel.function("SyS_mkdir").return !,
- kernel.function("sys_mkdir").return {
+ kernel.function("sys_mkdir").return
+{
name = "mkdir"
- retstr = returnstr(1)
+ retstr = returnstr(1)
}
# mkdirat ____________________________________________________
# new function with 2.6.16
# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
probe syscall.mkdirat = kernel.function("SyS_mkdirat") !,
- kernel.function("sys_mkdirat") ? {
+ kernel.function("sys_mkdirat") ?
+{
name = "mkdirat"
dirfd = $dfd
pathname = user_string($pathname)
@@ -2691,7 +2819,8 @@ probe syscall.mkdirat = kernel.function("SyS_mkdirat") !,
argstr = sprintf("%s, %s, %#o", _dfd_str($dfd), user_string_quoted($pathname), $mode)
}
probe syscall.mkdirat.return = kernel.function("SyS_mkdirat").return !,
- kernel.function("sys_mkdirat").return ? {
+ kernel.function("sys_mkdirat").return ?
+{
name = "mkdirat"
retstr = returnstr(1)
}
@@ -2699,16 +2828,18 @@ probe syscall.mkdirat.return = kernel.function("SyS_mkdirat").return !,
# mknod
# long sys_mknod(const char __user * filename, int mode, unsigned dev)
probe syscall.mknod = kernel.function("SyS_mknod") !,
- kernel.function("sys_mknod") {
+ kernel.function("sys_mknod")
+{
name = "mknod"
- pathname = user_string($filename)
+ pathname = user_string($filename)
mode = $mode
dev = $dev
argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
}
probe syscall.mknod.return = kernel.function("SyS_mknod").return !,
- kernel.function("sys_mknod").return {
+ kernel.function("sys_mknod").return
+{
name = "mknod"
retstr = returnstr(1)
}
@@ -2718,20 +2849,21 @@ probe syscall.mknod.return = kernel.function("SyS_mknod").return !,
# long sys_mknodat(int dfd, const char __user *filename,
# int mode, unsigned dev)
probe syscall.mknodat = kernel.function("SyS_mknodat") !,
- kernel.function("sys_mknodat") ? {
+ kernel.function("sys_mknodat") ?
+{
name = "mknodat"
- dfd = $dfd
- dfd_str = _dfd_str($dfd)
- filename = $filename
- filename_str = user_string($filename)
+ dirfd = $dfd
+ dirfd_str = _dfd_str($dfd)
+ pathname = user_string($filename)
mode = $mode
mode_str = _mknod_mode_str($mode)
dev = $dev
argstr = sprintf("%s, %s, %s, %p",
- dfd_str, user_string_quoted($filename), mode_str, $dev)
+ dirfd_str, user_string_quoted($filename), mode_str, $dev)
}
probe syscall.mknodat.return = kernel.function("SyS_mknodat").return !,
- kernel.function("sys_mknodat").return ? {
+ kernel.function("sys_mknodat").return ?
+{
name = "mknodat"
retstr = returnstr(1)
}
@@ -2741,14 +2873,16 @@ probe syscall.mknodat.return = kernel.function("SyS_mknodat").return !,
# long sys_mlock(unsigned long start, size_t len)
#
probe syscall.mlock = kernel.function("SyS_mlock") !,
- kernel.function("sys_mlock") ? {
+ kernel.function("sys_mlock") ?
+{
name = "mlock"
addr = $start
len = $len
argstr = sprintf("%p, %d", $start, $len)
}
probe syscall.mlock.return = kernel.function("SyS_mlock").return !,
- kernel.function("sys_mlock").return ? {
+ kernel.function("sys_mlock").return ?
+{
name = "mlock"
retstr = returnstr(1)
}
@@ -2757,13 +2891,15 @@ probe syscall.mlock.return = kernel.function("SyS_mlock").return !,
# long sys_mlockall(int flags)
#
probe syscall.mlockall = kernel.function("SyS_mlockall") !,
- kernel.function("sys_mlockall") ? {
+ kernel.function("sys_mlockall") ?
+{
name = "mlockall"
flags = $flags
argstr = _mlockall_flags_str($flags)
}
probe syscall.mlockall.return = kernel.function("SyS_mlockall").return !,
- kernel.function("sys_mlockall").return ? {
+ kernel.function("sys_mlockall").return ?
+{
name = "mlockall"
retstr = returnstr(1)
}
@@ -2771,14 +2907,16 @@ probe syscall.mlockall.return = kernel.function("SyS_mlockall").return !,
# modify_ldt _________________________________________________
# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
#
-probe syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
+probe syscall.modify_ldt = kernel.function("sys_modify_ldt") ?
+{
name = "modify_ldt"
func = $func
ptr_uaddr = $ptr
bytecount = $bytecount
argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
}
-probe syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
+probe syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ?
+{
name = "modify_ldt"
retstr = returnstr(1)
}
@@ -2796,18 +2934,16 @@ probe syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
# int __user *status,
# int flags)
#
-probe syscall.move_pages =
- kernel.function("compat_sys_move_pages") ?,
- kernel.function("SyS_move_pages") !,
- kernel.function("sys_move_pages") ?
+probe syscall.move_pages = kernel.function("compat_sys_move_pages") ?,
+ kernel.function("SyS_move_pages") !,
+ kernel.function("sys_move_pages") ?
{
name = "move_pages"
argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
}
-probe syscall.move_pages.return =
- kernel.function("compat_sys_move_pages").return ?,
- kernel.function("SyS_move_pages").return !,
- kernel.function("sys_move_pages").return ?
+probe syscall.move_pages.return = kernel.function("compat_sys_move_pages").return ?,
+ kernel.function("SyS_move_pages").return !,
+ kernel.function("sys_move_pages").return ?
{
name = "move_pages"
retstr = returnstr(1)
@@ -2819,15 +2955,14 @@ probe syscall.move_pages.return =
# char __user * type,
# unsigned long flags,
# void __user * data)
-# long compat_sys_mount(char __user * dev_name,
+# long compat_sys_mount(char __user * dev_name,
# char __user * dir_name,
-# char __user * type,
-# unsigned long flags,
+# char __user * type,
+# unsigned long flags,
# void __user * data)
-probe syscall.mount =
- kernel.function("compat_sys_mount") ?,
- kernel.function("SyS_mount") !,
- kernel.function("sys_mount")
+probe syscall.mount = kernel.function("compat_sys_mount") ?,
+ kernel.function("SyS_mount") !,
+ kernel.function("sys_mount")
{
name = "mount"
source = user_string($dev_name)
@@ -2835,17 +2970,16 @@ probe syscall.mount =
filesystemtype = user_string($type)
mountflags = $flags
mountflags_str = _mountflags_str($flags)
- data = text_strn(user_string($data),syscall_string_trunc,1)
- argstr = sprintf("%s, %s, %s, %s, %s",
- user_string_quoted($dev_name),
- user_string_quoted($dir_name),
- user_string_quoted($type),
+ data = text_strn(user_string($data), syscall_string_trunc, 1)
+ argstr = sprintf("%s, %s, %s, %s, %s",
+ user_string_quoted($dev_name),
+ user_string_quoted($dir_name),
+ user_string_quoted($type),
mountflags_str, data)
}
-probe syscall.mount.return =
- kernel.function("compat_sys_mount").return ?,
- kernel.function("SyS_mount").return !,
- kernel.function("sys_mount").return
+probe syscall.mount.return = kernel.function("compat_sys_mount").return ?,
+ kernel.function("SyS_mount").return !,
+ kernel.function("sys_mount").return
{
name = "mount"
retstr = returnstr(1)
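Review bot: The line `data = text_strn(user_string($data), syscall_string_trunc, 1)` in syscall.mount copies the filesystem-specific option string into `argstr`, and for some filesystems that string carries credentials (a `password=` option, for example), so anything that stores or forwards the trace output sees them. The signature comment also declares the argument as `void __user * data`, so it is not guaranteed to be NUL-terminated text at all. I would add a comment above the assignment, `# data is filesystem-specific: it may hold secrets or binary data, so treat argstr as sensitive`, and consider printing only `$data` as `%p` by default. The probe body starts outside this hunk.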
@@ -2855,7 +2989,8 @@ probe syscall.mount.return =
# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
#
probe syscall.mprotect = kernel.function("SyS_mprotect") !,
- kernel.function("sys_mprotect") ? {
+ kernel.function("sys_mprotect") ?
+{
name = "mprotect"
addr = $start
len = $len
@@ -2864,7 +2999,8 @@ probe syscall.mprotect = kernel.function("SyS_mprotect") !,
argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
}
probe syscall.mprotect.return = kernel.function("SyS_mprotect").return !,
- kernel.function("sys_mprotect").return ? {
+ kernel.function("sys_mprotect").return ?
+{
name = "mprotect"
retstr = returnstr(1)
}
@@ -2877,10 +3013,9 @@ probe syscall.mprotect.return = kernel.function("SyS_mprotect").return !,
# const struct compat_mq_attr __user *u_mqstat,
# struct compat_mq_attr __user *u_omqstat)
#
-probe syscall.mq_getsetattr =
- kernel.function("compat_sys_mq_getsetattr") ?,
- kernel.function("SyS_mq_getsetattr") !,
- kernel.function("sys_mq_getsetattr") ?
+probe syscall.mq_getsetattr = kernel.function("compat_sys_mq_getsetattr") ?,
+ kernel.function("SyS_mq_getsetattr") !,
+ kernel.function("sys_mq_getsetattr") ?
{
name = "mq_getsetattr"
mqdes = $mqdes
@@ -2888,10 +3023,9 @@ probe syscall.mq_getsetattr =
u_omqstat_uaddr = $u_omqstat
argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
}
-probe syscall.mq_getsetattr.return =
- kernel.function("compat_sys_mq_getsetattr").return ?,
- kernel.function("SyS_mq_getsetattr").return !,
- kernel.function("sys_mq_getsetattr").return ?
+probe syscall.mq_getsetattr.return = kernel.function("compat_sys_mq_getsetattr").return ?,
+ kernel.function("SyS_mq_getsetattr").return !,
+ kernel.function("sys_mq_getsetattr").return ?
{
name = "mq_getsetattr"
retstr = returnstr(1)
@@ -2901,20 +3035,18 @@ probe syscall.mq_getsetattr.return =
# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
# long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
#
-probe syscall.mq_notify =
- kernel.function("compat_sys_mq_notify") ?,
- kernel.function("SyS_mq_notify") !,
- kernel.function("sys_mq_notify") ?
+probe syscall.mq_notify = kernel.function("compat_sys_mq_notify") ?,
+ kernel.function("SyS_mq_notify") !,
+ kernel.function("sys_mq_notify") ?
{
name = "mq_notify"
mqdes = $mqdes
notification_uaddr = $u_notification
argstr = sprintf("%d, %p", $mqdes, $u_notification)
}
-probe syscall.mq_notify.return =
- kernel.function("compat_sys_mq_notify").return ?,
- kernel.function("SyS_mq_notify").return !,
- kernel.function("sys_mq_notify").return ?
+probe syscall.mq_notify.return = kernel.function("compat_sys_mq_notify").return ?,
+ kernel.function("SyS_mq_notify").return !,
+ kernel.function("sys_mq_notify").return ?
{
name = "mq_notify"
retstr = returnstr(1)
@@ -2929,10 +3061,9 @@ probe syscall.mq_notify.return =
# int oflag, compat_mode_t mode,
# struct compat_mq_attr __user *u_attr)
#
-probe syscall.mq_open =
- kernel.function("compat_sys_mq_open") ?,
- kernel.function("SyS_mq_open") !,
- kernel.function("sys_mq_open") ?
+probe syscall.mq_open = kernel.function("compat_sys_mq_open") ?,
+ kernel.function("SyS_mq_open") !,
+ kernel.function("sys_mq_open") ?
{
name = "mq_open"
name_uaddr = $u_name
@@ -2941,15 +3072,14 @@ probe syscall.mq_open =
u_attr_uaddr = $u_attr
oflag = $oflag
if (oflag & 64)
- argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name),
+ argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name),
_sys_open_flag_str($oflag), $mode, $u_attr)
else
argstr = sprintf("%s, %s", user_string_quoted($u_name), _sys_open_flag_str($oflag))
}
-probe syscall.mq_open.return =
- kernel.function("compat_sys_mq_open").return ?,
- kernel.function("SyS_mq_open").return !,
- kernel.function("sys_mq_open").return ?
+probe syscall.mq_open.return = kernel.function("compat_sys_mq_open").return ?,
+ kernel.function("SyS_mq_open").return !,
+ kernel.function("sys_mq_open").return ?
{
name = "mq_open"
retstr = returnstr(1)
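Review bot: The test `if (oflag & 64)` in syscall.mq_open uses a bare number where a reader needs to know which flag is meant. It is presumably O_CREAT (0100), the case where `$mode` and `$u_attr` are meaningful, but that value is defined per architecture in the kernel headers. A comment would make the intent checkable: `# 64 == O_CREAT (0100); mode and attr only apply when creating - TODO confirm for every supported arch`. The same test appears as `flags & 64` in syscall.open and `$flags & 64` in syscall.openat in the tapset/syscalls2.stp hunks further down. The probe body begins in the previous hunk.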
@@ -2966,24 +3096,22 @@ probe syscall.mq_open.return =
# size_t msg_len, unsigned int __user *u_msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe syscall.mq_timedreceive =
- kernel.function("compat_sys_mq_timedreceive") ?,
- kernel.function("SyS_mq_timedreceive") !,
- kernel.function("sys_mq_timedreceive") ?
+probe syscall.mq_timedreceive = kernel.function("compat_sys_mq_timedreceive") ?,
+ kernel.function("SyS_mq_timedreceive") !,
+ kernel.function("sys_mq_timedreceive") ?
{
name = "mq_timedreceive"
mqdes = $mqdes
msg_ptr_uaddr = $u_msg_ptr
msg_len = $msg_len
msg_prio_uaddr = $u_msg_prio
- abs_timout_uaddr = $u_abs_timeout
+ abs_timeout_uaddr = $u_abs_timeout
argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
- $u_msg_prio, $u_abs_timeout)
+ $u_msg_prio, $u_abs_timeout)
}
-probe syscall.mq_timedreceive.return =
- kernel.function("compat_sys_mq_timedreceive").return ?,
- kernel.function("SyS_mq_timedreceive").return !,
- kernel.function("sys_mq_timedreceive").return ?
+probe syscall.mq_timedreceive.return = kernel.function("compat_sys_mq_timedreceive").return ?,
+ kernel.function("SyS_mq_timedreceive").return !,
+ kernel.function("sys_mq_timedreceive").return ?
{
name = "mq_timedreceive"
retstr = returnstr(1)
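Review bot: Renaming `abs_timout_uaddr` to `abs_timeout_uaddr` in syscall.mq_timedreceive fixes the spelling, but it also removes a variable that existing scripts may read, and those scripts would stop resolving it after this change. If compatibility with deployed scripts matters, keep the old name as an alias beside the new one: `abs_timout_uaddr = $u_abs_timeout  # deprecated misspelling, kept for old scripts`. The new name matches syscall.mq_timedsend, which is worth stating in the commit message because the rest of this hunk is whitespace only.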
@@ -3000,10 +3128,9 @@ probe syscall.mq_timedreceive.return =
# size_t msg_len, unsigned int msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe syscall.mq_timedsend =
- kernel.function("compat_sys_mq_timedsend") ?,
- kernel.function("SyS_mq_timedsend") !,
- kernel.function("sys_mq_timedsend") ?
+probe syscall.mq_timedsend = kernel.function("compat_sys_mq_timedsend") ?,
+ kernel.function("SyS_mq_timedsend") !,
+ kernel.function("sys_mq_timedsend") ?
{
name = "mq_timedsend"
mqdes = $mqdes
@@ -3012,12 +3139,11 @@ probe syscall.mq_timedsend =
msg_prio = $msg_prio
abs_timeout_uaddr = $u_abs_timeout
argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
- $msg_prio, $u_abs_timeout)
+ $msg_prio, $u_abs_timeout)
}
-probe syscall.mq_timedsend.return =
- kernel.function("compat_sys_mq_timedsend").return ?,
- kernel.function("SyS_mq_timedsend").return !,
- kernel.function("sys_mq_timedsend").return ?
+probe syscall.mq_timedsend.return = kernel.function("compat_sys_mq_timedsend").return ?,
+ kernel.function("SyS_mq_timedsend").return !,
+ kernel.function("sys_mq_timedsend").return ?
{
name = "mq_timedsend"
retstr = returnstr(1)
@@ -3027,14 +3153,16 @@ probe syscall.mq_timedsend.return =
# long sys_mq_unlink(const char __user *u_name)
#
probe syscall.mq_unlink = kernel.function("SyS_mq_unlink") !,
- kernel.function("sys_mq_unlink") ? {
+ kernel.function("sys_mq_unlink") ?
+{
name = "mq_unlink"
u_name_uaddr = $u_name
u_name = user_string($u_name)
argstr = user_string_quoted($u_name)
}
probe syscall.mq_unlink.return = kernel.function("SyS_mq_unlink").return !,
- kernel.function("sys_mq_unlink").return ? {
+ kernel.function("sys_mq_unlink").return ?
+{
name = "mq_unlink"
retstr = returnstr(1)
}
@@ -3046,10 +3174,9 @@ probe syscall.mq_unlink.return = kernel.function("SyS_mq_unlink").return !,
# unsigned long flags,
# unsigned long new_addr)
#
-probe syscall.mremap =
- kernel.function("ia64_mremap") ?,
- kernel.function("SyS_mremap") !,
- kernel.function("sys_mremap") ?
+probe syscall.mremap = kernel.function("ia64_mremap") ?,
+ kernel.function("SyS_mremap") !,
+ kernel.function("sys_mremap") ?
{
name = "mremap"
old_address = $addr
@@ -3060,10 +3187,9 @@ probe syscall.mremap =
argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
_mremap_flags($flags), $new_addr)
}
-probe syscall.mremap.return =
- kernel.function("ia64_mremap").return ?,
- kernel.function("SyS_mremap").return !,
- kernel.function("sys_mremap").return ?
+probe syscall.mremap.return = kernel.function("ia64_mremap").return ?,
+ kernel.function("SyS_mremap").return !,
+ kernel.function("sys_mremap").return ?
{
name = "mremap"
retstr = returnstr(2)
@@ -3073,7 +3199,8 @@ probe syscall.mremap.return =
# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
#
probe syscall.msgctl = kernel.function("SyS_msgctl") !,
- kernel.function("sys_msgctl") ? {
+ kernel.function("sys_msgctl") ?
+{
name = "msgctl"
msqid = $msqid
cmd = $cmd
@@ -3081,7 +3208,8 @@ probe syscall.msgctl = kernel.function("SyS_msgctl") !,
argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
}
probe syscall.msgctl.return = kernel.function("SyS_msgctl").return !,
- kernel.function("sys_msgctl").return ? {
+ kernel.function("sys_msgctl").return ?
+{
name = "msgctl"
retstr = returnstr(1)
}
@@ -3089,11 +3217,13 @@ probe syscall.msgctl.return = kernel.function("SyS_msgctl").return !,
#
# long compat_sys_msgctl(int first, int second, void __user *uptr)
#
-probe syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? {
+probe syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ?
+{
name = "compat_sys_msgctl"
argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
}
-probe syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? {
+probe syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ?
+{
name = "compat_sys_msgctl"
retstr = returnstr(1)
}
@@ -3102,7 +3232,8 @@ probe syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").re
# long sys_msgget (key_t key, int msgflg)
#
probe syscall.msgget = kernel.function("SyS_msgget") !,
- kernel.function("sys_msgget") ? {
+ kernel.function("sys_msgget") ?
+{
name = "msgget"
key = $key
msgflg = $msgflg
@@ -3110,7 +3241,8 @@ probe syscall.msgget = kernel.function("SyS_msgget") !,
argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
}
probe syscall.msgget.return = kernel.function("SyS_msgget").return !,
- kernel.function("sys_msgget").return ? {
+ kernel.function("sys_msgget").return ?
+{
name = "msgget"
retstr = returnstr(1)
}
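Review bot: The context line `argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))` decodes msgflg with what looks like the open(2) flag decoder, but msgget takes IPC_CREAT/IPC_EXCL plus permission bits, so the printed names are likely misleading (IPC_CREAT shares its value with O_TRUNC on x86). `_sys_open_flag_str` is defined outside this page, so this is inferred from its name and its use in the open probes. Until an IPC-specific decoder exists, printing the raw value is safer for anyone reading the trace: `argstr = sprintf("%d, %#o", $key, $msgflg)`. The probe body starts in the previous hunk and a line between the two hunks is not shown.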
@@ -3123,7 +3255,8 @@ probe syscall.msgget.return = kernel.function("SyS_msgget").return !,
# int msgflg)
#
probe syscall.msgrcv = kernel.function("SyS_msgrcv") !,
- kernel.function("sys_msgrcv") ? {
+ kernel.function("sys_msgrcv") ?
+{
name = "msgrcv"
msqid = $msqid
msgp_uaddr = $msgp
@@ -3133,7 +3266,8 @@ probe syscall.msgrcv = kernel.function("SyS_msgrcv") !,
argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
}
probe syscall.msgrcv.return = kernel.function("SyS_msgrcv").return !,
- kernel.function("sys_msgrcv").return ? {
+ kernel.function("sys_msgrcv").return ?
+{
name = "msgrcv"
retstr = returnstr(1)
}
@@ -3142,11 +3276,13 @@ probe syscall.msgrcv.return = kernel.function("SyS_msgrcv").return !,
# long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
# int version, void __user *uptr)
#
-probe syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? {
+probe syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ?
+{
name = "compat_sys_msgrcv"
argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
}
-probe syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? {
+probe syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ?
+{
name = "compat_sys_msgrcv"
retstr = returnstr(1)
}
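Review bot: The argstr in syscall.compat_sys_msgrcv prints only `$first, $second, $third, $uptr`, while the signature comment above it lists six parameters including `msgtyp` and `version`. A trace consumer therefore cannot see which message type was requested. If both parameters are available as target variables on the kernels this tapset supports (not verifiable from this page), the line could read `argstr = sprintf("%d, %d, %d, %d, %d, %p", $first, $second, $msgtyp, $third, $version, $uptr)`. Otherwise a comment saying why they are left out would do.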
@@ -3158,7 +3294,8 @@ probe syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").re
# int msgflg)
#
probe syscall.msgsnd = kernel.function("SyS_msgsnd") !,
- kernel.function("sys_msgsnd") ? {
+ kernel.function("sys_msgsnd") ?
+{
name = "msgsnd"
msqid = $msqid
msgp_uaddr = $msgp
@@ -3167,7 +3304,8 @@ probe syscall.msgsnd = kernel.function("SyS_msgsnd") !,
argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
}
probe syscall.msgsnd.return = kernel.function("SyS_msgsnd").return !,
- kernel.function("sys_msgsnd").return ? {
+ kernel.function("sys_msgsnd").return ?
+{
name = "msgsnd"
retstr = returnstr(1)
}
@@ -3175,11 +3313,13 @@ probe syscall.msgsnd.return = kernel.function("SyS_msgsnd").return !,
#
# long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
#
-probe syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? {
+probe syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ?
+{
name = "compat_sys_msgsnd"
argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
}
-probe syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? {
+probe syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ?
+{
name = "compat_sys_msgsnd"
retstr = returnstr(1)
}
@@ -3187,15 +3327,17 @@ probe syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").re
# msync ______________________________________________________
# long sys_msync(unsigned long start, size_t len, int flags)
probe syscall.msync = kernel.function("SyS_msync") !,
- kernel.function("sys_msync") ? {
+ kernel.function("sys_msync") ?
+{
name = "msync"
start = $start
length = $len
flags = $flags
- argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
+ argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags))
}
probe syscall.msync.return = kernel.function("SyS_msync").return !,
- kernel.function("sys_msync").return ? {
+ kernel.function("sys_msync").return ?
+{
name = "msync"
retstr = returnstr(1)
}
@@ -3203,25 +3345,29 @@ probe syscall.msync.return = kernel.function("SyS_msync").return !,
# munlock ____________________________________________________
# long sys_munlock(unsigned long start, size_t len)
probe syscall.munlock = kernel.function("SyS_munlock") !,
- kernel.function("sys_munlock") ? {
+ kernel.function("sys_munlock") ?
+{
name = "munlock"
addr = $start
len = $len
argstr = sprintf("%p, %d", addr, len)
}
probe syscall.munlock.return = kernel.function("SyS_munlock").return !,
- kernel.function("sys_munlock").return ? {
+ kernel.function("sys_munlock").return ?
+{
name = "munlock"
retstr = returnstr(1)
}
# munlockall _________________________________________________
# long sys_munlockall(void)
-probe syscall.munlockall = kernel.function("sys_munlockall") ? {
+probe syscall.munlockall = kernel.function("sys_munlockall") ?
+{
name = "munlockall"
argstr = ""
}
-probe syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
+probe syscall.munlockall.return = kernel.function("sys_munlockall").return ?
+{
name = "munlockall"
retstr = returnstr(1)
}
@@ -3229,14 +3375,16 @@ probe syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
# munmap _____________________________________________________
# long sys_munmap(unsigned long addr, size_t len)
probe syscall.munmap = kernel.function("SyS_munmap") !,
- kernel.function("sys_munmap") {
+ kernel.function("sys_munmap")
+{
name = "munmap"
start = $addr
length = $len
argstr = sprintf("%p, %d", start, length)
}
probe syscall.munmap.return = kernel.function("SyS_munmap").return !,
- kernel.function("sys_munmap").return {
+ kernel.function("sys_munmap").return
+{
name = "munmap"
retstr = returnstr(1)
}
diff --git a/tapset/syscalls2.stp b/tapset/syscalls2.stp
index 65bcf9bf..e97082c7 100644
--- a/tapset/syscalls2.stp
+++ b/tapset/syscalls2.stp
@@ -29,24 +29,28 @@
# struct compat_timespec __user *rmtp)
#
probe syscall.nanosleep = kernel.function("SyS_nanosleep") !,
- kernel.function("sys_nanosleep") {
+ kernel.function("sys_nanosleep")
+{
name = "nanosleep"
req_uaddr = $rqtp
rem_uaddr = $rmtp
- argstr = sprintf("%s, %p", _struct_timespec_u($rqtp,1), $rmtp)
+ argstr = sprintf("%s, %p", _struct_timespec_u($rqtp, 1), $rmtp)
}
probe syscall.nanosleep.return = kernel.function("SyS_nanosleep").return !,
- kernel.function("sys_nanosleep").return {
+ kernel.function("sys_nanosleep").return
+{
name = "nanosleep"
retstr = returnstr(1)
}
-probe syscall.compat_nanosleep = kernel.function("compat_sys_nanosleep") ? {
+probe syscall.compat_nanosleep = kernel.function("compat_sys_nanosleep") ?
+{
name = "nanosleep"
req_uaddr = $rqtp
rem_uaddr = $rmtp
- argstr = sprintf("%s, %p", _struct_compat_timespec_u($rqtp,1), $rmtp)
+ argstr = sprintf("%s, %p", _struct_compat_timespec_u($rqtp, 1), $rmtp)
}
-probe syscall.compat_nanosleep.return = kernel.function("compat_sys_nanosleep").return ? {
+probe syscall.compat_nanosleep.return = kernel.function("compat_sys_nanosleep").return ?
+{
name = "nanosleep"
retstr = returnstr(1)
}
@@ -57,9 +61,8 @@ probe syscall.compat_nanosleep.return = kernel.function("compat_sys_nanosleep").
# long compat_sys_nfsservctl(int cmd, struct compat_nfsctl_arg __user *arg,
# union compat_nfsctl_res __user *res)
#
-probe syscall.nfsservctl =
- kernel.function("sys_nfsservctl") ?,
- kernel.function("compat_sys_nfsservctl") ?
+probe syscall.nfsservctl = kernel.function("sys_nfsservctl") ?,
+ kernel.function("compat_sys_nfsservctl") ?
{
name = "nfsservctl"
cmd = $cmd
@@ -67,9 +70,8 @@ probe syscall.nfsservctl =
resp_uaddr = $res
argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str($cmd), $arg, $res)
}
-probe syscall.nfsservctl.return =
- kernel.function("sys_nfsservctl").return ?,
- kernel.function("compat_sys_nfsservctl").return ?
+probe syscall.nfsservctl.return = kernel.function("sys_nfsservctl").return ?,
+ kernel.function("compat_sys_nfsservctl").return ?
{
name = "nfsservctl"
retstr = returnstr(1)
@@ -79,13 +81,15 @@ probe syscall.nfsservctl.return =
# long sys_nice(int increment)
#
probe syscall.nice = kernel.function("SyS_nice") !,
- kernel.function("sys_nice") ? {
+ kernel.function("sys_nice") ?
+{
name = "nice"
inc = $increment
argstr = sprintf("%d", $increment)
}
probe syscall.nice.return = kernel.function("SyS_nice").return !,
- kernel.function("sys_nice").return ? {
+ kernel.function("sys_nice").return ?
+{
name = "nice"
retstr = returnstr(1)
}
@@ -94,11 +98,13 @@ probe syscall.nice.return = kernel.function("SyS_nice").return !,
#
# long sys_ni_syscall(void)
#
-probe syscall.ni_syscall = kernel.function("sys_ni_syscall") {
+probe syscall.ni_syscall = kernel.function("sys_ni_syscall")
+{
name = "ni_syscall"
argstr = ""
}
-probe syscall.ni_syscall.return = kernel.function("sys_ni_syscall").return {
+probe syscall.ni_syscall.return = kernel.function("sys_ni_syscall").return
+{
name = "ni_syscall"
retstr = returnstr(1)
}
@@ -107,28 +113,26 @@ probe syscall.ni_syscall.return = kernel.function("sys_ni_syscall").return {
# long sys_open(const char __user * filename, int flags, int mode)
# (obsolete) long sys32_open(const char * filename, int flags, int mode)
#
-probe syscall.open =
- kernel.function("compat_sys_open") ?,
- kernel.function("sys32_open") ?,
- kernel.function("SyS_open") !,
- kernel.function("sys_open") ?
+probe syscall.open = kernel.function("compat_sys_open") ?,
+ kernel.function("sys32_open") ?,
+ kernel.function("SyS_open") !,
+ kernel.function("sys_open") ?
{
name = "open"
filename = user_string($filename)
flags = $flags
mode = $mode
if (flags & 64)
- argstr = sprintf("%s, %s, %#o", user_string_quoted($filename),
- _sys_open_flag_str($flags), $mode)
+ argstr = sprintf("%s, %s, %#o", user_string_quoted($filename),
+ _sys_open_flag_str($flags), $mode)
else
- argstr = sprintf("%s, %s", user_string_quoted($filename),
+ argstr = sprintf("%s, %s", user_string_quoted($filename),
_sys_open_flag_str($flags))
}
-probe syscall.open.return =
- kernel.function("compat_sys_open").return ?,
- kernel.function("sys32_open").return ?,
- kernel.function("SyS_open").return !,
- kernel.function("sys_open").return ?
+probe syscall.open.return = kernel.function("compat_sys_open").return ?,
+ kernel.function("sys32_open").return ?,
+ kernel.function("SyS_open").return !,
+ kernel.function("sys_open").return ?
{
name = "open"
retstr = returnstr(1)
@@ -138,10 +142,9 @@ probe syscall.open.return =
# long sys_openat(int dfd, const char __user *filename, int flags, int mode)
# long compat_sys_openat(unsigned int dfd, const char __user *filename, int flags, int mode)
#
-probe syscall.openat =
- kernel.function("compat_sys_openat") ?,
- kernel.function("SyS_openat") !,
- kernel.function("sys_openat") ?
+probe syscall.openat = kernel.function("compat_sys_openat") ?,
+ kernel.function("SyS_openat") !,
+ kernel.function("sys_openat") ?
{
name = "openat"
filename = user_string($filename)
@@ -149,17 +152,16 @@ probe syscall.openat =
mode = $mode
if ($flags & 64)
argstr = sprintf("%s, %s, %s, %#o", _dfd_str($dfd),
- user_string_quoted($filename),
- _sys_open_flag_str($flags), $mode)
+ user_string_quoted($filename),
+ _sys_open_flag_str($flags), $mode)
else
argstr = sprintf("%s, %s, %s", _dfd_str($dfd),
- user_string_quoted($filename),
+ user_string_quoted($filename),
_sys_open_flag_str($flags))
}
-probe syscall.openat.return =
- kernel.function("compat_sys_openat").return ?,
- kernel.function("SyS_openat").return !,
- kernel.function("sys_openat").return ?
+probe syscall.openat.return = kernel.function("compat_sys_openat").return ?,
+ kernel.function("SyS_openat").return !,
+ kernel.function("sys_openat").return ?
{
name = "openat"
retstr = returnstr(1)
@@ -170,15 +172,15 @@ probe syscall.openat.return =
# sys_pause(void)
#
probe syscall.pause = kernel.function("sys_pause") ?,
- kernel.function("sys32_pause") ?,
- kernel.function("compat_sys_pause") ?
-{
+ kernel.function("sys32_pause") ?,
+ kernel.function("compat_sys_pause") ?
+{
name = "pause"
argstr = ""
}
-probe syscall.pause.return = kernel.function("sys_pause").return ?,
- kernel.function("sys32_pause").return ?,
- kernel.function("compat_sys_pause").return ?
+probe syscall.pause.return = kernel.function("sys_pause").return ?,
+ kernel.function("sys32_pause").return ?,
+ kernel.function("compat_sys_pause").return ?
{
name = "pause"
retstr = returnstr(1)
@@ -192,14 +194,16 @@ probe syscall.pause.return = kernel.function("sys_pause").return ?,
# unsigned long dfn)
#
#
-#probe syscall.pciconfig_iobase = kernel.function("sys_pciconfig_iobase") {
+#probe syscall.pciconfig_iobase = kernel.function("sys_pciconfig_iobase")
+#{
# name = "pciconfig_iobase"
# which = $which
# bus = $bus
# dfn = $dfn
# argstr = sprintf("%p, %p, %p", which, bus, dfn)
#}
-#probe syscall.pciconfig_iobase.return = kernel.function("sys_pciconfig_iobase").return {
+#probe syscall.pciconfig_iobase.return = kernel.function("sys_pciconfig_iobase").return
+#{
# name = "pciconfig_iobase"
# retstr = returnstr(1)
#}
@@ -214,7 +218,8 @@ probe syscall.pause.return = kernel.function("sys_pause").return ?,
# { return 0; }
#
#
-#probe syscall.pciconfig_read = kernel.function("sys_pciconfig_read") {
+#probe syscall.pciconfig_read = kernel.function("sys_pciconfig_read")
+#{
# name = "pciconfig_read"
# bus = $bus
# dfn = $dfn
@@ -224,8 +229,8 @@ probe syscall.pause.return = kernel.function("sys_pause").return ?,
# argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
# len, buf_uaddr)
#}
-#probe syscall.pciconfig_read.return =
-# kernel.function("sys_pciconfig_read").return {
+#probe syscall.pciconfig_read.return = kernel.function("sys_pciconfig_read").return
+#{
# name = "pciconfig_read"
# retstr = returnstr(1)
#}
@@ -239,7 +244,8 @@ probe syscall.pause.return = kernel.function("sys_pause").return ?,
# unsigned char *buf)
#
#
-#probe syscall.pciconfig_write = kernel.function("sys_pciconfig_write") {
+#probe syscall.pciconfig_write = kernel.function("sys_pciconfig_write")
+#{
# name = "pciconfig_write"
# bus = $bus
# dfn = $dfn
@@ -249,8 +255,8 @@ probe syscall.pause.return = kernel.function("sys_pause").return ?,
# argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
# len, buf_uaddr)
#}
-#probe syscall.pciconfig_write.return =
-# kernel.function("sys_pciconfig_write").return {
+#probe syscall.pciconfig_write.return = kernel.function("sys_pciconfig_write").return
+#{
# name = "pciconfig_write"
# retstr = returnstr(1)
#}
@@ -260,13 +266,15 @@ probe syscall.pause.return = kernel.function("sys_pause").return ?,
# sys_personality(u_long personality)
#
probe syscall.personality = kernel.function("SyS_personality") !,
- kernel.function("sys_personality") {
+ kernel.function("sys_personality")
+{
name = "personality"
persona = $personality
argstr = sprintf("%p", persona);
}
probe syscall.personality.return = kernel.function("SyS_personality").return !,
- kernel.function("sys_personality").return {
+ kernel.function("sys_personality").return
+{
name = "personality"
retstr = returnstr(1)
}
@@ -278,13 +286,15 @@ probe syscall.personality.return = kernel.function("SyS_personality").return !,
%(arch == "x86_64" %?
# x86_64 gcc 4.1 problem
probe syscall.pipe = kernel.function("SyS_pipe") !,
- kernel.function("sys_pipe") {
+ kernel.function("sys_pipe")
+{
name = "pipe"
argstr = ""
}
%:
probe syscall.pipe = kernel.function("SyS_pipe") !,
- kernel.function("sys_pipe") {
+ kernel.function("sys_pipe")
+{
name = "pipe"
%( arch == "ia64" %?
# ia64 just returns value directly, no fildes argument
@@ -296,7 +306,8 @@ probe syscall.pipe = kernel.function("SyS_pipe") !,
}
%)
probe syscall.pipe.return = kernel.function("SyS_pipe").return !,
- kernel.function("sys_pipe").return {
+ kernel.function("sys_pipe").return
+{
name = "pipe"
retstr = returnstr(1)
}
@@ -306,15 +317,17 @@ probe syscall.pipe.return = kernel.function("SyS_pipe").return !,
# long sys_pivot_root(const char __user *new_root, const char __user *put_old)
#
probe syscall.pivot_root = kernel.function("SyS_pivot_root") !,
- kernel.function("sys_pivot_root") {
+ kernel.function("sys_pivot_root")
+{
name = "pivot_root"
new_root_str = user_string($new_root)
old_root_str = user_string($put_old)
argstr = sprintf("%s, %s", user_string_quoted($new_root),
- user_string_quoted($put_old))
+ user_string_quoted($put_old))
}
probe syscall.pivot_root.return = kernel.function("SyS_pivot_root").return !,
- kernel.function("sys_pivot_root").return {
+ kernel.function("sys_pivot_root").return
+{
name = "pivot_root"
retstr = returnstr(1)
}
@@ -324,7 +337,8 @@ probe syscall.pivot_root.return = kernel.function("SyS_pivot_root").return !,
# long sys_poll(struct pollfd __user * ufds, unsigned int nfds, long timeout)
#
probe syscall.poll = kernel.function("SyS_poll") !,
- kernel.function("sys_poll") {
+ kernel.function("sys_poll")
+{
name = "poll"
ufds_uaddr = $ufds
nfds = $nfds
@@ -336,7 +350,8 @@ probe syscall.poll = kernel.function("SyS_poll") !,
argstr = sprintf("%p, %d, %d", $ufds, $nfds, timeout)
}
probe syscall.poll.return = kernel.function("SyS_poll").return !,
- kernel.function("sys_poll").return {
+ kernel.function("sys_poll").return
+{
name = "poll"
retstr = returnstr(1)
}
@@ -348,17 +363,19 @@ probe syscall.poll.return = kernel.function("SyS_poll").return !,
# size_t sigsetsize)
#
probe syscall.ppoll = kernel.function("SyS_ppoll") !,
- kernel.function("sys_ppoll") ? {
+ kernel.function("sys_ppoll") ?
+{
name = "ppoll"
- argstr = sprintf("%p, %d, %s, %p, %d",
+ argstr = sprintf("%p, %d, %s, %p, %d",
$ufds,
$nfds,
- _struct_timespec_u($tsp,1),
+ _struct_timespec_u($tsp, 1),
$sigmask,
$sigsetsize)
}
probe syscall.ppoll.return = kernel.function("SyS_ppoll").return !,
- kernel.function("sys_ppoll").return ? {
+ kernel.function("sys_ppoll").return ?
+{
name = "ppoll"
retstr = returnstr(1)
}
@@ -366,16 +383,18 @@ probe syscall.ppoll.return = kernel.function("SyS_ppoll").return !,
# unsigned int nfds, struct compat_timespec __user *tsp,
# const compat_sigset_t __user *sigmask, compat_size_t sigsetsize)
#
-probe syscall.compat_ppoll = kernel.function("compat_sys_ppoll") ? {
+probe syscall.compat_ppoll = kernel.function("compat_sys_ppoll") ?
+{
name = "ppoll"
- argstr = sprintf("%p, %d, %s, %p, %d",
+ argstr = sprintf("%p, %d, %s, %p, %d",
$ufds,
$nfds,
- _struct_compat_timespec_u($tsp,1),
+ _struct_compat_timespec_u($tsp, 1),
$sigmask,
$sigsetsize)
}
-probe syscall.compat_ppoll.return = kernel.function("compat_sys_ppoll").return ? {
+probe syscall.compat_ppoll.return = kernel.function("compat_sys_ppoll").return ?
+{
name = "ppoll"
retstr = returnstr(1)
}
@@ -390,7 +409,8 @@ probe syscall.compat_ppoll.return = kernel.function("compat_sys_ppoll").return ?
# unsigned long arg5)
#
probe syscall.prctl = kernel.function("SyS_prctl") !,
- kernel.function("sys_prctl") {
+ kernel.function("sys_prctl")
+{
name = "prctl"
option = $option
arg2 = $arg2
@@ -398,10 +418,11 @@ probe syscall.prctl = kernel.function("SyS_prctl") !,
arg4 = $arg4
arg5 = $arg5
argstr = sprintf("%p, %p, %p, %p, %p", option, arg2, arg3,
- arg4, arg5)
+ arg4, arg5)
}
probe syscall.prctl.return = kernel.function("SyS_prctl").return !,
- kernel.function("sys_prctl").return {
+ kernel.function("sys_prctl").return
+{
name = "prctl"
retstr = returnstr(1)
}
@@ -413,7 +434,8 @@ probe syscall.prctl.return = kernel.function("SyS_prctl").return !,
# loff_t pos)
#
probe syscall.pread = kernel.function("SyS_pread64") !,
- kernel.function("sys_pread64") {
+ kernel.function("sys_pread64")
+{
name = "pread"
fd = $fd
buf_uaddr = $buf
@@ -422,7 +444,8 @@ probe syscall.pread = kernel.function("SyS_pread64") !,
argstr = sprintf("%d, %p, %d, %d", $fd, $buf, $count, $pos)
}
probe syscall.pread.return = kernel.function("SyS_pread64").return !,
- kernel.function("sys_pread64").return {
+ kernel.function("sys_pread64").return
+{
name = "pread"
retstr = returnstr(1)
}
@@ -433,22 +456,26 @@ probe syscall.pread.return = kernel.function("SyS_pread64").return !,
# fd_set __user *exp, struct timespec __user *tsp, void __user *sig)
#
probe syscall.pselect6 = kernel.function("SyS_pselect6") !,
- kernel.function("sys_pselect6") ? {
+ kernel.function("sys_pselect6") ?
+{
name = "pselect6"
argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
- _struct_timespec_u($tsp,1), $sig)
+ _struct_timespec_u($tsp, 1), $sig)
}
probe syscall.pselect6.return = kernel.function("SyS_pselect6").return !,
- kernel.function("sys_pselect6").return ? {
+ kernel.function("sys_pselect6").return ?
+{
name = "pselect6"
retstr = returnstr(1)
}
-probe syscall.compat_pselect6 = kernel.function("compat_sys_pselect6") ? {
+probe syscall.compat_pselect6 = kernel.function("compat_sys_pselect6") ?
+{
name = "pselect6"
argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
- _struct_compat_timespec_u($tsp,1), $sig)
+ _struct_compat_timespec_u($tsp, 1), $sig)
}
-probe syscall.compat_pselect6.return = kernel.function("compat_sys_pselect6").return ? {
+probe syscall.compat_pselect6.return = kernel.function("compat_sys_pselect6").return ?
+{
name = "pselect6"
retstr = returnstr(1)
}
@@ -456,24 +483,28 @@ probe syscall.compat_pselect6.return = kernel.function("compat_sys_pselect6").re
# pselect7 _____________________________________________________
#
# long sys_pselect7(int n, fd_set __user *inp, fd_set __user *outp,
-# fd_set __user *exp, struct timespec __user *tsp,
+# fd_set __user *exp, struct timespec __user *tsp,
# const sigset_t __user *sigmask, size_t sigsetsize)
#
-probe syscall.pselect7 = kernel.function("sys_pselect7") ? {
+probe syscall.pselect7 = kernel.function("sys_pselect7") ?
+{
name = "pselect7"
argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
- _struct_timespec_u($tsp,1), $sigmask, $sigsetsize)
+ _struct_timespec_u($tsp, 1), $sigmask, $sigsetsize)
}
-probe syscall.pselect7.return = kernel.function("sys_pselect7").return ? {
+probe syscall.pselect7.return = kernel.function("sys_pselect7").return ?
+{
name = "pselect7"
retstr = returnstr(1)
}
-probe syscall.compat_pselect7a = kernel.function("compat_sys_pselect7") ? {
+probe syscall.compat_pselect7a = kernel.function("compat_sys_pselect7") ?
+{
name = "pselect7"
argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
- _struct_compat_timespec_u($tsp,1), $sigmask, $sigsetsize)
+ _struct_compat_timespec_u($tsp, 1), $sigmask, $sigsetsize)
}
-probe syscall.compat_pselect7.return = kernel.function("compat_sys_pselect7").return ? {
+probe syscall.compat_pselect7.return = kernel.function("compat_sys_pselect7").return ?
+{
name = "pselect7"
retstr = returnstr(1)
}
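Review bot: The entry alias in this hunk is still declared as `syscall.compat_pselect7a`, while its return counterpart is `syscall.compat_pselect7.return`, so a script that probes `syscall.compat_pselect7` by name finds no entry probe and cannot pair entry with return. The trailing `a` looks like a typo that the reformatting carried over. The declaration should read `probe syscall.compat_pselect7 = kernel.function("compat_sys_pselect7") ?`. If existing scripts may depend on the old spelling, keep it as an additional alias rather than dropping it.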
@@ -486,8 +517,9 @@ probe syscall.compat_pselect7.return = kernel.function("compat_sys_pselect7").re
# long data)
#
probe syscall.ptrace = kernel.function("SyS_ptrace") !,
- kernel.function("sys_ptrace") ? {
- name = "ptrace"
+ kernel.function("sys_ptrace") ?
+{
+ name = "ptrace"
request = $request
pid = $pid
addr = $addr
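Review bot: `syscall.ptrace` lists only `SyS_ptrace` and `sys_ptrace`, unlike `syscall.readv` or `syscall.rt_sigprocmask` later in this diff, which also carry a `compat_sys_*` alternative. If 32-bit callers on a 64-bit kernel reach ptrace through a separate compat entry point, and no alias outside this hunk covers it, those calls are missing from any trace or audit script built on this probe. This is worth confirming; if the gap is real, add `kernel.function("compat_sys_ptrace") ?,` ahead of the `SyS_ptrace` alternative, with the matching `.return` line in the return probe. The probe body runs past the end of this hunk.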
@@ -495,7 +527,8 @@ probe syscall.ptrace = kernel.function("SyS_ptrace") !,
argstr = sprintf("%d, %d, %p, %p", request, pid, addr, data)
}
probe syscall.ptrace.return = kernel.function("SyS_ptrace").return !,
- kernel.function("sys_ptrace").return ? {
+ kernel.function("sys_ptrace").return ?
+{
name = "ptrace"
retstr = returnstr(1)
}
@@ -508,42 +541,46 @@ probe syscall.ptrace.return = kernel.function("SyS_ptrace").return !,
# loff_t pos)
#
probe syscall.pwrite = kernel.function("SyS_pwrite64") !,
- kernel.function("sys_pwrite64") {
+ kernel.function("sys_pwrite64")
+{
name = "pwrite"
fd = $fd
buf_uaddr = $buf
count = $count
offset = $pos
- argstr = sprintf("%d, %s, %d, %d", $fd,
- text_strn(user_string($buf),syscall_string_trunc,1),
- $count, $pos)
+ argstr = sprintf("%d, %s, %d, %d", $fd,
+ text_strn(user_string($buf), syscall_string_trunc, 1),
+ $count, $pos)
}
probe syscall.pwrite.return = kernel.function("SyS_pwrite64").return !,
- kernel.function("sys_pwrite64").return {
+ kernel.function("sys_pwrite64").return
+{
name = "pwrite"
retstr = returnstr(1)
}
# long sys32_pwrite64(unsigned int fd, const char __user *ubuf,
# size_t count, u32 poshi, u32 poslo)
-probe syscall.pwrite32 = kernel.function("sys32_pwrite64") ? {
+probe syscall.pwrite32 = kernel.function("sys32_pwrite64") ?
+{
name = "pwrite"
fd = $fd
buf_uaddr = $buf
count = $count
offset = ($poshi << 32) + $poslo
%( arch == "s390x" %?
- buf_uaddr = $ubuf
- argstr = sprintf("%d, %s, %d, %d", $fd,
- text_strn(user_string($ubuf),syscall_string_trunc,1),
- $count, ($poshi << 32) + $poslo)
+ buf_uaddr = $ubuf
+ argstr = sprintf("%d, %s, %d, %d", $fd,
+ text_strn(user_string($ubuf), syscall_string_trunc, 1),
+ $count, ($poshi << 32) + $poslo)
%:
buf_uaddr = $buf
- argstr = sprintf("%d, %s, %d, %d", $fd,
- text_strn(user_string($buf),syscall_string_trunc,1),
- $count, ($poshi << 32) + $poslo)
+ argstr = sprintf("%d, %s, %d, %d", $fd,
+ text_strn(user_string($buf), syscall_string_trunc, 1),
+ $count, ($poshi << 32) + $poslo)
%)
}
-probe syscall.pwrite32.return = kernel.function("sys32_pwrite64").return ? {
+probe syscall.pwrite32.return = kernel.function("sys32_pwrite64").return ?
+{
name = "pwrite"
retstr = returnstr(1)
}
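Review bot: `syscall.pwrite32` assigns `buf_uaddr = $buf` unconditionally before the `%( arch == "s390x" %?` block, and both branches of that block then assign `buf_uaddr` again. The s390x branch exists because the parameter is `$ubuf` there (the signature comment above the probe also says `ubuf`), so the unconditional `$buf` reference is at best redundant and on s390x presumably does not resolve. Dropping the first `buf_uaddr = $buf` line leaves the per-architecture assignments as the only ones.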
@@ -556,7 +593,8 @@ probe syscall.pwrite32.return = kernel.function("sys32_pwrite64").return ? {
# void __user *addr)
#
probe syscall.quotactl = kernel.function("SyS_quotactl") !,
- kernel.function("sys_quotactl") ? {
+ kernel.function("sys_quotactl") ?
+{
name = "quotactl"
cmd = $cmd
cmd_str = _quotactl_cmd_str($cmd)
@@ -567,7 +605,8 @@ probe syscall.quotactl = kernel.function("SyS_quotactl") !,
argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, $id, $addr)
}
probe syscall.quotactl.return = kernel.function("SyS_quotactl").return !,
- kernel.function("sys_quotactl").return ? {
+ kernel.function("sys_quotactl").return ?
+{
name = "quotactl"
retstr = returnstr(1)
}
@@ -576,7 +615,8 @@ probe syscall.quotactl.return = kernel.function("SyS_quotactl").return !,
# read _______________________________________________________
# ssize_t sys_read(unsigned int fd, char __user * buf, size_t count)
probe syscall.read = kernel.function("SyS_read") !,
- kernel.function("sys_read") {
+ kernel.function("sys_read")
+{
name = "read"
fd = $fd
buf_uaddr = $buf
@@ -584,7 +624,8 @@ probe syscall.read = kernel.function("SyS_read") !,
argstr = sprintf("%d, %p, %d", $fd, $buf, $count)
}
probe syscall.read.return = kernel.function("SyS_read").return !,
- kernel.function("sys_read").return {
+ kernel.function("sys_read").return
+{
name = "read"
retstr = returnstr(1)
}
@@ -597,7 +638,8 @@ probe syscall.read.return = kernel.function("SyS_read").return !,
# size_t count)
#
probe syscall.readahead = kernel.function("SyS_readahead") !,
- kernel.function("sys_readahead") {
+ kernel.function("sys_readahead")
+{
name = "readahead"
fd = $fd
offset = $offset
@@ -605,7 +647,8 @@ probe syscall.readahead = kernel.function("SyS_readahead") !,
argstr = sprintf("%d, %p, %p", fd, offset, count)
}
probe syscall.readahead.return = kernel.function("SyS_readahead").return !,
- kernel.function("sys_readahead").return {
+ kernel.function("sys_readahead").return
+{
name = "readahead"
retstr = returnstr(1)
}
@@ -614,17 +657,15 @@ probe syscall.readahead.return = kernel.function("SyS_readahead").return !,
#
# long compat_sys_old_readdir(unsigned int fd, struct compat_old_linux_dirent __user *dirent, unsigned int count)
# int old32_readdir(unsigned int fd, struct old_linux_dirent32 *dirent, unsigned int count)
-#
-probe syscall.readdir =
- kernel.function("compat_sys_old_readdir") ?,
- kernel.function("old32_readdir") ?
+#
+probe syscall.readdir = kernel.function("compat_sys_old_readdir") ?,
+ kernel.function("old32_readdir") ?
{
name = "readdir"
argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
}
-probe syscall.readdir.return =
- kernel.function("compat_sys_old_readdir").return ?,
- kernel.function("old32_readdir").return ?
+probe syscall.readdir.return = kernel.function("compat_sys_old_readdir").return ?,
+ kernel.function("old32_readdir").return ?
{
name = "readdir"
retstr = returnstr(1)
@@ -637,16 +678,18 @@ probe syscall.readdir.return =
# int bufsiz)
#
probe syscall.readlink = kernel.function("SyS_readlink") !,
- kernel.function("sys_readlink") {
+ kernel.function("sys_readlink")
+{
name = "readlink"
path = user_string($path)
buf_uaddr = $buf
bufsiz = $bufsiz
- argstr = sprintf("%s, %p, %d", user_string_quoted($path),
- $buf, $bufsiz)
+ argstr = sprintf("%s, %p, %d", user_string_quoted($path),
+ $buf, $bufsiz)
}
probe syscall.readlink.return = kernel.function("SyS_readlink").return !,
- kernel.function("sys_readlink").return {
+ kernel.function("sys_readlink").return
+{
name = "readlink"
retstr = returnstr(1)
}
@@ -658,7 +701,8 @@ probe syscall.readlink.return = kernel.function("SyS_readlink").return !,
# int bufsiz)
#
probe syscall.readlinkat = kernel.function("SyS_readlinkat") !,
- kernel.function("sys_readlinkat") ? {
+ kernel.function("sys_readlinkat") ?
+{
name = "readlinkat"
dfd = $dfd
buf_uaddr = $buf
@@ -673,7 +717,8 @@ probe syscall.readlinkat = kernel.function("SyS_readlinkat") !,
}
probe syscall.readlinkat.return = kernel.function("SyS_readlinkat").return !,
- kernel.function("sys_readlinkat").return ? {
+ kernel.function("sys_readlinkat").return ?
+{
name = "readlinkat"
retstr = returnstr(1)
}
@@ -683,14 +728,13 @@ probe syscall.readlinkat.return = kernel.function("SyS_readlinkat").return !,
# ssize_t sys_readv(unsigned long fd,
# const struct iovec __user *vec,
# unsigned long vlen)
-# ssize_t compat_sys_readv(unsigned long fd,
-# const struct compat_iovec __user *vec,
+# ssize_t compat_sys_readv(unsigned long fd,
+# const struct compat_iovec __user *vec,
# unsigned long vlen)
#
-probe syscall.readv =
- kernel.function("compat_sys_readv") ?,
- kernel.function("SyS_readv") !,
- kernel.function("sys_readv")
+probe syscall.readv = kernel.function("compat_sys_readv") ?,
+ kernel.function("SyS_readv") !,
+ kernel.function("sys_readv")
{
name = "readv"
vector_uaddr = $vec
@@ -703,10 +747,9 @@ probe syscall.readv =
argstr = sprintf("unknown fd, %p, %d", $vec, $vlen)
%)
}
-probe syscall.readv.return =
- kernel.function("compat_sys_readv").return ?,
- kernel.function("SyS_readv").return !,
- kernel.function("sys_readv").return
+probe syscall.readv.return = kernel.function("compat_sys_readv").return ?,
+ kernel.function("SyS_readv").return !,
+ kernel.function("sys_readv").return
{
name = "readv"
retstr = returnstr(1)
@@ -720,7 +763,8 @@ probe syscall.readv.return =
# void __user * arg)
#
probe syscall.reboot = kernel.function("SyS_reboot") !,
- kernel.function("sys_reboot") {
+ kernel.function("sys_reboot")
+{
name = "reboot"
magic = $magic1
magic_str = _reboot_magic_str($magic1)
@@ -730,10 +774,11 @@ probe syscall.reboot = kernel.function("SyS_reboot") !,
flag_str = _reboot_flag_str($cmd)
arg_uaddr = $arg
argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
- flag_str, $arg)
+ flag_str, $arg)
}
probe syscall.reboot.return = kernel.function("SyS_reboot").return !,
- kernel.function("sys_reboot").return {
+ kernel.function("sys_reboot").return
+{
name = "reboot"
retstr = returnstr(1)
}
@@ -742,7 +787,8 @@ probe syscall.reboot.return = kernel.function("SyS_reboot").return !,
#
# long sys_recv(int fd, void __user *ubuf, size_t size, unsigned flags)
#
-probe syscall.recv = kernel.function("sys_recv") ? {
+probe syscall.recv = kernel.function("sys_recv") ?
+{
name = "recv"
s = $fd
buf_uaddr = $ubuf
@@ -751,7 +797,8 @@ probe syscall.recv = kernel.function("sys_recv") ? {
flags_str = _recvflags_str($flags)
argstr = sprintf("%d, %p, %d, %s", $fd, $ubuf, $size, _recvflags_str($flags))
}
-probe syscall.recv.return = kernel.function("sys_recv").return ? {
+probe syscall.recv.return = kernel.function("sys_recv").return ?
+{
name = "recv"
retstr = returnstr(1)
}
@@ -766,7 +813,8 @@ probe syscall.recv.return = kernel.function("sys_recv").return ? {
# int __user *addr_len)
#
probe syscall.recvfrom = kernel.function("SyS_recvfrom") !,
- kernel.function("sys_recvfrom") ? {
+ kernel.function("sys_recvfrom") ?
+{
name = "recvfrom"
s = $fd
buf_uaddr = $ubuf
@@ -779,7 +827,8 @@ probe syscall.recvfrom = kernel.function("SyS_recvfrom") !,
$fd, $ubuf, $size, _recvflags_str($flags), $addr, $addr_len)
}
probe syscall.recvfrom.return = kernel.function("SyS_recvfrom").return !,
- kernel.function("sys_recvfrom").return ? {
+ kernel.function("sys_recvfrom").return ?
+{
name = "recvfrom"
retstr = returnstr(1)
}
@@ -791,7 +840,8 @@ probe syscall.recvfrom.return = kernel.function("SyS_recvfrom").return !,
# unsigned int flags)
#
probe syscall.recvmsg = kernel.function("SyS_recvmsg") !,
- kernel.function("sys_recvmsg") ? {
+ kernel.function("sys_recvmsg") ?
+{
name = "recvmsg"
s = $fd
msg_uaddr = $msg
@@ -800,7 +850,8 @@ probe syscall.recvmsg = kernel.function("SyS_recvmsg") !,
argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
}
probe syscall.recvmsg.return = kernel.function("SyS_recvmsg").return !,
- kernel.function("sys_recvmsg").return ? {
+ kernel.function("sys_recvmsg").return ?
+{
name = "recvmsg"
retstr = returnstr(1)
}
@@ -810,14 +861,16 @@ probe syscall.recvmsg.return = kernel.function("SyS_recvmsg").return !,
# struct compat_msghdr __user *msg,
# unsigned int flags)
#
-probe syscall.compat_sys_recvmsg = kernel.function("compat_sys_recvmsg") ? {
+probe syscall.compat_sys_recvmsg = kernel.function("compat_sys_recvmsg") ?
+{
name = "compat_sys_recvmsg"
s = $fd
msg_uaddr = $msg
flags = $flags
argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
}
-probe syscall.compat_sys_recvmsg.return = kernel.function("compat_sys_recvmsg").return ? {
+probe syscall.compat_sys_recvmsg.return = kernel.function("compat_sys_recvmsg").return ?
+{
name = "compat_sys_recvmsg"
retstr = returnstr(1)
}
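Review bot: The compat recvmsg probes set `name = "compat_sys_recvmsg"`, whereas the other compat aliases in this diff report the plain syscall name (`syscall.compat_ppoll` sets `"ppoll"`, `syscall.compat_pselect6` sets `"pselect6"`). A script that filters or aggregates on `name == "recvmsg"` therefore does not see calls that arrive through `compat_sys_recvmsg`. Using `name = "recvmsg"` in both the entry and the return probe would make the two paths consistent. If the distinct name is deliberate, a one-line comment saying so would help.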
@@ -831,7 +884,8 @@ probe syscall.compat_sys_recvmsg.return = kernel.function("compat_sys_recvmsg").
# unsigned long flags)
#
probe syscall.remap_file_pages = kernel.function("SyS_remap_file_pages") !,
- kernel.function("sys_remap_file_pages") ? {
+ kernel.function("sys_remap_file_pages") ?
+{
name = "remap_file_pages"
start = $start
size = $size
@@ -843,11 +897,11 @@ probe syscall.remap_file_pages = kernel.function("SyS_remap_file_pages") !,
pgoff = $pgoff
flags = $flags
argstr = sprintf("%p, %p, %p, %p, %p", start, size, prot,
- pgoff, flags)
+ pgoff, flags)
}
-probe syscall.remap_file_pages.return =
- kernel.function("SyS_remap_file_pages").return !,
- kernel.function("sys_remap_file_pages").return ? {
+probe syscall.remap_file_pages.return = kernel.function("SyS_remap_file_pages").return !,
+ kernel.function("sys_remap_file_pages").return ?
+{
name = "remap_file_pages"
retstr = returnstr(1)
}
@@ -859,22 +913,24 @@ probe syscall.remap_file_pages.return =
# char __user *name)
#
probe syscall.removexattr = kernel.function("SyS_removexattr") !,
- kernel.function("sys_removexattr") {
+ kernel.function("sys_removexattr")
+{
name = "removexattr"
name_str = user_string($name)
%( kernel_v >= "2.6.27" %?
path = user_string($pathname)
- argstr = sprintf("%s, %s", user_string_quoted($pathname),
+ argstr = sprintf("%s, %s", user_string_quoted($pathname),
user_string_quoted($name))
%:
path = user_string($path)
- argstr = sprintf("%s, %s", user_string_quoted($path),
+ argstr = sprintf("%s, %s", user_string_quoted($path),
user_string_quoted($name))
%)
}
probe syscall.removexattr.return = kernel.function("SyS_removexattr").return !,
- kernel.function("sys_removexattr").return {
+ kernel.function("sys_removexattr").return
+{
name = "removexattr"
retstr = returnstr(1)
}
@@ -885,15 +941,17 @@ probe syscall.removexattr.return = kernel.function("SyS_removexattr").return !,
# const char __user * newname)
#
probe syscall.rename = kernel.function("SyS_rename") !,
- kernel.function("sys_rename") {
+ kernel.function("sys_rename")
+{
name = "rename"
oldpath = user_string($oldname)
newpath = user_string($newname)
- argstr = sprintf("%s, %s", user_string_quoted($oldname),
- user_string_quoted($newname))
+ argstr = sprintf("%s, %s", user_string_quoted($oldname),
+ user_string_quoted($newname))
}
probe syscall.rename.return = kernel.function("SyS_rename").return !,
- kernel.function("sys_rename").return {
+ kernel.function("sys_rename").return
+{
name = "rename"
retstr = returnstr(1)
}
@@ -903,7 +961,8 @@ probe syscall.rename.return = kernel.function("SyS_rename").return !,
# long sys_renameat(int olddfd, const char __user *oldname,
# int newdfd, const char __user *newname)
probe syscall.renameat = kernel.function("SyS_renameat") !,
- kernel.function("sys_renameat") ? {
+ kernel.function("sys_renameat") ?
+{
name = "renameat"
olddfd = $olddfd
olddfd_str = _dfd_str($olddfd)
@@ -918,7 +977,8 @@ probe syscall.renameat = kernel.function("SyS_renameat") !,
newdfd_str, user_string_quoted($newname))
}
probe syscall.renameat.return = kernel.function("SyS_renameat").return !,
- kernel.function("sys_renameat").return ? {
+ kernel.function("sys_renameat").return ?
+{
name = "renameat"
retstr = returnstr(1)
}
@@ -932,7 +992,8 @@ probe syscall.renameat.return = kernel.function("SyS_renameat").return !,
# compat_sys_request_key() calls sys_request_key, so don't need probe there.
#
probe syscall.request_key = kernel.function("SyS_request_key") !,
- kernel.function("sys_request_key") ? {
+ kernel.function("sys_request_key") ?
+{
name = "request_key"
type_uaddr = $_type
description_uaddr = $_description
@@ -941,7 +1002,8 @@ probe syscall.request_key = kernel.function("SyS_request_key") !,
argstr = sprintf("%p, %p, %p, %p", $_type, $_description, $_callout_info, $destringid)
}
probe syscall.request_key.return = kernel.function("SyS_request_key").return !,
- kernel.function("sys_request_key").return ? {
+ kernel.function("sys_request_key").return ?
+{
name = "request_key"
retstr = returnstr(1)
}
@@ -951,12 +1013,13 @@ probe syscall.request_key.return = kernel.function("SyS_request_key").return !,
# asmlinkage long
# sys_restart_syscall(void)
#
-probe syscall.restart_syscall = kernel.function("sys_restart_syscall") {
+probe syscall.restart_syscall = kernel.function("sys_restart_syscall")
+{
name = "restart_syscall"
argstr = ""
}
-probe syscall.restart_syscall.return =
- kernel.function("sys_restart_syscall").return {
+probe syscall.restart_syscall.return = kernel.function("sys_restart_syscall").return
+{
name = "restart_syscall"
retstr = returnstr(1)
}
@@ -966,13 +1029,15 @@ probe syscall.restart_syscall.return =
# sys_rmdir(const char __user * pathname)
#
probe syscall.rmdir = kernel.function("SyS_rmdir") !,
- kernel.function("sys_rmdir") {
+ kernel.function("sys_rmdir")
+{
name = "rmdir"
pathname = user_string($pathname)
argstr = user_string_quoted($pathname)
}
probe syscall.rmdir.return = kernel.function("SyS_rmdir").return !,
- kernel.function("sys_rmdir").return {
+ kernel.function("sys_rmdir").return
+{
name = "rmdir"
retstr = returnstr(1)
}
@@ -985,35 +1050,36 @@ probe syscall.rmdir.return = kernel.function("SyS_rmdir").return !,
# size_t sigsetsize)
#
probe syscall.rt_sigaction = kernel.function("SyS_rt_sigaction") !,
- kernel.function("sys_rt_sigaction") ? {
+ kernel.function("sys_rt_sigaction") ?
+{
name = "rt_sigaction"
sig = $sig
act_uaddr = $act
oact_uaddr = $oact
sigsetsize = $sigsetsize
argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
- _struct_sigaction_u($act), $oact, $sigsetsize)
+ _struct_sigaction_u($act), $oact, $sigsetsize)
}
-probe syscall.rt_sigaction.return =
- kernel.function("SyS_rt_sigaction").return !,
- kernel.function("sys_rt_sigaction").return ? {
+probe syscall.rt_sigaction.return = kernel.function("SyS_rt_sigaction").return !,
+ kernel.function("sys_rt_sigaction").return ?
+{
name = "rt_sigaction"
retstr = returnstr(1)
}
#
-# long sys32_rt_sigaction(int sig,
+# long sys32_rt_sigaction(int sig,
# struct sigaction32 __user *act,
-# struct sigaction32 __user *oact,
+# struct sigaction32 __user *oact,
# unsigned int sigsetsize)
# ppc only
-# compat_sys_rt_sigaction(int sig,
+# compat_sys_rt_sigaction(int sig,
# const struct sigaction32 __user *act,
-# struct sigaction32 __user *oact,
+# struct sigaction32 __user *oact,
# size_t sigsetsize)
probe syscall.rt_sigaction32 = kernel.function("sys32_rt_sigaction") ?,
- kernel.function("compat_sys_rt_sigaction") ?
+ kernel.function("compat_sys_rt_sigaction") ?
{
name = "rt_sigaction"
sig = $sig
@@ -1021,10 +1087,10 @@ probe syscall.rt_sigaction32 = kernel.function("sys32_rt_sigaction") ?,
oact_uaddr = $oact
sigsetsize = $sigsetsize
argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
- _struct_sigaction32_u($act), $oact, $sigsetsize)
+ _struct_sigaction32_u($act), $oact, $sigsetsize)
}
probe syscall.rt_sigaction32.return = kernel.function("sys32_rt_sigaction").return ?,
- kernel.function("compat_sys_rt_sigaction").return ?
+ kernel.function("compat_sys_rt_sigaction").return ?
{
name = "rt_sigaction"
retstr = returnstr(1)
@@ -1035,15 +1101,16 @@ probe syscall.rt_sigaction32.return = kernel.function("sys32_rt_sigaction").retu
# long sys_rt_sigpending(sigset_t __user *set, size_t sigsetsize)
#
probe syscall.rt_sigpending = kernel.function("SyS_rt_sigpending") !,
- kernel.function("sys_rt_sigpending") ? {
+ kernel.function("sys_rt_sigpending") ?
+{
name = "rt_sigpending"
set_uaddr = $set
sigsetsize = $sigsetsize
argstr = sprintf("%p, %d", $set, $sigsetsize)
}
-probe syscall.rt_sigpending.return =
- kernel.function("SyS_rt_sigpending").return !,
- kernel.function("sys_rt_sigpending").return ? {
+probe syscall.rt_sigpending.return = kernel.function("SyS_rt_sigpending").return !,
+ kernel.function("sys_rt_sigpending").return ?
+{
name = "rt_sigpending"
retstr = returnstr(1)
}
@@ -1053,11 +1120,10 @@ probe syscall.rt_sigpending.return =
# long compat_sys_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset, compat_size_t sigsetsize)
# long sys_rt_sigprocmask(int how, sigset_t __user *set, sigset_t __user *oset, size_t sigsetsize)
#
-probe syscall.rt_sigprocmask =
- kernel.function("sys32_rt_sigprocmask") ?,
- kernel.function("compat_sys_rt_sigprocmask") ?,
- kernel.function("SyS_rt_sigprocmask") !,
- kernel.function("sys_rt_sigprocmask") ?
+probe syscall.rt_sigprocmask = kernel.function("sys32_rt_sigprocmask") ?,
+ kernel.function("compat_sys_rt_sigprocmask") ?,
+ kernel.function("SyS_rt_sigprocmask") !,
+ kernel.function("sys_rt_sigprocmask") ?
{
name = "rt_sigprocmask"
how = $how
@@ -1065,13 +1131,12 @@ probe syscall.rt_sigprocmask =
set_uaddr = $set
oldset_uaddr = $oset
argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u($set),
- $oset, $sigsetsize)
+ $oset, $sigsetsize)
}
-probe syscall.rt_sigprocmask.return =
- kernel.function("sys32_rt_sigprocmask").return ?,
- kernel.function("compat_sys_rt_sigprocmask").return ?,
- kernel.function("SyS_rt_sigprocmask").return !,
- kernel.function("sys_rt_sigprocmask").return ?
+probe syscall.rt_sigprocmask.return = kernel.function("sys32_rt_sigprocmask").return ?,
+ kernel.function("compat_sys_rt_sigprocmask").return ?,
+ kernel.function("SyS_rt_sigprocmask").return !,
+ kernel.function("sys_rt_sigprocmask").return ?
{
name = "rt_sigprocmask"
retstr = returnstr(1)
@@ -1079,19 +1144,20 @@ probe syscall.rt_sigprocmask.return =
# rt_sigqueueinfo ____________________________________________
#
-# long sys_rt_sigqueueinfo(int pid, int sig,siginfo_t __user *uinfo)
+# long sys_rt_sigqueueinfo(int pid, int sig, siginfo_t __user *uinfo)
#
probe syscall.rt_sigqueueinfo = kernel.function("SyS_rt_sigqueueinfo") !,
- kernel.function("sys_rt_sigqueueinfo") {
+ kernel.function("sys_rt_sigqueueinfo")
+{
name = "rt_sigqueueinfo"
pid = $pid
sig = $sig
uinfo_uaddr = $uinfo
argstr = sprintf("%d, %s, %p", $pid, _signal_name($sig), $uinfo)
}
-probe syscall.rt_sigqueueinfo.return =
- kernel.function("SyS_rt_sigqueueinfo").return !,
- kernel.function("sys_rt_sigqueueinfo").return {
+probe syscall.rt_sigqueueinfo.return = kernel.function("SyS_rt_sigqueueinfo").return !,
+ kernel.function("sys_rt_sigqueueinfo").return
+{
name = "rt_sigqueueinfo"
retstr = returnstr(1)
}
@@ -1099,16 +1165,14 @@ probe syscall.rt_sigqueueinfo.return =
# rt_sigreturn _______________________________________________
# int sys_rt_sigreturn(unsigned long __unused)
#
-probe syscall.rt_sigreturn =
- kernel.function("sys_rt_sigreturn") ?,
- kernel.function("sys32_rt_sigreturn") ?
+probe syscall.rt_sigreturn = kernel.function("sys_rt_sigreturn") ?,
+ kernel.function("sys32_rt_sigreturn") ?
{
name = "rt_sigreturn"
argstr = ""
}
-probe syscall.rt_sigreturn.return =
- kernel.function("sys_rt_sigreturn").return ?,
- kernel.function("sys32_rt_sigreturn").return ?
+probe syscall.rt_sigreturn.return = kernel.function("sys_rt_sigreturn").return ?,
+ kernel.function("sys32_rt_sigreturn").return ?
{
name = "rt_sigreturn"
retstr = returnstr(1)
@@ -1118,20 +1182,18 @@ probe syscall.rt_sigreturn.return =
#
# sys_rt_sigsuspend(struct pt_regs regs)
#
-probe syscall.rt_sigsuspend =
- kernel.function("compat_sys_rt_sigsuspend") ?,
- kernel.function("ia64_rt_sigsuspend") ?,
- kernel.function("SyS_rt_sigsuspend") !,
- kernel.function("sys_rt_sigsuspend") ?
+probe syscall.rt_sigsuspend = kernel.function("compat_sys_rt_sigsuspend") ?,
+ kernel.function("ia64_rt_sigsuspend") ?,
+ kernel.function("SyS_rt_sigsuspend") !,
+ kernel.function("sys_rt_sigsuspend") ?
{
name = "rt_sigsuspend"
argstr = ""
}
-probe syscall.rt_sigsuspend.return =
- kernel.function("compat_sys_rt_sigsuspend").return ?,
- kernel.function("ia64_rt_sigsuspend").return ?,
- kernel.function("SyS_rt_sigsuspend").return !,
- kernel.function("sys_rt_sigsuspend").return ?
+probe syscall.rt_sigsuspend.return = kernel.function("compat_sys_rt_sigsuspend").return ?,
+ kernel.function("ia64_rt_sigsuspend").return ?,
+ kernel.function("SyS_rt_sigsuspend").return !,
+ kernel.function("sys_rt_sigsuspend").return ?
{
name = "rt_sigsuspend"
retstr = returnstr(1)
@@ -1147,10 +1209,9 @@ probe syscall.rt_sigsuspend.return =
# struct compat_siginfo __user *uinfo,
# struct compat_timespec __user *uts, compat_size_t sigsetsize)
#
-probe syscall.rt_sigtimedwait =
- kernel.function("compat_sys_rt_sigtimedwait") ?,
- kernel.function("SyS_rt_sigtimedwait") !,
- kernel.function("sys_rt_sigtimedwait")
+probe syscall.rt_sigtimedwait = kernel.function("compat_sys_rt_sigtimedwait") ?,
+ kernel.function("SyS_rt_sigtimedwait") !,
+ kernel.function("sys_rt_sigtimedwait")
{
name = "rt_sigtimedwait"
uthese_uaddr = $uthese
@@ -1159,10 +1220,9 @@ probe syscall.rt_sigtimedwait =
sigsetsize = $sigsetsize
argstr = sprintf("%p, %p, %p, %d", $uthese, $uinfo, $uts, $sigsetsize)
}
-probe syscall.rt_sigtimedwait.return =
- kernel.function("compat_sys_rt_sigtimedwait").return ?,
- kernel.function("SyS_rt_sigtimedwait").return !,
- kernel.function("sys_rt_sigtimedwait").return
+probe syscall.rt_sigtimedwait.return = kernel.function("compat_sys_rt_sigtimedwait").return ?,
+ kernel.function("SyS_rt_sigtimedwait").return !,
+ kernel.function("sys_rt_sigtimedwait").return
{
name = "rt_sigtimedwait"
retstr = returnstr(1)
@@ -1176,16 +1236,17 @@ probe syscall.rt_sigtimedwait.return =
# unsigned long __user *user_mask_ptr)
#
probe syscall.sched_getaffinity = kernel.function("SyS_sched_getaffinity") !,
- kernel.function("sys_sched_getaffinity") {
+ kernel.function("sys_sched_getaffinity")
+{
name = "sched_getaffinity"
pid = $pid
len = $len
mask_uaddr = $user_mask_ptr
argstr = sprintf("%d, %p, %p", pid, len, mask_uaddr)
}
-probe syscall.sched_getaffinity.return =
- kernel.function("SyS_sched_getaffinity").return !,
- kernel.function("sys_sched_getaffinity").return {
+probe syscall.sched_getaffinity.return = kernel.function("SyS_sched_getaffinity").return !,
+ kernel.function("sys_sched_getaffinity").return
+{
name = "sched_getaffinity"
retstr = returnstr(1)
}
@@ -1196,15 +1257,16 @@ probe syscall.sched_getaffinity.return =
# struct sched_param __user *param)
#
probe syscall.sched_getparam = kernel.function("SyS_sched_getparam") !,
- kernel.function("sys_sched_getparam") {
+ kernel.function("sys_sched_getparam")
+{
name = "sched_getparam"
pid = $pid
p_uaddr = $param
argstr = sprintf("%d, %p", pid, p_uaddr)
}
-probe syscall.sched_getparam.return =
- kernel.function("SyS_sched_getparam").return !,
- kernel.function("sys_sched_getparam").return {
+probe syscall.sched_getparam.return = kernel.function("SyS_sched_getparam").return !,
+ kernel.function("sys_sched_getparam").return
+{
name = "sched_getparam"
retstr = returnstr(1)
}
@@ -1213,16 +1275,16 @@ probe syscall.sched_getparam.return =
# asmlinkage long
# sys_sched_get_priority_max(int policy)
#
-probe syscall.sched_get_priority_max =
- kernel.function("SyS_sched_get_priority_max") !,
- kernel.function("sys_sched_get_priority_max") {
+probe syscall.sched_get_priority_max = kernel.function("SyS_sched_get_priority_max") !,
+ kernel.function("sys_sched_get_priority_max")
+{
name = "sched_get_priority_max"
policy = $policy
argstr = sprint(policy)
}
-probe syscall.sched_get_priority_max.return =
- kernel.function("SyS_sched_get_priority_max").return !,
- kernel.function("sys_sched_get_priority_max").return {
+probe syscall.sched_get_priority_max.return = kernel.function("SyS_sched_get_priority_max").return !,
+ kernel.function("sys_sched_get_priority_max").return
+{
name = "sched_get_priority_max"
retstr = returnstr(1)
}
@@ -1231,16 +1293,16 @@ probe syscall.sched_get_priority_max.return =
# asmlinkage long
# sys_sched_get_priority_min(int policy)
#
-probe syscall.sched_get_priority_min =
- kernel.function("SyS_sched_get_priority_min") !,
- kernel.function("sys_sched_get_priority_min") {
+probe syscall.sched_get_priority_min = kernel.function("SyS_sched_get_priority_min") !,
+ kernel.function("sys_sched_get_priority_min")
+{
name = "sched_get_priority_min"
policy = $policy
argstr = sprint(policy)
}
-probe syscall.sched_get_priority_min.return =
- kernel.function("SyS_sched_get_priority_min").return !,
- kernel.function("sys_sched_get_priority_min").return {
+probe syscall.sched_get_priority_min.return = kernel.function("SyS_sched_get_priority_min").return !,
+ kernel.function("sys_sched_get_priority_min").return
+{
name = "sched_get_priority_min"
retstr = returnstr(1)
}
@@ -1249,13 +1311,15 @@ probe syscall.sched_get_priority_min.return =
# long sys_sched_getscheduler(pid_t pid)
#
probe syscall.sched_getscheduler = kernel.function("SyS_sched_getscheduler") !,
- kernel.function("sys_sched_getscheduler") {
+ kernel.function("sys_sched_getscheduler")
+{
name = "sched_getscheduler"
pid = $pid
argstr = sprint($pid)
}
probe syscall.sched_getscheduler.return = kernel.function("SyS_sched_getscheduler").return !,
- kernel.function("sys_sched_getscheduler").return {
+ kernel.function("sys_sched_getscheduler").return
+{
name = "sched_getscheduler"
retstr = returnstr(1)
}
@@ -1264,14 +1328,16 @@ probe syscall.sched_getscheduler.return = kernel.function("SyS_sched_getschedule
# long sys_sched_rr_get_interval(pid_t pid, struct timespec __user *interval)
#
probe syscall.sched_rr_get_interval = kernel.function("SyS_sched_rr_get_interval") !,
- kernel.function("sys_sched_rr_get_interval") {
+ kernel.function("sys_sched_rr_get_interval")
+{
name = "sched_rr_get_interval"
pid = $pid
tp_uaddr = $interval
- argstr = sprintf("%d, %s", $pid, _struct_timespec_u($interval,1))
+ argstr = sprintf("%d, %s", $pid, _struct_timespec_u($interval, 1))
}
probe syscall.sched_rr_get_interval.return = kernel.function("SyS_sched_rr_get_interval").return !,
- kernel.function("sys_sched_rr_get_interval").return {
+ kernel.function("sys_sched_rr_get_interval").return
+{
name = "sched_rr_get_interval"
retstr = returnstr(1)
}
@@ -1284,7 +1350,8 @@ probe syscall.sched_rr_get_interval.return = kernel.function("SyS_sched_rr_get_i
#
%( arch != "x86_64" %?
probe syscall.sched_setaffinity = kernel.function("SyS_sched_setaffinity") !,
- kernel.function("sys_sched_setaffinity") {
+ kernel.function("sys_sched_setaffinity")
+{
name = "sched_setaffinity"
pid = $pid
len = $len
@@ -1293,7 +1360,8 @@ probe syscall.sched_setaffinity = kernel.function("SyS_sched_setaffinity") !,
}
%:
probe syscall.sched_setaffinity = kernel.function("SyS_sched_setaffinity") !,
- kernel.function("sys_sched_setaffinity") {
+ kernel.function("sys_sched_setaffinity")
+{
name = "sched_setaffinity"
pid = $pid
len = 0
@@ -1302,7 +1370,8 @@ probe syscall.sched_setaffinity = kernel.function("SyS_sched_setaffinity") !,
}
%)
probe syscall.sched_setaffinity.return = kernel.function("SyS_sched_setaffinity").return !,
- kernel.function("sys_sched_setaffinity").return {
+ kernel.function("sys_sched_setaffinity").return
+{
name = "sched_setaffinity"
retstr = returnstr(1)
}
@@ -1312,15 +1381,16 @@ probe syscall.sched_setaffinity.return = kernel.function("SyS_sched_setaffinity"
# long sys_sched_setparam(pid_t pid, struct sched_param __user *param)
#
probe syscall.sched_setparam = kernel.function("SyS_sched_setparam") !,
- kernel.function("sys_sched_setparam") ? {
+ kernel.function("sys_sched_setparam") ?
+{
name = "sched_setparam"
pid = $pid
p_uaddr = $param
argstr = sprintf("%d, %p", $pid, $param)
}
-probe syscall.sched_setparam.return =
- kernel.function("SyS_sched_setparam").return !,
- kernel.function("sys_sched_setparam").return ? {
+probe syscall.sched_setparam.return = kernel.function("SyS_sched_setparam").return !,
+ kernel.function("sys_sched_setparam").return ?
+{
name = "sched_setparam"
retstr = returnstr(1)
}
@@ -1329,9 +1399,9 @@ probe syscall.sched_setparam.return =
#
# long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param)
#
-probe syscall.sched_setscheduler =
- kernel.function("SyS_sched_setscheduler") !,
- kernel.function("sys_sched_setscheduler") ? {
+probe syscall.sched_setscheduler = kernel.function("SyS_sched_setscheduler") !,
+ kernel.function("sys_sched_setscheduler") ?
+{
name = "sched_setscheduler"
pid = $pid
policy = $policy
@@ -1339,9 +1409,9 @@ probe syscall.sched_setscheduler =
p_uaddr = $param
argstr = sprintf("%d, %s, %p", $pid, policy_str, $param)
}
-probe syscall.sched_setscheduler.return =
- kernel.function("SyS_sched_setscheduler").return !,
- kernel.function("sys_sched_setscheduler").return ? {
+probe syscall.sched_setscheduler.return = kernel.function("SyS_sched_setscheduler").return !,
+ kernel.function("sys_sched_setscheduler").return ?
+{
name = "sched_setscheduler"
retstr = returnstr(1)
}
@@ -1349,11 +1419,13 @@ probe syscall.sched_setscheduler.return =
# sched_yield ________________________________________________
# long sys_sched_yield(void)
#
-probe syscall.sched_yield = kernel.function("sys_sched_yield") {
+probe syscall.sched_yield = kernel.function("sys_sched_yield")
+{
name = "sched_yield"
argstr = ""
}
-probe syscall.sched_yield.return = kernel.function("sys_sched_yield").return {
+probe syscall.sched_yield.return = kernel.function("sys_sched_yield").return
+{
name = "sched_yield"
retstr = returnstr(1)
}
@@ -1366,7 +1438,8 @@ probe syscall.sched_yield.return = kernel.function("sys_sched_yield").return {
# struct timeval __user *tvp)
#
probe syscall.select = kernel.function("SyS_select") !,
- kernel.function("sys_select") {
+ kernel.function("sys_select")
+{
name = "select"
n = $n
readfds_uaddr = $inp
@@ -1374,20 +1447,22 @@ probe syscall.select = kernel.function("SyS_select") !,
exceptfds_uaddr = $exp
timeout_uaddr = $tvp
argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
- _struct_timeval_u($tvp, 1))
+ _struct_timeval_u($tvp, 1))
}
probe syscall.select.return = kernel.function("SyS_select").return !,
- kernel.function("sys_select").return {
+ kernel.function("sys_select").return
+{
name = "select"
retstr = returnstr(1)
}
-# long compat_sys_select(int n,
+# long compat_sys_select(int n,
# compat_ulong_t __user *inp,
-# compat_ulong_t __user *outp,
+# compat_ulong_t __user *outp,
# compat_ulong_t __user *exp,
# struct compat_timeval __user *tvp)
#
-probe syscall.compat_select = kernel.function("compat_sys_select") ? {
+probe syscall.compat_select = kernel.function("compat_sys_select") ?
+{
name = "select"
n = $n
readfds_uaddr = $inp
@@ -1395,9 +1470,10 @@ probe syscall.compat_select = kernel.function("compat_sys_select") ? {
exceptfds_uaddr = $exp
timeout_uaddr = $tvp
argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
- _struct_compat_timeval_u($tvp, 1))
+ _struct_compat_timeval_u($tvp, 1))
}
-probe syscall.compat_select.return = kernel.function("compat_sys_select").return ? {
+probe syscall.compat_select.return = kernel.function("compat_sys_select").return ?
+{
name = "select"
retstr = returnstr(1)
}
@@ -1409,7 +1485,8 @@ probe syscall.compat_select.return = kernel.function("compat_sys_select").return
# union semun arg)
#
probe syscall.semctl = kernel.function("SyS_semctl") !,
- kernel.function("sys_semctl") ? {
+ kernel.function("sys_semctl") ?
+{
name = "semctl"
semid = $semid
semnum = $semnum
@@ -1421,7 +1498,8 @@ probe syscall.semctl = kernel.function("SyS_semctl") !,
argstr = sprintf("%d, %d, %s", $semid, $semnum, _semctl_cmd($cmd))
}
probe syscall.semctl.return = kernel.function("SyS_semctl").return !,
- kernel.function("sys_semctl").return ? {
+ kernel.function("sys_semctl").return ?
+{
name = "semctl"
retstr = returnstr(1)
}
@@ -1429,11 +1507,13 @@ probe syscall.semctl.return = kernel.function("SyS_semctl").return !,
#
# long compat_sys_semctl(int first, int second, int third, void __user *uptr)
#
-probe syscall.compat_sys_semctl = kernel.function("compat_sys_semctl") ? {
+probe syscall.compat_sys_semctl = kernel.function("compat_sys_semctl") ?
+{
name = "compat_sys_semctl"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
}
-probe syscall.compat_sys_semctl.return = kernel.function("compat_sys_semctl").return ? {
+probe syscall.compat_sys_semctl.return = kernel.function("compat_sys_semctl").return ?
+{
name = "compat_sys_semctl"
retstr = returnstr(1)
}
@@ -1442,7 +1522,8 @@ probe syscall.compat_sys_semctl.return = kernel.function("compat_sys_semctl").re
# long sys_semget (key_t key, int nsems, int semflg)
#
probe syscall.semget = kernel.function("SyS_semget") !,
- kernel.function("sys_semget") ? {
+ kernel.function("sys_semget") ?
+{
name = "semget"
key = $key
nsems = $nsems
@@ -1450,7 +1531,8 @@ probe syscall.semget = kernel.function("SyS_semget") !,
argstr = sprintf("%d, %d, %s", $key, $nsems, __sem_flags($semflg))
}
probe syscall.semget.return = kernel.function("SyS_semget").return !,
- kernel.function("sys_semget").return ? {
+ kernel.function("sys_semget").return ?
+{
name = "semget"
retstr = returnstr(1)
}
@@ -1462,7 +1544,8 @@ probe syscall.semget.return = kernel.function("SyS_semget").return !,
# unsigned nsops)
#
probe syscall.semop = kernel.function("SyS_semtimedop") !,
- kernel.function("sys_semtimedop") ? {
+ kernel.function("sys_semtimedop") ?
+{
name = "semop"
semid = $semid
tsops_uaddr = $tsops
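Review bot: `syscall.semop` attaches to `SyS_semtimedop` / `sys_semtimedop`, the same functions `syscall.semtimedop` uses in a later hunk, and nothing here documents that. As written, it looks like a single semtimedop call fires both aliases and is reported once as "semop" and once as "semtimedop". Presumably this is because semop is implemented through sys_semtimedop in the kernel, but that should be confirmed. I would add a comment above the probe such as `# semop is traced via sys_semtimedop; a semtimedop() call also fires this alias`, so scripts that count or audit IPC calls by `name` know to deduplicate. The probe body continues past the end of this hunk.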
@@ -1470,7 +1553,8 @@ probe syscall.semop = kernel.function("SyS_semtimedop") !,
argstr = sprintf("%d, %p, %d", $semid, $tsops, $nsops)
}
probe syscall.semop.return = kernel.function("SyS_semtimedop").return !,
- kernel.function("sys_semtimedop").return ? {
+ kernel.function("sys_semtimedop").return ?
+{
name = "semop"
retstr = returnstr(1)
}
@@ -1483,17 +1567,19 @@ probe syscall.semop.return = kernel.function("SyS_semtimedop").return !,
# const struct timespec __user *timeout)
#
probe syscall.semtimedop = kernel.function("SyS_semtimedop") !,
- kernel.function("sys_semtimedop") ? {
+ kernel.function("sys_semtimedop") ?
+{
name = "semtimedop"
semid = $semid
sops_uaddr = $tsops
nsops = $nsops
timeout_uaddr = $timeout
argstr = sprintf("%d, %p, %d, %s", $semid, $tsops, $nsops,
- _struct_timespec_u($timeout,1))
+ _struct_timespec_u($timeout, 1))
}
probe syscall.semtimedop.return = kernel.function("SyS_semtimedop").return !,
- kernel.function("sys_semtimedop").return ? {
+ kernel.function("sys_semtimedop").return ?
+{
name = "semtimedop"
retstr = returnstr(1)
}
@@ -1502,16 +1588,18 @@ probe syscall.semtimedop.return = kernel.function("SyS_semtimedop").return !,
# long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
# unsigned nsops, const struct compat_timespec __user *timeout)
#
-probe syscall.compat_sys_semtimedop = kernel.function("compat_sys_semtimedop") ? {
+probe syscall.compat_sys_semtimedop = kernel.function("compat_sys_semtimedop") ?
+{
name = "compat_sys_semtimedop"
semid = $semid
sops_uaddr = $tsems
nsops = $nsops
timeout_uaddr = $timeout
argstr = sprintf("%d, %p, %d, %s", $semid, $tsems, $nsops,
- _struct_compat_timespec_u($timeout,1))
+ _struct_compat_timespec_u($timeout, 1))
}
-probe syscall.compat_sys_semtimedop.return = kernel.function("compat_sys_semtimedop").return ? {
+probe syscall.compat_sys_semtimedop.return = kernel.function("compat_sys_semtimedop").return ?
+{
name = "compat_sys_semtimedop"
retstr = returnstr(1)
}
@@ -1524,7 +1612,8 @@ probe syscall.compat_sys_semtimedop.return = kernel.function("compat_sys_semtime
# unsigned flags)
#
probe syscall.send = kernel.function("SyS_send") !,
- kernel.function("sys_send") ? {
+ kernel.function("sys_send") ?
+{
name = "send"
s = $fd
buf_uaddr = $buff
@@ -1534,7 +1623,8 @@ probe syscall.send = kernel.function("SyS_send") !,
argstr = sprintf("%d, %p, %d, %s", $fd, $buff, $len, flags_str)
}
probe syscall.send.return = kernel.function("SyS_send").return !,
- kernel.function("sys_send").return ? {
+ kernel.function("sys_send").return ?
+{
name = "send"
retstr = returnstr(1)
}
@@ -1546,11 +1636,10 @@ probe syscall.send.return = kernel.function("SyS_send").return !,
# off_t __user *offset,
# size_t count)
#
-probe syscall.sendfile =
- kernel.function("SyS_sendfile") ?,
- kernel.function("sys_sendfile") ?,
- kernel.function("SyS_sendfile64") ?,
- kernel.function("sys_sendfile64") ?
+probe syscall.sendfile = kernel.function("SyS_sendfile") ?,
+ kernel.function("sys_sendfile") ?,
+ kernel.function("SyS_sendfile64") ?,
+ kernel.function("sys_sendfile64") ?
{
name = "sendfile"
out_fd = $out_fd
@@ -1558,13 +1647,12 @@ probe syscall.sendfile =
offset_uaddr = $offset
count = $count
argstr = sprintf("%d, %d, %p, %d", $out_fd, $in_fd, $offset,
- $count)
+ $count)
}
-probe syscall.sendfile.return =
- kernel.function("SyS_sendfile").return ?,
- kernel.function("sys_sendfile").return ?,
- kernel.function("SyS_sendfile64").return ?,
- kernel.function("sys_sendfile64").return ?
+probe syscall.sendfile.return = kernel.function("SyS_sendfile").return ?,
+ kernel.function("sys_sendfile").return ?,
+ kernel.function("SyS_sendfile64").return ?,
+ kernel.function("sys_sendfile64").return ?
{
name = "sendfile"
retstr = returnstr(1)
@@ -1575,7 +1663,8 @@ probe syscall.sendfile.return =
# long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
#
probe syscall.sendmsg = kernel.function("SyS_sendmsg") !,
- kernel.function("sys_sendmsg") ? {
+ kernel.function("sys_sendmsg") ?
+{
name = "sendmsg"
s = $fd
msg_uaddr = $msg
@@ -1584,7 +1673,8 @@ probe syscall.sendmsg = kernel.function("SyS_sendmsg") !,
argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
}
probe syscall.sendmsg.return = kernel.function("SyS_sendmsg").return !,
- kernel.function("sys_sendmsg").return ? {
+ kernel.function("sys_sendmsg").return ?
+{
name = "sendmsg"
retstr = returnstr(1)
}
@@ -1592,14 +1682,16 @@ probe syscall.sendmsg.return = kernel.function("SyS_sendmsg").return !,
#
# long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
#
-probe syscall.compat_sys_sendmsg = kernel.function("compat_sys_sendmsg") ? {
+probe syscall.compat_sys_sendmsg = kernel.function("compat_sys_sendmsg") ?
+{
name = "compat_sys_sendmsg"
s = $fd
msg_uaddr = $msg
flags = $flags
argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
}
-probe syscall.compat_sys_sendmsg.return = kernel.function("compat_sys_sendmsg").return ? {
+probe syscall.compat_sys_sendmsg.return = kernel.function("compat_sys_sendmsg").return ?
+{
name = "compat_sys_sendmsg"
retstr = returnstr(1)
}
@@ -1614,7 +1706,8 @@ probe syscall.compat_sys_sendmsg.return = kernel.function("compat_sys_sendmsg").
# int addr_len)
#
probe syscall.sendto = kernel.function("SyS_sendto") !,
- kernel.function("sys_sendto") ? {
+ kernel.function("sys_sendto") ?
+{
name = "sendto"
s = $fd
buf_uaddr = $buff
@@ -1624,10 +1717,11 @@ probe syscall.sendto = kernel.function("SyS_sendto") !,
to_uaddr = $addr
tolen = $addr_len
argstr = sprintf("%d, %p, %d, %s, %s, %d", $fd, $buff,
- $len, flags_str, _struct_sockaddr_u($addr,$addr_len), $addr_len)
+ $len, flags_str, _struct_sockaddr_u($addr, $addr_len), $addr_len)
}
probe syscall.sendto.return = kernel.function("SyS_sendto").return !,
- kernel.function("sys_sendto").return ? {
+ kernel.function("sys_sendto").return ?
+{
name = "sendto"
retstr = returnstr(1)
}
@@ -1639,15 +1733,16 @@ probe syscall.sendto.return = kernel.function("SyS_sendto").return !,
# int len)
#
probe syscall.setdomainname = kernel.function("SyS_setdomainname") !,
- kernel.function("sys_setdomainname") {
+ kernel.function("sys_setdomainname")
+{
name = "setdomainname"
hostname_uaddr = $name
len = $len
argstr = sprintf("%p, %d", $name, $len)
}
-probe syscall.setdomainname.return =
- kernel.function("SyS_setdomainname").return !,
- kernel.function("sys_setdomainname").return {
+probe syscall.setdomainname.return = kernel.function("SyS_setdomainname").return !,
+ kernel.function("sys_setdomainname").return
+{
name = "setdomainname"
retstr = returnstr(1)
}
@@ -1656,19 +1751,17 @@ probe syscall.setdomainname.return =
# long sys_setfsgid(gid_t gid)
# long sys_setfsgid16(old_gid_t gid)
#
-probe syscall.setfsgid =
- kernel.function("sys_setfsgid16") ?,
- kernel.function("SyS_setfsgid") !,
- kernel.function("sys_setfsgid") ?
+probe syscall.setfsgid = kernel.function("sys_setfsgid16") ?,
+ kernel.function("SyS_setfsgid") !,
+ kernel.function("sys_setfsgid") ?
{
name = "setfsgid"
fsgid = $gid
argstr = sprint($gid)
}
-probe syscall.setfsgid.return =
- kernel.function("sys_setfsgid16").return ?,
- kernel.function("SyS_setfsgid").return !,
- kernel.function("sys_setfsgid").return ?
+probe syscall.setfsgid.return = kernel.function("sys_setfsgid16").return ?,
+ kernel.function("SyS_setfsgid").return !,
+ kernel.function("sys_setfsgid").return ?
{
name = "setfsgid"
retstr = returnstr(1)
@@ -1678,19 +1771,17 @@ probe syscall.setfsgid.return =
# long sys_setfsuid(uid_t uid)
# long sys_setfsuid16(old_uid_t uid)
#
-probe syscall.setfsuid =
- kernel.function("sys_setfsuid16") ?,
- kernel.function("SyS_setfsuid") !,
- kernel.function("sys_setfsuid") ?
+probe syscall.setfsuid = kernel.function("sys_setfsuid16") ?,
+ kernel.function("SyS_setfsuid") !,
+ kernel.function("sys_setfsuid") ?
{
name = "setfsuid"
fsuid = $uid
argstr = sprint($uid)
}
-probe syscall.setfsuid.return =
- kernel.function("sys_setfsuid16").return ?,
- kernel.function("SyS_setfsuid").return !,
- kernel.function("sys_setfsuid").return ?
+probe syscall.setfsuid.return = kernel.function("sys_setfsuid16").return ?,
+ kernel.function("SyS_setfsuid").return !,
+ kernel.function("sys_setfsuid").return ?
{
name = "setfsuid"
retstr = returnstr(1)
@@ -1701,19 +1792,17 @@ probe syscall.setfsuid.return =
# long sys_setgid(gid_t gid)
# long sys_setgid16(old_gid_t gid)
#
-probe syscall.setgid =
- kernel.function("sys_setgid16") ?,
- kernel.function("SyS_setgid") !,
- kernel.function("sys_setgid") ?
+probe syscall.setgid = kernel.function("sys_setgid16") ?,
+ kernel.function("SyS_setgid") !,
+ kernel.function("sys_setgid") ?
{
name = "setgid"
gid = $gid
argstr = sprint($gid)
}
-probe syscall.setgid.return =
- kernel.function("sys_setgid16").return ?,
- kernel.function("SyS_setgid").return !,
- kernel.function("sys_setgid").return ?
+probe syscall.setgid.return = kernel.function("sys_setgid16").return ?,
+ kernel.function("SyS_setgid").return !,
+ kernel.function("sys_setgid").return ?
{
name = "setgid"
retstr = returnstr(1)
@@ -1725,22 +1814,20 @@ probe syscall.setgid.return =
# long sys_setgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_setgroups16(int gidsetsize, u16 __user *grouplist)
#
-probe syscall.setgroups =
- kernel.function("sys_setgroups16") ?,
- kernel.function("sys32_setgroups16") ?,
- kernel.function("SyS_setgroups") !,
- kernel.function("sys_setgroups") ?
+probe syscall.setgroups = kernel.function("sys_setgroups16") ?,
+ kernel.function("sys32_setgroups16") ?,
+ kernel.function("SyS_setgroups") !,
+ kernel.function("sys_setgroups") ?
{
name = "setgroups"
size = $gidsetsize
list_uaddr = $grouplist
argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
}
-probe syscall.setgroups.return =
- kernel.function("sys_setgroups16").return ?,
- kernel.function("sys32_setgroups16").return ?,
- kernel.function("SyS_setgroups").return !,
- kernel.function("sys_setgroups").return ?
+probe syscall.setgroups.return = kernel.function("sys_setgroups16").return ?,
+ kernel.function("sys32_setgroups16").return ?,
+ kernel.function("SyS_setgroups").return !,
+ kernel.function("sys_setgroups").return ?
{
name = "setgroups"
retstr = returnstr(1)
@@ -1753,7 +1840,8 @@ probe syscall.setgroups.return =
# int len)
#
probe syscall.sethostname = kernel.function("SyS_sethostname") !,
- kernel.function("sys_sethostname") {
+ kernel.function("sys_sethostname")
+{
name = "sethostname"
hostname_uaddr = $name
name_str = user_string($name)
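Review bot: `name_str = user_string($name)` reads up to the first NUL, but the signature comment shows sethostname takes an explicit `len`, so the user buffer need not be NUL-terminated and the traced string can include bytes beyond the requested name. The `user_string_quoted($name)` used for `argstr` in the next hunk has the same issue. Bounding the read by the caller's length, e.g. `name_str = user_string_n($name, $len)`, would keep the logged hostname equal to what the kernel is asked to set, which matters when this output feeds an audit trail. The probe body continues outside this hunk.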
@@ -1761,7 +1849,8 @@ probe syscall.sethostname = kernel.function("SyS_sethostname") !,
argstr = sprintf("%s, %d", user_string_quoted($name), $len)
}
probe syscall.sethostname.return = kernel.function("SyS_sethostname").return !,
- kernel.function("sys_sethostname").return {
+ kernel.function("sys_sethostname").return
+{
name = "sethostname"
retstr = returnstr(1)
}
@@ -1772,16 +1861,18 @@ probe syscall.sethostname.return = kernel.function("SyS_sethostname").return !,
# struct itimerval __user *ovalue)
#
probe syscall.setitimer = kernel.function("SyS_setitimer") !,
- kernel.function("sys_setitimer") {
+ kernel.function("sys_setitimer")
+{
name = "setitimer"
which = $which
value_uaddr = $value
ovalue_uaddr = $ovalue
- argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
+ argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
_struct_itimerval_u($value), $ovalue)
}
probe syscall.setitimer.return = kernel.function("SyS_setitimer").return !,
- kernel.function("sys_setitimer").return {
+ kernel.function("sys_setitimer").return
+{
name = "setitimer"
retstr = returnstr(1)
}
@@ -1790,15 +1881,17 @@ probe syscall.setitimer.return = kernel.function("SyS_setitimer").return !,
# struct compat_itimerval __user *in,
# struct compat_itimerval __user *out)
#
-probe syscall.compat_setitimer = kernel.function("compat_sys_setitimer") ? {
+probe syscall.compat_setitimer = kernel.function("compat_sys_setitimer") ?
+{
name = "setitimer"
which = $which
value_uaddr = $in
ovalue_uaddr = $out
- argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
+ argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
_struct_compat_itimerval_u($in), $out)
}
-probe syscall.compat_setitimer.return = kernel.function("compat_sys_setitimer").return ? {
+probe syscall.compat_setitimer.return = kernel.function("compat_sys_setitimer").return ?
+{
name = "setitimer"
retstr = returnstr(1)
}
@@ -1808,10 +1901,9 @@ probe syscall.compat_setitimer.return = kernel.function("compat_sys_setitimer").
# unsigned long __user *nmask,
# unsigned long maxnode)
#
-probe syscall.set_mempolicy =
- kernel.function("compat_sys_set_mempolicy") ?,
- kernel.function("SyS_set_mempolicy") !,
- kernel.function("sys_set_mempolicy") ?
+probe syscall.set_mempolicy = kernel.function("compat_sys_set_mempolicy") ?,
+ kernel.function("SyS_set_mempolicy") !,
+ kernel.function("sys_set_mempolicy") ?
{
name = "set_mempolicy"
mode = $mode
@@ -1819,10 +1911,9 @@ probe syscall.set_mempolicy =
maxnode = $maxnode
argstr = sprintf("%d, %p, %d", $mode, $nmask, $maxnode)
}
-probe syscall.set_mempolicy.return =
- kernel.function("compat_sys_set_mempolicy").return ?,
- kernel.function("SyS_set_mempolicy").return !,
- kernel.function("sys_set_mempolicy").return ?
+probe syscall.set_mempolicy.return = kernel.function("compat_sys_set_mempolicy").return ?,
+ kernel.function("SyS_set_mempolicy").return !,
+ kernel.function("sys_set_mempolicy").return ?
{
name = "set_mempolicy"
retstr = returnstr(1)
@@ -1835,14 +1926,16 @@ probe syscall.set_mempolicy.return =
# pid_t pgid)
#
probe syscall.setpgid = kernel.function("SyS_setpgid") !,
- kernel.function("sys_setpgid") {
+ kernel.function("sys_setpgid")
+{
name = "setpgid"
pid = $pid
pgid = $pgid
argstr = sprintf("%d, %d", $pid, $pgid)
}
probe syscall.setpgid.return = kernel.function("SyS_setpgid").return !,
- kernel.function("sys_setpgid").return {
+ kernel.function("sys_setpgid").return
+{
name = "setpgid"
retstr = returnstr(1)
}
@@ -1854,7 +1947,8 @@ probe syscall.setpgid.return = kernel.function("SyS_setpgid").return !,
# int niceval)
#
probe syscall.setpriority = kernel.function("SyS_setpriority") !,
- kernel.function("sys_setpriority") {
+ kernel.function("sys_setpriority")
+{
name = "setpriority"
which = $which
which_str = _priority_which_str($which)
@@ -1863,7 +1957,8 @@ probe syscall.setpriority = kernel.function("SyS_setpriority") !,
argstr = sprintf("%s, %d, %d", which_str, $who, $niceval)
}
probe syscall.setpriority.return = kernel.function("SyS_setpriority").return !,
- kernel.function("sys_setpriority").return {
+ kernel.function("sys_setpriority").return
+{
name = "setpriority"
retstr = returnstr(1)
}
@@ -1872,27 +1967,31 @@ probe syscall.setpriority.return = kernel.function("SyS_setpriority").return !,
# long sys_setregid(gid_t rgid, gid_t egid)
#
probe syscall.setregid = kernel.function("SyS_setregid") !,
- kernel.function("sys_setregid") {
+ kernel.function("sys_setregid")
+{
name = "setregid"
rgid = __int32($rgid)
egid = __int32($egid)
argstr = sprintf("%d, %d", rgid, egid)
}
probe syscall.setregid.return = kernel.function("SyS_setregid").return !,
- kernel.function("sys_setregid").return {
+ kernel.function("sys_setregid").return
+{
name = "setregid"
retstr = returnstr(1)
}
# setregid16 _________________________________________________
# long sys_setregid16(old_gid_t rgid, old_gid_t egid)
#
-probe syscall.setregid16 = kernel.function("sys_setregid16") ? {
+probe syscall.setregid16 = kernel.function("sys_setregid16") ?
+{
name = "setregid"
rgid = __short($rgid)
egid = __short($egid)
- argstr = sprintf("%d, %d",rgid, egid)
+ argstr = sprintf("%d, %d", rgid, egid)
}
-probe syscall.setregid16.return = kernel.function("sys_setregid16").return ? {
+probe syscall.setregid16.return = kernel.function("sys_setregid16").return ?
+{
name = "setregid"
retstr = returnstr(1)
}
@@ -1900,7 +1999,8 @@ probe syscall.setregid16.return = kernel.function("sys_setregid16").return ? {
# long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
#
probe syscall.setresgid = kernel.function("SyS_setresgid") !,
- kernel.function("sys_setresgid") {
+ kernel.function("sys_setresgid")
+{
name = "setresgid"
rgid = __int32($rgid)
egid = __int32($egid)
@@ -1908,7 +2008,8 @@ probe syscall.setresgid = kernel.function("SyS_setresgid") !,
argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
}
probe syscall.setresgid.return = kernel.function("SyS_setresgid").return !,
- kernel.function("sys_setresgid").return {
+ kernel.function("sys_setresgid").return
+{
name = "setresgid"
retstr = returnstr(1)
}
@@ -1918,14 +2019,16 @@ probe syscall.setresgid.return = kernel.function("SyS_setresgid").return !,
# old_gid_t egid,
# old_gid_t sgid)
#
-probe syscall.setresgid16 = kernel.function("sys_setresgid16") ? {
+probe syscall.setresgid16 = kernel.function("sys_setresgid16") ?
+{
name = "setresgid"
rgid = __short($rgid)
egid = __short($egid)
sgid = __short($sgid)
argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
}
-probe syscall.setresgid16.return = kernel.function("sys_setresgid16").return ? {
+probe syscall.setresgid16.return = kernel.function("sys_setresgid16").return ?
+{
name = "setresgid16"
retstr = returnstr(1)
}
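Review bot: The return probe for setresgid16 at the end of this hunk sets `name = "setresgid16"`, while its entry probe a few lines above sets `name = "setresgid"`, so a script that pairs entry and return events by `name` will not match them for 16-bit callers. The other 16-bit credential probes on this page (setregid16, setresuid16, setreuid16) use the unsuffixed name on both sides, so the likely intent is `name = "setresgid"` in the return probe. This matters for audit scripts that track credential changes by syscall name, since the result of a setresgid16 call is logged under a name no entry probe produces.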
@@ -1935,7 +2038,8 @@ probe syscall.setresgid16.return = kernel.function("sys_setresgid16").return ? {
# long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
#
probe syscall.setresuid = kernel.function("SyS_setresuid") !,
- kernel.function("sys_setresuid") {
+ kernel.function("sys_setresuid")
+{
name = "setresuid"
ruid = __int32($ruid)
euid = __int32($euid)
@@ -1943,7 +2047,8 @@ probe syscall.setresuid = kernel.function("SyS_setresuid") !,
argstr = sprintf("%d, %d, %d", ruid, euid, suid)
}
probe syscall.setresuid.return = kernel.function("SyS_setresuid").return !,
- kernel.function("sys_setresuid").return {
+ kernel.function("sys_setresuid").return
+{
name = "setresuid"
retstr = returnstr(1)
}
@@ -1952,14 +2057,16 @@ probe syscall.setresuid.return = kernel.function("SyS_setresuid").return !,
#
# long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
#
-probe syscall.setresuid16 = kernel.function("sys_setresuid16") ? {
+probe syscall.setresuid16 = kernel.function("sys_setresuid16") ?
+{
name = "setresuid"
ruid = __short($ruid)
euid = __short($euid)
suid = __short($suid)
argstr = sprintf("%d, %d, %d", ruid, euid, suid)
}
-probe syscall.setresuid16.return = kernel.function("sys_setresuid16").return ? {
+probe syscall.setresuid16.return = kernel.function("sys_setresuid16").return ?
+{
name = "setresuid"
retstr = returnstr(1)
}
@@ -1968,27 +2075,31 @@ probe syscall.setresuid16.return = kernel.function("sys_setresuid16").return ? {
# long sys_setreuid(uid_t ruid, uid_t euid)
#
probe syscall.setreuid = kernel.function("SyS_setreuid") !,
- kernel.function("sys_setreuid") {
+ kernel.function("sys_setreuid")
+{
name = "setreuid"
ruid = __int32($ruid)
euid = __int32($euid)
argstr = sprintf("%d, %d", ruid, euid)
}
probe syscall.setreuid.return = kernel.function("SyS_setreuid").return !,
- kernel.function("sys_setreuid").return {
+ kernel.function("sys_setreuid").return
+{
name = "setreuid"
retstr = returnstr(1)
}
# setreuid16 _________________________________________________
# long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
#
-probe syscall.setreuid16 = kernel.function("sys_setreuid16") ? {
+probe syscall.setreuid16 = kernel.function("sys_setreuid16") ?
+{
name = "setreuid"
ruid = __short($ruid)
euid = __short($euid)
argstr = sprintf("%d, %d", ruid, euid)
}
-probe syscall.setreuid16.return = kernel.function("sys_setreuid16").return ? {
+probe syscall.setreuid16.return = kernel.function("sys_setreuid16").return ?
+{
name = "setreuid"
retstr = returnstr(1)
}
@@ -1999,15 +2110,17 @@ probe syscall.setreuid16.return = kernel.function("sys_setreuid16").return ? {
# struct rlimit __user *rlim)
#
probe syscall.setrlimit = kernel.function("SyS_setrlimit") !,
- kernel.function("sys_setrlimit") {
+ kernel.function("sys_setrlimit")
+{
name = "setrlimit"
resource = $resource
rlim_uaddr = $rlim
argstr = sprintf("%s, %s", _rlimit_resource_str($resource),
- _struct_rlimit_u($rlim))
+ _struct_rlimit_u($rlim))
}
probe syscall.setrlimit.return = kernel.function("SyS_setrlimit").return !,
- kernel.function("sys_setrlimit").return {
+ kernel.function("sys_setrlimit").return
+{
name = "setrlimit"
retstr = returnstr(1)
}
@@ -2015,11 +2128,13 @@ probe syscall.setrlimit.return = kernel.function("SyS_setrlimit").return !,
#
# long sys_setsid(void)
#
-probe syscall.setsid = kernel.function("sys_setsid") {
+probe syscall.setsid = kernel.function("sys_setsid")
+{
name = "setsid"
argstr = ""
}
-probe syscall.setsid.return = kernel.function("sys_setsid").return {
+probe syscall.setsid.return = kernel.function("sys_setsid").return
+{
name = "setsid"
retstr = returnstr(1)
}
@@ -2032,10 +2147,9 @@ probe syscall.setsid.return = kernel.function("sys_setsid").return {
# char __user *optval,
# int optlen)
#
-probe syscall.setsockopt =
- kernel.function("compat_sys_setsockopt") ?,
- kernel.function("SyS_setsockopt") !,
- kernel.function("sys_setsockopt") ?
+probe syscall.setsockopt = kernel.function("compat_sys_setsockopt") ?,
+ kernel.function("SyS_setsockopt") !,
+ kernel.function("sys_setsockopt") ?
{
name = "setsockopt"
fd = $fd
@@ -2046,12 +2160,11 @@ probe syscall.setsockopt =
optval_uaddr = $optval
optlen = $optlen
argstr = sprintf("%d, %s, %s, %p, %d", $fd, level_str,
- optname_str, $optval, $optlen)
+ optname_str, $optval, $optlen)
}
-probe syscall.setsockopt.return =
- kernel.function("compat_sys_setsockopt").return ?,
- kernel.function("SyS_setsockopt").return !,
- kernel.function("sys_setsockopt").return ?
+probe syscall.setsockopt.return = kernel.function("compat_sys_setsockopt").return ?,
+ kernel.function("SyS_setsockopt").return !,
+ kernel.function("sys_setsockopt").return ?
{
name = "setsockopt"
retstr = returnstr(1)
@@ -2063,14 +2176,15 @@ probe syscall.setsockopt.return =
# sys_set_tid_address(int __user *tidptr)
#
probe syscall.set_tid_address = kernel.function("SyS_set_tid_address") !,
- kernel.function("sys_set_tid_address") {
+ kernel.function("sys_set_tid_address")
+{
name = "set_tid_address"
tidptr_uaddr = $tidptr
argstr = sprintf("%p", tidptr_uaddr)
}
-probe syscall.set_tid_address.return =
- kernel.function("SyS_set_tid_address").return !,
- kernel.function("sys_set_tid_address").return {
+probe syscall.set_tid_address.return = kernel.function("SyS_set_tid_address").return !,
+ kernel.function("sys_set_tid_address").return
+{
name = "set_tid_address"
retstr = returnstr(1)
}
@@ -2080,14 +2194,16 @@ probe syscall.set_tid_address.return =
# struct timezone __user *tz)
#
probe syscall.settimeofday = kernel.function("SyS_settimeofday") !,
- kernel.function("sys_settimeofday") {
+ kernel.function("sys_settimeofday")
+{
name = "settimeofday"
tv_uaddr = $tv
tz_uaddr = $tz
argstr = sprintf("%s, %s", _struct_timeval_u($tv, 1), _struct_timezone_u($tz))
}
probe syscall.settimeofday.return = kernel.function("SyS_settimeofday").return !,
- kernel.function("sys_settimeofday").return {
+ kernel.function("sys_settimeofday").return
+{
name = "settimeofday"
retstr = returnstr(1)
}
@@ -2095,18 +2211,16 @@ probe syscall.settimeofday.return = kernel.function("SyS_settimeofday").return !
# long sys32_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
# long compat_sys_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
#
-probe syscall.settimeofday32 =
- kernel.function("sys32_settimeofday") ?,
- kernel.function("compat_sys_settimeofday") ?
+probe syscall.settimeofday32 = kernel.function("sys32_settimeofday") ?,
+ kernel.function("compat_sys_settimeofday") ?
{
name = "settimeofday"
tv_uaddr = $tv
tz_uaddr = $tz
- argstr = sprintf("%s, %s", _struct_compat_timeval_u($tv, 1),_struct_timezone_u($tz))
+ argstr = sprintf("%s, %s", _struct_compat_timeval_u($tv, 1), _struct_timezone_u($tz))
}
-probe syscall.settimeofday32.return =
- kernel.function("sys32_settimeofday").return ?,
- kernel.function("compat_sys_settimeofday").return ?
+probe syscall.settimeofday32.return = kernel.function("sys32_settimeofday").return ?,
+ kernel.function("compat_sys_settimeofday").return ?
{
name = "settimeofday"
retstr = returnstr(1)
@@ -2117,19 +2231,17 @@ probe syscall.settimeofday32.return =
# long sys_setuid(uid_t uid)
# long sys_setuid16(old_uid_t uid)
#
-probe syscall.setuid =
- kernel.function("sys_setuid16") ?,
- kernel.function("SyS_setuid") !,
- kernel.function("sys_setuid")
+probe syscall.setuid = kernel.function("sys_setuid16") ?,
+ kernel.function("SyS_setuid") !,
+ kernel.function("sys_setuid")
{
name = "setuid"
uid = $uid
argstr = sprint($uid)
}
-probe syscall.setuid.return =
- kernel.function("sys_setuid16").return ?,
- kernel.function("SyS_setuid").return !,
- kernel.function("sys_setuid").return
+probe syscall.setuid.return = kernel.function("sys_setuid16").return ?,
+ kernel.function("SyS_setuid").return !,
+ kernel.function("sys_setuid").return
{
name = "setuid"
retstr = returnstr(1)
@@ -2143,7 +2255,8 @@ probe syscall.setuid.return =
# int flags)
#
probe syscall.setxattr = kernel.function("SyS_setxattr") !,
- kernel.function("sys_setxattr") {
+ kernel.function("sys_setxattr")
+{
name = "setxattr"
%( kernel_v >= "2.6.27" %?
path_uaddr = $pathname
@@ -2157,17 +2270,18 @@ probe syscall.setxattr = kernel.function("SyS_setxattr") !,
value_uaddr = $value
size = $size
flags = $flags
- argstr = sprintf("%s, %s, %p, %d, %d",
+ argstr = sprintf("%s, %s, %p, %d, %d",
%( kernel_v >= "2.6.27" %?
- user_string_quoted($pathname),
+ user_string_quoted($pathname),
%:
- user_string_quoted($path),
+ user_string_quoted($path),
%)
user_string_quoted($name),
value_uaddr, $size, $flags)
}
probe syscall.setxattr.return = kernel.function("SyS_setxattr").return !,
- kernel.function("sys_setxattr").return {
+ kernel.function("sys_setxattr").return
+{
name = "setxattr"
retstr = returnstr(1)
}
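Review bot: The `user_string_quoted($pathname)` / `user_string_quoted($path)` and `user_string_quoted($name)` arguments in `argstr` are sampled from user memory when the probe fires at function entry, and the probed function presumably copies them again afterwards, so another thread can change the buffer in between and the traced string may differ from the one the kernel acts on. That matters when this tapset feeds audit or detection scripts, and nothing near the probe says so. I would add a comment above `probe syscall.setxattr` such as `# NOTE: string arguments are sampled at entry; the kernel copies them again later, so argstr is advisory`. The same applies to the string arguments in the stat, statfs64, swapoff, swapon, symlink and symlinkat hunks below. The body of `syscall.setxattr` starts above this hunk.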
@@ -2175,11 +2289,13 @@ probe syscall.setxattr.return = kernel.function("SyS_setxattr").return !,
#
# sys_sgetmask(void)
#
-probe syscall.sgetmask = kernel.function("sys_sgetmask")? {
+probe syscall.sgetmask = kernel.function("sys_sgetmask") ?
+{
name = "sgetmask"
argstr = ""
}
-probe syscall.sgetmask.return = kernel.function("sys_sgetmask").return ? {
+probe syscall.sgetmask.return = kernel.function("sys_sgetmask").return ?
+{
name = "sgetmask"
retstr = returnstr(1)
}
@@ -2189,15 +2305,17 @@ probe syscall.sgetmask.return = kernel.function("sys_sgetmask").return ? {
# long sys_shmat(int shmid, char __user *shmaddr, int shmflg)
#
probe syscall.shmat = kernel.function("SyS_shmat") !,
- kernel.function("sys_shmat") ? {
- name = "shmat"
+ kernel.function("sys_shmat") ?
+{
+ name = "shmat"
shmid = $shmid
shmaddr_uaddr = $shmaddr
shmflg = $shmflg
argstr = sprintf("%d, %p, %s", $shmid, $shmaddr, _shmat_flags_str($shmflg))
}
probe syscall.shmat.return = kernel.function("SyS_shmat").return !,
- kernel.function("sys_shmat").return ? {
+ kernel.function("sys_shmat").return ?
+{
name = "shmat"
retstr = returnstr(1)
}
@@ -2206,7 +2324,8 @@ probe syscall.shmat.return = kernel.function("SyS_shmat").return !,
# long compat_sys_shmat(int first, int second, compat_uptr_t third,
# int version, void __user *uptr)
#
-probe syscall.compat_sys_shmat = kernel.function("compat_sys_shmat") ? {
+probe syscall.compat_sys_shmat = kernel.function("compat_sys_shmat") ?
+{
name = "compat_sys_shmat"
first = $first
second = $second
@@ -2214,7 +2333,8 @@ probe syscall.compat_sys_shmat = kernel.function("compat_sys_shmat") ? {
uptr_uaddr = $uptr
argstr = sprintf("%d, %d, %d, %d, %p", $first, $second, $third, $version, $uptr)
}
-probe syscall.compat_sys_shmat.return = kernel.function("compat_sys_shmat").return ? {
+probe syscall.compat_sys_shmat.return = kernel.function("compat_sys_shmat").return ?
+{
name = "compat_sys_shmat"
retstr = returnstr(1)
}
@@ -2226,7 +2346,8 @@ probe syscall.compat_sys_shmat.return = kernel.function("compat_sys_shmat").retu
# struct shmid_ds __user *buf)
#
probe syscall.shmctl = kernel.function("SyS_shmctl") !,
- kernel.function("sys_shmctl") ? {
+ kernel.function("sys_shmctl") ?
+{
name = "shmctl"
shmid = $shmid
cmd = $cmd
@@ -2234,7 +2355,8 @@ probe syscall.shmctl = kernel.function("SyS_shmctl") !,
argstr = sprintf("%d, %s, %p", $shmid, _semctl_cmd($cmd), $buf)
}
probe syscall.shmctl.return = kernel.function("SyS_shmctl").return !,
- kernel.function("sys_shmctl").return ? {
+ kernel.function("sys_shmctl").return ?
+{
name = "shmctl"
retstr = returnstr(1)
}
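Review bot: `argstr` for `syscall.shmctl` decodes `$cmd` with `_semctl_cmd`, a helper named for semctl whose definition is not visible here. The semaphore-only and shared-memory-only command numbers overlap in the kernel headers (SHM_LOCK and SHM_UNLOCK share values with GETPID and GETVAL), so unless the helper is shm-aware a trace would label a memory-lock request as a semaphore query. Until a shm-specific decoder exists I would print the raw value alongside, `argstr = sprintf("%d, %s (%d), %p", $shmid, _semctl_cmd($cmd), $cmd, $buf)`, or at least add `# FIXME: _semctl_cmd may mislabel SHM_* commands`. The probe body starts in the previous hunk.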
@@ -2242,14 +2364,16 @@ probe syscall.shmctl.return = kernel.function("SyS_shmctl").return !,
#
# long compat_sys_shmctl(int first, int second, void __user *uptr)
#
-probe syscall.compat_sys_shmctl = kernel.function("compat_sys_shmctl") ? {
+probe syscall.compat_sys_shmctl = kernel.function("compat_sys_shmctl") ?
+{
name = "compat_sys_shmctl"
first = $first
second = $second
uptr_uaddr = $uptr
argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
}
-probe syscall.compat_sys_shmctl.return = kernel.function("compat_sys_shmctl").return ? {
+probe syscall.compat_sys_shmctl.return = kernel.function("compat_sys_shmctl").return ?
+{
name = "compat_sys_shmctl"
retstr = returnstr(1)
}
@@ -2259,13 +2383,15 @@ probe syscall.compat_sys_shmctl.return = kernel.function("compat_sys_shmctl").re
# long sys_shmdt(char __user *shmaddr)
#
probe syscall.shmdt = kernel.function("SyS_shmdt") !,
- kernel.function("sys_shmdt") ? {
+ kernel.function("sys_shmdt") ?
+{
name = "shmdt"
shmaddr_uaddr = $shmaddr
argstr = sprintf("%p", $shmaddr)
}
probe syscall.shmdt.return = kernel.function("SyS_shmdt").return !,
- kernel.function("sys_shmdt").return ? {
+ kernel.function("sys_shmdt").return ?
+{
name = "shmdt"
retstr = returnstr(1)
}
@@ -2277,7 +2403,8 @@ probe syscall.shmdt.return = kernel.function("SyS_shmdt").return !,
# int shmflg)
#
probe syscall.shmget = kernel.function("SyS_shmget") !,
- kernel.function("sys_shmget") ? {
+ kernel.function("sys_shmget") ?
+{
name = "shmget"
key = $key
size = $size
@@ -2285,7 +2412,8 @@ probe syscall.shmget = kernel.function("SyS_shmget") !,
argstr = sprintf("%d, %d, %d", $key, $size, $shmflg)
}
probe syscall.shmget.return = kernel.function("SyS_shmget").return !,
- kernel.function("sys_shmget").return ? {
+ kernel.function("sys_shmget").return ?
+{
name = "shmget"
retstr = returnstr(1)
}
@@ -2295,7 +2423,8 @@ probe syscall.shmget.return = kernel.function("SyS_shmget").return !,
# long sys_shutdown(int fd, int how)
#
probe syscall.shutdown = kernel.function("SyS_shutdown") !,
- kernel.function("sys_shutdown") ? {
+ kernel.function("sys_shutdown") ?
+{
name = "shutdown"
s = $fd
how = $how
@@ -2303,7 +2432,8 @@ probe syscall.shutdown = kernel.function("SyS_shutdown") !,
argstr = sprintf("%d, %s", $fd, how_str)
}
probe syscall.shutdown.return = kernel.function("SyS_shutdown").return !,
- kernel.function("sys_shutdown").return ? {
+ kernel.function("sys_shutdown").return ?
+{
name = "shutdown"
retstr = returnstr(1)
}
@@ -2312,25 +2442,29 @@ probe syscall.shutdown.return = kernel.function("SyS_shutdown").return !,
# sys_sigaction(int sig, const struct old_sigaction __user *act, struct old_sigaction __user *oact)
# sys32_sigaction(int sig, struct old_sigaction32 __user *act, struct old_sigaction32 __user *oact)
#
-probe syscall.sigaction = kernel.function("sys_sigaction") ? {
+probe syscall.sigaction = kernel.function("sys_sigaction") ?
+{
name = "sigaction"
sig = $sig
act_uaddr = $act
oact_uaddr = $oact
argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_sigaction_u($act), $oact)
}
-probe syscall.sigaction.return = kernel.function("sys_sigaction").return ? {
+probe syscall.sigaction.return = kernel.function("sys_sigaction").return ?
+{
name = "sigaction"
retstr = returnstr(1)
}
-probe syscall.sigaction32 = kernel.function("sys32_sigaction") ? {
+probe syscall.sigaction32 = kernel.function("sys32_sigaction") ?
+{
name = "sigaction"
sig = $sig
act_uaddr = $act
oact_uaddr = $oact
argstr = sprintf("%s, %p, %p", _signal_name($sig), $act, $oact)
}
-probe syscall.sigaction32.return = kernel.function("sys32_sigaction").return ? {
+probe syscall.sigaction32.return = kernel.function("sys32_sigaction").return ?
+{
name = "sigaction"
retstr = returnstr(1)
}
@@ -2339,14 +2473,16 @@ probe syscall.sigaction32.return = kernel.function("sys32_sigaction").return ? {
# unsigned long sys_signal(int sig, __sighandler_t handler)
#
probe syscall.signal = kernel.function("SyS_signal") !,
- kernel.function("sys_signal") ? {
+ kernel.function("sys_signal") ?
+{
name = "signal"
sig = $sig
handler = $handler
argstr = sprintf("%s, %s", _signal_name($sig), _sighandler_str($handler))
}
probe syscall.signal.return = kernel.function("SyS_signal").return !,
- kernel.function("sys_signal").return ? {
+ kernel.function("sys_signal").return ?
+{
name = "signal"
retstr = returnstr(1)
}
@@ -2358,20 +2494,24 @@ probe syscall.signal.return = kernel.function("SyS_signal").return !,
# compat_size_t sigsetsize)
#
probe syscall.signalfd = kernel.function("SyS_signalfd") !,
- kernel.function("sys_signalfd") ? {
+ kernel.function("sys_signalfd") ?
+{
name = "signalfd"
argstr = sprintf("%d, %p, %d", $ufd, $user_mask, $sizemask)
}
probe syscall.signalfd.return = kernel.function("SyS_signalfd").return !,
- kernel.function("sys_signalfd").return ? {
+ kernel.function("sys_signalfd").return ?
+{
name = "signalfd"
retstr = returnstr(1)
}
-probe syscall.compat_signalfd = kernel.function("compat_sys_signalfd") ? {
+probe syscall.compat_signalfd = kernel.function("compat_sys_signalfd") ?
+{
name = "compat_signalfd"
argstr = sprintf("%d, %p, %d", $ufd, $sigmask, $sigsetsize)
}
-probe syscall.compat_signalfd.return = kernel.function("compat_sys_signalfd").return ? {
+probe syscall.compat_signalfd.return = kernel.function("compat_sys_signalfd").return ?
+{
name = "compat_signalfd"
retstr = returnstr(1)
}
@@ -2380,12 +2520,14 @@ probe syscall.compat_signalfd.return = kernel.function("compat_sys_signalfd").re
# long sys_sigpending(old_sigset_t __user *set)
#
probe syscall.sigpending = kernel.function("SyS_sigpending") !,
- kernel.function("sys_sigpending") ? {
+ kernel.function("sys_sigpending") ?
+{
name = "sigpending"
argstr = sprintf("%p", $set)
}
probe syscall.sigpending.return = kernel.function("SyS_sigpending").return !,
- kernel.function("sys_sigpending").return ? {
+ kernel.function("sys_sigpending").return ?
+{
name = "sigpending"
retstr = returnstr(1)
}
@@ -2394,7 +2536,7 @@ probe syscall.sigpending.return = kernel.function("SyS_sigpending").return !,
# long sys_sigprocmask(int how, old_sigset_t __user *set, old_sigset_t __user *oset)
#
probe syscall.sigprocmask = kernel.function("SyS_sigprocmask") !,
- kernel.function("sys_sigprocmask") ?
+ kernel.function("sys_sigprocmask") ?
{
name = "sigprocmask"
how = $how
@@ -2404,7 +2546,7 @@ probe syscall.sigprocmask = kernel.function("SyS_sigprocmask") !,
argstr = sprintf("%s, %p, %p", how_str, $set, $oset)
}
probe syscall.sigprocmask.return = kernel.function("SyS_sigprocmask").return !,
- kernel.function("sys_sigprocmask").return ?
+ kernel.function("sys_sigprocmask").return ?
{
name = "sigprocmask"
retstr = returnstr(1)
@@ -2413,33 +2555,29 @@ probe syscall.sigprocmask.return = kernel.function("SyS_sigprocmask").return !,
# sigreturn __________________________________________________
# int sys_sigreturn(unsigned long __unused)
#
-probe syscall.sigreturn =
- kernel.function("sys_sigreturn") ?,
- kernel.function("sys32_sigreturn") ?
+probe syscall.sigreturn = kernel.function("sys_sigreturn") ?,
+ kernel.function("sys32_sigreturn") ?
{
name = "sigreturn"
argstr = ""
}
-probe syscall.sigreturn.return =
- kernel.function("sys_sigreturn").return ?,
- kernel.function("sys32_sigreturn").return ?
+probe syscall.sigreturn.return = kernel.function("sys_sigreturn").return ?,
+ kernel.function("sys32_sigreturn").return ?
{
name = "sigreturn"
retstr = returnstr(1)
}
# sigsuspend _________________________________________________
-#
-probe syscall.sigsuspend =
- kernel.function("sys_sigsuspend") ?,
- kernel.function("sys32_sigsuspend") ?
+#
+probe syscall.sigsuspend = kernel.function("sys_sigsuspend") ?,
+ kernel.function("sys32_sigsuspend") ?
{
name = "sigsuspend"
argstr = ""
}
-probe syscall.sigsuspend.return =
- kernel.function("sys_sigsuspend").return ?,
- kernel.function("sys32_sigsuspend").return ?
+probe syscall.sigsuspend.return = kernel.function("sys_sigsuspend").return ?,
+ kernel.function("sys32_sigsuspend").return ?
{
name = "sigsuspend"
retstr = returnstr(1)
@@ -2449,17 +2587,19 @@ probe syscall.sigsuspend.return =
# long sys_socket(int family, int type, int protocol)
#
probe syscall.socket = kernel.function("SyS_socket") !,
- kernel.function("sys_socket") ? {
+ kernel.function("sys_socket") ?
+{
name = "socket"
family = $family
type = $type
protocol = $protocol
argstr = sprintf("%s, %s, %d", _sock_family_str($family),
- _sock_type_str($type),
- $protocol)
+ _sock_type_str($type),
+ $protocol)
}
probe syscall.socket.return = kernel.function("SyS_socket").return !,
- kernel.function("sys_socket").return ? {
+ kernel.function("sys_socket").return ?
+{
name = "socket"
retstr = returnstr(1)
}
@@ -2469,13 +2609,15 @@ probe syscall.socket.return = kernel.function("SyS_socket").return !,
#
# long sys_socketcall(int call, unsigned long __user *args)
#
-#probe syscall.socketcall = kernel.function("sys_socketcall") ? {
+#probe syscall.socketcall = kernel.function("sys_socketcall") ?
+#{
# name = "socketcall"
# call = $call
# args_uaddr = $args
# argstr = sprintf("%d, %p", $call, args_uaddr)
#}
-#probe syscall.socketcall.return = kernel.function("sys_socketcall").return ? {
+#probe syscall.socketcall.return = kernel.function("sys_socketcall").return ?
+#{
# name = "socketcall"
# retstr = returnstr(1)
#}
@@ -2487,19 +2629,21 @@ probe syscall.socket.return = kernel.function("SyS_socket").return !,
# int __user *usockvec)
#
probe syscall.socketpair = kernel.function("SyS_socketpair") !,
- kernel.function("sys_socketpair") ? {
+ kernel.function("sys_socketpair") ?
+{
name = "socketpair"
family = $family
type = $type
protocol = $protocol
sv_uaddr = $usockvec
- argstr = sprintf("%s, %s, %d, %p",
- _sock_family_str($family),
- _sock_type_str($type),
- $protocol, sv_uaddr)
+ argstr = sprintf("%s, %s, %d, %p",
+ _sock_family_str($family),
+ _sock_type_str($type),
+ $protocol, sv_uaddr)
}
probe syscall.socketpair.return = kernel.function("SyS_socketpair").return !,
- kernel.function("sys_socketpair").return ? {
+ kernel.function("sys_socketpair").return ?
+{
name = "socketpair"
retstr = returnstr(1)
}
@@ -2511,13 +2655,15 @@ probe syscall.socketpair.return = kernel.function("SyS_socketpair").return !,
# size_t len, unsigned int flags)
#
probe syscall.splice = kernel.function("SyS_splice") !,
- kernel.function("sys_splice") ? {
+ kernel.function("sys_splice") ?
+{
name = "splice"
argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
$fd_in, $off_in, $fd_out, $off_out, $len, $flags)
}
probe syscall.splice.return = kernel.function("SyS_splice").return !,
- kernel.function("sys_splice").return ? {
+ kernel.function("sys_splice").return ?
+{
name = "splice"
retstr = returnstr(1)
}
@@ -2527,13 +2673,15 @@ probe syscall.splice.return = kernel.function("SyS_splice").return !,
# long sys_ssetmask(int newmask)
#
probe syscall.ssetmask = kernel.function("SyS_ssetmask") !,
- kernel.function("sys_ssetmask") ? {
+ kernel.function("sys_ssetmask") ?
+{
name = "ssetmask"
newmask = $newmask
argstr = sprint($newmask)
}
probe syscall.ssetmask.return = kernel.function("SyS_ssetmask").return !,
- kernel.function("sys_ssetmask").return ? {
+ kernel.function("sys_ssetmask").return ?
+{
name = "ssetmask"
retstr = returnstr(1)
}
@@ -2544,15 +2692,14 @@ probe syscall.ssetmask.return = kernel.function("SyS_ssetmask").return !,
# long sys_stat64(char __user * filename, struct stat64 __user * statbuf)
# long sys_oabi_stat64(char __user * filename, struct oldabi_stat64 __user * statbuf)
# long compat_sys_newstat(char __user * filename, struct compat_stat __user *statbuf)
-probe syscall.stat =
- kernel.function("sys_stat") ?,
- kernel.function("SyS_newstat") ?,
- kernel.function("sys_newstat") ?,
- kernel.function("sys32_stat64") ?,
- kernel.function("SyS_stat64") ?,
- kernel.function("sys_stat64") ?,
- kernel.function("sys_oabi_stat64") ?,
- kernel.function("compat_sys_newstat") ?
+probe syscall.stat = kernel.function("sys_stat") ?,
+ kernel.function("SyS_newstat") ?,
+ kernel.function("sys_newstat") ?,
+ kernel.function("sys32_stat64") ?,
+ kernel.function("SyS_stat64") ?,
+ kernel.function("sys_stat64") ?,
+ kernel.function("sys_oabi_stat64") ?,
+ kernel.function("compat_sys_newstat") ?
{
name = "stat"
filename_uaddr = $filename
@@ -2560,15 +2707,14 @@ probe syscall.stat =
buf_uaddr = $statbuf
argstr = sprintf("%s, %p", user_string_quoted($filename), buf_uaddr)
}
-probe syscall.stat.return =
- kernel.function("sys_stat").return ?,
- kernel.function("SyS_newstat").return ?,
- kernel.function("sys_newstat").return ?,
- kernel.function("sys32_stat64").return ?,
- kernel.function("SyS_stat64").return ?,
- kernel.function("sys_stat64").return ?,
- kernel.function("sys_oabi_stat64").return ?,
- kernel.function("compat_sys_newstat").return ?
+probe syscall.stat.return = kernel.function("sys_stat").return ?,
+ kernel.function("SyS_newstat").return ?,
+ kernel.function("sys_newstat").return ?,
+ kernel.function("sys32_stat64").return ?,
+ kernel.function("SyS_stat64").return ?,
+ kernel.function("sys_stat64").return ?,
+ kernel.function("sys_oabi_stat64").return ?,
+ kernel.function("compat_sys_newstat").return ?
{
name = "stat"
retstr = returnstr(1)
@@ -2578,10 +2724,9 @@ probe syscall.stat.return =
# long sys_statfs(const char __user * path, struct statfs __user * buf)
# long compat_sys_statfs(const char __user *path, struct compat_statfs __user *buf)
#
-probe syscall.statfs =
- kernel.function("compat_sys_statfs") ?,
- kernel.function("SyS_statfs") !,
- kernel.function("sys_statfs") ?
+probe syscall.statfs = kernel.function("compat_sys_statfs") ?,
+ kernel.function("SyS_statfs") !,
+ kernel.function("sys_statfs") ?
{
name = "statfs"
buf_uaddr = $buf
@@ -2594,10 +2739,9 @@ probe syscall.statfs =
%)
}
-probe syscall.statfs.return =
- kernel.function("compat_sys_statfs").return ?,
- kernel.function("SyS_statfs").return !,
- kernel.function("sys_statfs").return ?
+probe syscall.statfs.return = kernel.function("compat_sys_statfs").return ?,
+ kernel.function("SyS_statfs").return !,
+ kernel.function("sys_statfs").return ?
{
name = "statfs"
retstr = returnstr(1)
@@ -2608,27 +2752,25 @@ probe syscall.statfs.return =
# long sys_statfs64(const char __user *path, size_t sz, struct statfs64 __user *buf)
# long compat_sys_statfs64(const char __user *path, compat_size_t sz, struct compat_statfs64 __user *buf)
#
-probe syscall.statfs64 =
- kernel.function("compat_sys_statfs64") ?,
- kernel.function("SyS_statfs64") !,
- kernel.function("sys_statfs64") ?
+probe syscall.statfs64 = kernel.function("compat_sys_statfs64") ?,
+ kernel.function("SyS_statfs64") !,
+ kernel.function("sys_statfs64") ?
{
name = "statfs"
sz = $sz
buf_uaddr = $buf
%( kernel_v >= "2.6.27" %?
path = user_string($pathname)
- argstr = sprintf("%s, %d, %p", user_string_quoted($pathname), $sz, $buf)
+ argstr = sprintf("%s, %d, %p", user_string_quoted($pathname), $sz, $buf)
%:
path = user_string($path)
- argstr = sprintf("%s, %d, %p", user_string_quoted($path), $sz, $buf)
+ argstr = sprintf("%s, %d, %p", user_string_quoted($path), $sz, $buf)
%)
}
-probe syscall.statfs64.return =
- kernel.function("compat_sys_statfs64").return ?,
- kernel.function("SyS_statfs64").return !,
- kernel.function("sys_statfs64").return ?
+probe syscall.statfs64.return = kernel.function("compat_sys_statfs64").return ?,
+ kernel.function("SyS_statfs64").return !,
+ kernel.function("sys_statfs64").return ?
{
name = "statfs"
retstr = returnstr(1)
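Review bot: Both `syscall.statfs64` and `syscall.statfs64.return` set `name = "statfs"`, so a script that filters or counts on `name` cannot tell statfs64 from statfs even though the argument list differs (`sz` is extra). Other probes in this file whose target has its own argument layout get their own name (`compat_sys_shmat`), so unless the shared name is deliberate I would use `name = "statfs64"` in both probes. The return probe's body continues past the end of this hunk.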
@@ -2639,20 +2781,18 @@ probe syscall.statfs64.return =
# long sys_stime(time_t __user *tptr)
# long compat_sys_stime(compat_time_t __user *tptr)
#
-probe syscall.stime =
- kernel.function("compat_sys_stime") ?,
- kernel.function("SyS_stime") !,
- kernel.function("sys_stime") ?
+probe syscall.stime = kernel.function("compat_sys_stime") ?,
+ kernel.function("SyS_stime") !,
+ kernel.function("sys_stime") ?
{
name = "stime"
t_uaddr = $tptr
- /* FIXME. Decode time */
+ /* FIXME. Decode time */
argstr = sprintf("%p", $tptr)
}
-probe syscall.stime.return =
- kernel.function("compat_sys_stime").return ?,
- kernel.function("SyS_stime").return !,
- kernel.function("sys_stime").return ?
+probe syscall.stime.return = kernel.function("compat_sys_stime").return ?,
+ kernel.function("SyS_stime").return !,
+ kernel.function("sys_stime").return ?
{
name = "stime"
retstr = returnstr(1)
@@ -2664,13 +2804,15 @@ probe syscall.stime.return =
# sys_swapoff(const char __user * specialfile)
#
probe syscall.swapoff = kernel.function("SyS_swapoff") !,
- kernel.function("sys_swapoff") ? {
+ kernel.function("sys_swapoff") ?
+{
name = "swapoff"
path = user_string($specialfile)
argstr = user_string_quoted($specialfile)
}
probe syscall.swapoff.return = kernel.function("SyS_swapoff").return !,
- kernel.function("sys_swapoff").return ? {
+ kernel.function("sys_swapoff").return ?
+{
name = "swapoff"
retstr = returnstr(1)
}
@@ -2681,14 +2823,16 @@ probe syscall.swapoff.return = kernel.function("SyS_swapoff").return !,
# int swap_flags)
#
probe syscall.swapon = kernel.function("SyS_swapon") !,
- kernel.function("sys_swapon") ? {
+ kernel.function("sys_swapon") ?
+{
name = "swapon"
path = user_string($specialfile)
swapflags = $swap_flags
argstr = sprintf("%s, %d", user_string_quoted($specialfile), swapflags)
}
probe syscall.swapon.return = kernel.function("SyS_swapon").return !,
- kernel.function("sys_swapon").return ? {
+ kernel.function("sys_swapon").return ?
+{
name = "swapon"
retstr = returnstr(1)
}
@@ -2697,15 +2841,17 @@ probe syscall.swapon.return = kernel.function("SyS_swapon").return !,
# long sys_symlink(const char __user * oldname,
# const char __user * newname)
probe syscall.symlink = kernel.function("SyS_symlink") !,
- kernel.function("sys_symlink") {
+ kernel.function("sys_symlink")
+{
name = "symlink"
oldpath = user_string($oldname)
newpath = user_string($newname)
argstr = sprintf("%s, %s", user_string_quoted($oldname),
- user_string_quoted($newname))
+ user_string_quoted($newname))
}
probe syscall.symlink.return = kernel.function("SyS_symlink").return !,
- kernel.function("sys_symlink").return {
+ kernel.function("sys_symlink").return
+{
name = "symlink"
retstr = returnstr(1)
}
@@ -2715,7 +2861,8 @@ probe syscall.symlink.return = kernel.function("SyS_symlink").return !,
# long sys_symlinkat(const char __user *oldname, int newdfd,
# const char __user *newname)
probe syscall.symlinkat = kernel.function("SyS_symlinkat") !,
- kernel.function("sys_symlinkat") ? {
+ kernel.function("sys_symlinkat") ?
+{
name = "symlinkat"
oldname = $oldname
oldname_str = user_string($oldname)
@@ -2727,7 +2874,8 @@ probe syscall.symlinkat = kernel.function("SyS_symlinkat") !,
newdfd_str, user_string_quoted($newname))
}
probe syscall.symlinkat.return = kernel.function("SyS_symlinkat").return !,
- kernel.function("sys_symlinkat").return ? {
+ kernel.function("sys_symlinkat").return ?
+{
name = "symlinkat"
retstr = returnstr(1)
}
@@ -2736,11 +2884,13 @@ probe syscall.symlinkat.return = kernel.function("SyS_symlinkat").return !,
#
# sys_sync(void)
#
-probe syscall.sync = kernel.function("sys_sync") {
+probe syscall.sync = kernel.function("sys_sync")
+{
name = "sync"
argstr = ""
}
-probe syscall.sync.return = kernel.function("sys_sync").return {
+probe syscall.sync.return = kernel.function("sys_sync").return
+{
name = "sync"
retstr = returnstr(1)
}
@@ -2749,18 +2899,16 @@ probe syscall.sync.return = kernel.function("sys_sync").return {
#
# long sys_sysctl(struct __sysctl_args __user *args)
#
-probe syscall.sysctl =
- kernel.function("compat_sys_sysctl") ?,
- kernel.function("SyS_sysctl") !,
- kernel.function("sys_sysctl") ?
+probe syscall.sysctl = kernel.function("compat_sys_sysctl") ?,
+ kernel.function("SyS_sysctl") !,
+ kernel.function("sys_sysctl") ?
{
name = "sysctl"
argstr = sprintf("%p", $args)
}
-probe syscall.sysctl.return =
- kernel.function("compat_sys_sysctl").return ?,
- kernel.function("SyS_sysctl").return !,
- kernel.function("sys_sysctl").return ?
+probe syscall.sysctl.return = kernel.function("compat_sys_sysctl").return ?,
+ kernel.function("SyS_sysctl").return !,
+ kernel.function("sys_sysctl").return ?
{
name = "sysctl"
retstr = returnstr(1)
@@ -2774,7 +2922,8 @@ probe syscall.sysctl.return =
# unsigned long arg2)
#
probe syscall.sysfs = kernel.function("SyS_sysfs") !,
- kernel.function("sys_sysfs") {
+ kernel.function("sys_sysfs")
+{
name = "sysfs"
option = $option
arg1 = $arg1
@@ -2789,7 +2938,8 @@ probe syscall.sysfs = kernel.function("SyS_sysfs") !,
argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
}
probe syscall.sysfs.return = kernel.function("SyS_sysfs").return !,
- kernel.function("sys_sysfs").return {
+ kernel.function("sys_sysfs").return
+{
name = "sysfs"
retstr = returnstr(1)
}
@@ -2797,19 +2947,17 @@ probe syscall.sysfs.return = kernel.function("SyS_sysfs").return !,
#
# long sys_sysinfo(struct sysinfo __user *info)
# long compat_sys_sysinfo(struct compat_sysinfo __user *info)
-probe syscall.sysinfo =
- kernel.function("compat_sys_sysinfo") ?,
- kernel.function("SyS_sysinfo") !,
- kernel.function("sys_sysinfo")
+probe syscall.sysinfo = kernel.function("compat_sys_sysinfo") ?,
+ kernel.function("SyS_sysinfo") !,
+ kernel.function("sys_sysinfo")
{
name = "sysinfo"
info_uaddr = $info
argstr = sprintf("%p", $info)
}
-probe syscall.sysinfo.return =
- kernel.function("compat_sys_sysinfo").return ?,
- kernel.function("SyS_sysinfo").return !,
- kernel.function("sys_sysinfo").return
+probe syscall.sysinfo.return = kernel.function("compat_sys_sysinfo").return ?,
+ kernel.function("SyS_sysinfo").return !,
+ kernel.function("sys_sysinfo").return
{
name = "sysinfo"
retstr = returnstr(1)
@@ -2820,7 +2968,8 @@ probe syscall.sysinfo.return =
# long sys_syslog(int type, char __user * buf, int len)
#
probe syscall.syslog = kernel.function("SyS_syslog") !,
- kernel.function("sys_syslog") {
+ kernel.function("sys_syslog")
+{
name = "syslog"
type = $type
bufp_uaddr = $buf
@@ -2828,7 +2977,8 @@ probe syscall.syslog = kernel.function("SyS_syslog") !,
argstr = sprintf("%d, %p, %d", $type, $buf, $len)
}
probe syscall.syslog.return = kernel.function("SyS_syslog").return !,
- kernel.function("sys_syslog").return {
+ kernel.function("sys_syslog").return
+{
name = "syslog"
retstr = returnstr(1)
}
@@ -2838,12 +2988,14 @@ probe syscall.syslog.return = kernel.function("SyS_syslog").return !,
# long sys_tee(int fdin, int fdout, size_t len, unsigned int flags)
#
probe syscall.tee = kernel.function("SyS_tee") !,
- kernel.function("sys_tee") ? {
+ kernel.function("sys_tee") ?
+{
name = "tee"
- argstr = sprintf("%d, %d, %d, 0x%x", $fdin, $fdout, $len, $flags)
+ argstr = sprintf("%d, %d, %d, 0x%x", $fdin, $fdout, $len, $flags)
}
probe syscall.tee.return = kernel.function("SyS_tee").return !,
- kernel.function("sys_tee").return ? {
+ kernel.function("sys_tee").return ?
+{
name = "tee"
retstr = returnstr(1)
}
@@ -2856,7 +3008,8 @@ probe syscall.tee.return = kernel.function("SyS_tee").return !,
# int sig)
#
probe syscall.tgkill = kernel.function("SyS_tgkill") !,
- kernel.function("sys_tgkill") {
+ kernel.function("sys_tgkill")
+{
name = "tgkill"
tgid = $tgid
pid = $pid
@@ -2864,7 +3017,8 @@ probe syscall.tgkill = kernel.function("SyS_tgkill") !,
argstr = sprintf("%d, %d, %s", $tgid, $pid, _signal_name($sig))
}
probe syscall.tgkill.return = kernel.function("SyS_tgkill").return !,
- kernel.function("sys_tgkill").return {
+ kernel.function("sys_tgkill").return
+{
name = "tgkill"
retstr = returnstr(1)
}
@@ -2875,23 +3029,21 @@ probe syscall.tgkill.return = kernel.function("SyS_tgkill").return !,
# long sys32_time(compat_time_t __user * tloc)
# long compat_sys_time(compat_time_t __user * tloc)
#
-probe syscall.time =
- kernel.function("sys32_time") ?,
- kernel.function("sys_time64") ?,
- kernel.function("compat_sys_time") ?,
- kernel.function("SyS_time") !,
- kernel.function("sys_time") ?
+probe syscall.time = kernel.function("sys32_time") ?,
+ kernel.function("sys_time64") ?,
+ kernel.function("compat_sys_time") ?,
+ kernel.function("SyS_time") !,
+ kernel.function("sys_time") ?
{
name = "time"
t_uaddr = $tloc
argstr = sprintf("%p", $tloc)
}
-probe syscall.time.return =
- kernel.function("sys32_time").return ?,
- kernel.function("sys_time64").return ?,
- kernel.function("compat_sys_time").return ?,
- kernel.function("SyS_time").return !,
- kernel.function("sys_time").return ?
+probe syscall.time.return = kernel.function("sys32_time").return ?,
+ kernel.function("sys_time64").return ?,
+ kernel.function("compat_sys_time").return ?,
+ kernel.function("SyS_time").return !,
+ kernel.function("sys_time").return ?
{
name = "time"
retstr = returnstr(1)
@@ -2904,7 +3056,8 @@ probe syscall.time.return =
# timer_t __user * created_timer_id)
#
probe syscall.timer_create = kernel.function("SyS_timer_create") !,
- kernel.function("sys_timer_create") {
+ kernel.function("sys_timer_create")
+{
name = "timer_create"
clockid = $which_clock
clockid_str = _get_wc_str($which_clock)
@@ -2912,9 +3065,9 @@ probe syscall.timer_create = kernel.function("SyS_timer_create") !,
timerid_uaddr = $created_timer_id
argstr = sprintf("%s, %p, %p", clockid_str, $timer_event_spec, $created_timer_id)
}
-probe syscall.timer_create.return =
- kernel.function("SyS_timer_create").return !,
- kernel.function("sys_timer_create").return {
+probe syscall.timer_create.return = kernel.function("SyS_timer_create").return !,
+ kernel.function("sys_timer_create").return
+{
name = "timer_create"
retstr = returnstr(1)
}
@@ -2924,13 +3077,15 @@ probe syscall.timer_create.return =
# long sys_timer_delete(timer_t timer_id)
#
probe syscall.timer_delete = kernel.function("SyS_timer_delete") !,
- kernel.function("sys_timer_delete") {
+ kernel.function("sys_timer_delete")
+{
name = "timer_delete"
timerid = $timer_id
argstr = sprint($timer_id)
}
probe syscall.timer_delete.return = kernel.function("SyS_timer_delete").return !,
- kernel.function("sys_timer_delete").return {
+ kernel.function("sys_timer_delete").return
+{
name = "timer_delete"
retstr = returnstr(1)
}
@@ -2940,14 +3095,15 @@ probe syscall.timer_delete.return = kernel.function("SyS_timer_delete").return !
# long sys_timer_getoverrun(timer_t timer_id)
#
probe syscall.timer_getoverrun = kernel.function("SyS_timer_getoverrun") !,
- kernel.function("sys_timer_getoverrun") {
+ kernel.function("sys_timer_getoverrun")
+{
name = "timer_getoverrun"
timerid = $timer_id
argstr = sprint($timer_id)
}
-probe syscall.timer_getoverrun.return =
- kernel.function("SyS_timer_getoverrun").return !,
- kernel.function("sys_timer_getoverrun").return {
+probe syscall.timer_getoverrun.return = kernel.function("SyS_timer_getoverrun").return !,
+ kernel.function("sys_timer_getoverrun").return
+{
name = "timer_getoverrun"
retstr = returnstr(1)
}
@@ -2958,15 +3114,16 @@ probe syscall.timer_getoverrun.return =
# struct itimerspec __user *setting)
#
probe syscall.timer_gettime = kernel.function("SyS_timer_gettime") !,
- kernel.function("sys_timer_gettime") {
+ kernel.function("sys_timer_gettime")
+{
name = "timer_gettime"
timerid = $timer_id
value_uaddr = $setting
argstr = sprintf("%d, %p", $timer_id, $setting)
}
-probe syscall.timer_gettime.return =
- kernel.function("SyS_timer_gettime").return !,
- kernel.function("sys_timer_gettime").return {
+probe syscall.timer_gettime.return = kernel.function("SyS_timer_gettime").return !,
+ kernel.function("sys_timer_gettime").return
+{
name = "timer_gettime"
retstr = returnstr(1)
}
@@ -2979,19 +3136,20 @@ probe syscall.timer_gettime.return =
# struct itimerspec __user *old_setting)
#
probe syscall.timer_settime = kernel.function("SyS_timer_settime") !,
- kernel.function("sys_timer_settime") {
+ kernel.function("sys_timer_settime")
+{
name = "timer_settime"
timerid = $timer_id
flags = $flags
value_uaddr = $new_setting
ovalue_uaddr = $old_setting
argstr = sprintf("%d, %d, %s, %p", $timer_id, $flags,
- _struct_itimerspec_u($new_setting),
- $old_setting)
+ _struct_itimerspec_u($new_setting),
+ $old_setting)
}
-probe syscall.timer_settime.return =
- kernel.function("SyS_timer_settime").return !,
- kernel.function("sys_timer_settime").return {
+probe syscall.timer_settime.return = kernel.function("SyS_timer_settime").return !,
+ kernel.function("sys_timer_settime").return
+{
name = "timer_settime"
retstr = returnstr(1)
}
@@ -3003,16 +3161,14 @@ probe syscall.timer_settime.return =
# long compat_sys_timerfd(int ufd, int clockid, int flags,
# const struct compat_itimerspec __user *utmr)
#
-probe syscall.timerfd =
- kernel.function("sys_timerfd") ?,
- kernel.function("compat_sys_timerfd") ?
+probe syscall.timerfd = kernel.function("sys_timerfd") ?,
+ kernel.function("compat_sys_timerfd") ?
{
name = "timerfd"
argstr = sprintf("%d, %d, 0x%x", $ufd, $clockid, $flags)
}
-probe syscall.timerfd.return =
- kernel.function("sys_timerfd").return ?,
- kernel.function("compat_sys_timerfd").return ?
+probe syscall.timerfd.return = kernel.function("sys_timerfd").return ?,
+ kernel.function("compat_sys_timerfd").return ?
{
name = "timerfd"
retstr = returnstr(1)
@@ -3022,18 +3178,16 @@ probe syscall.timerfd.return =
#
# long sys_times(struct tms __user * tbuf)
# long compat_sys_times(struct compat_tms __user *tbuf)
-probe syscall.times =
- kernel.function("compat_sys_times") ?,
- kernel.function("SyS_times") !,
- kernel.function("sys_times") ?
+probe syscall.times = kernel.function("compat_sys_times") ?,
+ kernel.function("SyS_times") !,
+ kernel.function("sys_times") ?
{
name = "times"
- argstr = sprintf("%p", $tbuf)
+ argstr = sprintf("%p", $tbuf)
}
-probe syscall.times.return =
- kernel.function("compat_sys_times").return ?,
- kernel.function("SyS_times").return !,
- kernel.function("sys_times").return ?
+probe syscall.times.return = kernel.function("compat_sys_times").return ?,
+ kernel.function("SyS_times").return !,
+ kernel.function("sys_times").return ?
{
name = "times"
retstr = returnstr(1)
@@ -3046,14 +3200,16 @@ probe syscall.times.return =
# int sig)
#
probe syscall.tkill = kernel.function("SyS_tkill") !,
- kernel.function("sys_tkill") {
+ kernel.function("sys_tkill")
+{
name = "tkill"
pid = $pid
sig = $sig
argstr = sprintf("%d, %s", $pid, _signal_name($sig))
}
probe syscall.tkill.return = kernel.function("SyS_tkill").return !,
- kernel.function("sys_tkill").return {
+ kernel.function("sys_tkill").return
+{
name = "tkill"
retstr = returnstr(1)
}
@@ -3064,8 +3220,9 @@ probe syscall.tkill.return = kernel.function("SyS_tkill").return !,
# sys_truncate64(const char __user * path, loff_t length)
#
probe syscall.truncate = kernel.function("SyS_truncate") !,
- kernel.function("sys_truncate") ?,
- kernel.function("sys_truncate64") ? {
+ kernel.function("sys_truncate") ?,
+ kernel.function("sys_truncate64") ?
+{
name = "truncate"
path_uaddr = $path
path = user_string($path)
@@ -3073,8 +3230,9 @@ probe syscall.truncate = kernel.function("SyS_truncate") !,
argstr = sprintf("%s, %d", user_string_quoted($path), $length)
}
probe syscall.truncate.return = kernel.function("SyS_truncate").return !,
- kernel.function("sys_truncate").return ?,
- kernel.function("sys_truncate64").return ? {
+ kernel.function("sys_truncate").return ?,
+ kernel.function("sys_truncate64").return ?
+{
name = "truncate"
retstr = returnstr(1)
}
@@ -3082,13 +3240,15 @@ probe syscall.truncate.return = kernel.function("SyS_truncate").return !,
# tux ________________________________________________________
# long sys_tux (unsigned int action, user_req_t *u_info)
#
-probe syscall.tux = kernel.function("sys_tux") ? {
+probe syscall.tux = kernel.function("sys_tux") ?
+{
name = "tux"
action = $action
u_info_uaddr = $u_info
argstr = sprintf("%d, %p", $action, $u_info)
}
-probe syscall.tux.return = kernel.function("sys_tux").return ? {
+probe syscall.tux.return = kernel.function("sys_tux").return ?
+{
name = "tux"
retstr = returnstr(1)
}
@@ -3097,13 +3257,15 @@ probe syscall.tux.return = kernel.function("sys_tux").return ? {
# long sys_umask(int mask)
#
probe syscall.umask = kernel.function("SyS_umask") !,
- kernel.function("sys_umask") {
+ kernel.function("sys_umask")
+{
name = "umask"
mask = $mask
argstr = sprintf("%#o", $mask)
}
probe syscall.umask.return = kernel.function("SyS_umask").return !,
- kernel.function("sys_umask").return {
+ kernel.function("sys_umask").return
+{
name = "umask"
retstr = returnstr(3)
}
@@ -3112,7 +3274,8 @@ probe syscall.umask.return = kernel.function("SyS_umask").return !,
# long sys_umount(char __user * name, int flags)
#
probe syscall.umount = kernel.function("SyS_umount") !,
- kernel.function("sys_umount") {
+ kernel.function("sys_umount")
+{
name = "umount"
target = user_string($name)
flags = $flags
@@ -3120,7 +3283,8 @@ probe syscall.umount = kernel.function("SyS_umount") !,
argstr = sprintf("%s, %s", user_string_quoted($name), flags_str)
}
probe syscall.umount.return = kernel.function("SyS_umount").return !,
- kernel.function("sys_umount").return {
+ kernel.function("sys_umount").return
+{
name = "umount"
retstr = returnstr(1)
}
@@ -3132,25 +3296,23 @@ probe syscall.umount.return = kernel.function("SyS_umount").return !,
# int sys32_olduname(struct oldold_utsname __user * name)
# long sys32_uname(struct old_utsname __user * name)
#
-probe syscall.uname =
- kernel.function("sys_uname") ?,
- kernel.function("sys_olduname") ?,
- kernel.function("sys32_olduname") ?,
- kernel.function("sys32_uname") ?,
- kernel.function("SyS_newuname") !,
- kernel.function("sys_newuname") ?
+probe syscall.uname = kernel.function("sys_uname") ?,
+ kernel.function("sys_olduname") ?,
+ kernel.function("sys32_olduname") ?,
+ kernel.function("sys32_uname") ?,
+ kernel.function("SyS_newuname") !,
+ kernel.function("sys_newuname") ?
{
name = "uname"
argstr = sprintf("%p", $name)
}
-probe syscall.uname.return =
- kernel.function("sys_uname").return ?,
- kernel.function("sys_olduname").return ?,
- kernel.function("sys32_olduname").return ?,
- kernel.function("sys32_uname").return ?,
- kernel.function("SyS_newuname").return !,
- kernel.function("sys_newuname").return ?
+probe syscall.uname.return = kernel.function("sys_uname").return ?,
+ kernel.function("sys_olduname").return ?,
+ kernel.function("sys32_olduname").return ?,
+ kernel.function("sys32_uname").return ?,
+ kernel.function("SyS_newuname").return !,
+ kernel.function("sys_newuname").return ?
{
name = "uname"
retstr = returnstr(1)
@@ -3160,14 +3322,16 @@ probe syscall.uname.return =
# long sys_unlink(const char __user * pathname)
#
probe syscall.unlink = kernel.function("SyS_unlink") !,
- kernel.function("sys_unlink") {
+ kernel.function("sys_unlink")
+{
name = "unlink"
pathname_uaddr = $pathname
pathname = user_string($pathname)
argstr = user_string_quoted($pathname)
}
probe syscall.unlink.return = kernel.function("SyS_unlink").return !,
- kernel.function("sys_unlink").return {
+ kernel.function("sys_unlink").return
+{
name = "unlink"
retstr = returnstr(1)
}
@@ -3177,7 +3341,8 @@ probe syscall.unlink.return = kernel.function("SyS_unlink").return !,
# long sys_unlinkat(int dfd, const char __user *pathname,
# int flag)
probe syscall.unlinkat = kernel.function("SyS_unlinkat") !,
- kernel.function("sys_unlinkat") ? {
+ kernel.function("sys_unlinkat") ?
+{
name = "unlinkat"
dfd = $dfd
dfd_str = _dfd_str($dfd)
@@ -3188,7 +3353,8 @@ probe syscall.unlinkat = kernel.function("SyS_unlinkat") !,
argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted($pathname), flag_str)
}
probe syscall.unlinkat.return = kernel.function("SyS_unlinkat").return !,
- kernel.function("sys_unlinkat").return ? {
+ kernel.function("sys_unlinkat").return ?
+{
name = "unlinkat"
retstr = returnstr(1)
}
@@ -3197,13 +3363,15 @@ probe syscall.unlinkat.return = kernel.function("SyS_unlinkat").return !,
# new function with 2.6.16
# long sys_unshare(unsigned long unshare_flags)
probe syscall.unshare = kernel.function("SyS_unshare") !,
- kernel.function("sys_unshare") ? {
+ kernel.function("sys_unshare") ?
+{
name = "unshare"
unshare_flags = $unshare_flags
argstr = __fork_flags(unshare_flags)
}
probe syscall.unshare.return = kernel.function("SyS_unshare").return !,
- kernel.function("sys_unshare").return ? {
+ kernel.function("sys_unshare").return ?
+{
name = "unshare"
retstr = returnstr(1)
}
@@ -3214,14 +3382,16 @@ probe syscall.unshare.return = kernel.function("SyS_unshare").return !,
# sys_uselib(const char __user * library)
#
probe syscall.uselib = kernel.function("SyS_uselib") !,
- kernel.function("sys_uselib") {
+ kernel.function("sys_uselib")
+{
name = "uselib"
library_uaddr = $library
library = user_string($library)
argstr = user_string_quoted($library)
}
probe syscall.uselib.return = kernel.function("SyS_uselib").return !,
- kernel.function("sys_uselib").return {
+ kernel.function("sys_uselib").return
+{
name = "uselib"
retstr = returnstr(1)
}
@@ -3229,7 +3399,8 @@ probe syscall.uselib.return = kernel.function("SyS_uselib").return !,
# long sys_ustat(unsigned dev, struct ustat __user * ubuf)
#
probe syscall.ustat = kernel.function("SyS_ustat") !,
- kernel.function("sys_ustat") {
+ kernel.function("sys_ustat")
+{
name = "ustat"
dev = $dev
ubuf_uaddr = $ubuf
@@ -3237,16 +3408,16 @@ probe syscall.ustat = kernel.function("SyS_ustat") !,
}
#long sys32_ustat(unsigned dev, struct ustat32 __user *u32p)
-probe syscall.ustat32 = kernel.function("sys32_ustat") ? {
+probe syscall.ustat32 = kernel.function("sys32_ustat") ?
+{
name = "ustat"
dev = $dev
argstr = sprintf("%d, %p", $dev, $u32p)
}
-probe syscall.ustat.return =
- kernel.function("SyS_ustat").return ?,
- kernel.function("sys_ustat").return?,
- kernel.function("sys32_ustat").return ?
+probe syscall.ustat.return = kernel.function("SyS_ustat").return ?,
+ kernel.function("sys_ustat").return ?,
+ kernel.function("sys32_ustat").return ?
{
name = "ustat"
retstr = returnstr(1)
@@ -3255,7 +3426,8 @@ probe syscall.ustat.return =
# utime ______________________________________________________
# long sys_utime(char __user * filename, struct utimbuf __user * times)
probe syscall.utime = kernel.function("SyS_utime") !,
- kernel.function("sys_utime") ? {
+ kernel.function("sys_utime") ?
+{
name = "utime"
filename_uaddr = $filename
filename = user_string($filename)
@@ -3263,16 +3435,18 @@ probe syscall.utime = kernel.function("SyS_utime") !,
actime = _struct_utimbuf_actime(buf_uaddr)
modtime = _struct_utimbuf_modtime(buf_uaddr)
argstr = sprintf("%s, [%s, %s]", user_string_quoted($filename),
- ctime(actime), ctime(modtime))
+ ctime(actime), ctime(modtime))
}
probe syscall.utime.return = kernel.function("SyS_utime").return !,
- kernel.function("sys_utime").return ? {
+ kernel.function("sys_utime").return ?
+{
name = "utime"
retstr = returnstr(1)
}
# long compat_sys_utime(char __user *filename, struct compat_utimbuf __user *t)
-probe syscall.compat_utime = kernel.function("compat_sys_utime") ? {
+probe syscall.compat_utime = kernel.function("compat_sys_utime") ?
+{
name = "utime"
filename_uaddr = $filename
filename = user_string($filename)
@@ -3280,9 +3454,10 @@ probe syscall.compat_utime = kernel.function("compat_sys_utime") ? {
actime = _struct_compat_utimbuf_actime(buf_uaddr)
modtime = _struct_compat_utimbuf_modtime(buf_uaddr)
argstr = sprintf("%s, [%s, %s]", user_string_quoted($filename),
- ctime(actime), ctime(modtime))
+ ctime(actime), ctime(modtime))
}
-probe syscall.compat_utime.return = kernel.function("compat_sys_utime").return ? {
+probe syscall.compat_utime.return = kernel.function("compat_sys_utime").return ?
+{
name = "utime"
retstr = returnstr(1)
}
@@ -3292,16 +3467,18 @@ probe syscall.compat_utime.return = kernel.function("compat_sys_utime").return ?
# long sys_utimes(char __user * filename, struct timeval __user * utimes)
#
probe syscall.utimes = kernel.function("SyS_utimes") !,
- kernel.function("sys_utimes") {
+ kernel.function("sys_utimes")
+{
name = "utimes"
filename_uaddr = $filename
filename = user_string($filename)
tvp_uaddr = $utimes
- argstr = sprintf("%s, %s", user_string_quoted($filename),
+ argstr = sprintf("%s, %s", user_string_quoted($filename),
_struct_timeval_u($utimes, 2))
}
probe syscall.utimes.return = kernel.function("SyS_utimes").return !,
- kernel.function("sys_utimes").return {
+ kernel.function("sys_utimes").return
+{
name = "utimes"
retstr = returnstr(1)
}
@@ -3309,13 +3486,15 @@ probe syscall.utimes.return = kernel.function("SyS_utimes").return !,
#
# long compat_sys_utimes(char __user *filename, struct compat_timeval __user *t)
#
-probe syscall.compat_sys_utimes = kernel.function("compat_sys_utimes") ? {
+probe syscall.compat_sys_utimes = kernel.function("compat_sys_utimes") ?
+{
name = "utimes"
filename = user_string($filename)
argstr = sprintf("%s, %s", user_string_quoted($filename),
- _struct_compat_timeval_u($t, 2))
+ _struct_compat_timeval_u($t, 2))
}
-probe syscall.compat_sys_utimes.return = kernel.function("compat_sys_utimes").return ? {
+probe syscall.compat_sys_utimes.return = kernel.function("compat_sys_utimes").return ?
+{
name = "utimes"
retstr = returnstr(1)
}
@@ -3323,24 +3502,28 @@ probe syscall.compat_sys_utimes.return = kernel.function("compat_sys_utimes").re
# utimensat ____________________________________________________
# long sys_utimensat(int dfd, char __user *filename, struct timespec __user *utimes, int flags)
# long compat_sys_utimensat(unsigned int dfd, char __user *filename, struct compat_timespec __user *t, int flags)
-#
+#
probe syscall.utimensat = kernel.function("SyS_utimensat") !,
- kernel.function("sys_utimensat") ? {
+ kernel.function("sys_utimensat") ?
+{
name = "utimensat"
- argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timespec_u($utimes,2),
+ argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timespec_u($utimes, 2),
_at_flag_str($flags))
}
-probe syscall.compat_utimensat = kernel.function("compat_sys_utimensat") ? {
+probe syscall.compat_utimensat = kernel.function("compat_sys_utimensat") ?
+{
name = "utimensat"
- argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timespec_u($t,2),
+ argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timespec_u($t, 2),
_at_flag_str($flags))
}
probe syscall.utimensat.return = kernel.function("SyS_utimensat").return !,
- kernel.function("sys_utimensat").return ? {
+ kernel.function("sys_utimensat").return ?
+{
name = "utimensat"
retstr = returnstr(1)
}
-probe syscall.compat_utimensat.return = kernel.function("compat_sys_utimensat").return ? {
+probe syscall.compat_utimensat.return = kernel.function("compat_sys_utimensat").return ?
+{
name = "utimensat"
retstr = returnstr(1)
}
@@ -3350,11 +3533,13 @@ probe syscall.compat_utimensat.return = kernel.function("compat_sys_utimensat")
# asmlinkage long
# sys_vhangup(void)
#
-probe syscall.vhangup = kernel.function("sys_vhangup") {
+probe syscall.vhangup = kernel.function("sys_vhangup")
+{
name = "vhangup"
argstr = ""
}
-probe syscall.vhangup.return = kernel.function("sys_vhangup").return {
+probe syscall.vhangup.return = kernel.function("sys_vhangup").return
+{
name = "vhangup"
retstr = returnstr(1)
}
@@ -3367,20 +3552,24 @@ probe syscall.vhangup.return = kernel.function("sys_vhangup").return {
# unsigned int nr_segs, unsigned int flags)
#
probe syscall.vmsplice = kernel.function("SyS_vmsplice") !,
- kernel.function("sys_vmsplice") ? {
+ kernel.function("sys_vmsplice") ?
+{
name = "vmsplice"
argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
}
-probe syscall.compat_vmsplice = kernel.function("compat_sys_vmsplice") ? {
+probe syscall.compat_vmsplice = kernel.function("compat_sys_vmsplice") ?
+{
name = "vmsplice"
argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov32, $nr_segs, $flags)
}
probe syscall.vmsplice.return = kernel.function("SyS_vmsplice").return !,
- kernel.function("sys_vmsplice").return ? {
+ kernel.function("sys_vmsplice").return ?
+{
name = "vmsplice"
retstr = returnstr(1)
}
-probe syscall.compat_vmsplice.return = kernel.function("compat_sys_vmsplice").return ? {
+probe syscall.compat_vmsplice.return = kernel.function("compat_sys_vmsplice").return ?
+{
name = "vmsplice"
retstr = returnstr(1)
}
@@ -3393,7 +3582,8 @@ probe syscall.compat_vmsplice.return = kernel.function("compat_sys_vmsplice").re
# struct rusage __user *ru)
#
probe syscall.wait4 = kernel.function("SyS_wait4") !,
- kernel.function("sys_wait4") {
+ kernel.function("sys_wait4")
+{
name = "wait4"
pid = %( kernel_vr >= "2.6.25" %? $upid %: $pid%)
status_uaddr = $stat_addr
@@ -3401,11 +3591,12 @@ probe syscall.wait4 = kernel.function("SyS_wait4") !,
options_str = _wait4_opt_str($options)
rusage_uaddr = $ru
argstr = sprintf("%d, %p, %s, %p",
- %( kernel_vr >= "2.6.25" %? $upid %: $pid%),
- $stat_addr,_wait4_opt_str($options), $ru)
+ %( kernel_vr >= "2.6.25" %? $upid %: $pid%),
+ $stat_addr, _wait4_opt_str($options), $ru)
}
probe syscall.wait4.return = kernel.function("SyS_wait4").return !,
- kernel.function("sys_wait4").return {
+ kernel.function("sys_wait4").return
+{
name = "wait4"
retstr = returnstr(1)
}
@@ -3418,7 +3609,8 @@ probe syscall.wait4.return = kernel.function("SyS_wait4").return !,
# struct rusage __user *ru)
#
probe syscall.waitid = kernel.function("SyS_waitid") !,
- kernel.function("sys_waitid") {
+ kernel.function("sys_waitid")
+{
name = "waitid"
pid = %( kernel_vr >= "2.6.25" %? $upid %: $pid%)
which = $which
@@ -3428,11 +3620,12 @@ probe syscall.waitid = kernel.function("SyS_waitid") !,
options_str = _waitid_opt_str($options)
rusage_uaddr = $ru
argstr = sprintf("%d, %d, %p, %s, %p", $which,
- %( kernel_vr >= "2.6.25" %? $upid %: $pid%), $infop,
- _waitid_opt_str($options), $ru)
+ %( kernel_vr >= "2.6.25" %? $upid %: $pid%), $infop,
+ _waitid_opt_str($options), $ru)
}
probe syscall.waitid.return = kernel.function("SyS_waitid").return !,
- kernel.function("sys_waitid").return {
+ kernel.function("sys_waitid").return
+{
name = "waitid"
retstr = returnstr(1)
}
@@ -3445,7 +3638,8 @@ probe syscall.waitid.return = kernel.function("SyS_waitid").return !,
# struct rusage __user *ru)
#
probe syscall.waitpid = kernel.function("SyS_wait4") !,
- kernel.function("sys_wait4") {
+ kernel.function("sys_wait4")
+{
name = "waitpid"
pid = $pid
status_uaddr = $stat_addr
@@ -3453,10 +3647,11 @@ probe syscall.waitpid = kernel.function("SyS_wait4") !,
options_str = _wait4_opt_str($options)
rusage_uaddr = $ru
argstr = sprintf("%d, %p, %s, %p", $pid, $stat_addr,
- options_str, $ru)
+ options_str, $ru)
}
probe syscall.waitpid.return = kernel.function("SyS_wait4").return !,
- kernel.function("sys_wait4").return {
+ kernel.function("sys_wait4").return
+{
name = "waitpid"
retstr = returnstr(1)
}
@@ -3469,15 +3664,17 @@ probe syscall.waitpid.return = kernel.function("SyS_wait4").return !,
# size_t count)
#
probe syscall.write = kernel.function("SyS_write") !,
- kernel.function("sys_write") {
+ kernel.function("sys_write")
+{
name = "write"
fd = $fd
buf_uaddr = $buf
count = $count
- argstr = sprintf("%d, %s, %d", $fd, text_strn(user_string($buf),syscall_string_trunc,1), $count)
+ argstr = sprintf("%d, %s, %d", $fd, text_strn(user_string($buf), syscall_string_trunc, 1), $count)
}
probe syscall.write.return = kernel.function("SyS_write").return !,
- kernel.function("sys_write").return {
+ kernel.function("sys_write").return
+{
name = "write"
retstr = returnstr(1)
}
@@ -3487,19 +3684,18 @@ probe syscall.write.return = kernel.function("SyS_write").return !,
# ssize_t sys_writev(unsigned long fd,
# const struct iovec __user *vec,
# unsigned long vlen)
-# ssize_t compat_sys_writev(unsigned long fd,
-# const struct compat_iovec __user *vec,
+# ssize_t compat_sys_writev(unsigned long fd,
+# const struct compat_iovec __user *vec,
# unsigned long vlen)
#
-probe syscall.writev =
- kernel.function("compat_sys_writev") ?,
- kernel.function("SyS_writev") !,
- kernel.function("sys_writev")
+probe syscall.writev = kernel.function("compat_sys_writev") ?,
+ kernel.function("SyS_writev") !,
+ kernel.function("sys_writev")
{
name = "writev"
vector_uaddr = $vec
count = $vlen
-/* FIXME: RHEL4 U3 ppc64 can't resolve $fd */
+/* FIXME: RHEL4 U3 ppc64 can't resolve $fd */
%( arch != "ppc64" %?
fd = $fd
argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
@@ -3507,10 +3703,9 @@ probe syscall.writev =
argstr = sprintf("unknown fd, %p, %d", $vec, $vlen)
%)
}
-probe syscall.writev.return =
- kernel.function("compat_sys_writev").return ?,
- kernel.function("SyS_writev").return !,
- kernel.function("sys_writev").return
+probe syscall.writev.return = kernel.function("compat_sys_writev").return ?,
+ kernel.function("SyS_writev").return !,
+ kernel.function("sys_writev").return
{
name = "writev"
retstr = returnstr(1)
diff --git a/tapset/timestamp_gtod.stp b/tapset/timestamp_gtod.stp
index 43b127dc..b916a3b1 100644
--- a/tapset/timestamp_gtod.stp
+++ b/tapset/timestamp_gtod.stp
@@ -7,23 +7,10 @@
// Public License (GPL); either version 2, or (at your option) any
// later version.
-function _gettimeofday_init:long() %{
- THIS->__retvalue = _stp_init_time(); /* Kick off the Big Bang. */
+%{
+#define STAP_NEED_GETTIMEOFDAY 1
%}
-probe begin(-0x8000000000000000) {
- if (_gettimeofday_init() != 0)
- error("couldn't initialize gettimeofday")
-}
-
-function _gettimeofday_kill() %{
- _stp_kill_time(); /* Go to a beach. Drink a beer. */
-%}
-
-probe end(0x7FFFFFFFFFFFFFFF), error(0x7FFFFFFFFFFFFFFF) {
- _gettimeofday_kill()
-}
-
/**
* sfunction gettimeofday_ns - Number of nanoseconds since UNIX epoch.
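Review bot: The new `%{ #define STAP_NEED_GETTIMEOFDAY 1 %}` block has no comment saying what consumes the macro. The removed `begin` probe was also the only visible place where a failed `_stp_init_time()` became `error("couldn't initialize gettimeofday")`. Presumably the runtime now does the init and teardown when it sees this macro, but that is not visible in this hunk. It is worth confirming that an init failure still stops the script instead of letting the gettimeofday functions hand out unusable timestamps. I would add a comment inside the block such as `/* Tells the runtime to initialise and shut down the time state the gettimeofday_*() functions depend on. */`, adjusted to whatever the runtime actually does.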
diff --git a/tapset/ucontext-unwind.stp b/tapset/ucontext-unwind.stp
index 0801f1c9..df275d4b 100644
--- a/tapset/ucontext-unwind.stp
+++ b/tapset/ucontext-unwind.stp
@@ -41,7 +41,6 @@ function print_ubacktrace () %{
* string length. Returns empty string when current probe point cannot
* determine user backtrace.
*/
-
function ubacktrace:string () %{ /* pure */
if (CONTEXT->regs)
_stp_stack_snprint (THIS->__retvalue, MAXSTRINGLEN,
diff --git a/tapset/x86_64/nd_syscalls.stp b/tapset/x86_64/nd_syscalls.stp
new file mode 100644
index 00000000..6a3a984b
--- /dev/null
+++ b/tapset/x86_64/nd_syscalls.stp
@@ -0,0 +1,187 @@
+# x86_64-specific system calls
+
+# arch_prctl _________________________________________________
+# long sys_arch_prctl(int code, unsigned long addr)
+#
+# NOTE: x86_64 only.
+#
+probe nd_syscall.arch_prctl = kprobe.function("sys_arch_prctl")
+{
+ name = "arch_prctl"
+ // code = $code
+ // addr = $addr
+ // argstr = sprintf("%d, %p", $code, $addr)
+ // NB: no asmlinkage()
+ code = int_arg(1)
+ addr = ulong_arg(2)
+ argstr = sprintf("%d, %p", code, addr)
+}
+probe nd_syscall.arch_prctl.return = kprobe.function("sys_arch_prctl").return
+{
+ name = "arch_prctl"
+ retstr = returnstr(1)
+}
+
+# iopl _______________________________________________________
+# long sys_iopl(unsigned int level, struct pt_regs *regs);
+# NOTE. This function is only in i386 and x86_64 and its args vary
+# between those two archs.
+#
+probe nd_syscall.iopl = kprobe.function("sys_iopl")
+{
+ name = "iopl"
+// %( kernel_vr == "*xen" %?
+// level = $new_iopl
+// %:
+// level = $level
+// %)
+ asmlinkage()
+ level = int_arg(1)
+ argstr = sprint(level)
+}
+probe nd_syscall.iopl.return = kprobe.function("sys_iopl").return
+{
+ name = "iopl"
+ retstr = returnstr(1)
+}
+
+# sigaltstack ________________________________________________
+# long sys_sigaltstack(const stack_t __user *uss, stack_t __user *uoss,
+# struct pt_regs *regs)
+#
+# NOTE: args vary between archs.
+#
+probe nd_syscall.sigaltstack = kprobe.function("sys_sigaltstack")
+{
+ name = "sigaltstack"
+ // uss_uaddr = $uss
+ // uoss_uaddr = $uoss
+ // regs_uaddr = $regs
+ // argstr = sprintf("%p, %p", $uss, $uoss)
+ asmlinkage()
+ uss_uaddr = pointer_arg(1)
+ uoss_uaddr = pointer_arg(2)
+ regs_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p", uss_uaddr, uoss_uaddr)
+}
+probe nd_syscall.sigaltstack.return = kprobe.function("sys_sigaltstack").return
+{
+ name = "sigaltstack"
+ retstr = returnstr(1)
+}
+
+# sysctl _____________________________________________________
+#
+# long sys32_sysctl(struct sysctl_ia32 __user *args32)
+#
+probe nd_syscall.sysctl32 = kprobe.function("sys32_sysctl") ?
+{
+ name = "sysctl"
+ // argstr = sprintf("%p", $args32)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.sysctl32.return = kprobe.function("sys32_sysctl").return ?
+{
+ name = "sysctl"
+ retstr = returnstr(1)
+}
+
+# mmap
+# long sys_mmap(unsigned long addr, unsigned long len,
+# unsigned long prot, unsigned long flags,
+# unsigned long fd, unsigned long off)
+probe nd_syscall.mmap = kprobe.function("sys_mmap") ?
+{
+ name = "mmap"
+ // start = $addr
+ // len = $len
+ // prot = $prot
+ // flags = $flags
+ // fd = $fd
+ // offset = $off
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
+ // _mprotect_prot_str($prot), _mmap_flags($flags), $fd, $off)
+ asmlinkage()
+ start = ulong_arg(1)
+ len = ulong_arg(2)
+ prot = ulong_arg(3)
+ flags = ulong_arg(4)
+ fd = ulong_arg(5)
+ offset = ulong_arg(6)
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", start, len,
+ _mprotect_prot_str(prot), _mmap_flags(flags), fd, offset)
+}
+probe nd_syscall.mmap.return = kprobe.function("sys_mmap").return ?
+{
+ name = "mmap"
+ retstr = returnstr(2)
+}
+
+#
+# sys32_mmap(struct mmap_arg_struct __user *arg)
+#
+probe nd_syscall.mmap32 = kprobe.function("sys32_mmap")
+{
+ name = "mmap"
+ // argstr = get_mmap_args($arg)
+ asmlinkage()
+ argstr = get_mmap_args(pointer_arg(1))
+}
+probe nd_syscall.mmap32.return = kprobe.function("sys32_mmap").return
+{
+ name = "mmap"
+ retstr = returnstr(2)
+}
+
+# sys32_mmap2(unsigned long addr, unsigned long len,
+# unsigned long prot, unsigned long flags,
+# unsigned long fd, unsigned long pgoff)
+#
+probe nd_syscall.mmap2 = kprobe.function("sys32_mmap2")
+{
+ name = "mmap2"
+ // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
+ // _mprotect_prot_str($prot), _mmap_flags($flags), $fd, $pgoff)
+ asmlinkage()
+ argstr = sprintf("%p, %d, %s, %s, %d, %d", ulong_arg(1), ulong_arg(2),
+ _mprotect_prot_str(ulong_arg(3)), _mmap_flags(ulong_arg(4)),
+ ulong_arg(5), ulong_arg(6))
+}
+probe nd_syscall.mmap2.return = kprobe.function("sys32_mmap2").return
+{
+ name = "mmap2"
+ retstr = returnstr(2)
+}
+
+# vm86_warning _____________________________________________________
+#
+# long sys32_vm86_warning(void)
+#
+probe nd_syscall.vm86_warning = kprobe.function("sys32_vm86_warning")
+{
+ name = "vm86_warning"
+ argstr = ""
+}
+probe nd_syscall.vm86_warning.return = kprobe.function("sys32_vm86_warning").return
+{
+ name = "wm86_warning"
+ retstr = returnstr(1)
+}
+
+# pipe _______________________________________________________
+#
+# long sys32_pipe(int __user *fd)
+#
+probe nd_syscall.pipe32 = kprobe.function("sys32_pipe")
+{
+ name = "pipe"
+ // argstr = sprintf("%p", $fd)
+ asmlinkage()
+ argstr = sprintf("%p", pointer_arg(1))
+}
+probe nd_syscall.pipe32.return = kprobe.function("sys32_pipe").return
+{
+ name = "pipe"
+ retstr = returnstr(1)
+}
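Review bot: The `nd_syscall.vm86_warning.return` probe sets `name = "wm86_warning"`, which does not match the `"vm86_warning"` set by the entry probe just above it. A script that pairs entry and return events by `name`, or filters a trace on it, will miss or mislabel the return; the line should read `name = "vm86_warning"`. The same string appears as a context line in `syscall.vm86_warning.return` in tapset/x86_64/syscalls.stp later in this commit, so the typo looks copied from there and is worth fixing in both files. Separately, only `sysctl32` and `mmap` carry the `?` optional marker in this file; if the other `sys32_*` functions can be absent on some kernel configurations, their probes probably need it too.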
diff --git a/tapset/x86_64/registers.stp b/tapset/x86_64/registers.stp
index 2e21f3eb..48ba3119 100644
--- a/tapset/x86_64/registers.stp
+++ b/tapset/x86_64/registers.stp
@@ -235,11 +235,9 @@ function u64_arg:long (argnum:long) {
return ulonglong_arg(argnum)
}
-function asmlinkage() {
-}
+function asmlinkage() %{ /* pure */ %}
-function fastcall() {
-}
+function fastcall() %{ /* pure */ %}
function regparm(n:long) %{
if (_stp_probing_32bit_app(CONTEXT->regs) &&
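Review bot: `asmlinkage()` and `fastcall()` become empty embedded-C bodies marked `/* pure */`, with no comment saying why they do nothing on this architecture. The new nd_syscalls probes in this commit call `asmlinkage()` before reading `int_arg()` and `pointer_arg()`, so a reader will wonder whether the call matters here. A one-line comment above each would answer that, e.g. `/* No-op on x86_64; kept so probe bodies can call it unconditionally. */`, with the wording to be confirmed by the author. The hunk ends inside `regparm`, whose body is not visible here.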
diff --git a/tapset/x86_64/syscalls.stp b/tapset/x86_64/syscalls.stp
index ad16878f..c0cb8139 100644
--- a/tapset/x86_64/syscalls.stp
+++ b/tapset/x86_64/syscalls.stp
@@ -5,13 +5,15 @@
#
# NOTE: x86_64 only.
#
-probe syscall.arch_prctl = kernel.function("sys_arch_prctl") {
+probe syscall.arch_prctl = kernel.function("sys_arch_prctl")
+{
name = "arch_prctl"
code = $code
addr = $addr
argstr = sprintf("%d, %p", $code, $addr)
}
-probe syscall.arch_prctl.return = kernel.function("sys_arch_prctl").return {
+probe syscall.arch_prctl.return = kernel.function("sys_arch_prctl").return
+{
name = "arch_prctl"
retstr = returnstr(1)
}
@@ -21,7 +23,8 @@ probe syscall.arch_prctl.return = kernel.function("sys_arch_prctl").return {
# NOTE. This function is only in i386 and x86_64 and its args vary
# between those two archs.
#
-probe syscall.iopl = kernel.function("sys_iopl") {
+probe syscall.iopl = kernel.function("sys_iopl")
+{
name = "iopl"
%( kernel_vr == "*xen" %?
level = $new_iopl
@@ -30,7 +33,8 @@ probe syscall.iopl = kernel.function("sys_iopl") {
%)
argstr = sprint(level)
}
-probe syscall.iopl.return = kernel.function("sys_iopl").return {
+probe syscall.iopl.return = kernel.function("sys_iopl").return
+{
name = "iopl"
retstr = returnstr(1)
}
@@ -41,14 +45,16 @@ probe syscall.iopl.return = kernel.function("sys_iopl").return {
#
# NOTE: args vary between archs.
#
-probe syscall.sigaltstack = kernel.function("sys_sigaltstack") {
+probe syscall.sigaltstack = kernel.function("sys_sigaltstack")
+{
name = "sigaltstack"
uss_uaddr = $uss
uoss_uaddr = $uoss
regs_uaddr = $regs
argstr = sprintf("%p, %p", $uss, $uoss)
}
-probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
+probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return
+{
name = "sigaltstack"
retstr = returnstr(1)
}
@@ -57,11 +63,13 @@ probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
#
# long sys32_sysctl(struct sysctl_ia32 __user *args32)
#
-probe syscall.sysctl32 = kernel.function("sys32_sysctl") ? {
+probe syscall.sysctl32 = kernel.function("sys32_sysctl") ?
+{
name = "sysctl"
argstr = sprintf("%p", $args32)
}
-probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ? {
+probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ?
+{
name = "sysctl"
retstr = returnstr(1)
}
@@ -70,7 +78,8 @@ probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ? {
# long sys_mmap(unsigned long addr, unsigned long len,
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long off)
-probe syscall.mmap = kernel.function("sys_mmap") ? {
+probe syscall.mmap = kernel.function("sys_mmap") ?
+{
name = "mmap"
start = $addr
len = $len
@@ -82,19 +91,22 @@ probe syscall.mmap = kernel.function("sys_mmap") ? {
_mprotect_prot_str($prot), _mmap_flags($flags), $fd, $off)
}
-probe syscall.mmap.return = kernel.function("sys_mmap").return ? {
+probe syscall.mmap.return = kernel.function("sys_mmap").return ?
+{
name = "mmap"
retstr = returnstr(2)
}
#
# sys32_mmap(struct mmap_arg_struct __user *arg)
#
-probe syscall.mmap32 = kernel.function("sys32_mmap") {
+probe syscall.mmap32 = kernel.function("sys32_mmap")
+{
name = "mmap"
argstr = get_mmap_args($arg)
}
-probe syscall.mmap32.return = kernel.function("sys32_mmap").return {
+probe syscall.mmap32.return = kernel.function("sys32_mmap").return
+{
name = "mmap"
retstr = returnstr(2)
}
@@ -103,13 +115,15 @@ probe syscall.mmap32.return = kernel.function("sys32_mmap").return {
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long pgoff)
#
-probe syscall.mmap2 = kernel.function("sys32_mmap2") {
+probe syscall.mmap2 = kernel.function("sys32_mmap2")
+{
name = "mmap2"
argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
_mprotect_prot_str($prot), _mmap_flags($flags), $fd, $pgoff)
}
-probe syscall.mmap2.return = kernel.function("sys32_mmap2").return {
+probe syscall.mmap2.return = kernel.function("sys32_mmap2").return
+{
name = "mmap2"
retstr = returnstr(2)
}
@@ -118,11 +132,13 @@ probe syscall.mmap2.return = kernel.function("sys32_mmap2").return {
#
# long sys32_vm86_warning(void)
#
-probe syscall.vm86_warning = kernel.function("sys32_vm86_warning") {
+probe syscall.vm86_warning = kernel.function("sys32_vm86_warning")
+{
name = "vm86_warning"
argstr = ""
}
-probe syscall.vm86_warning.return = kernel.function("sys32_vm86_warning").return {
+probe syscall.vm86_warning.return = kernel.function("sys32_vm86_warning").return
+{
name = "wm86_warning"
retstr = returnstr(1)
}
@@ -130,11 +146,13 @@ probe syscall.vm86_warning.return = kernel.function("sys32_vm86_warning").return
#
# long sys32_pipe(int __user *fd)
#
-probe syscall.pipe32 = kernel.function("sys32_pipe") {
+probe syscall.pipe32 = kernel.function("sys32_pipe")
+{
name = "pipe"
argstr = sprintf("%p", $fd)
}
-probe syscall.pipe32.return = kernel.function("sys32_pipe").return {
+probe syscall.pipe32.return = kernel.function("sys32_pipe").return
+{
name = "pipe"
retstr = returnstr(1)
}