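# Syscall probe aliases (i386-flavoured set).
#
# Conventions shared by every alias below:
#   name   - the syscall name, set by both the entry and the .return alias.
#   argstr - entry aliases only: a printable rendering of the arguments.
#            Pointers are shown as [0x%p]; strings obtained with
#            user_string() are read from the caller's memory at probe time,
#            so they are an observability aid and may differ from what the
#            kernel later copies in (the process can change the buffer in
#            between) - do not treat argstr as an authoritative audit record.
#   retstr - .return aliases only: returnstr(1) renders the return value in
#            decimal; mmap2 uses returnstr(2) so the mapped address is hex.

# fstat ______________________________________________________
# long sys_fstat(unsigned int fd, struct __old_kernel_stat __user * statbuf)
probe syscall.fstat = kernel.function("sys_fstat") {
	name = "fstat"
	filedes = $fd
	buf_uaddr = $statbuf
	argstr = sprintf("%d, [0x%p]", filedes, buf_uaddr)
}
probe syscall.fstat.return = kernel.function("sys_fstat").return {
	name = "fstat"
	retstr = returnstr(1)
}

# getegid16 __________________________________________________
# long sys_getegid16(void)
probe syscall.getegid16 = kernel.function("sys_getegid16") {
	name = "getegid16"
}
probe syscall.getegid16.return = kernel.function("sys_getegid16").return {
	name = "getegid16"
	retstr = returnstr(1)
}

# geteuid16 __________________________________________________
# long sys_geteuid16(void)
probe syscall.geteuid16 = kernel.function("sys_geteuid16") {
	name = "geteuid16"
}
probe syscall.geteuid16.return = kernel.function("sys_geteuid16").return {
	name = "geteuid16"
	retstr = returnstr(1)
}

# getgid16 ___________________________________________________
# long sys_getgid16(void)
probe syscall.getgid16 = kernel.function("sys_getgid16") {
	name = "getgid16"
}
probe syscall.getgid16.return = kernel.function("sys_getgid16").return {
	name = "getgid16"
	retstr = returnstr(1)
}

# getgroups16 ________________________________________________
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
probe syscall.getgroups16 = kernel.function("sys_getgroups16") {
	name = "getgroups16"
	size = $gidsetsize
	list_uaddr = $grouplist
	argstr = sprintf("%d, [0x%p]", size, list_uaddr)
}
probe syscall.getgroups16.return = kernel.function("sys_getgroups16").return {
	name = "getgroups16"
	retstr = returnstr(1)
}

# getuid16 ___________________________________________________
# long sys_getuid16(void)
probe syscall.getuid16 = kernel.function("sys_getuid16") {
	name = "getuid16"
}
probe syscall.getuid16.return = kernel.function("sys_getuid16").return {
	name = "getuid16"
	retstr = returnstr(1)
}

# lstat ______________________________________________________
# long sys_lstat(char __user * filename, struct __old_kernel_stat __user * statbuf)
probe syscall.lstat = kernel.function("sys_lstat") {
	name = "lstat"
	file_name = user_string($filename)
	buf_uaddr = $statbuf
	argstr = sprintf("%s, [0x%p]", file_name, buf_uaddr)
}
probe syscall.lstat.return = kernel.function("sys_lstat").return {
	# Every other .return alias in this file reports the bare syscall name;
	# "lstat.return" was the one outlier.
	name = "lstat"
	retstr = returnstr(1)
}

# mmap2 ______________________________________________________
# long sys_mmap2(unsigned long addr, unsigned long len,
#                unsigned long prot, unsigned long flags,
#                unsigned long fd, unsigned long pgoff)
probe syscall.mmap2 = kernel.function("sys_mmap2") {
	name = "mmap2"
	start = $addr
	length = $len
	prot = $prot
	flags = $flags
	fd = $fd
	pgoffset = $pgoff
	# prot/flags are decoded symbolically (e.g. PROT_*/MAP_*) by helpers
	# defined elsewhere in the tapset.
	argstr = sprintf("0x%p, %d, %s, %s, %d, 0x%p", start, length,
			 _mprotect_prot_str(prot), _mmap_flags(flags), fd, pgoffset)
}
probe syscall.mmap2.return = kernel.function("sys_mmap2").return {
	name = "mmap2"
	# The return value is an address, hence the hex rendering.
	retstr = returnstr(2)
}

# setgroups16 ________________________________________________
#
# asmlinkage long
# sys_setgroups16(int gidsetsize,
#                 old_gid_t __user *grouplist)
#
probe syscall.setgroups16 = kernel.function("sys_setgroups16") {
	name = "setgroups16"
	size = $gidsetsize
	list_uaddr = $grouplist
	# Same argument shape as getgroups16; render it the same way instead of
	# leaving argstr empty.
	argstr = sprintf("%d, [0x%p]", size, list_uaddr)
}
probe syscall.setgroups16.return = kernel.function("sys_setgroups16").return {
	name = "setgroups16"
	retstr = returnstr(1)
}

# stat _______________________________________________________
#
# asmlinkage long
# sys_stat(char __user * filename,
#          struct __old_stat __user * statbuf)
#
probe syscall.stat = kernel.function("sys_stat") {
	name = "stat"
	filename_uaddr = $filename
	filename = user_string($filename)
	buf_uaddr = $statbuf
	argstr = sprintf("%s, [0x%p]", filename, buf_uaddr)
}
probe syscall.stat.return = kernel.function("sys_stat").return {
	name = "stat"
	retstr = returnstr(1)
}

# acct _______________________________________________________
# long sys_acct(const char __user *name)
probe syscall.acct = kernel.function("sys_acct") {
	name = "acct"
	filename = user_string($name)
	argstr = filename
}
probe syscall.acct.return = kernel.function("sys_acct").return {
	name = "acct"
	retstr = returnstr(1)
}

# add_key ____________________________________________________
# long sys_add_key(const char __user *_type,
#                  const char __user *_description,
#                  const void __user *_payload,
#                  size_t plen,
#                  key_serial_t ringid)
probe syscall.add_key = kernel.function("sys_add_key") {
	name = "add_key"
	type_uaddr = $_type
	description_uaddr = $_description
	# Misspelled legacy name kept so existing scripts that read it keep
	# working; new scripts should use description_uaddr.
	description_auddr = $_description
	payload_uaddr = $_payload
	plen = $plen
	ringid = $ringid
	# The payload is key material: only its address and length are
	# reported, never its contents.
	argstr = sprintf("%s, %s, [0x%p], %d, %d", user_string($_type),
			 user_string($_description), payload_uaddr, plen, ringid)
}
probe syscall.add_key.return = kernel.function("sys_add_key").return {
	name = "add_key"
	retstr = returnstr(1)
}

# quotactl ___________________________________________________
#
# asmlinkage long
# sys_quotactl(unsigned int cmd,
#              const char __user *special,
#              qid_t id,
#              void __user *addr)
#
probe syscall.quotactl = kernel.function("sys_quotactl") {
	name = "quotactl"
	cmd = $cmd
	cmd_str = _quotactl_cmd_str($cmd)
	special_str = user_string($special)
	id = $id
	addr_uaddr = $addr
	argstr = sprintf("%s, %s, 0x%p, [0x%p]", cmd_str, special_str, id, addr_uaddr)
}
probe syscall.quotactl.return = kernel.function("sys_quotactl").return {
	name = "quotactl"
	retstr = returnstr(1)
}

# request_key ________________________________________________
#
# asmlinkage long
# sys_request_key(const char __user *_type,
#                 const char __user *_description,
#                 const char __user *_callout_info,
#                 key_serial_t destringid)
#
probe syscall.request_key = kernel.function("sys_request_key") {
	name = "request_key"
	type_uaddr = $_type
	description_uaddr = $_description
	callout_info_uaddr = $_callout_info
	destringid = $destringid
	argstr = sprintf("[0x%p], [0x%p], [0x%p], 0x%p", type_uaddr,
			 description_uaddr, callout_info_uaddr, destringid)
}
probe syscall.request_key.return = kernel.function("sys_request_key").return {
	name = "request_key"
	retstr = returnstr(1)
}

# fcntl64 ____________________________________________________
/*
 * asmlinkage long
 * sys_fcntl64(unsigned int fd,
 *             unsigned int cmd,
 *             unsigned long arg)
 */
probe syscall.fcntl64 = kernel.function("sys_fcntl64") {
	name = "fcntl64"
	fd = $fd
	cmd = $cmd
	cmd_str = _fcntl_cmd_str($cmd)
	arg = $arg
	argstr = sprintf("%d, %s, 0x%p", $fd, cmd_str, $arg)
}
probe syscall.fcntl64.return = kernel.function("sys_fcntl64").return {
	name = "fcntl64"
	retstr = returnstr(1)
}

# fstat64 ____________________________________________________
/*
 * asmlinkage long
 * sys_fstat64(unsigned long fd,
 *             struct stat64 __user * statbuf)
 */
probe syscall.fstat64 = kernel.function("sys_fstat64") {
	name = "fstat64"
	fd = $fd
	buf_uaddr = $statbuf
	argstr = sprintf("%d, [0x%p]", $fd, buf_uaddr)
}
probe syscall.fstat64.return = kernel.function("sys_fstat64").return {
	name = "fstat64"
	retstr = returnstr(1)
}

# get_thread_area ____________________________________________
/*
 * asmlinkage int
 * sys_get_thread_area(struct user_desc __user *u_info)
 */
probe syscall.get_thread_area = kernel.function("sys_get_thread_area") {
	name = "get_thread_area"
	u_info_uaddr = $u_info
	argstr = sprintf("[0x%p]", u_info_uaddr)
}
probe syscall.get_thread_area.return = kernel.function("sys_get_thread_area").return {
	name = "get_thread_area"
	retstr = returnstr(1)
}

# inotify_add_watch __________________________________________
/*
 * asmlinkage long
 * sys_inotify_add_watch(int fd,
 *                       const char __user *path,
 *                       u32 mask)
 */
probe syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") {
	name = "inotify_add_watch"
	fd = $fd
	path_uaddr = $path
	path = user_string($path)
	mask = $mask
	argstr = sprintf("%d, %s, %d", $fd, path, $mask)
}
probe syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return {
	name = "inotify_add_watch"
	retstr = returnstr(1)
}

# inotify_init _______________________________________________
/*
 * asmlinkage long
 * sys_inotify_init(void)
 */
probe syscall.inotify_init = kernel.function("sys_inotify_init") {
	name = "inotify_init"
}
probe syscall.inotify_init.return = kernel.function("sys_inotify_init").return {
	name = "inotify_init"
	retstr = returnstr(1)
}

# inotify_rm_watch ___________________________________________
/*
 * asmlinkage long
 * sys_inotify_rm_watch(int fd,
 *                      u32 wd)
 */
probe syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") {
	name = "inotify_rm_watch"
	fd = $fd
	wd = $wd
	argstr = sprintf("%d, %d", $fd, $wd)
}
probe syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return {
	name = "inotify_rm_watch"
	retstr = returnstr(1)
}

# iopl _______________________________________________________
/*
 * asmlinkage long
 * sys_iopl(unsigned long unused)
 */
probe syscall.iopl = kernel.function("sys_iopl") {
	name = "iopl"
	# NOTE(review): the prototype names this argument "unused"; whether
	# it really carries the requested I/O privilege level on this kernel
	# is not established here - treat "level" as best-effort.
	level = $unused
	argstr = sprint($unused)
}
probe syscall.iopl.return = kernel.function("sys_iopl").return {
	name = "iopl"
	retstr = returnstr(1)
}

# ioprio_get _________________________________________________
/*
 * asmlinkage long
 * sys_ioprio_get(int which,
 *                int who)
 */
probe syscall.ioprio_get = kernel.function("sys_ioprio_get") {
	name = "ioprio_get"
	which = $which
	who = $who
	argstr = sprintf("%d, %d", $which, $who)
}
probe syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return {
	name = "ioprio_get"
	retstr = returnstr(1)
}

# ioprio_set _________________________________________________
/*
 * asmlinkage long
 * sys_ioprio_set(int which,
 *                int who,
 *                int ioprio)
 */
probe syscall.ioprio_set = kernel.function("sys_ioprio_set") {
	name = "ioprio_set"
	which = $which
	who = $who
	ioprio = $ioprio
	argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
}
probe syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return {
	name = "ioprio_set"
	retstr = returnstr(1)
}

# ipc ________________________________________________________
/*
 * asmlinkage int
 * sys_ipc(uint call,
 *         int first,
 *         int second,
 *         int third,
 *         void __user *ptr,
 *         long fifth)
 */
probe syscall.ipc = kernel.function("sys_ipc") {
	name = "ipc"
	call = $call
	first = $first
	second = $second
	third = $third
	ptr_uaddr = $ptr
	fifth = $fifth
	argstr = sprintf("%d, %d, %d, %d, [0x%p], %d", $call, $first, $second,
			 $third, ptr_uaddr, $fifth)
}
probe syscall.ipc.return = kernel.function("sys_ipc").return {
	name = "ipc"
	retstr = returnstr(1)
}

# lstat64 ____________________________________________________
/*
 * asmlinkage long
 * sys_lstat64(char __user * filename,
 *             struct stat64 __user * statbuf)
 */
probe syscall.lstat64 = kernel.function("sys_lstat64") {
	name = "lstat64"
	filename_uaddr = $filename
	filename = user_string($filename)
	buf_uaddr = $statbuf
	argstr = sprintf("%s, [0x%p]", filename, buf_uaddr)
}
probe syscall.lstat64.return = kernel.function("sys_lstat64").return {
	name = "lstat64"
	retstr = returnstr(1)
}

# olduname ___________________________________________________
/*
 * asmlinkage long
 * sys_olduname(struct new_utsname __user * name)
 */
probe syscall.olduname = kernel.function("sys_olduname") {
	name = "olduname"
	name_uaddr = $name
	argstr = sprintf("[0x%p]", name_uaddr)
}
probe syscall.olduname.return = kernel.function("sys_olduname").return {
	name = "olduname"
	retstr = returnstr(1)
}

# rt_sigreturn _______________________________________________
/*
 * asmlinkage int
 * sys_rt_sigreturn(unsigned long __unused)
 */
probe syscall.rt_sigreturn = kernel.function("sys_rt_sigreturn") {
	name = "rt_sigreturn"
	__unused = $__unused
	argstr = sprint($__unused)
}
probe syscall.rt_sigreturn.return = kernel.function("sys_rt_sigreturn").return {
	name = "rt_sigreturn"
	retstr = returnstr(1)
}

# sched_setaffinity __________________________________________
/*
 * asmlinkage long
 * sys_sched_setaffinity(pid_t pid,
 *                       unsigned int len,
 *                       unsigned long __user *user_mask_ptr)
 */
probe syscall.sched_setaffinity = kernel.function("sys_sched_setaffinity") {
	name = "sched_setaffinity"
	pid = $pid
	/*
	 * NOTE(review): an earlier author observed that $len failed to
	 * resolve on x86_64; this is unverified here and may depend on
	 * the kernel build.
	 */
	len = $len
	mask_uaddr = $user_mask_ptr
	argstr = sprintf("%d, %d, [0x%p]", $pid, $len, mask_uaddr)
}
probe syscall.sched_setaffinity.return = kernel.function("sys_sched_setaffinity").return {
	name = "sched_setaffinity"
	retstr = returnstr(1)
}

# sched_setparam _____________________________________________
/*
 * asmlinkage long
 * sys_sched_setparam(pid_t pid,
 *                    struct sched_param __user *param)
 *
 * Both this alias and syscall.sched_setscheduler are attached to
 * do_sched_setscheduler, so a script probing only one of them will
 * also fire for calls that arrive through the other syscall; consumers
 * that need to tell them apart cannot rely on "name" alone here.
 */
probe syscall.sched_setparam = kernel.function("do_sched_setscheduler") {
	name = "sched_setparam"
	pid = $pid
	p_uaddr = $param
	argstr = sprintf("%d, [0x%p]", $pid, p_uaddr)
}
probe syscall.sched_setparam.return = kernel.function("do_sched_setscheduler").return {
	name = "sched_setparam"
	retstr = returnstr(1)
}

# sched_setscheduler _________________________________________
/*
 * asmlinkage long
 * sys_sched_setscheduler(pid_t pid,
 *                        int policy,
 *                        struct sched_param __user *param)
 *
 * Shares its probe point (do_sched_setscheduler) with
 * syscall.sched_setparam - see the note there.
 */
probe syscall.sched_setscheduler = kernel.function("do_sched_setscheduler") {
	name = "sched_setscheduler"
	pid = $pid
	policy = $policy
	policy_str = _sched_policy_str($policy)
	p_uaddr = $param
	argstr = sprintf("%d, %s, [0x%p]", $pid, policy_str, p_uaddr)
}
probe syscall.sched_setscheduler.return = kernel.function("do_sched_setscheduler").return {
	name = "sched_setscheduler"
	retstr = returnstr(1)
}

# set_thread_area ____________________________________________
/*
 * asmlinkage int
 * sys_set_thread_area(struct user_desc __user *u_info)
 */
probe syscall.set_thread_area = kernel.function("sys_set_thread_area") {
	name = "set_thread_area"
	u_info_uaddr = $u_info
	argstr = sprintf("[0x%p]", u_info_uaddr)
}
probe syscall.set_thread_area.return = kernel.function("sys_set_thread_area").return {
	name = "set_thread_area"
	retstr = returnstr(1)
}

# set_zone_reclaim ___________________________________________
/*
 * asmlinkage long
 * sys_set_zone_reclaim(unsigned int node,
 *                      unsigned int zone,
 *                      unsigned int state)
 *
 * Only compiled in for kernels older than 2.6.15; the syscall does not
 * exist on later ones, so the aliases are absent there.
 */
%( kernel_v < "2.6.15" %?
probe syscall.set_zone_reclaim = kernel.function("sys_set_zone_reclaim") {
	name = "set_zone_reclaim"
	node = $node
	zone = $zone
	state = $state
	argstr = sprintf("%d, %d, %d", $node, $zone, $state)
}
probe syscall.set_zone_reclaim.return = kernel.function("sys_set_zone_reclaim").return {
	name = "set_zone_reclaim"
	retstr = returnstr(1)
}
%)

# shmat ______________________________________________________
/*
 * asmlinkage long
 * sys_shmat(int shmid,
 *           char __user *shmaddr,
 *           int shmflg)
 */
probe syscall.shmat = kernel.function("sys_shmat") {
	name = "shmat"
	shmid = $shmid
	shmaddr_uaddr = $shmaddr
	shmflg = $shmflg
	argstr = sprintf("%d, [0x%p], %d", $shmid, shmaddr_uaddr, $shmflg)
}
probe syscall.shmat.return = kernel.function("sys_shmat").return {
	name = "shmat"
	retstr = returnstr(1)
}

# sigaction __________________________________________________
/*
 * asmlinkage int
 * sys_sigaction(int sig,
 *               const struct old_sigaction __user *act,
 *               struct old_sigaction __user *oact)
 */
probe syscall.sigaction = kernel.function("sys_sigaction") {
	name = "sigaction"
	sig = $sig
	act_uaddr = $act
	oact_uaddr = $oact
	argstr = sprintf("%s, [0x%p], [0x%p]", _signal_name($sig), act_uaddr, oact_uaddr)
}
probe syscall.sigaction.return = kernel.function("sys_sigaction").return {
	name = "sigaction"
	retstr = returnstr(1)
}

# sigaltstack ________________________________________________
/*
 * asmlinkage int
 * sys_sigaltstack(unsigned long ebx)
 *
 * The i386 entry takes its argument via the ebx register slot, hence
 * the register-named variable.
 */
probe syscall.sigaltstack = kernel.function("sys_sigaltstack") {
	name = "sigaltstack"
	ebx = $ebx
	argstr = sprintf("0x%p", $ebx)
}
probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
	name = "sigaltstack"
	retstr = returnstr(1)
}

# sigreturn __________________________________________________
/*
 * asmlinkage int
 * sys_sigreturn(unsigned long __unused)
 */
probe syscall.sigreturn = kernel.function("sys_sigreturn") {
	name = "sigreturn"
	__unused = $__unused
	argstr = sprint($__unused)
}
probe syscall.sigreturn.return = kernel.function("sys_sigreturn").return {
	# Brought in line with rt_sigreturn.return and the rest of the file:
	# bare syscall name, and retstr provided.
	name = "sigreturn"
	retstr = returnstr(1)
}

# sigsuspend _________________________________________________
/*
 * asmlinkage int
 * sys_sigsuspend(int history0,
 *                int history1,
 *                old_sigset_t mask)
 */
probe syscall.sigsuspend = kernel.function("sys_sigsuspend") {
	name = "sigsuspend"
	history0 = $history0
	history1 = $history1
	mask = $mask
	argstr = sprintf("%d, %d, 0x%p", $history0, $history1, $mask)
}
probe syscall.sigsuspend.return = kernel.function("sys_sigsuspend").return {
	name = "sigsuspend"
	retstr = returnstr(1)
}

# stat64 _____________________________________________________
/*
 * asmlinkage long
 * sys_stat64(char __user * filename,
 *            struct stat64 __user * statbuf)
 */
probe syscall.stat64 = kernel.function("sys_stat64") {
	name = "stat64"
	filename_uaddr = $filename
	filename = user_string($filename)
	buf_uaddr = $statbuf
	argstr = sprintf("%s, [0x%p]", filename, buf_uaddr)
}
probe syscall.stat64.return = kernel.function("sys_stat64").return {
	name = "stat64"
	retstr = returnstr(1)
}

# umask ______________________________________________________
/*
 * asmlinkage long
 * sys_umask(int mask)
 */
probe syscall.umask = kernel.function("sys_umask") {
	name = "umask"
	mask = $mask
	argstr = sprintf("%d", $mask)
}
probe syscall.umask.return = kernel.function("sys_umask").return {
	name = "umask"
	retstr = returnstr(1)
}

# vm86 _______________________________________________________
/*
 * asmlinkage int
 * sys_vm86(struct pt_regs regs)
 */
probe syscall.vm86 = kernel.function("sys_vm86") {
	name = "vm86"
	/*
	 * The by-value pt_regs argument cannot be exposed: the translator
	 * reports "unsupported type identifier '$regs'".  No argstr is set.
	 * regs = $regs
	 */
}
probe syscall.vm86.return = kernel.function("sys_vm86").return {
	name = "vm86"
	retstr = returnstr(1)
}

# vm86old ____________________________________________________
/*
 * asmlinkage int
 * sys_vm86old(struct pt_regs regs)
 */
probe syscall.vm86old = kernel.function("sys_vm86old") {
	name = "vm86old"
	/*
	 * Same limitation as vm86: "unsupported type identifier '$regs'".
	 * regs = $regs
	 */
}
probe syscall.vm86old.return = kernel.function("sys_vm86old").return {
	name = "vm86old"
	retstr = returnstr(1)
}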