// syscalls tapset part 1 [A-M] // Copyright (C) 2005 IBM Corp. // Copyright (C) 2005-2007 Red Hat Inc. // Copyright (C) 2007 Quentin Barnes. // // This file is part of systemtap, and is free software. You can // redistribute it and/or modify it under the terms of the GNU General // Public License (GPL); either version 2, or (at your option) any // later version. /* * nd_syscalls.stp is a copy of syscalls.stp, modified to refer to * function arguments by number rather than name, so that this tapset * can be used even when the probed kernel lacks debugging information. * * So far, the names-to-numbers conversion covers only syscall.a* * through syscall.c*, plus a few others. */ /* Each syscall returns the calls parameters. In addition, the following * variables are set: * * name - generally the syscall name minus the "sys_". * * argstr - a string containing the decoded args in an easy-to-read format. * It doesn't need to contain everything, but should have all the * important args. Set in entry probes only. Values enclosed in * square brackets are user-space pointers. Values in curly * braces are decoded structs. * * retstr - a string containing the return value in an easy-to-read format. * Set in return probes only. */ # accept _____________________________________________________ # long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr, # int __user *upeer_addrlen) probe nd_syscall.accept = kernel.function("sys_accept") ? { name = "accept" // sockfd = $fd // addr_uaddr = $upeer_sockaddr // addrlen_uaddr = $upeer_addrlen // argstr = sprintf("%d, %p, %p", $fd, $upeer_sockaddr, $upeer_addrlen) asmlinkage() sockfd = int_arg(1) addr_uaddr = pointer_arg(2) addrlen_uaddr = pointer_arg(3) argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr) } probe nd_syscall.accept.return = kernel.function("sys_accept").return ? { name = "accept" retstr = returnstr(1) } # access _____________________________________________________ # long sys_access(const char __user * filename, int mode) probe nd_syscall.access = kernel.function("sys_access") { name = "access" // pathname = user_string($filename) // mode = $mode // mode_str = _access_mode_str($mode) // argstr = sprintf("%s, %s", user_string_quoted($filename), mode_str) asmlinkage() pathname = user_string(pointer_arg(1)) mode = int_arg(2) mode_str = _access_mode_str(mode) argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str) } probe nd_syscall.access.return = kernel.function("sys_access").return { name = "access" retstr = returnstr(1) } # acct _______________________________________________________ # long sys_acct(const char __user *name) probe nd_syscall.acct = kernel.function("sys_acct") ? { name = "acct" // filename = user_string($name) // argstr = user_string_quoted($name) asmlinkage() filename = user_string(pointer_arg(1)) argstr = user_string_quoted(pointer_arg(1)) } probe nd_syscall.acct.return = kernel.function("sys_acct").return ? { name = "acct" retstr = returnstr(1) } # add_key ____________________________________________________ # long sys_add_key(const char __user *_type, # const char __user *_description, # const void __user *_payload, # size_t plen, # key_serial_t ringid) # probe nd_syscall.add_key = kernel.function("sys_add_key") ? { name = "add_key" // type_uaddr = $_type // description_auddr = $_description // payload_uaddr = $_payload // plen = $plen // ringid = $ringid // argstr = sprintf("%s, %s, %s, %d, %d", // user_string_quoted($_type), // user_string_quoted($_description), // text_strn(user_string($_payload),syscall_string_trunc,1), // $plen, $ringid) asmlinkage() type_uaddr = pointer_arg(1) description_uaddr = pointer_arg(2) payload_uaddr = pointer_arg(3) plen = ulong_arg(4) ringid = int_arg(5) argstr = sprintf("%s, %s, %s, %d, %d", user_string_quoted(type_uaddr), user_string_quoted(description_uaddr), text_strn(user_string(payload_uaddr),syscall_string_trunc,1), plen, ringid) } probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? { name = "add_key" retstr = returnstr(1) } # adjtimex ___________________________________________________ # long sys_adjtimex(struct timex __user *txc_p) probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") { name = "adjtimex" /* * buf_offset = __uget_timex_m($txc_p,1) * buf_freq = __uget_timex_m($txc_p,2) * buf_maxerror = __uget_timex_m($txc_p,3) * buf_esterror = __uget_timex_m($txc_p,4) * buf_status = __uget_timex_m($txc_p,5) * buf_constant = __uget_timex_m($txc_p,6) * buf_precision = __uget_timex_m($txc_p,7) * buf_tolerance = __uget_timex_m($txc_p,8) * buf_time_tv_sec = __uget_timex_m($txc_p,9) * buf_time_tv_usec = __uget_timex_m($txc_p,10) * buf_tick = __uget_timex_m($txc_p,11) */ // argstr = sprintf("%p", $txc_p) asmlinkage() argstr = sprintf("%p", pointer_arg(1)) } probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return { name = "adjtimex" // retstr = _adjtimex_return_str($return) retstr = _adjtimex_return_str(returnval()) } # long compat_sys_adjtimex(struct compat_timex __user *utp) probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? { name = "compat_adjtimex" // argstr = sprintf("%p", $utp) asmlinkage() argstr = sprintf("%p", pointer_arg(1)) } probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? { name = "compat_adjtimex" retstr = returnstr(1) } # alarm ______________________________________________________ # unsigned long sys_alarm (unsigned int seconds) # long sys32_alarm(unsigned int seconds) # probe nd_syscall.alarm = kernel.function("sys_alarm") ?, kernel.function("sys32_alarm") ? { name = "alarm" // seconds = $seconds // argstr = sprint($seconds) asmlinkage() seconds = uint_arg(1) argstr = sprint(seconds) } probe nd_syscall.alarm.return = kernel.function("sys_alarm").return ?, kernel.function("sys32_alarm").return ? { name = "alarm" retstr = returnstr(1) } # bdflush ____________________________________________________ # long sys_bdflush(int func,long data) probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? { name = "bdflush" // func = $func // data = $data // if (($func>=2)&&($func%2==0)) // data_str = sprintf("%p", $data) // else // data_str = sprintf("%d", $data) asmlinkage() func = int_arg(1) data = long_arg(2) if ((func>=2)&&(func%2==0)) data_str = sprintf("%p", data) else data_str = sprintf("%d", data) argstr = sprintf("%d, %s",func, data_str) } probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? { name = "bdflush" retstr = returnstr(1) } # bind _______________________________________________________ # long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen) probe nd_syscall.bind = kernel.function("sys_bind") ? { name = "bind" // sockfd = $fd // my_addr_uaddr = $umyaddr // addrlen = $addrlen // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen) asmlinkage() sockfd = int_arg(1) my_addr_uaddr = pointer_arg(2) addrlen = int_arg(3) argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr,addrlen),addrlen) } probe nd_syscall.bind.return = kernel.function("sys_bind").return ? { name = "bind" retstr = returnstr(1) } # brk ________________________________________________________ # unsigned long sys_brk(unsigned long brk) probe nd_syscall.brk = kernel.function("sys_brk"), kernel.function("ia64_brk") ? { name = "brk" // brk = $brk asmlinkage() brk = ulong_arg(1) argstr = sprintf("%p", brk) } probe nd_syscall.brk.return = kernel.function("sys_brk").return, kernel.function("ia64_brk").return ? { name = "brk" retstr = returnstr(1) } # capget _____________________________________________________ /* * NOTE * this is probably not a good function * to probe. The structures are always * changing. It also seems like it is * not really used. Cscope produced no * reference of this function in the * kernel (returned no callers). Perhaps * cap_get_proc / cap_set_proc are better * functions to export. */ # long sys_capget(cap_user_header_t header, cap_user_data_t dataptr) probe nd_syscall.capget = kernel.function("sys_capget") { name = "capget" // header_uaddr = $header // data_uaddr = $dataptr // argstr = sprintf("%p, %p", $header, $dataptr) asmlinkage() header_uaddr = pointer_arg(1) data_uaddr = pointer_arg(2) argstr = sprintf("%p, %p", header_uaddr, data_uaddr) } probe nd_syscall.capget.return = kernel.function("sys_capget").return { name = "capget" retstr = returnstr(1) } # capset _____________________________________________________ /* * NOTE * this is probably not a good function * to probe. The structures are always * changing. It also seems like it is * not really used. Cscope produced no * reference of this function in the * kernel (returned no callers). Perhaps * cap_get_proc / cap_set_proc are better * functions to export. */ # long sys_capset(cap_user_header_t header, const cap_user_data_t data) probe nd_syscall.capset = kernel.function("sys_capset") { name = "capset" // header_uaddr = $header // data_uaddr = $data // argstr = sprintf("%p, %p", $header, $data) asmlinkage() header_uaddr = pointer_arg(1) data_uaddr = pointer_arg(2) argstr = sprintf("%p, %p", header_uaddr, data_uaddr) } probe nd_syscall.capset.return = kernel.function("sys_capset").return { name = "capset" retstr = returnstr(1) } # chdir ______________________________________________________ # long sys_chdir(const char __user * filename) probe nd_syscall.chdir = kernel.function("sys_chdir") { name = "chdir" // path = user_string($filename) // argstr = user_string_quoted($filename) asmlinkage() path = user_string(pointer_arg(1)) argstr = user_string_quoted(pointer_arg(1)) } probe nd_syscall.chdir.return = kernel.function("sys_chdir").return { name = "chdir" retstr = returnstr(1) } # chmod ______________________________________________________ # long sys_chmod(const char __user * filename, mode_t mode) probe nd_syscall.chmod = kernel.function("sys_chmod") { name = "chmod" // path = user_string($filename) // mode = $mode // argstr = sprintf("%s, %#o", user_string_quoted($filename), mode) asmlinkage() path = user_string(pointer_arg(1)) mode = uint_arg(2) argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode) } probe nd_syscall.chmod.return = kernel.function("sys_chmod").return { name = "chmod" retstr = returnstr(1) } # chown ______________________________________________________ # long sys_chown(const char __user * filename, uid_t user, gid_t group) probe nd_syscall.chown = kernel.function("sys_chown") { name = "chown" // path = user_string($filename) // owner = __int32($user) // group = __int32($group) // argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group) asmlinkage() path = user_string(pointer_arg(1)) owner = __int32(uint_arg(2)) group = __int32(uint_arg(3)) argstr = sprintf("%s, %d, %d",user_string_quoted(pointer_arg(1)), owner, group) } probe nd_syscall.chown.return = kernel.function("sys_chown").return { name = "chown" retstr = returnstr(1) } # chown16 ___________________________________________________ # long sys_chown16(const char __user * filename, old_uid_t user, # old_gid_t group) # probe nd_syscall.chown16 = kernel.function("sys_chown16") ? { name = "chown16" // path = user_string($filename) // owner = __short($user) // group = __short($group) // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) asmlinkage() path = user_string(pointer_arg(1)) owner = __short(uint_arg(2)) group = __short(uint_arg(3)) argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group) } probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? { name = "chown16" retstr = returnstr(1) } # chroot _____________________________________________________ # long sys_chroot(const char __user * filename) probe nd_syscall.chroot = kernel.function("sys_chroot") { name = "chroot" // path = user_string($filename) // argstr = user_string_quoted($filename) asmlinkage() path = user_string(pointer_arg(1)) argstr = user_string_quoted(pointer_arg(1)) } probe nd_syscall.chroot.return = kernel.function("sys_chroot").return { name = "chroot" retstr = returnstr(1) } # clock_getres _______________________________________________ # long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp) # long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp) # probe nd_syscall.clock_getres = kernel.function("sys_clock_getres"), kernel.function("compat_clock_getres") ? { name = "clock_getres" // clk_id = $which_clock // clk_id_str = _get_wc_str($which_clock) // res_uaddr = $tp // argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp) asmlinkage() clk_id = int_arg(1) clk_id_str = _get_wc_str(clk_id) res_uaddr = pointer_arg(2) argstr = sprintf("%s, %p", clk_id_str, res_uaddr) } probe nd_syscall.clock_getres.return = kernel.function("sys_clock_getres").return, kernel.function("compat_clock_getres").return ? { name = "clock_getres" retstr = returnstr(1) } # clock_gettime ______________________________________________ # long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp) # probe nd_syscall.clock_gettime = kernel.function("sys_clock_gettime") { name = "clock_gettime" // clk_id = $which_clock // clk_id_str = _get_wc_str($which_clock) // argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp) asmlinkage() clk_id = int_arg(1) clk_id_str = _get_wc_str(clk_id) argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2)) } probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return { name = "clock_gettime" retstr = returnstr(1) } # clock_nanosleep ____________________________________________ # long sys_clock_nanosleep(clockid_t which_clock, # int flags, # const struct timespec __user *rqtp, # struct timespec __user *rmtp) # probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") { name = "clock_nanosleep" // if ($flags == 1) // flag_str = "TIMER_ABSTIME" // else // flag_str = sprintf("0x%x", $flags) // argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str, // _struct_timespec_u($rqtp,1), $rmtp) asmlinkage() flags = int_arg(2) if (flags == 1) flag_str = "TIMER_ABSTIME" else flag_str = sprintf("0x%x", flags) argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str, _struct_timespec_u(pointer_arg(3),1), pointer_arg(4)) } probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return { name = "clock_nanosleep" retstr = returnstr(1) } # compat_clock_nanosleep ________________________________________ # # long compat_clock_nanosleep(clockid_t which_clock, int flags, # struct compat_timespec __user *rqtp, # struct compat_timespec __user *rmtp) # probe nd_syscall.compat_clock_nanosleep = kernel.function("compat_clock_nanosleep") ?, kernel.function("compat_sys_clock_nanosleep") ? { name = "compat_clock_nanosleep" // if ($flags == 1) // flag_str = "TIMER_ABSTIME" // else // flag_str = sprintf("0x%x", $flags) // argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str, // _struct_compat_timespec_u($rqtp,1), $rmtp) asmlinkage() flags = int_arg(2) if (flags == 1) flag_str = "TIMER_ABSTIME" else flag_str = sprintf("0x%x", flags) argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str, _struct_compat_timespec_u(pointer_arg(3),1), pointer_arg(4)) } probe nd_syscall.compat_clock_nanosleep.return = kernel.function("compat_clock_nanosleep").return ?, kernel.function("compat_sys_clock_nanosleep").return ? { name = "compat_clock_nanosleep" retstr = returnstr(1) } # clock_settime ______________________________________________ # long sys_clock_settime(clockid_t which_clock, # const struct timespec __user *tp) # probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") { name = "clock_settime" // clk_id = $which_clock // clk_id_str = _get_wc_str($which_clock) // tp_uaddr = $tp // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1)) asmlinkage() clk_id = int_arg(1) clk_id_str = _get_wc_str(clk_id) tp_uaddr = pointer_arg(2) argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr,1)) } probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return { name = "clock_settime" retstr = returnstr(1) } # close ______________________________________________________ # long sys_close(unsigned int fd) probe nd_syscall.close = kernel.function("sys_close") { name = "close" // fd = $fd asmlinkage() fd = int_arg(1) argstr = sprint(fd) } probe nd_syscall.close.return = kernel.function("sys_close").return { name = "close" retstr = returnstr(1) } # connect ____________________________________________________ # long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen) probe nd_syscall.connect = kernel.function("sys_connect") ? { name = "connect" // sockfd = $fd // serv_addr_uaddr = $uservaddr // addrlen = $addrlen // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen) asmlinkage() sockfd = int_arg(1) serv_addr_uaddr = pointer_arg(2) addrlen = int_arg(3) argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr,addrlen),addrlen) } probe nd_syscall.connect.return = kernel.function("sys_connect").return ? { name = "connect" retstr = returnstr(1) } # creat # long sys_creat(const char __user * pathname, int mode) probe nd_syscall.creat = kernel.function("sys_creat") ? { name = "creat" // mode = $mode // pathname = user_string($pathname) // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode) mode = int_arg(2) pathname = user_string(pointer_arg(1)) argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode) } probe nd_syscall.creat.return = kernel.function("sys_creat").return ? { name = "creat" retstr = returnstr(1) } # delete_module ______________________________________________ # long sys_delete_module(const char __user *name_user, unsigned int flags) probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? { name = "delete_module" name_user = user_string($name_user) flags = $flags argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags)) } probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? { name = "delete_module" retstr = returnstr(1) } # dup ________________________________________________________ # long sys_dup(unsigned int fildes) probe nd_syscall.dup = kernel.function("sys_dup") { name = "dup" // oldfd = $fildes // argstr = sprint($fildes) asmlinkage() old_fd = int_arg(1) argstr = sprint(old_fd) } probe nd_syscall.dup.return = kernel.function("sys_dup").return { name = "dup" retstr = returnstr(1) } # dup2 _______________________________________________________ # long sys_dup2(unsigned int oldfd, unsigned int newfd) probe nd_syscall.dup2 = kernel.function("sys_dup2") { name = "dup2" oldfd = $oldfd newfd = $newfd argstr = sprintf("%d, %d", $oldfd, $newfd) } probe nd_syscall.dup2.return = kernel.function("sys_dup2").return { name = "dup2" retstr = returnstr(1) } # epoll_create _______________________________________________ # long sys_epoll_create(int size) probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? { name = "epoll_create" size = $size argstr = sprint($size) } probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? { name = "epoll_create" retstr = returnstr(1) } # epoll_ctl __________________________________________________ # # long sys_epoll_ctl(int epfd, int op, int fd, struct epoll_event __user *event) # long compat_sys_epoll_ctl(int epfd, int op, int fd, # struct compat_epoll_event __user *event) # probe nd_syscall.epoll_ctl = kernel.function("sys_epoll_ctl") ?, kernel.function("compat_sys_epoll_ctl") ? { name = "epoll_ctl" epfd = $epfd op = $op op_str = _opoll_op_str($op) fd = $fd event_uaddr = $event argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event) } probe nd_syscall.epoll_ctl.return = kernel.function("sys_epoll_ctl").return ?, kernel.function("compat_sys_epoll_ctl").return ? { name = "epoll_ctl" retstr = returnstr(1) } # epoll_pwait _________________________________________________ # # long sys_epoll_pwait(int epfd, struct epoll_event __user *events, # int maxevents, int timeout, const sigset_t __user *sigmask, # size_t sigsetsize) # long compat_sys_epoll_pwait(int epfd, # struct compat_epoll_event __user *events, # int maxevents, int timeout, # const compat_sigset_t __user *sigmask, # compat_size_t sigsetsize) # probe nd_syscall.epoll_pwait = kernel.function("sys_epoll_pwait") ?, kernel.function("compat_sys_epoll_pwait") ? { name = "epoll_pwait" argstr = sprintf("%d, %p, %d, %d, %p, %d", $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize) } probe nd_syscall.epoll_pwait.return = kernel.function("sys_epoll_pwait").return ?, kernel.function("compat_sys_epoll_pwait").return ? { name = "epoll_pwait" retstr = returnstr(1) } # epoll_wait _________________________________________________ # # long sys_epoll_wait(int epfd, struct epoll_event __user *events, # int maxevents, int timeout) # long compat_sys_epoll_wait(int epfd, # struct compat_epoll_event __user *events, # int maxevents, int timeout) # probe nd_syscall.epoll_wait = kernel.function("sys_epoll_wait") ?, kernel.function("compat_sys_epoll_wait") ? { name = "epoll_wait" epfd = $epfd events_uaddr = $events maxevents = $maxevents timeout = $timeout argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout) } probe nd_syscall.epoll_wait.return = kernel.function("sys_epoll_wait").return ?, kernel.function("compat_sys_epoll_wait").return ? { name = "epoll_wait" retstr = returnstr(1) } # eventfd _____________________________________________________ # long sys_eventfd(unsigned int count) # probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? { name = "eventfd" argstr = sprint($count) } probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? { name = "eventfd" retstr = returnstr(1) } # execve _____________________________________________________ # int sys_execve(struct pt_regs regs) # which breaks out the args and immediately calls # int do_execve(char * filename, # char __user *__user *argv, # char __user *__user *envp, # struct pt_regs * regs) probe nd_syscall.execve = kernel.function("do_execve") { name = "execve" // filename = kernel_string($filename) // args = __get_argv($argv, 0) // argstr = sprintf("%s %s", filename, __get_argv($argv, 1)) filename = kernel_string(pointer_arg(1)) args = __get_argv(pointer_arg(2), 0) argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1)) } # v2.6.15-rc2 or earlier has problems with sys_execve return probes # another reason to probe on do_execve probe nd_syscall.execve.return = kernel.function("do_execve").return { name = "execve" retstr = returnstr(1) } # int compat_do_execve(char * filename, # compat_uptr_t __user *argv, # compat_uptr_t __user *envp, # struct pt_regs * regs) probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? { name = "compat_execve" filename = kernel_string($filename) args = __get_compat_argv($argv, 0) argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1)) } probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return ? { name = "compat_execve" retstr = returnstr(1) } # exit _______________________________________________________ # long sys_exit(int error_code) probe nd_syscall.exit = kernel.function("do_exit") { name = "exit" status = $code argstr = sprint($code) } probe nd_syscall.exit.return = end {} # exit_group _________________________________________________ # void sys_exit_group(int error_code) # probe nd_syscall.exit_group = kernel.function("sys_exit_group") { name = "exit_group" status = $error_code argstr = sprint($error_code) } probe nd_syscall.exit_group.return = end {} %(arch != "x86_64" %? # fadvise64 __________________________________________________ # long sys_fadvise64(int fd, loff_t offset, size_t len, int advice) # probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? { name = "fadvise64" fs = $fd offset = $offset len = $len advice = $advice argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice)) } probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? { name = "fadvise64" retstr = returnstr(1) } # fadvise64_64 _______________________________________________ # long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) # probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") { name = "fadvise64_64" fs = $fd offset = $offset len = $len advice = $advice argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice)) } probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return { name = "fadvise64_64" retstr = returnstr(1) } %: # FIXME x86_64 has problems resolving parameters # fadvise64 __________________________________________________ # long sys_fadvise64(int fd, loff_t offset, size_t len, int advice) # probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") { name = "fadvise64" fs = 0 offset = 0 len = 0 advice = 0 argstr = "" } probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return { name = "fadvise64" retstr = returnstr(1) } # fadvise64_64 _______________________________________________ # long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) # probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") { name = "fadvise64_64" fs = 0 offset = 0 len = 0 advice = 0 argstr = "" } probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return { name = "fadvise64_64" retstr = returnstr(1) } %) # fchdir _____________________________________________________ # long sys_fchdir(unsigned int fd) probe nd_syscall.fchdir = kernel.function("sys_fchdir") { name = "fchdir" fd = $fd argstr = sprint($fd) } probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return { name = "fchdir" retstr = returnstr(1) } # fchmod _____________________________________________________ # long sys_fchmod(unsigned int fd, mode_t mode) probe nd_syscall.fchmod = kernel.function("sys_fchmod") { name = "fchmod" fildes = $fd mode = $mode argstr = sprintf("%d, %#o", $fd, $mode) } probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return { name = "fchmod" retstr = returnstr(1) } # fchown _____________________________________________________ # long sys_fchown(unsigned int fd, uid_t user, gid_t group) probe nd_syscall.fchown = kernel.function("sys_fchown") { name = "fchown" fd = $fd owner = __int32($user) group = __int32($group) argstr = sprintf("%d, %d, %d", $fd, owner, group) } probe nd_syscall.fchown.return = kernel.function("sys_fchown").return { name = "fchown" retstr = returnstr(1) } # fchown16 ___________________________________________________ # long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group) probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? { name = "fchown16" fd = $fd owner = __short($user) group = __short($group) argstr = sprintf("%d, %d, %d", $fd, owner, group) } probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? { name = "fchown16" retstr = returnstr(1) } # fcntl ______________________________________________________ # long sys_fcntl(int fd, unsigned int cmd, unsigned long arg) # long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg) # long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg) # long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg) # probe nd_syscall.fcntl = kernel.function("sys_fcntl") ?, kernel.function("sys_fcntl64") ?, kernel.function("compat_sys_fcntl") ?, kernel.function("compat_sys_fcntl64") ? { name = "fcntl" fd = $fd cmd = $cmd cmd_str = _fcntl_cmd_str($cmd) arg = $arg argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg) } probe nd_syscall.fcntl.return = kernel.function("sys_fcntl").return ?, kernel.function("sys_fcntl64").return ?, kernel.function("compat_sys_fcntl").return ?, kernel.function("compat_sys_fcntl64").return ? { name = "fcntl" retstr = returnstr(1) } # fdatasync __________________________________________________ # long sys_fdatasync(unsigned int fd) probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") { name = "fdatasync" fd = $fd argstr = sprint(fd) } probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return { name = "fdatasync" retstr = returnstr(1) } # fgetxattr __________________________________________________ # ssize_t sys_fgetxattr(int fd, char __user *name, # void __user *value, size_t size) probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") { name = "fgetxattr" filedes = $fd #FIXME name2 = user_string($name) value_uaddr = $value size = $size argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size) } probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return { name = "fgetxattr" retstr = returnstr(1) } # flistxattr _________________________________________________ # ssize_t sys_flistxattr(int fd, char __user *list, size_t size) probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") { name = "flistxattr" filedes = $fd list_uaddr = $list size = $size argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size) } probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return { name = "flistxattr" retstr = returnstr(1) } # flock ______________________________________________________ # long sys_flock(unsigned int fd, unsigned int cmd) probe nd_syscall.flock = kernel.function("sys_flock") { name = "flock" fd = $fd operation = $cmd argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation)) } probe nd_syscall.flock.return = kernel.function("sys_flock").return { name = "flock" retstr = returnstr(1) } function __is_user_regs:long (regs:long) %{ /* pure */ struct pt_regs * regs = (void *)((unsigned long)THIS->regs); /* copied from asm/ptrace.h */ #if defined(__i386__) #ifdef STAPCONF_X86_UNIREGS int cs = kread(®s->cs); #else int cs = kread(®s->xcs); #endif THIS->__retvalue = (!!((cs & 3))); #elif defined(__x86_64__) unsigned long cs = kread(®s->cs); THIS->__retvalue = (!!((cs & 3))); #elif defined(__ia64__) unsigned long psr = kread(®s->cr_ipsr); THIS->__retvalue = (((struct ia64_psr *) &psr)->cpl != 0); #elif defined(__powerpc64__) unsigned long msr = kread(®s->msr); THIS->__retvalue = ((msr >> MSR_PR_LG) & 0x1); #elif defined(__arm__) long cpsr = kread(®s->ARM_cpsr); THIS->__retvalue = ((cpsr & 0xf) == 0); #elif defined(__s390__) || defined(__s390x__) unsigned long mask = kread(®s->psw.mask); THIS->__retvalue = ((mask & PSW_MASK_PSTATE) != 0); #else #error "Unimplemented architecture" #endif CATCH_DEREF_FAULT(); %} # fork _______________________________________________________ # long do_fork(unsigned long clone_flags, # unsigned long stack_start, # struct pt_regs *regs, # unsigned long stack_size, # int __user *parent_tidptr, # int __user *child_tidptr) probe nd_syscall.fork = kernel.function("do_fork") { // clone_flags = $clone_flags // stack_start = $stack_start // regs = $regs // stack_size = $stack_size // parent_tid_uaddr = $parent_tidptr // child_tid_uaddr = $child_tidptr clone_flags = ulong_arg(1) stack_start = ulong_arg(2) regs = pointer_arg(3) stack_size = ulong_arg(4) parent_tid_uaddr = pointer_arg(5) child_tid_uaddr = pointer_arg(6) if (!__is_user_regs(regs)) { name = "fork_kernel_thread" argstr = __fork_flags(clone_flags) } else if (clone_flags & 17) name = "fork" else if (clone_flags & 0x4000) name = "vfork" else { name = "clone" argstr = __fork_flags(clone_flags) } } probe nd_syscall.fork.return = kernel.function("do_fork").return { name = "fork" retstr = returnstr(1) } # fremovexattr _______________________________________________ # long sys_fremovexattr(int fd, char __user *name) probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") { name = "fremovexattr" filedes = $fd name_uaddr = $name argstr = sprintf("FIXME PLEASE") } probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return { name = "fremovexattr" retstr = returnstr(1) } # fsetxattr __________________________________________________ /* * asmlinkage long * sys_fsetxattr(int fd, * char __user *name, * void __user *value, * size_t size, * int flags) */ probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") { name = "fsetxattr" filedes = $fd # FIXME name2 = user_string($name) value_uaddr = $value size = $size flags = $flags argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags) } probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return { name = "fsetxattr" retstr = returnstr(1) } # fstat ______________________________________________________ # long sys_fstat(unsigned int fd, struct __old_kernel_stat __user * statbuf) # long sys_fstat64(unsigned long fd, struct stat64 __user * statbuf) # long sys32_fstat64(unsigned int fd, struct stat64 __user *statbuf) # long sys_newfstat(unsigned int fd, struct stat __user * statbuf) # long sys_oabi_fstat64(char __user * filename, # struct oldabi_stat64 __user * statbuf) # long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf) # probe nd_syscall.fstat = kernel.function("sys_fstat") ?, kernel.function("sys_fstat64") ?, kernel.function("sys32_fstat64") ?, kernel.function("sys_newfstat") ?, kernel.function("sys_oabi_fstat64") ?, kernel.function("compat_sys_newfstat") ? { name = "fstat" filedes = $fd buf_uaddr = $statbuf argstr = sprintf("%d, %p", $fd, $statbuf) } probe nd_syscall.fstat.return = kernel.function("sys_fstat").return ?, kernel.function("sys_fstat64").return ?, kernel.function("sys32_fstat64").return ?, kernel.function("sys_newfstat").return ?, kernel.function("sys_oabi_fstat64").return ?, kernel.function("compat_sys_newfstat").return ? { name = "fstat" retstr = returnstr(1) } # fstatat ____________________________________________________ # sys32_fstatat64(unsigned int dfd, char __user *filename, struct stat64_emu31 __user* statbuf, int flag) # long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag) # long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag) # long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag) probe nd_syscall.fstatat = kernel.function("sys_fstatat64") ?, kernel.function("sys_newfstatat") ?, kernel.function("compat_sys_newfstatat") ?, kernel.function("sys32_fstatat64") ? { name = "fstatat" dirfd = $dfd path = user_string($filename) buf_uaddr = $statbuf argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag)) } probe nd_syscall.fstatat.return = kernel.function("sys_fstatat64").return ?, kernel.function("sys_newfstatat").return ?, kernel.function("compat_sys_newfstatat").return ?, kernel.function("sys32_fstatat64").return ? { name = "fstatat" retstr = returnstr(1) } # fstatfs ____________________________________________________ # long sys_fstatfs(unsigned int fd, struct statfs __user * buf) # long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf) # probe nd_syscall.fstatfs = kernel.function("sys_fstatfs"), kernel.function("compat_sys_fstatfs") ? { name = "fstatfs" fd = $fd buf_uaddr = $buf argstr = sprintf("%d, %p", $fd, $buf) } probe nd_syscall.fstatfs.return = kernel.function("sys_fstatfs").return, kernel.function("compat_sys_fstatfs").return ? { name = "fstatfs" retstr = returnstr(1) } # fstatfs64 __________________________________________________ # long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf) # long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf) # probe nd_syscall.fstatfs64 = kernel.function("sys_fstatfs64") ?, kernel.function("compat_sys_fstatfs64") ? { name = "fstatfs" fd = $fd sz = $sz buf_uaddr = $buf argstr = sprintf("%d, %d, %p", $fd, $sz, $buf) } probe nd_syscall.fstatfs64.return = kernel.function("sys_fstatfs64").return ?, kernel.function("compat_sys_fstatfs64").return ? { name = "fstatfs" retstr = returnstr(1) } # fsync ______________________________________________________ # long sys_fsync(unsigned int fd) probe nd_syscall.fsync = kernel.function("sys_fsync") { name = "fsync" fd = $fd argstr = sprint(fd) } probe nd_syscall.fsync.return = kernel.function("sys_fsync").return { name = "fsync" retstr = returnstr(1) } # ftruncate __________________________________________________ # long sys_ftruncate(unsigned int fd, unsigned long length) probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") { name = "ftruncate" fd = $fd length = $length argstr = sprintf("%d, %d", fd, length) } probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return { name = "ftruncate" retstr = returnstr(1) } # ftruncate64 ________________________________________________ # long sys_ftruncate64(unsigned int fd, loff_t length) probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? { name = "ftruncate" fd = $fd length = $length argstr = sprintf("%d, %d", fd, length) } probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? { name = "ftruncate" retstr = returnstr(1) } # futex ______________________________________________________ # long sys_futex(u32 __user *uaddr, # int op, # int val, # struct timespec __user *utime, # u32 __user *uaddr2, # int val3) # long compat_sys_futex(u32 __user *uaddr, int op, u32 val, # struct compat_timespec __user *utime, u32 __user *uaddr2, # u32 val3) # probe nd_syscall.futex = kernel.function("sys_futex") ? { name = "futex" // futex_uaddr = $uaddr // op = $op // val = $val // utime_uaddr = $utime // uaddr2_uaddr = $uaddr2 // val3 = $val3 // if (op == 0) // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), // $val, _struct_timespec_u($utime,1)) // else // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), // $val) asmlinkage() futex_uaddr = pointer_arg(1) op = int_arg(2) val = u32_arg(3) utime_uaddr = pointer_arg(4) uaddr2_uaddr = pointer_arg(5) val3 = u32_arg(6) if (op == 0) argstr = sprintf("%p, %s, %d, %s", futex_uaddr, _futex_op_str(op), val, _struct_timespec_u(utime_uaddr,1)) else argstr = sprintf("%p, %s, %d", futex_uaddr, _futex_op_str(op), val) } probe nd_syscall.futex.return = kernel.function("sys_futex").return ? { name = "futex" retstr = returnstr(1) } probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? { name = "futex" // futex_uaddr = $uaddr // op = $op // val = $val // utime_uaddr = $utime // uaddr2_uaddr = $uaddr2 // val3 = $val3 // if (op == 0) // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), // $val, _struct_compat_timespec_u($utime,1)) // else // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), // $val) asmlinkage() futex_uaddr = pointer_arg(1) op = int_arg(2) val = u32_arg(3) utime_uaddr = pointer_arg(4) uaddr2_uaddr = pointer_arg(5) val3 = u32_arg(6) if (op == 0) argstr = sprintf("%p, %s, %d, %s", futex_uaddr, _futex_op_str(op), val, _struct_compat_timespec_u(utime_uaddr,1)) else argstr = sprintf("%p, %s, %d", futex_uaddr, _futex_op_str(op), val) } probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? { name = "futex" retstr = returnstr(1) } # futimesat _____________________________________________________ # # long sys_futimesat(int dfd, char __user *filename, struct timeval __user *utimes) # long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t) # probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? { name = "futimesat" dirfd = $dfd filename_uaddr = $filename filename = user_string($filename) tvp_uaddr = $utimes argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timeval_u($utimes, 2)) } probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? { name = "futimesat" dirfd = $dfd filename_uaddr = $filename filename = user_string($filename) tvp_uaddr = $t argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timeval_u($t, 2)) } probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? { name = "futimesat" retstr = returnstr(1) } probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? { name = "futimesat" retstr = returnstr(1) } # getcwd _____________________________________________________ # long sys_getcwd(char __user *buf, unsigned long size) probe nd_syscall.getcwd = kernel.function("sys_getcwd") { name = "getcwd" buf_uaddr = $buf size = $size argstr = sprintf("%p, %d", buf_uaddr, size) } probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return { name = "getcwd" retstr = returnstr(1) } # getdents ___________________________________________________ # long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count) # long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count) # long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count) # long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count) # probe nd_syscall.getdents = kernel.function("sys_getdents") ?, kernel.function("sys_getdents64") ?, kernel.function("compat_sys_getdents") ?, kernel.function("compat_sys_getdents64") ? { name = "getdents" fd = $fd dirp_uaddr = $dirent count = $count argstr = sprintf("%d, %p, %d", $fd, $dirent, $count) } probe nd_syscall.getdents.return = kernel.function("sys_getdents").return ?, kernel.function("sys_getdents64").return ?, kernel.function("compat_sys_getdents").return ?, kernel.function("compat_sys_getdents64").return ? { name = "getdents" retstr = returnstr(1) } # getegid ____________________________________________________ # long sys_getegid(void) # long sys_getegid16(void) # long sys32_getegid16(void) # probe nd_syscall.getegid = kernel.function("sys_getegid16") ?, kernel.function("sys32_getegid16") ?, kernel.function("sys_getegid") { name = "getegid" argstr = "" } probe nd_syscall.getegid.return = kernel.function("sys_getegid16").return ?, kernel.function("sys32_getegid16").return ?, kernel.function("sys_getegid").return { name = "getegid" retstr = returnstr(1) } # geteuid ____________________________________________________ # long sys_geteuid(void) # long sys32_geteuid16(void) # probe nd_syscall.geteuid = kernel.function("sys_geteuid16") ?, kernel.function("sys32_geteuid16") ?, kernel.function("sys_geteuid") { name = "geteuid" argstr = "" } probe nd_syscall.geteuid.return = kernel.function("sys_geteuid16").return ?, kernel.function("sys32_geteuid16").return ?, kernel.function("sys_geteuid").return { name = "geteuid" retstr = returnstr(1) } # getgid _____________________________________________________ # long sys_getgid(void) # long sys32_getgid16(void) # probe nd_syscall.getgid = kernel.function("sys_getgid16") ?, kernel.function("sys32_getgid16") ?, kernel.function("sys_getgid") { name = "getgid" argstr = "" } probe nd_syscall.getgid.return = kernel.function("sys_getgid16").return ?, kernel.function("sys32_getgid16").return ?, kernel.function("sys_getgid").return { name = "getgid" retstr = returnstr(1) } # getgroups __________________________________________________ # long sys_getgroups(int gidsetsize, gid_t __user *grouplist) # long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist) # long sys32_getgroups16(int gidsetsize, u16 __user *grouplist) # probe nd_syscall.getgroups = kernel.function("sys_getgroups") ?, kernel.function("sys_getgroups16") ?, kernel.function("sys32_getgroups16") ? { name = "getgroups" size = $gidsetsize list_uaddr = $grouplist argstr = sprintf("%d, %p", $gidsetsize, $grouplist) } probe nd_syscall.getgroups.return = kernel.function("sys_getgroups").return ?, kernel.function("sys_getgroups16").return ?, kernel.function("sys32_getgroups16").return ? { name = "getgroups" retstr = returnstr(1) } # gethostname ________________________________________________ # long sys_gethostname(char __user *name, int len) probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? { name = "gethostname" name_uaddr = $name len = $len argstr = sprintf ("%p, %d", name_uaddr, len) } probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? { name = "gethostname" retstr = returnstr(1) } # getitimer __________________________________________________ # sys_getitimer(int which, struct itimerval __user *value) # probe nd_syscall.getitimer = kernel.function("sys_getitimer") { name = "getitimer" which = $which value_uaddr = $value argstr = sprintf("%s, %p", _itimer_which_str($which), $value) } probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return { name = "getitimer" retstr = returnstr(1) } # long compat_sys_getitimer(int which, struct compat_itimerval __user *it probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? { name = "getitimer" which = $which value_uaddr = $it argstr = sprintf("%s, %p", _itimer_which_str($which), $it) } probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? { name = "getitimer" retstr = returnstr(1) } # get_mempolicy ______________________________________________ # long sys_get_mempolicy(int __user *policy, # unsigned long __user *nmask, # unsigned long maxnode, # unsigned long addr, # unsigned long flags) # long compat_sys_get_mempolicy(int __user *policy, # compat_ulong_t __user *nmask, # compat_ulong_t maxnode, # compat_ulong_t addr, compat_ulong_t flags) # probe nd_syscall.get_mempolicy = kernel.function("sys_get_mempolicy") ?, kernel.function("compat_sys_get_mempolicy") ? { name = "get_mempolicy" policy_uaddr = $policy nmask_uaddr = $nmask maxnode = $maxnode addr = $addr flags = $flags argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy, $nmask, $maxnode, $addr, $flags) } probe nd_syscall.get_mempolicy.return = kernel.function("sys_get_mempolicy").return ?, kernel.function("compat_sys_get_mempolicy").return ? { name = "get_mempolicy" retstr = returnstr(1) } # getpeername ________________________________________________ # long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len) # probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? { name = "getpeername" s = $fd name_uaddr = $usockaddr namelen_uaddr = $usockaddr_len argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len) } probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? { name = "getpeername" retstr = returnstr(1) } # getpgid ____________________________________________________ # long sys_getpgid(pid_t pid) probe nd_syscall.getpgid = kernel.function("sys_getpgid") { name = "getpgid" pid = $pid argstr = sprintf("%d", $pid) } probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return { name = "getpgid" retstr = returnstr(1) } # getpgrp ____________________________________________________ # long sys_getpgrp(void) probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? { name = "getpgrp" argstr = "" } probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? { name = "getpgrp" retstr = returnstr(1) } # getpid _____________________________________________________ # long sys_getpid(void) probe nd_syscall.getpid = kernel.function("sys_getpid") { name = "getpid" argstr = "" } probe nd_syscall.getpid.return = kernel.function("sys_getpid").return { name = "getpid" retstr = returnstr(1) } # getppid ____________________________________________________ # long sys_getppid(void) probe nd_syscall.getppid = kernel.function("sys_getppid") { name = "getppid" argstr = "" } probe nd_syscall.getppid.return = kernel.function("sys_getppid").return { name = "getppid" retstr = returnstr(1) } # getpriority ________________________________________________ # long sys_getpriority(int which, int who) probe nd_syscall.getpriority = kernel.function("sys_getpriority") { name = "getpriority" which = $which who = $who argstr = sprintf("%s, %d", _priority_which_str(which), who) } probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return { name = "getpriority" retstr = returnstr(1) } # getresgid __________________________________________________ # long sys_getresgid(gid_t __user *rgid, # gid_t __user *egid, # gid_t __user *sgid) # long sys_getresgid16(old_uid_t __user *rgid, # old_uid_t __user *egid, # old_uid_t __user *sgid) probe nd_syscall.getresgid = kernel.function("sys_getresgid16") ?, kernel.function("sys_getresgid") { name = "getresgid" rgid_uaddr = $rgid egid_uaddr = $egid sgid_uaddr = $sgid argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid) } probe nd_syscall.getresgid.return = kernel.function("sys_getresgid16").return ?, kernel.function("sys_getresgid").return { name = "getresgid" retstr = returnstr(1) } # getresuid __________________________________________________ # long sys_getresuid(uid_t __user *ruid, # uid_t __user *euid, # uid_t __user *suid) probe nd_syscall.getresuid = kernel.function("sys_getresuid16") ?, kernel.function("sys_getresuid") { name = "getresuid" ruid_uaddr = $ruid euid_uaddr = $euid suid_uaddr = $suid argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid) } probe nd_syscall.getresuid.return = kernel.function("sys_getresuid16").return ?, kernel.function("sys_getresuid").return { name = "getresuid" retstr = returnstr(1) } # getrlimit __________________________________________________ # long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim) # long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim) # long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim) probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"), kernel.function("sys_old_getrlimit") ?, kernel.function("compat_sys_getrlimit") ? { name = "getrlimit" resource = $resource rlim_uaddr = $rlim argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim) } probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return, kernel.function("sys_old_getrlimit").return ?, kernel.function("compat_sys_getrlimit").return ? { name = "getrlimit" retstr = returnstr(1) } # getrusage __________________________________________________ # long sys_getrusage(int who, struct rusage __user *ru) probe nd_syscall.getrusage = kernel.function("sys_getrusage") { name = "getrusage" // who = $who // if($who==-2) // { // # RUSAGE_BOTH is not valid argument for sys_getrusage // who_str = sprintf("UNKNOWN VALUE: %d", $who) // } // else // { // who_str = _rusage_who_str($who) // } // usage_uaddr = $ru asmlinkage() who = int_arg(1) if(who==-2) { # RUSAGE_BOTH is not valid argument for sys_getrusage who_str = sprintf("UNKNOWN VALUE: %d", who) } else { who_str = _rusage_who_str(who) } usage_uaddr = pointer_arg(2) argstr = sprintf("%s, %p", who_str, usage_uaddr) } probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return { name = "getrusage" retstr = returnstr(1) } # getsid _____________________________________________________ # long sys_getsid(pid_t pid) probe nd_syscall.getsid = kernel.function("sys_getsid") { name = "getsid" pid = $pid argstr = sprint(pid) } probe nd_syscall.getsid.return = kernel.function("sys_getsid").return { name = "getsid" retstr = returnstr(1) } # getsockname ________________________________________________ # long sys_getsockname(int fd, # struct sockaddr __user *usockaddr, # int __user *usockaddr_len) probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? { name = "getsockname" s = $fd name_uaddr = $usockaddr namelen_uaddr = $usockaddr_len argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len) } probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? { name = "getsockname" retstr = returnstr(1) } # getsockopt _________________________________________________ # long sys_getsockopt(int fd, # int level, # int optname, # char __user *optval, # int __user *optlen) # probe nd_syscall.getsockopt = kernel.function("sys_getsockopt") ?, kernel.function("compat_sys_getsockopt") ? { name = "getsockopt" fd = $fd level = $level level_str = _sockopt_level_str($level) optname = $optname optname_str = _sockopt_optname_str($optname) optval_uaddr = $optval optlen_uaddr = $optlen argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level), _sockopt_optname_str($optname), $optval, $optlen) } probe nd_syscall.getsockopt.return = kernel.function("sys_getsockopt").return ?, kernel.function("compat_sys_getsockopt").return ? { name = "getsockopt" retstr = returnstr(1) } # gettid _____________________________________________________ # long sys_gettid(void) probe nd_syscall.gettid = kernel.function("sys_gettid") { name = "gettid" argstr = "" } probe nd_syscall.gettid.return = kernel.function("sys_gettid").return { name = "gettid" retstr = returnstr(1) } # gettimeofday _______________________________________________ # long sys_gettimeofday(struct timeval __user *tv, # struct timezone __user *tz) # long sys32_gettimeofday(struct compat_timeval __user *tv, # struct timezone __user *tz) # long compat_sys_gettimeofday(struct compat_timeval __user *tv, # struct timezone __user *tz) probe nd_syscall.gettimeofday = kernel.function("sys_gettimeofday"), kernel.function("sys32_gettimeofday") ?, kernel.function("compat_sys_gettimeofday") ? { name = "gettimeofday" tv_uaddr = $tv tz_uaddr = $tz argstr = sprintf("%p, %p", $tv, $tz) } probe nd_syscall.gettimeofday.return = kernel.function("sys_gettimeofday").return, kernel.function("sys32_gettimeofday").return ?, kernel.function("compat_sys_gettimeofday").return ? { name = "gettimeofday" retstr = returnstr(1) } # getuid _____________________________________________________ # long sys_getuid(void # long sys_getuid16(void) # long sys32_getuid16(void) # probe nd_syscall.getuid = kernel.function("sys_getuid16") ?, kernel.function("sys32_getuid16") ?, kernel.function("sys_getuid") { name = "getuid" argstr = "" } probe nd_syscall.getuid.return = kernel.function("sys_getuid16").return ?, kernel.function("sys32_getuid16").return ?, kernel.function("sys_getuid").return { name = "getuid" retstr = returnstr(1) } # getxattr ___________________________________________________ # ssize_t sys_getxattr(char __user *path, char __user *name, # void __user *value, size_t size) probe nd_syscall.getxattr = kernel.function("sys_getxattr") { name = "getxattr" path = user_string($path) # FIXME name2 = user_string($name) value_uaddr = $value size = $size argstr = sprintf("%s, %s, %p, %d", user_string_quoted($path), user_string_quoted($name), value_uaddr, size) } probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return { name = "getxattr" retstr = returnstr(1) } # init_module ________________________________________________ # long sys_init_module(void __user *umod, # unsigned long len, # const char __user *uargs) # probe nd_syscall.init_module = kernel.function("sys_init_module") ? { name = "init_module" umod_uaddr = $umod len = $len uargs = user_string($uargs) argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs)) } probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? { name = "init_module" retstr = returnstr(1) } # inotify_add_watch __________________________________________ # # long sys_inotify_add_watch(int fd, const char __user *path, u32 mask) # probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? { name = "inotify_add_watch" fd = $fd path_uaddr = $path path = user_string($path) mask = $mask argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask) } probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? { name = "inotify_add_watch" retstr = returnstr(1) } # inotify_init _______________________________________________ # # long sys_inotify_init(void) # probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? { name = "inotify_init" argstr = "" } probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? { name = "inotify_init" retstr = returnstr(1) } # inotify_rm_watch ___________________________________________ # # long sys_inotify_rm_watch(int fd, u32 wd) # probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? { name = "inotify_rm_watch" fd = $fd wd = $wd argstr = sprintf("%d, %d", $fd, $wd) } probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? { name = "inotify_rm_watch" retstr = returnstr(1) } # io_cancel __________________________________________________ # long sys_io_cancel(aio_context_t ctx_id, # struct iocb __user *iocb, # struct io_event __user *result) probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") { name = "io_cancel" ctx_id = $ctx_id iocb_uaddr = $iocb result_uaddr = $result argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr) } probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return { name = "io_cancel" retstr = returnstr(1) } # ioctl ______________________________________________________ # long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg) # long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg) # probe nd_syscall.ioctl = kernel.function("sys_ioctl") ?, kernel.function("compat_sys_ioctl") ? { name = "ioctl" fd = $fd request = $cmd argp = $arg argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg) } probe nd_syscall.ioctl.return = kernel.function("sys_ioctl").return ?, kernel.function("compat_sys_ioctl").return ? { name = "ioctl" retstr = returnstr(1) } # io_destroy _________________________________________________ # long sys_io_destroy(aio_context_t ctx) probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") { name = "io_destroy" ctx = $ctx argstr = sprintf("%d", ctx) } probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return { name = "io_destroy" retstr = returnstr(1) } # io_getevents _______________________________________________ # long sys_io_getevents(aio_context_t ctx_id, # long min_nr, # long nr, # struct io_event __user *events, # struct timespec __user *timeout) # long compat_sys_io_getevents(aio_context_t ctx_id, # unsigned long min_nr, # unsigned long nr, # struct io_event __user *events, # struct compat_timespec __user *timeout) # probe nd_syscall.io_getevents = kernel.function("sys_io_getevents") ?, kernel.function("compat_sys_io_getevents") ? { name = "io_getevents" ctx_id = $ctx_id min_nr = $min_nr nr = $nr events_uaddr = $events timeout_uaddr = $timeout timestr = _struct_timespec_u($timeout,1) argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr, $nr, $events, $timeout, timestr) } probe nd_syscall.io_getevents.return = kernel.function("sys_io_getevents").return ?, kernel.function("compat_sys_io_getevents").return ? { name = "io_getevents" retstr = returnstr(1) } # ioperm _____________________________________________________ # long sys_ioperm(unsigned long from, unsigned long num, int turn_on) # probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? { name = "ioperm" from = $from num = $num turn_on = $turn_on argstr = sprintf("%d, %d, %d", $from, $num, $turn_on) } probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? { name = "ioperm" retstr = returnstr(1) } # io_setup ___________________________________________________ # long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp) # probe nd_syscall.io_setup = kernel.function("sys_io_setup") { name = "io_setup" maxevents = $nr_events ctxp_uaddr = $ctxp argstr = sprintf("%d, %p", $nr_events, $ctxp) } probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return { name = "io_setup" retstr = returnstr(1) } # long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p) # probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? { name = "io_setup" maxevents = $nr_reqs ctxp_uaddr = $ctx32p argstr = sprintf("%d, %p", $nr_reqs, $ctx32p) } probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? { name = "io_setup" retstr = returnstr(1) } # io_submit __________________________________________________ # long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp) # probe nd_syscall.io_submit = kernel.function("sys_io_submit") { name = "io_submit" ctx_id = $ctx_id nr = $nr iocbpp_uaddr = $iocbpp argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp) } probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return { name = "io_submit" retstr = returnstr(1) } # long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb) # probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? { name = "io_submit" ctx_id = $ctx_id nr = $nr iocbpp_uaddr = $iocb argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb) } probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? { name = "io_submit" retstr = returnstr(1) } # ioprio_get _________________________________________________ # long sys_ioprio_get(int which, int who) # probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? { name = "ioprio_get" which = $which who = $who argstr = sprintf("%d, %d", $which, $who) } probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? { name = "ioprio_get" retstr = returnstr(1) } # ioprio_set _________________________________________________ # long sys_ioprio_set(int which, int who, int ioprio) # probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? { name = "ioprio_set" which = $which who = $who ioprio = $ioprio argstr = sprintf("%d, %d, %d", $which, $who, $ioprio) } probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? { name = "ioprio_set" retstr = returnstr(1) } # kexec_load _________________________________________________ # long sys_kexec_load(unsigned long entry, # unsigned long nr_segments, # struct kexec_segment __user *segments, # unsigned long flags) # long compat_sys_kexec_load(unsigned long entry, # unsigned long nr_segments, # struct compat_kexec_segment __user *segments, # unsigned long flags) # probe nd_syscall.kexec_load = kernel.function("sys_kexec_load") ?, kernel.function("compat_sys_kexec_load") ? { name = "kexec_load" entry = $entry nr_segments = $nr_segments segments_uaddr = $segments flags = $flags argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags) } probe nd_syscall.kexec_load.return = kernel.function("sys_kexec_load").return ?, kernel.function("compat_sys_kexec_load").return ? { name = "kexec_load" retstr = returnstr(1) } # keyctl _____________________________________________________ # long sys_keyctl(int option, # unsigned long arg2, # unsigned long arg3, # unsigned long arg4, # unsigned long arg5) # long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5) # probe nd_syscall.keyctl = kernel.function("sys_keyctl") ?, kernel.function("compat_sys_keyctl") ? { name = "keyctl" argstr = sprintf("%d, ...", $option) } probe nd_syscall.keyctl.return = kernel.function("sys_keyctl").return ?, kernel.function("compat_sys_keyctl").return ? { name = "keyctl" retstr = returnstr(1) } # kill _______________________________________________________ # long sys_kill(int pid, int sig) probe nd_syscall.kill = kernel.function("sys_kill") { name = "kill" pid = $pid sig = $sig argstr = sprintf("%d, %s", $pid, _signal_name($sig)) } probe nd_syscall.kill.return = kernel.function("sys_kill").return { name = "kill" retstr = returnstr(1) } # lchown _____________________________________________________ # long sys_lchown(const char __user * filename, uid_t user, gid_t group) # probe nd_syscall.lchown = kernel.function("sys_lchown") { name = "lchown" path = user_string($filename) owner = __int32($user) group = __int32($group) argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group) } probe nd_syscall.lchown.return = kernel.function("sys_lchown").return { name = "lchown" retstr = returnstr(1) } # lchown16 ___________________________________________________ # long sys_lchown16(const char __user * filename, old_uid_t user, # old_gid_t group) # probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? { name = "lchown16" path = user_string($filename) owner = __short($user) group = __short($group) argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) } probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? { name = "lchown16" retstr = returnstr(1) } # lgetxattr __________________________________________________ # ssize_t sys_lgetxattr(char __user *path, # char __user *name, # void __user *value, # size_t size) # probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") { name = "lgetxattr" path = user_string($path) # FIXME name2 = user_string($name) value_uaddr = $value size = $size argstr = sprintf("%s, %s, %p, %d", user_string_quoted($path), user_string_quoted($name), value_uaddr, size) } probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return { name = "lgetxattr" retstr = returnstr(1) } # link _______________________________________________________ # long sys_link(const char __user * oldname, # const char __user * newname) probe nd_syscall.link = kernel.function("sys_link") { name = "link" oldpath = user_string($oldname) newpath = user_string($newname) argstr = sprintf("%s, %s", user_string_quoted($oldname), user_string_quoted($newname)) } probe nd_syscall.link.return = kernel.function("sys_link").return { name = "link" retstr = returnstr(1) } # listen _____________________________________________________ # long sys_listen(int fd, int backlog) probe nd_syscall.listen = kernel.function("sys_listen") ? { name = "listen" sockfd = $fd backlog = $backlog argstr = sprintf("%d, %d", $fd, $backlog) } probe nd_syscall.listen.return = kernel.function("sys_listen").return ? { name = "listen" retstr = returnstr(1) } # listxattr __________________________________________________ # ssize_t sys_listxattr(char __user *path, char __user *list, size_t size) # probe nd_syscall.listxattr = kernel.function("sys_listxattr") { name = "listxattr" path_uaddr = $path path = user_string($path) list_uaddr = $list size = $size argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size) } probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return { name = "listxattr" retstr = returnstr(1) } # llistxattr _________________________________________________ # ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size) # probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") { name = "llistxattr" path_uaddr = $path path = user_string($path) list_uaddr = $list size = $size argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size) } probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return { name = "llistxattr" retstr = returnstr(1) } # llseek _____________________________________________________ # long sys_llseek(unsigned int fd, # unsigned long offset_high, # unsigned long offset_low, # loff_t __user * result, # unsigned int origin) probe nd_syscall.llseek = kernel.function("sys_llseek") ? { name = "llseek" fd = $fd offset_high = $offset_high offset_low = $offset_low result_uaddr = $result whence = $origin whence_str = _seek_whence_str($origin) argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high, $offset_low, $result, whence_str) } probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? { name = "llseek" retstr = returnstr(1) } # lookup_dcookie _____________________________________________ # long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len) # probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? { name = "lookup_dcookie" cookie = $cookie64 buffer_uaddr = $buf len = $len argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len) } probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? { name = "lookup_dcookie" retstr = returnstr(1) } # lremovexattr _______________________________________________ # long sys_lremovexattr(char __user *path, char __user *name) # probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") { name = "lremovexattr" path_uaddr = $path path = user_string($path) name_uaddr = $name name2 = user_string($name) argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name)) } probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return { name = "lremovexattr" retstr = returnstr(1) } # lseek ______________________________________________________ # off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin) probe nd_syscall.lseek = kernel.function("sys_lseek") { name = "lseek" fildes = $fd # offset = __int32($offset) offset = $offset whence = $origin whence_str = _seek_whence_str($origin) argstr = sprintf("%d, %d, %s", $fd, offset, whence_str) } probe nd_syscall.lseek.return = kernel.function("sys_lseek").return { name = "lseek" retstr = returnstr(1) } # lsetxattr __________________________________________________ # long sys_lsetxattr(char __user *path, # char __user *name, # void __user *value, # size_t size, # int flags) # probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") { name = "lsetxattr" path_uaddr = $path path = user_string($path) name_uaddr = $name name_str = user_string($name) value_uaddr = $value size = $size flags = $flags argstr = sprintf("%s, %s, %p, %d, %d", user_string_quoted($path), user_string_quoted($name), value_uaddr, $size, $flags) } probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return { name = "lsetxattr" retstr = returnstr(1) } # lstat ______________________________________________________ # long sys_lstat(char __user * filename, struct __old_kernel_stat __user * statbuf) # long sys_newlstat(char __user * filename, struct stat __user * statbuf) # long compat_sys_newlstat(char __user * filename, struct compat_stat __user *statbuf) # long sys32_lstat64(char * filename, struct stat64 __user *statbuf) # long sys_lstat64(char __user * filename, struct stat64 __user * statbuf) # long sys_oabi_lstat64(char __user * filename, # struct oldabi_stat64 __user * statbuf) # probe nd_syscall.lstat = kernel.function("sys_lstat") ?, kernel.function("sys_newlstat") ?, kernel.function("compat_sys_newlstat") ?, kernel.function("sys32_lstat64") ?, kernel.function("sys_lstat64") ?, kernel.function("sys_oabi_lstat64") ? { name = "lstat" path = user_string($filename) buf_uaddr = $statbuf argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf) } probe nd_syscall.lstat.return = kernel.function("sys_lstat").return ?, kernel.function("sys_newlstat").return ?, kernel.function("compat_sys_newlstat").return ?, kernel.function("sys32_lstat64").return ?, kernel.function("sys_lstat64").return ?, kernel.function("sys_oabi_lstat64").return ? { name = "lstat" retstr = returnstr(1) } # madvise ____________________________________________________ # long sys_madvise(unsigned long start, size_t len_in, int behavior) # probe nd_syscall.madvise = kernel.function("sys_madvise") ? { name = "madvise" start = $start length = $len_in advice = $behavior advice_str = _madvice_advice_str($behavior) argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior)) } probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? { name = "madvise" retstr = returnstr(1) } # mbind ______________________________________________________ # long sys_mbind(unsigned long start, # unsigned long len, # unsigned long mode, # unsigned long __user *nmask, # unsigned long maxnode, # unsigned flags) # # long compat_sys_mbind(compat_ulong_t start, # compat_ulong_t len, # compat_ulong_t mode, # compat_ulong_t __user *nmask, # compat_ulong_t maxnode, # compat_ulong_t flags) # probe nd_syscall.mbind = kernel.function("sys_mbind") ?, kernel.function("compat_sys_mbind") ? { name = "mbind" start = $start len = $len mode = $mode nmask_uaddr = $nmask maxnode = $maxnode flags = $flags argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode, $nmask, $maxnode, $flags) } probe nd_syscall.mbind.return = kernel.function("sys_mbind").return ?, kernel.function("compat_sys_mbind").return ? { name = "mbind" retstr = returnstr(1) } # migrate_pages ____________________________________________________ # long sys_migrate_pages(pid_t pid, unsigned long maxnode, # const unsigned long __user *old_nodes, # const unsigned long __user *new_nodes) probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? { name = "migrate_pages" argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes) } probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? { name = "migrate_pages" retstr = returnstr(1) } # mincore ____________________________________________________ # long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec) # probe nd_syscall.mincore = kernel.function("sys_mincore") ? { name = "mincore" start = $start length = $len vec_uaddr = $vec argstr = sprintf("%p, %d, %p", $start, $len, $vec) } probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? { name = "mincore" retstr = returnstr(1) } # mkdir ______________________________________________________ # long sys_mkdir(const char __user * pathname, int mode) probe nd_syscall.mkdir = kernel.function("sys_mkdir") { name = "mkdir" pathname_uaddr = $pathname pathname = user_string($pathname) mode = $mode argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode) } probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return { name = "mkdir" retstr = returnstr(1) } # mkdirat ____________________________________________________ # new function with 2.6.16 # long sys_mkdirat(int dfd, const char __user *pathname, int mode) probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? { name = "mkdirat" dirfd = $dfd pathname = user_string($pathname) mode = $mode argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode) } probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? { name = "mkdirat" retstr = returnstr(1) } # mknod # long sys_mknod(const char __user * filename, int mode, unsigned dev) probe nd_syscall.mknod = kernel.function("sys_mknod") { name = "mknod" pathname = user_string($filename) mode = $mode dev = $dev argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev) } probe nd_syscall.mknod.return = kernel.function("sys_mknod").return { name = "mknod" retstr = returnstr(1) } # mlock ______________________________________________________ # # long sys_mlock(unsigned long start, size_t len) # probe nd_syscall.mlock = kernel.function("sys_mlock") ? { name = "mlock" addr = $start len = $len argstr = sprintf("%p, %d", $start, $len) } probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? { name = "mlock" retstr = returnstr(1) } # mlockall ___________________________________________________ # # long sys_mlockall(int flags) # probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? { name = "mlockall" flags = $flags argstr = _mlockall_flags_str($flags) } probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? { name = "mlockall" retstr = returnstr(1) } # modify_ldt _________________________________________________ # int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount) # probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? { name = "modify_ldt" func = $func ptr_uaddr = $ptr bytecount = $bytecount argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount) } probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? { name = "modify_ldt" retstr = returnstr(1) } # move_pages ____________________________________________________ # long sys_move_pages(pid_t pid, unsigned long nr_pages, # const void __user * __user *pages, # const int __user *nodes, # int __user *status, # int flags) # # long compat_sys_move_pages(pid_t pid, unsigned long nr_pages, # compat_uptr_t __user *pages32, # const int __user *nodes, # int __user *status, # int flags) # probe nd_syscall.move_pages = kernel.function("sys_move_pages") ?, kernel.function("compat_sys_move_pages") ? { name = "move_pages" argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags) } probe nd_syscall.move_pages.return = kernel.function("sys_move_pages").return ?, kernel.function("compat_sys_move_pages").return ? { name = "move_pages" retstr = returnstr(1) } # mount ______________________________________________________ # long sys_mount(char __user * dev_name, # char __user * dir_name, # char __user * type, # unsigned long flags, # void __user * data) # long compat_sys_mount(char __user * dev_name, # char __user * dir_name, # char __user * type, # unsigned long flags, # void __user * data) probe nd_syscall.mount = kernel.function("sys_mount"), kernel.function("compat_sys_mount") ? { name = "mount" source = user_string($dev_name) target = user_string($dir_name) filesystemtype = user_string($type) mountflags = $flags mountflags_str = _mountflags_str($flags) data = text_strn(user_string($data),syscall_string_trunc,1) argstr = sprintf("%s, %s, %s, %s, %s", user_string_quoted($dev_name), user_string_quoted($dir_name), user_string_quoted($type), mountflags_str, data) } probe nd_syscall.mount.return = kernel.function("sys_mount").return, kernel.function("compat_sys_mount").return ? { name = "mount" retstr = returnstr(1) } # mprotect ___________________________________________________ # long sys_mprotect(unsigned long start, size_t len, unsigned long prot) # probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? { name = "mprotect" addr = $start len = $len prot = $prot prot_str = _mprotect_prot_str($prot) argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot)) } probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? { name = "mprotect" retstr = returnstr(1) } # mq_getsetattr ______________________________________________ # long sys_mq_getsetattr(mqd_t mqdes, # const struct mq_attr __user *u_mqstat, # struct mq_attr __user *u_omqstat) # long compat_sys_mq_getsetattr(mqd_t mqdes, # const struct compat_mq_attr __user *u_mqstat, # struct compat_mq_attr __user *u_omqstat) # probe nd_syscall.mq_getsetattr = kernel.function("sys_mq_getsetattr") ?, kernel.function("compat_sys_mq_getsetattr") ? { name = "mq_getsetattr" mqdes = $mqdes u_mqstat_uaddr = $u_mqstat u_omqstat_uaddr = $u_omqstat argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat) } probe nd_syscall.mq_getsetattr.return = kernel.function("sys_mq_getsetattr").return ?, kernel.function("compat_sys_mq_getsetattr").return ? { name = "mq_getsetattr" retstr = returnstr(1) } # mq_notify __________________________________________________ # long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) # long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification) # probe nd_syscall.mq_notify = kernel.function("sys_mq_notify") ?, kernel.function("compat_sys_mq_notify") ? { name = "mq_notify" mqdes = $mqdes notification_uaddr = $u_notification argstr = sprintf("%d, %p", $mqdes, $u_notification) } probe nd_syscall.mq_notify.return = kernel.function("sys_mq_notify").return ?, kernel.function("compat_sys_mq_notify").return ? { name = "mq_notify" retstr = returnstr(1) } # mq_open ____________________________________________________ # long sys_mq_open(const char __user *u_name, # int oflag, # mode_t mode, # struct mq_attr __user *u_attr) # long compat_sys_mq_open(const char __user *u_name, # int oflag, compat_mode_t mode, # struct compat_mq_attr __user *u_attr) # probe nd_syscall.mq_open = kernel.function("sys_mq_open") ?, kernel.function("compat_sys_mq_open") ? { name = "mq_open" // name_uaddr = $u_name // filename = user_string($u_name) // mode = $mode // u_attr_uaddr = $u_attr // oflag = $oflag // if (oflag & 64) // argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name), // _sys_open_flag_str($oflag), $mode, $u_attr) // else // argstr = sprintf("%s, %s", user_string_quoted($u_name), _sys_open_flag_str($oflag)) asmlinkage() name_uaddr = pointer_arg(1) filename = user_string(name_uaddr) mode = uint_arg(3) u_attr_uaddr = pointer_arg(4) oflag = int_arg(2) if (oflag & 64) argstr = sprintf("%s, %s, %#o, %p", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag), mode, u_attr_uaddr) else argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag)) } probe nd_syscall.mq_open.return = kernel.function("sys_mq_open").return ?, kernel.function("compat_sys_mq_open").return ? { name = "mq_open" retstr = returnstr(1) } # mq_timedreceive ____________________________________________ # ssize_t sys_mq_timedreceive(mqd_t mqdes, # char __user *u_msg_ptr, # size_t msg_len, # unsigned int __user *u_msg_prio, # const struct timespec __user *u_abs_timeout) # ssize_t compat_sys_mq_timedreceive(mqd_t mqdes, # char __user *u_msg_ptr, # size_t msg_len, unsigned int __user *u_msg_prio, # const struct compat_timespec __user *u_abs_timeout) # probe nd_syscall.mq_timedreceive = kernel.function("sys_mq_timedreceive") ?, kernel.function("compat_sys_mq_timedreceive") ? { name = "mq_timedreceive" mqdes = $mqdes msg_ptr_uaddr = $u_msg_ptr msg_len = $msg_len msg_prio_uaddr = $u_msg_prio abs_timout_uaddr = $u_abs_timeout argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len, $u_msg_prio, $u_abs_timeout) } probe nd_syscall.mq_timedreceive.return = kernel.function("sys_mq_timedreceive").return ?, kernel.function("compat_sys_mq_timedreceive").return ? { name = "mq_timedreceive" retstr = returnstr(1) } # mq_timedsend _______________________________________________ # long sys_mq_timedsend(mqd_t mqdes, # const char __user *u_msg_ptr, # size_t msg_len, # unsigned int msg_prio, # const struct timespec __user *u_abs_timeout) # long compat_sys_mq_timedsend(mqd_t mqdes, # const char __user *u_msg_ptr, # size_t msg_len, unsigned int msg_prio, # const struct compat_timespec __user *u_abs_timeout) # probe nd_syscall.mq_timedsend = kernel.function("sys_mq_timedsend") ?, kernel.function("compat_sys_mq_timedsend") ? { name = "mq_timedsend" mqdes = $mqdes msg_ptr_uaddr = $u_msg_ptr msg_len = $msg_len msg_prio = $msg_prio abs_timeout_uaddr = $u_abs_timeout argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len, $msg_prio, $u_abs_timeout) } probe nd_syscall.mq_timedsend.return = kernel.function("sys_mq_timedsend").return ?, kernel.function("compat_sys_mq_timedsend").return ? { name = "mq_timedsend" retstr = returnstr(1) } # mq_unlink __________________________________________________ # long sys_mq_unlink(const char __user *u_name) # probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? { name = "mq_unlink" u_name_uaddr = $u_name u_name = user_string($u_name) argstr = user_string_quoted($u_name) } probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? { name = "mq_unlink" retstr = returnstr(1) } # mremap _____________________________________________________ # unsigned long sys_mremap(unsigned long addr, # unsigned long old_len, # unsigned long new_len, # unsigned long flags, # unsigned long new_addr) # probe nd_syscall.mremap = kernel.function("sys_mremap") ?, kernel.function("ia64_mremap") ? { name = "mremap" old_address = $addr old_size = $old_len new_size = $new_len flags = $flags new_address = $new_addr argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len, _mremap_flags($flags), $new_addr) } probe nd_syscall.mremap.return = kernel.function("sys_mremap").return ?, kernel.function("ia64_mremap").return ? { name = "mremap" retstr = returnstr(2) } # msgctl _____________________________________________________ # long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf) # probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? { name = "msgctl" msqid = $msqid cmd = $cmd buf_uaddr = $buf argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf) } probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? { name = "msgctl" retstr = returnstr(1) } # compat_sys_msgctl ________________________________________ # # long compat_sys_msgctl(int first, int second, void __user *uptr) # probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? { name = "compat_sys_msgctl" argstr = sprintf("%d, %d, %p", $first, $second, $uptr) } probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? { name = "compat_sys_msgctl" retstr = returnstr(1) } # msgget _____________________________________________________ # long sys_msgget (key_t key, int msgflg) # probe nd_syscall.msgget = kernel.function("sys_msgget") ? { name = "msgget" key = $key msgflg = $msgflg msgflg_str = _sys_open_flag_str($msgflg) argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg)) } probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? { name = "msgget" retstr = returnstr(1) } # msgrcv _____________________________________________________ # long sys_msgrcv (int msqid, # struct msgbuf __user *msgp, # size_t msgsz, # long msgtyp, # int msgflg) # probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? { name = "msgrcv" msqid = $msqid msgp_uaddr = $msgp msgsz = $msgsz msgtyp = $msgtyp msgflg = $msgflg argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg) } probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? { name = "msgrcv" retstr = returnstr(1) } # compat_sys_msgrcv ________________________________________ # # long compat_sys_msgrcv(int first, int second, int msgtyp, int third, # int version, void __user *uptr) # probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? { name = "compat_sys_msgrcv" argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) } probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? { name = "compat_sys_msgrcv" retstr = returnstr(1) } # msgsnd _____________________________________________________ # long sys_msgsnd (int msqid, # struct msgbuf __user *msgp, # size_t msgsz, # int msgflg) # probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? { name = "msgsnd" msqid = $msqid msgp_uaddr = $msgp msgsz = $msgsz msgflg = $msgflg argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg) } probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? { name = "msgsnd" retstr = returnstr(1) } # compat_sys_msgsnd ________________________________________ # # long compat_sys_msgsnd(int first, int second, int third, void __user *uptr) # probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? { name = "compat_sys_msgsnd" argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) } probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? { name = "compat_sys_msgsnd" retstr = returnstr(1) } # msync ______________________________________________________ # long sys_msync(unsigned long start, size_t len, int flags) probe nd_syscall.msync = kernel.function("sys_msync") ? { name = "msync" start = $start length = $len flags = $flags argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags)) } probe nd_syscall.msync.return = kernel.function("sys_msync").return ? { name = "msync" retstr = returnstr(1) } # munlock ____________________________________________________ # long sys_munlock(unsigned long start, size_t len) probe nd_syscall.munlock = kernel.function("sys_munlock") ? { name = "munlock" addr = $start len = $len argstr = sprintf("%p, %d", addr, len) } probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? { name = "munlock" retstr = returnstr(1) } # munlockall _________________________________________________ # long sys_munlockall(void) probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? { name = "munlockall" argstr = "" } probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? { name = "munlockall" retstr = returnstr(1) } # munmap _____________________________________________________ # long sys_munmap(unsigned long addr, size_t len) probe nd_syscall.munmap = kernel.function("sys_munmap") { name = "munmap" start = $addr length = $len argstr = sprintf("%p, %d", start, length) } probe nd_syscall.munmap.return = kernel.function("sys_munmap").return { name = "munmap" retstr = returnstr(1) }