# getgroups16 ________________________________________________
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
probe syscall.getgroups16 = kernel.function("sys_getgroups16") {
	# Entry probe for the legacy 16-bit gid variant of getgroups.
	# Exposes the requested set size and the user-space list address,
	# and renders both into argstr in the "%d, %p" form used elsewhere here.
	list_uaddr = $grouplist
	size = $gidsetsize
	name = "getgroups16"
	argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
}
probe syscall.getgroups16.return = kernel.function("sys_getgroups16").return {
	# Return probe for getgroups16; retstr holds the decimal rendering
	# of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "getgroups16"
}
# setgroups16 ________________________________________________
#
# asmlinkage long
# sys_setgroups16(int gidsetsize,
# old_gid_t __user *grouplist)
#
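probe syscall.setgroups16 = kernel.function("sys_setgroups16") {
	# Entry probe for the legacy 16-bit gid variant of setgroups.
	# Exposes the requested set size and the user-space list address.
	name = "setgroups16"
	size = $gidsetsize
	list_uaddr = $grouplist
	# Previously left as "", which hid the arguments of a credential-changing
	# call from every consumer of argstr. Mirror getgroups16's format so
	# the two probes report the same fields the same way.
	argstr = sprintf("%d, %p", size, list_uaddr)
}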
probe syscall.setgroups16.return = kernel.function("sys_setgroups16").return {
	# Return probe for setgroups16; retstr is the decimal rendering
	# of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "setgroups16"
}
# quotactl ___________________________________________________
#
# asmlinkage long
# sys_quotactl(unsigned int cmd,
# const char __user *special,
# qid_t id,
# void __user *addr)
#
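probe syscall.quotactl = kernel.function("sys_quotactl") {
	# Entry probe for quotactl(cmd, special, id, addr).
	# cmd_str is the symbolic command name, special_str the device path
	# read from user space, id the qid, addr_uaddr the user buffer.
	name = "quotactl"
	cmd = $cmd
	cmd_str = _quotactl_cmd_str($cmd)
	special = $special
	# user_string() aborts the probe on an unreadable pointer; $special may
	# legitimately be NULL for commands that take no device, so use the
	# fault-tolerant quoted variant, which reports NULL / <unknown> instead.
	special_str = user_string_quoted($special)
	id = $id
	addr_uaddr = $addr
	# id is a qid_t (an integer), so it is formatted with %d, not %p,
	# matching how other integer arguments are rendered in this file.
	argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str,
		id, addr_uaddr)
}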
probe syscall.quotactl.return = kernel.function("sys_quotactl").return {
	# Return probe for quotactl; retstr is the decimal rendering
	# of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "quotactl"
}
# request_key ________________________________________________
#
# asmlinkage long
# sys_request_key(const char __user *_type,
# const char __user *_description,
# const char __user *_callout_info,
# key_serial_t destringid)
#
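probe syscall.request_key = kernel.function("sys_request_key") ? {
	# Entry probe for request_key(_type, _description, _callout_info,
	# destringid). The three string arguments are exposed as raw
	# user-space addresses; destringid is the destination keyring serial.
	# The trailing '?' keeps the script compilable on kernels without
	# sys_request_key.
	name = "request_key"
	type_uaddr = $_type
	description_uaddr = $_description
	callout_info_uaddr = $_callout_info
	destringid = $destringid
	# destringid is a key_serial_t (integer), so format it with %d;
	# the original %p printed a keyring id as if it were a pointer.
	argstr = sprintf("%p, %p, %p, %d", type_uaddr,
		description_uaddr, callout_info_uaddr, destringid)
}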
probe syscall.request_key.return = kernel.function("sys_request_key").return ? {
	# Return probe for request_key (optional, see the '?'); retstr is the
	# decimal rendering of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "request_key"
}
# arch_prctl _________________________________________________
# long sys_arch_prctl(int code, unsigned long addr)
#
# NOTE: x86_64 only.
#
probe syscall.arch_prctl = kernel.function("sys_arch_prctl") {
	# Entry probe for arch_prctl(code, addr); x86_64 only per the header
	# comment. argstr is built from the exported locals so the two views
	# cannot drift apart.
	name = "arch_prctl"
	addr = $addr
	code = $code
	argstr = sprintf("%d, %p", code, addr)
}
probe syscall.arch_prctl.return = kernel.function("sys_arch_prctl").return {
	# Return probe for arch_prctl; retstr is the decimal rendering
	# of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "arch_prctl"
}
# iopl _______________________________________________________
# long sys_iopl(unsigned int level, struct pt_regs *regs);
# NOTE: This function exists only on i386 and x86_64, and its arguments
# differ between those two archs.
#
probe syscall.iopl = kernel.function("sys_iopl") {
	# Entry probe for iopl(level). Only the requested I/O privilege
	# level is exposed; argstr is its decimal form.
	level = $level
	name = "iopl"
	argstr = sprintf("%d", level)
}
probe syscall.iopl.return = kernel.function("sys_iopl").return {
	# Return probe for iopl; retstr is the decimal rendering
	# of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "iopl"
}
# sigaltstack ________________________________________________
# long sys_sigaltstack(const stack_t __user *uss, stack_t __user *uoss,
# struct pt_regs *regs)
#
# NOTE: args vary between archs.
#
probe syscall.sigaltstack = kernel.function("sys_sigaltstack") {
	# Entry probe for sigaltstack(uss, uoss, regs). The pt_regs pointer
	# is exported as regs_uaddr but, as in the original, deliberately
	# left out of argstr, which shows only the two user stack_t pointers.
	name = "sigaltstack"
	regs_uaddr = $regs
	uoss_uaddr = $uoss
	uss_uaddr = $uss
	argstr = sprintf("%p, %p", uss_uaddr, uoss_uaddr)
}
probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
	# Return probe for sigaltstack; retstr is the decimal rendering
	# of the return value (returnstr format 1).
	retstr = returnstr(1)
	name = "sigaltstack"
}