|
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17 System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64 User : nobody ( 99) PHP Version : 5.2.17 Disable Function : NONE Directory : /proc/21571/root/usr/share/systemtap/tapset/ |
Upload File : |
// syscalls tapset part 2 [N-Z]
// Copyright (C) 2005 IBM Corp.
// Copyright (C) 2005, 2006, 2007, 2010 Red Hat Inc.
// Copyright (C) 2007 Quentin Barnes.
//
// This file is part of systemtap, and is free software. You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.
/* Each syscall returns the calls parameters. In addition, the following
* variables are set:
*
* name - generally the syscall name minus the "sys_".
*
* argstr - a string containing the decoded args in an easy-to-read format.
* It doesn't need to contain everything, but should have all the
* important args. Set in entry probes only.
*
* retstr - a string containing the return value in an easy-to-read format.
* Set in return probes only.
*/
# nanosleep __________________________________________________
#
# long sys_nanosleep(struct timespec __user *rqtp,
# struct timespec __user *rmtp)
# long compat_sys_nanosleep(struct compat_timespec __user *rqtp,
# struct compat_timespec __user *rmtp)
#
probe nd_syscall.nanosleep = kprobe.function("sys_nanosleep") ?
{
name = "nanosleep"
// req_uaddr = $rqtp
// rem_uaddr = $rmtp
// argstr = sprintf("%s, %p", _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
req_uaddr = pointer_arg(1)
rem_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", _struct_timespec_u(req_uaddr, 1), rem_uaddr)
}
probe nd_syscall.nanosleep.return = kprobe.function("sys_nanosleep").return ?
{
name = "nanosleep"
retstr = returnstr(1)
}
probe nd_syscall.compat_nanosleep = kprobe.function("compat_sys_nanosleep") ?
{
name = "nanosleep"
// req_uaddr = $rqtp
// rem_uaddr = $rmtp
// argstr = sprintf("%s, %p", _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
req_uaddr = pointer_arg(1)
rem_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", _struct_compat_timespec_u(req_uaddr, 1), rem_uaddr)
}
probe nd_syscall.compat_nanosleep.return = kprobe.function("compat_sys_nanosleep").return ?
{
name = "nanosleep"
retstr = returnstr(1)
}
# nfsservctl _________________________________________________
#
# long sys_nfsservctl(int cmd, struct nfsctl_arg __user *arg, void __user *res)
# long compat_sys_nfsservctl(int cmd, struct compat_nfsctl_arg __user *arg,
# union compat_nfsctl_res __user *res)
#
probe nd_syscall.nfsservctl = kprobe.function("sys_nfsservctl") ?,
kprobe.function("compat_sys_nfsservctl") ?
{
name = "nfsservctl"
// cmd = $cmd
// argp_uaddr = $arg
// resp_uaddr = $res
// argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str($cmd), $arg, $res)
asmlinkage()
cmd = int_arg(1)
argp_uaddr = pointer_arg(2)
resp_uaddr = pointer_arg(3)
argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str(cmd), argp_uaddr, resp_uaddr)
}
probe nd_syscall.nfsservctl.return = kprobe.function("sys_nfsservctl").return ?,
kprobe.function("compat_sys_nfsservctl").return ?
{
name = "nfsservctl"
retstr = returnstr(1)
}
# nice _______________________________________________________
# long sys_nice(int increment)
#
probe nd_syscall.nice = kprobe.function("sys_nice") ?
{
name = "nice"
// inc = $increment
// argstr = sprintf("%d", $increment)
asmlinkage()
inc = int_arg(1)
argstr = sprintf("%d", inc)
}
probe nd_syscall.nice.return = kprobe.function("sys_nice").return ?
{
name = "nice"
retstr = returnstr(1)
}
# ni_syscall _________________________________________________
#
# long sys_ni_syscall(void)
#
probe nd_syscall.ni_syscall = kprobe.function("sys_ni_syscall")
{
name = "ni_syscall"
argstr = ""
}
probe nd_syscall.ni_syscall.return = kprobe.function("sys_ni_syscall").return
{
name = "ni_syscall"
retstr = returnstr(1)
}
# open _______________________________________________________
# long sys_open(const char __user * filename, int flags, int mode)
# (obsolete) long sys32_open(const char * filename, int flags, int mode)
#
probe nd_syscall.open = kprobe.function("compat_sys_open") ?,
kprobe.function("sys32_open") ?,
kprobe.function("sys_open") ?
{
name = "open"
// filename = user_string($filename)
// flags = $flags
// mode = $mode
// if (flags & 64)
// argstr = sprintf("%s, %s, %#o", user_string_quoted($filename),
// _sys_open_flag_str($flags), $mode)
// else
// argstr = sprintf("%s, %s", user_string_quoted($filename),
// _sys_open_flag_str($flags))
asmlinkage()
filename = user_string(pointer_arg(1))
flags = int_arg(2)
mode = int_arg(3)
if (flags & 64)
argstr = sprintf("%s, %s, %#o", user_string_quoted(pointer_arg(1)),
_sys_open_flag_str(flags), mode)
else
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
_sys_open_flag_str(flags))
}
probe nd_syscall.open.return = kprobe.function("compat_sys_open").return ?,
kprobe.function("sys32_open").return ?,
kprobe.function("sys_open").return ?
{
name = "open"
retstr = returnstr(1)
}
# openat _______________________________________________________
# long sys_openat(int dfd, const char __user *filename, int flags, int mode)
# long compat_sys_openat(unsigned int dfd, const char __user *filename, int flags, int mode)
#
probe nd_syscall.openat = kprobe.function("compat_sys_openat") ?,
kprobe.function("sys_openat") ?
{
name = "openat"
// filename = user_string($filename)
// flags = $flags
// mode = $mode
// if ($flags & 64)
// argstr = sprintf("%s, %s, %s, %#o", _dfd_str($dfd),
// user_string_quoted($filename),
// _sys_open_flag_str($flags), $mode)
// else
// argstr = sprintf("%s, %s, %s", _dfd_str($dfd),
// user_string_quoted($filename),
// _sys_open_flag_str($flags))
asmlinkage()
filename = user_string(pointer_arg(2))
flags = int_arg(3)
mode = int_arg(4)
if (flags & 64)
argstr = sprintf("%s, %s, %s, %#o", _dfd_str(int_arg(1)),
user_string_quoted(pointer_arg(2)),
_sys_open_flag_str(flags), mode)
else
argstr = sprintf("%s, %s, %s", _dfd_str(int_arg(1)),
user_string_quoted(pointer_arg(2)),
_sys_open_flag_str(flags))
}
probe nd_syscall.openat.return = kprobe.function("compat_sys_openat").return ?,
kprobe.function("sys_openat").return ?
{
name = "openat"
retstr = returnstr(1)
}
# pause ______________________________________________________
#
# sys_pause(void)
#
probe nd_syscall.pause = kprobe.function("sys_pause") ?,
kprobe.function("sys32_pause") ?,
kprobe.function("compat_sys_pause") ?
{
name = "pause"
argstr = ""
}
probe nd_syscall.pause.return = kprobe.function("sys_pause").return ?,
kprobe.function("sys32_pause").return ?,
kprobe.function("compat_sys_pause").return ?
{
name = "pause"
retstr = returnstr(1)
}
# pciconfig_iobase ___________________________________________
#
# asmlinkage long
# sys_pciconfig_iobase(long which,
# unsigned long bus,
# unsigned long dfn)
#
#
#probe nd_syscall.pciconfig_iobase = kprobe.function("sys_pciconfig_iobase")
#{
# name = "pciconfig_iobase"
# which = $which
# bus = $bus
# dfn = $dfn
# argstr = sprintf("%p, %p, %p", which, bus, dfn)
#}
#probe nd_syscall.pciconfig_iobase.return = kprobe.function("sys_pciconfig_iobase").return
#{
# name = "pciconfig_iobase"
# retstr = returnstr(1)
#}
# pciconfig_read _____________________________________________
#
# asmlinkage int
# sys_pciconfig_read(unsigned long bus,
# unsigned long dfn,
# unsigned long off,
# unsigned long len,
# unsigned char *buf)
# { return 0; }
#
#
#probe nd_syscall.pciconfig_read = kprobe.function("sys_pciconfig_read")
#{
# name = "pciconfig_read"
# bus = $bus
# dfn = $dfn
# off = $off
# len = $len
# buf_uaddr = $buf
# argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
# len, buf_uaddr)
#}
#probe nd_syscall.pciconfig_read.return = kprobe.function("sys_pciconfig_read").return
#{
# name = "pciconfig_read"
# retstr = returnstr(1)
#}
# pciconfig_write ____________________________________________
#
# asmlinkage int
# sys_pciconfig_write(unsigned long bus,
# unsigned long dfn,
# unsigned long off,
# unsigned long len,
# unsigned char *buf)
#
#
#probe nd_syscall.pciconfig_write = kprobe.function("sys_pciconfig_write")
#{
# name = "pciconfig_write"
# bus = $bus
# dfn = $dfn
# off = $off
# len = $len
# buf_uaddr = $buf
# argstr = sprintf("%p, %p, %p, %d, %p", bus, dfn, off,
# len, buf_uaddr)
#}
#probe nd_syscall.pciconfig_write.return = kprobe.function("sys_pciconfig_write").return
#{
# name = "pciconfig_write"
# retstr = returnstr(1)
#}
# personality ________________________________________________
#
# asmlinkage long
# sys_personality(u_long personality)
#
probe nd_syscall.personality = kprobe.function("sys_personality") ?
{
name = "personality"
// persona = $personality
asmlinkage()
persona = ulong_arg(1)
argstr = sprintf("%p", persona);
}
probe nd_syscall.personality.return = kprobe.function("sys_personality").return ?
{
name = "personality"
retstr = returnstr(1)
}
# pipe _______________________________________________________
#
# asmlinkage int
# sys_pipe(unsigned long __user * fildes)
#
# FIXME: needs to handle sys_pipe2
# FIXME: needs to support pipe0/pipe1
probe nd_syscall.pipe =
%( arch == "ia64" %?
kprobe.function("sys_ia64_pipe") ?,
%)
kprobe.function("sys_pipe") ?
{
name = "pipe"
flags = 0
flag_str = ""
%( arch == "ia64" %?
# ia64 just returns value directly, so fake the arguments
fildes_uaddr = 0
argstr = "[0, 0]"
%:
// fildes_uaddr = $fildes
// argstr = _fildes_u($fildes)
%( arch != "powerpc" %? asmlinkage() %)
fildes_uaddr = pointer_arg(1)
argstr = _fildes_u(fildes_uaddr)
%)
}
# FIXME: needs to handle sys_pipe2.return
# FIXME: needs to support pipe0/pipe1
probe nd_syscall.pipe.return =
%( arch == "ia64" %?
kprobe.function("sys_ia64_pipe").return ?,
%)
kprobe.function("sys_pipe").return ?
{
name = "pipe"
retstr = returnstr(1)
}
# pivot_root _________________________________________________
#
# long sys_pivot_root(const char __user *new_root, const char __user *put_old)
#
probe nd_syscall.pivot_root = kprobe.function("sys_pivot_root") ?
{
name = "pivot_root"
// new_root_str = user_string($new_root)
// old_root_str = user_string($put_old)
// argstr = sprintf("%s, %s", user_string_quoted($new_root),
// user_string_quoted($put_old))
asmlinkage()
new_root_str = user_string(pointer_arg(1))
old_root_str = user_string(pointer_arg(2))
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)))
}
probe nd_syscall.pivot_root.return = kprobe.function("sys_pivot_root").return ?
{
name = "pivot_root"
retstr = returnstr(1)
}
# poll _______________________________________________________
#
# long sys_poll(struct pollfd __user * ufds, unsigned int nfds, long timeout)
#
probe nd_syscall.poll = kprobe.function("sys_poll") ?
{
name = "poll"
// ufds_uaddr = $ufds
// nfds = $nfds
// timeout = $timeout
// argstr = sprintf("%p, %d, %d", $ufds, $nfds, timeout)
asmlinkage()
ufds_uaddr = pointer_arg(1)
nfds = uint_arg(2)
timeout = long_arg(3)
argstr = sprintf("%p, %d, %d", ufds_uaddr, nfds, timeout)
}
probe nd_syscall.poll.return = kprobe.function("sys_poll").return ?
{
name = "poll"
retstr = returnstr(1)
}
# ppoll _______________________________________________________
#
# long sys_ppoll(struct pollfd __user *ufds, unsigned int nfds,
# struct timespec __user *tsp, const sigset_t __user *sigmask,
# size_t sigsetsize)
#
probe nd_syscall.ppoll = kprobe.function("sys_ppoll") ?
{
name = "ppoll"
// argstr = sprintf("%p, %d, %s, %p, %d",
// $ufds,
// $nfds,
// _struct_timespec_u($tsp, 1),
// $sigmask,
// $sigsetsize)
asmlinkage()
argstr = sprintf("%p, %d, %s, %p, %d",
pointer_arg(1),
uint_arg(2),
_struct_timespec_u(pointer_arg(3), 1),
pointer_arg(4),
ulong_arg(5))
}
probe nd_syscall.ppoll.return = kprobe.function("sys_ppoll").return ?
{
name = "ppoll"
retstr = returnstr(1)
}
# long compat_sys_ppoll(struct pollfd __user *ufds,
# unsigned int nfds, struct compat_timespec __user *tsp,
# const compat_sigset_t __user *sigmask, compat_size_t sigsetsize)
#
probe nd_syscall.compat_ppoll = kprobe.function("compat_sys_ppoll") ?
{
name = "ppoll"
// argstr = sprintf("%p, %d, %s, %p, %d",
// $ufds,
// $nfds,
// _struct_compat_timespec_u($tsp, 1),
// $sigmask,
// $sigsetsize)
asmlinkage()
argstr = sprintf("%p, %d, %s, %p, %d",
pointer_arg(1),
uint_arg(2),
_struct_compat_timespec_u(pointer_arg(3), 1),
pointer_arg(4),
u32_arg(5))
}
probe nd_syscall.compat_ppoll.return = kprobe.function("compat_sys_ppoll").return ?
{
name = "ppoll"
retstr = returnstr(1)
}
# prctl ______________________________________________________
#
# asmlinkage long
# sys_prctl(int option,
# unsigned long arg2,
# unsigned long arg3,
# unsigned long arg4,
# unsigned long arg5)
#
probe nd_syscall.prctl = kprobe.function("sys_prctl") ?
{
name = "prctl"
// option = $option
// arg2 = $arg2
// arg3 = $arg3
// arg4 = $arg4
// arg5 = $arg5
asmlinkage()
option = int_arg(1)
arg2 = ulong_arg(2)
arg3 = ulong_arg(3)
arg4 = ulong_arg(4)
arg5 = ulong_arg(5)
argstr = sprintf("%p, %p, %p, %p, %p", option, arg2, arg3,
arg4, arg5)
}
probe nd_syscall.prctl.return = kprobe.function("sys_prctl").return ?
{
name = "prctl"
retstr = returnstr(1)
}
# pread64 ____________________________________________________
#
# ssize_t sys_pread64(unsigned int fd,
# char __user *buf,
# size_t count,
# loff_t pos)
#
probe nd_syscall.pread = kprobe.function("sys_pread64") ?
{
name = "pread"
// fd = $fd
// buf_uaddr = $buf
// count = $count
// offset = $pos
// argstr = sprintf("%d, %p, %d, %d", $fd, $buf, $count, $pos)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
count = ulong_arg(3)
offset = longlong_arg(4)
argstr = sprintf("%d, %p, %d, %d", fd, buf_uaddr, count, offset)
}
probe nd_syscall.pread.return = kprobe.function("sys_pread64").return ?
{
name = "pread"
retstr = returnstr(1)
}
# pselect6 _____________________________________________________
#
# long sys_pselect6(int n, fd_set __user *inp, fd_set __user *outp,
# fd_set __user *exp, struct timespec __user *tsp, void __user *sig)
#
probe nd_syscall.pselect6 = kprobe.function("sys_pselect6") ?
{
name = "pselect6"
// argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
// _struct_timespec_u($tsp, 1), $sig)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
_struct_timespec_u(pointer_arg(5), 1), pointer_arg(6))
}
probe nd_syscall.pselect6.return = kprobe.function("sys_pselect6").return ?
{
name = "pselect6"
retstr = returnstr(1)
}
probe nd_syscall.compat_pselect6 = kprobe.function("compat_sys_pselect6") ?
{
name = "pselect6"
// argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
// _struct_compat_timespec_u($tsp, 1), $sig)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1), pointer_arg(2), pointer_arg(3), pointer_arg(4),
_struct_compat_timespec_u(pointer_arg(5), 1), pointer_arg(6))
}
probe nd_syscall.compat_pselect6.return = kprobe.function("compat_sys_pselect6").return ?
{
name = "pselect6"
retstr = returnstr(1)
}
# pselect7 _____________________________________________________
#
# long sys_pselect7(int n, fd_set __user *inp, fd_set __user *outp,
# fd_set __user *exp, struct timespec __user *tsp,
# const sigset_t __user *sigmask, size_t sigsetsize)
#
probe nd_syscall.pselect7 = kprobe.function("sys_pselect7") ?
{
name = "pselect7"
// argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
// _struct_timespec_u($tsp, 1), $sigmask, $sigsetsize)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1),
pointer_arg(2), pointer_arg(3), pointer_arg(4),
_struct_timespec_u(pointer_arg(5), 1),
pointer_arg(6),
%( arch != "s390" %?
ulong_arg(7))
%:
-1)
%)
}
probe nd_syscall.pselect7.return = kprobe.function("sys_pselect7").return ?
{
name = "pselect7"
retstr = returnstr(1)
}
# Through a typo, 'compat_pselect7' was misnamed as
# 'compat_pselect7a' (notice the trailing 'a'). The old name is
# deprecated. To use the old name without changing your script, use
# the '--compatible 1.4' stap option.
probe
%( systemtap_v <= "1.4"
%? nd_syscall.compat_pselect7a %: nd_syscall.compat_pselect7
%) =
kernel.function("compat_sys_pselect7").call ?
{
name = "pselect7"
//argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
// _struct_compat_timespec_u($tsp, 1), $sigmask, $sigsetsize)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1),
pointer_arg(2), pointer_arg(3), pointer_arg(4),
_struct_timespec_u(pointer_arg(5), 1),
pointer_arg(6),
%( arch != "s390" %?
ulong_arg(7))
%:
-1)
%)
}
probe nd_syscall.compat_pselect7.return = kprobe.function("compat_sys_pselect7").return ?
{
name = "pselect7"
retstr = returnstr(1)
}
# ptrace _____________________________________________________
#
# int sys_ptrace(long request,
# long pid,
# long addr,
# long data)
#
probe nd_syscall.ptrace = kprobe.function("sys_ptrace") ?
{
name = "ptrace"
// request = $request
// pid = $pid
// addr = $addr
// data = $data
asmlinkage()
request = long_arg(1)
pid = long_arg(2)
addr = long_arg(3)
data = long_arg(4)
argstr = _ptrace_argstr(request, pid, addr, data)
}
probe nd_syscall.ptrace.return = kprobe.function("sys_ptrace").return ?
{
name = "ptrace"
retstr = returnstr(1)
// long_arg values are not available here.
geteventmsg_data = 0
arch_prctl_addr = 0
}
# pwrite64 ___________________________________________________
#
# ssize_t sys_pwrite64(unsigned int fd,
# const char __user *buf,
# size_t count,
# loff_t pos)
#
probe nd_syscall.pwrite = kprobe.function("sys_pwrite64") ?
{
name = "pwrite"
// fd = $fd
// buf_uaddr = $buf
// count = $count
// offset = $pos
// argstr = sprintf("%d, %s, %d, %d", $fd,
// text_strn(user_string($buf), syscall_string_trunc, 1),
// $count, $pos)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
count = ulong_arg(3)
offset = longlong_arg(4)
argstr = sprintf("%d, %s, %d, %d", fd,
text_strn(user_string(buf_uaddr), syscall_string_trunc, 1),
count, offset)
}
probe nd_syscall.pwrite.return = kprobe.function("sys_pwrite64").return ?
{
name = "pwrite"
retstr = returnstr(1)
}
# long sys32_pwrite64(unsigned int fd, const char __user *ubuf,
# size_t count, u32 poshi, u32 poslo)
probe nd_syscall.pwrite32 = kprobe.function("sys32_pwrite64") ?
{
name = "pwrite"
// fd = $fd
// buf_uaddr = $buf
// count = $count
// offset = ($poshi << 32) + $poslo
// %( arch == "s390" %?
// buf_uaddr = $ubuf
// argstr = sprintf("%d, %s, %d, %d", $fd,
// text_strn(user_string($ubuf), syscall_string_trunc, 1),
// $count, ($poshi << 32) + $poslo)
// %:
// buf_uaddr = $buf
// argstr = sprintf("%d, %s, %d, %d", $fd,
// text_strn(user_string($buf), syscall_string_trunc, 1),
// $count, ($poshi << 32) + $poslo)
// %)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
count = ulong_arg(3)
offset = (u32_arg(4) << 32) + u32_arg(5)
argstr = sprintf("%d, %s, %d, %d", fd,
text_strn(user_string(buf_uaddr), syscall_string_trunc, 1),
count, offset)
}
probe nd_syscall.pwrite32.return = kprobe.function("sys32_pwrite64").return ?
{
name = "pwrite"
retstr = returnstr(1)
}
# quotactl ___________________________________________________
#
# long sys_quotactl(unsigned int cmd,
# const char __user *special,
# qid_t id,
# void __user *addr)
#
probe nd_syscall.quotactl = kprobe.function("sys_quotactl") ?
{
name = "quotactl"
// cmd = $cmd
// cmd_str = _quotactl_cmd_str($cmd)
// special = $special
// special_str = user_string($special)
// id = $id
// addr_uaddr = $addr
// argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, $id, $addr)
asmlinkage()
cmd = uint_arg(1)
cmd_str = _quotactl_cmd_str(cmd)
special = pointer_arg(2)
special_str = user_string(special)
id = uint_arg(3)
addr_uaddr = pointer_arg(4)
argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, id, addr_uaddr)
}
probe nd_syscall.quotactl.return = kprobe.function("sys_quotactl").return ?
{
name = "quotactl"
retstr = returnstr(1)
}
# read _______________________________________________________
# ssize_t sys_read(unsigned int fd, char __user * buf, size_t count)
probe nd_syscall.read = kprobe.function("sys_read") ?
{
name = "read"
// fd = $fd
// buf_uaddr = $buf
// count = $count
// argstr = sprintf("%d, %p, %d", $fd, $buf, $count)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
count = ulong_arg(3)
argstr = sprintf("%d, %p, %d", fd, buf_uaddr, count)
}
probe nd_syscall.read.return = kprobe.function("sys_read").return ?
{
name = "read"
retstr = returnstr(1)
}
# readahead __________________________________________________
#
# asmlinkage ssize_t
# sys_readahead(int fd,
# loff_t offset,
# size_t count)
#
probe nd_syscall.readahead = kprobe.function("sys_readahead") ?
{
name = "readahead"
// fd = $fd
// offset = $offset
// count = $count
asmlinkage()
fd = int_arg(1)
offset = longlong_arg(2)
count = ulong_arg(3)
argstr = sprintf("%d, %p, %p", fd, offset, count)
}
probe nd_syscall.readahead.return = kprobe.function("sys_readahead").return ?
{
name = "readahead"
retstr = returnstr(1)
}
# readdir ___________________________________________________
#
# long compat_sys_old_readdir(unsigned int fd, struct compat_old_linux_dirent __user *dirent, unsigned int count)
# int old32_readdir(unsigned int fd, struct old_linux_dirent32 *dirent, unsigned int count)
#
probe nd_syscall.readdir = kprobe.function("compat_sys_old_readdir") ?,
kprobe.function("old32_readdir") ?
{
name = "readdir"
// argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
asmlinkage()
argstr = sprintf("%d, %p, %d", uint_arg(1), pointer_arg(2), uint_arg(3))
}
probe nd_syscall.readdir.return = kprobe.function("compat_sys_old_readdir").return ?,
kprobe.function("old32_readdir").return ?
{
name = "readdir"
retstr = returnstr(1)
}
# readlink ___________________________________________________
#
# long sys_readlink(const char __user * path,
# char __user * buf,
# int bufsiz)
#
probe nd_syscall.readlink = kprobe.function("sys_readlink") ?
{
name = "readlink"
// path = user_string($path)
// buf_uaddr = $buf
// bufsiz = $bufsiz
// argstr = sprintf("%s, %p, %d", user_string_quoted($path),
// $buf, $bufsiz)
asmlinkage()
path = user_string(pointer_arg(1))
buf_uaddr = pointer_arg(2)
bufsiz = int_arg(3)
argstr = sprintf("%s, %p, %d", user_string_quoted(pointer_arg(1)),
buf_uaddr, bufsiz)
}
probe nd_syscall.readlink.return = kprobe.function("sys_readlink").return ?
{
name = "readlink"
retstr = returnstr(1)
}
# readlinkat ___________________________________________________
#
# long sys_readlinkat(int dfd, const char __user * path,
# char __user * buf,
# int bufsiz)
#
probe nd_syscall.readlinkat = kprobe.function("sys_readlinkat") ?
{
name = "readlinkat"
//dfd = $dfd
// path = user_string($path)
// buf_uaddr = $buf
// bufsiz = $bufsiz
// argstr = sprintf("%s, %s, %p, %d", _dfd_str($dfd), user_string_quoted($path),
// $buf, $bufsiz)
asmlinkage()
dfd = int_arg(1)
path = user_string(pointer_arg(2))
buf_uaddr = pointer_arg(3)
bufsiz = int_arg(4)
argstr = sprintf("%s, %s, %p, %d", _dfd_str(dfd), user_string_quoted(pointer_arg(2)),
buf_uaddr, bufsiz)
}
probe nd_syscall.readlinkat.return = kprobe.function("sys_readlinkat").return ?
{
name = "readlinkat"
retstr = returnstr(1)
}
# readv ______________________________________________________
#
# ssize_t sys_readv(unsigned long fd,
# const struct iovec __user *vec,
# unsigned long vlen)
# ssize_t compat_sys_readv(unsigned long fd,
# const struct compat_iovec __user *vec,
# unsigned long vlen)
#
probe nd_syscall.readv = kprobe.function("compat_sys_readv") ?,
kprobe.function("sys_readv") ?
{
name = "readv"
// vector_uaddr = $vec
// count = $vlen
// fd = $fd
// argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
asmlinkage()
vector_uaddr = pointer_arg(2)
count = ulong_arg(3)
fd = ulong_arg(1)
argstr = sprintf("%d, %p, %d", fd, vector_uaddr, count)
}
probe nd_syscall.readv.return = kprobe.function("compat_sys_readv").return ?,
kprobe.function("sys_readv").return ?
{
name = "readv"
retstr = returnstr(1)
}
# reboot _____________________________________________________
#
# long sys_reboot(int magic1,
# int magic2,
# unsigned int cmd,
# void __user * arg)
#
probe nd_syscall.reboot = kprobe.function("sys_reboot") ?
{
name = "reboot"
// magic = $magic1
// magic_str = _reboot_magic_str($magic1)
// magic2 = $magic2
// magic2_str =_reboot_magic_str($magic2)
// flag = $cmd
// flag_str = _reboot_flag_str($cmd)
// arg_uaddr = $arg
// argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
// flag_str, $arg)
asmlinkage()
magic = int_arg(1)
magic_str = _reboot_magic_str(magic)
magic2 = int_arg(2)
magic2_str =_reboot_magic_str(magic2)
flag = uint_arg(3)
flag_str = _reboot_flag_str(flag)
arg_uaddr = pointer_arg(4)
argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
flag_str, arg_uaddr)
}
probe nd_syscall.reboot.return = kprobe.function("sys_reboot").return ?
{
name = "reboot"
retstr = returnstr(1)
}
# recv _______________________________________________________
#
# long sys_recv(int fd, void __user *ubuf, size_t size, unsigned flags)
#
probe nd_syscall.recv = kprobe.function("sys_recv") ?
{
name = "recv"
// s = $fd
// buf_uaddr = $ubuf
// len = $size
// flags = $flags
// flags_str = _recvflags_str($flags)
// argstr = sprintf("%d, %p, %d, %s", $fd, $ubuf, $size, _recvflags_str($flags))
asmlinkage()
s = int_arg(1)
buf_uaddr = pointer_arg(2)
len = ulong_arg(3)
flags = uint_arg(4)
flags_str = _recvflags_str(flags)
argstr = sprintf("%d, %p, %d, %s", s, buf_uaddr, len, flags_str)
}
probe nd_syscall.recv.return = kprobe.function("sys_recv").return ?
{
name = "recv"
retstr = returnstr(1)
}
# recvfrom ___________________________________________________
#
# long sys_recvfrom(int fd,
# void __user * ubuf,
# size_t size,
# unsigned flags,
# struct sockaddr __user *addr,
# int __user *addr_len)
#
probe nd_syscall.recvfrom = kprobe.function("sys_recvfrom") ?
{
name = "recvfrom"
// s = $fd
// buf_uaddr = $ubuf
// len = $size
// flags = $flags
// flags_str = _recvflags_str($flags)
// addr_uaddr = $addr
// addrlen_uaddr = $addr_len
// argstr = sprintf("%d, %p, %d, %s, %p, %p",
// $fd, $ubuf, $size, _recvflags_str($flags), $addr, $addr_len)
asmlinkage()
s = int_arg(1)
buf_uaddr = pointer_arg(2)
len = ulong_arg(3)
flags = uint_arg(4)
flags_str = _recvflags_str(flags)
addr_uaddr = pointer_arg(5)
addrlen_uaddr = pointer_arg(6)
argstr = sprintf("%d, %p, %d, %s, %p, %p",
s, buf_uaddr, len, flags_str, addr_uaddr, addrlen_uaddr)
}
probe nd_syscall.recvfrom.return = kprobe.function("sys_recvfrom").return ?
{
name = "recvfrom"
retstr = returnstr(1)
}
# recvmsg ____________________________________________________
#
# long sys_recvmsg(int fd,
# struct msghdr __user *msg,
# unsigned int flags)
#
probe nd_syscall.recvmsg = kprobe.function("sys_recvmsg") ?
{
name = "recvmsg"
// s = $fd
// msg_uaddr = $msg
// flags = $flags
// flags_str = _recvflags_str($flags)
// argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
asmlinkage()
s = int_arg(1)
msg_uaddr = pointer_arg(2)
flags = uint_arg(3)
flags_str = _recvflags_str(flags)
argstr = sprintf("%d, %p, %s", s, msg_uaddr, flags_str)
}
probe nd_syscall.recvmsg.return = kprobe.function("sys_recvmsg").return ?
{
name = "recvmsg"
retstr = returnstr(1)
}
# compat_sys_recvmsg ________________________________________
#
# long compat_sys_recvmsg(int fd,
# struct compat_msghdr __user *msg,
# unsigned int flags)
#
probe nd_syscall.compat_sys_recvmsg = kprobe.function("compat_sys_recvmsg") ?
{
name = "compat_sys_recvmsg"
// s = $fd
// msg_uaddr = $msg
// flags = $flags
// argstr = sprintf("%d, %p, %s", $fd, $msg, _recvflags_str($flags))
asmlinkage()
s = int_arg(1)
msg_uaddr = pointer_arg(2)
flags = uint_arg(3)
flags_str = _recvflags_str(flags)
argstr = sprintf("%d, %p, %s", s, msg_uaddr, _recvflags_str(flags))
}
probe nd_syscall.compat_sys_recvmsg.return = kprobe.function("compat_sys_recvmsg").return ?
{
name = "compat_sys_recvmsg"
retstr = returnstr(1)
}
# remap_file_pages ___________________________________________
#
# long sys_remap_file_pages(unsigned long start,
# unsigned long size,
# unsigned long __prot,
# unsigned long pgoff,
# unsigned long flags)
#
probe nd_syscall.remap_file_pages = kprobe.function("sys_remap_file_pages") ?
{
name = "remap_file_pages"
// start = $start
// size = $size
// prot = (@defined($prot) ? $prot : $__prot)
// pgoff = $pgoff
// flags = $flags
asmlinkage()
start = ulong_arg(1)
size = ulong_arg(2)
prot = ulong_arg(3)
pgoff = ulong_arg(4)
flags = ulong_arg(5)
argstr = sprintf("%p, %p, %p, %p, %p", start, size, prot,
pgoff, flags)
}
probe nd_syscall.remap_file_pages.return = kprobe.function("sys_remap_file_pages").return ?
{
name = "remap_file_pages"
retstr = returnstr(1)
}
# removexattr ________________________________________________
#
# asmlinkage long
# sys_removexattr(char __user *path,
# char __user *name)
#
probe nd_syscall.removexattr = kprobe.function("sys_removexattr") ?
{
name = "removexattr"
// path = user_string($path)
// name_str = user_string($name)
// argstr = sprintf("%s, %s", user_string_quoted($path),
// user_string_quoted($name))
asmlinkage()
path = user_string(pointer_arg(1))
name_str = user_string(pointer_arg(2))
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)))
}
probe nd_syscall.removexattr.return = kprobe.function("sys_removexattr").return ?
{
name = "removexattr"
retstr = returnstr(1)
}
# rename _____________________________________________________
#
# asmlinkage long
# sys_rename(const char __user * oldname,
# const char __user * newname)
#
probe nd_syscall.rename = kprobe.function("sys_rename") ?
{
name = "rename"
// oldpath = user_string($oldname)
// newpath = user_string($newname)
// argstr = sprintf("%s, %s", user_string_quoted($oldname),
// user_string_quoted($newname))
asmlinkage()
oldpath = user_string(pointer_arg(1))
newpath = user_string(pointer_arg(2))
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)))
}
probe nd_syscall.rename.return = kprobe.function("sys_rename").return ?
{
name = "rename"
retstr = returnstr(1)
}
# renameat ___________________________________________________
# new function with 2.6.16
# long sys_renameat(int olddfd, const char __user *oldname,
# int newdfd, const char __user *newname)
probe nd_syscall.renameat = kprobe.function("sys_renameat") ?
{
name = "renameat"
// olddfd = $olddfd
// olddfd_str = _dfd_str($olddfd)
// oldname = $oldname
// oldname_str = user_string($oldname)
// newdfd = $newdfd
// newdfd_str = _dfd_str($newdfd)
// newname = $newname
// newname_str = user_string($newname)
// argstr = sprintf("%s, %s, %s, %s",
// olddfd_str, user_string_quoted($oldname),
// newdfd_str, user_string_quoted($newname))
asmlinkage()
olddfd = int_arg(1)
olddfd_str = _dfd_str(olddfd)
oldname = pointer_arg(2)
oldname_str = user_string(oldname)
newdfd = int_arg(3)
newdfd_str = _dfd_str(newdfd)
newname = pointer_arg(4)
newname_str = user_string(newname)
argstr = sprintf("%s, %s, %s, %s",
olddfd_str, user_string_quoted(oldname),
newdfd_str, user_string_quoted(newname))
}
probe nd_syscall.renameat.return = kprobe.function("sys_renameat").return ?
{
name = "renameat"
retstr = returnstr(1)
}
# request_key ________________________________________________
#
# long sys_request_key(const char __user *_type,
# const char __user *_description,
# const char __user *_callout_info,
# key_serial_t destringid)
# compat_sys_request_key() calls sys_request_key, so don't need probe there.
#
probe nd_syscall.request_key = kprobe.function("sys_request_key") ?
{
name = "request_key"
// type_uaddr = $_type
// description_uaddr = $_description
// callout_info_uaddr = $_callout_info
// destringid = $destringid
// argstr = sprintf("%p, %p, %p, %p", $_type, $_description, $_callout_info, $destringid)
asmlinkage()
type_uaddr = pointer_arg(1)
description_uaddr = pointer_arg(2)
callout_info_uaddr = pointer_arg(3)
destringid = u32_arg(4)
argstr = sprintf("%p, %p, %p, %p", type_uaddr, description_uaddr, callout_info_uaddr, destringid)
}
probe nd_syscall.request_key.return = kprobe.function("sys_request_key").return ?
{
name = "request_key"
retstr = returnstr(1)
}
# restart_syscall ____________________________________________
#
# asmlinkage long
# sys_restart_syscall(void)
#
probe nd_syscall.restart_syscall = kprobe.function("sys_restart_syscall")
{
name = "restart_syscall"
argstr = ""
}
probe nd_syscall.restart_syscall.return = kprobe.function("sys_restart_syscall").return
{
name = "restart_syscall"
retstr = returnstr(1)
}
# rmdir ______________________________________________________
#
# asmlinkage long
# sys_rmdir(const char __user * pathname)
#
probe nd_syscall.rmdir = kprobe.function("sys_rmdir") ?
{
name = "rmdir"
// pathname = user_string($pathname)
// argstr = user_string_quoted($pathname)
asmlinkage()
pathname = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
probe nd_syscall.rmdir.return = kprobe.function("sys_rmdir").return ?
{
name = "rmdir"
retstr = returnstr(1)
}
# rt_sigaction _______________________________________________
#
# sys_rt_sigaction(int sig,
# const struct sigaction __user *act,
# struct sigaction __user *oact,
# size_t sigsetsize)
#
probe nd_syscall.rt_sigaction = kprobe.function("sys_rt_sigaction") ?
{
name = "rt_sigaction"
// sig = $sig
// act_uaddr = $act
// oact_uaddr = $oact
// sigsetsize = $sigsetsize
// argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
// _struct_sigaction_u($act), $oact, $sigsetsize)
asmlinkage()
sig = int_arg(1)
act_uaddr = pointer_arg(2)
oact_uaddr = pointer_arg(3)
sigsetsize = ulong_arg(4)
argstr = sprintf("%s, {%s}, %p, %d", _signal_name(sig),
_struct_sigaction_u(act_uaddr), oact_uaddr, sigsetsize)
}
probe nd_syscall.rt_sigaction.return = kprobe.function("sys_rt_sigaction").return ?
{
name = "rt_sigaction"
retstr = returnstr(1)
}
#
# long sys32_rt_sigaction(int sig,
# struct sigaction32 __user *act,
# struct sigaction32 __user *oact,
# unsigned int sigsetsize)
# ppc only
# compat_sys_rt_sigaction(int sig,
# const struct sigaction32 __user *act,
# struct sigaction32 __user *oact,
# size_t sigsetsize)
probe nd_syscall.rt_sigaction32 = kprobe.function("sys32_rt_sigaction") ?,
kprobe.function("compat_sys_rt_sigaction") ?
{
name = "rt_sigaction"
// sig = $sig
// act_uaddr = $act
// oact_uaddr = $oact
// sigsetsize = $sigsetsize
// argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
// _struct_sigaction32_u($act), $oact, $sigsetsize)
asmlinkage()
sig = int_arg(1)
act_uaddr = pointer_arg(2)
oact_uaddr = pointer_arg(3)
sigsetsize = uint_arg(4)
argstr = sprintf("%s, {%s}, %p, %d", _signal_name(sig),
_struct_sigaction32_u(act_uaddr), oact_uaddr, sigsetsize)
}
probe nd_syscall.rt_sigaction32.return = kprobe.function("sys32_rt_sigaction").return ?,
kprobe.function("compat_sys_rt_sigaction").return ?
{
name = "rt_sigaction"
retstr = returnstr(1)
}
# rt_sigpending ______________________________________________
#
# long sys_rt_sigpending(sigset_t __user *set, size_t sigsetsize)
#
probe nd_syscall.rt_sigpending = kprobe.function("sys_rt_sigpending") ?
{
name = "rt_sigpending"
// set_uaddr = $set
// sigsetsize = $sigsetsize
// argstr = sprintf("%p, %d", $set, $sigsetsize)
asmlinkage()
set_uaddr = pointer_arg(1)
sigsetsize = ulong_arg(2)
argstr = sprintf("%p, %d", set_uaddr, sigsetsize)
}
probe nd_syscall.rt_sigpending.return = kprobe.function("sys_rt_sigpending").return ?
{
name = "rt_sigpending"
retstr = returnstr(1)
}
# rt_sigprocmask _____________________________________________
# long sys32_rt_sigprocmask(u32 how, compat_sigset_t __user *set, compat_sigset_t __user *oset, size_t sigsetsize)
# long compat_sys_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset, compat_size_t sigsetsize)
# long sys_rt_sigprocmask(int how, sigset_t __user *set, sigset_t __user *oset, size_t sigsetsize)
#
probe nd_syscall.rt_sigprocmask = kprobe.function("sys32_rt_sigprocmask") ?,
kprobe.function("compat_sys_rt_sigprocmask") ?,
kprobe.function("sys_rt_sigprocmask") ?
{
name = "rt_sigprocmask"
// how = $how
// how_str = _sigprocmask_how_str($how)
// set_uaddr = $set
// oldset_uaddr = $oset
// argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u($set),
// $oset, $sigsetsize)
if (probefunc() != "compat_sys_rt_sigprocmask")
asmlinkage()
how = int_arg(1)
how_str = _sigprocmask_how_str(how)
set_uaddr = pointer_arg(2)
oldset_uaddr = pointer_arg(3)
argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u(set_uaddr),
oldset_uaddr, uint_arg(4))
}
probe nd_syscall.rt_sigprocmask.return = kprobe.function("sys32_rt_sigprocmask").return ?,
kprobe.function("compat_sys_rt_sigprocmask").return ?,
kprobe.function("sys_rt_sigprocmask").return ?
{
name = "rt_sigprocmask"
retstr = returnstr(1)
}
# rt_sigqueueinfo ____________________________________________
#
# long sys_rt_sigqueueinfo(int pid, int sig, siginfo_t __user *uinfo)
#
probe nd_syscall.rt_sigqueueinfo = kprobe.function("sys_rt_sigqueueinfo") ?
{
name = "rt_sigqueueinfo"
// pid = $pid
// sig = $sig
// uinfo_uaddr = $uinfo
// argstr = sprintf("%d, %s, %p", $pid, _signal_name($sig), $uinfo)
asmlinkage()
pid = int_arg(1)
sig = int_arg(2)
uinfo_uaddr = pointer_arg(3)
argstr = sprintf("%d, %s, %p", pid, _signal_name(sig), uinfo_uaddr)
}
probe nd_syscall.rt_sigqueueinfo.return = kprobe.function("sys_rt_sigqueueinfo").return ?
{
name = "rt_sigqueueinfo"
retstr = returnstr(1)
}
# rt_sigreturn _______________________________________________
# int sys_rt_sigreturn(unsigned long __unused)
#
probe nd_syscall.rt_sigreturn = kprobe.function("sys_rt_sigreturn") ?,
kprobe.function("sys32_rt_sigreturn") ?
{
name = "rt_sigreturn"
argstr = ""
}
probe nd_syscall.rt_sigreturn.return = kprobe.function("sys_rt_sigreturn").return ?,
kprobe.function("sys32_rt_sigreturn").return ?
{
name = "rt_sigreturn"
retstr = returnstr(1)
}
# rt_sigsuspend ______________________________________________
#
# sys_rt_sigsuspend(struct pt_regs regs)
#
probe nd_syscall.rt_sigsuspend = kprobe.function("compat_sys_rt_sigsuspend") ?,
kprobe.function("ia64_rt_sigsuspend") ?,
kprobe.function("sys_rt_sigsuspend") ?
{
name = "rt_sigsuspend"
argstr = ""
}
probe nd_syscall.rt_sigsuspend.return = kprobe.function("compat_sys_rt_sigsuspend").return ?,
kprobe.function("ia64_rt_sigsuspend").return ?,
kprobe.function("sys_rt_sigsuspend").return ?
{
name = "rt_sigsuspend"
retstr = returnstr(1)
}
# rt_sigtimedwait ____________________________________________
#
# long sys_rt_sigtimedwait(const sigset_t __user *uthese,
# siginfo_t __user *uinfo,
# const struct timespec __user *uts,
# size_t sigsetsize)
# long compat_sys_rt_sigtimedwait (compat_sigset_t __user *uthese,
# struct compat_siginfo __user *uinfo,
# struct compat_timespec __user *uts, compat_size_t sigsetsize)
#
probe nd_syscall.rt_sigtimedwait = kprobe.function("compat_sys_rt_sigtimedwait") ?,
kprobe.function("sys_rt_sigtimedwait") ?
{
name = "rt_sigtimedwait"
// uthese_uaddr = $uthese
// uinfo_uaddr = $uinfo
// uts_uaddr = $uts
// sigsetsize = $sigsetsize
// argstr = sprintf("%p, %p, %p, %d", $uthese, $uinfo, $uts, $sigsetsize)
asmlinkage()
uthese_uaddr = pointer_arg(1)
uinfo_uaddr = pointer_arg(2)
uts_uaddr = pointer_arg(3)
if (probefunc() == "sys_rt_sigtimedwait")
sigsetsize = ulong_arg(4)
else
sigsetsize = u32_arg(4)
argstr = sprintf("%p, %p, %p, %d", uthese_uaddr, uinfo_uaddr, uts_uaddr, sigsetsize)
}
probe nd_syscall.rt_sigtimedwait.return = kprobe.function("compat_sys_rt_sigtimedwait").return ?,
kprobe.function("sys_rt_sigtimedwait").return ?
{
name = "rt_sigtimedwait"
retstr = returnstr(1)
}
# sched_getaffinity __________________________________________
#
# asmlinkage long
# sys_sched_getaffinity(pid_t pid,
# unsigned int len,
# unsigned long __user *user_mask_ptr)
#
probe nd_syscall.sched_getaffinity = kprobe.function("sys_sched_getaffinity") ?
{
name = "sched_getaffinity"
// pid = $pid
// len = $len
// mask_uaddr = $user_mask_ptr
asmlinkage()
pid = int_arg(1)
len = uint_arg(2)
mask_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", pid, len, mask_uaddr)
}
probe nd_syscall.sched_getaffinity.return = kprobe.function("sys_sched_getaffinity").return ?
{
name = "sched_getaffinity"
retstr = returnstr(1)
}
# sched_getparam _____________________________________________
#
# asmlinkage long
# sys_sched_getparam(pid_t pid,
# struct sched_param __user *param)
#
probe nd_syscall.sched_getparam = kprobe.function("sys_sched_getparam") ?
{
name = "sched_getparam"
// pid = $pid
// p_uaddr = $param
asmlinkage()
pid = int_arg(1)
p_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", pid, p_uaddr)
}
probe nd_syscall.sched_getparam.return = kprobe.function("sys_sched_getparam").return ?
{
name = "sched_getparam"
retstr = returnstr(1)
}
# sched_get_priority_max _____________________________________
#
# asmlinkage long
# sys_sched_get_priority_max(int policy)
#
probe nd_syscall.sched_get_priority_max = kprobe.function("sys_sched_get_priority_max") ?
{
name = "sched_get_priority_max"
// policy = $policy
asmlinkage()
policy = int_arg(1)
argstr = sprint(policy)
}
probe nd_syscall.sched_get_priority_max.return = kprobe.function("sys_sched_get_priority_max").return ?
{
name = "sched_get_priority_max"
retstr = returnstr(1)
}
# sched_get_priority_min _____________________________________
#
# asmlinkage long
# sys_sched_get_priority_min(int policy)
#
probe nd_syscall.sched_get_priority_min = kprobe.function("sys_sched_get_priority_min") ?
{
name = "sched_get_priority_min"
// policy = $policy
asmlinkage()
policy = int_arg(1)
argstr = sprint(policy)
}
probe nd_syscall.sched_get_priority_min.return = kprobe.function("sys_sched_get_priority_min").return ?
{
name = "sched_get_priority_min"
retstr = returnstr(1)
}
# sched_getscheduler _________________________________________
#
# long sys_sched_getscheduler(pid_t pid)
#
probe nd_syscall.sched_getscheduler = kprobe.function("sys_sched_getscheduler") ?
{
name = "sched_getscheduler"
// pid = $pid
// argstr = sprint($pid)
asmlinkage()
pid = int_arg(1)
argstr = sprint(pid)
}
probe nd_syscall.sched_getscheduler.return = kprobe.function("sys_sched_getscheduler").return ?
{
name = "sched_getscheduler"
retstr = returnstr(1)
}
# sched_rr_get_interval ______________________________________
#
# long sys_sched_rr_get_interval(pid_t pid, struct timespec __user *interval)
#
probe nd_syscall.sched_rr_get_interval = kprobe.function("sys_sched_rr_get_interval") ?
{
name = "sched_rr_get_interval"
// pid = $pid
// tp_uaddr = $interval
// argstr = sprintf("%d, %s", $pid, _struct_timespec_u($interval, 1))
asmlinkage()
pid = int_arg(1)
tp_uaddr = pointer_arg(2)
argstr = sprintf("%d, %s", pid, _struct_timespec_u(tp_uaddr, 1))
}
probe nd_syscall.sched_rr_get_interval.return = kprobe.function("sys_sched_rr_get_interval").return ?
{
name = "sched_rr_get_interval"
retstr = returnstr(1)
}
# sched_setaffinity __________________________________________
# long sys_sched_setaffinity(pid_t pid,
# unsigned int len,
# unsigned long __user *user_mask_ptr)
#
probe nd_syscall.sched_setaffinity = kprobe.function("sys_sched_setaffinity") ?
{
name = "sched_setaffinity"
// pid = $pid
// len = $len
// mask_uaddr = $user_mask_ptr
// argstr = sprintf("%d, %d, %p", $pid, $len, $user_mask_ptr)
asmlinkage()
pid = int_arg(1)
len = uint_arg(2)
mask_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", pid, len, mask_uaddr)
}
probe nd_syscall.sched_setaffinity.return = kprobe.function("sys_sched_setaffinity").return ?
{
name = "sched_setaffinity"
retstr = returnstr(1)
}
# sched_setparam _____________________________________________
#
# long sys_sched_setparam(pid_t pid, struct sched_param __user *param)
#
probe nd_syscall.sched_setparam = kprobe.function("sys_sched_setparam") ?
{
name = "sched_setparam"
// pid = $pid
// p_uaddr = $param
// argstr = sprintf("%d, %p", $pid, $param)
asmlinkage()
pid = int_arg(1)
p_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", pid, p_uaddr)
}
probe nd_syscall.sched_setparam.return = kprobe.function("sys_sched_setparam").return ?
{
name = "sched_setparam"
retstr = returnstr(1)
}
# sched_setscheduler _________________________________________
#
# long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param)
#
probe nd_syscall.sched_setscheduler = kprobe.function("sys_sched_setscheduler") ?
{
name = "sched_setscheduler"
// pid = $pid
// policy = $policy
// policy_str = _sched_policy_str($policy)
// p_uaddr = $param
// argstr = sprintf("%d, %s, %p", $pid, policy_str, $param)
asmlinkage()
pid = int_arg(1)
policy = int_arg(2)
policy_str = _sched_policy_str(policy)
p_uaddr = pointer_arg(3)
argstr = sprintf("%d, %s, %p", pid, policy_str, p_uaddr)
}
probe nd_syscall.sched_setscheduler.return = kprobe.function("sys_sched_setscheduler").return ?
{
name = "sched_setscheduler"
retstr = returnstr(1)
}
# sched_yield ________________________________________________
# long sys_sched_yield(void)
#
probe nd_syscall.sched_yield = kprobe.function("sys_sched_yield")
{
name = "sched_yield"
argstr = ""
}
probe nd_syscall.sched_yield.return = kprobe.function("sys_sched_yield").return
{
name = "sched_yield"
retstr = returnstr(1)
}
# select _____________________________________________________
# long sys_select(int n,
# fd_set __user *inp,
# fd_set __user *outp,
# fd_set __user *exp,
# struct timeval __user *tvp)
#
probe nd_syscall.select = kprobe.function("sys_select") ?
{
name = "select"
// n = $n
// readfds_uaddr = $inp
// writefds_uaddr = $outp
// exceptfds_uaddr = $exp
// timeout_uaddr = $tvp
// argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
// _struct_timeval_u($tvp, 1))
asmlinkage()
n = int_arg(1)
readfds_uaddr = pointer_arg(2)
writefds_uaddr = pointer_arg(3)
exceptfds_uaddr = pointer_arg(4)
timeout_uaddr = pointer_arg(5)
argstr = sprintf("%d, %p, %p, %p, %s", n, readfds_uaddr, writefds_uaddr,
exceptfds_uaddr, _struct_timeval_u(timeout_uaddr, 1))
}
probe nd_syscall.select.return = kprobe.function("sys_select").return ?
{
name = "select"
retstr = returnstr(1)
}
# long compat_sys_select(int n,
# compat_ulong_t __user *inp,
# compat_ulong_t __user *outp,
# compat_ulong_t __user *exp,
# struct compat_timeval __user *tvp)
#
probe nd_syscall.compat_select = kprobe.function("compat_sys_select") ?
{
name = "select"
// n = $n
// readfds_uaddr = $inp
// writefds_uaddr = $outp
// exceptfds_uaddr = $exp
// timeout_uaddr = $tvp
// argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
// _struct_compat_timeval_u($tvp, 1))
asmlinkage()
n = int_arg(1)
readfds_uaddr = pointer_arg(2)
writefds_uaddr = pointer_arg(3)
exceptfds_uaddr = pointer_arg(4)
timeout_uaddr = pointer_arg(5)
argstr = sprintf("%d, %p, %p, %p, %s", n, readfds_uaddr,
writefds_uaddr, exceptfds_uaddr,
_struct_compat_timeval_u(timeout_uaddr, 1))
}
probe nd_syscall.compat_select.return = kprobe.function("compat_sys_select").return ?
{
name = "select"
retstr = returnstr(1)
}
# semctl _____________________________________________________
# long sys_semctl (int semid,
# int semnum,
# int cmd,
# union semun arg)
#
probe nd_syscall.semctl = kprobe.function("sys_semctl") ?
{
name = "semctl"
// semid = $semid
// semnum = $semnum
// cmd = $cmd
/*
* unsupported type tag identifier '$arg'
* arg = $arg
*/
// argstr = sprintf("%d, %d, %s", $semid, $semnum, _semctl_cmd($cmd))
asmlinkage()
semid = int_arg(1)
semnum = int_arg(2)
cmd = int_arg(3)
argstr = sprintf("%d, %d, %s", semid, semnum, _semctl_cmd(cmd))
}
probe nd_syscall.semctl.return = kprobe.function("sys_semctl").return ?
{
name = "semctl"
retstr = returnstr(1)
}
# compat_sys_semctl ________________________________________
#
# long compat_sys_semctl(int first, int second, int third, void __user *uptr)
#
probe nd_syscall.compat_sys_semctl = kprobe.function("compat_sys_semctl") ?
{
name = "compat_sys_semctl"
// semid = $first
// semnum = $second
// cmd = $third
// argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
// NB: no asmlinkage()
semid = int_arg(1)
semnum = int_arg(2)
cmd = int_arg(3)
argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4))
}
probe nd_syscall.compat_sys_semctl.return = kprobe.function("compat_sys_semctl").return ?
{
name = "compat_sys_semctl"
retstr = returnstr(1)
}
# semget _____________________________________________________
# long sys_semget (key_t key, int nsems, int semflg)
#
probe nd_syscall.semget = kprobe.function("sys_semget") ?
{
name = "semget"
// key = $key
// nsems = $nsems
// semflg = $semflg
// argstr = sprintf("%d, %d, %s", $key, $nsems, __sem_flags($semflg))
asmlinkage()
key = int_arg(1)
nsems = int_arg(2)
semflg = int_arg(3)
argstr = sprintf("%d, %d, %s", key, nsems, __sem_flags(semflg))
}
probe nd_syscall.semget.return = kprobe.function("sys_semget").return ?
{
name = "semget"
retstr = returnstr(1)
}
# semop ______________________________________________________
#
# long sys_semop (int semid,
# struct sembuf __user *tsops,
# unsigned nsops)
#
probe nd_syscall.semop = kprobe.function("sys_semtimedop") ?
{
name = "semop"
// semid = $semid
// tsops_uaddr = $tsops
// nsops = $nsops
// argstr = sprintf("%d, %p, %d", $semid, $tsops, $nsops)
asmlinkage()
semid = int_arg(1)
tsops_uaddr = pointer_arg(2)
nsops = uint_arg(3)
argstr = sprintf("%d, %p, %d", semid, tsops_uaddr, nsops)
}
probe nd_syscall.semop.return = kprobe.function("sys_semtimedop").return ?
{
name = "semop"
retstr = returnstr(1)
}
# semtimedop _________________________________________________
#
# long sys_semtimedop(int semid,
# struct sembuf __user *tsops,
# unsigned nsops,
# const struct timespec __user *timeout)
#
probe nd_syscall.semtimedop = kprobe.function("sys_semtimedop") ?
{
name = "semtimedop"
// semid = $semid
// sops_uaddr = $tsops
// nsops = $nsops
// timeout_uaddr = $timeout
// argstr = sprintf("%d, %p, %d, %s", $semid, $tsops, $nsops,
// _struct_timespec_u($timeout, 1))
asmlinkage()
semid = int_arg(1)
sops_uaddr = pointer_arg(2)
nsops = uint_arg(3)
timeout_uaddr = pointer_arg(4)
argstr = sprintf("%d, %p, %d, %s", semid, sops_uaddr, nsops,
_struct_timespec_u(timeout_uaddr, 1))
}
probe nd_syscall.semtimedop.return = kprobe.function("sys_semtimedop").return ?
{
name = "semtimedop"
retstr = returnstr(1)
}
# compat_sys_semtimedop ________________________________________
#
# long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
# unsigned nsops, const struct compat_timespec __user *timeout)
#
probe nd_syscall.compat_sys_semtimedop = kprobe.function("compat_sys_semtimedop") ?
{
name = "compat_sys_semtimedop"
// semid = $semid
// sops_uaddr = $tsems
// nsops = $nsops
// timeout_uaddr = $timeout
// argstr = sprintf("%d, %p, %d, %s", $semid, $tsems, $nsops,
// _struct_compat_timespec_u($timeout, 1))
// no asmlinkage
semid = int_arg(1)
sops_uaddr = pointer_arg(2)
nsops = uint_arg(3)
timeout_uaddr = pointer_arg(4)
argstr = sprintf("%d, %p, %d, %s", semid, sops_uaddr, nsops,
_struct_compat_timespec_u(timeout_uaddr, 1))
}
probe nd_syscall.compat_sys_semtimedop.return = kprobe.function("compat_sys_semtimedop").return ?
{
name = "compat_sys_semtimedop"
retstr = returnstr(1)
}
# send _______________________________________________________
#
# long sys_send(int fd,
# void __user * buff,
# size_t len,
# unsigned flags)
#
probe nd_syscall.send = kprobe.function("sys_send") ?
{
name = "send"
// s = $fd
// buf_uaddr = $buff
// len = $len
// flags = $flags
// flags_str = _sendflags_str($flags)
// argstr = sprintf("%d, %p, %d, %s", $fd, $buff, $len, flags_str)
asmlinkage()
s = int_arg(1)
buf_uaddr = pointer_arg(2)
len = ulong_arg(3)
flags = uint_arg(4)
flags_str = _sendflags_str(flags)
argstr = sprintf("%d, %p, %d, %s", s, buf_uaddr, len, flags_str)
}
probe nd_syscall.send.return = kprobe.function("sys_send").return ?
{
name = "send"
retstr = returnstr(1)
}
# sendfile ___________________________________________________
#
# ssize_t sys_sendfile[64](int out_fd,
# int in_fd,
# off_t __user *offset,
# size_t count)
#
probe nd_syscall.sendfile = kprobe.function("sys_sendfile") ?,
kprobe.function("sys_sendfile64") ?
{
name = "sendfile"
// out_fd = $out_fd
// in_fd = $in_fd
// offset_uaddr = $offset
// count = $count
// argstr = sprintf("%d, %d, %p, %d", $out_fd, $in_fd, $offset,
// $count)
asmlinkage()
out_fd = int_arg(1)
in_fd = int_arg(2)
offset_uaddr = pointer_arg(3)
count = ulong_arg(4)
argstr = sprintf("%d, %d, %p, %d", out_fd, in_fd, offset_uaddr,
count)
}
probe nd_syscall.sendfile.return = kprobe.function("sys_sendfile").return ?,
kprobe.function("sys_sendfile64").return ?
{
name = "sendfile"
retstr = returnstr(1)
}
# sendmsg ____________________________________________________
#
# long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
#
probe nd_syscall.sendmsg = kprobe.function("sys_sendmsg") ?
{
name = "sendmsg"
// s = $fd
// msg_uaddr = $msg
// flags = $flags
// flags_str = _sendflags_str($flags)
// argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
asmlinkage()
s = int_arg(1)
msg_uaddr = pointer_arg(2)
flags = uint_arg(3)
flags_str = _sendflags_str(flags)
argstr = sprintf("%d, %p, %s", s, msg_uaddr, _sendflags_str(flags))
}
probe nd_syscall.sendmsg.return = kprobe.function("sys_sendmsg").return ?
{
name = "sendmsg"
retstr = returnstr(1)
}
# compat_sys_sendmsg ________________________________________
#
# long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
#
probe nd_syscall.compat_sys_sendmsg = kprobe.function("compat_sys_sendmsg") ?
{
name = "compat_sys_sendmsg"
// s = $fd
// msg_uaddr = $msg
// flags = $flags
// flags_str = _sendflags_str($flags)
// argstr = sprintf("%d, %p, %s", $fd, $msg, _sendflags_str($flags))
asmlinkage()
s = int_arg(1)
msg_uaddr = pointer_arg(2)
flags = uint_arg(3)
flags_str = _sendflags_str(flags)
argstr = sprintf("%d, %p, %s", s, msg_uaddr, _sendflags_str(flags))
}
probe nd_syscall.compat_sys_sendmsg.return = kprobe.function("compat_sys_sendmsg").return ?
{
name = "compat_sys_sendmsg"
retstr = returnstr(1)
}
# sendto _____________________________________________________
#
# long sys_sendto(int fd,
# void __user * buff,
# size_t len,
# unsigned flags,
# struct sockaddr __user *addr,
# int addr_len)
#
probe nd_syscall.sendto = kprobe.function("sys_sendto") ?
{
name = "sendto"
// s = $fd
// buf_uaddr = $buff
// len = $len
// flags = $flags
// flags_str = _sendflags_str($flags)
// to_uaddr = $addr
// tolen = $addr_len
// argstr = sprintf("%d, %p, %d, %s, %s, %d", $fd, $buff,
// $len, flags_str, _struct_sockaddr_u($addr, $addr_len), $addr_len)
asmlinkage()
s = int_arg(1)
buf_uaddr = pointer_arg(2)
len = ulong_arg(3)
flags = uint_arg(4)
flags_str = _sendflags_str(flags)
to_uaddr = pointer_arg(5)
tolen = int_arg(6)
argstr = sprintf("%d, %p, %d, %s, %s, %d", s, buf_uaddr,
len, flags_str, _struct_sockaddr_u(to_uaddr, tolen), tolen)
}
probe nd_syscall.sendto.return = kprobe.function("sys_sendto").return ?
{
name = "sendto"
retstr = returnstr(1)
}
# setdomainname ______________________________________________
#
# asmlinkage long
# sys_setdomainname(char __user *name,
# int len)
#
probe nd_syscall.setdomainname = kprobe.function("sys_setdomainname") ?
{
name = "setdomainname"
// hostname_uaddr = $name
// len = $len
// argstr = sprintf("%p, %d", $name, $len)
asmlinkage()
hostname_uaddr = pointer_arg(1)
len = int_arg(2)
argstr = sprintf("%p, %d", hostname_uaddr, len)
}
probe nd_syscall.setdomainname.return = kprobe.function("sys_setdomainname").return ?
{
name = "setdomainname"
retstr = returnstr(1)
}
# setfsgid ___________________________________________________
# long sys_setfsgid(gid_t gid)
# long sys_setfsgid16(old_gid_t gid)
#
probe nd_syscall.setfsgid = kprobe.function("sys_setfsgid16") ?,
kprobe.function("sys_setfsgid") ?
{
name = "setfsgid"
// fsgid = $gid
// argstr = sprint($gid)
asmlinkage()
fsgid = uint_arg(1)
argstr = sprint(fsgid)
}
probe nd_syscall.setfsgid.return = kprobe.function("sys_setfsgid16").return ?,
kprobe.function("sys_setfsgid").return ?
{
name = "setfsgid"
retstr = returnstr(1)
}
# setfsuid ___________________________________________________
# long sys_setfsuid(uid_t uid)
# long sys_setfsuid16(old_uid_t uid)
#
probe nd_syscall.setfsuid = kprobe.function("sys_setfsuid16") ?,
kprobe.function("sys_setfsuid") ?
{
name = "setfsuid"
// fsuid = $uid
// argstr = sprint($uid)
asmlinkage()
fsuid = uint_arg(1)
argstr = sprint(fsuid)
}
probe nd_syscall.setfsuid.return = kprobe.function("sys_setfsuid16").return ?,
kprobe.function("sys_setfsuid").return ?
{
name = "setfsuid"
retstr = returnstr(1)
}
# setgid _____________________________________________________
#
# long sys_setgid(gid_t gid)
# long sys_setgid16(old_gid_t gid)
#
probe nd_syscall.setgid = kprobe.function("sys_setgid16") ?,
kprobe.function("sys_setgid") ?
{
name = "setgid"
// gid = $gid
// argstr = sprint($gid)
asmlinkage()
gid = uint_arg(1)
argstr = sprint(gid)
}
probe nd_syscall.setgid.return = kprobe.function("sys_setgid16").return ?,
kprobe.function("sys_setgid").return ?
{
name = "setgid"
retstr = returnstr(1)
}
# setgroups __________________________________________________
#
# long sys_setgroups(int gidsetsize, gid_t __user *grouplist)
# long sys_setgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_setgroups16(int gidsetsize, u16 __user *grouplist)
#
probe nd_syscall.setgroups = kprobe.function("sys_setgroups16") ?,
kprobe.function("sys32_setgroups16") ?,
kprobe.function("sys_setgroups") ?
{
name = "setgroups"
// size = $gidsetsize
// list_uaddr = $grouplist
// argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
asmlinkage()
size = int_arg(1)
list_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", size, list_uaddr)
}
probe nd_syscall.setgroups.return = kprobe.function("sys_setgroups16").return ?,
kprobe.function("sys32_setgroups16").return ?,
kprobe.function("sys_setgroups").return ?
{
name = "setgroups"
retstr = returnstr(1)
}
# sethostname ________________________________________________
#
# asmlinkage long
# sys_sethostname(char __user *name,
# int len)
#
probe nd_syscall.sethostname = kprobe.function("sys_sethostname") ?
{
name = "sethostname"
// hostname_uaddr = $name
// name_str = user_string($name)
// len = $len
// argstr = sprintf("%s, %d", user_string_quoted($name), $len)
asmlinkage()
hostname_uaddr = pointer_arg(1)
name_str = user_string(hostname_uaddr)
len = int_arg(2)
argstr = sprintf("%s, %d", user_string_quoted(hostname_uaddr), len)
}
probe nd_syscall.sethostname.return = kprobe.function("sys_sethostname").return ?
{
name = "sethostname"
retstr = returnstr(1)
}
# setitimer __________________________________________________
#
# long sys_setitimer(int which,
# struct itimerval __user *value,
# struct itimerval __user *ovalue)
#
probe nd_syscall.setitimer = kprobe.function("sys_setitimer") ?
{
name = "setitimer"
// which = $which
// value_uaddr = $value
// ovalue_uaddr = $ovalue
// argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
// _struct_itimerval_u($value), $ovalue)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
ovalue_uaddr = pointer_arg(3)
argstr = sprintf("%s, %s, %p", _itimer_which_str(which),
_struct_itimerval_u(value_uaddr), ovalue_uaddr)
}
probe nd_syscall.setitimer.return = kprobe.function("sys_setitimer").return ?
{
name = "setitimer"
retstr = returnstr(1)
}
#
# long compat_sys_setitimer(int which,
# struct compat_itimerval __user *in,
# struct compat_itimerval __user *out)
#
probe nd_syscall.compat_setitimer = kprobe.function("compat_sys_setitimer") ?
{
name = "setitimer"
// which = $which
// value_uaddr = $in
// ovalue_uaddr = $out
// argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
// _struct_compat_itimerval_u($in), $out)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
ovalue_uaddr = pointer_arg(3)
argstr = sprintf("%s, %s, %p", _itimer_which_str(which),
_struct_compat_itimerval_u(value_uaddr), ovalue_uaddr)
}
probe nd_syscall.compat_setitimer.return = kprobe.function("compat_sys_setitimer").return ?
{
name = "setitimer"
retstr = returnstr(1)
}
# set_mempolicy ______________________________________________
# long sys_set_mempolicy(int mode,
# unsigned long __user *nmask,
# unsigned long maxnode)
#
probe nd_syscall.set_mempolicy = kprobe.function("compat_sys_set_mempolicy") ?,
kprobe.function("sys_set_mempolicy") ?
{
name = "set_mempolicy"
// mode = $mode
// nmask_uaddr = $nmask
// maxnode = $maxnode
// argstr = sprintf("%d, %p, %d", $mode, $nmask, $maxnode)
asmlinkage()
mode = int_arg(1)
nmask_uaddr = pointer_arg(2)
maxnode = ulong_arg(3)
argstr = sprintf("%d, %p, %d", mode, nmask_uaddr, maxnode)
}
probe nd_syscall.set_mempolicy.return = kprobe.function("compat_sys_set_mempolicy").return ?,
kprobe.function("sys_set_mempolicy").return ?
{
name = "set_mempolicy"
retstr = returnstr(1)
}
# setpgid ____________________________________________________
#
# asmlinkage long
# sys_setpgid(pid_t pid,
# pid_t pgid)
#
probe nd_syscall.setpgid = kprobe.function("sys_setpgid") ?
{
name = "setpgid"
// pid = $pid
// pgid = $pgid
// argstr = sprintf("%d, %d", $pid, $pgid)
asmlinkage()
pid = int_arg(1)
pgid = int_arg(2)
argstr = sprintf("%d, %d", pid, pgid)
}
probe nd_syscall.setpgid.return = kprobe.function("sys_setpgid").return ?
{
name = "setpgid"
retstr = returnstr(1)
}
# setpriority ________________________________________________
#
# asmlinkage long
# sys_setpriority(int which,
# int who,
# int niceval)
#
probe nd_syscall.setpriority = kprobe.function("sys_setpriority") ?
{
name = "setpriority"
// which = $which
// which_str = _priority_which_str($which)
// who = $who
// prio = $niceval
// argstr = sprintf("%s, %d, %d", which_str, $who, $niceval)
asmlinkage()
which = int_arg(1)
which_str = _priority_which_str(which)
who = int_arg(2)
prio = int_arg(3)
argstr = sprintf("%s, %d, %d", which_str, who, prio)
}
probe nd_syscall.setpriority.return = kprobe.function("sys_setpriority").return ?
{
name = "setpriority"
retstr = returnstr(1)
}
# setregid ___________________________________________________
# long sys_setregid(gid_t rgid, gid_t egid)
#
probe nd_syscall.setregid = kprobe.function("sys_setregid") ?
{
name = "setregid"
// rgid = __int32($rgid)
// egid = __int32($egid)
asmlinkage()
rgid = __int32(uint_arg(1))
egid = __int32(uint_arg(2))
argstr = sprintf("%d, %d", rgid, egid)
}
probe nd_syscall.setregid.return = kprobe.function("sys_setregid").return ?
{
name = "setregid"
retstr = returnstr(1)
}
# setregid16 _________________________________________________
# long sys_setregid16(old_gid_t rgid, old_gid_t egid)
#
probe nd_syscall.setregid16 = kprobe.function("sys_setregid16") ?
{
name = "setregid"
// rgid = __short($rgid)
// egid = __short($egid)
asmlinkage()
rgid = __short(uint_arg(1))
egid = __short(uint_arg(2))
argstr = sprintf("%d, %d", rgid, egid)
}
probe nd_syscall.setregid16.return = kprobe.function("sys_setregid16").return ?
{
name = "setregid"
retstr = returnstr(1)
}
# setresgid __________________________________________________
# long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
#
probe nd_syscall.setresgid = kprobe.function("sys_setresgid") ?
{
name = "setresgid"
// rgid = __int32($rgid)
// egid = __int32($egid)
// sgid = __int32($sgid)
asmlinkage()
rgid = __int32(uint_arg(1))
egid = __int32(uint_arg(2))
sgid = __int32(uint_arg(3))
argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
}
probe nd_syscall.setresgid.return = kprobe.function("sys_setresgid").return ?
{
name = "setresgid"
retstr = returnstr(1)
}
# setresgid16 ________________________________________________
#
# long sys_setresgid16(old_gid_t rgid,
# old_gid_t egid,
# old_gid_t sgid)
#
probe nd_syscall.setresgid16 = kprobe.function("sys_setresgid16") ?
{
name = "setresgid"
// rgid = __short($rgid)
// egid = __short($egid)
// sgid = __short($sgid)
asmlinkage()
rgid = __short(uint_arg(1))
egid = __short(uint_arg(2))
sgid = __short(uint_arg(3))
argstr = sprintf("%d, %d, %d", rgid, egid, sgid)
}
probe nd_syscall.setresgid16.return = kprobe.function("sys_setresgid16").return ?
{
name = "setresgid16"
retstr = returnstr(1)
}
# setresuid __________________________________________________
#
# long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
#
probe nd_syscall.setresuid = kprobe.function("sys_setresuid") ?
{
name = "setresuid"
// ruid = __int32($ruid)
// euid = __int32($euid)
// suid = __int32($suid)
asmlinkage()
ruid = __int32(uint_arg(1))
euid = __int32(uint_arg(2))
suid = __int32(uint_arg(3))
argstr = sprintf("%d, %d, %d", ruid, euid, suid)
}
probe nd_syscall.setresuid.return = kprobe.function("sys_setresuid").return ?
{
name = "setresuid"
retstr = returnstr(1)
}
# setresuid16 ________________________________________________
#
# long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
#
probe nd_syscall.setresuid16 = kprobe.function("sys_setresuid16") ?
{
name = "setresuid"
// ruid = __short($ruid)
// reuid = __short($euid)
// rsuid = __short($suid)
asmlinkage()
ruid = __short(uint_arg(1))
euid = __short(uint_arg(2))
suid = __short(uint_arg(3))
argstr = sprintf("%d, %d, %d", ruid, euid, suid)
}
probe nd_syscall.setresuid16.return = kprobe.function("sys_setresuid16").return ?
{
name = "setresuid"
retstr = returnstr(1)
}
# setreuid ___________________________________________________
# long sys_setreuid(uid_t ruid, uid_t euid)
#
probe nd_syscall.setreuid = kprobe.function("sys_setreuid") ?
{
name = "setreuid"
// ruid = __int32($ruid)
// euid = __int32($euid)
asmlinkage()
ruid = __int32(uint_arg(1))
euid = __int32(uint_arg(2))
argstr = sprintf("%d, %d", ruid, euid)
}
probe nd_syscall.setreuid.return = kprobe.function("sys_setreuid").return ?
{
name = "setreuid"
retstr = returnstr(1)
}
# setreuid16 _________________________________________________
# long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
#
probe nd_syscall.setreuid16 = kprobe.function("sys_setreuid16") ?
{
name = "setreuid"
// ruid = __short($ruid)
// euid = __short($euid)
asmlinkage()
ruid = __short(uint_arg(1))
euid = __short(uint_arg(2))
argstr = sprintf("%d, %d", ruid, euid)
}
probe nd_syscall.setreuid16.return = kprobe.function("sys_setreuid16").return ?
{
name = "setreuid"
retstr = returnstr(1)
}
# setrlimit __________________________________________________
#
# asmlinkage long
# sys_setrlimit(unsigned int resource,
# struct rlimit __user *rlim)
#
probe nd_syscall.setrlimit = kprobe.function("sys_setrlimit") ?
{
name = "setrlimit"
// resource = $resource
// rlim_uaddr = $rlim
// argstr = sprintf("%s, %s", _rlimit_resource_str($resource),
// _struct_rlimit_u($rlim))
asmlinkage()
resource = uint_arg(1)
rlim_uaddr = pointer_arg(2)
argstr = sprintf("%s, %s", _rlimit_resource_str(resource),
_struct_rlimit_u(rlim_uaddr))
}
probe nd_syscall.setrlimit.return = kprobe.function("sys_setrlimit").return ?
{
name = "setrlimit"
retstr = returnstr(1)
}
# setsid _____________________________________________________
#
# long sys_setsid(void)
#
probe nd_syscall.setsid = kprobe.function("sys_setsid")
{
name = "setsid"
argstr = ""
}
probe nd_syscall.setsid.return = kprobe.function("sys_setsid").return
{
name = "setsid"
retstr = returnstr(1)
}
# setsockopt _________________________________________________
#
# long sys_setsockopt(int fd,
# int level,
# int optname,
# char __user *optval,
# int optlen)
#
probe nd_syscall.setsockopt = kprobe.function("compat_sys_setsockopt") ?,
kprobe.function("sys_setsockopt") ?
{
name = "setsockopt"
// fd = $fd
// level = $level
// level_str = _sockopt_level_str($level)
// optname = $optname
// optname_str = _sockopt_optname_str($optname)
// optval_uaddr = $optval
// optlen = $optlen
// argstr = sprintf("%d, %s, %s, %p, %d", $fd, level_str,
// optname_str, $optval, $optlen)
asmlinkage()
fd = int_arg(1)
level = int_arg(2)
level_str = _sockopt_level_str(level)
optname = int_arg(3)
optname_str = _sockopt_optname_str(optname)
optval_uaddr = pointer_arg(4)
optlen = int_arg(5)
argstr = sprintf("%d, %s, %s, %p, %d", fd, level_str,
optname_str, optval_uaddr, optlen)
}
probe nd_syscall.setsockopt.return = kprobe.function("compat_sys_setsockopt").return ?,
kprobe.function("sys_setsockopt").return ?
{
name = "setsockopt"
retstr = returnstr(1)
}
# set_tid_address ____________________________________________
#
# asmlinkage long
# sys_set_tid_address(int __user *tidptr)
#
probe nd_syscall.set_tid_address = kprobe.function("sys_set_tid_address") ?
{
name = "set_tid_address"
// tidptr_uaddr = $tidptr
asmlinkage()
tidptr_uaddr = pointer_arg(1)
argstr = sprintf("%p", tidptr_uaddr)
}
probe nd_syscall.set_tid_address.return = kprobe.function("sys_set_tid_address").return ?
{
name = "set_tid_address"
retstr = returnstr(1)
}
# settimeofday _______________________________________________
#
# long sys_settimeofday(struct timeval __user *tv,
# struct timezone __user *tz)
#
probe nd_syscall.settimeofday = kprobe.function("sys_settimeofday") ?
{
name = "settimeofday"
// ttv_uaddr = $tv
// ttz_uaddr = $tz
// targstr = sprintf("%s, %s", _struct_timeval_u($tv, 1), _struct_timezone_u($tz))
asmlinkage()
tv_uaddr = pointer_arg(1)
tz_uaddr = pointer_arg(2)
argstr = sprintf("%s, %s", _struct_timeval_u(tv_uaddr, 1), _struct_timezone_u(tz_uaddr))
}
probe nd_syscall.settimeofday.return = kprobe.function("sys_settimeofday").return ?
{
name = "settimeofday"
retstr = returnstr(1)
}
#
# long sys32_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
# long compat_sys_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
#
probe nd_syscall.settimeofday32 = kprobe.function("sys32_settimeofday") ?,
kprobe.function("compat_sys_settimeofday") ?
{
name = "settimeofday"
// tv_uaddr = $tv
// tz_uaddr = $tz
// argstr = sprintf("%s, %s", _struct_compat_timeval_u($tv, 1), _struct_timezone_u($tz))
asmlinkage()
tv_uaddr = pointer_arg(1)
tz_uaddr = pointer_arg(2)
argstr = sprintf("%s, %s", _struct_compat_timeval_u(tv_uaddr, 1), _struct_timezone_u(tz_uaddr))
}
probe nd_syscall.settimeofday32.return = kprobe.function("sys32_settimeofday").return ?,
kprobe.function("compat_sys_settimeofday").return ?
{
name = "settimeofday"
retstr = returnstr(1)
}
# setuid _____________________________________________________
#
# long sys_setuid(uid_t uid)
# long sys_setuid16(old_uid_t uid)
#
probe nd_syscall.setuid = kprobe.function("sys_setuid16") ?,
kprobe.function("sys_setuid") ?
{
name = "setuid"
// uid = $uid
// argstr = sprint($uid)
asmlinkage()
uid = uint_arg(1)
argstr = sprint(uid)
}
probe nd_syscall.setuid.return = kprobe.function("sys_setuid16").return ?,
kprobe.function("sys_setuid").return ?
{
name = "setuid"
retstr = returnstr(1)
}
# setxattr ___________________________________________________
# long sys_setxattr(char __user *path,
# char __user *name,
# void __user *value,
# size_t size,
# int flags)
#
probe nd_syscall.setxattr = kprobe.function("sys_setxattr") ?
{
name = "setxattr"
// path_uaddr = $path
// path = user_string($path)
// name_uaddr = $name
// name_str = user_string($name)
// value_uaddr = $value
// size = $size
// flags = $flags
// argstr = sprintf("%s, %s, %p, %d, %d",
// user_string_quoted($path),
// user_string_quoted($name),
// value_uaddr, $size, $flags)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string(path_uaddr)
name_uaddr = pointer_arg(2)
name_str = user_string(name_uaddr)
value_uaddr = pointer_arg(3)
size = ulong_arg(4)
flags = int_arg(5)
argstr = sprintf("%s, %s, %p, %d, %d",
user_string_quoted(path_uaddr),
user_string_quoted(name_uaddr),
value_uaddr, size, flags)
}
probe nd_syscall.setxattr.return = kprobe.function("sys_setxattr").return ?
{
name = "setxattr"
retstr = returnstr(1)
}
# sgetmask ___________________________________________________
#
# sys_sgetmask(void)
#
probe nd_syscall.sgetmask = kprobe.function("sys_sgetmask") ?
{
name = "sgetmask"
argstr = ""
}
probe nd_syscall.sgetmask.return = kprobe.function("sys_sgetmask").return ?
{
name = "sgetmask"
retstr = returnstr(1)
}
# shmat ______________________________________________________
#
# long sys_shmat(int shmid, char __user *shmaddr, int shmflg)
#
probe nd_syscall.shmat = kprobe.function("sys_shmat") ?
{
name = "shmat"
// shmid = $shmid
// shmaddr_uaddr = $shmaddr
// shmflg = $shmflg
// argstr = sprintf("%d, %p, %s", $shmid, $shmaddr, _shmat_flags_str($shmflg))
asmlinkage()
shmid = int_arg(1)
shmaddr_uaddr = pointer_arg(2)
shmflg = int_arg(3)
argstr = sprintf("%d, %p, %s", shmid, shmaddr_uaddr, _shmat_flags_str(shmflg))
}
probe nd_syscall.shmat.return = kprobe.function("sys_shmat").return ?
{
name = "shmat"
retstr = returnstr(1)
}
# compat_sys_shmat ________________________________________
#
# long compat_sys_shmat(int first, int second, compat_uptr_t third,
# int version, void __user *uptr)
#
probe nd_syscall.compat_sys_shmat = kprobe.function("compat_sys_shmat") ?
{
name = "compat_sys_shmat"
// first = $first
// second = $second
// third = $third
// uptr_uaddr = $uptr
// argstr = sprintf("%d, %d, %d, %d, %p", $first, $second, $third, $version, $uptr)
// no asmlinkage
first = int_arg(1)
second = int_arg(2)
third = u32_arg(3)
uptr_uaddr = pointer_arg(5)
argstr = sprintf("%d, %d, %d, %d, %p", first, second, third, int_arg(4), uptr_uaddr)
}
probe nd_syscall.compat_sys_shmat.return = kprobe.function("compat_sys_shmat").return ?
{
name = "compat_sys_shmat"
retstr = returnstr(1)
}
# shmctl _____________________________________________________
#
# long sys_shmctl (int shmid,
# int cmd,
# struct shmid_ds __user *buf)
#
probe nd_syscall.shmctl = kprobe.function("sys_shmctl") ?
{
name = "shmctl"
// shmid = $shmid
// cmd = $cmd
// buf_uaddr = $buf
// argstr = sprintf("%d, %s, %p", $shmid, _semctl_cmd($cmd), $buf)
asmlinkage()
shmid = int_arg(1)
cmd = int_arg(2)
buf_uaddr = pointer_arg(3)
argstr = sprintf("%d, %s, %p", shmid, _semctl_cmd(cmd), buf_uaddr)
}
probe nd_syscall.shmctl.return = kprobe.function("sys_shmctl").return ?
{
name = "shmctl"
retstr = returnstr(1)
}
# compat_sys_shmctl ________________________________________
#
# long compat_sys_shmctl(int first, int second, void __user *uptr)
#
probe nd_syscall.compat_sys_shmctl = kprobe.function("compat_sys_shmctl") ?
{
name = "compat_sys_shmctl"
// first = $first
// second = $second
// uptr_uaddr = $uptr
// argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
// no asmlinkages
first = int_arg(1)
second = int_arg(2)
uptr_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", first, second, uptr_uaddr)
}
probe nd_syscall.compat_sys_shmctl.return = kprobe.function("compat_sys_shmctl").return ?
{
name = "compat_sys_shmctl"
retstr = returnstr(1)
}
# shmdt ______________________________________________________
#
# long sys_shmdt(char __user *shmaddr)
#
probe nd_syscall.shmdt = kprobe.function("sys_shmdt") ?
{
name = "shmdt"
// shmaddr_uaddr = $shmaddr
// argstr = sprintf("%p", $shmaddr)
asmlinkage()
shmaddr_uaddr = pointer_arg(1)
argstr = sprintf("%p", shmaddr_uaddr)
}
probe nd_syscall.shmdt.return = kprobe.function("sys_shmdt").return ?
{
name = "shmdt"
retstr = returnstr(1)
}
# shmget _____________________________________________________
#
# long sys_shmget (key_t key,
# size_t size,
# int shmflg)
#
probe nd_syscall.shmget = kprobe.function("sys_shmget") ?
{
name = "shmget"
// key = $key
// size = $size
// shmflg = $shmflg
// argstr = sprintf("%d, %d, %d", $key, $size, $shmflg)
asmlinkage()
key = int_arg(1)
size = ulong_arg(2)
shmflg = int_arg(3)
argstr = sprintf("%d, %d, %d", key, size, shmflg)
}
probe nd_syscall.shmget.return = kprobe.function("sys_shmget").return ?
{
name = "shmget"
retstr = returnstr(1)
}
# shutdown ___________________________________________________
#
# long sys_shutdown(int fd, int how)
#
probe nd_syscall.shutdown = kprobe.function("sys_shutdown") ?
{
name = "shutdown"
// s = $fd
// how = $how
// how_str = _shutdown_how_str($how)
// argstr = sprintf("%d, %s", $fd, how_str)
asmlinkage()
s = int_arg(1)
how = int_arg(2)
how_str = _shutdown_how_str(how)
argstr = sprintf("%d, %s", s, how_str)
}
probe nd_syscall.shutdown.return = kprobe.function("sys_shutdown").return ?
{
name = "shutdown"
retstr = returnstr(1)
}
# sigaction __________________________________________________
# sys_sigaction(int sig, const struct old_sigaction __user *act, struct old_sigaction __user *oact)
# sys32_sigaction(int sig, struct old_sigaction32 __user *act, struct old_sigaction32 __user *oact)
#
probe nd_syscall.sigaction = kprobe.function("sys_sigaction") ?
{
name = "sigaction"
// sig = $sig
// act_uaddr = $act
// oact_uaddr = $oact
// argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_sigaction_u($act), $oact)
%( arch != "powerpc" %? asmlinkage() %)
sig = int_arg(1)
act_uaddr = pointer_arg(2)
oact_uaddr = pointer_arg(3)
argstr = sprintf("%s, {%s}, %p", _signal_name(sig), _struct_sigaction_u(act_uaddr), oact_uaddr)
}
probe nd_syscall.sigaction.return = kprobe.function("sys_sigaction").return ?
{
name = "sigaction"
retstr = returnstr(1)
}
probe nd_syscall.sigaction32 = kprobe.function("sys32_sigaction") ?,
kprobe.function("compat_sys_sigaction") ?
{
name = "sigaction"
// sig = $sig
// sact_uaddr = $act
// soact_uaddr = $oact
// argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_old_sigaction32_u($act), $oact)
asmlinkage()
sig = int_arg(1)
act_uaddr = pointer_arg(2)
oact_uaddr = pointer_arg(3)
argstr = sprintf("%s, {%s}, %p", _signal_name(sig), _struct_old_sigaction32_u(act_uaddr), oact_uaddr)
}
probe nd_syscall.sigaction32.return = kprobe.function("sys32_sigaction").return ?,
kprobe.function("compat_sys_sigaction") ?
{
name = "sigaction"
retstr = returnstr(1)
}
# signal _____________________________________________________
# unsigned long sys_signal(int sig, __sighandler_t handler)
#
probe nd_syscall.signal = kprobe.function("sys_signal") ?
{
name = "signal"
// sig = $sig
// handler = $handler
// argstr = sprintf("%s, %s", _signal_name($sig), _sighandler_str($handler))
asmlinkage()
sig = int_arg(1)
handler = pointer_arg(2)
argstr = sprintf("%s, %s", _signal_name(sig), _sighandler_str(handler))
}
probe nd_syscall.signal.return = kprobe.function("sys_signal").return ?
{
name = "signal"
retstr = returnstr(1)
}
# signalfd _____________________________________________________
#
# long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemask)
# long compat_sys_signalfd(int ufd, const compat_sigset_t __user *sigmask,
# compat_size_t sigsetsize)
#
# FIXME: should prefer sys_signalfd4
probe nd_syscall.signalfd = kprobe.function("sys_signalfd") ?
{
name = "signalfd"
// argstr = sprintf("%d, %p, %d", $ufd, $user_mask, $sizemask)
asmlinkage()
flags = 0
argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2), ulong_arg(3))
}
probe nd_syscall.signalfd.return = kprobe.function("sys_signalfd").return ?
{
name = "signalfd"
retstr = returnstr(1)
}
# FIXME: should prefer compat_sys_signalfd4()
probe nd_syscall.compat_signalfd = kprobe.function("compat_sys_signalfd") ?
{
name = "compat_signalfd"
// argstr = sprintf("%d, %p, %d", $ufd, $sigmask, $sigsetsize)
asmlinkage()
flags = 0
argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2), u32_arg(3))
}
probe nd_syscall.compat_signalfd.return = kprobe.function("compat_sys_signalfd").return ?
{
name = "compat_signalfd"
retstr = returnstr(1)
}
# sigpending _________________________________________________
# long sys_sigpending(old_sigset_t __user *set)
#
probe nd_syscall.sigpending = kprobe.function("sys_sigpending") ?
{
name = "sigpending"
// argstr = sprintf("%p", $set)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.sigpending.return = kprobe.function("sys_sigpending").return ?
{
name = "sigpending"
retstr = returnstr(1)
}
# sigprocmask ________________________________________________
# long sys_sigprocmask(int how, old_sigset_t __user *set, old_sigset_t __user *oset)
#
probe nd_syscall.sigprocmask = kprobe.function("sys_sigprocmask") ?
{
name = "sigprocmask"
// how = $how
// how_str = _sigprocmask_how_str($how)
// set_uaddr = $set
// oldset_uaddr = $oset
// argstr = sprintf("%s, %p, %p", how_str, $set, $oset)
asmlinkage()
how = int_arg(1)
how_str = _sigprocmask_how_str(how)
set_uaddr = pointer_arg(2)
oldset_uaddr = pointer_arg(3)
argstr = sprintf("%s, %p, %p", how_str, set_uaddr, oldset_uaddr)
}
probe nd_syscall.sigprocmask.return = kprobe.function("sys_sigprocmask").return ?
{
name = "sigprocmask"
retstr = returnstr(1)
}
# sigreturn __________________________________________________
# int sys_sigreturn(unsigned long __unused)
#
probe nd_syscall.sigreturn = kprobe.function("sys_sigreturn") ?,
kprobe.function("sys32_sigreturn") ?
{
name = "sigreturn"
argstr = ""
}
probe nd_syscall.sigreturn.return = kprobe.function("sys_sigreturn").return ?,
kprobe.function("sys32_sigreturn").return ?
{
name = "sigreturn"
retstr = returnstr(1)
}
# sigsuspend _________________________________________________
#
probe nd_syscall.sigsuspend = kprobe.function("sys_sigsuspend") ?,
kprobe.function("sys32_sigsuspend") ?
{
name = "sigsuspend"
argstr = ""
}
probe nd_syscall.sigsuspend.return = kprobe.function("sys_sigsuspend").return ?,
kprobe.function("sys32_sigsuspend").return ?
{
name = "sigsuspend"
retstr = returnstr(1)
}
# socket _____________________________________________________
# long sys_socket(int family, int type, int protocol)
#
probe nd_syscall.socket = kprobe.function("sys_socket") ?
{
name = "socket"
// family = $family
// type = $type
// protocol = $protocol
// argstr = sprintf("%s, %s, %d", _sock_family_str($family),
// _sock_type_str($type),
// $protocol)
asmlinkage()
family = int_arg(1)
type = int_arg(2)
protocol = int_arg(3)
argstr = sprintf("%s, %s, %d", _sock_family_str(family),
_sock_type_str(type),
protocol)
}
probe nd_syscall.socket.return = kprobe.function("sys_socket").return ?
{
name = "socket"
retstr = returnstr(1)
}
# commented out because this seems redundant
# socketcall _________________________________________________
#
# long sys_socketcall(int call, unsigned long __user *args)
#
#probe nd_syscall.socketcall = kprobe.function("sys_socketcall") ?
#{
# name = "socketcall"
# call = $call
# args_uaddr = $args
# argstr = sprintf("%d, %p", $call, args_uaddr)
#}
#probe nd_syscall.socketcall.return = kprobe.function("sys_socketcall").return ?
#{
# name = "socketcall"
# retstr = returnstr(1)
#}
# socketpair _________________________________________________
# long sys_socketpair(int family,
# int type,
# int protocol,
# int __user *usockvec)
#
probe nd_syscall.socketpair = kprobe.function("sys_socketpair") ?
{
name = "socketpair"
// family = $family
// type = $type
// protocol = $protocol
// sv_uaddr = $usockvec
// argstr = sprintf("%s, %s, %d, %p",
// _sock_family_str($family),
// _sock_type_str($type),
// $protocol, sv_uaddr)
asmlinkage()
family = int_arg(1)
type = int_arg(2)
protocol = int_arg(3)
sv_uaddr = pointer_arg(4)
argstr = sprintf("%s, %s, %d, %p",
_sock_family_str(family),
_sock_type_str(type),
protocol, sv_uaddr)
}
probe nd_syscall.socketpair.return = kprobe.function("sys_socketpair").return ?
{
name = "socketpair"
retstr = returnstr(1)
}
# splice ___________________________________________________
#
# long sys_splice(int fd_in, loff_t __user *off_in,
# int fd_out, loff_t __user *off_out,
# size_t len, unsigned int flags)
#
probe nd_syscall.splice = kprobe.function("sys_splice") ?
{
name = "splice"
// argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
// $fd_in, $off_in, $fd_out, $off_out, $len, $flags)
asmlinkage()
argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
int_arg(1), pointer_arg(2), int_arg(3), pointer_arg(4), ulong_arg(5), uint_arg(6))
}
probe nd_syscall.splice.return = kprobe.function("sys_splice").return ?
{
name = "splice"
retstr = returnstr(1)
}
# ssetmask ___________________________________________________
#
# long sys_ssetmask(int newmask)
#
probe nd_syscall.ssetmask = kprobe.function("sys_ssetmask") ?
{
name = "ssetmask"
// newmask = $newmask
// argstr = sprint($newmask)
asmlinkage()
newmask = int_arg(1)
argstr = sprint(newmask)
}
probe nd_syscall.ssetmask.return = kprobe.function("sys_ssetmask").return ?
{
name = "ssetmask"
retstr = returnstr(1)
}
# stat _______________________________________________________
# long sys_stat(char __user * filename, struct __old_stat __user * statbuf)
# long sys32_stat64(char __user * filename, struct stat64 __user *statbuf)
# long sys_stat64(char __user * filename, struct stat64 __user * statbuf)
# long sys_oabi_stat64(char __user * filename, struct oldabi_stat64 __user * statbuf)
# long compat_sys_newstat(char __user * filename, struct compat_stat __user *statbuf)
probe nd_syscall.stat = kprobe.function("sys_stat") ?,
kprobe.function("sys_newstat") ?,
kprobe.function("sys32_stat64") ?,
kprobe.function("sys_stat64") ?,
kprobe.function("sys_oabi_stat64") ?,
kprobe.function("compat_sys_newstat") ?
{
name = "stat"
// filename_uaddr = $filename
// filename = user_string($filename)
// buf_uaddr = $statbuf
// argstr = sprintf("%s, %p", user_string_quoted($filename), buf_uaddr)
asmlinkage()
filename_uaddr = pointer_arg(1)
filename = user_string(filename_uaddr)
buf_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", user_string_quoted(filename_uaddr), buf_uaddr)
}
probe nd_syscall.stat.return = kprobe.function("sys_stat").return ?,
kprobe.function("sys_newstat").return ?,
kprobe.function("sys32_stat64").return ?,
kprobe.function("sys_stat64").return ?,
kprobe.function("sys_oabi_stat64").return ?,
kprobe.function("compat_sys_newstat").return ?
{
name = "stat"
retstr = returnstr(1)
}
# statfs _____________________________________________________
# long sys_statfs(const char __user * path, struct statfs __user * buf)
# long compat_sys_statfs(const char __user *path, struct compat_statfs __user *buf)
#
probe nd_syscall.statfs = kprobe.function("compat_sys_statfs") ?,
kprobe.function("sys_statfs") ?
{
name = "statfs"
// path = user_string($path)
// buf_uaddr = $buf
// argstr = sprintf("%s, %p", user_string_quoted($path), $buf)
asmlinkage()
path = user_string(pointer_arg(1))
buf_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
}
probe nd_syscall.statfs.return = kprobe.function("compat_sys_statfs").return ?,
kprobe.function("sys_statfs").return ?
{
name = "statfs"
retstr = returnstr(1)
}
# statfs64 ___________________________________________________
#
# long sys_statfs64(const char __user *path, size_t sz, struct statfs64 __user *buf)
# long compat_sys_statfs64(const char __user *path, compat_size_t sz, struct compat_statfs64 __user *buf)
#
probe nd_syscall.statfs64 = kprobe.function("compat_sys_statfs64") ?,
kprobe.function("sys_statfs64") ?
{
name = "statfs"
// path = user_string($path)
// sz = $sz
// buf_uaddr = $buf
// argstr = sprintf("%s, %d, %p", user_string_quoted($path), $sz, $buf)
asmlinkage()
path = user_string(pointer_arg(1))
sz = ulong_arg(2)
buf_uaddr = pointer_arg(3)
argstr = sprintf("%s, %d, %p", user_string_quoted(pointer_arg(1)), sz, buf_uaddr)
}
probe nd_syscall.statfs64.return = kprobe.function("compat_sys_statfs64").return ?,
kprobe.function("sys_statfs64").return ?
{
name = "statfs"
retstr = returnstr(1)
}
# stime ______________________________________________________
#
# long sys_stime(time_t __user *tptr)
# long compat_sys_stime(compat_time_t __user *tptr)
#
probe nd_syscall.stime = kprobe.function("compat_sys_stime") ?,
kprobe.function("sys_stime") ?
{
name = "stime"
// t_uaddr = $tptr
/* FIXME. Decode time */
// argstr = sprintf("%p", $tptr)
asmlinkage()
t_uaddr = pointer_arg(1)
argstr = sprintf("%p", t_uaddr)
}
probe nd_syscall.stime.return = kprobe.function("compat_sys_stime").return ?,
kprobe.function("sys_stime").return ?
{
name = "stime"
retstr = returnstr(1)
}
# swapoff ____________________________________________________
#
# asmlinkage long
# sys_swapoff(const char __user * specialfile)
#
probe nd_syscall.swapoff = kprobe.function("sys_swapoff") ?
{
name = "swapoff"
// path = user_string($specialfile)
// argstr = user_string_quoted($specialfile)
asmlinkage()
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
probe nd_syscall.swapoff.return = kprobe.function("sys_swapoff").return ?
{
name = "swapoff"
retstr = returnstr(1)
}
# swapon _____________________________________________________
#
# asmlinkage long
# sys_swapon(const char __user * specialfile,
# int swap_flags)
#
probe nd_syscall.swapon = kprobe.function("sys_swapon") ?
{
name = "swapon"
// path = user_string($specialfile)
// swapflags = $swap_flags
// argstr = sprintf("%s, %d", user_string_quoted($specialfile), swapflags)
asmlinkage()
path = user_string(pointer_arg(1))
swapflags = int_arg(2)
argstr = sprintf("%s, %d", user_string_quoted(pointer_arg(1)), swapflags)
}
probe nd_syscall.swapon.return = kprobe.function("sys_swapon").return ?
{
name = "swapon"
retstr = returnstr(1)
}
# symlink ____________________________________________________
# long sys_symlink(const char __user * oldname,
# const char __user * newname)
probe nd_syscall.symlink = kprobe.function("sys_symlink") ?
{
name = "symlink"
// oldpath = user_string($oldname)
// newpath = user_string($newname)
// argstr = sprintf("%s, %s", user_string_quoted($oldname),
// user_string_quoted($newname))
asmlinkage()
oldpath = user_string(pointer_arg(1))
newpath = user_string(pointer_arg(2))
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)))
}
probe nd_syscall.symlink.return = kprobe.function("sys_symlink").return ?
{
name = "symlink"
retstr = returnstr(1)
}
# symlinkat __________________________________________________
# new function with 2.6.16
# long sys_symlinkat(const char __user *oldname, int newdfd,
# const char __user *newname)
probe nd_syscall.symlinkat = kprobe.function("sys_symlinkat") ?
{
name = "symlinkat"
// oldname = $oldname
// oldname_str = user_string($oldname)
// newdfd = $newdfd
// newdfd_str = _dfd_str($newdfd)
// newname = $newname
// newname_str = user_string($newname)
// argstr = sprintf("%s, %s, %s", user_string_quoted($oldname),
// newdfd_str, user_string_quoted($newname))
asmlinkage()
oldname = pointer_arg(1)
oldname_str = user_string(oldname)
newdfd = int_arg(2)
newdfd_str = _dfd_str(newdfd)
newname = pointer_arg(3)
newname_str = user_string(newname)
argstr = sprintf("%s, %s, %s", user_string_quoted(oldname),
newdfd_str, user_string_quoted(newname))
}
probe nd_syscall.symlinkat.return = kprobe.function("sys_symlinkat").return ?
{
name = "symlinkat"
retstr = returnstr(1)
}
# sync _______________________________________________________
#
# sys_sync(void)
#
probe nd_syscall.sync = kprobe.function("sys_sync")
{
name = "sync"
argstr = ""
}
probe nd_syscall.sync.return = kprobe.function("sys_sync").return
{
name = "sync"
retstr = returnstr(1)
}
# sysctl _____________________________________________________
#
# long sys_sysctl(struct __sysctl_args __user *args)
#
probe nd_syscall.sysctl = kprobe.function("compat_sys_sysctl") ?,
kprobe.function("sys_sysctl") ?
{
name = "sysctl"
// argstr = sprintf("%p", $args)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.sysctl.return = kprobe.function("compat_sys_sysctl").return ?,
kprobe.function("sys_sysctl").return ?
{
name = "sysctl"
retstr = returnstr(1)
}
# sysfs ______________________________________________________
#
# asmlinkage long
# sys_sysfs(int option,
# unsigned long arg1,
# unsigned long arg2)
#
probe nd_syscall.sysfs = kprobe.function("sys_sysfs") ?
{
name = "sysfs"
// option = $option
// arg1 = $arg1
// arg2 = $arg2
// if (option == 1)
// argstr = sprintf("%d, %s, %d", $option, user_string_quoted($arg1), $arg2)
// else if (option == 2)
// argstr = sprintf("%d, %d, %p", $option, $arg1, $arg2)
// else if (option == 3)
// argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
// else
// argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
asmlinkage()
option = int_arg(1)
arg1 = ulong_arg(2)
arg2 = ulong_arg(3)
if (option == 1)
argstr = sprintf("%d, %s, %d", option, user_string_quoted(arg1), arg2)
else if (option == 2)
argstr = sprintf("%d, %d, %p", option, arg1, arg2)
else
argstr = sprintf("%d, %d, %d", option, arg1, arg2)
}
probe nd_syscall.sysfs.return = kprobe.function("sys_sysfs").return ?
{
name = "sysfs"
retstr = returnstr(1)
}
# sysinfo ____________________________________________________
#
# long sys_sysinfo(struct sysinfo __user *info)
# long compat_sys_sysinfo(struct compat_sysinfo __user *info)
probe nd_syscall.sysinfo = kprobe.function("compat_sys_sysinfo") ?,
kprobe.function("sys_sysinfo") ?
{
name = "sysinfo"
// info_uaddr = $info
// argstr = sprintf("%p", $info)
asmlinkage()
info_uaddr = pointer_arg(1)
argstr = sprintf("%p", info_uaddr)
}
probe nd_syscall.sysinfo.return = kprobe.function("compat_sys_sysinfo").return ?,
kprobe.function("sys_sysinfo").return ?
{
name = "sysinfo"
retstr = returnstr(1)
}
# syslog _____________________________________________________
#
# long sys_syslog(int type, char __user * buf, int len)
#
probe nd_syscall.syslog = kprobe.function("sys_syslog") ?
{
name = "syslog"
// type = $type
// bufp_uaddr = $buf
// len = $len
// argstr = sprintf("%d, %p, %d", $type, $buf, $len)
asmlinkage()
type = int_arg(1)
bufp_uaddr = pointer_arg(2)
len = int_arg(3)
argstr = sprintf("%d, %p, %d", type, bufp_uaddr, len)
}
probe nd_syscall.syslog.return = kprobe.function("sys_syslog").return ?
{
name = "syslog"
retstr = returnstr(1)
}
# tee _____________________________________________________
#
# long sys_tee(int fdin, int fdout, size_t len, unsigned int flags)
#
probe nd_syscall.tee = kprobe.function("sys_tee") ?
{
name = "tee"
// argstr = sprintf("%d, %d, %d, 0x%x", $fdin, $fdout, $len, $flags)
asmlinkage()
argstr = sprintf("%d, %d, %d, 0x%x", int_arg(1), int_arg(2), ulong_arg(3), uint_arg(4))
}
probe nd_syscall.tee.return = kprobe.function("sys_tee").return ?
{
name = "tee"
retstr = returnstr(1)
}
# tgkill _____________________________________________________
#
# asmlinkage long
# sys_tgkill(int tgid,
# int pid,
# int sig)
#
probe nd_syscall.tgkill = kprobe.function("sys_tgkill") ?
{
name = "tgkill"
// tgid = $tgid
// pid = $pid
// sig = $sig
// argstr = sprintf("%d, %d, %s", $tgid, $pid, _signal_name($sig))
asmlinkage()
tgid = int_arg(1)
pid = int_arg(2)
sig = int_arg(3)
argstr = sprintf("%d, %d, %s", tgid, pid, _signal_name(sig))
}
probe nd_syscall.tgkill.return = kprobe.function("sys_tgkill").return ?
{
name = "tgkill"
retstr = returnstr(1)
}
# time _______________________________________________________
#
# long sys_time(time_t __user * tloc)
# long sys_time64(long __user * tloc)
# long sys32_time(compat_time_t __user * tloc)
# long compat_sys_time(compat_time_t __user * tloc)
#
probe nd_syscall.time = kprobe.function("sys32_time") ?,
kprobe.function("sys_time64") ?,
kprobe.function("compat_sys_time") ?,
kprobe.function("sys_time") ?
{
name = "time"
// t_uaddr = $tloc
// argstr = sprintf("%p", $tloc)
asmlinkage()
t_uaddr = pointer_arg(1)
argstr = sprintf("%p", t_uaddr)
}
probe nd_syscall.time.return = kprobe.function("sys32_time").return ?,
kprobe.function("sys_time64").return ?,
kprobe.function("compat_sys_time").return ?,
kprobe.function("sys_time").return ?
{
name = "time"
retstr = returnstr(1)
}
# timer_create _______________________________________________
#
# long sys_timer_create(clockid_t which_clock,
# struct sigevent __user *timer_event_spec,
# timer_t __user * created_timer_id)
#
probe nd_syscall.timer_create = kprobe.function("sys_timer_create") ?
{
name = "timer_create"
// clockid = $which_clock
// clockid_str = _get_wc_str($which_clock)
// evp_uaddr = $timer_event_spec
// timerid_uaddr = $created_timer_id
// argstr = sprintf("%s, %p, %p", clockid_str, $timer_event_spec, $created_timer_id)
asmlinkage()
clockid = int_arg(1)
clockid_str = _get_wc_str(clockid)
evp_uaddr = pointer_arg(2)
timerid_uaddr = pointer_arg(3)
argstr = sprintf("%s, %p, %p", clockid_str, evp_uaddr, timerid_uaddr)
}
probe nd_syscall.timer_create.return = kprobe.function("sys_timer_create").return ?
{
name = "timer_create"
retstr = returnstr(1)
}
# timer_delete _______________________________________________
#
# long sys_timer_delete(timer_t timer_id)
#
probe nd_syscall.timer_delete = kprobe.function("sys_timer_delete") ?
{
name = "timer_delete"
// timerid = $timer_id
// argstr = sprint($timer_id)
asmlinkage()
timerid = int_arg(1)
argstr = sprint(timerid)
}
probe nd_syscall.timer_delete.return = kprobe.function("sys_timer_delete").return ?
{
name = "timer_delete"
retstr = returnstr(1)
}
# timer_getoverrun ___________________________________________
#
# long sys_timer_getoverrun(timer_t timer_id)
#
probe nd_syscall.timer_getoverrun = kprobe.function("sys_timer_getoverrun") ?
{
name = "timer_getoverrun"
// timerid = $timer_id
// argstr = sprint($timer_id)
asmlinkage()
timerid = int_arg(1)
argstr = sprint(timerid)
}
probe nd_syscall.timer_getoverrun.return = kprobe.function("sys_timer_getoverrun").return ?
{
name = "timer_getoverrun"
retstr = returnstr(1)
}
# timer_gettime ______________________________________________
#
# long sys_timer_gettime(timer_t timer_id,
# struct itimerspec __user *setting)
#
probe nd_syscall.timer_gettime = kprobe.function("sys_timer_gettime") ?
{
name = "timer_gettime"
// timerid = $timer_id
// value_uaddr = $setting
// argstr = sprintf("%d, %p", $timer_id, $setting)
asmlinkage()
timerid = int_arg(1)
value_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", timerid, value_uaddr)
}
probe nd_syscall.timer_gettime.return = kprobe.function("sys_timer_gettime").return ?
{
name = "timer_gettime"
retstr = returnstr(1)
}
# timer_settime ______________________________________________
#
# long sys_timer_settime(timer_t timer_id,
# int flags,
# const struct itimerspec __user *new_setting,
# struct itimerspec __user *old_setting)
#
probe nd_syscall.timer_settime = kprobe.function("sys_timer_settime") ?
{
name = "timer_settime"
// timerid = $timer_id
// flags = $flags
// value_uaddr = $new_setting
// ovalue_uaddr = $old_setting
// argstr = sprintf("%d, %d, %s, %p", $timer_id, $flags,
// _struct_itimerspec_u($new_setting),
// $old_setting)
asmlinkage()
timerid = int_arg(1)
flags = int_arg(2)
value_uaddr = pointer_arg(3)
ovalue_uaddr = pointer_arg(4)
argstr = sprintf("%d, %d, %s, %p", timerid, flags,
_struct_itimerspec_u(value_uaddr),
ovalue_uaddr)
}
probe nd_syscall.timer_settime.return = kprobe.function("sys_timer_settime").return ?
{
name = "timer_settime"
retstr = returnstr(1)
}
# timerfd ______________________________________________
#
# long sys_timerfd(int ufd, int clockid, int flags,
# const struct itimerspec __user *utmr)
# long compat_sys_timerfd(int ufd, int clockid, int flags,
# const struct compat_itimerspec __user *utmr)
#
probe nd_syscall.timerfd = kprobe.function("sys_timerfd") ?,
kprobe.function("compat_sys_timerfd") ?
{
name = "timerfd"
// argstr = sprintf("%d, %d, 0x%x", $ufd, $clockid, $flags)
asmlinkage()
argstr = sprintf("%d, %d, 0x%x", int_arg(1), int_arg(2), int_arg(3))
}
probe nd_syscall.timerfd.return = kprobe.function("sys_timerfd").return ?,
kprobe.function("compat_sys_timerfd").return ?
{
name = "timerfd"
retstr = returnstr(1)
}
# times ______________________________________________________
#
# long sys_times(struct tms __user * tbuf)
# long compat_sys_times(struct compat_tms __user *tbuf)
probe nd_syscall.times = kprobe.function("compat_sys_times") ?,
kprobe.function("sys_times") ?
{
name = "times"
// argstr = sprintf("%p", $tbuf)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.times.return = kprobe.function("compat_sys_times").return ?,
kprobe.function("sys_times").return ?
{
name = "times"
retstr = returnstr(1)
}
# tkill ______________________________________________________
#
# asmlinkage long
# sys_tkill(int pid,
# int sig)
#
probe nd_syscall.tkill = kprobe.function("sys_tkill") ?
{
name = "tkill"
// pid = $pid
// sig = $sig
// argstr = sprintf("%d, %s", $pid, _signal_name($sig))
asmlinkage()
pid = int_arg(1)
sig = int_arg(2)
argstr = sprintf("%d, %s", pid, _signal_name(sig))
}
probe nd_syscall.tkill.return = kprobe.function("sys_tkill").return ?
{
name = "tkill"
retstr = returnstr(1)
}
# truncate ___________________________________________________
#
# sys_truncate(const char __user * path, unsigned long length)
# sys_truncate64(const char __user * path, loff_t length)
#
probe nd_syscall.truncate = kprobe.function("sys_truncate") ?,
kprobe.function("sys_truncate64") ?
{
name = "truncate"
// path_uaddr = $path
// path = user_string($path)
// length = $length
// argstr = sprintf("%s, %d", user_string_quoted($path), $length)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string(path_uaddr)
if (probefunc() == "sys_truncate")
length = ulong_arg(2)
else
length = longlong_arg(2)
argstr = sprintf("%s, %d", user_string_quoted(path_uaddr), length)
}
probe nd_syscall.truncate.return = kprobe.function("sys_truncate").return ?,
kprobe.function("sys_truncate64").return ?
{
name = "truncate"
retstr = returnstr(1)
}
# tux ________________________________________________________
# long sys_tux (unsigned int action, user_req_t *u_info)
#
probe nd_syscall.tux = kprobe.function("sys_tux") ?
{
name = "tux"
// action = $action
// u_info_uaddr = $u_info
// argstr = sprintf("%d, %p", $action, $u_info)
// no sys_tux in recent kernels; guessing asmlinkage
asmlinkage()
action = uint_arg(1)
u_info_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", action, u_info_uaddr)
}
probe nd_syscall.tux.return = kprobe.function("sys_tux").return ?
{
name = "tux"
retstr = returnstr(1)
}
# umask ______________________________________________________
# long sys_umask(int mask)
#
probe nd_syscall.umask = kprobe.function("sys_umask") ?
{
name = "umask"
// mask = $mask
// argstr = sprintf("%#o", $mask)
asmlinkage()
mask = int_arg(1)
argstr = sprintf("%#o", mask)
}
probe nd_syscall.umask.return = kprobe.function("sys_umask").return ?
{
name = "umask"
retstr = returnstr(3)
}
# umount _____________________________________________________
# long sys_umount(char __user * name, int flags)
#
probe nd_syscall.umount = kprobe.function("sys_umount") ?
{
name = "umount"
// target = user_string($name)
// flags = $flags
// flags_str = _umountflags_str($flags)
// argstr = sprintf("%s, %s", user_string_quoted($name), flags_str)
asmlinkage()
target = user_string(pointer_arg(1))
flags = int_arg(2)
flags_str = _umountflags_str(flags)
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), flags_str)
}
probe nd_syscall.umount.return = kprobe.function("sys_umount").return ?
{
name = "umount"
retstr = returnstr(1)
}
# uname ______________________________________________________
#
# int sys_uname(struct old_utsname __user *name)
# long sys_newuname(struct new_utsname __user * name)
# int sys_olduname(struct oldold_utsname __user * name)
# int sys32_olduname(struct oldold_utsname __user * name)
# long sys32_uname(struct old_utsname __user * name)
#
probe nd_syscall.uname = kprobe.function("sys_uname") ?,
kprobe.function("sys_olduname") ?,
kprobe.function("sys32_olduname") ?,
kprobe.function("sys32_uname") ?,
kprobe.function("sys_newuname") ?
{
name = "uname"
// argstr = sprintf("%p", $name)
_func_name = probefunc()
if (_func_name != "sys32_uname") {
if (_func_name == "sys_uname" || _func_name == "sys_olduname") {
%( arch != "powerpc" %? asmlinkage() %)
} else
asmlinkage()
}
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.uname.return = kprobe.function("sys_uname").return ?,
kprobe.function("sys_olduname").return ?,
kprobe.function("sys32_olduname").return ?,
kprobe.function("sys32_uname").return ?,
kprobe.function("sys_newuname").return ?
{
name = "uname"
retstr = returnstr(1)
}
# unlink _____________________________________________________
# long sys_unlink(const char __user * pathname)
#
probe nd_syscall.unlink = kprobe.function("sys_unlink") ?
{
name = "unlink"
// pathname_uaddr = $pathname
// pathname = user_string($pathname)
// argstr = user_string_quoted($pathname)
asmlinkage()
pathname_uaddr = pointer_arg(1)
pathname = user_string(pathname_uaddr)
argstr = user_string_quoted(pathname_uaddr)
}
probe nd_syscall.unlink.return = kprobe.function("sys_unlink").return ?
{
name = "unlink"
retstr = returnstr(1)
}
# unlinkat ___________________________________________________
# new function with 2.6.16
# long sys_unlinkat(int dfd, const char __user *pathname,
# int flag)
probe nd_syscall.unlinkat = kprobe.function("sys_unlinkat") ?
{
name = "unlinkat"
// dfd = $dfd
// dfd_str = _dfd_str($dfd)
// pathname = $pathname
// pathname_str = user_string($pathname)
// flag = $flag
// flag_str = _at_flag_str($flag)
// argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted($pathname), flag_str)
asmlinkage()
dfd = int_arg(1)
dfd_str = _dfd_str(dfd)
pathname = pointer_arg(2)
pathname_str = user_string(pathname)
flag = int_arg(3)
flag_str = _at_flag_str(flag)
argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted(pathname), flag_str)
}
probe nd_syscall.unlinkat.return = kprobe.function("sys_unlinkat").return ?
{
name = "unlinkat"
retstr = returnstr(1)
}
# unshare ____________________________________________________
# new function with 2.6.16
# long sys_unshare(unsigned long unshare_flags)
probe nd_syscall.unshare = kprobe.function("sys_unshare") ?
{
name = "unshare"
// unshare_flags = $unshare_flags
asmlinkage()
unshare_flags = ulong_arg(1)
argstr = __fork_flags(unshare_flags)
}
probe nd_syscall.unshare.return = kprobe.function("sys_unshare").return ?
{
name = "unshare"
retstr = returnstr(1)
}
# uselib _____________________________________________________
#
# asmlinkage long
# sys_uselib(const char __user * library)
#
probe nd_syscall.uselib = kprobe.function("sys_uselib") ?
{
name = "uselib"
// library_uaddr = $library
// library = user_string($library)
// argstr = user_string_quoted($library)
asmlinkage()
library_uaddr = pointer_arg(1)
library = user_string(library_uaddr)
argstr = user_string_quoted(library_uaddr)
}
probe nd_syscall.uselib.return = kprobe.function("sys_uselib").return ?
{
name = "uselib"
retstr = returnstr(1)
}
# ustat ______________________________________________________
# long sys_ustat(unsigned dev, struct ustat __user * ubuf)
#
probe nd_syscall.ustat = kprobe.function("sys_ustat") ?
{
name = "ustat"
// dev = $dev
// ubuf_uaddr = $ubuf
// argstr = sprintf("%d, %p", $dev, $ubuf)
asmlinkage()
dev = uint_arg(1)
ubuf_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", dev, ubuf_uaddr)
}
#long sys32_ustat(unsigned dev, struct ustat32 __user *u32p)
probe nd_syscall.ustat32 = kprobe.function("sys32_ustat") ?
{
name = "ustat"
// dev = $dev
// ubuf_uaddr = (@defined($u) ? $u : $u32p)
// argstr = sprintf("%d, %p", $dev, (@defined($u) ? $u : $u32p))
// no asmlinkage
dev = uint_arg(1)
ubuf_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", dev, ubuf_uaddr)
}
# Since 2.6.30 sys32_ustat is called compat_sys_ustat and is now asmlinkage.
#asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u)
probe nd_syscall.ustat32 = kprobe.function("compat_sys_ustat") ?
{
name = "ustat"
// dev = $dev
// ubuf_uaddr = (@defined($u) ? $u : $u32p)
// argstr = sprintf("%d, %p", $dev, (@defined($u) ? $u : $u32p))
// asmlinkage
asmlinkage()
dev = uint_arg(1)
ubuf_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", dev, ubuf_uaddr)
}
probe nd_syscall.ustat.return = kprobe.function("sys_ustat").return ?,
kprobe.function("sys32_ustat").return ?,
kprobe.function("compat_sys_ustat").return ?
{
name = "ustat"
retstr = returnstr(1)
}
# utime ______________________________________________________
# long sys_utime(char __user * filename, struct utimbuf __user * times)
probe nd_syscall.utime = kprobe.function("sys_utime") ?
{
name = "utime"
asmlinkage()
filename_uaddr = pointer_arg(1)
filename = user_string_quoted(filename_uaddr)
buf_uaddr = pointer_arg(2)
actime = _struct_utimbuf_actime(buf_uaddr)
modtime = _struct_utimbuf_modtime(buf_uaddr)
argstr = sprintf("%s, [%s, %s]", filename,
ctime(actime), ctime(modtime))
}
probe nd_syscall.utime.return = kprobe.function("sys_utime").return ?
{
name = "utime"
retstr = returnstr(1)
}
# long compat_sys_utime(char __user *filename, struct compat_utimbuf __user *t)
probe nd_syscall.compat_utime = kprobe.function("compat_sys_utime") ?
{
name = "utime"
asmlinkage()
filename_uaddr = pointer_arg(1)
filename = user_string_quoted(filename_uaddr)
buf_uaddr = pointer_arg(2)
actime = _struct_compat_utimbuf_actime(buf_uaddr)
modtime = _struct_compat_utimbuf_modtime(buf_uaddr)
argstr = sprintf("%s, [%s, %s]", filename,
ctime(actime), ctime(modtime))
}
probe nd_syscall.compat_utime.return = kprobe.function("compat_sys_utime").return ?
{
name = "utime"
retstr = returnstr(1)
}
# utimes _____________________________________________________
#
# long sys_utimes(char __user * filename, struct timeval __user * utimes)
#
probe nd_syscall.utimes = kprobe.function("sys_utimes") ?
{
name = "utimes"
// filename_uaddr = $filename
// filename = user_string($filename)
// tvp_uaddr = $utimes
// argstr = sprintf("%s, %s", user_string_quoted($filename),
// _struct_timeval_u($utimes, 2))
asmlinkage()
filename_uaddr = pointer_arg(1)
filename = user_string(filename_uaddr)
tvp_uaddr = pointer_arg(2)
argstr = sprintf("%s, %s", user_string_quoted(filename_uaddr),
_struct_timeval_u(tvp_uaddr, 2))
}
probe nd_syscall.utimes.return = kprobe.function("sys_utimes").return ?
{
name = "utimes"
retstr = returnstr(1)
}
# compat_sys_utimes ________________________________________
#
# long compat_sys_utimes(char __user *filename, struct compat_timeval __user *t)
#
probe nd_syscall.compat_sys_utimes = kprobe.function("compat_sys_utimes") ?
{
name = "utimes"
// filename = user_string($filename)
// argstr = sprintf("%s, %s", user_string_quoted($filename),
// _struct_compat_timeval_u($t, 2))
asmlinkage()
filename = user_string(pointer_arg(1))
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
_struct_compat_timeval_u(pointer_arg(2), 2))
}
probe nd_syscall.compat_sys_utimes.return = kprobe.function("compat_sys_utimes").return ?
{
name = "utimes"
retstr = returnstr(1)
}
# utimensat ____________________________________________________
# long sys_utimensat(int dfd, char __user *filename, struct timespec __user *utimes, int flags)
# long compat_sys_utimensat(unsigned int dfd, char __user *filename, struct compat_timespec __user *t, int flags)
#
probe nd_syscall.utimensat = kprobe.function("sys_utimensat") ?
{
name = "utimensat"
// argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timespec_u($utimes, 2),
// _at_flag_str($flags))
asmlinkage()
argstr = sprintf("%s, %s, %s, %s", _dfd_str(int_arg(1)), user_string_quoted(pointer_arg(2)),
_struct_timespec_u(pointer_arg(3), 2), _at_flag_str(int_arg(4)))
}
probe nd_syscall.compat_utimensat = kprobe.function("compat_sys_utimensat") ?
{
name = "utimensat"
// argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timespec_u($t, 2),
// _at_flag_str($flags))
asmlinkage()
argstr = sprintf("%s, %s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
_struct_compat_timespec_u(pointer_arg(3), 2), _at_flag_str(int_arg(4)))
}
probe nd_syscall.utimensat.return = kprobe.function("sys_utimensat").return ?
{
name = "utimensat"
retstr = returnstr(1)
}
probe nd_syscall.compat_utimensat.return = kprobe.function("compat_sys_utimensat").return ?
{
name = "utimensat"
retstr = returnstr(1)
}
# vhangup ____________________________________________________
#
# asmlinkage long
# sys_vhangup(void)
#
probe nd_syscall.vhangup = kprobe.function("sys_vhangup")
{
name = "vhangup"
argstr = ""
}
probe nd_syscall.vhangup.return = kprobe.function("sys_vhangup").return
{
name = "vhangup"
retstr = returnstr(1)
}
# vmsplice ___________________________________________________
#
# long sys_vmsplice(int fd, const struct iovec __user *iov,
# unsigned long nr_segs, unsigned int flags)
# long compat_sys_vmsplice(int fd, const struct compat_iovec __user *iov32,
# unsigned int nr_segs, unsigned int flags)
#
probe nd_syscall.vmsplice = kprobe.function("sys_vmsplice") ?
{
name = "vmsplice"
// argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
asmlinkage()
argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), ulong_arg(3), uint_arg(4))
}
probe nd_syscall.compat_vmsplice = kprobe.function("compat_sys_vmsplice") ?
{
name = "vmsplice"
// argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov32, $nr_segs, $flags)
asmlinkage()
argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), uint_arg(3), uint_arg(4))
}
probe nd_syscall.vmsplice.return = kprobe.function("sys_vmsplice").return ?
{
name = "vmsplice"
retstr = returnstr(1)
}
probe nd_syscall.compat_vmsplice.return = kprobe.function("compat_sys_vmsplice").return ?
{
name = "vmsplice"
retstr = returnstr(1)
}
# wait4 ______________________________________________________
#
# long sys_wait4(pid_t pid,
# int __user *stat_addr,
# int options,
# struct rusage __user *ru)
#
probe nd_syscall.wait4 = kprobe.function("sys_wait4") ?
{
name = "wait4"
// pid = (@defined($upid) ? $upid : $pid)
// status_uaddr = $stat_addr
// options = $options & 0xffffffff
// options_str = _wait4_opt_str(options)
// rusage_uaddr = $ru
// argstr = sprintf("%d, %p, %s, %p",
// (@defined($upid) ? $upid : $pid),
// $stat_addr, _wait4_opt_str($options), $ru)
asmlinkage()
pid = int_arg(1)
status_uaddr = pointer_arg(2)
options = int_arg(3) & 0xffffffff
options_str = _wait4_opt_str(options)
rusage_uaddr = pointer_arg(4)
argstr = sprintf("%d, %p, %s, %p", pid, status_uaddr, _wait4_opt_str(options), rusage_uaddr)
}
probe nd_syscall.wait4.return = kprobe.function("sys_wait4").return ?
{
name = "wait4"
status_uaddr = pointer_arg(2)
if (returnval () <= 0)
status_str = "N/A"
else if (status_uaddr == 0)
status_str = "NULL"
else
status_str = _wait_status_str(user_int(status_uaddr))
retstr = returnstr(1)
}
# waitid _____________________________________________________
#
# long sys_waitid(int which,
# pid_t pid,
# struct siginfo __user *infop,
# int options,
# struct rusage __user *ru)
#
probe nd_syscall.waitid = kprobe.function("sys_waitid") ?
{
name = "waitid"
// pid = (@defined($upid) ? $upid : $pid)
// which = $which
// which_str = _waitid_which_str($which)
// infop_uaddr = $infop
// options = $options
// options_str = _waitid_opt_str($options)
// rusage_uaddr = $ru
// argstr = sprintf("%d, %d, %p, %s, %p", $which,
// (@defined($upid) ? $upid : $pid), $infop,
// _waitid_opt_str($options), $ru)
asmlinkage()
pid = int_arg(1)
which = int_arg(2)
which_str = _waitid_which_str(which)
infop_uaddr = pointer_arg(3)
options = int_arg(4)
options_str = _waitid_opt_str(options)
rusage_uaddr = pointer_arg(5)
argstr = sprintf("%d, %d, %p, %s, %p", which,
pid, infop_uaddr, _waitid_opt_str(options), rusage_uaddr)
}
probe nd_syscall.waitid.return = kprobe.function("sys_waitid").return ?
{
name = "waitid"
retstr = returnstr(1)
}
/* FIXME:
# waitpid ____________________________________________________
#
# long sys_wait4(pid_t pid,
# int __user *stat_addr,
# int options,
# struct rusage __user *ru)
#
probe nd_syscall.waitpid = kprobe.function("sys_wait4") ?
{
name = "waitpid"
pid = $pid
status_uaddr = $stat_addr
options = $options & 0xffffffff
options_str = _wait4_opt_str(options)
rusage_uaddr = $ru
argstr = sprintf("%d, %p, %s, %p", $pid, $stat_addr,
options_str, $ru)
}
probe nd_syscall.waitpid.return = kprobe.function("sys_wait4").return ?
{
name = "waitpid"
retstr = returnstr(1)
}
*/
# write ______________________________________________________
#
# ssize_t sys_write(unsigned int fd,
# const char __user * buf,
# size_t count)
#
probe nd_syscall.write = kprobe.function("sys_write") ?
{
name = "write"
// fd = $fd
// buf_uaddr = $buf
// count = $count
// argstr = sprintf("%d, %s, %d", $fd, text_strn(user_string($buf), syscall_string_trunc, 1), $count)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
count = ulong_arg(3)
argstr = sprintf("%d, %s, %d", fd, text_strn(user_string(buf_uaddr), syscall_string_trunc, 1), count)
}
probe nd_syscall.write.return = kprobe.function("sys_write").return ?
{
name = "write"
retstr = returnstr(1)
}
# writev _____________________________________________________
#
# ssize_t sys_writev(unsigned long fd,
# const struct iovec __user *vec,
# unsigned long vlen)
# ssize_t compat_sys_writev(unsigned long fd,
# const struct compat_iovec __user *vec,
# unsigned long vlen)
#
probe nd_syscall.writev = kprobe.function("compat_sys_writev") ?,
kprobe.function("sys_writev") ?
{
name = "writev"
// vector_uaddr = $vec
// count = $vlen
// fd = $fd
// argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
asmlinkage()
vector_uaddr = pointer_arg(2)
count = ulong_arg(3)
fd = ulong_arg(1)
argstr = sprintf("%d, %p, %d", fd, vector_uaddr, count)
}
probe nd_syscall.writev.return = kprobe.function("compat_sys_writev").return ?,
kprobe.function("sys_writev").return ?
{
name = "writev"
retstr = returnstr(1)
}