|
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17 System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64 User : nobody ( 99) PHP Version : 5.2.17 Disable Function : NONE Directory : /proc/21573/root/usr/share/systemtap/tapset/ |
Upload File : |
// syscalls tapset part 1 [A-M]
// Copyright (C) 2005 IBM Corp.
// Copyright (C) 2005, 2006, 2007, 2010 Red Hat Inc.
// Copyright (C) 2007 Quentin Barnes.
//
// This file is part of systemtap, and is free software. You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.
/*
* nd_syscalls.stp is a copy of syscalls.stp, modified to refer to
* function arguments by number rather than name, so that this tapset
* can be used even when the probed kernel lacks debugging information.
*/
/* Each syscall returns the calls parameters. In addition, the following
* variables are set:
*
* name - generally the syscall name minus the "sys_".
*
* argstr - a string containing the decoded args in an easy-to-read format.
* It doesn't need to contain everything, but should have all the
* important args. Set in entry probes only. Values enclosed in
* square brackets are user-space pointers. Values in curly
* braces are decoded structs.
*
* retstr - a string containing the return value in an easy-to-read format.
* Set in return probes only.
*/
# accept _____________________________________________________
# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
# int __user *upeer_addrlen)
%( kernel_v >= "2.6.28" %?
probe nd_syscall.accept = kprobe.function("sys_accept4") ?
%:
probe nd_syscall.accept = kprobe.function("sys_accept") ?
%)
{
name = "accept"
// sockfd = $fd
// addr_uaddr = $upeer_sockaddr
// addrlen_uaddr = $upeer_addrlen
// argstr = sprintf("%d, %p, %p", $fd, $upeer_sockaddr, $upeer_addrlen)
asmlinkage()
sockfd = int_arg(1)
addr_uaddr = pointer_arg(2)
addrlen_uaddr = pointer_arg(3)
flags = 0
# 'flag_str should have been 'flags_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
flag_str = "0"
%)
flags_str = "0"
argstr = sprintf("%d, %p, %p, %s", sockfd, addr_uaddr, addrlen_uaddr,
flags_str)
}
%( kernel_v >= "2.6.28" %?
probe nd_syscall.accept.return = kprobe.function("sys_accept4").return ?
%:
probe nd_syscall.accept.return = kprobe.function("sys_accept").return ?
%)
{
name = "accept"
retstr = returnstr(1)
}
# access _____________________________________________________
# long sys_access(const char __user * filename, int mode)
probe nd_syscall.access = kprobe.function("sys_access") ?
{
name = "access"
// pathname = user_string($filename)
// mode = $mode
// mode_str = _access_mode_str($mode)
// argstr = sprintf("%s, %s", user_string_quoted($filename), mode_str)
asmlinkage()
pathname = user_string(pointer_arg(1))
mode = int_arg(2)
mode_str = _access_mode_str(mode)
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str)
}
probe nd_syscall.access.return = kprobe.function("sys_access").return ?
{
name = "access"
retstr = returnstr(1)
}
# acct _______________________________________________________
# long sys_acct(const char __user *name)
probe nd_syscall.acct = kprobe.function("sys_acct") ?
{
name = "acct"
// filename = user_string($name)
// argstr = user_string_quoted($name)
asmlinkage()
filename = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
probe nd_syscall.acct.return = kprobe.function("sys_acct").return ?
{
name = "acct"
retstr = returnstr(1)
}
# add_key ____________________________________________________
# long sys_add_key(const char __user *_type,
# const char __user *_description,
# const void __user *_payload,
# size_t plen,
# key_serial_t ringid)
#
probe nd_syscall.add_key = kprobe.function("sys_add_key") ?
{
name = "add_key"
// type_uaddr = $_type
// description_auddr = $_description
// payload_uaddr = $_payload
// plen = $plen
// ringid = $ringid
// argstr = sprintf("%s, %s, %s, %d, %d",
// user_string_quoted($_type),
// user_string_quoted($_description),
// text_strn(user_string($_payload), syscall_string_trunc, 1),
// $plen, $ringid)
asmlinkage()
type_uaddr = pointer_arg(1)
description_uaddr = pointer_arg(2)
payload_uaddr = pointer_arg(3)
plen = ulong_arg(4)
ringid = int_arg(5)
argstr = sprintf("%s, %s, %s, %d, %d",
user_string_quoted(type_uaddr),
user_string_quoted(description_uaddr),
text_strn(user_string(payload_uaddr), syscall_string_trunc, 1),
plen, ringid)
}
probe nd_syscall.add_key.return = kprobe.function("sys_add_key").return ?
{
name = "add_key"
retstr = returnstr(1)
}
# adjtimex ___________________________________________________
# long sys_adjtimex(struct timex __user *txc_p)
probe nd_syscall.adjtimex = kprobe.function("sys_adjtimex") ?
{
name = "adjtimex"
/*
* buf_offset = __uget_timex_m($txc_p, 1)
* buf_freq = __uget_timex_m($txc_p, 2)
* buf_maxerror = __uget_timex_m($txc_p, 3)
* buf_esterror = __uget_timex_m($txc_p, 4)
* buf_status = __uget_timex_m($txc_p, 5)
* buf_constant = __uget_timex_m($txc_p, 6)
* buf_precision = __uget_timex_m($txc_p, 7)
* buf_tolerance = __uget_timex_m($txc_p, 8)
* buf_time_tv_sec = __uget_timex_m($txc_p, 9)
* buf_time_tv_usec = __uget_timex_m($txc_p, 10)
* buf_tick = __uget_timex_m($txc_p, 11)
*/
// argstr = sprintf("%p", $txc_p)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.adjtimex.return = kprobe.function("sys_adjtimex").return ?
{
name = "adjtimex"
// retstr = _adjtimex_return_str($return)
retstr = _adjtimex_return_str(returnval())
}
# long compat_sys_adjtimex(struct compat_timex __user *utp)
probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ?
{
name = "compat_adjtimex"
// argstr = sprintf("%p", $utp)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.compat_adjtimex.return = kprobe.function("compat_sys_adjtimex").return ?
{
name = "compat_adjtimex"
retstr = returnstr(1)
}
# alarm ______________________________________________________
# unsigned long sys_alarm (unsigned int seconds)
# long sys32_alarm(unsigned int seconds)
#
probe nd_syscall.alarm = kprobe.function("sys32_alarm") ?,
kprobe.function("sys_alarm") ?
{
name = "alarm"
// seconds = $seconds
// argstr = sprint($seconds)
asmlinkage()
seconds = uint_arg(1)
argstr = sprint(seconds)
}
probe nd_syscall.alarm.return = kprobe.function("sys32_alarm").return ?,
kprobe.function("sys_alarm").return ?
{
name = "alarm"
retstr = returnstr(1)
}
# bdflush ____________________________________________________
# long sys_bdflush(int func, long data)
probe nd_syscall.bdflush = kprobe.function("sys_bdflush") ?
{
name = "bdflush"
// func = $func
// data = $data
// if (($func >= 2) && ($func % 2 == 0))
// data_str = sprintf("%p", $data)
// else
// data_str = sprintf("%d", $data)
asmlinkage()
func = int_arg(1)
data = long_arg(2)
if ((func >= 2) && (func % 2 == 0))
data_str = sprintf("%p", data)
else
data_str = sprintf("%d", data)
argstr = sprintf("%d, %s", func, data_str)
}
probe nd_syscall.bdflush.return = kprobe.function("sys_bdflush").return ?
{
name = "bdflush"
retstr = returnstr(1)
}
# bind _______________________________________________________
# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
probe nd_syscall.bind = kprobe.function("sys_bind") ?
{
name = "bind"
// sockfd = $fd
// my_addr_uaddr = $umyaddr
// addrlen = $addrlen
// argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
my_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr, addrlen), addrlen)
}
probe nd_syscall.bind.return = kprobe.function("sys_bind").return ?
{
name = "bind"
retstr = returnstr(1)
}
# brk ________________________________________________________
# unsigned long sys_brk(unsigned long brk)
probe nd_syscall.brk = kprobe.function("ia64_brk") ?,
kprobe.function("sys_brk") ?
{
name = "brk"
// brk = $brk
asmlinkage()
brk = ulong_arg(1)
argstr = sprintf("%p", brk)
}
probe nd_syscall.brk.return = kprobe.function("ia64_brk").return ?,
kprobe.function("sys_brk").return ?
{
name = "brk"
retstr = returnstr(1)
}
# capget _____________________________________________________
/*
* NOTE
* this is probably not a good function
* to probe. The structures are always
* changing. It also seems like it is
* not really used. Cscope produced no
* reference of this function in the
* kernel (returned no callers). Perhaps
* cap_get_proc / cap_set_proc are better
* functions to export.
*/
# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
probe nd_syscall.capget = kprobe.function("sys_capget") ?
{
name = "capget"
// header_uaddr = $header
// data_uaddr = $dataptr
// argstr = sprintf("%p, %p", $header, $dataptr)
asmlinkage()
header_uaddr = pointer_arg(1)
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
probe nd_syscall.capget.return = kprobe.function("sys_capget").return ?
{
name = "capget"
retstr = returnstr(1)
}
# capset _____________________________________________________
/*
* NOTE
* this is probably not a good function
* to probe. The structures are always
* changing. It also seems like it is
* not really used. Cscope produced no
* reference of this function in the
* kernel (returned no callers). Perhaps
* cap_get_proc / cap_set_proc are better
* functions to export.
*/
# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
probe nd_syscall.capset = kprobe.function("sys_capset") ?
{
name = "capset"
// header_uaddr = $header
// data_uaddr = $data
// argstr = sprintf("%p, %p", $header, $data)
asmlinkage()
header_uaddr = pointer_arg(1)
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
probe nd_syscall.capset.return = kprobe.function("sys_capset").return ?
{
name = "capset"
retstr = returnstr(1)
}
# chdir ______________________________________________________
# long sys_chdir(const char __user * filename)
probe nd_syscall.chdir = kprobe.function("sys_chdir") ?
{
name = "chdir"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
asmlinkage()
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
probe nd_syscall.chdir.return = kprobe.function("sys_chdir").return ?
{
name = "chdir"
retstr = returnstr(1)
}
# chmod ______________________________________________________
# long sys_chmod(const char __user * filename, mode_t mode)
probe nd_syscall.chmod = kprobe.function("sys_chmod") ?
{
name = "chmod"
// path = user_string($filename)
// mode = $mode
// argstr = sprintf("%s, %#o", user_string_quoted($filename), mode)
asmlinkage()
path = user_string(pointer_arg(1))
mode = uint_arg(2)
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
probe nd_syscall.chmod.return = kprobe.function("sys_chmod").return ?
{
name = "chmod"
retstr = returnstr(1)
}
# chown ______________________________________________________
# long sys_chown(const char __user * filename, uid_t user, gid_t group)
probe nd_syscall.chown = kprobe.function("sys_chown") ?
{
name = "chown"
// path = user_string($filename)
// owner = __int32($user)
// group = __int32($group)
// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __int32(uint_arg(2))
group = __int32(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
probe nd_syscall.chown.return = kprobe.function("sys_chown").return ?
{
name = "chown"
retstr = returnstr(1)
}
# chown16 ___________________________________________________
# long sys_chown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
probe nd_syscall.chown16 = kprobe.function("sys_chown16") ?
{
name = "chown16"
// path = user_string($filename)
// owner = __short($user)
// group = __short($group)
// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __short(uint_arg(2))
group = __short(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
probe nd_syscall.chown16.return = kprobe.function("sys_chown16").return ?
{
name = "chown16"
retstr = returnstr(1)
}
# chroot _____________________________________________________
# long sys_chroot(const char __user * filename)
probe nd_syscall.chroot = kprobe.function("sys_chroot") ?
{
name = "chroot"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
asmlinkage()
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
probe nd_syscall.chroot.return = kprobe.function("sys_chroot").return ?
{
name = "chroot"
retstr = returnstr(1)
}
# clock_getres _______________________________________________
# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
# long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
#
probe nd_syscall.clock_getres = kprobe.function("compat_clock_getres") ?,
kprobe.function("sys_clock_getres") ?
{
name = "clock_getres"
// clk_id = $which_clock
// clk_id_str = _get_wc_str($which_clock)
// res_uaddr = $tp
// argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
res_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", clk_id_str, res_uaddr)
}
probe nd_syscall.clock_getres.return = kprobe.function("compat_clock_getres").return ?,
kprobe.function("sys_clock_getres").return ?
{
name = "clock_getres"
retstr = returnstr(1)
}
# clock_gettime ______________________________________________
# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
#
probe nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime") ?
{
name = "clock_gettime"
// clk_id = $which_clock
// clk_id_str = _get_wc_str($which_clock)
// argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2))
}
probe nd_syscall.clock_gettime.return = kprobe.function("sys_clock_gettime").return ?
{
name = "clock_gettime"
retstr = returnstr(1)
}
# clock_nanosleep ____________________________________________
# long sys_clock_nanosleep(clockid_t which_clock,
# int flags,
# const struct timespec __user *rqtp,
# struct timespec __user *rmtp)
#
probe nd_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep") ?
{
name = "clock_nanosleep"
// if ($flags == 1)
// flag_str = "TIMER_ABSTIME"
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
// _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
flag_str = "TIMER_ABSTIME"
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
_struct_timespec_u(pointer_arg(3), 1), pointer_arg(4))
}
probe nd_syscall.clock_nanosleep.return = kprobe.function("sys_clock_nanosleep").return ?
{
name = "clock_nanosleep"
retstr = returnstr(1)
}
# compat_clock_nanosleep ________________________________________
#
# long compat_clock_nanosleep(clockid_t which_clock, int flags,
# struct compat_timespec __user *rqtp,
# struct compat_timespec __user *rmtp)
#
probe nd_syscall.compat_clock_nanosleep = kprobe.function("compat_clock_nanosleep") ?,
kprobe.function("compat_sys_clock_nanosleep") ?
{
name = "compat_clock_nanosleep"
// if ($flags == 1)
// flag_str = "TIMER_ABSTIME"
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
// _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
flag_str = "TIMER_ABSTIME"
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
_struct_compat_timespec_u(pointer_arg(3), 1),
pointer_arg(4))
}
probe nd_syscall.compat_clock_nanosleep.return = kprobe.function("compat_clock_nanosleep").return ?,
kprobe.function("compat_sys_clock_nanosleep").return ?
{
name = "compat_clock_nanosleep"
retstr = returnstr(1)
}
# clock_settime ______________________________________________
# long sys_clock_settime(clockid_t which_clock,
# const struct timespec __user *tp)
#
probe nd_syscall.clock_settime = kprobe.function("sys_clock_settime") ?
{
name = "clock_settime"
// clk_id = $which_clock
// clk_id_str = _get_wc_str($which_clock)
// tp_uaddr = $tp
// argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
tp_uaddr = pointer_arg(2)
argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr, 1))
}
probe nd_syscall.clock_settime.return = kprobe.function("sys_clock_settime").return ?
{
name = "clock_settime"
retstr = returnstr(1)
}
# close ______________________________________________________
# long sys_close(unsigned int fd)
probe nd_syscall.close = kprobe.function("sys_close") ?
{
name = "close"
// fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
probe nd_syscall.close.return = kprobe.function("sys_close").return ?
{
name = "close"
retstr = returnstr(1)
}
# connect ____________________________________________________
# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
probe nd_syscall.connect = kprobe.function("sys_connect") ?
{
name = "connect"
// sockfd = $fd
// serv_addr_uaddr = $uservaddr
// addrlen = $addrlen
// argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
serv_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr, addrlen), addrlen)
}
probe nd_syscall.connect.return = kprobe.function("sys_connect").return ?
{
name = "connect"
retstr = returnstr(1)
}
# creat
# long sys_creat(const char __user * pathname, int mode)
probe nd_syscall.creat = kprobe.function("sys_creat") ?
{
name = "creat"
// mode = $mode
// pathname = user_string($pathname)
// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
asmlinkage()
mode = int_arg(2)
pathname = user_string(pointer_arg(1))
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
probe nd_syscall.creat.return = kprobe.function("sys_creat").return ?
{
name = "creat"
retstr = returnstr(1)
}
# delete_module ______________________________________________
# long sys_delete_module(const char __user *name_user, unsigned int flags)
probe nd_syscall.delete_module = kprobe.function("sys_delete_module") ?
{
name = "delete_module"
// name_user = user_string($name_user)
// flags = $flags
// argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
asmlinkage()
name_user = user_string(pointer_arg(1))
flags = uint_arg(2)
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(uint_arg(2)))
}
probe nd_syscall.delete_module.return = kprobe.function("sys_delete_module").return ?
{
name = "delete_module"
retstr = returnstr(1)
}
# dup ________________________________________________________
# long sys_dup(unsigned int fildes)
probe nd_syscall.dup = kprobe.function("sys_dup") ?
{
name = "dup"
// oldfd = $fildes
// argstr = sprint($fildes)
asmlinkage()
# 'old_fd' should have been 'oldfd. Deprecate the old name.
%(systemtap_v <= "1.4" %?
old_fd = int_arg(1)
%)
oldfd = int_arg(1)
argstr = sprint(oldfd)
}
probe nd_syscall.dup.return = kprobe.function("sys_dup").return ?
{
name = "dup"
retstr = returnstr(1)
}
# dup2 _______________________________________________________
# long sys_dup2(unsigned int oldfd, unsigned int newfd)
#
# FIXME: doesn't handle dup3
probe nd_syscall.dup2 = kprobe.function("sys_dup2") ?
{
name = "dup2"
// oldfd = $oldfd
// newfd = $newfd
// flags = 0
// argstr = sprintf("%d, %d", $oldfd, $newfd)
asmlinkage()
oldfd = int_arg(1)
newfd = int_arg(2)
flags = 0
argstr = sprintf("%d, %d", oldfd, newfd)
}
probe nd_syscall.dup2.return = kprobe.function("sys_dup2").return ?
{
name = "dup2"
retstr = returnstr(1)
}
# epoll_create _______________________________________________
# long sys_epoll_create(int size)
#
# FIXME: doesn't handle sys_epoll_create1()
probe nd_syscall.epoll_create = kprobe.function("sys_epoll_create") ?
{
name = "epoll_create"
// size = $size
// argstr = sprint($size)
asmlinkage()
size = int_arg(1)
flags = 0
argstr = sprint(size)
}
probe nd_syscall.epoll_create.return = kprobe.function("sys_epoll_create").return ?
{
name = "epoll_create"
retstr = returnstr(1)
}
# epoll_ctl __________________________________________________
#
# long sys_epoll_ctl(int epfd, int op, int fd, struct epoll_event __user *event)
# long compat_sys_epoll_ctl(int epfd, int op, int fd,
# struct compat_epoll_event __user *event)
#
probe nd_syscall.epoll_ctl = kprobe.function("compat_sys_epoll_ctl") ?,
kprobe.function("sys_epoll_ctl") ?
{
name = "epoll_ctl"
// epfd = $epfd
// eop = $op
// eop_str = _opoll_op_str($op)
// efd = $fd
// eevent_uaddr = $event
// eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
asmlinkage()
epfd = int_arg(1)
op = int_arg(2)
op_str = _opoll_op_str(op)
fd = int_arg(3)
event_uaddr = pointer_arg(4)
argstr = sprintf("%d, %s, %d, %p", epfd, op_str, fd, event_uaddr)
}
probe nd_syscall.epoll_ctl.return = kprobe.function("compat_sys_epoll_ctl").return ?,
kprobe.function("sys_epoll_ctl").return ?
{
name = "epoll_ctl"
retstr = returnstr(1)
}
# epoll_pwait _________________________________________________
#
# long sys_epoll_pwait(int epfd, struct epoll_event __user *events,
# int maxevents, int timeout, const sigset_t __user *sigmask,
# size_t sigsetsize)
# long compat_sys_epoll_pwait(int epfd,
# struct compat_epoll_event __user *events,
# int maxevents, int timeout,
# const compat_sigset_t __user *sigmask,
# compat_size_t sigsetsize)
#
probe nd_syscall.epoll_pwait = kprobe.function("compat_sys_epoll_pwait") ?,
kprobe.function("sys_epoll_pwait") ?
{
name = "epoll_pwait"
asmlinkage()
argstr = sprintf("%d, %p, %d, %d, %p, %d",
// $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6))
}
probe nd_syscall.epoll_pwait.return = kprobe.function("compat_sys_epoll_pwait").return ?,
kprobe.function("sys_epoll_pwait").return ?
{
name = "epoll_pwait"
retstr = returnstr(1)
}
# epoll_wait _________________________________________________
#
# long sys_epoll_wait(int epfd, struct epoll_event __user *events,
# int maxevents, int timeout)
# long compat_sys_epoll_wait(int epfd,
# struct compat_epoll_event __user *events,
# int maxevents, int timeout)
#
probe nd_syscall.epoll_wait = kprobe.function("compat_sys_epoll_wait") ?,
kprobe.function("sys_epoll_wait") ?
{
name = "epoll_wait"
// epfd = $epfd
// events_uaddr = $events
// maxevents = $maxevents
// timeout = $timeout
// argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
asmlinkage()
epfd = int_arg(1)
events_uaddr = pointer_arg(2)
maxevents = int_arg(3)
timeout = int_arg(4)
argstr = sprintf("%d, %p, %d, %d", epfd, events_uaddr, maxevents, timeout)
}
probe nd_syscall.epoll_wait.return = kprobe.function("compat_sys_epoll_wait").return ?,
kprobe.function("sys_epoll_wait").return ?
{
name = "epoll_wait"
retstr = returnstr(1)
}
# eventfd _____________________________________________________
# long sys_eventfd(unsigned int count)
#
# FIXME: doesn't handle sys_eventfd2()
probe nd_syscall.eventfd = kprobe.function("sys_eventfd") ?
{
name = "eventfd"
// argstr = sprint($count)
asmlinkage()
flags = 0
argstr = sprint(uint_arg(1))
}
probe nd_syscall.eventfd.return = kprobe.function("sys_eventfd").return ?
{
name = "eventfd"
retstr = returnstr(1)
}
# execve _____________________________________________________
# int sys_execve(struct pt_regs regs)
# which breaks out the args and immediately calls
# int do_execve(char * filename,
# char __user *__user *argv,
# char __user *__user *envp,
# struct pt_regs * regs)
probe nd_syscall.execve = kprobe.function("do_execve")
{
name = "execve"
// filename = kernel_string($filename)
// args = __get_argv($argv, 0)
// argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
filename = kernel_string(pointer_arg(1))
args = __get_argv(pointer_arg(2), 0)
argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1))
}
# v2.6.15-rc2 or earlier has problems with sys_execve return probes
# another reason to probe on do_execve
probe nd_syscall.execve.return = kprobe.function("do_execve").return
{
name = "execve"
retstr = returnstr(1)
}
# int compat_do_execve(char * filename,
# compat_uptr_t __user *argv,
# compat_uptr_t __user *envp,
# struct pt_regs * regs)
probe nd_syscall.compat_execve = kprobe.function("compat_do_execve") ?
{
name = "compat_execve"
// filename = kernel_string($filename)
// args = __get_compat_argv($argv, 0)
// argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
filename = kernel_string(pointer_arg(1))
args = __get_compat_argv(pointer_arg(2), 0)
argstr = sprintf("%s %s", filename, __get_compat_argv(pointer_arg(2), 1))
}
probe nd_syscall.compat_execve.return = kprobe.function("compat_do_execve").return ?
{
name = "compat_execve"
retstr = returnstr(1)
}
# exit _______________________________________________________
# long sys_exit(int error_code)
probe nd_syscall.exit = kprobe.function("do_exit")
{
name = "exit"
// status = $code
// argstr = sprint($code)
asmlinkage()
status = int_arg(1)
argstr = sprint(status)
}
# sys_exit() never returns, and is blacklisted for return probes,
# so no alias here. See bz6588.
# exit_group _________________________________________________
# void sys_exit_group(int error_code)
#
probe nd_syscall.exit_group = kprobe.function("sys_exit_group") ?
{
name = "exit_group"
// status = $error_code
// argstr = sprint($error_code)
asmlinkage()
status = int_arg(1)
argstr = sprint(status)
}
# sys_exit_group() never returns, and is blacklisted for return probes,
# so no alias here. See bz6588.
# faccessat __________________________________________________
# new function with 2.6.16
# long sys_faccessat(int dfd, const char __user *filename, int mode)
probe nd_syscall.faccessat = kprobe.function("sys_faccessat") ?
{
name = "faccessat"
// dirfd = $dfd
// dirfd_str = _dfd_str($dfd)
// pathname = user_string($filename)
// mode = $mode
// mode_str = _access_mode_str($mode)
// argstr = sprintf("%s, %s, %s", dirfd_str, user_string_quoted($filename), mode_str)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
pathname = user_string(pointer_arg(2))
mode = int_arg(3)
mode_str = _access_mode_str(mode)
argstr = sprintf("%s, %s, %s", dirfd_str, user_string_quoted(pointer_arg(2)), mode_str)
}
probe nd_syscall.faccessat.return = kprobe.function("sys_faccessat").return ?
{
name = "faccessat"
retstr = returnstr(1)
}
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") ?
{
name = "fadvise64"
// fd = $fd
// offset = $offset
// len = $len
// advice = $advice
// argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
asmlinkage()
fd = int_arg(1)
offset = longlong_arg(2)
len = ulong_arg(3)
advice = int_arg(4)
argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return ?
{
name = "fadvise64"
retstr = returnstr(1)
}
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64") ?
{
name = "fadvise64_64"
// fd = $fd
// offset = $offset
// len = $len
// advice = $advice
// argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
asmlinkage()
fd = int_arg(1)
offset = longlong_arg(2)
len = ulong_arg(3)
advice = int_arg(4)
argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return ?
{
name = "fadvise64_64"
retstr = returnstr(1)
}
# fchdir _____________________________________________________
# long sys_fchdir(unsigned int fd)
probe nd_syscall.fchdir = kprobe.function("sys_fchdir") ?
{
name = "fchdir"
// fd = $fd
// argstr = sprint($fd)
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
probe nd_syscall.fchdir.return = kprobe.function("sys_fchdir").return ?
{
name = "fchdir"
retstr = returnstr(1)
}
# fchmod _____________________________________________________
# long sys_fchmod(unsigned int fd, mode_t mode)
probe nd_syscall.fchmod = kprobe.function("sys_fchmod") ?
{
name = "fchmod"
// fildes = $fd
// mode = $mode
asmlinkage()
fildes = int_arg(1)
mode = uint_arg(2) # SAFE?
argstr = sprintf("%d, %#o", fildes, mode)
}
probe nd_syscall.fchmod.return = kprobe.function("sys_fchmod").return ?
{
name = "fchmod"
retstr = returnstr(1)
}
# fchmodat ___________________________________________________
# new function with 2.6.16
# long sys_fchmodat(int dfd, const char __user *filename,
# mode_t mode)
probe nd_syscall.fchmodat = kprobe.function("sys_fchmodat") ?
{
name = "fchmodat"
// dirfd = $dfd
// dirfd_str = _dfd_str($dfd)
// pathname = user_string($filename)
// mode = $mode
// argstr = sprintf("%s, %s, %#o", dirfd_str, user_string_quoted($filename), $mode)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
pathname = user_string(pointer_arg(2))
mode = uint_arg(3)
argstr = sprintf("%s, %s, %#o", dirfd_str, user_string_quoted(pointer_arg(2)), mode)
}
probe nd_syscall.fchmodat.return = kprobe.function("sys_fchmodat").return ?
{
name = "fchmodat"
retstr = returnstr(1)
}
# fchown _____________________________________________________
# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
probe nd_syscall.fchown = kprobe.function("sys_fchown") ?
{
name = "fchown"
// fd = $fd
// owner = __int32($user)
// group = __int32($group)
// argstr = sprintf("%d, %d, %d", $fd, owner, group)
asmlinkage()
fd = int_arg(1)
owner = __int32(uint_arg(2))
group = __int32(uint_arg(3))
argstr = sprintf("%d, %d, %d", fd, owner, group)
}
probe nd_syscall.fchown.return = kprobe.function("sys_fchown").return ?
{
name = "fchown"
retstr = returnstr(1)
}
# fchown16 ___________________________________________________
# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ?
{
name = "fchown16"
// fd = $fd
// owner = __short($user)
// group = __short($group)
// argstr = sprintf("%d, %d, %d", $fd, owner, group)
asmlinkage()
fd = int_arg(1)
owner = __short(uint_arg(2))
group = __short(uint_arg(3))
argstr = sprintf("%d, %d, %d", fd, owner, group)
}
probe nd_syscall.fchown16.return = kprobe.function("sys_fchown16").return ?
{
name = "fchown16"
retstr = returnstr(1)
}
# fchownat ___________________________________________________
# new function with 2.6.16
# long sys_fchownat(int dfd, const char __user *filename,
# uid_t user, gid_t group, int flag)
probe nd_syscall.fchownat = kprobe.function("sys_fchownat") ?
{
name = "fchownat"
// dirfd = $dfd
// dirfd_str = _dfd_str($dfd)
// pathname = user_string($filename)
// owner = __int32($user)
// group = __int32($group)
// flags = $flag
// flags_str = _at_flag_str($flag)
// argstr = sprintf("%s, %s, %d, %d, %s",
// dirfd_str, user_string_quoted($filename), owner, group, flags_str)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
pathname = user_string(pointer_arg(2))
owner = __int32(uint_arg(3))
group = __int32(uint_arg(4))
flags = int_arg(5)
flags_str = _at_flag_str(flags)
argstr = sprintf("%s, %s, %d, %d, %s",
dirfd_str, user_string_quoted(pointer_arg(2)), owner, group, flags_str)
}
probe nd_syscall.fchownat.return = kprobe.function("sys_fchownat").return ?
{
name = "fchownat"
retstr = returnstr(1)
}
# fcntl ______________________________________________________
# long sys_fcntl(int fd, unsigned int cmd, unsigned long arg)
# long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
probe nd_syscall.fcntl = kprobe.function("compat_sys_fcntl") ?,
kprobe.function("compat_sys_fcntl64") ?,
kprobe.function("sys_fcntl64") ?,
kprobe.function("sys_fcntl") ?
{
name = "fcntl"
// fd = $fd
// cmd = $cmd
// cmd_str = _fcntl_cmd_str($cmd)
// arg = $arg
// argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
asmlinkage()
fd = int_arg(1)
cmd = int_arg(2)
cmd_str = _fcntl_cmd_str(cmd)
arg = long_arg(3)
argstr = sprintf("%d, %s, %p", fd, cmd_str, arg)
}
probe nd_syscall.fcntl.return = kprobe.function("compat_sys_fcntl").return ?,
kprobe.function("compat_sys_fcntl64").return ?,
kprobe.function("sys_fcntl64").return ?,
kprobe.function("sys_fcntl").return ?
{
name = "fcntl"
retstr = returnstr(1)
}
# fdatasync __________________________________________________
# long sys_fdatasync(unsigned int fd)
probe nd_syscall.fdatasync = kprobe.function("sys_fdatasync") ?
{
name = "fdatasync"
// fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
probe nd_syscall.fdatasync.return = kprobe.function("sys_fdatasync").return ?
{
name = "fdatasync"
retstr = returnstr(1)
}
# fgetxattr __________________________________________________
# ssize_t sys_fgetxattr(int fd, char __user *name,
# void __user *value, size_t size)
probe nd_syscall.fgetxattr = kprobe.function("sys_fgetxattr") ?
{
name = "fgetxattr"
// filedes = $fd
// name2 = user_string($name)
// value_uaddr = $value
// size = $size
// argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size)
asmlinkage()
filedes = int_arg(1)
# 'name2' should have been 'name_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
name2 = user_string(pointer_arg(2))
%)
name_str = user_string(pointer_arg(2))
value_uaddr = pointer_arg(3)
size = ulong_arg(4)
argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size)
}
probe nd_syscall.fgetxattr.return = kprobe.function("sys_fgetxattr").return ?
{
name = "fgetxattr"
retstr = returnstr(1)
}
# flistxattr _________________________________________________
# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
probe nd_syscall.flistxattr = kprobe.function("sys_flistxattr") ?
{
name = "flistxattr"
// filedes = $fd
// list_uaddr = $list
// size = $size
asmlinkage()
filedes = int_arg(1)
list_uaddr = pointer_arg(2)
size = ulong_arg(3)
argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
}
probe nd_syscall.flistxattr.return = kprobe.function("sys_flistxattr").return ?
{
name = "flistxattr"
retstr = returnstr(1)
}
# flock ______________________________________________________
# long sys_flock(unsigned int fd, unsigned int cmd)
probe nd_syscall.flock = kprobe.function("sys_flock") ?
{
name = "flock"
// fd = $fd
// operation = $cmd
asmlinkage()
fd = int_arg(1)
operation = int_arg(2)
argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
}
probe nd_syscall.flock.return = kprobe.function("sys_flock").return ?
{
name = "flock"
retstr = returnstr(1)
}
# fork _______________________________________________________
# long do_fork(unsigned long clone_flags,
# unsigned long stack_start,
# struct pt_regs *regs,
# unsigned long stack_size,
# int __user *parent_tidptr,
# int __user *child_tidptr)
probe nd_syscall.fork = kprobe.function("do_fork")
{
// clone_flags = $clone_flags
// stack_start = $stack_start
// regs = $regs
// stack_size = $stack_size
// parent_tid_uaddr = $parent_tidptr
// child_tid_uaddr = $child_tidptr
clone_flags = ulong_arg(1)
stack_start = ulong_arg(2)
regs = pointer_arg(3)
stack_size = ulong_arg(4)
parent_tid_uaddr = pointer_arg(5)
child_tid_uaddr = pointer_arg(6)
if (!__is_user_regs(regs)) {
name = "fork_kernel_thread"
argstr = __fork_flags(clone_flags)
} else if (clone_flags & 17)
name = "fork"
else if (clone_flags & 0x4000)
name = "vfork"
else {
name = "clone"
argstr = __fork_flags(clone_flags)
}
}
probe nd_syscall.fork.return = kprobe.function("do_fork").return
{
name = "fork"
retstr = returnstr(1)
}
# fremovexattr _______________________________________________
# long sys_fremovexattr(int fd, char __user *name)
probe nd_syscall.fremovexattr = kprobe.function("sys_fremovexattr") ?
{
name = "fremovexattr"
// filedes = $fd
// name2 = user_string($name)
// argstr = sprintf("%d, %s", $fd, user_string_quoted($name))
asmlinkage()
filedes = int_arg(1)
# 'name2' should have been 'name_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
name2 = user_string(pointer_arg(2))
%)
name_uaddr = pointer_arg(2)
name_str = user_string(pointer_arg(2))
argstr = sprintf("%d, %s", filedes, user_string_quoted(pointer_arg(2)))
}
probe nd_syscall.fremovexattr.return = kprobe.function("sys_fremovexattr").return ?
{
name = "fremovexattr"
retstr = returnstr(1)
}
# fsetxattr __________________________________________________
/*
* asmlinkage long
* sys_fsetxattr(int fd,
* char __user *name,
* void __user *value,
* size_t size,
* int flags)
*/
probe nd_syscall.fsetxattr = kprobe.function("sys_fsetxattr") ?
{
name = "fsetxattr"
// filedes = $fd
// name2 = user_string($name)
// value_uaddr = $value
// size = $size
// flags = $flags
// argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
asmlinkage()
filedes = int_arg(1)
# 'name2' should have been 'name_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
name2 = user_string(pointer_arg(2))
%)
name_uaddr = pointer_arg(2)
name_str = user_string(pointer_arg(2))
value_uaddr = pointer_arg(3)
size = ulong_arg(4)
flags = int_arg(5)
argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size, flags)
}
probe nd_syscall.fsetxattr.return = kprobe.function("sys_fsetxattr").return ?
{
name = "fsetxattr"
retstr = returnstr(1)
}
# fstat ______________________________________________________
# long sys_fstat(unsigned int fd, struct __old_kernel_stat __user * statbuf)
# long sys_fstat64(unsigned long fd, struct stat64 __user * statbuf)
# long sys32_fstat64(unsigned int fd, struct stat64 __user *statbuf)
# long sys_newfstat(unsigned int fd, struct stat __user * statbuf)
# long sys_oabi_fstat64(char __user * filename,
# struct oldabi_stat64 __user * statbuf)
# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
#
probe nd_syscall.fstat = kprobe.function("sys_fstat") ?,
kprobe.function("sys_fstat64") ?,
kprobe.function("sys32_fstat64") ?,
kprobe.function("sys_newfstat") ?,
kprobe.function("sys_oabi_fstat64") ?,
kprobe.function("compat_sys_newfstat") ?
{
name = "fstat"
// filedes = $fd
// buf_uaddr = $statbuf
// argstr = sprintf("%d, %p", $fd, $statbuf)
asmlinkage()
filedes = int_arg(1)
buf_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", filedes, buf_uaddr)
}
probe nd_syscall.fstat.return = kprobe.function("sys_fstat").return ?,
kprobe.function("sys_fstat64").return ?,
kprobe.function("sys32_fstat64").return ?,
kprobe.function("sys_newfstat").return ?,
kprobe.function("sys_oabi_fstat64").return ?,
kprobe.function("compat_sys_newfstat").return ?
{
name = "fstat"
retstr = returnstr(1)
}
# fstatat ____________________________________________________
# sys32_fstatat64(unsigned int dfd, char __user *filename, struct stat64_emu31 __user* statbuf, int flag)
# long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
# long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
# long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
probe nd_syscall.fstatat = kprobe.function("sys_fstatat64") ?,
kprobe.function("sys_newfstatat") ?,
kprobe.function("compat_sys_newfstatat") ?,
kprobe.function("sys32_fstatat64") ?
{
name = "fstatat"
// dirfd = $dfd
// path = user_string($filename)
// buf_uaddr = $statbuf
// argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
asmlinkage()
dirfd = int_arg(1)
path = user_string(pointer_arg(2))
buf_uaddr = pointer_arg(3)
argstr = sprintf("%s, %s, %p, %s", _dfd_str(dirfd), user_string_quoted(pointer_arg(2)), buf_uaddr, _at_flag_str(int_arg(4)))
}
probe nd_syscall.fstatat.return = kprobe.function("sys_fstatat64").return ?,
kprobe.function("sys_newfstatat").return ?,
kprobe.function("compat_sys_newfstatat").return ?,
kprobe.function("sys32_fstatat64").return ?
{
name = "fstatat"
retstr = returnstr(1)
}
# fstatfs ____________________________________________________
# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
#
probe nd_syscall.fstatfs = kprobe.function("compat_sys_fstatfs") ?,
kprobe.function("sys_fstatfs") ?
{
name = "fstatfs"
// fd = $fd
// buf_uaddr = $buf
// argstr = sprintf("%d, %p", $fd, $buf)
asmlinkage()
fd = int_arg(1)
buf_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", fd, buf_uaddr)
}
probe nd_syscall.fstatfs.return = kprobe.function("compat_sys_fstatfs").return ?,
kprobe.function("sys_fstatfs").return ?
{
name = "fstatfs"
retstr = returnstr(1)
}
# fstatfs64 __________________________________________________
# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
# long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
#
probe nd_syscall.fstatfs64 = kprobe.function("compat_sys_fstatfs64") ?,
kprobe.function("sys_fstatfs64") ?
{
name = "fstatfs"
// fd = $fd
// sz = $sz
// buf_uaddr = $buf
// argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
asmlinkage()
fd = int_arg(1)
sz = ulong_arg(2)
buf_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr)
}
probe nd_syscall.fstatfs64.return = kprobe.function("compat_sys_fstatfs64").return ?,
kprobe.function("sys_fstatfs64").return ?
{
name = "fstatfs"
retstr = returnstr(1)
}
# fsync ______________________________________________________
# long sys_fsync(unsigned int fd)
probe nd_syscall.fsync = kprobe.function("sys_fsync") ?
{
name = "fsync"
// fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
probe nd_syscall.fsync.return = kprobe.function("sys_fsync").return ?
{
name = "fsync"
retstr = returnstr(1)
}
# ftruncate __________________________________________________
# long sys_ftruncate(unsigned int fd, unsigned long length)
probe nd_syscall.ftruncate = kprobe.function("sys_ftruncate") ?
{
name = "ftruncate"
// fd = $fd
// length = $length
asmlinkage()
fd = int_arg(1)
length = ulong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
probe nd_syscall.ftruncate.return = kprobe.function("sys_ftruncate").return ?
{
name = "ftruncate"
retstr = returnstr(1)
}
# ftruncate64 ________________________________________________
# long sys_ftruncate64(unsigned int fd, loff_t length)
probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ?
{
name = "ftruncate"
// fd = $fd
// length = $length
asmlinkage()
fd = int_arg(1)
length = longlong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
probe nd_syscall.ftruncate64.return = kprobe.function("sys_ftruncate64").return ?
{
name = "ftruncate"
retstr = returnstr(1)
}
# futex ______________________________________________________
# long sys_futex(u32 __user *uaddr,
# int op,
# int val,
# struct timespec __user *utime,
# u32 __user *uaddr2,
# int val3)
# long compat_sys_futex(u32 __user *uaddr, int op, u32 val,
# struct compat_timespec __user *utime, u32 __user *uaddr2,
# u32 val3)
#
probe nd_syscall.futex = kprobe.function("sys_futex") ?
{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
// val = $val
// utime_uaddr = $utime
// uaddr2_uaddr = $uaddr2
// val3 = $val3
// if (op == 0)
// argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
// $val, _struct_timespec_u($utime, 1))
// else
// argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
// $val)
asmlinkage()
futex_uaddr = pointer_arg(1)
op = int_arg(2)
val = u32_arg(3)
utime_uaddr = pointer_arg(4)
uaddr2_uaddr = pointer_arg(5)
val3 = u32_arg(6)
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
_struct_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
_futex_op_str(op), val)
}
probe nd_syscall.futex.return = kprobe.function("sys_futex").return ?
{
name = "futex"
retstr = returnstr(1)
}
probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ?
{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
// val = $val
// utime_uaddr = $utime
// uaddr2_uaddr = $uaddr2
// val3 = $val3
// if (op == 0)
// argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
// $val, _struct_compat_timespec_u($utime, 1))
// else
// argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
// $val)
asmlinkage()
futex_uaddr = pointer_arg(1)
op = int_arg(2)
val = u32_arg(3)
utime_uaddr = pointer_arg(4)
uaddr2_uaddr = pointer_arg(5)
val3 = u32_arg(6)
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
_struct_compat_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
_futex_op_str(op), val)
}
probe nd_syscall.compat_futex.return = kprobe.function("compat_sys_futex").return ?
{
name = "futex"
retstr = returnstr(1)
}
# futimesat _____________________________________________________
#
# long sys_futimesat(int dfd, char __user *filename, struct timeval __user *utimes)
# long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t)
#
probe nd_syscall.futimesat = kprobe.function("sys_futimesat") ?
{
name = "futimesat"
// dirfd = $dfd
// filename_uaddr = $filename
// filename = user_string($filename)
// tvp_uaddr = $utimes
// argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
// _struct_timeval_u($utimes, 2))
asmlinkage()
dirfd = int_arg(1)
filename_uaddr = pointer_arg(2)
filename = user_string(filename_uaddr)
tvp_uaddr = pointer_arg(3)
argstr = sprintf("%s, %s, %s", _dfd_str(dirfd), user_string_quoted(filename_uaddr),
_struct_timeval_u(tvp_uaddr, 2))
}
probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ?
{
name = "futimesat"
// dirfd = $dfd
// filename_uaddr = $filename
// filename = user_string($filename)
// tvp_uaddr = $utimes
// argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
// _struct_timeval_u($utimes, 2))
asmlinkage()
dirfd = uint_arg(1)
filename_uaddr = pointer_arg(2)
filename = user_string(pointer_arg(2))
tvp_uaddr = pointer_arg(3)
argstr = sprintf("%s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
_struct_compat_timeval_u(pointer_arg(3), 2))
}
probe nd_syscall.futimesat.return = kprobe.function("sys_futimesat").return ?
{
name = "futimesat"
retstr = returnstr(1)
}
probe nd_syscall.compat_futimesat.return = kprobe.function("compat_sys_futimesat").return ?
{
name = "futimesat"
retstr = returnstr(1)
}
# getcwd _____________________________________________________
# long sys_getcwd(char __user *buf, unsigned long size)
probe nd_syscall.getcwd = kprobe.function("sys_getcwd") ?
{
name = "getcwd"
// buf_uaddr = $buf
// size = $size
asmlinkage()
buf_uaddr = pointer_arg(1)
size = ulong_arg(2)
argstr = sprintf("%p, %d", buf_uaddr, size)
}
probe nd_syscall.getcwd.return = kprobe.function("sys_getcwd").return ?
{
name = "getcwd"
retstr = returnstr(1)
}
# getdents ___________________________________________________
# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
#
probe nd_syscall.getdents = kprobe.function("sys_getdents") ?,
kprobe.function("sys_getdents64") ?,
kprobe.function("compat_sys_getdents") ?,
kprobe.function("compat_sys_getdents64") ?
{
name = "getdents"
// fd = $fd
// dirp_uaddr = $dirent
// count = $count
// argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
asmlinkage()
fd = int_arg(1)
dirp_uaddr = pointer_arg(2)
count = uint_arg(3)
argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
}
probe nd_syscall.getdents.return = kprobe.function("sys_getdents").return ?,
kprobe.function("sys_getdents64").return ?,
kprobe.function("compat_sys_getdents").return ?,
kprobe.function("compat_sys_getdents64").return ?
{
name = "getdents"
retstr = returnstr(1)
}
# getegid ____________________________________________________
# long sys_getegid(void)
# long sys_getegid16(void)
# long sys32_getegid16(void)
#
probe nd_syscall.getegid = kprobe.function("sys_getegid16") ?,
kprobe.function("sys32_getegid16") ?,
kprobe.function("sys_getegid")
{
name = "getegid"
argstr = ""
}
probe nd_syscall.getegid.return = kprobe.function("sys_getegid16").return ?,
kprobe.function("sys32_getegid16").return ?,
kprobe.function("sys_getegid").return
{
name = "getegid"
retstr = returnstr(1)
}
# geteuid ____________________________________________________
# long sys_geteuid(void)
# long sys32_geteuid16(void)
#
probe nd_syscall.geteuid = kprobe.function("sys_geteuid16") ?,
kprobe.function("sys32_geteuid16") ?,
kprobe.function("sys_geteuid")
{
name = "geteuid"
argstr = ""
}
probe nd_syscall.geteuid.return = kprobe.function("sys_geteuid16").return ?,
kprobe.function("sys32_geteuid16").return ?,
kprobe.function("sys_geteuid").return
{
name = "geteuid"
retstr = returnstr(1)
}
# getgid _____________________________________________________
# long sys_getgid(void)
# long sys32_getgid16(void)
#
probe nd_syscall.getgid = kprobe.function("sys_getgid16") ?,
kprobe.function("sys32_getgid16") ?,
kprobe.function("sys_getgid")
{
name = "getgid"
argstr = ""
}
probe nd_syscall.getgid.return = kprobe.function("sys_getgid16").return ?,
kprobe.function("sys32_getgid16").return ?,
kprobe.function("sys_getgid").return
{
name = "getgid"
retstr = returnstr(1)
}
# getgroups __________________________________________________
# long sys_getgroups(int gidsetsize, gid_t __user *grouplist)
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
#
probe nd_syscall.getgroups = kprobe.function("sys_getgroups16") ?,
kprobe.function("sys32_getgroups16") ?,
kprobe.function("sys_getgroups") ?
{
name = "getgroups"
// size = $gidsetsize
// list_uaddr = $grouplist
// argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
asmlinkage()
size = int_arg(1)
list_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", size, list_uaddr)
}
probe nd_syscall.getgroups.return = kprobe.function("sys_getgroups16").return ?,
kprobe.function("sys32_getgroups16").return ?,
kprobe.function("sys_getgroups").return ?
{
name = "getgroups"
retstr = returnstr(1)
}
# gethostname ________________________________________________
# long sys_gethostname(char __user *name, int len)
probe nd_syscall.gethostname = kprobe.function("sys_gethostname") ?
{
name = "gethostname"
// name_uaddr = $name
// len = $len
asmlinkage()
name_uaddr = pointer_arg(1)
len = int_arg(2)
argstr = sprintf ("%p, %d", name_uaddr, len)
}
probe nd_syscall.gethostname.return = kprobe.function("sys_gethostname").return ?
{
name = "gethostname"
retstr = returnstr(1)
}
# getitimer __________________________________________________
# sys_getitimer(int which, struct itimerval __user *value)
#
probe nd_syscall.getitimer = kprobe.function("sys_getitimer") ?
{
name = "getitimer"
// which = $which
// value_uaddr = $value
// argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr)
}
probe nd_syscall.getitimer.return = kprobe.function("sys_getitimer").return ?
{
name = "getitimer"
retstr = returnstr(1)
}
# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ?
{
name = "getitimer"
// which = $which
// value_uaddr = $it
// argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr)
}
probe nd_syscall.compat_getitimer.return = kprobe.function("compat_sys_getitimer").return ?
{
name = "getitimer"
retstr = returnstr(1)
}
# get_mempolicy ______________________________________________
# long sys_get_mempolicy(int __user *policy,
# unsigned long __user *nmask,
# unsigned long maxnode,
# unsigned long addr,
# unsigned long flags)
# long compat_sys_get_mempolicy(int __user *policy,
# compat_ulong_t __user *nmask,
# compat_ulong_t maxnode,
# compat_ulong_t addr, compat_ulong_t flags)
#
probe nd_syscall.get_mempolicy = kprobe.function("compat_sys_get_mempolicy") ?,
kprobe.function("sys_get_mempolicy") ?
{
name = "get_mempolicy"
// policy_uaddr = $policy
// nmask_uaddr = $nmask
// maxnode = $maxnode
// addr = $addr
// flags = $flags
// argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
// $nmask, $maxnode, $addr, $flags)
asmlinkage()
policy_uaddr = pointer_arg(1)
nmask_uaddr = pointer_arg(2)
maxnode = ulong_arg(3)
addr = ulong_arg(4)
flags = ulong_arg(5)
argstr = sprintf("%p, %p, %d, %p, 0x%x", policy_uaddr,
nmask_uaddr, maxnode, addr, flags)
}
probe nd_syscall.get_mempolicy.return = kprobe.function("compat_sys_get_mempolicy").return ?,
kprobe.function("sys_get_mempolicy").return ?
{
name = "get_mempolicy"
retstr = returnstr(1)
}
# getpeername ________________________________________________
# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
#
probe nd_syscall.getpeername = kprobe.function("sys_getpeername") ?
{
name = "getpeername"
// s = $fd
// name_uaddr = $usockaddr
// namelen_uaddr = $usockaddr_len
// argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
asmlinkage()
s = int_arg(1)
name_uaddr = pointer_arg(2)
namelen_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
probe nd_syscall.getpeername.return = kprobe.function("sys_getpeername").return ?
{
name = "getpeername"
retstr = returnstr(1)
}
# getpgid ____________________________________________________
# long sys_getpgid(pid_t pid)
probe nd_syscall.getpgid = kprobe.function("sys_getpgid") ?
{
name = "getpgid"
// pid = $pid
// argstr = sprintf("%d", $pid)
asmlinkage()
pid = int_arg(1)
argstr = sprintf("%d", pid)
}
probe nd_syscall.getpgid.return = kprobe.function("sys_getpgid").return ?
{
name = "getpgid"
retstr = returnstr(1)
}
# getpgrp ____________________________________________________
# long sys_getpgrp(void)
probe nd_syscall.getpgrp = kprobe.function("sys_getpgrp") ?
{
name = "getpgrp"
argstr = ""
}
probe nd_syscall.getpgrp.return = kprobe.function("sys_getpgrp").return ?
{
name = "getpgrp"
retstr = returnstr(1)
}
# getpid _____________________________________________________
# long sys_getpid(void)
probe nd_syscall.getpid = kprobe.function("sys_getpid")
{
name = "getpid"
argstr = ""
}
probe nd_syscall.getpid.return = kprobe.function("sys_getpid").return
{
name = "getpid"
retstr = returnstr(1)
}
# getppid ____________________________________________________
# long sys_getppid(void)
probe nd_syscall.getppid = kprobe.function("sys_getppid")
{
name = "getppid"
argstr = ""
}
probe nd_syscall.getppid.return = kprobe.function("sys_getppid").return
{
name = "getppid"
retstr = returnstr(1)
}
# getpriority ________________________________________________
# long sys_getpriority(int which, int who)
probe nd_syscall.getpriority = kprobe.function("sys_getpriority") ?
{
name = "getpriority"
// which = $which
// who = $who
asmlinkage()
which = int_arg(1)
who = int_arg(2)
argstr = sprintf("%s, %d", _priority_which_str(which), who)
}
probe nd_syscall.getpriority.return = kprobe.function("sys_getpriority").return ?
{
name = "getpriority"
retstr = returnstr(1)
}
# getresgid __________________________________________________
# long sys_getresgid(gid_t __user *rgid,
# gid_t __user *egid,
# gid_t __user *sgid)
# long sys_getresgid16(old_uid_t __user *rgid,
# old_uid_t __user *egid,
# old_uid_t __user *sgid)
probe nd_syscall.getresgid = kprobe.function("sys_getresgid16") ?,
kprobe.function("sys_getresgid") ?
{
name = "getresgid"
// rgid_uaddr = $rgid
// egid_uaddr = $egid
// sgid_uaddr = $sgid
// argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
asmlinkage()
rgid_uaddr = pointer_arg(1)
egid_uaddr = pointer_arg(2)
sgid_uaddr = pointer_arg(3)
argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
}
probe nd_syscall.getresgid.return = kprobe.function("sys_getresgid16").return ?,
kprobe.function("sys_getresgid").return ?
{
name = "getresgid"
retstr = returnstr(1)
}
# getresuid __________________________________________________
# long sys_getresuid(uid_t __user *ruid,
# uid_t __user *euid,
# uid_t __user *suid)
probe nd_syscall.getresuid = kprobe.function("sys_getresuid16") ?,
kprobe.function("sys_getresuid") ?
{
name = "getresuid"
// ruid_uaddr = $ruid
// euid_uaddr = $euid
// suid_uaddr = $suid
// argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
asmlinkage()
ruid_uaddr = pointer_arg(1)
euid_uaddr = pointer_arg(2)
suid_uaddr = pointer_arg(3)
argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
}
probe nd_syscall.getresuid.return = kprobe.function("sys_getresuid16").return ?,
kprobe.function("sys_getresuid").return ?
{
name = "getresuid"
retstr = returnstr(1)
}
# getrlimit __________________________________________________
# long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
probe nd_syscall.getrlimit = kprobe.function("sys_getrlimit") ?,
kprobe.function("sys_old_getrlimit") ?,
kprobe.function("compat_sys_getrlimit") ?
{
name = "getrlimit"
// resource = $resource
// rlim_uaddr = $rlim
// argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
asmlinkage()
resource = uint_arg(1)
rlim_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", _rlimit_resource_str(resource), rlim_uaddr)
}
probe nd_syscall.getrlimit.return = kprobe.function("sys_getrlimit").return ?,
kprobe.function("sys_old_getrlimit").return ?,
kprobe.function("compat_sys_getrlimit").return ?
{
name = "getrlimit"
retstr = returnstr(1)
}
# getrusage __________________________________________________
# long sys_getrusage(int who, struct rusage __user *ru)
probe nd_syscall.getrusage = kprobe.function("sys_getrusage") ?
{
name = "getrusage"
// who = $who
// if ($who == -2) {
// # RUSAGE_BOTH is not valid argument for sys_getrusage
// who_str = sprintf("UNKNOWN VALUE: %d", $who)
// } else
// who_str = _rusage_who_str($who)
// usage_uaddr = $ru
asmlinkage()
who = int_arg(1)
if (who == -2) {
# RUSAGE_BOTH is not valid argument for sys_getrusage
who_str = sprintf("UNKNOWN VALUE: %d", who)
} else
who_str = _rusage_who_str(who)
usage_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", who_str, usage_uaddr)
}
probe nd_syscall.getrusage.return = kprobe.function("sys_getrusage").return ?
{
name = "getrusage"
retstr = returnstr(1)
}
# getsid _____________________________________________________
# long sys_getsid(pid_t pid)
probe nd_syscall.getsid = kprobe.function("sys_getsid") ?
{
name = "getsid"
// pid = $pid
asmlinkage()
pid = int_arg(1)
argstr = sprint(pid)
}
probe nd_syscall.getsid.return = kprobe.function("sys_getsid").return ?
{
name = "getsid"
retstr = returnstr(1)
}
# getsockname ________________________________________________
# long sys_getsockname(int fd,
# struct sockaddr __user *usockaddr,
# int __user *usockaddr_len)
probe nd_syscall.getsockname = kprobe.function("sys_getsockname") ?
{
name = "getsockname"
// s = $fd
// name_uaddr = $usockaddr
// namelen_uaddr = $usockaddr_len
// argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
asmlinkage()
s = int_arg(1)
name_uaddr = pointer_arg(2)
namelen_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
probe nd_syscall.getsockname.return = kprobe.function("sys_getsockname").return ?
{
name = "getsockname"
retstr = returnstr(1)
}
# getsockopt _________________________________________________
# long sys_getsockopt(int fd,
# int level,
# int optname,
# char __user *optval,
# int __user *optlen)
#
probe nd_syscall.getsockopt = kprobe.function("compat_sys_getsockopt") ?,
kprobe.function("sys_getsockopt") ?
{
name = "getsockopt"
// fd = $fd
// level = $level
// level_str = _sockopt_level_str($level)
// optname = $optname
// optname_str = _sockopt_optname_str($optname)
// optval_uaddr = $optval
// optlen_uaddr = $optlen
// argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
// _sockopt_optname_str($optname), $optval, $optlen)
asmlinkage()
fd = int_arg(1)
level = int_arg(2)
level_str = _sockopt_level_str(level)
optname = int_arg(3)
optname_str = _sockopt_optname_str(optname)
optval_uaddr = pointer_arg(4)
optlen_uaddr = pointer_arg(5)
argstr = sprintf("%d, %s, %s, %p, %p", fd, _sockopt_level_str(level),
_sockopt_optname_str(optname), optval_uaddr, optlen_uaddr)
}
probe nd_syscall.getsockopt.return = kprobe.function("compat_sys_getsockopt").return ?,
kprobe.function("sys_getsockopt").return ?
{
name = "getsockopt"
retstr = returnstr(1)
}
# gettid _____________________________________________________
# long sys_gettid(void)
probe nd_syscall.gettid = kprobe.function("sys_gettid")
{
name = "gettid"
argstr = ""
}
probe nd_syscall.gettid.return = kprobe.function("sys_gettid").return
{
name = "gettid"
retstr = returnstr(1)
}
# gettimeofday _______________________________________________
# long sys_gettimeofday(struct timeval __user *tv,
# struct timezone __user *tz)
# long sys32_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
# long compat_sys_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
probe nd_syscall.gettimeofday = kprobe.function("compat_sys_gettimeofday") ?,
kprobe.function("sys32_gettimeofday") ?,
kprobe.function("sys_gettimeofday") ?
{
name = "gettimeofday"
// tv_uaddr = $tv
// tz_uaddr = $tz
// argstr = sprintf("%p, %p", $tv, $tz)
asmlinkage()
tv_uaddr = pointer_arg(1)
tz_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr)
}
probe nd_syscall.gettimeofday.return = kprobe.function("compat_sys_gettimeofday").return ?,
kprobe.function("sys32_gettimeofday").return ?,
kprobe.function("sys_gettimeofday").return ?
{
name = "gettimeofday"
retstr = returnstr(1)
}
# getuid _____________________________________________________
# long sys_getuid(void
# long sys_getuid16(void)
# long sys32_getuid16(void)
#
probe nd_syscall.getuid = kprobe.function("sys_getuid16") ?,
kprobe.function("sys32_getuid16") ?,
kprobe.function("sys_getuid")
{
name = "getuid"
argstr = ""
}
probe nd_syscall.getuid.return = kprobe.function("sys_getuid16").return ?,
kprobe.function("sys32_getuid16").return ?,
kprobe.function("sys_getuid").return
{
name = "getuid"
retstr = returnstr(1)
}
# getxattr ___________________________________________________
# ssize_t sys_getxattr(char __user *path, char __user *name,
# void __user *value, size_t size)
probe nd_syscall.getxattr = kprobe.function("sys_getxattr") ?
{
name = "getxattr"
// path = user_string(@defined($pathname) ? $pathname : $path)
// name2 = user_string($name)
// value_uaddr = $value
// size = $size
// argstr = sprintf("%s, %s, %p, %d",
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// user_string_quoted($name),
// value_uaddr, size)
asmlinkage()
path = user_string(pointer_arg(1))
# 'name2' should have been 'name_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
name2 = user_string(pointer_arg(2))
%)
name_str = user_string(pointer_arg(2))
value_uaddr = pointer_arg(3)
size = ulong_arg(4)
argstr = sprintf("%s, %s, %p, %d",
user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
probe nd_syscall.getxattr.return = kprobe.function("sys_getxattr").return ?
{
name = "getxattr"
retstr = returnstr(1)
}
# init_module ________________________________________________
# long sys_init_module(void __user *umod,
# unsigned long len,
# const char __user *uargs)
#
probe nd_syscall.init_module = kprobe.function("sys_init_module") ?
{
name = "init_module"
// umod_uaddr = $umod
// len = $len
// uargs = user_string($uargs)
// argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
asmlinkage()
umod_uaddr = pointer_arg(1)
len = ulong_arg(2)
uargs = user_string(pointer_arg(3))
argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(4)))
}
probe nd_syscall.init_module.return = kprobe.function("sys_init_module").return ?
{
name = "init_module"
retstr = returnstr(1)
}
# inotify_add_watch __________________________________________
#
# long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
#
probe nd_syscall.inotify_add_watch = kprobe.function("sys_inotify_add_watch") ?
{
name = "inotify_add_watch"
// fd = $fd
// mask = $mask
// path_uaddr = (@defined($pathname) ? $pathname : $path)
// path = user_string(@defined($pathname) ? $pathname : $path)
// argstr = sprintf("%d, %s, %d", $fd,
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// $mask)
asmlinkage()
fd = int_arg(1)
path_uaddr = pointer_arg(2)
path = user_string(path_uaddr)
mask = uint_arg(3)
argstr = sprintf("%d, %s, %d", fd, user_string_quoted(path_uaddr), mask)
}
probe nd_syscall.inotify_add_watch.return = kprobe.function("sys_inotify_add_watch").return ?
{
name = "inotify_add_watch"
retstr = returnstr(1)
}
# inotify_init _______________________________________________
#
# long sys_inotify_init(void)
#
# FIXME: doesn't handle sys_inotify_init1()
probe nd_syscall.inotify_init = kprobe.function("sys_inotify_init") ?
{
name = "inotify_init"
flags = 0
argstr = ""
}
probe nd_syscall.inotify_init.return = kprobe.function("sys_inotify_init").return ?
{
name = "inotify_init"
retstr = returnstr(1)
}
# inotify_rm_watch ___________________________________________
#
# long sys_inotify_rm_watch(int fd, u32 wd)
#
probe nd_syscall.inotify_rm_watch = kprobe.function("sys_inotify_rm_watch") ?
{
name = "inotify_rm_watch"
// fd = $fd
// wd = $wd
// argstr = sprintf("%d, %d", $fd, $wd)
asmlinkage()
fd = int_arg(1)
wd = uint_arg(2)
argstr = sprintf("%d, %d", fd, wd)
}
probe nd_syscall.inotify_rm_watch.return = kprobe.function("sys_inotify_rm_watch").return ?
{
name = "inotify_rm_watch"
retstr = returnstr(1)
}
# io_cancel __________________________________________________
# long sys_io_cancel(aio_context_t ctx_id,
# struct iocb __user *iocb,
# struct io_event __user *result)
probe nd_syscall.io_cancel = kprobe.function("sys_io_cancel") ?
{
name = "io_cancel"
// ctx_id = $ctx_id
// iocb_uaddr = $iocb
// result_uaddr = $result
asmlinkage()
ctx_id = ulong_arg(1)
iocb_uaddr = pointer_arg(2)
result_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
}
probe nd_syscall.io_cancel.return = kprobe.function("sys_io_cancel").return ?
{
name = "io_cancel"
retstr = returnstr(1)
}
# ioctl ______________________________________________________
# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
probe nd_syscall.ioctl = kprobe.function("compat_sys_ioctl") ?,
kprobe.function("sys_ioctl") ?
{
name = "ioctl"
// fd = $fd
// request = $cmd
// argp = $arg
// argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
asmlinkage()
fd = int_arg(1)
request = int_arg(2)
argp = ulong_arg(3)
argstr = sprintf("%d, %d, %p", fd, request, argp)
}
probe nd_syscall.ioctl.return = kprobe.function("compat_sys_ioctl").return ?,
kprobe.function("sys_ioctl").return ?
{
name = "ioctl"
retstr = returnstr(1)
}
# io_destroy _________________________________________________
# long sys_io_destroy(aio_context_t ctx)
probe nd_syscall.io_destroy = kprobe.function("sys_io_destroy") ?
{
name = "io_destroy"
// ctx = $ctx
asmlinkage()
ctx = ulong_arg(1)
argstr = sprintf("%d", ctx)
}
probe nd_syscall.io_destroy.return = kprobe.function("sys_io_destroy").return ?
{
name = "io_destroy"
retstr = returnstr(1)
}
# io_getevents _______________________________________________
# long sys_io_getevents(aio_context_t ctx_id,
# long min_nr,
# long nr,
# struct io_event __user *events,
# struct timespec __user *timeout)
# long compat_sys_io_getevents(aio_context_t ctx_id,
# unsigned long min_nr,
# unsigned long nr,
# struct io_event __user *events,
# struct compat_timespec __user *timeout)
#
probe nd_syscall.io_getevents = kprobe.function("compat_sys_io_getevents") ?,
kprobe.function("sys_io_getevents") ?
{
name = "io_getevents"
// ctx_id = $ctx_id
// min_nr = $min_nr
// nr = $nr
// events_uaddr = $events
// timeout_uaddr = $timeout
// timestr = _struct_timespec_u($timeout, 1)
// argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
// $nr, $events, $timeout, timestr)
asmlinkage()
ctx_id = ulong_arg(1)
min_nr = long_arg(2)
nr = long_arg(3)
events_uaddr = pointer_arg(4)
timeout_uaddr = pointer_arg(5)
timestr = _struct_timespec_u(timeout_uaddr, 1)
argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr,
nr, events_uaddr, timeout_uaddr, timestr)
}
probe nd_syscall.io_getevents.return = kprobe.function("compat_sys_io_getevents").return ?,
kprobe.function("sys_io_getevents").return ?
{
name = "io_getevents"
retstr = returnstr(1)
}
# ioperm _____________________________________________________
# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
#
probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ?
{
name = "ioperm"
// from = $from
// num = $num
// turn_on = $turn_on
// argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
asmlinkage()
from = ulong_arg(1)
num = ulong_arg(2)
turn_on = int_arg(3)
argstr = sprintf("%d, %d, %d", from, num, turn_on)
}
probe nd_syscall.ioperm.return = kprobe.function("sys_ioperm").return ?
{
name = "ioperm"
retstr = returnstr(1)
}
# io_setup ___________________________________________________
# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
#
probe nd_syscall.io_setup = kprobe.function("sys_io_setup") ?
{
name = "io_setup"
// maxevents = $nr_events
// ctxp_uaddr = $ctxp
// argstr = sprintf("%d, %p", $nr_events, $ctxp)
asmlinkage()
maxevents = uint_arg(1)
ctxp_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
probe nd_syscall.io_setup.return = kprobe.function("sys_io_setup").return ?
{
name = "io_setup"
retstr = returnstr(1)
}
# long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
#
probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ?
{
name = "io_setup"
// maxevents = $nr_reqs
// ctxp_uaddr = $ctx32p
// argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
asmlinkage()
maxevents = uint_arg(1)
ctxp_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
probe nd_syscall.compat_io_setup.return = kprobe.function("compat_sys_io_setup").return ?
{
name = "io_setup"
retstr = returnstr(1)
}
# io_submit __________________________________________________
# long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
#
probe nd_syscall.io_submit = kprobe.function("sys_io_submit") ?
{
name = "io_submit"
// ctx_id = $ctx_id
// nr = $nr
// iocbpp_uaddr = $iocbpp
// argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
asmlinkage()
ctx_id = ulong_arg(1)
nr = long_arg(2)
iocbpp_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
probe nd_syscall.io_submit.return = kprobe.function("sys_io_submit").return ?
{
name = "io_submit"
retstr = returnstr(1)
}
# long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
#
probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ?
{
name = "io_submit"
// ctx_id = $ctx_id
// nr = $nr
// iocbpp_uaddr = $iocb
// argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
asmlinkage()
ctx_id = ulong_arg(1)
nr = int_arg(2)
iocbpp_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
probe nd_syscall.compat_io_submit.return = kprobe.function("compat_sys_io_submit").return ?
{
name = "io_submit"
retstr = returnstr(1)
}
# ioprio_get _________________________________________________
# long sys_ioprio_get(int which, int who)
#
probe nd_syscall.ioprio_get = kprobe.function("sys_ioprio_get") ?
{
name = "ioprio_get"
// which = $which
// who = $who
// argstr = sprintf("%d, %d", $which, $who)
asmlinkage()
which = int_arg(1)
who = int_arg(2)
argstr = sprintf("%d, %d", which, who)
}
probe nd_syscall.ioprio_get.return = kprobe.function("sys_ioprio_get").return ?
{
name = "ioprio_get"
retstr = returnstr(1)
}
# ioprio_set _________________________________________________
# long sys_ioprio_set(int which, int who, int ioprio)
#
probe nd_syscall.ioprio_set = kprobe.function("sys_ioprio_set") ?
{
name = "ioprio_set"
// which = $which
// who = $who
// ioprio = $ioprio
// argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
asmlinkage()
which = int_arg(1)
who = int_arg(2)
ioprio = int_arg(3)
argstr = sprintf("%d, %d, %d", which, who, ioprio)
}
probe nd_syscall.ioprio_set.return = kprobe.function("sys_ioprio_set").return ?
{
name = "ioprio_set"
retstr = returnstr(1)
}
# kexec_load _________________________________________________
# long sys_kexec_load(unsigned long entry,
# unsigned long nr_segments,
# struct kexec_segment __user *segments,
# unsigned long flags)
# long compat_sys_kexec_load(unsigned long entry,
# unsigned long nr_segments,
# struct compat_kexec_segment __user *segments,
# unsigned long flags)
#
probe nd_syscall.kexec_load = kprobe.function("compat_sys_kexec_load") ?,
kprobe.function("sys_kexec_load") ?
{
name = "kexec_load"
// entry = $entry
// nr_segments = $nr_segments
// segments_uaddr = $segments
// flags = $flags
// argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
asmlinkage()
entry = ulong_arg(1)
nr_segments = ulong_arg(2)
segments_uaddr = pointer_arg(3)
flags = ulong_arg(4)
argstr = sprintf("%p, %d, %p, %d", entry, nr_segments, segments_uaddr, flags)
}
probe nd_syscall.kexec_load.return = kprobe.function("compat_sys_kexec_load").return ?,
kprobe.function("sys_kexec_load").return ?
{
name = "kexec_load"
retstr = returnstr(1)
}
# keyctl _____________________________________________________
# long sys_keyctl(int option,
# unsigned long arg2,
# unsigned long arg3,
# unsigned long arg4,
# unsigned long arg5)
# long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
#
probe nd_syscall.keyctl = kprobe.function("compat_sys_keyctl") ?,
kprobe.function("sys_keyctl") ?
{
name = "keyctl"
// argstr = sprintf("%d, ...", $option)
asmlinkage()
argstr = sprintf("%d, ...", uint_arg(1))
}
probe nd_syscall.keyctl.return = kprobe.function("compat_sys_keyctl").return ?,
kprobe.function("sys_keyctl").return ?
{
name = "keyctl"
retstr = returnstr(1)
}
# kill _______________________________________________________
# long sys_kill(int pid, int sig)
probe nd_syscall.kill = kprobe.function("sys_kill") ?
{
name = "kill"
// pid = $pid
// sig = $sig
// argstr = sprintf("%d, %s", $pid, _signal_name($sig))
asmlinkage()
pid = int_arg(1)
sig = int_arg(2)
argstr = sprintf("%d, %s", pid, _signal_name(sig))
}
probe nd_syscall.kill.return = kprobe.function("sys_kill").return ?
{
name = "kill"
retstr = returnstr(1)
}
# lchown _____________________________________________________
# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
#
probe nd_syscall.lchown = kprobe.function("sys_lchown") ?
{
name = "lchown"
// path = user_string($filename)
// owner = __int32($user)
// group = __int32($group)
// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __int32(uint_arg(2))
group = __int32(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
probe nd_syscall.lchown.return = kprobe.function("sys_lchown").return ?
{
name = "lchown"
retstr = returnstr(1)
}
# lchown16 ___________________________________________________
# long sys_lchown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ?
{
name = "lchown16"
// path = user_string($filename)
// owner = __short($user)
// group = __short($group)
// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __short(uint_arg(2))
group = __short(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
probe nd_syscall.lchown16.return = kprobe.function("sys_lchown16").return ?
{
name = "lchown16"
retstr = returnstr(1)
}
# lgetxattr __________________________________________________
# ssize_t sys_lgetxattr(char __user *path,
# char __user *name,
# void __user *value,
# size_t size)
#
probe nd_syscall.lgetxattr = kprobe.function("sys_lgetxattr") ?
{
name = "lgetxattr"
// path = user_string(@defined($pathname) ? $pathname : $path)
// # FIXME
// name2 = user_string($name)
// value_uaddr = $value
// size = $size
// argstr = sprintf("%s, %s, %p, %d",
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// user_string_quoted($name),
// value_uaddr, size)
asmlinkage()
path = user_string(pointer_arg(1))
# 'name2' should have been 'name_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
name2 = user_string(pointer_arg(2))
%)
name_str = user_string(pointer_arg(2))
value_uaddr = pointer_arg(3)
size = ulong_arg(4)
argstr = sprintf("%s, %s, %p, %d",
user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
probe nd_syscall.lgetxattr.return = kprobe.function("sys_lgetxattr").return ?
{
name = "lgetxattr"
retstr = returnstr(1)
}
# link _______________________________________________________
# long sys_link(const char __user * oldname,
# const char __user * newname)
probe nd_syscall.link = kprobe.function("sys_link") ?
{
name = "link"
// oldpath = user_string($oldname)
// newpath = user_string($newname)
// argstr = sprintf("%s, %s",
// user_string_quoted($oldname),
// user_string_quoted($newname))
asmlinkage()
oldpath = user_string(pointer_arg(1))
newpath = user_string(pointer_arg(2))
argstr = sprintf("%s, %s",
user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)))
}
probe nd_syscall.link.return = kprobe.function("sys_link").return ?
{
name = "link"
retstr = returnstr(1)
}
# linkat _____________________________________________________
# new function with 2.6.16
# long sys_linkat(int olddfd, const char __user *oldname,
# int newdfd, const char __user *newname, int flags)
probe nd_syscall.linkat = kprobe.function("sys_linkat") ?
{
name = "linkat"
// olddirfd = $olddfd
// olddirfd_str = _dfd_str($olddfd)
// oldpath = user_string($oldname)
// newdirfd = $newdfd
// newdirfd_str = _dfd_str($newdfd)
// newpath = user_string($newname)
// flags = $flags
// flags_str = _at_flag_str($flags)
// argstr = sprintf("%s, %s, %s, %s, %s",
// olddirfd_str, user_string_quoted($oldname),
// newdirfd_str, user_string_quoted($newname),
// flags_str)
asmlinkage()
olddirfd = int_arg(1)
olddirfd_str = _dfd_str(olddirfd)
oldpath = user_string(pointer_arg(2))
newdirfd = int_arg(3)
newdirfd_str = _dfd_str(newdirfd)
newpath = user_string(pointer_arg(4))
flags = int_arg(5)
flags_str = _at_flag_str(flags)
argstr = sprintf("%s, %s, %s, %s, %s",
olddirfd_str, user_string_quoted(pointer_arg(2)),
newdirfd_str, user_string_quoted(pointer_arg(4)),
flags_str)
}
probe nd_syscall.linkat.return = kprobe.function("sys_linkat").return ?
{
name = "linkat"
retstr = returnstr(1)
}
# listen _____________________________________________________
# long sys_listen(int fd, int backlog)
probe nd_syscall.listen = kprobe.function("sys_listen") ?
{
name = "listen"
// sockfd = $fd
// backlog = $backlog
// argstr = sprintf("%d, %d", $fd, $backlog)
asmlinkage()
sockfd = int_arg(1)
backlog = int_arg(2)
argstr = sprintf("%d, %d", sockfd, backlog)
}
probe nd_syscall.listen.return = kprobe.function("sys_listen").return ?
{
name = "listen"
retstr = returnstr(1)
}
# listxattr __________________________________________________
# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
#
probe nd_syscall.listxattr = kprobe.function("sys_listxattr") ?
{
name = "listxattr"
// list_uaddr = $list
// size = $size
// path_uaddr = (@defined($pathname) ? $pathname : $path)
// path = user_string(@defined($pathname) ? $pathname : $path)
// argstr = sprintf("%s, %p, %d",
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// $list, $size)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string(path_uaddr)
list_uaddr = pointer_arg(2)
size = ulong_arg(3)
argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
}
probe nd_syscall.listxattr.return = kprobe.function("sys_listxattr").return ?
{
name = "listxattr"
retstr = returnstr(1)
}
# llistxattr _________________________________________________
# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
#
probe nd_syscall.llistxattr = kprobe.function("sys_llistxattr") ?
{
name = "llistxattr"
// list_uaddr = $list
// size = $size
// path_uaddr = (@defined($pathname) ? $pathname : $path)
// path = user_string(@defined($pathname) ? $pathname : $path)
// argstr = sprintf("%s, %p, %d",
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// $list, $size)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string(path_uaddr)
list_uaddr = pointer_arg(2)
size = ulong_arg(3)
argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
}
probe nd_syscall.llistxattr.return = kprobe.function("sys_llistxattr").return ?
{
name = "llistxattr"
retstr = returnstr(1)
}
# llseek _____________________________________________________
# long sys_llseek(unsigned int fd,
# unsigned long offset_high,
# unsigned long offset_low,
# loff_t __user * result,
# unsigned int origin)
probe nd_syscall.llseek = kprobe.function("sys_llseek") ?
{
name = "llseek"
// fd = $fd
// offset_high = $offset_high
// offset_low = $offset_low
// result_uaddr = $result
// whence = $origin
// whence_str = _seek_whence_str($origin)
// argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
// $offset_low, $result, whence_str)
asmlinkage()
fd = int_arg(1)
offset_high = ulong_arg(2)
offset_low = ulong_arg(3)
result_uaddr = pointer_arg(4)
whence = uint_arg(5)
whence_str = _seek_whence_str(whence)
argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
offset_low, result_uaddr, whence_str)
}
probe nd_syscall.llseek.return = kprobe.function("sys_llseek").return ?
{
name = "llseek"
retstr = returnstr(1)
}
# lookup_dcookie _____________________________________________
# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
#
probe nd_syscall.lookup_dcookie = kprobe.function("sys_lookup_dcookie") ?
{
name = "lookup_dcookie"
// cookie = $cookie64
// buffer_uaddr = $buf
// len = $len
// argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
asmlinkage()
cookie = ulonglong_arg(1)
buffer_uaddr = pointer_arg(2)
len = ulong_arg(3)
argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len)
}
probe nd_syscall.lookup_dcookie.return = kprobe.function("sys_lookup_dcookie").return ?
{
name = "lookup_dcookie"
retstr = returnstr(1)
}
# lremovexattr _______________________________________________
# long sys_lremovexattr(char __user *path, char __user *name)
#
probe nd_syscall.lremovexattr = kprobe.function("sys_lremovexattr") ?
{
name = "lremovexattr"
// name_uaddr = $name
// name2 = user_string($name)
// path_uaddr = (@defined($pathname) ? $pathname : $path)
// path = user_string(@defined($pathname) ? $pathname : $path)
// argstr = sprintf("%s, %s",
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// user_string_quoted($name))
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string(path_uaddr)
name_uaddr = pointer_arg(2)
# 'name2' should have been 'name_str'. Deprecate the old name.
%(systemtap_v <= "1.4" %?
name2 = user_string(name_uaddr)
%)
name_str = user_string(name_uaddr)
argstr = sprintf("%s, %s", user_string_quoted(path_uaddr), user_string_quoted(name_uaddr))
}
probe nd_syscall.lremovexattr.return = kprobe.function("sys_lremovexattr").return ?
{
name = "lremovexattr"
retstr = returnstr(1)
}
# lseek ______________________________________________________
# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
probe nd_syscall.lseek = kprobe.function("sys_lseek") ?
{
name = "lseek"
// fildes = $fd
// # offset = __int32($offset)
// offset = $offset
// whence = $origin
// whence_str = _seek_whence_str($origin)
// argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
asmlinkage()
fildes = int_arg(1)
offset = long_arg(2)
whence = uint_arg(3)
whence_str = _seek_whence_str(whence)
argstr = sprintf("%d, %d, %s", fildes, offset, whence_str)
}
probe nd_syscall.lseek.return = kprobe.function("sys_lseek").return ?
{
name = "lseek"
retstr = returnstr(1)
}
# lsetxattr __________________________________________________
# long sys_lsetxattr(char __user *path,
# char __user *name,
# void __user *value,
# size_t size,
# int flags)
#
probe nd_syscall.lsetxattr = kprobe.function("sys_lsetxattr") ?
{
name = "lsetxattr"
// path_uaddr = (@defined($pathname) ? $pathname : $path)
// path = user_string(@defined($pathname) ? $pathname : $path)
// name_uaddr = $name
// name_str = user_string($name)
// value_uaddr = $value
// size = $size
// flags = $flags
// argstr = sprintf("%s, %s, %p, %d, %d",
// user_string_quoted(@defined($pathname) ? $pathname : $path),
// user_string_quoted($name),
// value_uaddr, $size, $flags)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string(path_uaddr)
name_uaddr = pointer_arg(2)
name_str = user_string(name_uaddr)
value_uaddr = pointer_arg(3)
size = ulong_arg(4)
flags = int_arg(5)
argstr = sprintf("%s, %s, %p, %d, %d",
user_string_quoted(path_uaddr),
user_string_quoted(name_uaddr),
value_uaddr, size, flags)
}
probe nd_syscall.lsetxattr.return = kprobe.function("sys_lsetxattr").return ?
{
name = "lsetxattr"
retstr = returnstr(1)
}
# lstat ______________________________________________________
# long sys_lstat(char __user * filename, struct __old_kernel_stat __user * statbuf)
# long sys_newlstat(char __user * filename, struct stat __user * statbuf)
# long compat_sys_newlstat(char __user * filename, struct compat_stat __user *statbuf)
# long sys32_lstat64(char * filename, struct stat64 __user *statbuf)
# long sys_lstat64(char __user * filename, struct stat64 __user * statbuf)
# long sys_oabi_lstat64(char __user * filename,
# struct oldabi_stat64 __user * statbuf)
#
probe nd_syscall.lstat = kprobe.function("sys_lstat") ?,
kprobe.function("sys_newlstat") ?,
kprobe.function("compat_sys_newlstat") ?,
kprobe.function("sys32_lstat64") ?,
kprobe.function("sys_lstat64") ?,
kprobe.function("sys_oabi_lstat64") ?
{
name = "lstat"
// path = user_string($filename)
// buf_uaddr = $statbuf
// argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
asmlinkage()
path = user_string(pointer_arg(1))
buf_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
}
probe nd_syscall.lstat.return = kprobe.function("sys_lstat").return ?,
kprobe.function("sys_newlstat").return ?,
kprobe.function("compat_sys_newlstat").return ?,
kprobe.function("sys32_lstat64").return ?,
kprobe.function("sys_lstat64").return ?,
kprobe.function("sys_oabi_lstat64").return ?
{
name = "lstat"
retstr = returnstr(1)
}
# madvise ____________________________________________________
# long sys_madvise(unsigned long start, size_t len_in, int behavior)
#
probe nd_syscall.madvise = kprobe.function("sys_madvise") ?
{
name = "madvise"
// start = $start
// length = $len_in
// advice = $behavior
// advice_str = _madvice_advice_str($behavior)
// argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
advice = int_arg(3)
advice_str = _madvice_advice_str(advice)
argstr = sprintf("%p, %d, %s", start, length, _madvice_advice_str(advice))
}
probe nd_syscall.madvise.return = kprobe.function("sys_madvise").return ?
{
name = "madvise"
retstr = returnstr(1)
}
# mbind ______________________________________________________
# long sys_mbind(unsigned long start,
# unsigned long len,
# unsigned long mode,
# unsigned long __user *nmask,
# unsigned long maxnode,
# unsigned flags)
#
# long compat_sys_mbind(compat_ulong_t start,
# compat_ulong_t len,
# compat_ulong_t mode,
# compat_ulong_t __user *nmask,
# compat_ulong_t maxnode,
# compat_ulong_t flags)
#
probe nd_syscall.mbind = kprobe.function("compat_sys_mbind") ?,
kprobe.function("sys_mbind") ?
{
name = "mbind"
// start = $start
// len = $len
// mode = $mode
// nmask_uaddr = $nmask
// maxnode = $maxnode
// flags = $flags
// argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
// $nmask, $maxnode, $flags)
asmlinkage()
start = ulong_arg(1)
len = long_arg(2)
mode = ulong_arg(3)
nmask_uaddr = pointer_arg(4)
maxnode = ulong_arg(5)
flags = uint_arg(6)
argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", start, len, mode,
nmask_uaddr, maxnode, flags)
}
probe nd_syscall.mbind.return = kprobe.function("compat_sys_mbind").return ?,
kprobe.function("sys_mbind").return ?
{
name = "mbind"
retstr = returnstr(1)
}
# migrate_pages ____________________________________________________
# long sys_migrate_pages(pid_t pid, unsigned long maxnode,
# const unsigned long __user *old_nodes,
# const unsigned long __user *new_nodes)
probe nd_syscall.migrate_pages = kprobe.function("sys_migrate_pages") ?
{
name = "migrate_pages"
// argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
asmlinkage()
argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4))
}
probe nd_syscall.migrate_pages.return = kprobe.function("sys_migrate_pages").return ?
{
name = "migrate_pages"
retstr = returnstr(1)
}
# mincore ____________________________________________________
# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
#
probe nd_syscall.mincore = kprobe.function("sys_mincore") ?
{
name = "mincore"
// start = $start
// length = $len
// vec_uaddr = $vec
// argstr = sprintf("%p, %d, %p", $start, $len, $vec)
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
vec_uaddr = pointer_arg(3)
argstr = sprintf("%p, %d, %p", start, length, vec_uaddr)
}
probe nd_syscall.mincore.return = kprobe.function("sys_mincore").return ?
{
name = "mincore"
retstr = returnstr(1)
}
# mkdir ______________________________________________________
# long sys_mkdir(const char __user * pathname, int mode)
probe nd_syscall.mkdir = kprobe.function("sys_mkdir") ?
{
name = "mkdir"
// pathname_uaddr = $pathname
// pathname = user_string($pathname)
// mode = $mode
// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
asmlinkage()
pathname_uaddr = pointer_arg(1)
pathname = user_string(pathname_uaddr)
mode = int_arg(2)
argstr = sprintf("%s, %#o", user_string_quoted(pathname_uaddr), mode)
}
probe nd_syscall.mkdir.return = kprobe.function("sys_mkdir").return ?
{
name = "mkdir"
retstr = returnstr(1)
}
# mkdirat ____________________________________________________
# new function with 2.6.16
# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
probe nd_syscall.mkdirat = kprobe.function("sys_mkdirat") ?
{
name = "mkdirat"
// dirfd = $dfd
// pathname = user_string($pathname)
// mode = $mode
// argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
asmlinkage()
dirfd = int_arg(1)
pathname = user_string(pointer_arg(2))
mode = int_arg(3)
argstr = sprintf("%d, %s, %#o", dirfd, user_string_quoted(pointer_arg(2)), mode)
}
probe nd_syscall.mkdirat.return = kprobe.function("sys_mkdirat").return ?
{
name = "mkdirat"
retstr = returnstr(1)
}
# mknod
# long sys_mknod(const char __user * filename, int mode, unsigned dev)
probe nd_syscall.mknod = kprobe.function("sys_mknod") ?
{
name = "mknod"
// pathname = user_string($filename)
// mode = $mode
// dev = $dev
// argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
asmlinkage()
pathname = user_string(pointer_arg(1))
mode = int_arg(2)
dev = uint_arg(3)
argstr = sprintf("%s, %s, %p", user_string_quoted(pointer_arg(1)), _mknod_mode_str(mode), dev)
}
probe nd_syscall.mknod.return = kprobe.function("sys_mknod").return ?
{
name = "mknod"
retstr = returnstr(1)
}
# mknodat ____________________________________________________
# new function with 2.6.16
# long sys_mknodat(int dfd, const char __user *filename,
# int mode, unsigned dev)
probe nd_syscall.mknodat = kprobe.function("sys_mknodat") ?
{
name = "mknodat"
// dirfd = $dfd
// dirfd_str = _dfd_str($dfd)
// pathname = user_string($filename)
// mode = $mode
// mode_str = _mknod_mode_str($mode)
// dev = $dev
// argstr = sprintf("%s, %s, %s, %p",
// dirfd_str, user_string_quoted($filename), mode_str, $dev)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
pathname = user_string(pointer_arg(2))
mode = int_arg(3)
mode_str = _mknod_mode_str(mode)
dev = uint_arg(4)
argstr = sprintf("%s, %s, %s, %p",
dirfd_str, user_string_quoted(pointer_arg(2)), mode_str, dev)
}
probe nd_syscall.mknodat.return = kprobe.function("sys_mknodat").return ?
{
name = "mknodat"
retstr = returnstr(1)
}
# mlock ______________________________________________________
#
# long sys_mlock(unsigned long start, size_t len)
#
probe nd_syscall.mlock = kprobe.function("sys_mlock") ?
{
name = "mlock"
// addr = $start
// len = $len
// argstr = sprintf("%p, %d", $start, $len)
asmlinkage()
addr = ulong_arg(1)
len = ulong_arg(2)
argstr = sprintf("%p, %d", addr, len)
}
probe nd_syscall.mlock.return = kprobe.function("sys_mlock").return ?
{
name = "mlock"
retstr = returnstr(1)
}
# mlockall ___________________________________________________
#
# long sys_mlockall(int flags)
#
probe nd_syscall.mlockall = kprobe.function("sys_mlockall") ?
{
name = "mlockall"
// flags = $flags
// argstr = _mlockall_flags_str($flags)
asmlinkage()
flags = int_arg(1)
argstr = _mlockall_flags_str(flags)
}
probe nd_syscall.mlockall.return = kprobe.function("sys_mlockall").return ?
{
name = "mlockall"
retstr = returnstr(1)
}
# modify_ldt _________________________________________________
# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
#
probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ?
{
name = "modify_ldt"
// func = $func
// ptr_uaddr = $ptr
// bytecount = $bytecount
// argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
asmlinkage()
func = int_arg(1)
ptr_uaddr = pointer_arg(2)
bytecount = ulong_arg(3)
argstr = sprintf("%d, %p, %d", func, ptr_uaddr, bytecount)
}
probe nd_syscall.modify_ldt.return = kprobe.function("sys_modify_ldt").return ?
{
name = "modify_ldt"
retstr = returnstr(1)
}
# move_pages ____________________________________________________
# long sys_move_pages(pid_t pid, unsigned long nr_pages,
# const void __user * __user *pages,
# const int __user *nodes,
# int __user *status,
# int flags)
#
# long compat_sys_move_pages(pid_t pid, unsigned long nr_pages,
# compat_uptr_t __user *pages32,
# const int __user *nodes,
# int __user *status,
# int flags)
#
probe nd_syscall.move_pages = kprobe.function("compat_sys_move_pages") ?,
kprobe.function("sys_move_pages") ?
{
name = "move_pages"
// argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
asmlinkage()
argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6))
}
probe nd_syscall.move_pages.return = kprobe.function("compat_sys_move_pages").return ?,
kprobe.function("sys_move_pages").return ?
{
name = "move_pages"
retstr = returnstr(1)
}
# mount ______________________________________________________
# long sys_mount(char __user * dev_name,
# char __user * dir_name,
# char __user * type,
# unsigned long flags,
# void __user * data)
# long compat_sys_mount(char __user * dev_name,
# char __user * dir_name,
# char __user * type,
# unsigned long flags,
# void __user * data)
probe nd_syscall.mount = kprobe.function("compat_sys_mount") ?,
kprobe.function("sys_mount") ?
{
name = "mount"
// source = user_string($dev_name)
// target = user_string($dir_name)
// filesystemtype = user_string($type)
// mountflags = $flags
// mountflags_str = _mountflags_str($flags)
// data = text_strn(user_string($data), syscall_string_trunc, 1)
// argstr = sprintf("%s, %s, %s, %s, %s",
// user_string_quoted($dev_name),
// user_string_quoted($dir_name),
// user_string_quoted($type),
// mountflags_str, data)
asmlinkage()
source = user_string(pointer_arg(1))
target = user_string(pointer_arg(2))
filesystemtype = user_string(pointer_arg(3))
mountflags = ulong_arg(4)
mountflags_str = _mountflags_str(mountflags)
data = text_strn(user_string(pointer_arg(5)), syscall_string_trunc, 1)
argstr = sprintf("%s, %s, %s, %s, %s",
user_string_quoted(pointer_arg(1)),
user_string_quoted(pointer_arg(2)),
user_string_quoted(pointer_arg(3)),
mountflags_str, data)
}
probe nd_syscall.mount.return = kprobe.function("compat_sys_mount").return ?,
kprobe.function("sys_mount").return ?
{
name = "mount"
retstr = returnstr(1)
}
%( kernel_v >= "2.6.33" %?
# In newer kernels (2.6.33+), all the sys_mmap() variants are just
# wrappers around sys_mmap_pgoff(), which is in arch-generic code.
#
# long sys_mmap_pgoff(unsigned long addr, unsigned long len,
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long pgoff)
probe nd_syscall.mmap2 = kprobe.function("sys_mmap_pgoff") ?
{
name = "mmap2"
// start = $addr
// length = $len
// prot = $prot
// flags = $flags
// # Although the kernel gets an unsigned long fd, on the
// # user-side it is a signed int. Fix this.
// fd = __int32($fd)
// pgoffset = $pgoff
// argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
// _mprotect_prot_str($prot), _mmap_flags($flags),
// __int32($fd), $pgoff)
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
prot = ulong_arg(3)
flags = ulong_arg(4)
# Although the kernel gets an unsigned long fd, on the
# user-side it is a signed int. Fix this.
fd = int_arg(5)
pgoffset = ulong_arg(6)
argstr = sprintf("%p, %d, %s, %s, %d, %d", start, length,
_mprotect_prot_str(prot), _mmap_flags(flags),
fd, pgoffset)
}
probe nd_syscall.mmap2.return = kprobe.function("sys_mmap_pgoff").return ?
{
name = "mmap2"
retstr = returnstr(2)
}
%)
# mprotect ___________________________________________________
# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
#
probe nd_syscall.mprotect = kprobe.function("sys_mprotect") ?
{
name = "mprotect"
// addr = $start
// len = $len
// prot = $prot
// prot_str = _mprotect_prot_str($prot)
// argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
asmlinkage()
addr = ulong_arg(1)
len = ulong_arg(2)
prot = ulong_arg(3)
prot_str = _mprotect_prot_str(prot)
argstr = sprintf("%p, %d, %s", addr, len, _mprotect_prot_str(prot))
}
probe nd_syscall.mprotect.return = kprobe.function("sys_mprotect").return ?
{
name = "mprotect"
retstr = returnstr(1)
}
# mq_getsetattr ______________________________________________
# long sys_mq_getsetattr(mqd_t mqdes,
# const struct mq_attr __user *u_mqstat,
# struct mq_attr __user *u_omqstat)
# long compat_sys_mq_getsetattr(mqd_t mqdes,
# const struct compat_mq_attr __user *u_mqstat,
# struct compat_mq_attr __user *u_omqstat)
#
probe nd_syscall.mq_getsetattr = kprobe.function("compat_sys_mq_getsetattr") ?,
kprobe.function("sys_mq_getsetattr") ?
{
name = "mq_getsetattr"
// mqdes = $mqdes
// u_mqstat_uaddr = $u_mqstat
// u_omqstat_uaddr = $u_omqstat
// argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
asmlinkage()
mqdes = int_arg(1)
u_mqstat_uaddr = pointer_arg(2)
u_omqstat_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", mqdes, u_mqstat_uaddr, u_omqstat_uaddr)
}
probe nd_syscall.mq_getsetattr.return = kprobe.function("compat_sys_mq_getsetattr").return ?,
kprobe.function("sys_mq_getsetattr").return ?
{
name = "mq_getsetattr"
retstr = returnstr(1)
}
# mq_notify __________________________________________________
# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
# long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
#
probe nd_syscall.mq_notify = kprobe.function("compat_sys_mq_notify") ?,
kprobe.function("sys_mq_notify") ?
{
name = "mq_notify"
// mqdes = $mqdes
// notification_uaddr = $u_notification
// argstr = sprintf("%d, %p", $mqdes, $u_notification)
asmlinkage()
mqdes = int_arg(1)
notification_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", mqdes, notification_uaddr)
}
probe nd_syscall.mq_notify.return = kprobe.function("compat_sys_mq_notify").return ?,
kprobe.function("sys_mq_notify").return ?
{
name = "mq_notify"
retstr = returnstr(1)
}
# mq_open ____________________________________________________
# long sys_mq_open(const char __user *u_name,
# int oflag,
# mode_t mode,
# struct mq_attr __user *u_attr)
# long compat_sys_mq_open(const char __user *u_name,
# int oflag, compat_mode_t mode,
# struct compat_mq_attr __user *u_attr)
#
probe nd_syscall.mq_open = kprobe.function("compat_sys_mq_open") ?,
kprobe.function("sys_mq_open") ?
{
name = "mq_open"
// name_uaddr = $u_name
// filename = user_string($u_name)
// mode = $mode
// u_attr_uaddr = $u_attr
// oflag = $oflag
// if (oflag & 64)
// argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name),
// _sys_open_flag_str($oflag), $mode, $u_attr)
// else
// argstr = sprintf("%s, %s", user_string_quoted($u_name), _sys_open_flag_str($oflag))
asmlinkage()
name_uaddr = pointer_arg(1)
filename = user_string(name_uaddr)
mode = uint_arg(3)
u_attr_uaddr = pointer_arg(4)
oflag = int_arg(2)
if (oflag & 64)
argstr = sprintf("%s, %s, %#o, %p",
user_string_quoted(name_uaddr),
_sys_open_flag_str(oflag), mode, u_attr_uaddr)
else
argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag))
}
probe nd_syscall.mq_open.return = kprobe.function("compat_sys_mq_open").return ?,
kprobe.function("sys_mq_open").return ?
{
name = "mq_open"
retstr = returnstr(1)
}
# mq_timedreceive ____________________________________________
# ssize_t sys_mq_timedreceive(mqd_t mqdes,
# char __user *u_msg_ptr,
# size_t msg_len,
# unsigned int __user *u_msg_prio,
# const struct timespec __user *u_abs_timeout)
# ssize_t compat_sys_mq_timedreceive(mqd_t mqdes,
# char __user *u_msg_ptr,
# size_t msg_len, unsigned int __user *u_msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
probe nd_syscall.mq_timedreceive = kprobe.function("compat_sys_mq_timedreceive") ?,
kprobe.function("sys_mq_timedreceive") ?
{
name = "mq_timedreceive"
// mqdes = $mqdes
// msg_ptr_uaddr = $u_msg_ptr
// msg_len = $msg_len
// msg_prio_uaddr = $u_msg_prio
// abs_timout_uaddr = $u_abs_timeout
// argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
// $u_msg_prio, $u_abs_timeout)
asmlinkage()
mqdes = int_arg(1)
msg_ptr_uaddr = pointer_arg(2)
msg_len = ulong_arg(3)
msg_prio_uaddr = pointer_arg(4)
abs_timeout_uaddr = pointer_arg(5)
argstr = sprintf("%d, %p, %d, %p, %p", mqdes, msg_ptr_uaddr, msg_len,
msg_prio_uaddr, abs_timeout_uaddr)
}
probe nd_syscall.mq_timedreceive.return = kprobe.function("compat_sys_mq_timedreceive").return ?,
kprobe.function("sys_mq_timedreceive").return ?
{
name = "mq_timedreceive"
retstr = returnstr(1)
}
# mq_timedsend _______________________________________________
# long sys_mq_timedsend(mqd_t mqdes,
# const char __user *u_msg_ptr,
# size_t msg_len,
# unsigned int msg_prio,
# const struct timespec __user *u_abs_timeout)
# long compat_sys_mq_timedsend(mqd_t mqdes,
# const char __user *u_msg_ptr,
# size_t msg_len, unsigned int msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
probe nd_syscall.mq_timedsend = kprobe.function("compat_sys_mq_timedsend") ?,
kprobe.function("sys_mq_timedsend") ?
{
name = "mq_timedsend"
// mqdes = $mqdes
// msg_ptr_uaddr = $u_msg_ptr
// msg_len = $msg_len
// msg_prio = $msg_prio
// abs_timeout_uaddr = $u_abs_timeout
// argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
// $msg_prio, $u_abs_timeout)
asmlinkage()
mqdes = int_arg(1)
msg_ptr_uaddr = pointer_arg(2)
msg_len = ulong_arg(3)
msg_prio = uint_arg(4)
abs_timeout_uaddr = pointer_arg(5)
argstr = sprintf("%d, %p, %d, %d, %p", mqdes, msg_ptr_uaddr, msg_len,
msg_prio, abs_timeout_uaddr)
}
probe nd_syscall.mq_timedsend.return = kprobe.function("compat_sys_mq_timedsend").return ?,
kprobe.function("sys_mq_timedsend").return ?
{
name = "mq_timedsend"
retstr = returnstr(1)
}
# mq_unlink __________________________________________________
# long sys_mq_unlink(const char __user *u_name)
#
probe nd_syscall.mq_unlink = kprobe.function("sys_mq_unlink") ?
{
name = "mq_unlink"
// u_name_uaddr = $u_name
// u_name = user_string($u_name)
// argstr = user_string_quoted($u_name)
asmlinkage()
u_name_uaddr = pointer_arg(1)
u_name = user_string(u_name_uaddr)
argstr = user_string_quoted(u_name_uaddr)
}
probe nd_syscall.mq_unlink.return = kprobe.function("sys_mq_unlink").return ?
{
name = "mq_unlink"
retstr = returnstr(1)
}
# mremap _____________________________________________________
# unsigned long sys_mremap(unsigned long addr,
# unsigned long old_len,
# unsigned long new_len,
# unsigned long flags,
# unsigned long new_addr)
#
probe nd_syscall.mremap = kprobe.function("ia64_mremap") ?,
kprobe.function("sys_mremap") ?
{
name = "mremap"
// old_address = $addr
// old_size = $old_len
// new_size = $new_len
// flags = $flags
// new_address = $new_addr
// argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
// _mremap_flags($flags), $new_addr)
asmlinkage()
old_address = ulong_arg(1)
old_size = ulong_arg(2)
new_size = ulong_arg(3)
flags = ulong_arg(4)
new_address = ulong_arg(5)
argstr = sprintf("%p, %d, %d, %s, %p", old_address, old_size, new_size,
_mremap_flags(flags), new_address)
}
probe nd_syscall.mremap.return = kprobe.function("ia64_mremap").return ?,
kprobe.function("sys_mremap").return ?
{
name = "mremap"
retstr = returnstr(2)
}
# msgctl _____________________________________________________
# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
#
probe nd_syscall.msgctl = kprobe.function("sys_msgctl") ?
{
name = "msgctl"
// msqid = $msqid
// cmd = $cmd
// buf_uaddr = $buf
// argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
asmlinkage()
msqid = int_arg(1)
cmd = int_arg(2)
buf_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", msqid, cmd, buf_uaddr)
}
probe nd_syscall.msgctl.return = kprobe.function("sys_msgctl").return ?
{
name = "msgctl"
retstr = returnstr(1)
}
# compat_sys_msgctl ________________________________________
#
# long compat_sys_msgctl(int first, int second, void __user *uptr)
#
probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ?
{
name = "compat_sys_msgctl"
// msqid = $first
// cmd = $second
// buf_uaddr = $uptr
// argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
asmlinkage()
msqid = int_arg(1)
cmd = int_arg(2)
buf_uaddr = pointer_arg(3)
argstr = sprintf("%d, %d, %p", int_arg(1), int_arg(2), pointer_arg(3))
}
probe nd_syscall.compat_sys_msgctl.return = kprobe.function("compat_sys_msgctl").return ?
{
name = "compat_sys_msgctl"
retstr = returnstr(1)
}
# msgget _____________________________________________________
# long sys_msgget (key_t key, int msgflg)
#
probe nd_syscall.msgget = kprobe.function("sys_msgget") ?
{
name = "msgget"
// key = $key
// msgflg = $msgflg
// msgflg_str = _sys_open_flag_str($msgflg)
// argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
asmlinkage()
key = int_arg(1)
msgflg = int_arg(2)
msgflg_str = _sys_open_flag_str(msgflg)
argstr = sprintf("%d, %s", key, _sys_open_flag_str(msgflg))
}
probe nd_syscall.msgget.return = kprobe.function("sys_msgget").return ?
{
name = "msgget"
retstr = returnstr(1)
}
# msgrcv _____________________________________________________
# long sys_msgrcv (int msqid,
# struct msgbuf __user *msgp,
# size_t msgsz,
# long msgtyp,
# int msgflg)
#
probe nd_syscall.msgrcv = kprobe.function("sys_msgrcv") ?
{
name = "msgrcv"
// msqid = $msqid
// msgp_uaddr = $msgp
// msgsz = $msgsz
// msgtyp = $msgtyp
// msgflg = $msgflg
// argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(2)
msgsz = ulong_arg(3)
msgtyp = long_arg(4)
msgflg = int_arg(5)
argstr = sprintf("%d, %p, %d, %d, %d", msqid, msgp_uaddr, msgsz, msgtyp, msgflg)
}
probe nd_syscall.msgrcv.return = kprobe.function("sys_msgrcv").return ?
{
name = "msgrcv"
retstr = returnstr(1)
}
# compat_sys_msgrcv ________________________________________
#
# long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
# int version, void __user *uptr)
#
probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ?
{
name = "compat_sys_msgrcv"
// msqid = $first
// msgp_uaddr = $uptr
// msgsz = $second
// msgtyp = $msgtyp
// msgflg = $third
// argstr = sprintf("%d, %p, %d, %d", $first, $uptr, $second, $third)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(5)
msgsz = int_arg(2)
msgtyp = int_arg(3)
msgflg = int_arg(4)
argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
}
probe nd_syscall.compat_sys_msgrcv.return = kprobe.function("compat_sys_msgrcv").return ?
{
name = "compat_sys_msgrcv"
retstr = returnstr(1)
}
# msgsnd _____________________________________________________
# long sys_msgsnd (int msqid,
# struct msgbuf __user *msgp,
# size_t msgsz,
# int msgflg)
#
probe nd_syscall.msgsnd = kprobe.function("sys_msgsnd") ?
{
name = "msgsnd"
// msqid = $msqid
// msgp_uaddr = $msgp
// msgsz = $msgsz
// msgflg = $msgflg
// argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(2)
msgsz = ulong_arg(3)
msgflg = int_arg(4)
argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
}
probe nd_syscall.msgsnd.return = kprobe.function("sys_msgsnd").return ?
{
name = "msgsnd"
retstr = returnstr(1)
}
# compat_sys_msgsnd ________________________________________
#
# long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
#
probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ?
{
name = "compat_sys_msgsnd"
// msqid = $first
// msgp_uaddr = $uptr
// msgsz = $second
// msgflg = $third
// argstr = sprintf("%d, %p, %d, %d", $first, $uptr, $second, $third)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(4)
msgsz = int_arg(2)
msgflg = int_arg(3)
argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
}
probe nd_syscall.compat_sys_msgsnd.return = kprobe.function("compat_sys_msgsnd").return ?
{
name = "compat_sys_msgsnd"
retstr = returnstr(1)
}
# msync ______________________________________________________
# long sys_msync(unsigned long start, size_t len, int flags)
probe nd_syscall.msync = kprobe.function("sys_msync") ?
{
name = "msync"
// start = $start
// length = $len
// flags = $flags
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
flags = int_arg(3)
argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags))
}
probe nd_syscall.msync.return = kprobe.function("sys_msync").return ?
{
name = "msync"
retstr = returnstr(1)
}
# munlock ____________________________________________________
# long sys_munlock(unsigned long start, size_t len)
probe nd_syscall.munlock = kprobe.function("sys_munlock") ?
{
name = "munlock"
// addr = $start
// len = $len
asmlinkage()
addr = ulong_arg(1)
len = ulong_arg(2)
argstr = sprintf("%p, %d", addr, len)
}
probe nd_syscall.munlock.return = kprobe.function("sys_munlock").return ?
{
name = "munlock"
retstr = returnstr(1)
}
# munlockall _________________________________________________
# long sys_munlockall(void)
probe nd_syscall.munlockall = kprobe.function("sys_munlockall") ?
{
name = "munlockall"
argstr = ""
}
probe nd_syscall.munlockall.return = kprobe.function("sys_munlockall").return ?
{
name = "munlockall"
retstr = returnstr(1)
}
# munmap _____________________________________________________
# long sys_munmap(unsigned long addr, size_t len)
probe nd_syscall.munmap = kprobe.function("sys_munmap") ?
{
name = "munmap"
// start = $addr
// length = $len
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
argstr = sprintf("%p, %d", start, length)
}
probe nd_syscall.munmap.return = kprobe.function("sys_munmap").return ?
{
name = "munmap"
retstr = returnstr(1)
}