This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
[PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
- From: Przemyslaw Pawelczyk <przemyslaw at pawelczyk dot it>
- To: systemtap at sourceware dot org
- Date: Sun, 17 May 2009 20:09:34 +0200
- Subject: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.
- Mail-from: 41d41d4952e8aea8c3f1f2a5f724745febb36f89 Mon Sep 17 00:00:00 2001
Replace in-scope variables references with *_arg functions. Use 'kprobe'
family of probes instead of 'kernel' family for dwarfless probing. Also
fix a few typos and unify formatting.
---
tapset/nd_syscalls.stp | 2691 ++++++++++++++++++++++++++++++------------------
1 files changed, 1711 insertions(+), 980 deletions(-)
diff --git a/tapset/nd_syscalls.stp b/tapset/nd_syscalls.stp
index a0e5286..32c3640 100644
--- a/tapset/nd_syscalls.stp
+++ b/tapset/nd_syscalls.stp
@@ -12,9 +12,6 @@
* nd_syscalls.stp is a copy of syscalls.stp, modified to refer to
* function arguments by number rather than name, so that this tapset
* can be used even when the probed kernel lacks debugging information.
- *
- * So far, the names-to-numbers conversion covers only syscall.a*
- * through syscall.c*, plus a few others.
*/
@@ -37,7 +34,8 @@
# accept _____________________________________________________
# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
# int __user *upeer_addrlen)
-probe nd_syscall.accept = kernel.function("sys_accept") ? {
+probe nd_syscall.accept = kprobe.function("sys_accept") ?
+{
name = "accept"
// sockfd = $fd
// addr_uaddr = $upeer_sockaddr
@@ -49,14 +47,16 @@ probe nd_syscall.accept = kernel.function("sys_accept") ? {
addrlen_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr)
}
-probe nd_syscall.accept.return = kernel.function("sys_accept").return ? {
+probe nd_syscall.accept.return = kprobe.function("sys_accept").return ?
+{
name = "accept"
retstr = returnstr(1)
}
# access _____________________________________________________
# long sys_access(const char __user * filename, int mode)
-probe nd_syscall.access = kernel.function("sys_access") {
+probe nd_syscall.access = kprobe.function("sys_access")
+{
name = "access"
// pathname = user_string($filename)
// mode = $mode
@@ -68,22 +68,25 @@ probe nd_syscall.access = kernel.function("sys_access") {
mode_str = _access_mode_str(mode)
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str)
}
-probe nd_syscall.access.return = kernel.function("sys_access").return {
+probe nd_syscall.access.return = kprobe.function("sys_access").return
+{
name = "access"
retstr = returnstr(1)
}
# acct _______________________________________________________
# long sys_acct(const char __user *name)
-probe nd_syscall.acct = kernel.function("sys_acct") ? {
+probe nd_syscall.acct = kprobe.function("sys_acct") ?
+{
name = "acct"
- // filename = user_string($name)
+ // filename = user_string($name)
// argstr = user_string_quoted($name)
asmlinkage()
filename = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
+probe nd_syscall.acct.return = kprobe.function("sys_acct").return ?
+{
name = "acct"
retstr = returnstr(1)
}
@@ -95,7 +98,8 @@ probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
# size_t plen,
# key_serial_t ringid)
#
-probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
+probe nd_syscall.add_key = kprobe.function("sys_add_key") ?
+{
name = "add_key"
// type_uaddr = $_type
// description_auddr = $_description
@@ -105,7 +109,7 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
// argstr = sprintf("%s, %s, %s, %d, %d",
// user_string_quoted($_type),
// user_string_quoted($_description),
- // text_strn(user_string($_payload),syscall_string_trunc,1),
+ // text_strn(user_string($_payload), syscall_string_trunc, 1),
// $plen, $ringid)
asmlinkage()
type_uaddr = pointer_arg(1)
@@ -116,49 +120,54 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
argstr = sprintf("%s, %s, %s, %d, %d",
user_string_quoted(type_uaddr),
user_string_quoted(description_uaddr),
- text_strn(user_string(payload_uaddr),syscall_string_trunc,1),
+ text_strn(user_string(payload_uaddr), syscall_string_trunc, 1),
plen, ringid)
}
-probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? {
+probe nd_syscall.add_key.return = kprobe.function("sys_add_key").return ?
+{
name = "add_key"
retstr = returnstr(1)
}
# adjtimex ___________________________________________________
# long sys_adjtimex(struct timex __user *txc_p)
-probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") {
+probe nd_syscall.adjtimex = kprobe.function("sys_adjtimex")
+{
name = "adjtimex"
/*
- * buf_offset = __uget_timex_m($txc_p,1)
- * buf_freq = __uget_timex_m($txc_p,2)
- * buf_maxerror = __uget_timex_m($txc_p,3)
- * buf_esterror = __uget_timex_m($txc_p,4)
- * buf_status = __uget_timex_m($txc_p,5)
- * buf_constant = __uget_timex_m($txc_p,6)
- * buf_precision = __uget_timex_m($txc_p,7)
- * buf_tolerance = __uget_timex_m($txc_p,8)
- * buf_time_tv_sec = __uget_timex_m($txc_p,9)
- * buf_time_tv_usec = __uget_timex_m($txc_p,10)
- * buf_tick = __uget_timex_m($txc_p,11)
+ * buf_offset = __uget_timex_m($txc_p, 1)
+ * buf_freq = __uget_timex_m($txc_p, 2)
+ * buf_maxerror = __uget_timex_m($txc_p, 3)
+ * buf_esterror = __uget_timex_m($txc_p, 4)
+ * buf_status = __uget_timex_m($txc_p, 5)
+ * buf_constant = __uget_timex_m($txc_p, 6)
+ * buf_precision = __uget_timex_m($txc_p, 7)
+ * buf_tolerance = __uget_timex_m($txc_p, 8)
+ * buf_time_tv_sec = __uget_timex_m($txc_p, 9)
+ * buf_time_tv_usec = __uget_timex_m($txc_p, 10)
+ * buf_tick = __uget_timex_m($txc_p, 11)
*/
// argstr = sprintf("%p", $txc_p)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
-probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return {
+probe nd_syscall.adjtimex.return = kprobe.function("sys_adjtimex").return
+{
name = "adjtimex"
// retstr = _adjtimex_return_str($return)
retstr = _adjtimex_return_str(returnval())
}
# long compat_sys_adjtimex(struct compat_timex __user *utp)
-probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? {
+probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ?
+{
name = "compat_adjtimex"
// argstr = sprintf("%p", $utp)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
-probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? {
+probe nd_syscall.compat_adjtimex.return = kprobe.function("compat_sys_adjtimex").return ?
+{
name = "compat_adjtimex"
retstr = returnstr(1)
}
@@ -167,9 +176,8 @@ probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex")
# unsigned long sys_alarm (unsigned int seconds)
# long sys32_alarm(unsigned int seconds)
#
-probe nd_syscall.alarm =
- kernel.function("sys_alarm") ?,
- kernel.function("sys32_alarm") ?
+probe nd_syscall.alarm = kprobe.function("sys_alarm") ?,
+ kprobe.function("sys32_alarm") ?
{
name = "alarm"
// seconds = $seconds
@@ -178,62 +186,64 @@ probe nd_syscall.alarm =
seconds = uint_arg(1)
argstr = sprint(seconds)
}
-probe nd_syscall.alarm.return =
- kernel.function("sys_alarm").return ?,
- kernel.function("sys32_alarm").return ?
+probe nd_syscall.alarm.return = kprobe.function("sys_alarm").return ?,
+ kprobe.function("sys32_alarm").return ?
{
name = "alarm"
retstr = returnstr(1)
}
# bdflush ____________________________________________________
-# long sys_bdflush(int func,long data)
-probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? {
+# long sys_bdflush(int func, long data)
+probe nd_syscall.bdflush = kprobe.function("sys_bdflush") ?
+{
name = "bdflush"
// func = $func
// data = $data
- // if (($func>=2)&&($func%2==0))
- // data_str = sprintf("%p", $data)
- // else
- // data_str = sprintf("%d", $data)
+ // if (($func>=2)&&($func%2==0))
+ // data_str = sprintf("%p", $data)
+ // else
+ // data_str = sprintf("%d", $data)
asmlinkage()
func = int_arg(1)
data = long_arg(2)
- if ((func>=2)&&(func%2==0))
- data_str = sprintf("%p", data)
- else
- data_str = sprintf("%d", data)
- argstr = sprintf("%d, %s",func, data_str)
+ if ((func>=2)&&(func%2==0))
+ data_str = sprintf("%p", data)
+ else
+ data_str = sprintf("%d", data)
+ argstr = sprintf("%d, %s", func, data_str)
}
-probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? {
+probe nd_syscall.bdflush.return = kprobe.function("sys_bdflush").return ?
+{
name = "bdflush"
retstr = returnstr(1)
}
# bind _______________________________________________________
# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
-probe nd_syscall.bind = kernel.function("sys_bind") ? {
+probe nd_syscall.bind = kprobe.function("sys_bind") ?
+{
name = "bind"
// sockfd = $fd
// my_addr_uaddr = $umyaddr
// addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
+ // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
my_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
- argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr,addrlen),addrlen)
+ argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr, addrlen), addrlen)
}
-probe nd_syscall.bind.return = kernel.function("sys_bind").return ? {
+probe nd_syscall.bind.return = kprobe.function("sys_bind").return ?
+{
name = "bind"
retstr = returnstr(1)
}
# brk ________________________________________________________
# unsigned long sys_brk(unsigned long brk)
-probe nd_syscall.brk =
- kernel.function("sys_brk"),
- kernel.function("ia64_brk") ?
+probe nd_syscall.brk = kprobe.function("sys_brk"),
+ kprobe.function("ia64_brk") ?
{
name = "brk"
// brk = $brk
@@ -241,9 +251,8 @@ probe nd_syscall.brk =
brk = ulong_arg(1)
argstr = sprintf("%p", brk)
}
-probe nd_syscall.brk.return =
- kernel.function("sys_brk").return,
- kernel.function("ia64_brk").return ?
+probe nd_syscall.brk.return = kprobe.function("sys_brk").return,
+ kprobe.function("ia64_brk").return ?
{
name = "brk"
retstr = returnstr(1)
@@ -262,7 +271,8 @@ probe nd_syscall.brk.return =
* functions to export.
*/
# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
-probe nd_syscall.capget = kernel.function("sys_capget") {
+probe nd_syscall.capget = kprobe.function("sys_capget")
+{
name = "capget"
// header_uaddr = $header
// data_uaddr = $dataptr
@@ -272,7 +282,8 @@ probe nd_syscall.capget = kernel.function("sys_capget") {
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
-probe nd_syscall.capget.return = kernel.function("sys_capget").return {
+probe nd_syscall.capget.return = kprobe.function("sys_capget").return
+{
name = "capget"
retstr = returnstr(1)
}
@@ -289,7 +300,8 @@ probe nd_syscall.capget.return = kernel.function("sys_capget").return {
* functions to export.
*/
# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
-probe nd_syscall.capset = kernel.function("sys_capset") {
+probe nd_syscall.capset = kprobe.function("sys_capset")
+{
name = "capset"
// header_uaddr = $header
// data_uaddr = $data
@@ -299,14 +311,16 @@ probe nd_syscall.capset = kernel.function("sys_capset") {
data_uaddr = pointer_arg(2)
argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
}
-probe nd_syscall.capset.return = kernel.function("sys_capset").return {
+probe nd_syscall.capset.return = kprobe.function("sys_capset").return
+{
name = "capset"
retstr = returnstr(1)
}
# chdir ______________________________________________________
# long sys_chdir(const char __user * filename)
-probe nd_syscall.chdir = kernel.function("sys_chdir") {
+probe nd_syscall.chdir = kprobe.function("sys_chdir")
+{
name = "chdir"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
@@ -314,14 +328,16 @@ probe nd_syscall.chdir = kernel.function("sys_chdir") {
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.chdir.return = kernel.function("sys_chdir").return {
+probe nd_syscall.chdir.return = kprobe.function("sys_chdir").return
+{
name = "chdir"
retstr = returnstr(1)
}
# chmod ______________________________________________________
# long sys_chmod(const char __user * filename, mode_t mode)
-probe nd_syscall.chmod = kernel.function("sys_chmod") {
+probe nd_syscall.chmod = kprobe.function("sys_chmod")
+{
name = "chmod"
// path = user_string($filename)
// mode = $mode
@@ -331,26 +347,29 @@ probe nd_syscall.chmod = kernel.function("sys_chmod") {
mode = uint_arg(2)
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
-probe nd_syscall.chmod.return = kernel.function("sys_chmod").return {
+probe nd_syscall.chmod.return = kprobe.function("sys_chmod").return
+{
name = "chmod"
retstr = returnstr(1)
}
# chown ______________________________________________________
# long sys_chown(const char __user * filename, uid_t user, gid_t group)
-probe nd_syscall.chown = kernel.function("sys_chown") {
+probe nd_syscall.chown = kprobe.function("sys_chown")
+{
name = "chown"
// path = user_string($filename)
// owner = __int32($user)
// group = __int32($group)
- // argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string(pointer_arg(1))
owner = __int32(uint_arg(2))
group = __int32(uint_arg(3))
- argstr = sprintf("%s, %d, %d",user_string_quoted(pointer_arg(1)), owner, group)
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.chown.return = kernel.function("sys_chown").return {
+probe nd_syscall.chown.return = kprobe.function("sys_chown").return
+{
name = "chown"
retstr = returnstr(1)
}
@@ -358,7 +377,8 @@ probe nd_syscall.chown.return = kernel.function("sys_chown").return {
# long sys_chown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
+probe nd_syscall.chown16 = kprobe.function("sys_chown16") ?
+{
name = "chown16"
// path = user_string($filename)
// owner = __short($user)
@@ -370,14 +390,16 @@ probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
group = __short(uint_arg(3))
argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? {
+probe nd_syscall.chown16.return = kprobe.function("sys_chown16").return ?
+{
name = "chown16"
retstr = returnstr(1)
}
# chroot _____________________________________________________
# long sys_chroot(const char __user * filename)
-probe nd_syscall.chroot = kernel.function("sys_chroot") {
+probe nd_syscall.chroot = kprobe.function("sys_chroot")
+{
name = "chroot"
// path = user_string($filename)
// argstr = user_string_quoted($filename)
@@ -385,7 +407,8 @@ probe nd_syscall.chroot = kernel.function("sys_chroot") {
path = user_string(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
}
-probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
+probe nd_syscall.chroot.return = kprobe.function("sys_chroot").return
+{
name = "chroot"
retstr = returnstr(1)
}
@@ -394,9 +417,8 @@ probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
# long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
#
-probe nd_syscall.clock_getres =
- kernel.function("sys_clock_getres"),
- kernel.function("compat_clock_getres") ?
+probe nd_syscall.clock_getres = kprobe.function("sys_clock_getres"),
+ kprobe.function("compat_clock_getres") ?
{
name = "clock_getres"
// clk_id = $which_clock
@@ -409,9 +431,8 @@ probe nd_syscall.clock_getres =
res_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", clk_id_str, res_uaddr)
}
-probe nd_syscall.clock_getres.return =
- kernel.function("sys_clock_getres").return,
- kernel.function("compat_clock_getres").return ?
+probe nd_syscall.clock_getres.return = kprobe.function("sys_clock_getres").return,
+ kprobe.function("compat_clock_getres").return ?
{
name = "clock_getres"
retstr = returnstr(1)
@@ -420,8 +441,7 @@ probe nd_syscall.clock_getres.return =
# clock_gettime ______________________________________________
# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
#
-probe nd_syscall.clock_gettime =
- kernel.function("sys_clock_gettime")
+probe nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime")
{
name = "clock_gettime"
// clk_id = $which_clock
@@ -432,7 +452,7 @@ probe nd_syscall.clock_gettime =
clk_id_str = _get_wc_str(clk_id)
argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2))
}
-probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return
+probe nd_syscall.clock_gettime.return = kprobe.function("sys_clock_gettime").return
{
name = "clock_gettime"
retstr = returnstr(1)
@@ -444,14 +464,15 @@ probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").ret
# const struct timespec __user *rqtp,
# struct timespec __user *rmtp)
#
-probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
+probe nd_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep")
+{
name = "clock_nanosleep"
// if ($flags == 1)
// flag_str = "TIMER_ABSTIME"
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_timespec_u($rqtp,1), $rmtp)
+ // _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
@@ -459,9 +480,10 @@ probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
- _struct_timespec_u(pointer_arg(3),1), pointer_arg(4))
+ _struct_timespec_u(pointer_arg(3), 1), pointer_arg(4))
}
-probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return {
+probe nd_syscall.clock_nanosleep.return = kprobe.function("sys_clock_nanosleep").return
+{
name = "clock_nanosleep"
retstr = returnstr(1)
}
@@ -471,9 +493,8 @@ probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep")
# struct compat_timespec __user *rqtp,
# struct compat_timespec __user *rmtp)
#
-probe nd_syscall.compat_clock_nanosleep =
- kernel.function("compat_clock_nanosleep") ?,
- kernel.function("compat_sys_clock_nanosleep") ?
+probe nd_syscall.compat_clock_nanosleep = kprobe.function("compat_clock_nanosleep") ?,
+ kprobe.function("compat_sys_clock_nanosleep") ?
{
name = "compat_clock_nanosleep"
// if ($flags == 1)
@@ -481,7 +502,7 @@ probe nd_syscall.compat_clock_nanosleep =
// else
// flag_str = sprintf("0x%x", $flags)
// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_compat_timespec_u($rqtp,1), $rmtp)
+ // _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
@@ -489,12 +510,11 @@ probe nd_syscall.compat_clock_nanosleep =
else
flag_str = sprintf("0x%x", flags)
argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
- _struct_compat_timespec_u(pointer_arg(3),1),
+ _struct_compat_timespec_u(pointer_arg(3), 1),
pointer_arg(4))
}
-probe nd_syscall.compat_clock_nanosleep.return =
- kernel.function("compat_clock_nanosleep").return ?,
- kernel.function("compat_sys_clock_nanosleep").return ?
+probe nd_syscall.compat_clock_nanosleep.return = kprobe.function("compat_clock_nanosleep").return ?,
+ kprobe.function("compat_sys_clock_nanosleep").return ?
{
name = "compat_clock_nanosleep"
retstr = returnstr(1)
@@ -504,68 +524,75 @@ probe nd_syscall.compat_clock_nanosleep.return =
# long sys_clock_settime(clockid_t which_clock,
# const struct timespec __user *tp)
#
-probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") {
+probe nd_syscall.clock_settime = kprobe.function("sys_clock_settime")
+{
name = "clock_settime"
// clk_id = $which_clock
// clk_id_str = _get_wc_str($which_clock)
// tp_uaddr = $tp
- // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1))
+ // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
tp_uaddr = pointer_arg(2)
- argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr,1))
+ argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr, 1))
}
-probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return {
+probe nd_syscall.clock_settime.return = kprobe.function("sys_clock_settime").return
+{
name = "clock_settime"
retstr = returnstr(1)
}
# close ______________________________________________________
# long sys_close(unsigned int fd)
-probe nd_syscall.close = kernel.function("sys_close") {
+probe nd_syscall.close = kprobe.function("sys_close")
+{
name = "close"
// fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.close.return = kernel.function("sys_close").return {
+probe nd_syscall.close.return = kprobe.function("sys_close").return
+{
name = "close"
retstr = returnstr(1)
}
# connect ____________________________________________________
# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
-probe nd_syscall.connect = kernel.function("sys_connect") ? {
+probe nd_syscall.connect = kprobe.function("sys_connect") ?
+{
name = "connect"
// sockfd = $fd
// serv_addr_uaddr = $uservaddr
// addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
+ // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
serv_addr_uaddr = pointer_arg(2)
addrlen = int_arg(3)
- argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr,addrlen),addrlen)
+ argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr, addrlen), addrlen)
}
-probe nd_syscall.connect.return = kernel.function("sys_connect").return ? {
+probe nd_syscall.connect.return = kprobe.function("sys_connect").return ?
+{
name = "connect"
retstr = returnstr(1)
}
# creat
# long sys_creat(const char __user * pathname, int mode)
-probe nd_syscall.creat = kernel.function("sys_creat") ?
+probe nd_syscall.creat = kprobe.function("sys_creat") ?
{
name = "creat"
// mode = $mode
// pathname = user_string($pathname)
// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ asmlinkage()
mode = int_arg(2)
pathname = user_string(pointer_arg(1))
argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
}
-probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
+probe nd_syscall.creat.return = kprobe.function("sys_creat").return ?
{
name = "creat"
retstr = returnstr(1)
@@ -573,20 +600,27 @@ probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
# delete_module ______________________________________________
# long sys_delete_module(const char __user *name_user, unsigned int flags)
-probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? {
+probe nd_syscall.delete_module = kprobe.function("sys_delete_module") ?
+{
name = "delete_module"
- name_user = user_string($name_user)
- flags = $flags
- argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+ // name_user = user_string($name_user)
+ // flags = $flags
+ // argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+ asmlinkage()
+ name_user = user_string(pointer_arg(1))
+ flags = uint_arg(2)
+ argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(uint_arg(2)))
}
-probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? {
+probe nd_syscall.delete_module.return = kprobe.function("sys_delete_module").return ?
+{
name = "delete_module"
retstr = returnstr(1)
}
# dup ________________________________________________________
# long sys_dup(unsigned int fildes)
-probe nd_syscall.dup = kernel.function("sys_dup") {
+probe nd_syscall.dup = kprobe.function("sys_dup")
+{
name = "dup"
// oldfd = $fildes
// argstr = sprint($fildes)
@@ -594,32 +628,44 @@ probe nd_syscall.dup = kernel.function("sys_dup") {
old_fd = int_arg(1)
argstr = sprint(old_fd)
}
-probe nd_syscall.dup.return = kernel.function("sys_dup").return {
+probe nd_syscall.dup.return = kprobe.function("sys_dup").return
+{
name = "dup"
retstr = returnstr(1)
}
# dup2 _______________________________________________________
# long sys_dup2(unsigned int oldfd, unsigned int newfd)
-probe nd_syscall.dup2 = kernel.function("sys_dup2") {
+probe nd_syscall.dup2 = kprobe.function("sys_dup2")
+{
name = "dup2"
- oldfd = $oldfd
- newfd = $newfd
- argstr = sprintf("%d, %d", $oldfd, $newfd)
+ // oldfd = $oldfd
+ // newfd = $newfd
+ // argstr = sprintf("%d, %d", $oldfd, $newfd)
+ asmlinkage()
+ oldfd = int_arg(1)
+ newfd = int_arg(2)
+ argstr = sprintf("%d, %d", oldfd, newfd)
}
-probe nd_syscall.dup2.return = kernel.function("sys_dup2").return {
+probe nd_syscall.dup2.return = kprobe.function("sys_dup2").return
+{
name = "dup2"
retstr = returnstr(1)
}
# epoll_create _______________________________________________
# long sys_epoll_create(int size)
-probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? {
+probe nd_syscall.epoll_create = kprobe.function("sys_epoll_create") ?
+{
name = "epoll_create"
- size = $size
- argstr = sprint($size)
+ // size = $size
+ // argstr = sprint($size)
+ asmlinkage()
+ size = int_arg(1)
+ argstr = sprint(size)
}
-probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? {
+probe nd_syscall.epoll_create.return = kprobe.function("sys_epoll_create").return ?
+{
name = "epoll_create"
retstr = returnstr(1)
}
@@ -630,21 +676,26 @@ probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").retur
# long compat_sys_epoll_ctl(int epfd, int op, int fd,
# struct compat_epoll_event __user *event)
#
-probe nd_syscall.epoll_ctl =
- kernel.function("sys_epoll_ctl") ?,
- kernel.function("compat_sys_epoll_ctl") ?
+probe nd_syscall.epoll_ctl = kprobe.function("sys_epoll_ctl") ?,
+ kprobe.function("compat_sys_epoll_ctl") ?
{
name = "epoll_ctl"
- epfd = $epfd
- op = $op
- op_str = _opoll_op_str($op)
- fd = $fd
- event_uaddr = $event
- argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+ // epfd = $epfd
+ // eop = $op
+ // eop_str = _opoll_op_str($op)
+ // efd = $fd
+ // eevent_uaddr = $event
+ // eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+ asmlinkage()
+ epfd = int_arg(1)
+ op = int_arg(2)
+ op_str = _opoll_op_str(op)
+ fd = int_arg(3)
+ event_uaddr = pointer_arg(4)
+ argstr = sprintf("%d, %s, %d, %p", epfd, op_str, fd, event_uaddr)
}
-probe nd_syscall.epoll_ctl.return =
- kernel.function("sys_epoll_ctl").return ?,
- kernel.function("compat_sys_epoll_ctl").return ?
+probe nd_syscall.epoll_ctl.return = kprobe.function("sys_epoll_ctl").return ?,
+ kprobe.function("compat_sys_epoll_ctl").return ?
{
name = "epoll_ctl"
retstr = returnstr(1)
@@ -661,17 +712,17 @@ probe nd_syscall.epoll_ctl.return =
# const compat_sigset_t __user *sigmask,
# compat_size_t sigsetsize)
#
-probe nd_syscall.epoll_pwait =
- kernel.function("sys_epoll_pwait") ?,
- kernel.function("compat_sys_epoll_pwait") ?
+probe nd_syscall.epoll_pwait = kprobe.function("sys_epoll_pwait") ?,
+ kprobe.function("compat_sys_epoll_pwait") ?
{
name = "epoll_pwait"
+ asmlinkage()
argstr = sprintf("%d, %p, %d, %d, %p, %d",
- $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+// $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+ int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6))
}
-probe nd_syscall.epoll_pwait.return =
- kernel.function("sys_epoll_pwait").return ?,
- kernel.function("compat_sys_epoll_pwait").return ?
+probe nd_syscall.epoll_pwait.return = kprobe.function("sys_epoll_pwait").return ?,
+ kprobe.function("compat_sys_epoll_pwait").return ?
{
name = "epoll_pwait"
retstr = returnstr(1)
@@ -685,20 +736,24 @@ probe nd_syscall.epoll_pwait.return =
# struct compat_epoll_event __user *events,
# int maxevents, int timeout)
#
-probe nd_syscall.epoll_wait =
- kernel.function("sys_epoll_wait") ?,
- kernel.function("compat_sys_epoll_wait") ?
+probe nd_syscall.epoll_wait = kprobe.function("sys_epoll_wait") ?,
+ kprobe.function("compat_sys_epoll_wait") ?
{
name = "epoll_wait"
- epfd = $epfd
- events_uaddr = $events
- maxevents = $maxevents
- timeout = $timeout
- argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+ // epfd = $epfd
+ // events_uaddr = $events
+ // maxevents = $maxevents
+ // timeout = $timeout
+ // argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+ asmlinkage()
+ epfd = int_arg(1)
+ events_uaddr = pointer_arg(2)
+ maxevents = int_arg(3)
+ timeout = int_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", epfd, events_uaddr, maxevents, timeout)
}
-probe nd_syscall.epoll_wait.return =
- kernel.function("sys_epoll_wait").return ?,
- kernel.function("compat_sys_epoll_wait").return ?
+probe nd_syscall.epoll_wait.return = kprobe.function("sys_epoll_wait").return ?,
+ kprobe.function("compat_sys_epoll_wait").return ?
{
name = "epoll_wait"
retstr = returnstr(1)
@@ -707,11 +762,15 @@ probe nd_syscall.epoll_wait.return =
# eventfd _____________________________________________________
# long sys_eventfd(unsigned int count)
#
-probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? {
+probe nd_syscall.eventfd = kprobe.function("sys_eventfd") ?
+{
name = "eventfd"
- argstr = sprint($count)
+ // argstr = sprint($count)
+ asmlinkage()
+ argstr = sprint(uint_arg(1))
}
-probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
+probe nd_syscall.eventfd.return = kprobe.function("sys_eventfd").return ?
+{
name = "eventfd"
retstr = returnstr(1)
}
@@ -723,18 +782,21 @@ probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
# char __user *__user *argv,
# char __user *__user *envp,
# struct pt_regs * regs)
-probe nd_syscall.execve = kernel.function("do_execve") {
+probe nd_syscall.execve = kprobe.function("do_execve")
+{
name = "execve"
// filename = kernel_string($filename)
// args = __get_argv($argv, 0)
// argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
+ asmlinkage()
filename = kernel_string(pointer_arg(1))
args = __get_argv(pointer_arg(2), 0)
argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1))
}
# v2.6.15-rc2 or earlier has problems with sys_execve return probes
# another reason to probe on do_execve
-probe nd_syscall.execve.return = kernel.function("do_execve").return {
+probe nd_syscall.execve.return = kprobe.function("do_execve").return
+{
name = "execve"
retstr = returnstr(1)
}
@@ -742,33 +804,47 @@ probe nd_syscall.execve.return = kernel.function("do_execve").return {
# compat_uptr_t __user *argv,
# compat_uptr_t __user *envp,
# struct pt_regs * regs)
-probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? {
+probe nd_syscall.compat_execve = kprobe.function("compat_do_execve") ?
+{
name = "compat_execve"
- filename = kernel_string($filename)
- args = __get_compat_argv($argv, 0)
- argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+ // filename = kernel_string($filename)
+ // args = __get_compat_argv($argv, 0)
+ // argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+ asmlinkage()
+ filename = kernel_string(pointer_arg(1))
+ args = __get_compat_argv(pointer_arg(2), 0)
+ argstr = sprintf("%s %s", filename, __get_compat_argv(pointer_arg(2), 1))
}
-probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return ? {
+probe nd_syscall.compat_execve.return = kprobe.function("compat_do_execve").return ?
+{
name = "compat_execve"
retstr = returnstr(1)
}
# exit _______________________________________________________
# long sys_exit(int error_code)
-probe nd_syscall.exit = kernel.function("do_exit") {
+probe nd_syscall.exit = kprobe.function("do_exit")
+{
name = "exit"
- status = $code
- argstr = sprint($code)
+ // status = $code
+ // argstr = sprint($code)
+ asmlinkage()
+ status = int_arg(1)
+ argstr = sprint(status)
}
probe nd_syscall.exit.return = end {}
# exit_group _________________________________________________
# void sys_exit_group(int error_code)
#
-probe nd_syscall.exit_group = kernel.function("sys_exit_group") {
+probe nd_syscall.exit_group = kprobe.function("sys_exit_group")
+{
name = "exit_group"
- status = $error_code
- argstr = sprint($error_code)
+ // status = $error_code
+ // argstr = sprint($error_code)
+ asmlinkage()
+ status = int_arg(1)
+ argstr = sprint(status)
}
probe nd_syscall.exit_group.return = end {}
@@ -777,15 +853,23 @@ probe nd_syscall.exit_group.return = end {}
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? {
+probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") ?
+{
name = "fadvise64"
- fs = $fd
- offset = $offset
- len = $len
- advice = $advice
- argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ // fd = $fd
+ // offset = $offset
+ // len = $len
+ // advice = $advice
+ // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ len = ulong_arg(3)
+ advice = int_arg(4)
+ argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
+probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return ?
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -793,15 +877,23 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64")
+{
name = "fadvise64_64"
- fs = $fd
- offset = $offset
- len = $len
- advice = $advice
- argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ // fd = $fd
+ // offset = $offset
+ // len = $len
+ // advice = $advice
+ // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+ asmlinkage()
+ fd = int_arg(1)
+ offset = longlong_arg(2)
+ len = ulong_arg(3)
+ advice = int_arg(4)
+ argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
}
-probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -811,15 +903,17 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") {
+probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64")
+{
name = "fadvise64"
- fs = 0
+ fd = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
+probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return
+{
name = "fadvise64"
retstr = returnstr(1)
}
@@ -827,15 +921,17 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64")
+{
name = "fadvise64_64"
- fs = 0
+ fd = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
-probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return
+{
name = "fadvise64_64"
retstr = returnstr(1)
}
@@ -843,53 +939,77 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu
# fchdir _____________________________________________________
# long sys_fchdir(unsigned int fd)
-probe nd_syscall.fchdir = kernel.function("sys_fchdir") {
+probe nd_syscall.fchdir = kprobe.function("sys_fchdir")
+{
name = "fchdir"
- fd = $fd
- argstr = sprint($fd)
+ // fd = $fd
+ // argstr = sprint($fd)
+ asmlinkage()
+ fd = int_arg(1)
+ argstr = sprint(fd)
}
-probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return {
+probe nd_syscall.fchdir.return = kprobe.function("sys_fchdir").return
+{
name = "fchdir"
retstr = returnstr(1)
}
# fchmod _____________________________________________________
# long sys_fchmod(unsigned int fd, mode_t mode)
-probe nd_syscall.fchmod = kernel.function("sys_fchmod") {
+probe nd_syscall.fchmod = kprobe.function("sys_fchmod")
+{
name = "fchmod"
- fildes = $fd
- mode = $mode
- argstr = sprintf("%d, %#o", $fd, $mode)
+ // fildes = $fd
+ // mode = $mode
+ asmlinkage()
+ fildes = int_arg(1)
+ mode = uint_arg(2) # SAFE?
+ argstr = sprintf("%d, %#o", fildes, mode)
}
-probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return {
+probe nd_syscall.fchmod.return = kprobe.function("sys_fchmod").return
+{
name = "fchmod"
retstr = returnstr(1)
}
# fchown _____________________________________________________
# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
-probe nd_syscall.fchown = kernel.function("sys_fchown") {
+probe nd_syscall.fchown = kprobe.function("sys_fchown")
+{
name = "fchown"
- fd = $fd
- owner = __int32($user)
- group = __int32($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ // fd = $fd
+ // owner = __int32($user)
+ // group = __int32($group)
+ // argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ asmlinkage()
+ fd = int_arg(1)
+ owner = __int32(uint_arg(2))
+ group = __int32(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", fd, owner, group)
}
-probe nd_syscall.fchown.return = kernel.function("sys_fchown").return {
+probe nd_syscall.fchown.return = kprobe.function("sys_fchown").return
+{
name = "fchown"
retstr = returnstr(1)
}
# fchown16 ___________________________________________________
# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
-probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? {
+probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ?
+{
name = "fchown16"
- fd = $fd
- owner = __short($user)
- group = __short($group)
- argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ // fd = $fd
+ // owner = __short($user)
+ // group = __short($group)
+ // argstr = sprintf("%d, %d, %d", $fd, owner, group)
+ asmlinkage()
+ fd = int_arg(1)
+ owner = __short(uint_arg(2))
+ group = __short(uint_arg(3))
+ argstr = sprintf("%d, %d, %d", fd, owner, group)
}
-probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
+probe nd_syscall.fchown16.return = kprobe.function("sys_fchown16").return ?
+{
name = "fchown16"
retstr = returnstr(1)
}
@@ -900,24 +1020,28 @@ probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
# long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe nd_syscall.fcntl =
- kernel.function("sys_fcntl") ?,
- kernel.function("sys_fcntl64") ?,
- kernel.function("compat_sys_fcntl") ?,
- kernel.function("compat_sys_fcntl64") ?
+probe nd_syscall.fcntl = kprobe.function("sys_fcntl") ?,
+ kprobe.function("sys_fcntl64") ?,
+ kprobe.function("compat_sys_fcntl") ?,
+ kprobe.function("compat_sys_fcntl64") ?
{
name = "fcntl"
- fd = $fd
- cmd = $cmd
- cmd_str = _fcntl_cmd_str($cmd)
- arg = $arg
- argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
-}
-probe nd_syscall.fcntl.return =
- kernel.function("sys_fcntl").return ?,
- kernel.function("sys_fcntl64").return ?,
- kernel.function("compat_sys_fcntl").return ?,
- kernel.function("compat_sys_fcntl64").return ?
+ // fd = $fd
+ // cmd = $cmd
+ // cmd_str = _fcntl_cmd_str($cmd)
+ // arg = $arg
+ // argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
+ asmlinkage()
+ fd = int_arg(1)
+ cmd = int_arg(2)
+ cmd_str = _fcntl_cmd_str(cmd)
+ arg = long_arg(3)
+ argstr = sprintf("%d, %s, %p", fd, cmd_str, arg)
+}
+probe nd_syscall.fcntl.return = kprobe.function("sys_fcntl").return ?,
+ kprobe.function("sys_fcntl64").return ?,
+ kprobe.function("compat_sys_fcntl").return ?,
+ kprobe.function("compat_sys_fcntl64").return ?
{
name = "fcntl"
retstr = returnstr(1)
@@ -925,12 +1049,16 @@ probe nd_syscall.fcntl.return =
# fdatasync __________________________________________________
# long sys_fdatasync(unsigned int fd)
-probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") {
+probe nd_syscall.fdatasync = kprobe.function("sys_fdatasync")
+{
name = "fdatasync"
- fd = $fd
+ // fd = $fd
+ asmlinkage()
+ fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
+probe nd_syscall.fdatasync.return = kprobe.function("sys_fdatasync").return
+{
name = "fdatasync"
retstr = returnstr(1)
}
@@ -938,42 +1066,61 @@ probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
# fgetxattr __________________________________________________
# ssize_t sys_fgetxattr(int fd, char __user *name,
# void __user *value, size_t size)
-probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") {
+probe nd_syscall.fgetxattr = kprobe.function("sys_fgetxattr")
+{
name = "fgetxattr"
- filedes = $fd
-#FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
-}
-probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return {
+ // filedes = $fd
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size)
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size)
+}
+probe nd_syscall.fgetxattr.return = kprobe.function("sys_fgetxattr").return
+{
name = "fgetxattr"
retstr = returnstr(1)
}
# flistxattr _________________________________________________
# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
-probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") {
+probe nd_syscall.flistxattr = kprobe.function("sys_flistxattr")
+{
name = "flistxattr"
- filedes = $fd
- list_uaddr = $list
- size = $size
+ // filedes = $fd
+ // list_uaddr = $list
+ // size = $size
+ asmlinkage()
+ filedes = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
}
-probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return {
+probe nd_syscall.flistxattr.return = kprobe.function("sys_flistxattr").return
+{
name = "flistxattr"
retstr = returnstr(1)
}
# flock ______________________________________________________
# long sys_flock(unsigned int fd, unsigned int cmd)
-probe nd_syscall.flock = kernel.function("sys_flock") {
+probe nd_syscall.flock = kprobe.function("sys_flock")
+{
name = "flock"
- fd = $fd
- operation = $cmd
+ // fd = $fd
+ // operation = $cmd
+ asmlinkage()
+ fd = int_arg(1)
+ operation = int_arg(2)
argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
}
-probe nd_syscall.flock.return = kernel.function("sys_flock").return {
+probe nd_syscall.flock.return = kprobe.function("sys_flock").return
+{
name = "flock"
retstr = returnstr(1)
}
@@ -1016,13 +1163,15 @@ CATCH_DEREF_FAULT();
# unsigned long stack_size,
# int __user *parent_tidptr,
# int __user *child_tidptr)
-probe nd_syscall.fork = kernel.function("do_fork") {
+probe nd_syscall.fork = kprobe.function("do_fork")
+{
// clone_flags = $clone_flags
// stack_start = $stack_start
// regs = $regs
// stack_size = $stack_size
// parent_tid_uaddr = $parent_tidptr
// child_tid_uaddr = $child_tidptr
+ asmlinkage()
clone_flags = ulong_arg(1)
stack_start = ulong_arg(2)
regs = pointer_arg(3)
@@ -1042,19 +1191,27 @@ probe nd_syscall.fork = kernel.function("do_fork") {
argstr = __fork_flags(clone_flags)
}
}
-probe nd_syscall.fork.return = kernel.function("do_fork").return {
+probe nd_syscall.fork.return = kprobe.function("do_fork").return
+{
name = "fork"
retstr = returnstr(1)
}
# fremovexattr _______________________________________________
# long sys_fremovexattr(int fd, char __user *name)
-probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") {
+probe nd_syscall.fremovexattr = kprobe.function("sys_fremovexattr")
+{
name = "fremovexattr"
- filedes = $fd
- name_uaddr = $name
- argstr = sprintf("FIXME PLEASE")
+ // filedes = $fd
+ // name2 = user_string($name)
+ // argstr = sprintf("%d, %s", $fd, user_string_quoted($name))
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ argstr = sprintf("%d, %s", filedes, user_string_quoted(pointer_arg(2)))
}
-probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return {
+probe nd_syscall.fremovexattr.return = kprobe.function("sys_fremovexattr").return
+{
name = "fremovexattr"
retstr = returnstr(1)
}
@@ -1068,17 +1225,26 @@ probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").retur
* size_t size,
* int flags)
*/
-probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") {
+probe nd_syscall.fsetxattr = kprobe.function("sys_fsetxattr")
+{
name = "fsetxattr"
- filedes = $fd
-# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
- flags = $flags
- argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
-}
-probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
+ // filedes = $fd
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
+ asmlinkage()
+ filedes = int_arg(1)
+ # FIXME
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
+ argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size, flags)
+}
+probe nd_syscall.fsetxattr.return = kprobe.function("sys_fsetxattr").return
+{
name = "fsetxattr"
retstr = returnstr(1)
}
@@ -1092,26 +1258,28 @@ probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
# struct oldabi_stat64 __user * statbuf)
# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
#
-probe nd_syscall.fstat =
- kernel.function("sys_fstat") ?,
- kernel.function("sys_fstat64") ?,
- kernel.function("sys32_fstat64") ?,
- kernel.function("sys_newfstat") ?,
- kernel.function("sys_oabi_fstat64") ?,
- kernel.function("compat_sys_newfstat") ?
+probe nd_syscall.fstat = kprobe.function("sys_fstat") ?,
+ kprobe.function("sys_fstat64") ?,
+ kprobe.function("sys32_fstat64") ?,
+ kprobe.function("sys_newfstat") ?,
+ kprobe.function("sys_oabi_fstat64") ?,
+ kprobe.function("compat_sys_newfstat") ?
{
name = "fstat"
- filedes = $fd
- buf_uaddr = $statbuf
- argstr = sprintf("%d, %p", $fd, $statbuf)
-}
-probe nd_syscall.fstat.return =
- kernel.function("sys_fstat").return ?,
- kernel.function("sys_fstat64").return ?,
- kernel.function("sys32_fstat64").return ?,
- kernel.function("sys_newfstat").return ?,
- kernel.function("sys_oabi_fstat64").return ?,
- kernel.function("compat_sys_newfstat").return ?
+ // filedes = $fd
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%d, %p", $fd, $statbuf)
+ asmlinkage()
+ filedes = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", filedes, buf_uaddr)
+}
+probe nd_syscall.fstat.return = kprobe.function("sys_fstat").return ?,
+ kprobe.function("sys_fstat64").return ?,
+ kprobe.function("sys32_fstat64").return ?,
+ kprobe.function("sys_newfstat").return ?,
+ kprobe.function("sys_oabi_fstat64").return ?,
+ kprobe.function("compat_sys_newfstat").return ?
{
name = "fstat"
retstr = returnstr(1)
@@ -1122,23 +1290,26 @@ probe nd_syscall.fstat.return =
# long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
# long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
# long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
-probe nd_syscall.fstatat =
- kernel.function("sys_fstatat64") ?,
- kernel.function("sys_newfstatat") ?,
- kernel.function("compat_sys_newfstatat") ?,
- kernel.function("sys32_fstatat64") ?
+probe nd_syscall.fstatat = kprobe.function("sys_fstatat64") ?,
+ kprobe.function("sys_newfstatat") ?,
+ kprobe.function("compat_sys_newfstatat") ?,
+ kprobe.function("sys32_fstatat64") ?
{
name = "fstatat"
- dirfd = $dfd
- path = user_string($filename)
- buf_uaddr = $statbuf
- argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+ // dirfd = $dfd
+ // path = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+ asmlinkage()
+ dirfd = int_arg(1)
+ path = user_string(pointer_arg(2))
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %p, %s", _dfd_str(dirfd), user_string_quoted(pointer_arg(2)), buf_uaddr, _at_flag_str(int_arg(4)))
}
-probe nd_syscall.fstatat.return =
- kernel.function("sys_fstatat64").return ?,
- kernel.function("sys_newfstatat").return ?,
- kernel.function("compat_sys_newfstatat").return ?,
- kernel.function("sys32_fstatat64").return ?
+probe nd_syscall.fstatat.return = kprobe.function("sys_fstatat64").return ?,
+ kprobe.function("sys_newfstatat").return ?,
+ kprobe.function("compat_sys_newfstatat").return ?,
+ kprobe.function("sys32_fstatat64").return ?
{
name = "fstatat"
retstr = returnstr(1)
@@ -1148,18 +1319,20 @@ probe nd_syscall.fstatat.return =
# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
#
-probe nd_syscall.fstatfs =
- kernel.function("sys_fstatfs"),
- kernel.function("compat_sys_fstatfs") ?
+probe nd_syscall.fstatfs = kprobe.function("sys_fstatfs"),
+ kprobe.function("compat_sys_fstatfs") ?
{
name = "fstatfs"
- fd = $fd
- buf_uaddr = $buf
- argstr = sprintf("%d, %p", $fd, $buf)
+ // fd = $fd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %p", $fd, $buf)
+ asmlinkage()
+ fd = int_arg(1)
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", fd, buf_uaddr)
}
-probe nd_syscall.fstatfs.return =
- kernel.function("sys_fstatfs").return,
- kernel.function("compat_sys_fstatfs").return ?
+probe nd_syscall.fstatfs.return = kprobe.function("sys_fstatfs").return,
+ kprobe.function("compat_sys_fstatfs").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1169,19 +1342,22 @@ probe nd_syscall.fstatfs.return =
# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
# long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
#
-probe nd_syscall.fstatfs64 =
- kernel.function("sys_fstatfs64") ?,
- kernel.function("compat_sys_fstatfs64") ?
+probe nd_syscall.fstatfs64 = kprobe.function("sys_fstatfs64") ?,
+ kprobe.function("compat_sys_fstatfs64") ?
{
name = "fstatfs"
- fd = $fd
- sz = $sz
- buf_uaddr = $buf
- argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+ // fd = $fd
+ // sz = $sz
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+ asmlinkage()
+ fd = int_arg(1)
+ sz = ulong_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr)
}
-probe nd_syscall.fstatfs64.return =
- kernel.function("sys_fstatfs64").return ?,
- kernel.function("compat_sys_fstatfs64").return ?
+probe nd_syscall.fstatfs64.return = kprobe.function("sys_fstatfs64").return ?,
+ kprobe.function("compat_sys_fstatfs64").return ?
{
name = "fstatfs"
retstr = returnstr(1)
@@ -1189,37 +1365,51 @@ probe nd_syscall.fstatfs64.return =
# fsync ______________________________________________________
# long sys_fsync(unsigned int fd)
-probe nd_syscall.fsync = kernel.function("sys_fsync") {
+probe nd_syscall.fsync = kprobe.function("sys_fsync")
+{
name = "fsync"
- fd = $fd
+ // fd = $fd
+ asmlinkage()
+ fd = int_arg(1)
argstr = sprint(fd)
}
-probe nd_syscall.fsync.return = kernel.function("sys_fsync").return {
+probe nd_syscall.fsync.return = kprobe.function("sys_fsync").return
+{
name = "fsync"
retstr = returnstr(1)
}
# ftruncate __________________________________________________
# long sys_ftruncate(unsigned int fd, unsigned long length)
-probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") {
+probe nd_syscall.ftruncate = kprobe.function("sys_ftruncate")
+{
name = "ftruncate"
- fd = $fd
- length = $length
+ // fd = $fd
+ // length = $length
+ asmlinkage()
+ fd = int_arg(1)
+ length = ulong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
-probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return {
+probe nd_syscall.ftruncate.return = kprobe.function("sys_ftruncate").return
+{
name = "ftruncate"
retstr = returnstr(1)
}
# ftruncate64 ________________________________________________
# long sys_ftruncate64(unsigned int fd, loff_t length)
-probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
+probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ?
+{
name = "ftruncate"
- fd = $fd
- length = $length
+ // fd = $fd
+ // length = $length
+ asmlinkage()
+ fd = int_arg(1)
+ length = longlong_arg(2)
argstr = sprintf("%d, %d", fd, length)
}
-probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
+probe nd_syscall.ftruncate64.return = kprobe.function("sys_ftruncate64").return ?
+{
name = "ftruncate"
retstr = returnstr(1)
}
@@ -1235,7 +1425,8 @@ probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return
# struct compat_timespec __user *utime, u32 __user *uaddr2,
# u32 val3)
#
-probe nd_syscall.futex = kernel.function("sys_futex") ? {
+probe nd_syscall.futex = kprobe.function("sys_futex") ?
+{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
@@ -1245,7 +1436,7 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
// val3 = $val3
// if (op == 0)
// argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_timespec_u($utime,1))
+ // $val, _struct_timespec_u($utime, 1))
// else
// argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
// $val)
@@ -1259,16 +1450,18 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
- _struct_timespec_u(utime_uaddr,1))
+ _struct_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
_futex_op_str(op), val)
}
-probe nd_syscall.futex.return = kernel.function("sys_futex").return ? {
+probe nd_syscall.futex.return = kprobe.function("sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
-probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
+probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ?
+{
name = "futex"
// futex_uaddr = $uaddr
// op = $op
@@ -1278,7 +1471,7 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
// val3 = $val3
// if (op == 0)
// argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_compat_timespec_u($utime,1))
+ // $val, _struct_compat_timespec_u($utime, 1))
// else
// argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
// $val)
@@ -1292,12 +1485,13 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
_futex_op_str(op), val,
- _struct_compat_timespec_u(utime_uaddr,1))
+ _struct_compat_timespec_u(utime_uaddr, 1))
else
argstr = sprintf("%p, %s, %d", futex_uaddr,
_futex_op_str(op), val)
}
-probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? {
+probe nd_syscall.compat_futex.return = kprobe.function("compat_sys_futex").return ?
+{
name = "futex"
retstr = returnstr(1)
}
@@ -1308,69 +1502,95 @@ probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").retur
# long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t)
#
-probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? {
+probe nd_syscall.futimesat = kprobe.function("sys_futimesat") ?
+{
name = "futimesat"
- dirfd = $dfd
- filename_uaddr = $filename
- filename = user_string($filename)
- tvp_uaddr = $utimes
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- _struct_timeval_u($utimes, 2))
-}
-probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? {
+ // dirfd = $dfd
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ dirfd = int_arg(1)
+ filename_uaddr = pointer_arg(2)
+ filename = user_string(filename_uaddr)
+ tvp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %s", _dfd_str(dirfd), user_string_quoted(filename_uaddr),
+ _struct_timeval_u(tvp_uaddr, 2))
+}
+probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ?
+{
name = "futimesat"
- dirfd = $dfd
- filename_uaddr = $filename
- filename = user_string($filename)
- tvp_uaddr = $t
- argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- _struct_compat_timeval_u($t, 2))
-}
-probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? {
+ // dirfd = $dfd
+ // filename_uaddr = $filename
+ // filename = user_string($filename)
+ // tvp_uaddr = $utimes
+ // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
+ // _struct_timeval_u($utimes, 2))
+ asmlinkage()
+ dirfd = uint_arg(1)
+ filename_uaddr = pointer_arg(2)
+ filename = user_string(pointer_arg(2))
+ tvp_uaddr = pointer_arg(3)
+ argstr = sprintf("%s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
+ _struct_compat_timeval_u(pointer_arg(3), 2))
+}
+probe nd_syscall.futimesat.return = kprobe.function("sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
-probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? {
+probe nd_syscall.compat_futimesat.return = kprobe.function("compat_sys_futimesat").return ?
+{
name = "futimesat"
retstr = returnstr(1)
}
# getcwd _____________________________________________________
# long sys_getcwd(char __user *buf, unsigned long size)
-probe nd_syscall.getcwd = kernel.function("sys_getcwd") {
+probe nd_syscall.getcwd = kprobe.function("sys_getcwd")
+{
name = "getcwd"
- buf_uaddr = $buf
- size = $size
+ // buf_uaddr = $buf
+ // size = $size
+ asmlinkage()
+ buf_uaddr = pointer_arg(1)
+ size = ulong_arg(2)
argstr = sprintf("%p, %d", buf_uaddr, size)
}
-probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return {
+probe nd_syscall.getcwd.return = kprobe.function("sys_getcwd").return
+{
name = "getcwd"
retstr = returnstr(1)
}
# getdents ___________________________________________________
# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
-# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count)
+# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
#
-probe nd_syscall.getdents =
- kernel.function("sys_getdents") ?,
- kernel.function("sys_getdents64") ?,
- kernel.function("compat_sys_getdents") ?,
- kernel.function("compat_sys_getdents64") ?
+probe nd_syscall.getdents = kprobe.function("sys_getdents") ?,
+ kprobe.function("sys_getdents64") ?,
+ kprobe.function("compat_sys_getdents") ?,
+ kprobe.function("compat_sys_getdents64") ?
{
name = "getdents"
- fd = $fd
- dirp_uaddr = $dirent
- count = $count
- argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+ // fd = $fd
+ // dirp_uaddr = $dirent
+ // count = $count
+ // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+ asmlinkage()
+ fd = int_arg(1)
+ dirp_uaddr = pointer_arg(2)
+ count = uint_arg(3)
+ argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
}
-probe nd_syscall.getdents.return =
- kernel.function("sys_getdents").return ?,
- kernel.function("sys_getdents64").return ?,
- kernel.function("compat_sys_getdents").return ?,
- kernel.function("compat_sys_getdents64").return ?
+probe nd_syscall.getdents.return = kprobe.function("sys_getdents").return ?,
+ kprobe.function("sys_getdents64").return ?,
+ kprobe.function("compat_sys_getdents").return ?,
+ kprobe.function("compat_sys_getdents64").return ?
{
name = "getdents"
retstr = returnstr(1)
@@ -1381,18 +1601,16 @@ probe nd_syscall.getdents.return =
# long sys_getegid16(void)
# long sys32_getegid16(void)
#
-probe nd_syscall.getegid =
- kernel.function("sys_getegid16") ?,
- kernel.function("sys32_getegid16") ?,
- kernel.function("sys_getegid")
+probe nd_syscall.getegid = kprobe.function("sys_getegid16") ?,
+ kprobe.function("sys32_getegid16") ?,
+ kprobe.function("sys_getegid")
{
name = "getegid"
argstr = ""
}
-probe nd_syscall.getegid.return =
- kernel.function("sys_getegid16").return ?,
- kernel.function("sys32_getegid16").return ?,
- kernel.function("sys_getegid").return
+probe nd_syscall.getegid.return = kprobe.function("sys_getegid16").return ?,
+ kprobe.function("sys32_getegid16").return ?,
+ kprobe.function("sys_getegid").return
{
name = "getegid"
retstr = returnstr(1)
@@ -1402,18 +1620,16 @@ probe nd_syscall.getegid.return =
# long sys_geteuid(void)
# long sys32_geteuid16(void)
#
-probe nd_syscall.geteuid =
- kernel.function("sys_geteuid16") ?,
- kernel.function("sys32_geteuid16") ?,
- kernel.function("sys_geteuid")
+probe nd_syscall.geteuid = kprobe.function("sys_geteuid16") ?,
+ kprobe.function("sys32_geteuid16") ?,
+ kprobe.function("sys_geteuid")
{
name = "geteuid"
argstr = ""
}
-probe nd_syscall.geteuid.return =
- kernel.function("sys_geteuid16").return ?,
- kernel.function("sys32_geteuid16").return ?,
- kernel.function("sys_geteuid").return
+probe nd_syscall.geteuid.return = kprobe.function("sys_geteuid16").return ?,
+ kprobe.function("sys32_geteuid16").return ?,
+ kprobe.function("sys_geteuid").return
{
name = "geteuid"
retstr = returnstr(1)
@@ -1423,18 +1639,16 @@ probe nd_syscall.geteuid.return =
# long sys_getgid(void)
# long sys32_getgid16(void)
#
-probe nd_syscall.getgid =
- kernel.function("sys_getgid16") ?,
- kernel.function("sys32_getgid16") ?,
- kernel.function("sys_getgid")
+probe nd_syscall.getgid = kprobe.function("sys_getgid16") ?,
+ kprobe.function("sys32_getgid16") ?,
+ kprobe.function("sys_getgid")
{
name = "getgid"
argstr = ""
}
-probe nd_syscall.getgid.return =
- kernel.function("sys_getgid16").return ?,
- kernel.function("sys32_getgid16").return ?,
- kernel.function("sys_getgid").return
+probe nd_syscall.getgid.return = kprobe.function("sys_getgid16").return ?,
+ kprobe.function("sys32_getgid16").return ?,
+ kprobe.function("sys_getgid").return
{
name = "getgid"
retstr = returnstr(1)
@@ -1445,20 +1659,22 @@ probe nd_syscall.getgid.return =
# long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
# long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
#
-probe nd_syscall.getgroups =
- kernel.function("sys_getgroups") ?,
- kernel.function("sys_getgroups16") ?,
- kernel.function("sys32_getgroups16") ?
+probe nd_syscall.getgroups = kprobe.function("sys_getgroups") ?,
+ kprobe.function("sys_getgroups16") ?,
+ kprobe.function("sys32_getgroups16") ?
{
name = "getgroups"
- size = $gidsetsize
- list_uaddr = $grouplist
- argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+ // size = $gidsetsize
+ // list_uaddr = $grouplist
+ // argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+ asmlinkage()
+ size = int_arg(1)
+ list_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", size, list_uaddr)
}
-probe nd_syscall.getgroups.return =
- kernel.function("sys_getgroups").return ?,
- kernel.function("sys_getgroups16").return ?,
- kernel.function("sys32_getgroups16").return ?
+probe nd_syscall.getgroups.return = kprobe.function("sys_getgroups").return ?,
+ kprobe.function("sys_getgroups16").return ?,
+ kprobe.function("sys32_getgroups16").return ?
{
name = "getgroups"
retstr = returnstr(1)
@@ -1466,13 +1682,18 @@ probe nd_syscall.getgroups.return =
# gethostname ________________________________________________
# long sys_gethostname(char __user *name, int len)
-probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? {
+probe nd_syscall.gethostname = kprobe.function("sys_gethostname") ?
+{
name = "gethostname"
- name_uaddr = $name
- len = $len
+ // name_uaddr = $name
+ // len = $len
+ asmlinkage()
+ name_uaddr = pointer_arg(1)
+ len = int_arg(2)
argstr = sprintf ("%p, %d", name_uaddr, len)
}
-probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? {
+probe nd_syscall.gethostname.return = kprobe.function("sys_gethostname").return ?
+{
name = "gethostname"
retstr = returnstr(1)
}
@@ -1480,24 +1701,36 @@ probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return
# getitimer __________________________________________________
# sys_getitimer(int which, struct itimerval __user *value)
#
-probe nd_syscall.getitimer = kernel.function("sys_getitimer") {
+probe nd_syscall.getitimer = kprobe.function("sys_getitimer")
+{
name = "getitimer"
- which = $which
- value_uaddr = $value
- argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ // which = $which
+ // value_uaddr = $value
+ // argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr )
}
-probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return {
+probe nd_syscall.getitimer.return = kprobe.function("sys_getitimer").return
+{
name = "getitimer"
retstr = returnstr(1)
}
# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
-probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
+probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ?
+{
name = "getitimer"
- which = $which
- value_uaddr = $it
- argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ // which = $which
+ // value_uaddr = $it
+ // argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
+ asmlinkage()
+ which = int_arg(1)
+ value_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr)
}
-probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
+probe nd_syscall.compat_getitimer.return = kprobe.function("compat_sys_getitimer").return ?
+{
name = "getitimer"
retstr = returnstr(1)
}
@@ -1513,22 +1746,28 @@ probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer
# compat_ulong_t maxnode,
# compat_ulong_t addr, compat_ulong_t flags)
#
-probe nd_syscall.get_mempolicy =
- kernel.function("sys_get_mempolicy") ?,
- kernel.function("compat_sys_get_mempolicy") ?
+probe nd_syscall.get_mempolicy = kprobe.function("sys_get_mempolicy") ?,
+ kprobe.function("compat_sys_get_mempolicy") ?
{
name = "get_mempolicy"
- policy_uaddr = $policy
- nmask_uaddr = $nmask
- maxnode = $maxnode
- addr = $addr
- flags = $flags
- argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
- $nmask, $maxnode, $addr, $flags)
-}
-probe nd_syscall.get_mempolicy.return =
- kernel.function("sys_get_mempolicy").return ?,
- kernel.function("compat_sys_get_mempolicy").return ?
+ // policy_uaddr = $policy
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // addr = $addr
+ // flags = $flags
+ // argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
+ // $nmask, $maxnode, $addr, $flags)
+ asmlinkage()
+ policy_uaddr = pointer_arg(1)
+ nmask_uaddr = pointer_arg(2)
+ maxnode = ulong_arg(3)
+ addr = ulong_arg(4)
+ flags = ulong_arg(5)
+ argstr = sprintf("%p, %p, %d, %p, 0x%x", policy_uaddr,
+ nmask_uaddr, maxnode, addr, flags)
+}
+probe nd_syscall.get_mempolicy.return = kprobe.function("sys_get_mempolicy").return ?,
+ kprobe.function("compat_sys_get_mempolicy").return ?
{
name = "get_mempolicy"
retstr = returnstr(1)
@@ -1537,72 +1776,95 @@ probe nd_syscall.get_mempolicy.return =
# getpeername ________________________________________________
# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
#
-probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? {
+probe nd_syscall.getpeername = kprobe.function("sys_getpeername") ?
+{
name = "getpeername"
- s = $fd
- name_uaddr = $usockaddr
- namelen_uaddr = $usockaddr_len
- argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ // s = $fd
+ // name_uaddr = $usockaddr
+ // namelen_uaddr = $usockaddr_len
+ // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ asmlinkage()
+ s = int_arg(1)
+ name_uaddr = pointer_arg(2)
+ namelen_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
-probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? {
+probe nd_syscall.getpeername.return = kprobe.function("sys_getpeername").return ?
+{
name = "getpeername"
retstr = returnstr(1)
}
# getpgid ____________________________________________________
# long sys_getpgid(pid_t pid)
-probe nd_syscall.getpgid = kernel.function("sys_getpgid") {
+probe nd_syscall.getpgid = kprobe.function("sys_getpgid")
+{
name = "getpgid"
- pid = $pid
- argstr = sprintf("%d", $pid)
+ // pid = $pid
+ // argstr = sprintf("%d", $pid)
+ asmlinkage()
+ pid = int_arg(1)
+ argstr = sprintf("%d", pid)
}
-probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return {
+probe nd_syscall.getpgid.return = kprobe.function("sys_getpgid").return
+{
name = "getpgid"
retstr = returnstr(1)
}
# getpgrp ____________________________________________________
# long sys_getpgrp(void)
-probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? {
+probe nd_syscall.getpgrp = kprobe.function("sys_getpgrp") ?
+{
name = "getpgrp"
argstr = ""
}
-probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? {
+probe nd_syscall.getpgrp.return = kprobe.function("sys_getpgrp").return ?
+{
name = "getpgrp"
retstr = returnstr(1)
}
# getpid _____________________________________________________
# long sys_getpid(void)
-probe nd_syscall.getpid = kernel.function("sys_getpid") {
+probe nd_syscall.getpid = kprobe.function("sys_getpid")
+{
name = "getpid"
argstr = ""
}
-probe nd_syscall.getpid.return = kernel.function("sys_getpid").return {
+probe nd_syscall.getpid.return = kprobe.function("sys_getpid").return
+{
name = "getpid"
retstr = returnstr(1)
}
# getppid ____________________________________________________
# long sys_getppid(void)
-probe nd_syscall.getppid = kernel.function("sys_getppid") {
+probe nd_syscall.getppid = kprobe.function("sys_getppid")
+{
name = "getppid"
argstr = ""
}
-probe nd_syscall.getppid.return = kernel.function("sys_getppid").return {
+probe nd_syscall.getppid.return = kprobe.function("sys_getppid").return
+{
name = "getppid"
retstr = returnstr(1)
}
# getpriority ________________________________________________
# long sys_getpriority(int which, int who)
-probe nd_syscall.getpriority = kernel.function("sys_getpriority") {
+probe nd_syscall.getpriority = kprobe.function("sys_getpriority")
+{
name = "getpriority"
- which = $which
- who = $who
+ // which = $which
+ // who = $who
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
argstr = sprintf("%s, %d", _priority_which_str(which), who)
}
-probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return {
+probe nd_syscall.getpriority.return = kprobe.function("sys_getpriority").return
+{
name = "getpriority"
retstr = returnstr(1)
}
@@ -1614,19 +1876,22 @@ probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return
# long sys_getresgid16(old_uid_t __user *rgid,
# old_uid_t __user *egid,
# old_uid_t __user *sgid)
-probe nd_syscall.getresgid =
- kernel.function("sys_getresgid16") ?,
- kernel.function("sys_getresgid")
+probe nd_syscall.getresgid = kprobe.function("sys_getresgid16") ?,
+ kprobe.function("sys_getresgid")
{
name = "getresgid"
- rgid_uaddr = $rgid
- egid_uaddr = $egid
- sgid_uaddr = $sgid
- argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+ // rgid_uaddr = $rgid
+ // egid_uaddr = $egid
+ // sgid_uaddr = $sgid
+ // argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+ asmlinkage()
+ rgid_uaddr = pointer_arg(1)
+ egid_uaddr = pointer_arg(2)
+ sgid_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
}
-probe nd_syscall.getresgid.return =
- kernel.function("sys_getresgid16").return ?,
- kernel.function("sys_getresgid").return
+probe nd_syscall.getresgid.return = kprobe.function("sys_getresgid16").return ?,
+ kprobe.function("sys_getresgid").return
{
name = "getresgid"
retstr = returnstr(1)
@@ -1636,19 +1901,22 @@ probe nd_syscall.getresgid.return =
# long sys_getresuid(uid_t __user *ruid,
# uid_t __user *euid,
# uid_t __user *suid)
-probe nd_syscall.getresuid =
- kernel.function("sys_getresuid16") ?,
- kernel.function("sys_getresuid")
+probe nd_syscall.getresuid = kprobe.function("sys_getresuid16") ?,
+ kprobe.function("sys_getresuid")
{
name = "getresuid"
- ruid_uaddr = $ruid
- euid_uaddr = $euid
- suid_uaddr = $suid
- argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+ // ruid_uaddr = $ruid
+ // euid_uaddr = $euid
+ // suid_uaddr = $suid
+ // argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+ asmlinkage()
+ ruid_uaddr = pointer_arg(1)
+ euid_uaddr = pointer_arg(2)
+ suid_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
}
-probe nd_syscall.getresuid.return =
- kernel.function("sys_getresuid16").return ?,
- kernel.function("sys_getresuid").return
+probe nd_syscall.getresuid.return = kprobe.function("sys_getresuid16").return ?,
+ kprobe.function("sys_getresuid").return
{
name = "getresuid"
retstr = returnstr(1)
@@ -1658,18 +1926,22 @@ probe nd_syscall.getresuid.return =
# long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
# long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
-probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"),
- kernel.function("sys_old_getrlimit") ?,
- kernel.function("compat_sys_getrlimit") ?
+probe nd_syscall.getrlimit = kprobe.function("sys_getrlimit"),
+ kprobe.function("sys_old_getrlimit") ?,
+ kprobe.function("compat_sys_getrlimit") ?
{
name = "getrlimit"
- resource = $resource
- rlim_uaddr = $rlim
- argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+ // resource = $resource
+ // rlim_uaddr = $rlim
+ // argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+ asmlinkage()
+ resource = uint_arg(1)
+ rlim_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", _rlimit_resource_str(resource), rlim_uaddr)
}
-probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
- kernel.function("sys_old_getrlimit").return ?,
- kernel.function("compat_sys_getrlimit").return ?
+probe nd_syscall.getrlimit.return = kprobe.function("sys_getrlimit").return,
+ kprobe.function("sys_old_getrlimit").return ?,
+ kprobe.function("compat_sys_getrlimit").return ?
{
name = "getrlimit"
retstr = returnstr(1)
@@ -1677,7 +1949,8 @@ probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
# getrusage __________________________________________________
# long sys_getrusage(int who, struct rusage __user *ru)
-probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
+probe nd_syscall.getrusage = kprobe.function("sys_getrusage")
+{
name = "getrusage"
// who = $who
// if($who==-2)
@@ -1704,19 +1977,24 @@ probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
usage_uaddr = pointer_arg(2)
argstr = sprintf("%s, %p", who_str, usage_uaddr)
}
-probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return {
+probe nd_syscall.getrusage.return = kprobe.function("sys_getrusage").return
+{
name = "getrusage"
retstr = returnstr(1)
}
# getsid _____________________________________________________
# long sys_getsid(pid_t pid)
-probe nd_syscall.getsid = kernel.function("sys_getsid") {
+probe nd_syscall.getsid = kprobe.function("sys_getsid")
+{
name = "getsid"
- pid = $pid
+ // pid = $pid
+ asmlinkage()
+ pid = int_arg(1)
argstr = sprint(pid)
}
-probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
+probe nd_syscall.getsid.return = kprobe.function("sys_getsid").return
+{
name = "getsid"
retstr = returnstr(1)
}
@@ -1725,14 +2003,21 @@ probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
# long sys_getsockname(int fd,
# struct sockaddr __user *usockaddr,
# int __user *usockaddr_len)
-probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? {
+probe nd_syscall.getsockname = kprobe.function("sys_getsockname") ?
+{
name = "getsockname"
- s = $fd
- name_uaddr = $usockaddr
- namelen_uaddr = $usockaddr_len
- argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ // s = $fd
+ // name_uaddr = $usockaddr
+ // namelen_uaddr = $usockaddr_len
+ // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+ asmlinkage()
+ s = int_arg(1)
+ name_uaddr = pointer_arg(2)
+ namelen_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
}
-probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? {
+probe nd_syscall.getsockname.return = kprobe.function("sys_getsockname").return ?
+{
name = "getsockname"
retstr = returnstr(1)
}
@@ -1744,24 +2029,32 @@ probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return
# char __user *optval,
# int __user *optlen)
#
-probe nd_syscall.getsockopt =
- kernel.function("sys_getsockopt") ?,
- kernel.function("compat_sys_getsockopt") ?
+probe nd_syscall.getsockopt = kprobe.function("sys_getsockopt") ?,
+ kprobe.function("compat_sys_getsockopt") ?
{
name = "getsockopt"
- fd = $fd
- level = $level
- level_str = _sockopt_level_str($level)
- optname = $optname
- optname_str = _sockopt_optname_str($optname)
- optval_uaddr = $optval
- optlen_uaddr = $optlen
- argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
- _sockopt_optname_str($optname), $optval, $optlen)
-}
-probe nd_syscall.getsockopt.return =
- kernel.function("sys_getsockopt").return ?,
- kernel.function("compat_sys_getsockopt").return ?
+ // fd = $fd
+ // level = $level
+ // level_str = _sockopt_level_str($level)
+ // optname = $optname
+ // optname_str = _sockopt_optname_str($optname)
+ // optval_uaddr = $optval
+ // optlen_uaddr = $optlen
+ // argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
+ // _sockopt_optname_str($optname), $optval, $optlen)
+ asmlinkage()
+ fd = int_arg(1)
+ level = int_arg(2)
+ level_str = _sockopt_level_str(level)
+ optname = int_arg(3)
+ optname_str = _sockopt_optname_str(optname)
+ optval_uaddr = pointer_arg(4)
+ optlen_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %s, %s, %p, %p", fd, _sockopt_level_str(level),
+ _sockopt_optname_str(optname), optval_uaddr, optlen_uaddr)
+}
+probe nd_syscall.getsockopt.return = kprobe.function("sys_getsockopt").return ?,
+ kprobe.function("compat_sys_getsockopt").return ?
{
name = "getsockopt"
retstr = returnstr(1)
@@ -1769,11 +2062,13 @@ probe nd_syscall.getsockopt.return =
# gettid _____________________________________________________
# long sys_gettid(void)
-probe nd_syscall.gettid = kernel.function("sys_gettid") {
+probe nd_syscall.gettid = kprobe.function("sys_gettid")
+{
name = "gettid"
argstr = ""
}
-probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
+probe nd_syscall.gettid.return = kprobe.function("sys_gettid").return
+{
name = "gettid"
retstr = returnstr(1)
}
@@ -1785,21 +2080,23 @@ probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
# struct timezone __user *tz)
# long compat_sys_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
-probe nd_syscall.gettimeofday =
- kernel.function("sys_gettimeofday"),
- kernel.function("sys32_gettimeofday") ?,
- kernel.function("compat_sys_gettimeofday") ?
+probe nd_syscall.gettimeofday = kprobe.function("sys_gettimeofday"),
+ kprobe.function("sys32_gettimeofday") ?,
+ kprobe.function("compat_sys_gettimeofday") ?
{
name = "gettimeofday"
- tv_uaddr = $tv
- tz_uaddr = $tz
- argstr = sprintf("%p, %p", $tv, $tz)
+ // tv_uaddr = $tv
+ // tz_uaddr = $tz
+ // argstr = sprintf("%p, %p", $tv, $tz)
+ asmlinkage()
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+ argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr)
}
-probe nd_syscall.gettimeofday.return =
- kernel.function("sys_gettimeofday").return,
- kernel.function("sys32_gettimeofday").return ?,
- kernel.function("compat_sys_gettimeofday").return ?
+probe nd_syscall.gettimeofday.return = kprobe.function("sys_gettimeofday").return,
+ kprobe.function("sys32_gettimeofday").return ?,
+ kprobe.function("compat_sys_gettimeofday").return ?
{
name = "gettimeofday"
retstr = returnstr(1)
@@ -1810,18 +2107,16 @@ probe nd_syscall.gettimeofday.return =
# long sys_getuid16(void)
# long sys32_getuid16(void)
#
-probe nd_syscall.getuid =
- kernel.function("sys_getuid16") ?,
- kernel.function("sys32_getuid16") ?,
- kernel.function("sys_getuid")
+probe nd_syscall.getuid = kprobe.function("sys_getuid16") ?,
+ kprobe.function("sys32_getuid16") ?,
+ kprobe.function("sys_getuid")
{
name = "getuid"
argstr = ""
}
-probe nd_syscall.getuid.return =
- kernel.function("sys_getuid16").return ?,
- kernel.function("sys32_getuid16").return ?,
- kernel.function("sys_getuid").return
+probe nd_syscall.getuid.return = kprobe.function("sys_getuid16").return ?,
+ kprobe.function("sys32_getuid16").return ?,
+ kprobe.function("sys_getuid").return
{
name = "getuid"
retstr = returnstr(1)
@@ -1830,19 +2125,38 @@ probe nd_syscall.getuid.return =
# getxattr ___________________________________________________
# ssize_t sys_getxattr(char __user *path, char __user *name,
# void __user *value, size_t size)
-probe nd_syscall.getxattr = kernel.function("sys_getxattr") {
+probe nd_syscall.getxattr = kprobe.function("sys_getxattr")
+{
name = "getxattr"
- path = user_string($path)
+ // %( kernel_v >= "2.6.27" %?
+ // path = user_string($pathname)
+ // %:
+ // path = user_string($path)
+ // %)
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%s, %s, %p, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, size)
+ asmlinkage()
+ path = pointer_arg(1)
# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
argstr = sprintf("%s, %s, %p, %d",
- user_string_quoted($path),
- user_string_quoted($name),
+ user_string_quoted(path),
+ user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
-probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
+probe nd_syscall.getxattr.return = kprobe.function("sys_getxattr").return
+{
name = "getxattr"
retstr = returnstr(1)
}
@@ -1852,14 +2166,21 @@ probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
# unsigned long len,
# const char __user *uargs)
#
-probe nd_syscall.init_module = kernel.function("sys_init_module") ? {
+probe nd_syscall.init_module = kprobe.function("sys_init_module") ?
+{
name = "init_module"
- umod_uaddr = $umod
- len = $len
- uargs = user_string($uargs)
- argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+ // umod_uaddr = $umod
+ // len = $len
+ // uargs = user_string($uargs)
+ // argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+ asmlinkage()
+ umod_uaddr = pointer_arg(1)
+ len = ulong_arg(2)
+ uargs = user_string(pointer_arg(3))
+ argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(4)))
}
-probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? {
+probe nd_syscall.init_module.return = kprobe.function("sys_init_module").return ?
+{
name = "init_module"
retstr = returnstr(1)
}
@@ -1868,15 +2189,29 @@ probe nd_syscall.init_module.return = kernel.function("sys_init_module").return
#
# long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
#
-probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? {
+probe nd_syscall.inotify_add_watch = kprobe.function("sys_inotify_add_watch") ?
+{
name = "inotify_add_watch"
- fd = $fd
- path_uaddr = $path
- path = user_string($path)
- mask = $mask
- argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+ // fd = $fd
+ // mask = $mask
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($pathname), $mask)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+ // %)
+ asmlinkage()
+ fd = int_arg(1)
+ path_uaddr = pointer_arg(2)
+ path = user_string(path_uaddr)
+ mask = uint_arg(3)
+ argstr = sprintf("%d, %s, %d", fd, user_string_quoted(path_uaddr), mask)
}
-probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? {
+probe nd_syscall.inotify_add_watch.return = kprobe.function("sys_inotify_add_watch").return ?
+{
name = "inotify_add_watch"
retstr = returnstr(1)
}
@@ -1885,11 +2220,13 @@ probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_wat
#
# long sys_inotify_init(void)
#
-probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? {
+probe nd_syscall.inotify_init = kprobe.function("sys_inotify_init") ?
+{
name = "inotify_init"
argstr = ""
}
-probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? {
+probe nd_syscall.inotify_init.return = kprobe.function("sys_inotify_init").return ?
+{
name = "inotify_init"
retstr = returnstr(1)
}
@@ -1898,13 +2235,19 @@ probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").retur
#
# long sys_inotify_rm_watch(int fd, u32 wd)
#
-probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? {
+probe nd_syscall.inotify_rm_watch = kprobe.function("sys_inotify_rm_watch") ?
+{
name = "inotify_rm_watch"
- fd = $fd
- wd = $wd
- argstr = sprintf("%d, %d", $fd, $wd)
+ // fd = $fd
+ // wd = $wd
+ // argstr = sprintf("%d, %d", $fd, $wd)
+ asmlinkage()
+ fd = int_arg(1)
+ wd = uint_arg(2)
+ argstr = sprintf("%d, %d", fd, wd)
}
-probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? {
+probe nd_syscall.inotify_rm_watch.return = kprobe.function("sys_inotify_rm_watch").return ?
+{
name = "inotify_rm_watch"
retstr = returnstr(1)
}
@@ -1913,14 +2256,20 @@ probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch
# long sys_io_cancel(aio_context_t ctx_id,
# struct iocb __user *iocb,
# struct io_event __user *result)
-probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") {
+probe nd_syscall.io_cancel = kprobe.function("sys_io_cancel")
+{
name = "io_cancel"
- ctx_id = $ctx_id
- iocb_uaddr = $iocb
- result_uaddr = $result
+ // ctx_id = $ctx_id
+ // iocb_uaddr = $iocb
+ // result_uaddr = $result
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ iocb_uaddr = pointer_arg(2)
+ result_uaddr = pointer_arg(3)
argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
}
-probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
+probe nd_syscall.io_cancel.return = kprobe.function("sys_io_cancel").return
+{
name = "io_cancel"
retstr = returnstr(1)
}
@@ -1929,19 +2278,22 @@ probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
#
-probe nd_syscall.ioctl =
- kernel.function("sys_ioctl") ?,
- kernel.function("compat_sys_ioctl") ?
+probe nd_syscall.ioctl = kprobe.function("sys_ioctl") ?,
+ kprobe.function("compat_sys_ioctl") ?
{
name = "ioctl"
- fd = $fd
- request = $cmd
- argp = $arg
- argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+ // fd = $fd
+ // request = $cmd
+ // argp = $arg
+ // argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+ asmlinkage()
+ fd = int_arg(1)
+ request = int_arg(2)
+ argp = ulong_arg(3)
+ argstr = sprintf("%d, %d, %p", fd, request, argp)
}
-probe nd_syscall.ioctl.return =
- kernel.function("sys_ioctl").return ?,
- kernel.function("compat_sys_ioctl").return ?
+probe nd_syscall.ioctl.return = kprobe.function("sys_ioctl").return ?,
+ kprobe.function("compat_sys_ioctl").return ?
{
name = "ioctl"
retstr = returnstr(1)
@@ -1949,12 +2301,16 @@ probe nd_syscall.ioctl.return =
# io_destroy _________________________________________________
# long sys_io_destroy(aio_context_t ctx)
-probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") {
+probe nd_syscall.io_destroy = kprobe.function("sys_io_destroy")
+{
name = "io_destroy"
- ctx = $ctx
+ // ctx = $ctx
+ asmlinkage()
+ ctx = ulong_arg(1)
argstr = sprintf("%d", ctx)
}
-probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
+probe nd_syscall.io_destroy.return = kprobe.function("sys_io_destroy").return
+{
name = "io_destroy"
retstr = returnstr(1)
}
@@ -1971,23 +2327,30 @@ probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
# struct io_event __user *events,
# struct compat_timespec __user *timeout)
#
-probe nd_syscall.io_getevents =
- kernel.function("sys_io_getevents") ?,
- kernel.function("compat_sys_io_getevents") ?
+probe nd_syscall.io_getevents = kprobe.function("sys_io_getevents") ?,
+ kprobe.function("compat_sys_io_getevents") ?
{
name = "io_getevents"
- ctx_id = $ctx_id
- min_nr = $min_nr
- nr = $nr
- events_uaddr = $events
- timeout_uaddr = $timeout
- timestr = _struct_timespec_u($timeout,1)
- argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
- $nr, $events, $timeout, timestr)
-}
-probe nd_syscall.io_getevents.return =
- kernel.function("sys_io_getevents").return ?,
- kernel.function("compat_sys_io_getevents").return ?
+ // ctx_id = $ctx_id
+ // min_nr = $min_nr
+ // nr = $nr
+ // events_uaddr = $events
+ // timeout_uaddr = $timeout
+ // timestr = _struct_timespec_u($timeout, 1)
+ // argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
+ // $nr, $events, $timeout, timestr)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ min_nr = long_arg(2)
+ nr = long_arg(3)
+ events_uaddr = pointer_arg(4)
+ timeout_uaddr = pointer_arg(5)
+ timestr = _struct_timespec_u(timeout_uaddr, 1)
+ argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr,
+ nr, events_uaddr, timeout_uaddr, timestr)
+}
+probe nd_syscall.io_getevents.return = kprobe.function("sys_io_getevents").return ?,
+ kprobe.function("compat_sys_io_getevents").return ?
{
name = "io_getevents"
retstr = returnstr(1)
@@ -1996,14 +2359,21 @@ probe nd_syscall.io_getevents.return =
# ioperm _____________________________________________________
# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
#
-probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? {
+probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ?
+{
name = "ioperm"
- from = $from
- num = $num
- turn_on = $turn_on
- argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+ // from = $from
+ // num = $num
+ // turn_on = $turn_on
+ // argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+ asmlinkage()
+ from = ulong_arg(1)
+ num = ulong_arg(2)
+ turn_on = int_arg(3)
+ argstr = sprintf("%d, %d, %d", from, num, turn_on)
}
-probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
+probe nd_syscall.ioperm.return = kprobe.function("sys_ioperm").return ?
+{
name = "ioperm"
retstr = returnstr(1)
}
@@ -2011,27 +2381,39 @@ probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
# io_setup ___________________________________________________
# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
#
-probe nd_syscall.io_setup = kernel.function("sys_io_setup") {
+probe nd_syscall.io_setup = kprobe.function("sys_io_setup")
+{
name = "io_setup"
- maxevents = $nr_events
- ctxp_uaddr = $ctxp
- argstr = sprintf("%d, %p", $nr_events, $ctxp)
+ // maxevents = $nr_events
+ // ctxp_uaddr = $ctxp
+ // argstr = sprintf("%d, %p", $nr_events, $ctxp)
+ asmlinkage()
+ maxevents = uint_arg(1)
+ ctxp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
-probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return {
+probe nd_syscall.io_setup.return = kprobe.function("sys_io_setup").return
+{
name = "io_setup"
retstr = returnstr(1)
}
# long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
#
-probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? {
+probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ?
+{
name = "io_setup"
- maxevents = $nr_reqs
- ctxp_uaddr = $ctx32p
- argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+ // maxevents = $nr_reqs
+ // ctxp_uaddr = $ctx32p
+ // argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+ asmlinkage()
+ maxevents = uint_arg(1)
+ ctxp_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
-probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? {
+probe nd_syscall.compat_io_setup.return = kprobe.function("compat_sys_io_setup").return ?
+{
name = "io_setup"
retstr = returnstr(1)
}
@@ -2039,27 +2421,41 @@ probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup")
# io_submit __________________________________________________
# long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
#
-probe nd_syscall.io_submit = kernel.function("sys_io_submit") {
+probe nd_syscall.io_submit = kprobe.function("sys_io_submit")
+{
name = "io_submit"
- ctx_id = $ctx_id
- nr = $nr
- iocbpp_uaddr = $iocbpp
- argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+ // ctx_id = $ctx_id
+ // nr = $nr
+ // iocbpp_uaddr = $iocbpp
+ // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ nr = long_arg(2)
+ iocbpp_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
-probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return {
+probe nd_syscall.io_submit.return = kprobe.function("sys_io_submit").return
+{
name = "io_submit"
retstr = returnstr(1)
}
# long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
#
-probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? {
+probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ?
+{
name = "io_submit"
- ctx_id = $ctx_id
- nr = $nr
- iocbpp_uaddr = $iocb
- argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+ // ctx_id = $ctx_id
+ // nr = $nr
+ // iocbpp_uaddr = $iocb
+ // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+ asmlinkage()
+ ctx_id = ulong_arg(1)
+ nr = int_arg(2)
+ iocbpp_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
-probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? {
+probe nd_syscall.compat_io_submit.return = kprobe.function("compat_sys_io_submit").return ?
+{
name = "io_submit"
retstr = returnstr(1)
}
@@ -2067,13 +2463,19 @@ probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit
# ioprio_get _________________________________________________
# long sys_ioprio_get(int which, int who)
#
-probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? {
+probe nd_syscall.ioprio_get = kprobe.function("sys_ioprio_get") ?
+{
name = "ioprio_get"
- which = $which
- who = $who
- argstr = sprintf("%d, %d", $which, $who)
+ // which = $which
+ // who = $who
+ // argstr = sprintf("%d, %d", $which, $who)
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
+ argstr = sprintf("%d, %d", which, who)
}
-probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? {
+probe nd_syscall.ioprio_get.return = kprobe.function("sys_ioprio_get").return ?
+{
name = "ioprio_get"
retstr = returnstr(1)
}
@@ -2081,14 +2483,21 @@ probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ?
# ioprio_set _________________________________________________
# long sys_ioprio_set(int which, int who, int ioprio)
#
-probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? {
+probe nd_syscall.ioprio_set = kprobe.function("sys_ioprio_set") ?
+{
name = "ioprio_set"
- which = $which
- who = $who
- ioprio = $ioprio
- argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+ // which = $which
+ // who = $who
+ // ioprio = $ioprio
+ // argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+ asmlinkage()
+ which = int_arg(1)
+ who = int_arg(2)
+ ioprio = int_arg(3)
+ argstr = sprintf("%d, %d, %d", which, who, ioprio)
}
-probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? {
+probe nd_syscall.ioprio_set.return = kprobe.function("sys_ioprio_set").return ?
+{
name = "ioprio_set"
retstr = returnstr(1)
}
@@ -2103,20 +2512,24 @@ probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ?
# struct compat_kexec_segment __user *segments,
# unsigned long flags)
#
-probe nd_syscall.kexec_load =
- kernel.function("sys_kexec_load") ?,
- kernel.function("compat_sys_kexec_load") ?
+probe nd_syscall.kexec_load = kprobe.function("sys_kexec_load") ?,
+ kprobe.function("compat_sys_kexec_load") ?
{
name = "kexec_load"
- entry = $entry
- nr_segments = $nr_segments
- segments_uaddr = $segments
- flags = $flags
- argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+ // entry = $entry
+ // nr_segments = $nr_segments
+ // segments_uaddr = $segments
+ // flags = $flags
+ // argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+ asmlinkage()
+ entry = ulong_arg(1)
+ nr_segments = ulong_arg(2)
+ segments_uaddr = pointer_arg(3)
+ flags = ulong_arg(4)
+ argstr = sprintf("%p, %d, %p, %d", entry, nr_segments, segments_uaddr, flags)
}
-probe nd_syscall.kexec_load.return =
- kernel.function("sys_kexec_load").return ?,
- kernel.function("compat_sys_kexec_load").return ?
+probe nd_syscall.kexec_load.return = kprobe.function("sys_kexec_load").return ?,
+ kprobe.function("compat_sys_kexec_load").return ?
{
name = "kexec_load"
retstr = returnstr(1)
@@ -2130,17 +2543,17 @@ probe nd_syscall.kexec_load.return =
# unsigned long arg5)
# long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
#
-probe nd_syscall.keyctl =
- kernel.function("sys_keyctl") ?,
- kernel.function("compat_sys_keyctl") ?
+probe nd_syscall.keyctl = kprobe.function("sys_keyctl") ?,
+ kprobe.function("compat_sys_keyctl") ?
{
name = "keyctl"
- argstr = sprintf("%d, ...", $option)
+ // argstr = sprintf("%d, ...", $option)
+ asmlinkage()
+ argstr = sprintf("%d, ...", uint_arg(1))
}
-probe nd_syscall.keyctl.return =
- kernel.function("sys_keyctl").return ?,
- kernel.function("compat_sys_keyctl").return ?
+probe nd_syscall.keyctl.return = kprobe.function("sys_keyctl").return ?,
+ kprobe.function("compat_sys_keyctl").return ?
{
name = "keyctl"
retstr = returnstr(1)
@@ -2148,13 +2561,19 @@ probe nd_syscall.keyctl.return =
# kill _______________________________________________________
# long sys_kill(int pid, int sig)
-probe nd_syscall.kill = kernel.function("sys_kill") {
+probe nd_syscall.kill = kprobe.function("sys_kill")
+{
name = "kill"
- pid = $pid
- sig = $sig
- argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ // pid = $pid
+ // sig = $sig
+ // argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+ asmlinkage()
+ pid = int_arg(1)
+ sig = int_arg(2)
+ argstr = sprintf("%d, %s", pid, _signal_name(sig))
}
-probe nd_syscall.kill.return = kernel.function("sys_kill").return {
+probe nd_syscall.kill.return = kprobe.function("sys_kill").return
+{
name = "kill"
retstr = returnstr(1)
}
@@ -2162,14 +2581,21 @@ probe nd_syscall.kill.return = kernel.function("sys_kill").return {
# lchown _____________________________________________________
# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
#
-probe nd_syscall.lchown = kernel.function("sys_lchown") {
+probe nd_syscall.lchown = kprobe.function("sys_lchown")
+{
name = "lchown"
- path = user_string($filename)
- owner = __int32($user)
- group = __int32($group)
- argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+ // path = user_string($filename)
+ // owner = __int32($user)
+ // group = __int32($group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ owner = __int32(uint_arg(2))
+ group = __int32(uint_arg(3))
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
+probe nd_syscall.lchown.return = kprobe.function("sys_lchown").return
+{
name = "lchown"
retstr = returnstr(1)
}
@@ -2178,14 +2604,21 @@ probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
# long sys_lchown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
-probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? {
+probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ?
+{
name = "lchown16"
- path = user_string($filename)
- owner = __short($user)
- group = __short($group)
- argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ // path = user_string($filename)
+ // owner = __short($user)
+ // group = __short($group)
+ // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ owner = __short(uint_arg(2))
+ group = __short(uint_arg(3))
+ argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
}
-probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
+probe nd_syscall.lchown16.return = kprobe.function("sys_lchown16").return ?
+{
name = "lchown16"
retstr = returnstr(1)
}
@@ -2195,47 +2628,81 @@ probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
# void __user *value,
# size_t size)
#
-probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") {
+probe nd_syscall.lgetxattr = kprobe.function("sys_lgetxattr")
+{
name = "lgetxattr"
- path = user_string($path)
+ // %( kernel_v >= "2.6.27" %?
+ // path = user_string($pathname)
+ // %:
+ // path = user_string($path)
+ // %)
+ // # FIXME
+ // name2 = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // argstr = sprintf("%s, %s, %p, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, size)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
# FIXME
- name2 = user_string($name)
- value_uaddr = $value
- size = $size
+ name2 = user_string(pointer_arg(2))
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
argstr = sprintf("%s, %s, %p, %d",
- user_string_quoted($path),
- user_string_quoted($name),
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)),
value_uaddr, size)
}
-probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return {
+probe nd_syscall.lgetxattr.return = kprobe.function("sys_lgetxattr").return
+{
name = "lgetxattr"
retstr = returnstr(1)
}
# link _______________________________________________________
# long sys_link(const char __user * oldname,
# const char __user * newname)
-probe nd_syscall.link = kernel.function("sys_link") {
+probe nd_syscall.link = kprobe.function("sys_link")
+{
name = "link"
- oldpath = user_string($oldname)
- newpath = user_string($newname)
+ // oldpath = user_string($oldname)
+ // newpath = user_string($newname)
+ // argstr = sprintf("%s, %s",
+ // user_string_quoted($oldname),
+ // user_string_quoted($newname))
+ asmlinkage()
+ oldpath = user_string(pointer_arg(1))
+ newpath = user_string(pointer_arg(2))
argstr = sprintf("%s, %s",
- user_string_quoted($oldname),
- user_string_quoted($newname))
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)))
}
-probe nd_syscall.link.return = kernel.function("sys_link").return {
+probe nd_syscall.link.return = kprobe.function("sys_link").return
+{
name = "link"
retstr = returnstr(1)
}
# listen _____________________________________________________
# long sys_listen(int fd, int backlog)
-probe nd_syscall.listen = kernel.function("sys_listen") ? {
+probe nd_syscall.listen = kprobe.function("sys_listen") ?
+{
name = "listen"
- sockfd = $fd
- backlog = $backlog
- argstr = sprintf("%d, %d", $fd, $backlog)
+ // sockfd = $fd
+ // backlog = $backlog
+ // argstr = sprintf("%d, %d", $fd, $backlog)
+ asmlinkage()
+ sockfd = int_arg(1)
+ backlog = int_arg(2)
+ argstr = sprintf("%d, %d", sockfd, backlog)
}
-probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
+probe nd_syscall.listen.return = kprobe.function("sys_listen").return ?
+{
name = "listen"
retstr = returnstr(1)
}
@@ -2243,15 +2710,29 @@ probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
# listxattr __________________________________________________
# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
#
-probe nd_syscall.listxattr = kernel.function("sys_listxattr") {
+probe nd_syscall.listxattr = kprobe.function("sys_listxattr")
+{
name = "listxattr"
- path_uaddr = $path
- path = user_string($path)
- list_uaddr = $list
- size = $size
- argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // list_uaddr = $list
+ // size = $size
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
}
-probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
+probe nd_syscall.listxattr.return = kprobe.function("sys_listxattr").return
+{
name = "listxattr"
retstr = returnstr(1)
}
@@ -2259,15 +2740,29 @@ probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
# llistxattr _________________________________________________
# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
#
-probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") {
+probe nd_syscall.llistxattr = kprobe.function("sys_llistxattr")
+{
name = "llistxattr"
- path_uaddr = $path
- path = user_string($path)
- list_uaddr = $list
- size = $size
- argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // list_uaddr = $list
+ // size = $size
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ list_uaddr = pointer_arg(2)
+ size = ulong_arg(3)
+ argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
}
-probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
+probe nd_syscall.llistxattr.return = kprobe.function("sys_llistxattr").return
+{
name = "llistxattr"
retstr = returnstr(1)
}
@@ -2278,18 +2773,29 @@ probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
# unsigned long offset_low,
# loff_t __user * result,
# unsigned int origin)
-probe nd_syscall.llseek = kernel.function("sys_llseek") ? {
+probe nd_syscall.llseek = kprobe.function("sys_llseek") ?
+{
name = "llseek"
- fd = $fd
- offset_high = $offset_high
- offset_low = $offset_low
- result_uaddr = $result
- whence = $origin
- whence_str = _seek_whence_str($origin)
- argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
- $offset_low, $result, whence_str)
-}
-probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
+ // fd = $fd
+ // offset_high = $offset_high
+ // offset_low = $offset_low
+ // result_uaddr = $result
+ // whence = $origin
+ // whence_str = _seek_whence_str($origin)
+ // argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
+ // $offset_low, $result, whence_str)
+ asmlinkage()
+ fd = int_arg(1)
+ offset_high = ulong_arg(2)
+ offset_low = ulong_arg(3)
+ result_uaddr = pointer_arg(4)
+ whence = uint_arg(5)
+ whence_str = _seek_whence_str(whence)
+ argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
+ offset_low, result_uaddr, whence_str)
+}
+probe nd_syscall.llseek.return = kprobe.function("sys_llseek").return ?
+{
name = "llseek"
retstr = returnstr(1)
}
@@ -2297,14 +2803,21 @@ probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
# lookup_dcookie _____________________________________________
# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
#
-probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? {
+probe nd_syscall.lookup_dcookie = kprobe.function("sys_lookup_dcookie") ?
+{
name = "lookup_dcookie"
- cookie = $cookie64
- buffer_uaddr = $buf
- len = $len
- argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+ // cookie = $cookie64
+ // buffer_uaddr = $buf
+ // len = $len
+ // argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+ asmlinkage()
+ cookie = ulonglong_arg(1)
+ buffer_uaddr = pointer_arg(2)
+ len = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len)
}
-probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? {
+probe nd_syscall.lookup_dcookie.return = kprobe.function("sys_lookup_dcookie").return ?
+{
name = "lookup_dcookie"
retstr = returnstr(1)
}
@@ -2312,31 +2825,53 @@ probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").r
# lremovexattr _______________________________________________
# long sys_lremovexattr(char __user *path, char __user *name)
#
-probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") {
+probe nd_syscall.lremovexattr = kprobe.function("sys_lremovexattr")
+{
name = "lremovexattr"
- path_uaddr = $path
- path = user_string($path)
- name_uaddr = $name
- name2 = user_string($name)
- argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
+ // name_uaddr = $name
+ // name2 = user_string($name)
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name))
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
+ // %)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name2 = user_string(name_uaddr)
+ argstr = sprintf("%s, %s", user_string_quoted(path_uaddr), user_string_quoted(name_uaddr))
}
-probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return {
+probe nd_syscall.lremovexattr.return = kprobe.function("sys_lremovexattr").return
+{
name = "lremovexattr"
retstr = returnstr(1)
}
# lseek ______________________________________________________
# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
-probe nd_syscall.lseek = kernel.function("sys_lseek") {
- name = "lseek"
- fildes = $fd
-# offset = __int32($offset)
- offset = $offset
- whence = $origin
- whence_str = _seek_whence_str($origin)
- argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
-}
-probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
+probe nd_syscall.lseek = kprobe.function("sys_lseek")
+{
+ // name = "lseek"
+ // fildes = $fd
+ // # offset = __int32($offset)
+ // offset = $offset
+ // whence = $origin
+ // whence_str = _seek_whence_str($origin)
+ // argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
+ asmlinkage()
+ fildes = int_arg(1)
+ offset = long_arg(2)
+ whence = uint_arg(3)
+ whence_str = _seek_whence_str(whence)
+ argstr = sprintf("%d, %d, %s", fildes, offset, whence_str)
+}
+probe nd_syscall.lseek.return = kprobe.function("sys_lseek").return
+{
name = "lseek"
retstr = returnstr(1)
}
@@ -2348,21 +2883,44 @@ probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
# size_t size,
# int flags)
#
-probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") {
+probe nd_syscall.lsetxattr = kprobe.function("sys_lsetxattr")
+{
name = "lsetxattr"
- path_uaddr = $path
- path = user_string($path)
- name_uaddr = $name
- name_str = user_string($name)
- value_uaddr = $value
- size = $size
- flags = $flags
+ // %( kernel_v >= "2.6.27" %?
+ // path_uaddr = $pathname
+ // path = user_string($pathname)
+ // %:
+ // path_uaddr = $path
+ // path = user_string($path)
+ // %)
+ // name_uaddr = $name
+ // name_str = user_string($name)
+ // value_uaddr = $value
+ // size = $size
+ // flags = $flags
+ // argstr = sprintf("%s, %s, %p, %d, %d",
+ // %( kernel_v >= "2.6.27" %?
+ // user_string_quoted($pathname),
+ // %:
+ // user_string_quoted($path),
+ // %)
+ // user_string_quoted($name),
+ // value_uaddr, $size, $flags)
+ asmlinkage()
+ path_uaddr = pointer_arg(1)
+ path = user_string(path_uaddr)
+ name_uaddr = pointer_arg(2)
+ name_str = user_string(name_uaddr)
+ value_uaddr = pointer_arg(3)
+ size = ulong_arg(4)
+ flags = int_arg(5)
argstr = sprintf("%s, %s, %p, %d, %d",
- user_string_quoted($path),
- user_string_quoted($name),
- value_uaddr, $size, $flags)
+ user_string_quoted(path_uaddr),
+ user_string_quoted(name_uaddr),
+ value_uaddr, size, flags)
}
-probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
+probe nd_syscall.lsetxattr.return = kprobe.function("sys_lsetxattr").return
+{
name = "lsetxattr"
retstr = returnstr(1)
}
@@ -2376,26 +2934,28 @@ probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
# long sys_oabi_lstat64(char __user * filename,
# struct oldabi_stat64 __user * statbuf)
#
-probe nd_syscall.lstat =
- kernel.function("sys_lstat") ?,
- kernel.function("sys_newlstat") ?,
- kernel.function("compat_sys_newlstat") ?,
- kernel.function("sys32_lstat64") ?,
- kernel.function("sys_lstat64") ?,
- kernel.function("sys_oabi_lstat64") ?
+probe nd_syscall.lstat = kprobe.function("sys_lstat") ?,
+ kprobe.function("sys_newlstat") ?,
+ kprobe.function("compat_sys_newlstat") ?,
+ kprobe.function("sys32_lstat64") ?,
+ kprobe.function("sys_lstat64") ?,
+ kprobe.function("sys_oabi_lstat64") ?
{
name = "lstat"
- path = user_string($filename)
- buf_uaddr = $statbuf
- argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
-}
-probe nd_syscall.lstat.return =
- kernel.function("sys_lstat").return ?,
- kernel.function("sys_newlstat").return ?,
- kernel.function("compat_sys_newlstat").return ?,
- kernel.function("sys32_lstat64").return ?,
- kernel.function("sys_lstat64").return ?,
- kernel.function("sys_oabi_lstat64").return ?
+ // path = user_string($filename)
+ // buf_uaddr = $statbuf
+ // argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
+ asmlinkage()
+ path = user_string(pointer_arg(1))
+ buf_uaddr = pointer_arg(2)
+ argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr)
+}
+probe nd_syscall.lstat.return = kprobe.function("sys_lstat").return ?,
+ kprobe.function("sys_newlstat").return ?,
+ kprobe.function("compat_sys_newlstat").return ?,
+ kprobe.function("sys32_lstat64").return ?,
+ kprobe.function("sys_lstat64").return ?,
+ kprobe.function("sys_oabi_lstat64").return ?
{
name = "lstat"
retstr = returnstr(1)
@@ -2404,15 +2964,23 @@ probe nd_syscall.lstat.return =
# madvise ____________________________________________________
# long sys_madvise(unsigned long start, size_t len_in, int behavior)
#
-probe nd_syscall.madvise = kernel.function("sys_madvise") ? {
+probe nd_syscall.madvise = kprobe.function("sys_madvise") ?
+{
name = "madvise"
- start = $start
- length = $len_in
- advice = $behavior
- advice_str = _madvice_advice_str($behavior)
- argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+ // start = $start
+ // length = $len_in
+ // advice = $behavior
+ // advice_str = _madvice_advice_str($behavior)
+ // argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ advice = int_arg(3)
+ advice_str = _madvice_advice_str(advice)
+ argstr = sprintf("%p, %d, %s", start, length, _madvice_advice_str(advice))
}
-probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
+probe nd_syscall.madvise.return = kprobe.function("sys_madvise").return ?
+{
name = "madvise"
retstr = returnstr(1)
}
@@ -2432,23 +3000,30 @@ probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
# compat_ulong_t maxnode,
# compat_ulong_t flags)
#
-probe nd_syscall.mbind =
- kernel.function("sys_mbind") ?,
- kernel.function("compat_sys_mbind") ?
+probe nd_syscall.mbind = kprobe.function("sys_mbind") ?,
+ kprobe.function("compat_sys_mbind") ?
{
name = "mbind"
- start = $start
- len = $len
- mode = $mode
- nmask_uaddr = $nmask
- maxnode = $maxnode
- flags = $flags
- argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
- $nmask, $maxnode, $flags)
-}
-probe nd_syscall.mbind.return =
- kernel.function("sys_mbind").return ?,
- kernel.function("compat_sys_mbind").return ?
+ // start = $start
+ // len = $len
+ // mode = $mode
+ // nmask_uaddr = $nmask
+ // maxnode = $maxnode
+ // flags = $flags
+ // argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
+ // $nmask, $maxnode, $flags)
+ asmlinkage()
+ start = ulong_arg(1)
+ len = long_arg(2)
+ mode = ulong_arg(3)
+ nmask_uaddr = pointer_arg(4)
+ maxnode = ulong_arg(5)
+ flags = uint_arg(6)
+ argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", start, len, mode,
+ nmask_uaddr, maxnode, flags)
+}
+probe nd_syscall.mbind.return = kprobe.function("sys_mbind").return ?,
+ kprobe.function("compat_sys_mbind").return ?
{
name = "mbind"
retstr = returnstr(1)
@@ -2458,11 +3033,15 @@ probe nd_syscall.mbind.return =
# long sys_migrate_pages(pid_t pid, unsigned long maxnode,
# const unsigned long __user *old_nodes,
# const unsigned long __user *new_nodes)
-probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? {
+probe nd_syscall.migrate_pages = kprobe.function("sys_migrate_pages") ?
+{
name = "migrate_pages"
- argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+ // argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4))
}
-probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? {
+probe nd_syscall.migrate_pages.return = kprobe.function("sys_migrate_pages").return ?
+{
name = "migrate_pages"
retstr = returnstr(1)
}
@@ -2470,28 +3049,42 @@ probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").ret
# mincore ____________________________________________________
# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
#
-probe nd_syscall.mincore = kernel.function("sys_mincore") ? {
+probe nd_syscall.mincore = kprobe.function("sys_mincore") ?
+{
name = "mincore"
- start = $start
- length = $len
- vec_uaddr = $vec
- argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+ // start = $start
+ // length = $len
+ // vec_uaddr = $vec
+ // argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ vec_uaddr = pointer_arg(3)
+ argstr = sprintf("%p, %d, %p", start, length, vec_uaddr)
}
-probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? {
+probe nd_syscall.mincore.return = kprobe.function("sys_mincore").return ?
+{
name = "mincore"
retstr = returnstr(1)
}
# mkdir ______________________________________________________
# long sys_mkdir(const char __user * pathname, int mode)
-probe nd_syscall.mkdir = kernel.function("sys_mkdir") {
+probe nd_syscall.mkdir = kprobe.function("sys_mkdir")
+{
name = "mkdir"
- pathname_uaddr = $pathname
- pathname = user_string($pathname)
- mode = $mode
- argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ // pathname_uaddr = $pathname
+ // pathname = user_string($pathname)
+ // mode = $mode
+ // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+ asmlinkage()
+ pathname_uaddr = pointer_arg(1)
+ pathname = user_string(pathname_uaddr)
+ mode = int_arg(2)
+ argstr = sprintf("%s, %#o", user_string_quoted(pathname_uaddr), mode)
}
-probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
+probe nd_syscall.mkdir.return = kprobe.function("sys_mkdir").return
+{
name = "mkdir"
retstr = returnstr(1)
}
@@ -2499,29 +3092,43 @@ probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
# mkdirat ____________________________________________________
# new function with 2.6.16
# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
-probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? {
+probe nd_syscall.mkdirat = kprobe.function("sys_mkdirat") ?
+{
name = "mkdirat"
- dirfd = $dfd
- pathname = user_string($pathname)
- mode = $mode
- argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+ // dirfd = $dfd
+ // pathname = user_string($pathname)
+ // mode = $mode
+ // argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+ asmlinkage()
+ dirfd = int_arg(1)
+ pathname = user_string(pointer_arg(2))
+ mode = int_arg(3)
+ argstr = sprintf("%d, %s, %#o", dirfd, user_string_quoted(pointer_arg(2)), mode)
}
-probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? {
+probe nd_syscall.mkdirat.return = kprobe.function("sys_mkdirat").return ?
+{
name = "mkdirat"
retstr = returnstr(1)
}
# mknod
# long sys_mknod(const char __user * filename, int mode, unsigned dev)
-probe nd_syscall.mknod = kernel.function("sys_mknod") {
+probe nd_syscall.mknod = kprobe.function("sys_mknod")
+{
name = "mknod"
- pathname = user_string($filename)
- mode = $mode
- dev = $dev
- argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+ // pathname = user_string($filename)
+ // mode = $mode
+ // dev = $dev
+ // argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+ asmlinkage()
+ pathname = user_string(pointer_arg(1))
+ mode = int_arg(2)
+ dev = uint_arg(3)
+ argstr = sprintf("%s, %s, %p", user_string_quoted(pointer_arg(1)), _mknod_mode_str(mode), dev)
}
-probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
+probe nd_syscall.mknod.return = kprobe.function("sys_mknod").return
+{
name = "mknod"
retstr = returnstr(1)
}
@@ -2530,13 +3137,19 @@ probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
#
# long sys_mlock(unsigned long start, size_t len)
#
-probe nd_syscall.mlock = kernel.function("sys_mlock") ? {
+probe nd_syscall.mlock = kprobe.function("sys_mlock") ?
+{
name = "mlock"
- addr = $start
- len = $len
- argstr = sprintf("%p, %d", $start, $len)
+ // addr = $start
+ // len = $len
+ // argstr = sprintf("%p, %d", $start, $len)
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
+ argstr = sprintf("%p, %d", addr, len)
}
-probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
+probe nd_syscall.mlock.return = kprobe.function("sys_mlock").return ?
+{
name = "mlock"
retstr = returnstr(1)
}
@@ -2544,12 +3157,17 @@ probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
#
# long sys_mlockall(int flags)
#
-probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? {
+probe nd_syscall.mlockall = kprobe.function("sys_mlockall") ?
+{
name = "mlockall"
- flags = $flags
- argstr = _mlockall_flags_str($flags)
+ // flags = $flags
+ // argstr = _mlockall_flags_str($flags)
+ asmlinkage()
+ flags = int_arg(1)
+ argstr = _mlockall_flags_str(flags)
}
-probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
+probe nd_syscall.mlockall.return = kprobe.function("sys_mlockall").return ?
+{
name = "mlockall"
retstr = returnstr(1)
}
@@ -2557,14 +3175,21 @@ probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
# modify_ldt _________________________________________________
# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
#
-probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
+probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ?
+{
name = "modify_ldt"
- func = $func
- ptr_uaddr = $ptr
- bytecount = $bytecount
- argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+ // func = $func
+ // ptr_uaddr = $ptr
+ // bytecount = $bytecount
+ // argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+ asmlinkage()
+ func = int_arg(1)
+ ptr_uaddr = pointer_arg(2)
+ bytecount = ulong_arg(3)
+ argstr = sprintf("%d, %p, %d", func, ptr_uaddr, bytecount)
}
-probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
+probe nd_syscall.modify_ldt.return = kprobe.function("sys_modify_ldt").return ?
+{
name = "modify_ldt"
retstr = returnstr(1)
}
@@ -2582,16 +3207,16 @@ probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ?
# int __user *status,
# int flags)
#
-probe nd_syscall.move_pages =
- kernel.function("sys_move_pages") ?,
- kernel.function("compat_sys_move_pages") ?
+probe nd_syscall.move_pages = kprobe.function("sys_move_pages") ?,
+ kprobe.function("compat_sys_move_pages") ?
{
name = "move_pages"
- argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+ // argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6))
}
-probe nd_syscall.move_pages.return =
- kernel.function("sys_move_pages").return ?,
- kernel.function("compat_sys_move_pages").return ?
+probe nd_syscall.move_pages.return = kprobe.function("sys_move_pages").return ?,
+ kprobe.function("compat_sys_move_pages").return ?
{
name = "move_pages"
retstr = returnstr(1)
@@ -2608,26 +3233,36 @@ probe nd_syscall.move_pages.return =
# char __user * type,
# unsigned long flags,
# void __user * data)
-probe nd_syscall.mount =
- kernel.function("sys_mount"),
- kernel.function("compat_sys_mount") ?
+probe nd_syscall.mount = kprobe.function("sys_mount"),
+ kprobe.function("compat_sys_mount") ?
{
name = "mount"
- source = user_string($dev_name)
- target = user_string($dir_name)
- filesystemtype = user_string($type)
- mountflags = $flags
- mountflags_str = _mountflags_str($flags)
- data = text_strn(user_string($data),syscall_string_trunc,1)
+ // source = user_string($dev_name)
+ // target = user_string($dir_name)
+ // filesystemtype = user_string($type)
+ // mountflags = $flags
+ // mountflags_str = _mountflags_str($flags)
+ // data = text_strn(user_string($data), syscall_string_trunc, 1)
+ // argstr = sprintf("%s, %s, %s, %s, %s",
+ // user_string_quoted($dev_name),
+ // user_string_quoted($dir_name),
+ // user_string_quoted($type),
+ // mountflags_str, data)
+ asmlinkage()
+ source = user_string(pointer_arg(1))
+ target = user_string(pointer_arg(2))
+ filesystemtype = user_string(pointer_arg(3))
+ mountflags = ulong_arg(4)
+ mountflags_str = _mountflags_str(mountflags)
+ data = text_strn(user_string(pointer_arg(5)), syscall_string_trunc, 1)
argstr = sprintf("%s, %s, %s, %s, %s",
- user_string_quoted($dev_name),
- user_string_quoted($dir_name),
- user_string_quoted($type),
+ user_string_quoted(pointer_arg(1)),
+ user_string_quoted(pointer_arg(2)),
+ user_string_quoted(pointer_arg(3)),
mountflags_str, data)
}
-probe nd_syscall.mount.return =
- kernel.function("sys_mount").return,
- kernel.function("compat_sys_mount").return ?
+probe nd_syscall.mount.return = kprobe.function("sys_mount").return,
+ kprobe.function("compat_sys_mount").return ?
{
name = "mount"
retstr = returnstr(1)
@@ -2636,15 +3271,23 @@ probe nd_syscall.mount.return =
# mprotect ___________________________________________________
# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
#
-probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? {
+probe nd_syscall.mprotect = kprobe.function("sys_mprotect") ?
+{
name = "mprotect"
- addr = $start
- len = $len
- prot = $prot
- prot_str = _mprotect_prot_str($prot)
- argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+ // addr = $start
+ // len = $len
+ // prot = $prot
+ // prot_str = _mprotect_prot_str($prot)
+ // argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
+ prot = ulong_arg(3)
+ prot_str = _mprotect_prot_str(prot)
+ argstr = sprintf("%p, %d, %s", addr, len, _mprotect_prot_str(prot))
}
-probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
+probe nd_syscall.mprotect.return = kprobe.function("sys_mprotect").return ?
+{
name = "mprotect"
retstr = returnstr(1)
}
@@ -2657,19 +3300,22 @@ probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
# const struct compat_mq_attr __user *u_mqstat,
# struct compat_mq_attr __user *u_omqstat)
#
-probe nd_syscall.mq_getsetattr =
- kernel.function("sys_mq_getsetattr") ?,
- kernel.function("compat_sys_mq_getsetattr") ?
+probe nd_syscall.mq_getsetattr = kprobe.function("sys_mq_getsetattr") ?,
+ kprobe.function("compat_sys_mq_getsetattr") ?
{
name = "mq_getsetattr"
- mqdes = $mqdes
- u_mqstat_uaddr = $u_mqstat
- u_omqstat_uaddr = $u_omqstat
- argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+ // mqdes = $mqdes
+ // u_mqstat_uaddr = $u_mqstat
+ // u_omqstat_uaddr = $u_omqstat
+ // argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+ asmlinkage()
+ mqdes = int_arg(1)
+ u_mqstat_uaddr = pointer_arg(2)
+ u_omqstat_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %p, %p", mqdes, u_mqstat_uaddr, u_omqstat_uaddr)
}
-probe nd_syscall.mq_getsetattr.return =
- kernel.function("sys_mq_getsetattr").return ?,
- kernel.function("compat_sys_mq_getsetattr").return ?
+probe nd_syscall.mq_getsetattr.return = kprobe.function("sys_mq_getsetattr").return ?,
+ kprobe.function("compat_sys_mq_getsetattr").return ?
{
name = "mq_getsetattr"
retstr = returnstr(1)
@@ -2679,18 +3325,20 @@ probe nd_syscall.mq_getsetattr.return =
# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
# long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
#
-probe nd_syscall.mq_notify =
- kernel.function("sys_mq_notify") ?,
- kernel.function("compat_sys_mq_notify") ?
+probe nd_syscall.mq_notify = kprobe.function("sys_mq_notify") ?,
+ kprobe.function("compat_sys_mq_notify") ?
{
name = "mq_notify"
- mqdes = $mqdes
- notification_uaddr = $u_notification
- argstr = sprintf("%d, %p", $mqdes, $u_notification)
+ // mqdes = $mqdes
+ // notification_uaddr = $u_notification
+ // argstr = sprintf("%d, %p", $mqdes, $u_notification)
+ asmlinkage()
+ mqdes = int_arg(1)
+ notification_uaddr = pointer_arg(2)
+ argstr = sprintf("%d, %p", mqdes, notification_uaddr)
}
-probe nd_syscall.mq_notify.return =
- kernel.function("sys_mq_notify").return ?,
- kernel.function("compat_sys_mq_notify").return ?
+probe nd_syscall.mq_notify.return = kprobe.function("sys_mq_notify").return ?,
+ kprobe.function("compat_sys_mq_notify").return ?
{
name = "mq_notify"
retstr = returnstr(1)
@@ -2705,9 +3353,8 @@ probe nd_syscall.mq_notify.return =
# int oflag, compat_mode_t mode,
# struct compat_mq_attr __user *u_attr)
#
-probe nd_syscall.mq_open =
- kernel.function("sys_mq_open") ?,
- kernel.function("compat_sys_mq_open") ?
+probe nd_syscall.mq_open = kprobe.function("sys_mq_open") ?,
+ kprobe.function("compat_sys_mq_open") ?
{
name = "mq_open"
// name_uaddr = $u_name
@@ -2733,9 +3380,8 @@ probe nd_syscall.mq_open =
else
argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag))
}
-probe nd_syscall.mq_open.return =
- kernel.function("sys_mq_open").return ?,
- kernel.function("compat_sys_mq_open").return ?
+probe nd_syscall.mq_open.return = kprobe.function("sys_mq_open").return ?,
+ kprobe.function("compat_sys_mq_open").return ?
{
name = "mq_open"
retstr = returnstr(1)
@@ -2752,22 +3398,28 @@ probe nd_syscall.mq_open.return =
# size_t msg_len, unsigned int __user *u_msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe nd_syscall.mq_timedreceive =
- kernel.function("sys_mq_timedreceive") ?,
- kernel.function("compat_sys_mq_timedreceive") ?
+probe nd_syscall.mq_timedreceive = kprobe.function("sys_mq_timedreceive") ?,
+ kprobe.function("compat_sys_mq_timedreceive") ?
{
name = "mq_timedreceive"
- mqdes = $mqdes
- msg_ptr_uaddr = $u_msg_ptr
- msg_len = $msg_len
- msg_prio_uaddr = $u_msg_prio
- abs_timout_uaddr = $u_abs_timeout
- argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
- $u_msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedreceive.return =
- kernel.function("sys_mq_timedreceive").return ?,
- kernel.function("compat_sys_mq_timedreceive").return ?
+ // mqdes = $mqdes
+ // msg_ptr_uaddr = $u_msg_ptr
+ // msg_len = $msg_len
+ // msg_prio_uaddr = $u_msg_prio
+ // abs_timout_uaddr = $u_abs_timeout
+ // argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
+ // $u_msg_prio, $u_abs_timeout)
+ asmlinkage()
+ mqdes = int_arg(1)
+ msg_ptr_uaddr = pointer_arg(2)
+ msg_len = ulong_arg(3)
+ msg_prio_uaddr = pointer_arg(4)
+ abs_timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %d, %p, %p", mqdes, msg_ptr_uaddr, msg_len,
+ msg_prio_uaddr, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedreceive.return = kprobe.function("sys_mq_timedreceive").return ?,
+ kprobe.function("compat_sys_mq_timedreceive").return ?
{
name = "mq_timedreceive"
retstr = returnstr(1)
@@ -2784,22 +3436,28 @@ probe nd_syscall.mq_timedreceive.return =
# size_t msg_len, unsigned int msg_prio,
# const struct compat_timespec __user *u_abs_timeout)
#
-probe nd_syscall.mq_timedsend =
- kernel.function("sys_mq_timedsend") ?,
- kernel.function("compat_sys_mq_timedsend") ?
+probe nd_syscall.mq_timedsend = kprobe.function("sys_mq_timedsend") ?,
+ kprobe.function("compat_sys_mq_timedsend") ?
{
name = "mq_timedsend"
- mqdes = $mqdes
- msg_ptr_uaddr = $u_msg_ptr
- msg_len = $msg_len
- msg_prio = $msg_prio
- abs_timeout_uaddr = $u_abs_timeout
- argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
- $msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedsend.return =
- kernel.function("sys_mq_timedsend").return ?,
- kernel.function("compat_sys_mq_timedsend").return ?
+ // mqdes = $mqdes
+ // msg_ptr_uaddr = $u_msg_ptr
+ // msg_len = $msg_len
+ // msg_prio = $msg_prio
+ // abs_timeout_uaddr = $u_abs_timeout
+ // argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
+ // $msg_prio, $u_abs_timeout)
+ asmlinkage()
+ mqdes = int_arg(1)
+ msg_ptr_uaddr = pointer_arg(2)
+ msg_len = ulong_arg(3)
+ msg_prio = uint_arg(4)
+ abs_timeout_uaddr = pointer_arg(5)
+ argstr = sprintf("%d, %p, %d, %d, %p", mqdes, msg_ptr_uaddr, msg_len,
+ msg_prio, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedsend.return = kprobe.function("sys_mq_timedsend").return ?,
+ kprobe.function("compat_sys_mq_timedsend").return ?
{
name = "mq_timedsend"
retstr = returnstr(1)
@@ -2808,13 +3466,19 @@ probe nd_syscall.mq_timedsend.return =
# mq_unlink __________________________________________________
# long sys_mq_unlink(const char __user *u_name)
#
-probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? {
+probe nd_syscall.mq_unlink = kprobe.function("sys_mq_unlink") ?
+{
name = "mq_unlink"
- u_name_uaddr = $u_name
- u_name = user_string($u_name)
- argstr = user_string_quoted($u_name)
+ // u_name_uaddr = $u_name
+ // u_name = user_string($u_name)
+ // argstr = user_string_quoted($u_name)
+ asmlinkage()
+ u_name_uaddr = pointer_arg(1)
+ u_name = user_string(u_name_uaddr)
+ argstr = user_string_quoted(u_name_uaddr)
}
-probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
+probe nd_syscall.mq_unlink.return = kprobe.function("sys_mq_unlink").return ?
+{
name = "mq_unlink"
retstr = returnstr(1)
}
@@ -2826,22 +3490,28 @@ probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
# unsigned long flags,
# unsigned long new_addr)
#
-probe nd_syscall.mremap =
- kernel.function("sys_mremap") ?,
- kernel.function("ia64_mremap") ?
+probe nd_syscall.mremap = kprobe.function("sys_mremap") ?,
+ kprobe.function("ia64_mremap") ?
{
name = "mremap"
- old_address = $addr
- old_size = $old_len
- new_size = $new_len
- flags = $flags
- new_address = $new_addr
- argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
- _mremap_flags($flags), $new_addr)
-}
-probe nd_syscall.mremap.return =
- kernel.function("sys_mremap").return ?,
- kernel.function("ia64_mremap").return ?
+ // old_address = $addr
+ // old_size = $old_len
+ // new_size = $new_len
+ // flags = $flags
+ // new_address = $new_addr
+ // argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
+ // _mremap_flags($flags), $new_addr)
+ asmlinkage()
+ old_address = ulong_arg(1)
+ old_size = ulong_arg(2)
+ new_size = ulong_arg(3)
+ flags = ulong_arg(4)
+ new_address = ulong_arg(5)
+ argstr = sprintf("%p, %d, %d, %s, %p", old_address, old_size, new_size,
+ _mremap_flags(flags), new_address)
+}
+probe nd_syscall.mremap.return = kprobe.function("sys_mremap").return ?,
+ kprobe.function("ia64_mremap").return ?
{
name = "mremap"
retstr = returnstr(2)
@@ -2850,14 +3520,21 @@ probe nd_syscall.mremap.return =
# msgctl _____________________________________________________
# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
#
-probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? {
+probe nd_syscall.msgctl = kprobe.function("sys_msgctl") ?
+{
name = "msgctl"
- msqid = $msqid
- cmd = $cmd
- buf_uaddr = $buf
- argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+ // msqid = $msqid
+ // cmd = $cmd
+ // buf_uaddr = $buf
+ // argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+ asmlinkage()
+ msqid = int_arg(1)
+ cmd = int_arg(2)
+ buf_uaddr = pointer_arg(3)
+ argstr = sprintf("%d, %d, %p", msqid, cmd, buf_uaddr)
}
-probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
+probe nd_syscall.msgctl.return = kprobe.function("sys_msgctl").return ?
+{
name = "msgctl"
retstr = returnstr(1)
}
@@ -2865,11 +3542,15 @@ probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
#
# long compat_sys_msgctl(int first, int second, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? {
+probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ?
+{
name = "compat_sys_msgctl"
- argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ // argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %p", int_arg(1), int_arg(2), pointer_arg(3))
}
-probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? {
+probe nd_syscall.compat_sys_msgctl.return = kprobe.function("compat_sys_msgctl").return ?
+{
name = "compat_sys_msgctl"
retstr = returnstr(1)
}
@@ -2877,14 +3558,21 @@ probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl")
# msgget _____________________________________________________
# long sys_msgget (key_t key, int msgflg)
#
-probe nd_syscall.msgget = kernel.function("sys_msgget") ? {
+probe nd_syscall.msgget = kprobe.function("sys_msgget") ?
+{
name = "msgget"
- key = $key
- msgflg = $msgflg
- msgflg_str = _sys_open_flag_str($msgflg)
- argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+ // key = $key
+ // msgflg = $msgflg
+ // msgflg_str = _sys_open_flag_str($msgflg)
+ // argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+ asmlinkage()
+ key = int_arg(1)
+ msgflg = int_arg(2)
+ msgflg_str = _sys_open_flag_str(msgflg)
+ argstr = sprintf("%d, %s", key, _sys_open_flag_str(msgflg))
}
-probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
+probe nd_syscall.msgget.return = kprobe.function("sys_msgget").return ?
+{
name = "msgget"
retstr = returnstr(1)
}
@@ -2896,16 +3584,25 @@ probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
# long msgtyp,
# int msgflg)
#
-probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? {
+probe nd_syscall.msgrcv = kprobe.function("sys_msgrcv") ?
+{
name = "msgrcv"
- msqid = $msqid
- msgp_uaddr = $msgp
- msgsz = $msgsz
- msgtyp = $msgtyp
- msgflg = $msgflg
- argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
-}
-probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
+ // msqid = $msqid
+ // msgp_uaddr = $msgp
+ // msgsz = $msgsz
+ // msgtyp = $msgtyp
+ // msgflg = $msgflg
+ // argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
+ asmlinkage()
+ msqid = int_arg(1)
+ msgp_uaddr = pointer_arg(2)
+ msgsz = ulong_arg(3)
+ msgtyp = long_arg(4)
+ msgflg = int_arg(5)
+ argstr = sprintf("%d, %p, %d, %d, %d", msqid, msgp_uaddr, msgsz, msgtyp, msgflg)
+}
+probe nd_syscall.msgrcv.return = kprobe.function("sys_msgrcv").return ?
+{
name = "msgrcv"
retstr = returnstr(1)
}
@@ -2914,11 +3611,15 @@ probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
# long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
# int version, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? {
+probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ?
+{
name = "compat_sys_msgrcv"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(5))
}
-probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? {
+probe nd_syscall.compat_sys_msgrcv.return = kprobe.function("compat_sys_msgrcv").return ?
+{
name = "compat_sys_msgrcv"
retstr = returnstr(1)
}
@@ -2929,15 +3630,23 @@ probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv")
# size_t msgsz,
# int msgflg)
#
-probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? {
+probe nd_syscall.msgsnd = kprobe.function("sys_msgsnd") ?
+{
name = "msgsnd"
- msqid = $msqid
- msgp_uaddr = $msgp
- msgsz = $msgsz
- msgflg = $msgflg
- argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+ // msqid = $msqid
+ // msgp_uaddr = $msgp
+ // msgsz = $msgsz
+ // msgflg = $msgflg
+ // argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+ asmlinkage()
+ msqid = int_arg(1)
+ msgp_uaddr = pointer_arg(2)
+ msgsz = ulong_arg(3)
+ msgflg = int_arg(4)
+ argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
}
-probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
+probe nd_syscall.msgsnd.return = kprobe.function("sys_msgsnd").return ?
+{
name = "msgsnd"
retstr = returnstr(1)
}
@@ -2945,62 +3654,84 @@ probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
#
# long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
#
-probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? {
+probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ?
+{
name = "compat_sys_msgsnd"
- argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+ asmlinkage()
+ argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4))
}
-probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? {
+probe nd_syscall.compat_sys_msgsnd.return = kprobe.function("compat_sys_msgsnd").return ?
+{
name = "compat_sys_msgsnd"
retstr = returnstr(1)
}
# msync ______________________________________________________
# long sys_msync(unsigned long start, size_t len, int flags)
-probe nd_syscall.msync = kernel.function("sys_msync") ? {
+probe nd_syscall.msync = kprobe.function("sys_msync") ?
+{
name = "msync"
- start = $start
- length = $len
- flags = $flags
- argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
+ // start = $start
+ // length = $len
+ // flags = $flags
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
+ flags = int_arg(3)
+ argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags))
}
-probe nd_syscall.msync.return = kernel.function("sys_msync").return ? {
+probe nd_syscall.msync.return = kprobe.function("sys_msync").return ?
+{
name = "msync"
retstr = returnstr(1)
}
# munlock ____________________________________________________
# long sys_munlock(unsigned long start, size_t len)
-probe nd_syscall.munlock = kernel.function("sys_munlock") ? {
+probe nd_syscall.munlock = kprobe.function("sys_munlock") ?
+{
name = "munlock"
- addr = $start
- len = $len
+ // addr = $start
+ // len = $len
+ asmlinkage()
+ addr = ulong_arg(1)
+ len = ulong_arg(2)
argstr = sprintf("%p, %d", addr, len)
}
-probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? {
+probe nd_syscall.munlock.return = kprobe.function("sys_munlock").return ?
+{
name = "munlock"
retstr = returnstr(1)
}
# munlockall _________________________________________________
# long sys_munlockall(void)
-probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? {
+probe nd_syscall.munlockall = kprobe.function("sys_munlockall") ?
+{
name = "munlockall"
argstr = ""
}
-probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
+probe nd_syscall.munlockall.return = kprobe.function("sys_munlockall").return ?
+{
name = "munlockall"
retstr = returnstr(1)
}
# munmap _____________________________________________________
# long sys_munmap(unsigned long addr, size_t len)
-probe nd_syscall.munmap = kernel.function("sys_munmap") {
+probe nd_syscall.munmap = kprobe.function("sys_munmap")
+{
name = "munmap"
- start = $addr
- length = $len
+ // start = $addr
+ // length = $len
+ asmlinkage()
+ start = ulong_arg(1)
+ length = ulong_arg(2)
argstr = sprintf("%p, %d", start, length)
}
-probe nd_syscall.munmap.return = kernel.function("sys_munmap").return {
+probe nd_syscall.munmap.return = kprobe.function("sys_munmap").return
+{
name = "munmap"
retstr = returnstr(1)
}
--
1.5.6.5