From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 25950 invoked by alias); 17 May 2009 19:09:18 -0000 Received: (qmail 25890 invoked by uid 22791); 17 May 2009 19:09:01 -0000 X-SWARE-Spam-Status: No, hits=-0.4 required=5.0 tests=AWL,BAYES_20,J_CHICKENPOX_26,J_CHICKENPOX_44,J_CHICKENPOX_83 X-Spam-Check-By: sourceware.org Received: from mail-ew0-f163.google.com (HELO mail-ew0-f163.google.com) (209.85.219.163) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Sun, 17 May 2009 19:08:33 +0000 Received: by ewy7 with SMTP id 7so3655615ewy.24 for ; Sun, 17 May 2009 12:08:28 -0700 (PDT) Received: by 10.210.58.17 with SMTP id g17mr3531057eba.4.1242587308363; Sun, 17 May 2009 12:08:28 -0700 (PDT) Received: from debian (chello089079179132.chello.pl [89.79.179.132]) by mx.google.com with ESMTPS id 5sm1757178eyh.30.2009.05.17.12.08.25 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 17 May 2009 12:08:27 -0700 (PDT) Mail-From: 41d41d4952e8aea8c3f1f2a5f724745febb36f89 Mon Sep 17 00:00:00 2001 From: Przemyslaw Pawelczyk Date: Sun, 17 May 2009 19:09:00 -0000 Subject: [PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp. To: systemtap@sourceware.org Message-Id: <1242587305.670381.9610@debian> X-IsSubscribed: yes Mailing-List: contact systemtap-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: systemtap-owner@sourceware.org X-SW-Source: 2009-q2/txt/msg00602.txt.bz2 Replace in-scope variables references with *_arg functions. Use 'kprobe' family of probes instead of 'kernel' family for dwarfless probing. Also fix a few typos and unify formatting. --- tapset/nd_syscalls.stp | 2691 ++++++++++++++++++++++++++++++------------------ 1 files changed, 1711 insertions(+), 980 deletions(-) diff --git a/tapset/nd_syscalls.stp b/tapset/nd_syscalls.stp index a0e5286..32c3640 100644 --- a/tapset/nd_syscalls.stp +++ b/tapset/nd_syscalls.stp @@ -12,9 +12,6 @@ * nd_syscalls.stp is a copy of syscalls.stp, modified to refer to * function arguments by number rather than name, so that this tapset * can be used even when the probed kernel lacks debugging information. - * - * So far, the names-to-numbers conversion covers only syscall.a* - * through syscall.c*, plus a few others. */ @@ -37,7 +34,8 @@ # accept _____________________________________________________ # long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr, # int __user *upeer_addrlen) -probe nd_syscall.accept = kernel.function("sys_accept") ? { +probe nd_syscall.accept = kprobe.function("sys_accept") ? +{ name = "accept" // sockfd = $fd // addr_uaddr = $upeer_sockaddr @@ -49,14 +47,16 @@ probe nd_syscall.accept = kernel.function("sys_accept") ? { addrlen_uaddr = pointer_arg(3) argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr) } -probe nd_syscall.accept.return = kernel.function("sys_accept").return ? { +probe nd_syscall.accept.return = kprobe.function("sys_accept").return ? +{ name = "accept" retstr = returnstr(1) } # access _____________________________________________________ # long sys_access(const char __user * filename, int mode) -probe nd_syscall.access = kernel.function("sys_access") { +probe nd_syscall.access = kprobe.function("sys_access") +{ name = "access" // pathname = user_string($filename) // mode = $mode @@ -68,22 +68,25 @@ probe nd_syscall.access = kernel.function("sys_access") { mode_str = _access_mode_str(mode) argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str) } -probe nd_syscall.access.return = kernel.function("sys_access").return { +probe nd_syscall.access.return = kprobe.function("sys_access").return +{ name = "access" retstr = returnstr(1) } # acct _______________________________________________________ # long sys_acct(const char __user *name) -probe nd_syscall.acct = kernel.function("sys_acct") ? { +probe nd_syscall.acct = kprobe.function("sys_acct") ? +{ name = "acct" - // filename = user_string($name) + // filename = user_string($name) // argstr = user_string_quoted($name) asmlinkage() filename = user_string(pointer_arg(1)) argstr = user_string_quoted(pointer_arg(1)) } -probe nd_syscall.acct.return = kernel.function("sys_acct").return ? { +probe nd_syscall.acct.return = kprobe.function("sys_acct").return ? +{ name = "acct" retstr = returnstr(1) } @@ -95,7 +98,8 @@ probe nd_syscall.acct.return = kernel.function("sys_acct").return ? { # size_t plen, # key_serial_t ringid) # -probe nd_syscall.add_key = kernel.function("sys_add_key") ? { +probe nd_syscall.add_key = kprobe.function("sys_add_key") ? +{ name = "add_key" // type_uaddr = $_type // description_auddr = $_description @@ -105,7 +109,7 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? { // argstr = sprintf("%s, %s, %s, %d, %d", // user_string_quoted($_type), // user_string_quoted($_description), - // text_strn(user_string($_payload),syscall_string_trunc,1), + // text_strn(user_string($_payload), syscall_string_trunc, 1), // $plen, $ringid) asmlinkage() type_uaddr = pointer_arg(1) @@ -116,49 +120,54 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? { argstr = sprintf("%s, %s, %s, %d, %d", user_string_quoted(type_uaddr), user_string_quoted(description_uaddr), - text_strn(user_string(payload_uaddr),syscall_string_trunc,1), + text_strn(user_string(payload_uaddr), syscall_string_trunc, 1), plen, ringid) } -probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? { +probe nd_syscall.add_key.return = kprobe.function("sys_add_key").return ? +{ name = "add_key" retstr = returnstr(1) } # adjtimex ___________________________________________________ # long sys_adjtimex(struct timex __user *txc_p) -probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") { +probe nd_syscall.adjtimex = kprobe.function("sys_adjtimex") +{ name = "adjtimex" /* - * buf_offset = __uget_timex_m($txc_p,1) - * buf_freq = __uget_timex_m($txc_p,2) - * buf_maxerror = __uget_timex_m($txc_p,3) - * buf_esterror = __uget_timex_m($txc_p,4) - * buf_status = __uget_timex_m($txc_p,5) - * buf_constant = __uget_timex_m($txc_p,6) - * buf_precision = __uget_timex_m($txc_p,7) - * buf_tolerance = __uget_timex_m($txc_p,8) - * buf_time_tv_sec = __uget_timex_m($txc_p,9) - * buf_time_tv_usec = __uget_timex_m($txc_p,10) - * buf_tick = __uget_timex_m($txc_p,11) + * buf_offset = __uget_timex_m($txc_p, 1) + * buf_freq = __uget_timex_m($txc_p, 2) + * buf_maxerror = __uget_timex_m($txc_p, 3) + * buf_esterror = __uget_timex_m($txc_p, 4) + * buf_status = __uget_timex_m($txc_p, 5) + * buf_constant = __uget_timex_m($txc_p, 6) + * buf_precision = __uget_timex_m($txc_p, 7) + * buf_tolerance = __uget_timex_m($txc_p, 8) + * buf_time_tv_sec = __uget_timex_m($txc_p, 9) + * buf_time_tv_usec = __uget_timex_m($txc_p, 10) + * buf_tick = __uget_timex_m($txc_p, 11) */ // argstr = sprintf("%p", $txc_p) asmlinkage() argstr = sprintf("%p", pointer_arg(1)) } -probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return { +probe nd_syscall.adjtimex.return = kprobe.function("sys_adjtimex").return +{ name = "adjtimex" // retstr = _adjtimex_return_str($return) retstr = _adjtimex_return_str(returnval()) } # long compat_sys_adjtimex(struct compat_timex __user *utp) -probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? { +probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ? +{ name = "compat_adjtimex" // argstr = sprintf("%p", $utp) asmlinkage() argstr = sprintf("%p", pointer_arg(1)) } -probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? { +probe nd_syscall.compat_adjtimex.return = kprobe.function("compat_sys_adjtimex").return ? +{ name = "compat_adjtimex" retstr = returnstr(1) } @@ -167,9 +176,8 @@ probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex") # unsigned long sys_alarm (unsigned int seconds) # long sys32_alarm(unsigned int seconds) # -probe nd_syscall.alarm = - kernel.function("sys_alarm") ?, - kernel.function("sys32_alarm") ? +probe nd_syscall.alarm = kprobe.function("sys_alarm") ?, + kprobe.function("sys32_alarm") ? { name = "alarm" // seconds = $seconds @@ -178,62 +186,64 @@ probe nd_syscall.alarm = seconds = uint_arg(1) argstr = sprint(seconds) } -probe nd_syscall.alarm.return = - kernel.function("sys_alarm").return ?, - kernel.function("sys32_alarm").return ? +probe nd_syscall.alarm.return = kprobe.function("sys_alarm").return ?, + kprobe.function("sys32_alarm").return ? { name = "alarm" retstr = returnstr(1) } # bdflush ____________________________________________________ -# long sys_bdflush(int func,long data) -probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? { +# long sys_bdflush(int func, long data) +probe nd_syscall.bdflush = kprobe.function("sys_bdflush") ? +{ name = "bdflush" // func = $func // data = $data - // if (($func>=2)&&($func%2==0)) - // data_str = sprintf("%p", $data) - // else - // data_str = sprintf("%d", $data) + // if (($func>=2)&&($func%2==0)) + // data_str = sprintf("%p", $data) + // else + // data_str = sprintf("%d", $data) asmlinkage() func = int_arg(1) data = long_arg(2) - if ((func>=2)&&(func%2==0)) - data_str = sprintf("%p", data) - else - data_str = sprintf("%d", data) - argstr = sprintf("%d, %s",func, data_str) + if ((func>=2)&&(func%2==0)) + data_str = sprintf("%p", data) + else + data_str = sprintf("%d", data) + argstr = sprintf("%d, %s", func, data_str) } -probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? { +probe nd_syscall.bdflush.return = kprobe.function("sys_bdflush").return ? +{ name = "bdflush" retstr = returnstr(1) } # bind _______________________________________________________ # long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen) -probe nd_syscall.bind = kernel.function("sys_bind") ? { +probe nd_syscall.bind = kprobe.function("sys_bind") ? +{ name = "bind" // sockfd = $fd // my_addr_uaddr = $umyaddr // addrlen = $addrlen - // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen) + // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen) asmlinkage() sockfd = int_arg(1) my_addr_uaddr = pointer_arg(2) addrlen = int_arg(3) - argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr,addrlen),addrlen) + argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr, addrlen), addrlen) } -probe nd_syscall.bind.return = kernel.function("sys_bind").return ? { +probe nd_syscall.bind.return = kprobe.function("sys_bind").return ? +{ name = "bind" retstr = returnstr(1) } # brk ________________________________________________________ # unsigned long sys_brk(unsigned long brk) -probe nd_syscall.brk = - kernel.function("sys_brk"), - kernel.function("ia64_brk") ? +probe nd_syscall.brk = kprobe.function("sys_brk"), + kprobe.function("ia64_brk") ? { name = "brk" // brk = $brk @@ -241,9 +251,8 @@ probe nd_syscall.brk = brk = ulong_arg(1) argstr = sprintf("%p", brk) } -probe nd_syscall.brk.return = - kernel.function("sys_brk").return, - kernel.function("ia64_brk").return ? +probe nd_syscall.brk.return = kprobe.function("sys_brk").return, + kprobe.function("ia64_brk").return ? { name = "brk" retstr = returnstr(1) @@ -262,7 +271,8 @@ probe nd_syscall.brk.return = * functions to export. */ # long sys_capget(cap_user_header_t header, cap_user_data_t dataptr) -probe nd_syscall.capget = kernel.function("sys_capget") { +probe nd_syscall.capget = kprobe.function("sys_capget") +{ name = "capget" // header_uaddr = $header // data_uaddr = $dataptr @@ -272,7 +282,8 @@ probe nd_syscall.capget = kernel.function("sys_capget") { data_uaddr = pointer_arg(2) argstr = sprintf("%p, %p", header_uaddr, data_uaddr) } -probe nd_syscall.capget.return = kernel.function("sys_capget").return { +probe nd_syscall.capget.return = kprobe.function("sys_capget").return +{ name = "capget" retstr = returnstr(1) } @@ -289,7 +300,8 @@ probe nd_syscall.capget.return = kernel.function("sys_capget").return { * functions to export. */ # long sys_capset(cap_user_header_t header, const cap_user_data_t data) -probe nd_syscall.capset = kernel.function("sys_capset") { +probe nd_syscall.capset = kprobe.function("sys_capset") +{ name = "capset" // header_uaddr = $header // data_uaddr = $data @@ -299,14 +311,16 @@ probe nd_syscall.capset = kernel.function("sys_capset") { data_uaddr = pointer_arg(2) argstr = sprintf("%p, %p", header_uaddr, data_uaddr) } -probe nd_syscall.capset.return = kernel.function("sys_capset").return { +probe nd_syscall.capset.return = kprobe.function("sys_capset").return +{ name = "capset" retstr = returnstr(1) } # chdir ______________________________________________________ # long sys_chdir(const char __user * filename) -probe nd_syscall.chdir = kernel.function("sys_chdir") { +probe nd_syscall.chdir = kprobe.function("sys_chdir") +{ name = "chdir" // path = user_string($filename) // argstr = user_string_quoted($filename) @@ -314,14 +328,16 @@ probe nd_syscall.chdir = kernel.function("sys_chdir") { path = user_string(pointer_arg(1)) argstr = user_string_quoted(pointer_arg(1)) } -probe nd_syscall.chdir.return = kernel.function("sys_chdir").return { +probe nd_syscall.chdir.return = kprobe.function("sys_chdir").return +{ name = "chdir" retstr = returnstr(1) } # chmod ______________________________________________________ # long sys_chmod(const char __user * filename, mode_t mode) -probe nd_syscall.chmod = kernel.function("sys_chmod") { +probe nd_syscall.chmod = kprobe.function("sys_chmod") +{ name = "chmod" // path = user_string($filename) // mode = $mode @@ -331,26 +347,29 @@ probe nd_syscall.chmod = kernel.function("sys_chmod") { mode = uint_arg(2) argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode) } -probe nd_syscall.chmod.return = kernel.function("sys_chmod").return { +probe nd_syscall.chmod.return = kprobe.function("sys_chmod").return +{ name = "chmod" retstr = returnstr(1) } # chown ______________________________________________________ # long sys_chown(const char __user * filename, uid_t user, gid_t group) -probe nd_syscall.chown = kernel.function("sys_chown") { +probe nd_syscall.chown = kprobe.function("sys_chown") +{ name = "chown" // path = user_string($filename) // owner = __int32($user) // group = __int32($group) - // argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group) + // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) asmlinkage() path = user_string(pointer_arg(1)) owner = __int32(uint_arg(2)) group = __int32(uint_arg(3)) - argstr = sprintf("%s, %d, %d",user_string_quoted(pointer_arg(1)), owner, group) + argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group) } -probe nd_syscall.chown.return = kernel.function("sys_chown").return { +probe nd_syscall.chown.return = kprobe.function("sys_chown").return +{ name = "chown" retstr = returnstr(1) } @@ -358,7 +377,8 @@ probe nd_syscall.chown.return = kernel.function("sys_chown").return { # long sys_chown16(const char __user * filename, old_uid_t user, # old_gid_t group) # -probe nd_syscall.chown16 = kernel.function("sys_chown16") ? { +probe nd_syscall.chown16 = kprobe.function("sys_chown16") ? +{ name = "chown16" // path = user_string($filename) // owner = __short($user) @@ -370,14 +390,16 @@ probe nd_syscall.chown16 = kernel.function("sys_chown16") ? { group = __short(uint_arg(3)) argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group) } -probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? { +probe nd_syscall.chown16.return = kprobe.function("sys_chown16").return ? +{ name = "chown16" retstr = returnstr(1) } # chroot _____________________________________________________ # long sys_chroot(const char __user * filename) -probe nd_syscall.chroot = kernel.function("sys_chroot") { +probe nd_syscall.chroot = kprobe.function("sys_chroot") +{ name = "chroot" // path = user_string($filename) // argstr = user_string_quoted($filename) @@ -385,7 +407,8 @@ probe nd_syscall.chroot = kernel.function("sys_chroot") { path = user_string(pointer_arg(1)) argstr = user_string_quoted(pointer_arg(1)) } -probe nd_syscall.chroot.return = kernel.function("sys_chroot").return { +probe nd_syscall.chroot.return = kprobe.function("sys_chroot").return +{ name = "chroot" retstr = returnstr(1) } @@ -394,9 +417,8 @@ probe nd_syscall.chroot.return = kernel.function("sys_chroot").return { # long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp) # long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp) # -probe nd_syscall.clock_getres = - kernel.function("sys_clock_getres"), - kernel.function("compat_clock_getres") ? +probe nd_syscall.clock_getres = kprobe.function("sys_clock_getres"), + kprobe.function("compat_clock_getres") ? { name = "clock_getres" // clk_id = $which_clock @@ -409,9 +431,8 @@ probe nd_syscall.clock_getres = res_uaddr = pointer_arg(2) argstr = sprintf("%s, %p", clk_id_str, res_uaddr) } -probe nd_syscall.clock_getres.return = - kernel.function("sys_clock_getres").return, - kernel.function("compat_clock_getres").return ? +probe nd_syscall.clock_getres.return = kprobe.function("sys_clock_getres").return, + kprobe.function("compat_clock_getres").return ? { name = "clock_getres" retstr = returnstr(1) @@ -420,8 +441,7 @@ probe nd_syscall.clock_getres.return = # clock_gettime ______________________________________________ # long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp) # -probe nd_syscall.clock_gettime = - kernel.function("sys_clock_gettime") +probe nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime") { name = "clock_gettime" // clk_id = $which_clock @@ -432,7 +452,7 @@ probe nd_syscall.clock_gettime = clk_id_str = _get_wc_str(clk_id) argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2)) } -probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return +probe nd_syscall.clock_gettime.return = kprobe.function("sys_clock_gettime").return { name = "clock_gettime" retstr = returnstr(1) @@ -444,14 +464,15 @@ probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").ret # const struct timespec __user *rqtp, # struct timespec __user *rmtp) # -probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") { +probe nd_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep") +{ name = "clock_nanosleep" // if ($flags == 1) // flag_str = "TIMER_ABSTIME" // else // flag_str = sprintf("0x%x", $flags) // argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str, - // _struct_timespec_u($rqtp,1), $rmtp) + // _struct_timespec_u($rqtp, 1), $rmtp) asmlinkage() flags = int_arg(2) if (flags == 1) @@ -459,9 +480,10 @@ probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") { else flag_str = sprintf("0x%x", flags) argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str, - _struct_timespec_u(pointer_arg(3),1), pointer_arg(4)) + _struct_timespec_u(pointer_arg(3), 1), pointer_arg(4)) } -probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return { +probe nd_syscall.clock_nanosleep.return = kprobe.function("sys_clock_nanosleep").return +{ name = "clock_nanosleep" retstr = returnstr(1) } @@ -471,9 +493,8 @@ probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep") # struct compat_timespec __user *rqtp, # struct compat_timespec __user *rmtp) # -probe nd_syscall.compat_clock_nanosleep = - kernel.function("compat_clock_nanosleep") ?, - kernel.function("compat_sys_clock_nanosleep") ? +probe nd_syscall.compat_clock_nanosleep = kprobe.function("compat_clock_nanosleep") ?, + kprobe.function("compat_sys_clock_nanosleep") ? { name = "compat_clock_nanosleep" // if ($flags == 1) @@ -481,7 +502,7 @@ probe nd_syscall.compat_clock_nanosleep = // else // flag_str = sprintf("0x%x", $flags) // argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str, - // _struct_compat_timespec_u($rqtp,1), $rmtp) + // _struct_compat_timespec_u($rqtp, 1), $rmtp) asmlinkage() flags = int_arg(2) if (flags == 1) @@ -489,12 +510,11 @@ probe nd_syscall.compat_clock_nanosleep = else flag_str = sprintf("0x%x", flags) argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str, - _struct_compat_timespec_u(pointer_arg(3),1), + _struct_compat_timespec_u(pointer_arg(3), 1), pointer_arg(4)) } -probe nd_syscall.compat_clock_nanosleep.return = - kernel.function("compat_clock_nanosleep").return ?, - kernel.function("compat_sys_clock_nanosleep").return ? +probe nd_syscall.compat_clock_nanosleep.return = kprobe.function("compat_clock_nanosleep").return ?, + kprobe.function("compat_sys_clock_nanosleep").return ? { name = "compat_clock_nanosleep" retstr = returnstr(1) @@ -504,68 +524,75 @@ probe nd_syscall.compat_clock_nanosleep.return = # long sys_clock_settime(clockid_t which_clock, # const struct timespec __user *tp) # -probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") { +probe nd_syscall.clock_settime = kprobe.function("sys_clock_settime") +{ name = "clock_settime" // clk_id = $which_clock // clk_id_str = _get_wc_str($which_clock) // tp_uaddr = $tp - // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1)) + // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1)) asmlinkage() clk_id = int_arg(1) clk_id_str = _get_wc_str(clk_id) tp_uaddr = pointer_arg(2) - argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr,1)) + argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr, 1)) } -probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return { +probe nd_syscall.clock_settime.return = kprobe.function("sys_clock_settime").return +{ name = "clock_settime" retstr = returnstr(1) } # close ______________________________________________________ # long sys_close(unsigned int fd) -probe nd_syscall.close = kernel.function("sys_close") { +probe nd_syscall.close = kprobe.function("sys_close") +{ name = "close" // fd = $fd asmlinkage() fd = int_arg(1) argstr = sprint(fd) } -probe nd_syscall.close.return = kernel.function("sys_close").return { +probe nd_syscall.close.return = kprobe.function("sys_close").return +{ name = "close" retstr = returnstr(1) } # connect ____________________________________________________ # long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen) -probe nd_syscall.connect = kernel.function("sys_connect") ? { +probe nd_syscall.connect = kprobe.function("sys_connect") ? +{ name = "connect" // sockfd = $fd // serv_addr_uaddr = $uservaddr // addrlen = $addrlen - // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen) + // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen) asmlinkage() sockfd = int_arg(1) serv_addr_uaddr = pointer_arg(2) addrlen = int_arg(3) - argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr,addrlen),addrlen) + argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr, addrlen), addrlen) } -probe nd_syscall.connect.return = kernel.function("sys_connect").return ? { +probe nd_syscall.connect.return = kprobe.function("sys_connect").return ? +{ name = "connect" retstr = returnstr(1) } # creat # long sys_creat(const char __user * pathname, int mode) -probe nd_syscall.creat = kernel.function("sys_creat") ? +probe nd_syscall.creat = kprobe.function("sys_creat") ? { name = "creat" // mode = $mode // pathname = user_string($pathname) // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode) + asmlinkage() mode = int_arg(2) pathname = user_string(pointer_arg(1)) argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode) } -probe nd_syscall.creat.return = kernel.function("sys_creat").return ? +probe nd_syscall.creat.return = kprobe.function("sys_creat").return ? { name = "creat" retstr = returnstr(1) @@ -573,20 +600,27 @@ probe nd_syscall.creat.return = kernel.function("sys_creat").return ? # delete_module ______________________________________________ # long sys_delete_module(const char __user *name_user, unsigned int flags) -probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? { +probe nd_syscall.delete_module = kprobe.function("sys_delete_module") ? +{ name = "delete_module" - name_user = user_string($name_user) - flags = $flags - argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags)) + // name_user = user_string($name_user) + // flags = $flags + // argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags)) + asmlinkage() + name_user = user_string(pointer_arg(1)) + flags = uint_arg(2) + argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(uint_arg(2))) } -probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? { +probe nd_syscall.delete_module.return = kprobe.function("sys_delete_module").return ? +{ name = "delete_module" retstr = returnstr(1) } # dup ________________________________________________________ # long sys_dup(unsigned int fildes) -probe nd_syscall.dup = kernel.function("sys_dup") { +probe nd_syscall.dup = kprobe.function("sys_dup") +{ name = "dup" // oldfd = $fildes // argstr = sprint($fildes) @@ -594,32 +628,44 @@ probe nd_syscall.dup = kernel.function("sys_dup") { old_fd = int_arg(1) argstr = sprint(old_fd) } -probe nd_syscall.dup.return = kernel.function("sys_dup").return { +probe nd_syscall.dup.return = kprobe.function("sys_dup").return +{ name = "dup" retstr = returnstr(1) } # dup2 _______________________________________________________ # long sys_dup2(unsigned int oldfd, unsigned int newfd) -probe nd_syscall.dup2 = kernel.function("sys_dup2") { +probe nd_syscall.dup2 = kprobe.function("sys_dup2") +{ name = "dup2" - oldfd = $oldfd - newfd = $newfd - argstr = sprintf("%d, %d", $oldfd, $newfd) + // oldfd = $oldfd + // newfd = $newfd + // argstr = sprintf("%d, %d", $oldfd, $newfd) + asmlinkage() + oldfd = int_arg(1) + newfd = int_arg(2) + argstr = sprintf("%d, %d", oldfd, newfd) } -probe nd_syscall.dup2.return = kernel.function("sys_dup2").return { +probe nd_syscall.dup2.return = kprobe.function("sys_dup2").return +{ name = "dup2" retstr = returnstr(1) } # epoll_create _______________________________________________ # long sys_epoll_create(int size) -probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? { +probe nd_syscall.epoll_create = kprobe.function("sys_epoll_create") ? +{ name = "epoll_create" - size = $size - argstr = sprint($size) + // size = $size + // argstr = sprint($size) + asmlinkage() + size = int_arg(1) + argstr = sprint(size) } -probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? { +probe nd_syscall.epoll_create.return = kprobe.function("sys_epoll_create").return ? +{ name = "epoll_create" retstr = returnstr(1) } @@ -630,21 +676,26 @@ probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").retur # long compat_sys_epoll_ctl(int epfd, int op, int fd, # struct compat_epoll_event __user *event) # -probe nd_syscall.epoll_ctl = - kernel.function("sys_epoll_ctl") ?, - kernel.function("compat_sys_epoll_ctl") ? +probe nd_syscall.epoll_ctl = kprobe.function("sys_epoll_ctl") ?, + kprobe.function("compat_sys_epoll_ctl") ? { name = "epoll_ctl" - epfd = $epfd - op = $op - op_str = _opoll_op_str($op) - fd = $fd - event_uaddr = $event - argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event) + // epfd = $epfd + // eop = $op + // eop_str = _opoll_op_str($op) + // efd = $fd + // eevent_uaddr = $event + // eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event) + asmlinkage() + epfd = int_arg(1) + op = int_arg(2) + op_str = _opoll_op_str(op) + fd = int_arg(3) + event_uaddr = pointer_arg(4) + argstr = sprintf("%d, %s, %d, %p", epfd, op_str, fd, event_uaddr) } -probe nd_syscall.epoll_ctl.return = - kernel.function("sys_epoll_ctl").return ?, - kernel.function("compat_sys_epoll_ctl").return ? +probe nd_syscall.epoll_ctl.return = kprobe.function("sys_epoll_ctl").return ?, + kprobe.function("compat_sys_epoll_ctl").return ? { name = "epoll_ctl" retstr = returnstr(1) @@ -661,17 +712,17 @@ probe nd_syscall.epoll_ctl.return = # const compat_sigset_t __user *sigmask, # compat_size_t sigsetsize) # -probe nd_syscall.epoll_pwait = - kernel.function("sys_epoll_pwait") ?, - kernel.function("compat_sys_epoll_pwait") ? +probe nd_syscall.epoll_pwait = kprobe.function("sys_epoll_pwait") ?, + kprobe.function("compat_sys_epoll_pwait") ? { name = "epoll_pwait" + asmlinkage() argstr = sprintf("%d, %p, %d, %d, %p, %d", - $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize) +// $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize) + int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6)) } -probe nd_syscall.epoll_pwait.return = - kernel.function("sys_epoll_pwait").return ?, - kernel.function("compat_sys_epoll_pwait").return ? +probe nd_syscall.epoll_pwait.return = kprobe.function("sys_epoll_pwait").return ?, + kprobe.function("compat_sys_epoll_pwait").return ? { name = "epoll_pwait" retstr = returnstr(1) @@ -685,20 +736,24 @@ probe nd_syscall.epoll_pwait.return = # struct compat_epoll_event __user *events, # int maxevents, int timeout) # -probe nd_syscall.epoll_wait = - kernel.function("sys_epoll_wait") ?, - kernel.function("compat_sys_epoll_wait") ? +probe nd_syscall.epoll_wait = kprobe.function("sys_epoll_wait") ?, + kprobe.function("compat_sys_epoll_wait") ? { name = "epoll_wait" - epfd = $epfd - events_uaddr = $events - maxevents = $maxevents - timeout = $timeout - argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout) + // epfd = $epfd + // events_uaddr = $events + // maxevents = $maxevents + // timeout = $timeout + // argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout) + asmlinkage() + epfd = int_arg(1) + events_uaddr = pointer_arg(2) + maxevents = int_arg(3) + timeout = int_arg(4) + argstr = sprintf("%d, %p, %d, %d", epfd, events_uaddr, maxevents, timeout) } -probe nd_syscall.epoll_wait.return = - kernel.function("sys_epoll_wait").return ?, - kernel.function("compat_sys_epoll_wait").return ? +probe nd_syscall.epoll_wait.return = kprobe.function("sys_epoll_wait").return ?, + kprobe.function("compat_sys_epoll_wait").return ? { name = "epoll_wait" retstr = returnstr(1) @@ -707,11 +762,15 @@ probe nd_syscall.epoll_wait.return = # eventfd _____________________________________________________ # long sys_eventfd(unsigned int count) # -probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? { +probe nd_syscall.eventfd = kprobe.function("sys_eventfd") ? +{ name = "eventfd" - argstr = sprint($count) + // argstr = sprint($count) + asmlinkage() + argstr = sprint(uint_arg(1)) } -probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? { +probe nd_syscall.eventfd.return = kprobe.function("sys_eventfd").return ? +{ name = "eventfd" retstr = returnstr(1) } @@ -723,18 +782,21 @@ probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? { # char __user *__user *argv, # char __user *__user *envp, # struct pt_regs * regs) -probe nd_syscall.execve = kernel.function("do_execve") { +probe nd_syscall.execve = kprobe.function("do_execve") +{ name = "execve" // filename = kernel_string($filename) // args = __get_argv($argv, 0) // argstr = sprintf("%s %s", filename, __get_argv($argv, 1)) + asmlinkage() filename = kernel_string(pointer_arg(1)) args = __get_argv(pointer_arg(2), 0) argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1)) } # v2.6.15-rc2 or earlier has problems with sys_execve return probes # another reason to probe on do_execve -probe nd_syscall.execve.return = kernel.function("do_execve").return { +probe nd_syscall.execve.return = kprobe.function("do_execve").return +{ name = "execve" retstr = returnstr(1) } @@ -742,33 +804,47 @@ probe nd_syscall.execve.return = kernel.function("do_execve").return { # compat_uptr_t __user *argv, # compat_uptr_t __user *envp, # struct pt_regs * regs) -probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? { +probe nd_syscall.compat_execve = kprobe.function("compat_do_execve") ? +{ name = "compat_execve" - filename = kernel_string($filename) - args = __get_compat_argv($argv, 0) - argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1)) + // filename = kernel_string($filename) + // args = __get_compat_argv($argv, 0) + // argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1)) + asmlinkage() + filename = kernel_string(pointer_arg(1)) + args = __get_compat_argv(pointer_arg(2), 0) + argstr = sprintf("%s %s", filename, __get_compat_argv(pointer_arg(2), 1)) } -probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return ? { +probe nd_syscall.compat_execve.return = kprobe.function("compat_do_execve").return ? +{ name = "compat_execve" retstr = returnstr(1) } # exit _______________________________________________________ # long sys_exit(int error_code) -probe nd_syscall.exit = kernel.function("do_exit") { +probe nd_syscall.exit = kprobe.function("do_exit") +{ name = "exit" - status = $code - argstr = sprint($code) + // status = $code + // argstr = sprint($code) + asmlinkage() + status = int_arg(1) + argstr = sprint(status) } probe nd_syscall.exit.return = end {} # exit_group _________________________________________________ # void sys_exit_group(int error_code) # -probe nd_syscall.exit_group = kernel.function("sys_exit_group") { +probe nd_syscall.exit_group = kprobe.function("sys_exit_group") +{ name = "exit_group" - status = $error_code - argstr = sprint($error_code) + // status = $error_code + // argstr = sprint($error_code) + asmlinkage() + status = int_arg(1) + argstr = sprint(status) } probe nd_syscall.exit_group.return = end {} @@ -777,15 +853,23 @@ probe nd_syscall.exit_group.return = end {} # fadvise64 __________________________________________________ # long sys_fadvise64(int fd, loff_t offset, size_t len, int advice) # -probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? { +probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") ? +{ name = "fadvise64" - fs = $fd - offset = $offset - len = $len - advice = $advice - argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice)) + // fd = $fd + // offset = $offset + // len = $len + // advice = $advice + // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice)) + asmlinkage() + fd = int_arg(1) + offset = longlong_arg(2) + len = ulong_arg(3) + advice = int_arg(4) + argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice)) } -probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? { +probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return ? +{ name = "fadvise64" retstr = returnstr(1) } @@ -793,15 +877,23 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? { # fadvise64_64 _______________________________________________ # long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) # -probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") { +probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64") +{ name = "fadvise64_64" - fs = $fd - offset = $offset - len = $len - advice = $advice - argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice)) + // fd = $fd + // offset = $offset + // len = $len + // advice = $advice + // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice)) + asmlinkage() + fd = int_arg(1) + offset = longlong_arg(2) + len = ulong_arg(3) + advice = int_arg(4) + argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice)) } -probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return { +probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return +{ name = "fadvise64_64" retstr = returnstr(1) } @@ -811,15 +903,17 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu # fadvise64 __________________________________________________ # long sys_fadvise64(int fd, loff_t offset, size_t len, int advice) # -probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") { +probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") +{ name = "fadvise64" - fs = 0 + fd = 0 offset = 0 len = 0 advice = 0 argstr = "" } -probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return { +probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return +{ name = "fadvise64" retstr = returnstr(1) } @@ -827,15 +921,17 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return { # fadvise64_64 _______________________________________________ # long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) # -probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") { +probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64") +{ name = "fadvise64_64" - fs = 0 + fd = 0 offset = 0 len = 0 advice = 0 argstr = "" } -probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return { +probe nd_syscall.fadvise64_64.return = kprobe.function("sys_fadvise64_64").return +{ name = "fadvise64_64" retstr = returnstr(1) } @@ -843,53 +939,77 @@ probe nd_syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").retu # fchdir _____________________________________________________ # long sys_fchdir(unsigned int fd) -probe nd_syscall.fchdir = kernel.function("sys_fchdir") { +probe nd_syscall.fchdir = kprobe.function("sys_fchdir") +{ name = "fchdir" - fd = $fd - argstr = sprint($fd) + // fd = $fd + // argstr = sprint($fd) + asmlinkage() + fd = int_arg(1) + argstr = sprint(fd) } -probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return { +probe nd_syscall.fchdir.return = kprobe.function("sys_fchdir").return +{ name = "fchdir" retstr = returnstr(1) } # fchmod _____________________________________________________ # long sys_fchmod(unsigned int fd, mode_t mode) -probe nd_syscall.fchmod = kernel.function("sys_fchmod") { +probe nd_syscall.fchmod = kprobe.function("sys_fchmod") +{ name = "fchmod" - fildes = $fd - mode = $mode - argstr = sprintf("%d, %#o", $fd, $mode) + // fildes = $fd + // mode = $mode + asmlinkage() + fildes = int_arg(1) + mode = uint_arg(2) # SAFE? + argstr = sprintf("%d, %#o", fildes, mode) } -probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return { +probe nd_syscall.fchmod.return = kprobe.function("sys_fchmod").return +{ name = "fchmod" retstr = returnstr(1) } # fchown _____________________________________________________ # long sys_fchown(unsigned int fd, uid_t user, gid_t group) -probe nd_syscall.fchown = kernel.function("sys_fchown") { +probe nd_syscall.fchown = kprobe.function("sys_fchown") +{ name = "fchown" - fd = $fd - owner = __int32($user) - group = __int32($group) - argstr = sprintf("%d, %d, %d", $fd, owner, group) + // fd = $fd + // owner = __int32($user) + // group = __int32($group) + // argstr = sprintf("%d, %d, %d", $fd, owner, group) + asmlinkage() + fd = int_arg(1) + owner = __int32(uint_arg(2)) + group = __int32(uint_arg(3)) + argstr = sprintf("%d, %d, %d", fd, owner, group) } -probe nd_syscall.fchown.return = kernel.function("sys_fchown").return { +probe nd_syscall.fchown.return = kprobe.function("sys_fchown").return +{ name = "fchown" retstr = returnstr(1) } # fchown16 ___________________________________________________ # long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group) -probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? { +probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ? +{ name = "fchown16" - fd = $fd - owner = __short($user) - group = __short($group) - argstr = sprintf("%d, %d, %d", $fd, owner, group) + // fd = $fd + // owner = __short($user) + // group = __short($group) + // argstr = sprintf("%d, %d, %d", $fd, owner, group) + asmlinkage() + fd = int_arg(1) + owner = __short(uint_arg(2)) + group = __short(uint_arg(3)) + argstr = sprintf("%d, %d, %d", fd, owner, group) } -probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? { +probe nd_syscall.fchown16.return = kprobe.function("sys_fchown16").return ? +{ name = "fchown16" retstr = returnstr(1) } @@ -900,24 +1020,28 @@ probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? { # long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg) # long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg) # -probe nd_syscall.fcntl = - kernel.function("sys_fcntl") ?, - kernel.function("sys_fcntl64") ?, - kernel.function("compat_sys_fcntl") ?, - kernel.function("compat_sys_fcntl64") ? +probe nd_syscall.fcntl = kprobe.function("sys_fcntl") ?, + kprobe.function("sys_fcntl64") ?, + kprobe.function("compat_sys_fcntl") ?, + kprobe.function("compat_sys_fcntl64") ? { name = "fcntl" - fd = $fd - cmd = $cmd - cmd_str = _fcntl_cmd_str($cmd) - arg = $arg - argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg) -} -probe nd_syscall.fcntl.return = - kernel.function("sys_fcntl").return ?, - kernel.function("sys_fcntl64").return ?, - kernel.function("compat_sys_fcntl").return ?, - kernel.function("compat_sys_fcntl64").return ? + // fd = $fd + // cmd = $cmd + // cmd_str = _fcntl_cmd_str($cmd) + // arg = $arg + // argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg) + asmlinkage() + fd = int_arg(1) + cmd = int_arg(2) + cmd_str = _fcntl_cmd_str(cmd) + arg = long_arg(3) + argstr = sprintf("%d, %s, %p", fd, cmd_str, arg) +} +probe nd_syscall.fcntl.return = kprobe.function("sys_fcntl").return ?, + kprobe.function("sys_fcntl64").return ?, + kprobe.function("compat_sys_fcntl").return ?, + kprobe.function("compat_sys_fcntl64").return ? { name = "fcntl" retstr = returnstr(1) @@ -925,12 +1049,16 @@ probe nd_syscall.fcntl.return = # fdatasync __________________________________________________ # long sys_fdatasync(unsigned int fd) -probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") { +probe nd_syscall.fdatasync = kprobe.function("sys_fdatasync") +{ name = "fdatasync" - fd = $fd + // fd = $fd + asmlinkage() + fd = int_arg(1) argstr = sprint(fd) } -probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return { +probe nd_syscall.fdatasync.return = kprobe.function("sys_fdatasync").return +{ name = "fdatasync" retstr = returnstr(1) } @@ -938,42 +1066,61 @@ probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return { # fgetxattr __________________________________________________ # ssize_t sys_fgetxattr(int fd, char __user *name, # void __user *value, size_t size) -probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") { +probe nd_syscall.fgetxattr = kprobe.function("sys_fgetxattr") +{ name = "fgetxattr" - filedes = $fd -#FIXME - name2 = user_string($name) - value_uaddr = $value - size = $size - argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size) -} -probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return { + // filedes = $fd + // name2 = user_string($name) + // value_uaddr = $value + // size = $size + // argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size) + asmlinkage() + filedes = int_arg(1) + # FIXME + name2 = user_string(pointer_arg(2)) + value_uaddr = pointer_arg(3) + size = ulong_arg(4) + argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size) +} +probe nd_syscall.fgetxattr.return = kprobe.function("sys_fgetxattr").return +{ name = "fgetxattr" retstr = returnstr(1) } # flistxattr _________________________________________________ # ssize_t sys_flistxattr(int fd, char __user *list, size_t size) -probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") { +probe nd_syscall.flistxattr = kprobe.function("sys_flistxattr") +{ name = "flistxattr" - filedes = $fd - list_uaddr = $list - size = $size + // filedes = $fd + // list_uaddr = $list + // size = $size + asmlinkage() + filedes = int_arg(1) + list_uaddr = pointer_arg(2) + size = ulong_arg(3) argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size) } -probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return { +probe nd_syscall.flistxattr.return = kprobe.function("sys_flistxattr").return +{ name = "flistxattr" retstr = returnstr(1) } # flock ______________________________________________________ # long sys_flock(unsigned int fd, unsigned int cmd) -probe nd_syscall.flock = kernel.function("sys_flock") { +probe nd_syscall.flock = kprobe.function("sys_flock") +{ name = "flock" - fd = $fd - operation = $cmd + // fd = $fd + // operation = $cmd + asmlinkage() + fd = int_arg(1) + operation = int_arg(2) argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation)) } -probe nd_syscall.flock.return = kernel.function("sys_flock").return { +probe nd_syscall.flock.return = kprobe.function("sys_flock").return +{ name = "flock" retstr = returnstr(1) } @@ -1016,13 +1163,15 @@ CATCH_DEREF_FAULT(); # unsigned long stack_size, # int __user *parent_tidptr, # int __user *child_tidptr) -probe nd_syscall.fork = kernel.function("do_fork") { +probe nd_syscall.fork = kprobe.function("do_fork") +{ // clone_flags = $clone_flags // stack_start = $stack_start // regs = $regs // stack_size = $stack_size // parent_tid_uaddr = $parent_tidptr // child_tid_uaddr = $child_tidptr + asmlinkage() clone_flags = ulong_arg(1) stack_start = ulong_arg(2) regs = pointer_arg(3) @@ -1042,19 +1191,27 @@ probe nd_syscall.fork = kernel.function("do_fork") { argstr = __fork_flags(clone_flags) } } -probe nd_syscall.fork.return = kernel.function("do_fork").return { +probe nd_syscall.fork.return = kprobe.function("do_fork").return +{ name = "fork" retstr = returnstr(1) } # fremovexattr _______________________________________________ # long sys_fremovexattr(int fd, char __user *name) -probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") { +probe nd_syscall.fremovexattr = kprobe.function("sys_fremovexattr") +{ name = "fremovexattr" - filedes = $fd - name_uaddr = $name - argstr = sprintf("FIXME PLEASE") + // filedes = $fd + // name2 = user_string($name) + // argstr = sprintf("%d, %s", $fd, user_string_quoted($name)) + asmlinkage() + filedes = int_arg(1) + # FIXME + name2 = user_string(pointer_arg(2)) + argstr = sprintf("%d, %s", filedes, user_string_quoted(pointer_arg(2))) } -probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return { +probe nd_syscall.fremovexattr.return = kprobe.function("sys_fremovexattr").return +{ name = "fremovexattr" retstr = returnstr(1) } @@ -1068,17 +1225,26 @@ probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").retur * size_t size, * int flags) */ -probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") { +probe nd_syscall.fsetxattr = kprobe.function("sys_fsetxattr") +{ name = "fsetxattr" - filedes = $fd -# FIXME - name2 = user_string($name) - value_uaddr = $value - size = $size - flags = $flags - argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags) -} -probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return { + // filedes = $fd + // name2 = user_string($name) + // value_uaddr = $value + // size = $size + // flags = $flags + // argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags) + asmlinkage() + filedes = int_arg(1) + # FIXME + name2 = user_string(pointer_arg(2)) + value_uaddr = pointer_arg(3) + size = ulong_arg(4) + flags = int_arg(5) + argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size, flags) +} +probe nd_syscall.fsetxattr.return = kprobe.function("sys_fsetxattr").return +{ name = "fsetxattr" retstr = returnstr(1) } @@ -1092,26 +1258,28 @@ probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return { # struct oldabi_stat64 __user * statbuf) # long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf) # -probe nd_syscall.fstat = - kernel.function("sys_fstat") ?, - kernel.function("sys_fstat64") ?, - kernel.function("sys32_fstat64") ?, - kernel.function("sys_newfstat") ?, - kernel.function("sys_oabi_fstat64") ?, - kernel.function("compat_sys_newfstat") ? +probe nd_syscall.fstat = kprobe.function("sys_fstat") ?, + kprobe.function("sys_fstat64") ?, + kprobe.function("sys32_fstat64") ?, + kprobe.function("sys_newfstat") ?, + kprobe.function("sys_oabi_fstat64") ?, + kprobe.function("compat_sys_newfstat") ? { name = "fstat" - filedes = $fd - buf_uaddr = $statbuf - argstr = sprintf("%d, %p", $fd, $statbuf) -} -probe nd_syscall.fstat.return = - kernel.function("sys_fstat").return ?, - kernel.function("sys_fstat64").return ?, - kernel.function("sys32_fstat64").return ?, - kernel.function("sys_newfstat").return ?, - kernel.function("sys_oabi_fstat64").return ?, - kernel.function("compat_sys_newfstat").return ? + // filedes = $fd + // buf_uaddr = $statbuf + // argstr = sprintf("%d, %p", $fd, $statbuf) + asmlinkage() + filedes = int_arg(1) + buf_uaddr = pointer_arg(2) + argstr = sprintf("%d, %p", filedes, buf_uaddr) +} +probe nd_syscall.fstat.return = kprobe.function("sys_fstat").return ?, + kprobe.function("sys_fstat64").return ?, + kprobe.function("sys32_fstat64").return ?, + kprobe.function("sys_newfstat").return ?, + kprobe.function("sys_oabi_fstat64").return ?, + kprobe.function("compat_sys_newfstat").return ? { name = "fstat" retstr = returnstr(1) @@ -1122,23 +1290,26 @@ probe nd_syscall.fstat.return = # long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag) # long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag) # long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag) -probe nd_syscall.fstatat = - kernel.function("sys_fstatat64") ?, - kernel.function("sys_newfstatat") ?, - kernel.function("compat_sys_newfstatat") ?, - kernel.function("sys32_fstatat64") ? +probe nd_syscall.fstatat = kprobe.function("sys_fstatat64") ?, + kprobe.function("sys_newfstatat") ?, + kprobe.function("compat_sys_newfstatat") ?, + kprobe.function("sys32_fstatat64") ? { name = "fstatat" - dirfd = $dfd - path = user_string($filename) - buf_uaddr = $statbuf - argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag)) + // dirfd = $dfd + // path = user_string($filename) + // buf_uaddr = $statbuf + // argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag)) + asmlinkage() + dirfd = int_arg(1) + path = user_string(pointer_arg(2)) + buf_uaddr = pointer_arg(3) + argstr = sprintf("%s, %s, %p, %s", _dfd_str(dirfd), user_string_quoted(pointer_arg(2)), buf_uaddr, _at_flag_str(int_arg(4))) } -probe nd_syscall.fstatat.return = - kernel.function("sys_fstatat64").return ?, - kernel.function("sys_newfstatat").return ?, - kernel.function("compat_sys_newfstatat").return ?, - kernel.function("sys32_fstatat64").return ? +probe nd_syscall.fstatat.return = kprobe.function("sys_fstatat64").return ?, + kprobe.function("sys_newfstatat").return ?, + kprobe.function("compat_sys_newfstatat").return ?, + kprobe.function("sys32_fstatat64").return ? { name = "fstatat" retstr = returnstr(1) @@ -1148,18 +1319,20 @@ probe nd_syscall.fstatat.return = # long sys_fstatfs(unsigned int fd, struct statfs __user * buf) # long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf) # -probe nd_syscall.fstatfs = - kernel.function("sys_fstatfs"), - kernel.function("compat_sys_fstatfs") ? +probe nd_syscall.fstatfs = kprobe.function("sys_fstatfs"), + kprobe.function("compat_sys_fstatfs") ? { name = "fstatfs" - fd = $fd - buf_uaddr = $buf - argstr = sprintf("%d, %p", $fd, $buf) + // fd = $fd + // buf_uaddr = $buf + // argstr = sprintf("%d, %p", $fd, $buf) + asmlinkage() + fd = int_arg(1) + buf_uaddr = pointer_arg(2) + argstr = sprintf("%d, %p", fd, buf_uaddr) } -probe nd_syscall.fstatfs.return = - kernel.function("sys_fstatfs").return, - kernel.function("compat_sys_fstatfs").return ? +probe nd_syscall.fstatfs.return = kprobe.function("sys_fstatfs").return, + kprobe.function("compat_sys_fstatfs").return ? { name = "fstatfs" retstr = returnstr(1) @@ -1169,19 +1342,22 @@ probe nd_syscall.fstatfs.return = # long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf) # long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf) # -probe nd_syscall.fstatfs64 = - kernel.function("sys_fstatfs64") ?, - kernel.function("compat_sys_fstatfs64") ? +probe nd_syscall.fstatfs64 = kprobe.function("sys_fstatfs64") ?, + kprobe.function("compat_sys_fstatfs64") ? { name = "fstatfs" - fd = $fd - sz = $sz - buf_uaddr = $buf - argstr = sprintf("%d, %d, %p", $fd, $sz, $buf) + // fd = $fd + // sz = $sz + // buf_uaddr = $buf + // argstr = sprintf("%d, %d, %p", $fd, $sz, $buf) + asmlinkage() + fd = int_arg(1) + sz = ulong_arg(2) + buf_uaddr = pointer_arg(3) + argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr) } -probe nd_syscall.fstatfs64.return = - kernel.function("sys_fstatfs64").return ?, - kernel.function("compat_sys_fstatfs64").return ? +probe nd_syscall.fstatfs64.return = kprobe.function("sys_fstatfs64").return ?, + kprobe.function("compat_sys_fstatfs64").return ? { name = "fstatfs" retstr = returnstr(1) @@ -1189,37 +1365,51 @@ probe nd_syscall.fstatfs64.return = # fsync ______________________________________________________ # long sys_fsync(unsigned int fd) -probe nd_syscall.fsync = kernel.function("sys_fsync") { +probe nd_syscall.fsync = kprobe.function("sys_fsync") +{ name = "fsync" - fd = $fd + // fd = $fd + asmlinkage() + fd = int_arg(1) argstr = sprint(fd) } -probe nd_syscall.fsync.return = kernel.function("sys_fsync").return { +probe nd_syscall.fsync.return = kprobe.function("sys_fsync").return +{ name = "fsync" retstr = returnstr(1) } # ftruncate __________________________________________________ # long sys_ftruncate(unsigned int fd, unsigned long length) -probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") { +probe nd_syscall.ftruncate = kprobe.function("sys_ftruncate") +{ name = "ftruncate" - fd = $fd - length = $length + // fd = $fd + // length = $length + asmlinkage() + fd = int_arg(1) + length = ulong_arg(2) argstr = sprintf("%d, %d", fd, length) } -probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return { +probe nd_syscall.ftruncate.return = kprobe.function("sys_ftruncate").return +{ name = "ftruncate" retstr = returnstr(1) } # ftruncate64 ________________________________________________ # long sys_ftruncate64(unsigned int fd, loff_t length) -probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? { +probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ? +{ name = "ftruncate" - fd = $fd - length = $length + // fd = $fd + // length = $length + asmlinkage() + fd = int_arg(1) + length = longlong_arg(2) argstr = sprintf("%d, %d", fd, length) } -probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? { +probe nd_syscall.ftruncate64.return = kprobe.function("sys_ftruncate64").return ? +{ name = "ftruncate" retstr = returnstr(1) } @@ -1235,7 +1425,8 @@ probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return # struct compat_timespec __user *utime, u32 __user *uaddr2, # u32 val3) # -probe nd_syscall.futex = kernel.function("sys_futex") ? { +probe nd_syscall.futex = kprobe.function("sys_futex") ? +{ name = "futex" // futex_uaddr = $uaddr // op = $op @@ -1245,7 +1436,7 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? { // val3 = $val3 // if (op == 0) // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), - // $val, _struct_timespec_u($utime,1)) + // $val, _struct_timespec_u($utime, 1)) // else // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), // $val) @@ -1259,16 +1450,18 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? { if (op == 0) argstr = sprintf("%p, %s, %d, %s", futex_uaddr, _futex_op_str(op), val, - _struct_timespec_u(utime_uaddr,1)) + _struct_timespec_u(utime_uaddr, 1)) else argstr = sprintf("%p, %s, %d", futex_uaddr, _futex_op_str(op), val) } -probe nd_syscall.futex.return = kernel.function("sys_futex").return ? { +probe nd_syscall.futex.return = kprobe.function("sys_futex").return ? +{ name = "futex" retstr = returnstr(1) } -probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? { +probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ? +{ name = "futex" // futex_uaddr = $uaddr // op = $op @@ -1278,7 +1471,7 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? { // val3 = $val3 // if (op == 0) // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), - // $val, _struct_compat_timespec_u($utime,1)) + // $val, _struct_compat_timespec_u($utime, 1)) // else // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), // $val) @@ -1292,12 +1485,13 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? { if (op == 0) argstr = sprintf("%p, %s, %d, %s", futex_uaddr, _futex_op_str(op), val, - _struct_compat_timespec_u(utime_uaddr,1)) + _struct_compat_timespec_u(utime_uaddr, 1)) else argstr = sprintf("%p, %s, %d", futex_uaddr, _futex_op_str(op), val) } -probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? { +probe nd_syscall.compat_futex.return = kprobe.function("compat_sys_futex").return ? +{ name = "futex" retstr = returnstr(1) } @@ -1308,69 +1502,95 @@ probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").retur # long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t) # -probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? { +probe nd_syscall.futimesat = kprobe.function("sys_futimesat") ? +{ name = "futimesat" - dirfd = $dfd - filename_uaddr = $filename - filename = user_string($filename) - tvp_uaddr = $utimes - argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), - _struct_timeval_u($utimes, 2)) -} -probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? { + // dirfd = $dfd + // filename_uaddr = $filename + // filename = user_string($filename) + // tvp_uaddr = $utimes + // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), + // _struct_timeval_u($utimes, 2)) + asmlinkage() + dirfd = int_arg(1) + filename_uaddr = pointer_arg(2) + filename = user_string(filename_uaddr) + tvp_uaddr = pointer_arg(3) + argstr = sprintf("%s, %s, %s", _dfd_str(dirfd), user_string_quoted(filename_uaddr), + _struct_timeval_u(tvp_uaddr, 2)) +} +probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ? +{ name = "futimesat" - dirfd = $dfd - filename_uaddr = $filename - filename = user_string($filename) - tvp_uaddr = $t - argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), - _struct_compat_timeval_u($t, 2)) -} -probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? { + // dirfd = $dfd + // filename_uaddr = $filename + // filename = user_string($filename) + // tvp_uaddr = $utimes + // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), + // _struct_timeval_u($utimes, 2)) + asmlinkage() + dirfd = uint_arg(1) + filename_uaddr = pointer_arg(2) + filename = user_string(pointer_arg(2)) + tvp_uaddr = pointer_arg(3) + argstr = sprintf("%s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)), + _struct_compat_timeval_u(pointer_arg(3), 2)) +} +probe nd_syscall.futimesat.return = kprobe.function("sys_futimesat").return ? +{ name = "futimesat" retstr = returnstr(1) } -probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? { +probe nd_syscall.compat_futimesat.return = kprobe.function("compat_sys_futimesat").return ? +{ name = "futimesat" retstr = returnstr(1) } # getcwd _____________________________________________________ # long sys_getcwd(char __user *buf, unsigned long size) -probe nd_syscall.getcwd = kernel.function("sys_getcwd") { +probe nd_syscall.getcwd = kprobe.function("sys_getcwd") +{ name = "getcwd" - buf_uaddr = $buf - size = $size + // buf_uaddr = $buf + // size = $size + asmlinkage() + buf_uaddr = pointer_arg(1) + size = ulong_arg(2) argstr = sprintf("%p, %d", buf_uaddr, size) } -probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return { +probe nd_syscall.getcwd.return = kprobe.function("sys_getcwd").return +{ name = "getcwd" retstr = returnstr(1) } # getdents ___________________________________________________ # long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count) -# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count) +# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count) # long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count) # long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count) # -probe nd_syscall.getdents = - kernel.function("sys_getdents") ?, - kernel.function("sys_getdents64") ?, - kernel.function("compat_sys_getdents") ?, - kernel.function("compat_sys_getdents64") ? +probe nd_syscall.getdents = kprobe.function("sys_getdents") ?, + kprobe.function("sys_getdents64") ?, + kprobe.function("compat_sys_getdents") ?, + kprobe.function("compat_sys_getdents64") ? { name = "getdents" - fd = $fd - dirp_uaddr = $dirent - count = $count - argstr = sprintf("%d, %p, %d", $fd, $dirent, $count) + // fd = $fd + // dirp_uaddr = $dirent + // count = $count + // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count) + asmlinkage() + fd = int_arg(1) + dirp_uaddr = pointer_arg(2) + count = uint_arg(3) + argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count) } -probe nd_syscall.getdents.return = - kernel.function("sys_getdents").return ?, - kernel.function("sys_getdents64").return ?, - kernel.function("compat_sys_getdents").return ?, - kernel.function("compat_sys_getdents64").return ? +probe nd_syscall.getdents.return = kprobe.function("sys_getdents").return ?, + kprobe.function("sys_getdents64").return ?, + kprobe.function("compat_sys_getdents").return ?, + kprobe.function("compat_sys_getdents64").return ? { name = "getdents" retstr = returnstr(1) @@ -1381,18 +1601,16 @@ probe nd_syscall.getdents.return = # long sys_getegid16(void) # long sys32_getegid16(void) # -probe nd_syscall.getegid = - kernel.function("sys_getegid16") ?, - kernel.function("sys32_getegid16") ?, - kernel.function("sys_getegid") +probe nd_syscall.getegid = kprobe.function("sys_getegid16") ?, + kprobe.function("sys32_getegid16") ?, + kprobe.function("sys_getegid") { name = "getegid" argstr = "" } -probe nd_syscall.getegid.return = - kernel.function("sys_getegid16").return ?, - kernel.function("sys32_getegid16").return ?, - kernel.function("sys_getegid").return +probe nd_syscall.getegid.return = kprobe.function("sys_getegid16").return ?, + kprobe.function("sys32_getegid16").return ?, + kprobe.function("sys_getegid").return { name = "getegid" retstr = returnstr(1) @@ -1402,18 +1620,16 @@ probe nd_syscall.getegid.return = # long sys_geteuid(void) # long sys32_geteuid16(void) # -probe nd_syscall.geteuid = - kernel.function("sys_geteuid16") ?, - kernel.function("sys32_geteuid16") ?, - kernel.function("sys_geteuid") +probe nd_syscall.geteuid = kprobe.function("sys_geteuid16") ?, + kprobe.function("sys32_geteuid16") ?, + kprobe.function("sys_geteuid") { name = "geteuid" argstr = "" } -probe nd_syscall.geteuid.return = - kernel.function("sys_geteuid16").return ?, - kernel.function("sys32_geteuid16").return ?, - kernel.function("sys_geteuid").return +probe nd_syscall.geteuid.return = kprobe.function("sys_geteuid16").return ?, + kprobe.function("sys32_geteuid16").return ?, + kprobe.function("sys_geteuid").return { name = "geteuid" retstr = returnstr(1) @@ -1423,18 +1639,16 @@ probe nd_syscall.geteuid.return = # long sys_getgid(void) # long sys32_getgid16(void) # -probe nd_syscall.getgid = - kernel.function("sys_getgid16") ?, - kernel.function("sys32_getgid16") ?, - kernel.function("sys_getgid") +probe nd_syscall.getgid = kprobe.function("sys_getgid16") ?, + kprobe.function("sys32_getgid16") ?, + kprobe.function("sys_getgid") { name = "getgid" argstr = "" } -probe nd_syscall.getgid.return = - kernel.function("sys_getgid16").return ?, - kernel.function("sys32_getgid16").return ?, - kernel.function("sys_getgid").return +probe nd_syscall.getgid.return = kprobe.function("sys_getgid16").return ?, + kprobe.function("sys32_getgid16").return ?, + kprobe.function("sys_getgid").return { name = "getgid" retstr = returnstr(1) @@ -1445,20 +1659,22 @@ probe nd_syscall.getgid.return = # long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist) # long sys32_getgroups16(int gidsetsize, u16 __user *grouplist) # -probe nd_syscall.getgroups = - kernel.function("sys_getgroups") ?, - kernel.function("sys_getgroups16") ?, - kernel.function("sys32_getgroups16") ? +probe nd_syscall.getgroups = kprobe.function("sys_getgroups") ?, + kprobe.function("sys_getgroups16") ?, + kprobe.function("sys32_getgroups16") ? { name = "getgroups" - size = $gidsetsize - list_uaddr = $grouplist - argstr = sprintf("%d, %p", $gidsetsize, $grouplist) + // size = $gidsetsize + // list_uaddr = $grouplist + // argstr = sprintf("%d, %p", $gidsetsize, $grouplist) + asmlinkage() + size = int_arg(1) + list_uaddr = pointer_arg(2) + argstr = sprintf("%d, %p", size, list_uaddr) } -probe nd_syscall.getgroups.return = - kernel.function("sys_getgroups").return ?, - kernel.function("sys_getgroups16").return ?, - kernel.function("sys32_getgroups16").return ? +probe nd_syscall.getgroups.return = kprobe.function("sys_getgroups").return ?, + kprobe.function("sys_getgroups16").return ?, + kprobe.function("sys32_getgroups16").return ? { name = "getgroups" retstr = returnstr(1) @@ -1466,13 +1682,18 @@ probe nd_syscall.getgroups.return = # gethostname ________________________________________________ # long sys_gethostname(char __user *name, int len) -probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? { +probe nd_syscall.gethostname = kprobe.function("sys_gethostname") ? +{ name = "gethostname" - name_uaddr = $name - len = $len + // name_uaddr = $name + // len = $len + asmlinkage() + name_uaddr = pointer_arg(1) + len = int_arg(2) argstr = sprintf ("%p, %d", name_uaddr, len) } -probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? { +probe nd_syscall.gethostname.return = kprobe.function("sys_gethostname").return ? +{ name = "gethostname" retstr = returnstr(1) } @@ -1480,24 +1701,36 @@ probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return # getitimer __________________________________________________ # sys_getitimer(int which, struct itimerval __user *value) # -probe nd_syscall.getitimer = kernel.function("sys_getitimer") { +probe nd_syscall.getitimer = kprobe.function("sys_getitimer") +{ name = "getitimer" - which = $which - value_uaddr = $value - argstr = sprintf("%s, %p", _itimer_which_str($which), $value) + // which = $which + // value_uaddr = $value + // argstr = sprintf("%s, %p", _itimer_which_str($which), $value) + asmlinkage() + which = int_arg(1) + value_uaddr = pointer_arg(2) + argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr ) } -probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return { +probe nd_syscall.getitimer.return = kprobe.function("sys_getitimer").return +{ name = "getitimer" retstr = returnstr(1) } # long compat_sys_getitimer(int which, struct compat_itimerval __user *it -probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? { +probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ? +{ name = "getitimer" - which = $which - value_uaddr = $it - argstr = sprintf("%s, %p", _itimer_which_str($which), $it) + // which = $which + // value_uaddr = $it + // argstr = sprintf("%s, %p", _itimer_which_str($which), $it) + asmlinkage() + which = int_arg(1) + value_uaddr = pointer_arg(2) + argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr) } -probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? { +probe nd_syscall.compat_getitimer.return = kprobe.function("compat_sys_getitimer").return ? +{ name = "getitimer" retstr = returnstr(1) } @@ -1513,22 +1746,28 @@ probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer # compat_ulong_t maxnode, # compat_ulong_t addr, compat_ulong_t flags) # -probe nd_syscall.get_mempolicy = - kernel.function("sys_get_mempolicy") ?, - kernel.function("compat_sys_get_mempolicy") ? +probe nd_syscall.get_mempolicy = kprobe.function("sys_get_mempolicy") ?, + kprobe.function("compat_sys_get_mempolicy") ? { name = "get_mempolicy" - policy_uaddr = $policy - nmask_uaddr = $nmask - maxnode = $maxnode - addr = $addr - flags = $flags - argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy, - $nmask, $maxnode, $addr, $flags) -} -probe nd_syscall.get_mempolicy.return = - kernel.function("sys_get_mempolicy").return ?, - kernel.function("compat_sys_get_mempolicy").return ? + // policy_uaddr = $policy + // nmask_uaddr = $nmask + // maxnode = $maxnode + // addr = $addr + // flags = $flags + // argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy, + // $nmask, $maxnode, $addr, $flags) + asmlinkage() + policy_uaddr = pointer_arg(1) + nmask_uaddr = pointer_arg(2) + maxnode = ulong_arg(3) + addr = ulong_arg(4) + flags = ulong_arg(5) + argstr = sprintf("%p, %p, %d, %p, 0x%x", policy_uaddr, + nmask_uaddr, maxnode, addr, flags) +} +probe nd_syscall.get_mempolicy.return = kprobe.function("sys_get_mempolicy").return ?, + kprobe.function("compat_sys_get_mempolicy").return ? { name = "get_mempolicy" retstr = returnstr(1) @@ -1537,72 +1776,95 @@ probe nd_syscall.get_mempolicy.return = # getpeername ________________________________________________ # long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len) # -probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? { +probe nd_syscall.getpeername = kprobe.function("sys_getpeername") ? +{ name = "getpeername" - s = $fd - name_uaddr = $usockaddr - namelen_uaddr = $usockaddr_len - argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len) + // s = $fd + // name_uaddr = $usockaddr + // namelen_uaddr = $usockaddr_len + // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len) + asmlinkage() + s = int_arg(1) + name_uaddr = pointer_arg(2) + namelen_uaddr = pointer_arg(3) + argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr) } -probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? { +probe nd_syscall.getpeername.return = kprobe.function("sys_getpeername").return ? +{ name = "getpeername" retstr = returnstr(1) } # getpgid ____________________________________________________ # long sys_getpgid(pid_t pid) -probe nd_syscall.getpgid = kernel.function("sys_getpgid") { +probe nd_syscall.getpgid = kprobe.function("sys_getpgid") +{ name = "getpgid" - pid = $pid - argstr = sprintf("%d", $pid) + // pid = $pid + // argstr = sprintf("%d", $pid) + asmlinkage() + pid = int_arg(1) + argstr = sprintf("%d", pid) } -probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return { +probe nd_syscall.getpgid.return = kprobe.function("sys_getpgid").return +{ name = "getpgid" retstr = returnstr(1) } # getpgrp ____________________________________________________ # long sys_getpgrp(void) -probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? { +probe nd_syscall.getpgrp = kprobe.function("sys_getpgrp") ? +{ name = "getpgrp" argstr = "" } -probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? { +probe nd_syscall.getpgrp.return = kprobe.function("sys_getpgrp").return ? +{ name = "getpgrp" retstr = returnstr(1) } # getpid _____________________________________________________ # long sys_getpid(void) -probe nd_syscall.getpid = kernel.function("sys_getpid") { +probe nd_syscall.getpid = kprobe.function("sys_getpid") +{ name = "getpid" argstr = "" } -probe nd_syscall.getpid.return = kernel.function("sys_getpid").return { +probe nd_syscall.getpid.return = kprobe.function("sys_getpid").return +{ name = "getpid" retstr = returnstr(1) } # getppid ____________________________________________________ # long sys_getppid(void) -probe nd_syscall.getppid = kernel.function("sys_getppid") { +probe nd_syscall.getppid = kprobe.function("sys_getppid") +{ name = "getppid" argstr = "" } -probe nd_syscall.getppid.return = kernel.function("sys_getppid").return { +probe nd_syscall.getppid.return = kprobe.function("sys_getppid").return +{ name = "getppid" retstr = returnstr(1) } # getpriority ________________________________________________ # long sys_getpriority(int which, int who) -probe nd_syscall.getpriority = kernel.function("sys_getpriority") { +probe nd_syscall.getpriority = kprobe.function("sys_getpriority") +{ name = "getpriority" - which = $which - who = $who + // which = $which + // who = $who + asmlinkage() + which = int_arg(1) + who = int_arg(2) argstr = sprintf("%s, %d", _priority_which_str(which), who) } -probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return { +probe nd_syscall.getpriority.return = kprobe.function("sys_getpriority").return +{ name = "getpriority" retstr = returnstr(1) } @@ -1614,19 +1876,22 @@ probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return # long sys_getresgid16(old_uid_t __user *rgid, # old_uid_t __user *egid, # old_uid_t __user *sgid) -probe nd_syscall.getresgid = - kernel.function("sys_getresgid16") ?, - kernel.function("sys_getresgid") +probe nd_syscall.getresgid = kprobe.function("sys_getresgid16") ?, + kprobe.function("sys_getresgid") { name = "getresgid" - rgid_uaddr = $rgid - egid_uaddr = $egid - sgid_uaddr = $sgid - argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid) + // rgid_uaddr = $rgid + // egid_uaddr = $egid + // sgid_uaddr = $sgid + // argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid) + asmlinkage() + rgid_uaddr = pointer_arg(1) + egid_uaddr = pointer_arg(2) + sgid_uaddr = pointer_arg(3) + argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr) } -probe nd_syscall.getresgid.return = - kernel.function("sys_getresgid16").return ?, - kernel.function("sys_getresgid").return +probe nd_syscall.getresgid.return = kprobe.function("sys_getresgid16").return ?, + kprobe.function("sys_getresgid").return { name = "getresgid" retstr = returnstr(1) @@ -1636,19 +1901,22 @@ probe nd_syscall.getresgid.return = # long sys_getresuid(uid_t __user *ruid, # uid_t __user *euid, # uid_t __user *suid) -probe nd_syscall.getresuid = - kernel.function("sys_getresuid16") ?, - kernel.function("sys_getresuid") +probe nd_syscall.getresuid = kprobe.function("sys_getresuid16") ?, + kprobe.function("sys_getresuid") { name = "getresuid" - ruid_uaddr = $ruid - euid_uaddr = $euid - suid_uaddr = $suid - argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid) + // ruid_uaddr = $ruid + // euid_uaddr = $euid + // suid_uaddr = $suid + // argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid) + asmlinkage() + ruid_uaddr = pointer_arg(1) + euid_uaddr = pointer_arg(2) + suid_uaddr = pointer_arg(3) + argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr) } -probe nd_syscall.getresuid.return = - kernel.function("sys_getresuid16").return ?, - kernel.function("sys_getresuid").return +probe nd_syscall.getresuid.return = kprobe.function("sys_getresuid16").return ?, + kprobe.function("sys_getresuid").return { name = "getresuid" retstr = returnstr(1) @@ -1658,18 +1926,22 @@ probe nd_syscall.getresuid.return = # long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim) # long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim) # long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim) -probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"), - kernel.function("sys_old_getrlimit") ?, - kernel.function("compat_sys_getrlimit") ? +probe nd_syscall.getrlimit = kprobe.function("sys_getrlimit"), + kprobe.function("sys_old_getrlimit") ?, + kprobe.function("compat_sys_getrlimit") ? { name = "getrlimit" - resource = $resource - rlim_uaddr = $rlim - argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim) + // resource = $resource + // rlim_uaddr = $rlim + // argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim) + asmlinkage() + resource = uint_arg(1) + rlim_uaddr = pointer_arg(2) + argstr = sprintf("%s, %p", _rlimit_resource_str(resource), rlim_uaddr) } -probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return, - kernel.function("sys_old_getrlimit").return ?, - kernel.function("compat_sys_getrlimit").return ? +probe nd_syscall.getrlimit.return = kprobe.function("sys_getrlimit").return, + kprobe.function("sys_old_getrlimit").return ?, + kprobe.function("compat_sys_getrlimit").return ? { name = "getrlimit" retstr = returnstr(1) @@ -1677,7 +1949,8 @@ probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return, # getrusage __________________________________________________ # long sys_getrusage(int who, struct rusage __user *ru) -probe nd_syscall.getrusage = kernel.function("sys_getrusage") { +probe nd_syscall.getrusage = kprobe.function("sys_getrusage") +{ name = "getrusage" // who = $who // if($who==-2) @@ -1704,19 +1977,24 @@ probe nd_syscall.getrusage = kernel.function("sys_getrusage") { usage_uaddr = pointer_arg(2) argstr = sprintf("%s, %p", who_str, usage_uaddr) } -probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return { +probe nd_syscall.getrusage.return = kprobe.function("sys_getrusage").return +{ name = "getrusage" retstr = returnstr(1) } # getsid _____________________________________________________ # long sys_getsid(pid_t pid) -probe nd_syscall.getsid = kernel.function("sys_getsid") { +probe nd_syscall.getsid = kprobe.function("sys_getsid") +{ name = "getsid" - pid = $pid + // pid = $pid + asmlinkage() + pid = int_arg(1) argstr = sprint(pid) } -probe nd_syscall.getsid.return = kernel.function("sys_getsid").return { +probe nd_syscall.getsid.return = kprobe.function("sys_getsid").return +{ name = "getsid" retstr = returnstr(1) } @@ -1725,14 +2003,21 @@ probe nd_syscall.getsid.return = kernel.function("sys_getsid").return { # long sys_getsockname(int fd, # struct sockaddr __user *usockaddr, # int __user *usockaddr_len) -probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? { +probe nd_syscall.getsockname = kprobe.function("sys_getsockname") ? +{ name = "getsockname" - s = $fd - name_uaddr = $usockaddr - namelen_uaddr = $usockaddr_len - argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len) + // s = $fd + // name_uaddr = $usockaddr + // namelen_uaddr = $usockaddr_len + // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len) + asmlinkage() + s = int_arg(1) + name_uaddr = pointer_arg(2) + namelen_uaddr = pointer_arg(3) + argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr) } -probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? { +probe nd_syscall.getsockname.return = kprobe.function("sys_getsockname").return ? +{ name = "getsockname" retstr = returnstr(1) } @@ -1744,24 +2029,32 @@ probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return # char __user *optval, # int __user *optlen) # -probe nd_syscall.getsockopt = - kernel.function("sys_getsockopt") ?, - kernel.function("compat_sys_getsockopt") ? +probe nd_syscall.getsockopt = kprobe.function("sys_getsockopt") ?, + kprobe.function("compat_sys_getsockopt") ? { name = "getsockopt" - fd = $fd - level = $level - level_str = _sockopt_level_str($level) - optname = $optname - optname_str = _sockopt_optname_str($optname) - optval_uaddr = $optval - optlen_uaddr = $optlen - argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level), - _sockopt_optname_str($optname), $optval, $optlen) -} -probe nd_syscall.getsockopt.return = - kernel.function("sys_getsockopt").return ?, - kernel.function("compat_sys_getsockopt").return ? + // fd = $fd + // level = $level + // level_str = _sockopt_level_str($level) + // optname = $optname + // optname_str = _sockopt_optname_str($optname) + // optval_uaddr = $optval + // optlen_uaddr = $optlen + // argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level), + // _sockopt_optname_str($optname), $optval, $optlen) + asmlinkage() + fd = int_arg(1) + level = int_arg(2) + level_str = _sockopt_level_str(level) + optname = int_arg(3) + optname_str = _sockopt_optname_str(optname) + optval_uaddr = pointer_arg(4) + optlen_uaddr = pointer_arg(5) + argstr = sprintf("%d, %s, %s, %p, %p", fd, _sockopt_level_str(level), + _sockopt_optname_str(optname), optval_uaddr, optlen_uaddr) +} +probe nd_syscall.getsockopt.return = kprobe.function("sys_getsockopt").return ?, + kprobe.function("compat_sys_getsockopt").return ? { name = "getsockopt" retstr = returnstr(1) @@ -1769,11 +2062,13 @@ probe nd_syscall.getsockopt.return = # gettid _____________________________________________________ # long sys_gettid(void) -probe nd_syscall.gettid = kernel.function("sys_gettid") { +probe nd_syscall.gettid = kprobe.function("sys_gettid") +{ name = "gettid" argstr = "" } -probe nd_syscall.gettid.return = kernel.function("sys_gettid").return { +probe nd_syscall.gettid.return = kprobe.function("sys_gettid").return +{ name = "gettid" retstr = returnstr(1) } @@ -1785,21 +2080,23 @@ probe nd_syscall.gettid.return = kernel.function("sys_gettid").return { # struct timezone __user *tz) # long compat_sys_gettimeofday(struct compat_timeval __user *tv, # struct timezone __user *tz) -probe nd_syscall.gettimeofday = - kernel.function("sys_gettimeofday"), - kernel.function("sys32_gettimeofday") ?, - kernel.function("compat_sys_gettimeofday") ? +probe nd_syscall.gettimeofday = kprobe.function("sys_gettimeofday"), + kprobe.function("sys32_gettimeofday") ?, + kprobe.function("compat_sys_gettimeofday") ? { name = "gettimeofday" - tv_uaddr = $tv - tz_uaddr = $tz - argstr = sprintf("%p, %p", $tv, $tz) + // tv_uaddr = $tv + // tz_uaddr = $tz + // argstr = sprintf("%p, %p", $tv, $tz) + asmlinkage() + tv_uaddr = pointer_arg(1) + tz_uaddr = pointer_arg(2) + argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr) } -probe nd_syscall.gettimeofday.return = - kernel.function("sys_gettimeofday").return, - kernel.function("sys32_gettimeofday").return ?, - kernel.function("compat_sys_gettimeofday").return ? +probe nd_syscall.gettimeofday.return = kprobe.function("sys_gettimeofday").return, + kprobe.function("sys32_gettimeofday").return ?, + kprobe.function("compat_sys_gettimeofday").return ? { name = "gettimeofday" retstr = returnstr(1) @@ -1810,18 +2107,16 @@ probe nd_syscall.gettimeofday.return = # long sys_getuid16(void) # long sys32_getuid16(void) # -probe nd_syscall.getuid = - kernel.function("sys_getuid16") ?, - kernel.function("sys32_getuid16") ?, - kernel.function("sys_getuid") +probe nd_syscall.getuid = kprobe.function("sys_getuid16") ?, + kprobe.function("sys32_getuid16") ?, + kprobe.function("sys_getuid") { name = "getuid" argstr = "" } -probe nd_syscall.getuid.return = - kernel.function("sys_getuid16").return ?, - kernel.function("sys32_getuid16").return ?, - kernel.function("sys_getuid").return +probe nd_syscall.getuid.return = kprobe.function("sys_getuid16").return ?, + kprobe.function("sys32_getuid16").return ?, + kprobe.function("sys_getuid").return { name = "getuid" retstr = returnstr(1) @@ -1830,19 +2125,38 @@ probe nd_syscall.getuid.return = # getxattr ___________________________________________________ # ssize_t sys_getxattr(char __user *path, char __user *name, # void __user *value, size_t size) -probe nd_syscall.getxattr = kernel.function("sys_getxattr") { +probe nd_syscall.getxattr = kprobe.function("sys_getxattr") +{ name = "getxattr" - path = user_string($path) + // %( kernel_v >= "2.6.27" %? + // path = user_string($pathname) + // %: + // path = user_string($path) + // %) + // name2 = user_string($name) + // value_uaddr = $value + // size = $size + // argstr = sprintf("%s, %s, %p, %d", + // %( kernel_v >= "2.6.27" %? + // user_string_quoted($pathname), + // %: + // user_string_quoted($path), + // %) + // user_string_quoted($name), + // value_uaddr, size) + asmlinkage() + path = pointer_arg(1) # FIXME - name2 = user_string($name) - value_uaddr = $value - size = $size + name2 = user_string(pointer_arg(2)) + value_uaddr = pointer_arg(3) + size = ulong_arg(4) argstr = sprintf("%s, %s, %p, %d", - user_string_quoted($path), - user_string_quoted($name), + user_string_quoted(path), + user_string_quoted(pointer_arg(2)), value_uaddr, size) } -probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return { +probe nd_syscall.getxattr.return = kprobe.function("sys_getxattr").return +{ name = "getxattr" retstr = returnstr(1) } @@ -1852,14 +2166,21 @@ probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return { # unsigned long len, # const char __user *uargs) # -probe nd_syscall.init_module = kernel.function("sys_init_module") ? { +probe nd_syscall.init_module = kprobe.function("sys_init_module") ? +{ name = "init_module" - umod_uaddr = $umod - len = $len - uargs = user_string($uargs) - argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs)) + // umod_uaddr = $umod + // len = $len + // uargs = user_string($uargs) + // argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs)) + asmlinkage() + umod_uaddr = pointer_arg(1) + len = ulong_arg(2) + uargs = user_string(pointer_arg(3)) + argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(4))) } -probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? { +probe nd_syscall.init_module.return = kprobe.function("sys_init_module").return ? +{ name = "init_module" retstr = returnstr(1) } @@ -1868,15 +2189,29 @@ probe nd_syscall.init_module.return = kernel.function("sys_init_module").return # # long sys_inotify_add_watch(int fd, const char __user *path, u32 mask) # -probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? { +probe nd_syscall.inotify_add_watch = kprobe.function("sys_inotify_add_watch") ? +{ name = "inotify_add_watch" - fd = $fd - path_uaddr = $path - path = user_string($path) - mask = $mask - argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask) + // fd = $fd + // mask = $mask + // %( kernel_v >= "2.6.27" %? + // path_uaddr = $pathname + // path = user_string($pathname) + // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($pathname), $mask) + // %: + // path_uaddr = $path + // path = user_string($path) + // argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask) + // %) + asmlinkage() + fd = int_arg(1) + path_uaddr = pointer_arg(2) + path = user_string(path_uaddr) + mask = uint_arg(3) + argstr = sprintf("%d, %s, %d", fd, user_string_quoted(path_uaddr), mask) } -probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? { +probe nd_syscall.inotify_add_watch.return = kprobe.function("sys_inotify_add_watch").return ? +{ name = "inotify_add_watch" retstr = returnstr(1) } @@ -1885,11 +2220,13 @@ probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_wat # # long sys_inotify_init(void) # -probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? { +probe nd_syscall.inotify_init = kprobe.function("sys_inotify_init") ? +{ name = "inotify_init" argstr = "" } -probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? { +probe nd_syscall.inotify_init.return = kprobe.function("sys_inotify_init").return ? +{ name = "inotify_init" retstr = returnstr(1) } @@ -1898,13 +2235,19 @@ probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").retur # # long sys_inotify_rm_watch(int fd, u32 wd) # -probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? { +probe nd_syscall.inotify_rm_watch = kprobe.function("sys_inotify_rm_watch") ? +{ name = "inotify_rm_watch" - fd = $fd - wd = $wd - argstr = sprintf("%d, %d", $fd, $wd) + // fd = $fd + // wd = $wd + // argstr = sprintf("%d, %d", $fd, $wd) + asmlinkage() + fd = int_arg(1) + wd = uint_arg(2) + argstr = sprintf("%d, %d", fd, wd) } -probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? { +probe nd_syscall.inotify_rm_watch.return = kprobe.function("sys_inotify_rm_watch").return ? +{ name = "inotify_rm_watch" retstr = returnstr(1) } @@ -1913,14 +2256,20 @@ probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch # long sys_io_cancel(aio_context_t ctx_id, # struct iocb __user *iocb, # struct io_event __user *result) -probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") { +probe nd_syscall.io_cancel = kprobe.function("sys_io_cancel") +{ name = "io_cancel" - ctx_id = $ctx_id - iocb_uaddr = $iocb - result_uaddr = $result + // ctx_id = $ctx_id + // iocb_uaddr = $iocb + // result_uaddr = $result + asmlinkage() + ctx_id = ulong_arg(1) + iocb_uaddr = pointer_arg(2) + result_uaddr = pointer_arg(3) argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr) } -probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return { +probe nd_syscall.io_cancel.return = kprobe.function("sys_io_cancel").return +{ name = "io_cancel" retstr = returnstr(1) } @@ -1929,19 +2278,22 @@ probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return { # long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg) # long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg) # -probe nd_syscall.ioctl = - kernel.function("sys_ioctl") ?, - kernel.function("compat_sys_ioctl") ? +probe nd_syscall.ioctl = kprobe.function("sys_ioctl") ?, + kprobe.function("compat_sys_ioctl") ? { name = "ioctl" - fd = $fd - request = $cmd - argp = $arg - argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg) + // fd = $fd + // request = $cmd + // argp = $arg + // argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg) + asmlinkage() + fd = int_arg(1) + request = int_arg(2) + argp = ulong_arg(3) + argstr = sprintf("%d, %d, %p", fd, request, argp) } -probe nd_syscall.ioctl.return = - kernel.function("sys_ioctl").return ?, - kernel.function("compat_sys_ioctl").return ? +probe nd_syscall.ioctl.return = kprobe.function("sys_ioctl").return ?, + kprobe.function("compat_sys_ioctl").return ? { name = "ioctl" retstr = returnstr(1) @@ -1949,12 +2301,16 @@ probe nd_syscall.ioctl.return = # io_destroy _________________________________________________ # long sys_io_destroy(aio_context_t ctx) -probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") { +probe nd_syscall.io_destroy = kprobe.function("sys_io_destroy") +{ name = "io_destroy" - ctx = $ctx + // ctx = $ctx + asmlinkage() + ctx = ulong_arg(1) argstr = sprintf("%d", ctx) } -probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return { +probe nd_syscall.io_destroy.return = kprobe.function("sys_io_destroy").return +{ name = "io_destroy" retstr = returnstr(1) } @@ -1971,23 +2327,30 @@ probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return { # struct io_event __user *events, # struct compat_timespec __user *timeout) # -probe nd_syscall.io_getevents = - kernel.function("sys_io_getevents") ?, - kernel.function("compat_sys_io_getevents") ? +probe nd_syscall.io_getevents = kprobe.function("sys_io_getevents") ?, + kprobe.function("compat_sys_io_getevents") ? { name = "io_getevents" - ctx_id = $ctx_id - min_nr = $min_nr - nr = $nr - events_uaddr = $events - timeout_uaddr = $timeout - timestr = _struct_timespec_u($timeout,1) - argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr, - $nr, $events, $timeout, timestr) -} -probe nd_syscall.io_getevents.return = - kernel.function("sys_io_getevents").return ?, - kernel.function("compat_sys_io_getevents").return ? + // ctx_id = $ctx_id + // min_nr = $min_nr + // nr = $nr + // events_uaddr = $events + // timeout_uaddr = $timeout + // timestr = _struct_timespec_u($timeout, 1) + // argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr, + // $nr, $events, $timeout, timestr) + asmlinkage() + ctx_id = ulong_arg(1) + min_nr = long_arg(2) + nr = long_arg(3) + events_uaddr = pointer_arg(4) + timeout_uaddr = pointer_arg(5) + timestr = _struct_timespec_u(timeout_uaddr, 1) + argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr, + nr, events_uaddr, timeout_uaddr, timestr) +} +probe nd_syscall.io_getevents.return = kprobe.function("sys_io_getevents").return ?, + kprobe.function("compat_sys_io_getevents").return ? { name = "io_getevents" retstr = returnstr(1) @@ -1996,14 +2359,21 @@ probe nd_syscall.io_getevents.return = # ioperm _____________________________________________________ # long sys_ioperm(unsigned long from, unsigned long num, int turn_on) # -probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? { +probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ? +{ name = "ioperm" - from = $from - num = $num - turn_on = $turn_on - argstr = sprintf("%d, %d, %d", $from, $num, $turn_on) + // from = $from + // num = $num + // turn_on = $turn_on + // argstr = sprintf("%d, %d, %d", $from, $num, $turn_on) + asmlinkage() + from = ulong_arg(1) + num = ulong_arg(2) + turn_on = int_arg(3) + argstr = sprintf("%d, %d, %d", from, num, turn_on) } -probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? { +probe nd_syscall.ioperm.return = kprobe.function("sys_ioperm").return ? +{ name = "ioperm" retstr = returnstr(1) } @@ -2011,27 +2381,39 @@ probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? { # io_setup ___________________________________________________ # long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp) # -probe nd_syscall.io_setup = kernel.function("sys_io_setup") { +probe nd_syscall.io_setup = kprobe.function("sys_io_setup") +{ name = "io_setup" - maxevents = $nr_events - ctxp_uaddr = $ctxp - argstr = sprintf("%d, %p", $nr_events, $ctxp) + // maxevents = $nr_events + // ctxp_uaddr = $ctxp + // argstr = sprintf("%d, %p", $nr_events, $ctxp) + asmlinkage() + maxevents = uint_arg(1) + ctxp_uaddr = pointer_arg(2) + argstr = sprintf("%d, %p", maxevents, ctxp_uaddr) } -probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return { +probe nd_syscall.io_setup.return = kprobe.function("sys_io_setup").return +{ name = "io_setup" retstr = returnstr(1) } # long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p) # -probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? { +probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ? +{ name = "io_setup" - maxevents = $nr_reqs - ctxp_uaddr = $ctx32p - argstr = sprintf("%d, %p", $nr_reqs, $ctx32p) + // maxevents = $nr_reqs + // ctxp_uaddr = $ctx32p + // argstr = sprintf("%d, %p", $nr_reqs, $ctx32p) + asmlinkage() + maxevents = uint_arg(1) + ctxp_uaddr = pointer_arg(2) + argstr = sprintf("%d, %p", maxevents, ctxp_uaddr) } -probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? { +probe nd_syscall.compat_io_setup.return = kprobe.function("compat_sys_io_setup").return ? +{ name = "io_setup" retstr = returnstr(1) } @@ -2039,27 +2421,41 @@ probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup") # io_submit __________________________________________________ # long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp) # -probe nd_syscall.io_submit = kernel.function("sys_io_submit") { +probe nd_syscall.io_submit = kprobe.function("sys_io_submit") +{ name = "io_submit" - ctx_id = $ctx_id - nr = $nr - iocbpp_uaddr = $iocbpp - argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp) + // ctx_id = $ctx_id + // nr = $nr + // iocbpp_uaddr = $iocbpp + // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp) + asmlinkage() + ctx_id = ulong_arg(1) + nr = long_arg(2) + iocbpp_uaddr = pointer_arg(3) + argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr) } -probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return { +probe nd_syscall.io_submit.return = kprobe.function("sys_io_submit").return +{ name = "io_submit" retstr = returnstr(1) } # long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb) # -probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? { +probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ? +{ name = "io_submit" - ctx_id = $ctx_id - nr = $nr - iocbpp_uaddr = $iocb - argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb) + // ctx_id = $ctx_id + // nr = $nr + // iocbpp_uaddr = $iocb + // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb) + asmlinkage() + ctx_id = ulong_arg(1) + nr = int_arg(2) + iocbpp_uaddr = pointer_arg(3) + argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr) } -probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? { +probe nd_syscall.compat_io_submit.return = kprobe.function("compat_sys_io_submit").return ? +{ name = "io_submit" retstr = returnstr(1) } @@ -2067,13 +2463,19 @@ probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit # ioprio_get _________________________________________________ # long sys_ioprio_get(int which, int who) # -probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? { +probe nd_syscall.ioprio_get = kprobe.function("sys_ioprio_get") ? +{ name = "ioprio_get" - which = $which - who = $who - argstr = sprintf("%d, %d", $which, $who) + // which = $which + // who = $who + // argstr = sprintf("%d, %d", $which, $who) + asmlinkage() + which = int_arg(1) + who = int_arg(2) + argstr = sprintf("%d, %d", which, who) } -probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? { +probe nd_syscall.ioprio_get.return = kprobe.function("sys_ioprio_get").return ? +{ name = "ioprio_get" retstr = returnstr(1) } @@ -2081,14 +2483,21 @@ probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? # ioprio_set _________________________________________________ # long sys_ioprio_set(int which, int who, int ioprio) # -probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? { +probe nd_syscall.ioprio_set = kprobe.function("sys_ioprio_set") ? +{ name = "ioprio_set" - which = $which - who = $who - ioprio = $ioprio - argstr = sprintf("%d, %d, %d", $which, $who, $ioprio) + // which = $which + // who = $who + // ioprio = $ioprio + // argstr = sprintf("%d, %d, %d", $which, $who, $ioprio) + asmlinkage() + which = int_arg(1) + who = int_arg(2) + ioprio = int_arg(3) + argstr = sprintf("%d, %d, %d", which, who, ioprio) } -probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? { +probe nd_syscall.ioprio_set.return = kprobe.function("sys_ioprio_set").return ? +{ name = "ioprio_set" retstr = returnstr(1) } @@ -2103,20 +2512,24 @@ probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? # struct compat_kexec_segment __user *segments, # unsigned long flags) # -probe nd_syscall.kexec_load = - kernel.function("sys_kexec_load") ?, - kernel.function("compat_sys_kexec_load") ? +probe nd_syscall.kexec_load = kprobe.function("sys_kexec_load") ?, + kprobe.function("compat_sys_kexec_load") ? { name = "kexec_load" - entry = $entry - nr_segments = $nr_segments - segments_uaddr = $segments - flags = $flags - argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags) + // entry = $entry + // nr_segments = $nr_segments + // segments_uaddr = $segments + // flags = $flags + // argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags) + asmlinkage() + entry = ulong_arg(1) + nr_segments = ulong_arg(2) + segments_uaddr = pointer_arg(3) + flags = ulong_arg(4) + argstr = sprintf("%p, %d, %p, %d", entry, nr_segments, segments_uaddr, flags) } -probe nd_syscall.kexec_load.return = - kernel.function("sys_kexec_load").return ?, - kernel.function("compat_sys_kexec_load").return ? +probe nd_syscall.kexec_load.return = kprobe.function("sys_kexec_load").return ?, + kprobe.function("compat_sys_kexec_load").return ? { name = "kexec_load" retstr = returnstr(1) @@ -2130,17 +2543,17 @@ probe nd_syscall.kexec_load.return = # unsigned long arg5) # long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5) # -probe nd_syscall.keyctl = - kernel.function("sys_keyctl") ?, - kernel.function("compat_sys_keyctl") ? +probe nd_syscall.keyctl = kprobe.function("sys_keyctl") ?, + kprobe.function("compat_sys_keyctl") ? { name = "keyctl" - argstr = sprintf("%d, ...", $option) + // argstr = sprintf("%d, ...", $option) + asmlinkage() + argstr = sprintf("%d, ...", uint_arg(1)) } -probe nd_syscall.keyctl.return = - kernel.function("sys_keyctl").return ?, - kernel.function("compat_sys_keyctl").return ? +probe nd_syscall.keyctl.return = kprobe.function("sys_keyctl").return ?, + kprobe.function("compat_sys_keyctl").return ? { name = "keyctl" retstr = returnstr(1) @@ -2148,13 +2561,19 @@ probe nd_syscall.keyctl.return = # kill _______________________________________________________ # long sys_kill(int pid, int sig) -probe nd_syscall.kill = kernel.function("sys_kill") { +probe nd_syscall.kill = kprobe.function("sys_kill") +{ name = "kill" - pid = $pid - sig = $sig - argstr = sprintf("%d, %s", $pid, _signal_name($sig)) + // pid = $pid + // sig = $sig + // argstr = sprintf("%d, %s", $pid, _signal_name($sig)) + asmlinkage() + pid = int_arg(1) + sig = int_arg(2) + argstr = sprintf("%d, %s", pid, _signal_name(sig)) } -probe nd_syscall.kill.return = kernel.function("sys_kill").return { +probe nd_syscall.kill.return = kprobe.function("sys_kill").return +{ name = "kill" retstr = returnstr(1) } @@ -2162,14 +2581,21 @@ probe nd_syscall.kill.return = kernel.function("sys_kill").return { # lchown _____________________________________________________ # long sys_lchown(const char __user * filename, uid_t user, gid_t group) # -probe nd_syscall.lchown = kernel.function("sys_lchown") { +probe nd_syscall.lchown = kprobe.function("sys_lchown") +{ name = "lchown" - path = user_string($filename) - owner = __int32($user) - group = __int32($group) - argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group) + // path = user_string($filename) + // owner = __int32($user) + // group = __int32($group) + // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) + asmlinkage() + path = user_string(pointer_arg(1)) + owner = __int32(uint_arg(2)) + group = __int32(uint_arg(3)) + argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group) } -probe nd_syscall.lchown.return = kernel.function("sys_lchown").return { +probe nd_syscall.lchown.return = kprobe.function("sys_lchown").return +{ name = "lchown" retstr = returnstr(1) } @@ -2178,14 +2604,21 @@ probe nd_syscall.lchown.return = kernel.function("sys_lchown").return { # long sys_lchown16(const char __user * filename, old_uid_t user, # old_gid_t group) # -probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? { +probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ? +{ name = "lchown16" - path = user_string($filename) - owner = __short($user) - group = __short($group) - argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) + // path = user_string($filename) + // owner = __short($user) + // group = __short($group) + // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) + asmlinkage() + path = user_string(pointer_arg(1)) + owner = __short(uint_arg(2)) + group = __short(uint_arg(3)) + argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group) } -probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? { +probe nd_syscall.lchown16.return = kprobe.function("sys_lchown16").return ? +{ name = "lchown16" retstr = returnstr(1) } @@ -2195,47 +2628,81 @@ probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? { # void __user *value, # size_t size) # -probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") { +probe nd_syscall.lgetxattr = kprobe.function("sys_lgetxattr") +{ name = "lgetxattr" - path = user_string($path) + // %( kernel_v >= "2.6.27" %? + // path = user_string($pathname) + // %: + // path = user_string($path) + // %) + // # FIXME + // name2 = user_string($name) + // value_uaddr = $value + // size = $size + // argstr = sprintf("%s, %s, %p, %d", + // %( kernel_v >= "2.6.27" %? + // user_string_quoted($pathname), + // %: + // user_string_quoted($path), + // %) + // user_string_quoted($name), + // value_uaddr, size) + asmlinkage() + path = user_string(pointer_arg(1)) # FIXME - name2 = user_string($name) - value_uaddr = $value - size = $size + name2 = user_string(pointer_arg(2)) + value_uaddr = pointer_arg(3) + size = ulong_arg(4) argstr = sprintf("%s, %s, %p, %d", - user_string_quoted($path), - user_string_quoted($name), + user_string_quoted(pointer_arg(1)), + user_string_quoted(pointer_arg(2)), value_uaddr, size) } -probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return { +probe nd_syscall.lgetxattr.return = kprobe.function("sys_lgetxattr").return +{ name = "lgetxattr" retstr = returnstr(1) } # link _______________________________________________________ # long sys_link(const char __user * oldname, # const char __user * newname) -probe nd_syscall.link = kernel.function("sys_link") { +probe nd_syscall.link = kprobe.function("sys_link") +{ name = "link" - oldpath = user_string($oldname) - newpath = user_string($newname) + // oldpath = user_string($oldname) + // newpath = user_string($newname) + // argstr = sprintf("%s, %s", + // user_string_quoted($oldname), + // user_string_quoted($newname)) + asmlinkage() + oldpath = user_string(pointer_arg(1)) + newpath = user_string(pointer_arg(2)) argstr = sprintf("%s, %s", - user_string_quoted($oldname), - user_string_quoted($newname)) + user_string_quoted(pointer_arg(1)), + user_string_quoted(pointer_arg(2))) } -probe nd_syscall.link.return = kernel.function("sys_link").return { +probe nd_syscall.link.return = kprobe.function("sys_link").return +{ name = "link" retstr = returnstr(1) } # listen _____________________________________________________ # long sys_listen(int fd, int backlog) -probe nd_syscall.listen = kernel.function("sys_listen") ? { +probe nd_syscall.listen = kprobe.function("sys_listen") ? +{ name = "listen" - sockfd = $fd - backlog = $backlog - argstr = sprintf("%d, %d", $fd, $backlog) + // sockfd = $fd + // backlog = $backlog + // argstr = sprintf("%d, %d", $fd, $backlog) + asmlinkage() + sockfd = int_arg(1) + backlog = int_arg(2) + argstr = sprintf("%d, %d", sockfd, backlog) } -probe nd_syscall.listen.return = kernel.function("sys_listen").return ? { +probe nd_syscall.listen.return = kprobe.function("sys_listen").return ? +{ name = "listen" retstr = returnstr(1) } @@ -2243,15 +2710,29 @@ probe nd_syscall.listen.return = kernel.function("sys_listen").return ? { # listxattr __________________________________________________ # ssize_t sys_listxattr(char __user *path, char __user *list, size_t size) # -probe nd_syscall.listxattr = kernel.function("sys_listxattr") { +probe nd_syscall.listxattr = kprobe.function("sys_listxattr") +{ name = "listxattr" - path_uaddr = $path - path = user_string($path) - list_uaddr = $list - size = $size - argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size) + // list_uaddr = $list + // size = $size + // %( kernel_v >= "2.6.27" %? + // path_uaddr = $pathname + // path = user_string($pathname) + // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size) + // %: + // path_uaddr = $path + // path = user_string($path) + // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size) + // %) + asmlinkage() + path_uaddr = pointer_arg(1) + path = user_string(path_uaddr) + list_uaddr = pointer_arg(2) + size = ulong_arg(3) + argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size) } -probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return { +probe nd_syscall.listxattr.return = kprobe.function("sys_listxattr").return +{ name = "listxattr" retstr = returnstr(1) } @@ -2259,15 +2740,29 @@ probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return { # llistxattr _________________________________________________ # ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size) # -probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") { +probe nd_syscall.llistxattr = kprobe.function("sys_llistxattr") +{ name = "llistxattr" - path_uaddr = $path - path = user_string($path) - list_uaddr = $list - size = $size - argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size) + // list_uaddr = $list + // size = $size + // %( kernel_v >= "2.6.27" %? + // path_uaddr = $pathname + // path = user_string($pathname) + // argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size) + // %: + // path_uaddr = $path + // path = user_string($path) + // argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size) + // %) + asmlinkage() + path_uaddr = pointer_arg(1) + path = user_string(path_uaddr) + list_uaddr = pointer_arg(2) + size = ulong_arg(3) + argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size) } -probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return { +probe nd_syscall.llistxattr.return = kprobe.function("sys_llistxattr").return +{ name = "llistxattr" retstr = returnstr(1) } @@ -2278,18 +2773,29 @@ probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return { # unsigned long offset_low, # loff_t __user * result, # unsigned int origin) -probe nd_syscall.llseek = kernel.function("sys_llseek") ? { +probe nd_syscall.llseek = kprobe.function("sys_llseek") ? +{ name = "llseek" - fd = $fd - offset_high = $offset_high - offset_low = $offset_low - result_uaddr = $result - whence = $origin - whence_str = _seek_whence_str($origin) - argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high, - $offset_low, $result, whence_str) -} -probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? { + // fd = $fd + // offset_high = $offset_high + // offset_low = $offset_low + // result_uaddr = $result + // whence = $origin + // whence_str = _seek_whence_str($origin) + // argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high, + // $offset_low, $result, whence_str) + asmlinkage() + fd = int_arg(1) + offset_high = ulong_arg(2) + offset_low = ulong_arg(3) + result_uaddr = pointer_arg(4) + whence = uint_arg(5) + whence_str = _seek_whence_str(whence) + argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high, + offset_low, result_uaddr, whence_str) +} +probe nd_syscall.llseek.return = kprobe.function("sys_llseek").return ? +{ name = "llseek" retstr = returnstr(1) } @@ -2297,14 +2803,21 @@ probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? { # lookup_dcookie _____________________________________________ # long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len) # -probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? { +probe nd_syscall.lookup_dcookie = kprobe.function("sys_lookup_dcookie") ? +{ name = "lookup_dcookie" - cookie = $cookie64 - buffer_uaddr = $buf - len = $len - argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len) + // cookie = $cookie64 + // buffer_uaddr = $buf + // len = $len + // argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len) + asmlinkage() + cookie = ulonglong_arg(1) + buffer_uaddr = pointer_arg(2) + len = ulong_arg(3) + argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len) } -probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? { +probe nd_syscall.lookup_dcookie.return = kprobe.function("sys_lookup_dcookie").return ? +{ name = "lookup_dcookie" retstr = returnstr(1) } @@ -2312,31 +2825,53 @@ probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").r # lremovexattr _______________________________________________ # long sys_lremovexattr(char __user *path, char __user *name) # -probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") { +probe nd_syscall.lremovexattr = kprobe.function("sys_lremovexattr") +{ name = "lremovexattr" - path_uaddr = $path - path = user_string($path) - name_uaddr = $name - name2 = user_string($name) - argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name)) + // name_uaddr = $name + // name2 = user_string($name) + // %( kernel_v >= "2.6.27" %? + // path_uaddr = $pathname + // path = user_string($pathname) + // argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name)) + // %: + // path_uaddr = $path + // path = user_string($path) + // argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name)) + // %) + asmlinkage() + path_uaddr = pointer_arg(1) + path = user_string(path_uaddr) + name_uaddr = pointer_arg(2) + name2 = user_string(name_uaddr) + argstr = sprintf("%s, %s", user_string_quoted(path_uaddr), user_string_quoted(name_uaddr)) } -probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return { +probe nd_syscall.lremovexattr.return = kprobe.function("sys_lremovexattr").return +{ name = "lremovexattr" retstr = returnstr(1) } # lseek ______________________________________________________ # off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin) -probe nd_syscall.lseek = kernel.function("sys_lseek") { - name = "lseek" - fildes = $fd -# offset = __int32($offset) - offset = $offset - whence = $origin - whence_str = _seek_whence_str($origin) - argstr = sprintf("%d, %d, %s", $fd, offset, whence_str) -} -probe nd_syscall.lseek.return = kernel.function("sys_lseek").return { +probe nd_syscall.lseek = kprobe.function("sys_lseek") +{ + // name = "lseek" + // fildes = $fd + // # offset = __int32($offset) + // offset = $offset + // whence = $origin + // whence_str = _seek_whence_str($origin) + // argstr = sprintf("%d, %d, %s", $fd, offset, whence_str) + asmlinkage() + fildes = int_arg(1) + offset = long_arg(2) + whence = uint_arg(3) + whence_str = _seek_whence_str(whence) + argstr = sprintf("%d, %d, %s", fildes, offset, whence_str) +} +probe nd_syscall.lseek.return = kprobe.function("sys_lseek").return +{ name = "lseek" retstr = returnstr(1) } @@ -2348,21 +2883,44 @@ probe nd_syscall.lseek.return = kernel.function("sys_lseek").return { # size_t size, # int flags) # -probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") { +probe nd_syscall.lsetxattr = kprobe.function("sys_lsetxattr") +{ name = "lsetxattr" - path_uaddr = $path - path = user_string($path) - name_uaddr = $name - name_str = user_string($name) - value_uaddr = $value - size = $size - flags = $flags + // %( kernel_v >= "2.6.27" %? + // path_uaddr = $pathname + // path = user_string($pathname) + // %: + // path_uaddr = $path + // path = user_string($path) + // %) + // name_uaddr = $name + // name_str = user_string($name) + // value_uaddr = $value + // size = $size + // flags = $flags + // argstr = sprintf("%s, %s, %p, %d, %d", + // %( kernel_v >= "2.6.27" %? + // user_string_quoted($pathname), + // %: + // user_string_quoted($path), + // %) + // user_string_quoted($name), + // value_uaddr, $size, $flags) + asmlinkage() + path_uaddr = pointer_arg(1) + path = user_string(path_uaddr) + name_uaddr = pointer_arg(2) + name_str = user_string(name_uaddr) + value_uaddr = pointer_arg(3) + size = ulong_arg(4) + flags = int_arg(5) argstr = sprintf("%s, %s, %p, %d, %d", - user_string_quoted($path), - user_string_quoted($name), - value_uaddr, $size, $flags) + user_string_quoted(path_uaddr), + user_string_quoted(name_uaddr), + value_uaddr, size, flags) } -probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return { +probe nd_syscall.lsetxattr.return = kprobe.function("sys_lsetxattr").return +{ name = "lsetxattr" retstr = returnstr(1) } @@ -2376,26 +2934,28 @@ probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return { # long sys_oabi_lstat64(char __user * filename, # struct oldabi_stat64 __user * statbuf) # -probe nd_syscall.lstat = - kernel.function("sys_lstat") ?, - kernel.function("sys_newlstat") ?, - kernel.function("compat_sys_newlstat") ?, - kernel.function("sys32_lstat64") ?, - kernel.function("sys_lstat64") ?, - kernel.function("sys_oabi_lstat64") ? +probe nd_syscall.lstat = kprobe.function("sys_lstat") ?, + kprobe.function("sys_newlstat") ?, + kprobe.function("compat_sys_newlstat") ?, + kprobe.function("sys32_lstat64") ?, + kprobe.function("sys_lstat64") ?, + kprobe.function("sys_oabi_lstat64") ? { name = "lstat" - path = user_string($filename) - buf_uaddr = $statbuf - argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf) -} -probe nd_syscall.lstat.return = - kernel.function("sys_lstat").return ?, - kernel.function("sys_newlstat").return ?, - kernel.function("compat_sys_newlstat").return ?, - kernel.function("sys32_lstat64").return ?, - kernel.function("sys_lstat64").return ?, - kernel.function("sys_oabi_lstat64").return ? + // path = user_string($filename) + // buf_uaddr = $statbuf + // argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf) + asmlinkage() + path = user_string(pointer_arg(1)) + buf_uaddr = pointer_arg(2) + argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr) +} +probe nd_syscall.lstat.return = kprobe.function("sys_lstat").return ?, + kprobe.function("sys_newlstat").return ?, + kprobe.function("compat_sys_newlstat").return ?, + kprobe.function("sys32_lstat64").return ?, + kprobe.function("sys_lstat64").return ?, + kprobe.function("sys_oabi_lstat64").return ? { name = "lstat" retstr = returnstr(1) @@ -2404,15 +2964,23 @@ probe nd_syscall.lstat.return = # madvise ____________________________________________________ # long sys_madvise(unsigned long start, size_t len_in, int behavior) # -probe nd_syscall.madvise = kernel.function("sys_madvise") ? { +probe nd_syscall.madvise = kprobe.function("sys_madvise") ? +{ name = "madvise" - start = $start - length = $len_in - advice = $behavior - advice_str = _madvice_advice_str($behavior) - argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior)) + // start = $start + // length = $len_in + // advice = $behavior + // advice_str = _madvice_advice_str($behavior) + // argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior)) + asmlinkage() + start = ulong_arg(1) + length = ulong_arg(2) + advice = int_arg(3) + advice_str = _madvice_advice_str(advice) + argstr = sprintf("%p, %d, %s", start, length, _madvice_advice_str(advice)) } -probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? { +probe nd_syscall.madvise.return = kprobe.function("sys_madvise").return ? +{ name = "madvise" retstr = returnstr(1) } @@ -2432,23 +3000,30 @@ probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? { # compat_ulong_t maxnode, # compat_ulong_t flags) # -probe nd_syscall.mbind = - kernel.function("sys_mbind") ?, - kernel.function("compat_sys_mbind") ? +probe nd_syscall.mbind = kprobe.function("sys_mbind") ?, + kprobe.function("compat_sys_mbind") ? { name = "mbind" - start = $start - len = $len - mode = $mode - nmask_uaddr = $nmask - maxnode = $maxnode - flags = $flags - argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode, - $nmask, $maxnode, $flags) -} -probe nd_syscall.mbind.return = - kernel.function("sys_mbind").return ?, - kernel.function("compat_sys_mbind").return ? + // start = $start + // len = $len + // mode = $mode + // nmask_uaddr = $nmask + // maxnode = $maxnode + // flags = $flags + // argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode, + // $nmask, $maxnode, $flags) + asmlinkage() + start = ulong_arg(1) + len = long_arg(2) + mode = ulong_arg(3) + nmask_uaddr = pointer_arg(4) + maxnode = ulong_arg(5) + flags = uint_arg(6) + argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", start, len, mode, + nmask_uaddr, maxnode, flags) +} +probe nd_syscall.mbind.return = kprobe.function("sys_mbind").return ?, + kprobe.function("compat_sys_mbind").return ? { name = "mbind" retstr = returnstr(1) @@ -2458,11 +3033,15 @@ probe nd_syscall.mbind.return = # long sys_migrate_pages(pid_t pid, unsigned long maxnode, # const unsigned long __user *old_nodes, # const unsigned long __user *new_nodes) -probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? { +probe nd_syscall.migrate_pages = kprobe.function("sys_migrate_pages") ? +{ name = "migrate_pages" - argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes) + // argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes) + asmlinkage() + argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4)) } -probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? { +probe nd_syscall.migrate_pages.return = kprobe.function("sys_migrate_pages").return ? +{ name = "migrate_pages" retstr = returnstr(1) } @@ -2470,28 +3049,42 @@ probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").ret # mincore ____________________________________________________ # long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec) # -probe nd_syscall.mincore = kernel.function("sys_mincore") ? { +probe nd_syscall.mincore = kprobe.function("sys_mincore") ? +{ name = "mincore" - start = $start - length = $len - vec_uaddr = $vec - argstr = sprintf("%p, %d, %p", $start, $len, $vec) + // start = $start + // length = $len + // vec_uaddr = $vec + // argstr = sprintf("%p, %d, %p", $start, $len, $vec) + asmlinkage() + start = ulong_arg(1) + length = ulong_arg(2) + vec_uaddr = pointer_arg(3) + argstr = sprintf("%p, %d, %p", start, length, vec_uaddr) } -probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? { +probe nd_syscall.mincore.return = kprobe.function("sys_mincore").return ? +{ name = "mincore" retstr = returnstr(1) } # mkdir ______________________________________________________ # long sys_mkdir(const char __user * pathname, int mode) -probe nd_syscall.mkdir = kernel.function("sys_mkdir") { +probe nd_syscall.mkdir = kprobe.function("sys_mkdir") +{ name = "mkdir" - pathname_uaddr = $pathname - pathname = user_string($pathname) - mode = $mode - argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode) + // pathname_uaddr = $pathname + // pathname = user_string($pathname) + // mode = $mode + // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode) + asmlinkage() + pathname_uaddr = pointer_arg(1) + pathname = user_string(pathname_uaddr) + mode = int_arg(2) + argstr = sprintf("%s, %#o", user_string_quoted(pathname_uaddr), mode) } -probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return { +probe nd_syscall.mkdir.return = kprobe.function("sys_mkdir").return +{ name = "mkdir" retstr = returnstr(1) } @@ -2499,29 +3092,43 @@ probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return { # mkdirat ____________________________________________________ # new function with 2.6.16 # long sys_mkdirat(int dfd, const char __user *pathname, int mode) -probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? { +probe nd_syscall.mkdirat = kprobe.function("sys_mkdirat") ? +{ name = "mkdirat" - dirfd = $dfd - pathname = user_string($pathname) - mode = $mode - argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode) + // dirfd = $dfd + // pathname = user_string($pathname) + // mode = $mode + // argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode) + asmlinkage() + dirfd = int_arg(1) + pathname = user_string(pointer_arg(2)) + mode = int_arg(3) + argstr = sprintf("%d, %s, %#o", dirfd, user_string_quoted(pointer_arg(2)), mode) } -probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? { +probe nd_syscall.mkdirat.return = kprobe.function("sys_mkdirat").return ? +{ name = "mkdirat" retstr = returnstr(1) } # mknod # long sys_mknod(const char __user * filename, int mode, unsigned dev) -probe nd_syscall.mknod = kernel.function("sys_mknod") { +probe nd_syscall.mknod = kprobe.function("sys_mknod") +{ name = "mknod" - pathname = user_string($filename) - mode = $mode - dev = $dev - argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev) + // pathname = user_string($filename) + // mode = $mode + // dev = $dev + // argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev) + asmlinkage() + pathname = user_string(pointer_arg(1)) + mode = int_arg(2) + dev = uint_arg(3) + argstr = sprintf("%s, %s, %p", user_string_quoted(pointer_arg(1)), _mknod_mode_str(mode), dev) } -probe nd_syscall.mknod.return = kernel.function("sys_mknod").return { +probe nd_syscall.mknod.return = kprobe.function("sys_mknod").return +{ name = "mknod" retstr = returnstr(1) } @@ -2530,13 +3137,19 @@ probe nd_syscall.mknod.return = kernel.function("sys_mknod").return { # # long sys_mlock(unsigned long start, size_t len) # -probe nd_syscall.mlock = kernel.function("sys_mlock") ? { +probe nd_syscall.mlock = kprobe.function("sys_mlock") ? +{ name = "mlock" - addr = $start - len = $len - argstr = sprintf("%p, %d", $start, $len) + // addr = $start + // len = $len + // argstr = sprintf("%p, %d", $start, $len) + asmlinkage() + addr = ulong_arg(1) + len = ulong_arg(2) + argstr = sprintf("%p, %d", addr, len) } -probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? { +probe nd_syscall.mlock.return = kprobe.function("sys_mlock").return ? +{ name = "mlock" retstr = returnstr(1) } @@ -2544,12 +3157,17 @@ probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? { # # long sys_mlockall(int flags) # -probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? { +probe nd_syscall.mlockall = kprobe.function("sys_mlockall") ? +{ name = "mlockall" - flags = $flags - argstr = _mlockall_flags_str($flags) + // flags = $flags + // argstr = _mlockall_flags_str($flags) + asmlinkage() + flags = int_arg(1) + argstr = _mlockall_flags_str(flags) } -probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? { +probe nd_syscall.mlockall.return = kprobe.function("sys_mlockall").return ? +{ name = "mlockall" retstr = returnstr(1) } @@ -2557,14 +3175,21 @@ probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? { # modify_ldt _________________________________________________ # int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount) # -probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? { +probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ? +{ name = "modify_ldt" - func = $func - ptr_uaddr = $ptr - bytecount = $bytecount - argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount) + // func = $func + // ptr_uaddr = $ptr + // bytecount = $bytecount + // argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount) + asmlinkage() + func = int_arg(1) + ptr_uaddr = pointer_arg(2) + bytecount = ulong_arg(3) + argstr = sprintf("%d, %p, %d", func, ptr_uaddr, bytecount) } -probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? { +probe nd_syscall.modify_ldt.return = kprobe.function("sys_modify_ldt").return ? +{ name = "modify_ldt" retstr = returnstr(1) } @@ -2582,16 +3207,16 @@ probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? # int __user *status, # int flags) # -probe nd_syscall.move_pages = - kernel.function("sys_move_pages") ?, - kernel.function("compat_sys_move_pages") ? +probe nd_syscall.move_pages = kprobe.function("sys_move_pages") ?, + kprobe.function("compat_sys_move_pages") ? { name = "move_pages" - argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags) + // argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags) + asmlinkage() + argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6)) } -probe nd_syscall.move_pages.return = - kernel.function("sys_move_pages").return ?, - kernel.function("compat_sys_move_pages").return ? +probe nd_syscall.move_pages.return = kprobe.function("sys_move_pages").return ?, + kprobe.function("compat_sys_move_pages").return ? { name = "move_pages" retstr = returnstr(1) @@ -2608,26 +3233,36 @@ probe nd_syscall.move_pages.return = # char __user * type, # unsigned long flags, # void __user * data) -probe nd_syscall.mount = - kernel.function("sys_mount"), - kernel.function("compat_sys_mount") ? +probe nd_syscall.mount = kprobe.function("sys_mount"), + kprobe.function("compat_sys_mount") ? { name = "mount" - source = user_string($dev_name) - target = user_string($dir_name) - filesystemtype = user_string($type) - mountflags = $flags - mountflags_str = _mountflags_str($flags) - data = text_strn(user_string($data),syscall_string_trunc,1) + // source = user_string($dev_name) + // target = user_string($dir_name) + // filesystemtype = user_string($type) + // mountflags = $flags + // mountflags_str = _mountflags_str($flags) + // data = text_strn(user_string($data), syscall_string_trunc, 1) + // argstr = sprintf("%s, %s, %s, %s, %s", + // user_string_quoted($dev_name), + // user_string_quoted($dir_name), + // user_string_quoted($type), + // mountflags_str, data) + asmlinkage() + source = user_string(pointer_arg(1)) + target = user_string(pointer_arg(2)) + filesystemtype = user_string(pointer_arg(3)) + mountflags = ulong_arg(4) + mountflags_str = _mountflags_str(mountflags) + data = text_strn(user_string(pointer_arg(5)), syscall_string_trunc, 1) argstr = sprintf("%s, %s, %s, %s, %s", - user_string_quoted($dev_name), - user_string_quoted($dir_name), - user_string_quoted($type), + user_string_quoted(pointer_arg(1)), + user_string_quoted(pointer_arg(2)), + user_string_quoted(pointer_arg(3)), mountflags_str, data) } -probe nd_syscall.mount.return = - kernel.function("sys_mount").return, - kernel.function("compat_sys_mount").return ? +probe nd_syscall.mount.return = kprobe.function("sys_mount").return, + kprobe.function("compat_sys_mount").return ? { name = "mount" retstr = returnstr(1) @@ -2636,15 +3271,23 @@ probe nd_syscall.mount.return = # mprotect ___________________________________________________ # long sys_mprotect(unsigned long start, size_t len, unsigned long prot) # -probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? { +probe nd_syscall.mprotect = kprobe.function("sys_mprotect") ? +{ name = "mprotect" - addr = $start - len = $len - prot = $prot - prot_str = _mprotect_prot_str($prot) - argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot)) + // addr = $start + // len = $len + // prot = $prot + // prot_str = _mprotect_prot_str($prot) + // argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot)) + asmlinkage() + addr = ulong_arg(1) + len = ulong_arg(2) + prot = ulong_arg(3) + prot_str = _mprotect_prot_str(prot) + argstr = sprintf("%p, %d, %s", addr, len, _mprotect_prot_str(prot)) } -probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? { +probe nd_syscall.mprotect.return = kprobe.function("sys_mprotect").return ? +{ name = "mprotect" retstr = returnstr(1) } @@ -2657,19 +3300,22 @@ probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? { # const struct compat_mq_attr __user *u_mqstat, # struct compat_mq_attr __user *u_omqstat) # -probe nd_syscall.mq_getsetattr = - kernel.function("sys_mq_getsetattr") ?, - kernel.function("compat_sys_mq_getsetattr") ? +probe nd_syscall.mq_getsetattr = kprobe.function("sys_mq_getsetattr") ?, + kprobe.function("compat_sys_mq_getsetattr") ? { name = "mq_getsetattr" - mqdes = $mqdes - u_mqstat_uaddr = $u_mqstat - u_omqstat_uaddr = $u_omqstat - argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat) + // mqdes = $mqdes + // u_mqstat_uaddr = $u_mqstat + // u_omqstat_uaddr = $u_omqstat + // argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat) + asmlinkage() + mqdes = int_arg(1) + u_mqstat_uaddr = pointer_arg(2) + u_omqstat_uaddr = pointer_arg(3) + argstr = sprintf("%d, %p, %p", mqdes, u_mqstat_uaddr, u_omqstat_uaddr) } -probe nd_syscall.mq_getsetattr.return = - kernel.function("sys_mq_getsetattr").return ?, - kernel.function("compat_sys_mq_getsetattr").return ? +probe nd_syscall.mq_getsetattr.return = kprobe.function("sys_mq_getsetattr").return ?, + kprobe.function("compat_sys_mq_getsetattr").return ? { name = "mq_getsetattr" retstr = returnstr(1) @@ -2679,18 +3325,20 @@ probe nd_syscall.mq_getsetattr.return = # long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification) # long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification) # -probe nd_syscall.mq_notify = - kernel.function("sys_mq_notify") ?, - kernel.function("compat_sys_mq_notify") ? +probe nd_syscall.mq_notify = kprobe.function("sys_mq_notify") ?, + kprobe.function("compat_sys_mq_notify") ? { name = "mq_notify" - mqdes = $mqdes - notification_uaddr = $u_notification - argstr = sprintf("%d, %p", $mqdes, $u_notification) + // mqdes = $mqdes + // notification_uaddr = $u_notification + // argstr = sprintf("%d, %p", $mqdes, $u_notification) + asmlinkage() + mqdes = int_arg(1) + notification_uaddr = pointer_arg(2) + argstr = sprintf("%d, %p", mqdes, notification_uaddr) } -probe nd_syscall.mq_notify.return = - kernel.function("sys_mq_notify").return ?, - kernel.function("compat_sys_mq_notify").return ? +probe nd_syscall.mq_notify.return = kprobe.function("sys_mq_notify").return ?, + kprobe.function("compat_sys_mq_notify").return ? { name = "mq_notify" retstr = returnstr(1) @@ -2705,9 +3353,8 @@ probe nd_syscall.mq_notify.return = # int oflag, compat_mode_t mode, # struct compat_mq_attr __user *u_attr) # -probe nd_syscall.mq_open = - kernel.function("sys_mq_open") ?, - kernel.function("compat_sys_mq_open") ? +probe nd_syscall.mq_open = kprobe.function("sys_mq_open") ?, + kprobe.function("compat_sys_mq_open") ? { name = "mq_open" // name_uaddr = $u_name @@ -2733,9 +3380,8 @@ probe nd_syscall.mq_open = else argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag)) } -probe nd_syscall.mq_open.return = - kernel.function("sys_mq_open").return ?, - kernel.function("compat_sys_mq_open").return ? +probe nd_syscall.mq_open.return = kprobe.function("sys_mq_open").return ?, + kprobe.function("compat_sys_mq_open").return ? { name = "mq_open" retstr = returnstr(1) @@ -2752,22 +3398,28 @@ probe nd_syscall.mq_open.return = # size_t msg_len, unsigned int __user *u_msg_prio, # const struct compat_timespec __user *u_abs_timeout) # -probe nd_syscall.mq_timedreceive = - kernel.function("sys_mq_timedreceive") ?, - kernel.function("compat_sys_mq_timedreceive") ? +probe nd_syscall.mq_timedreceive = kprobe.function("sys_mq_timedreceive") ?, + kprobe.function("compat_sys_mq_timedreceive") ? { name = "mq_timedreceive" - mqdes = $mqdes - msg_ptr_uaddr = $u_msg_ptr - msg_len = $msg_len - msg_prio_uaddr = $u_msg_prio - abs_timout_uaddr = $u_abs_timeout - argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len, - $u_msg_prio, $u_abs_timeout) -} -probe nd_syscall.mq_timedreceive.return = - kernel.function("sys_mq_timedreceive").return ?, - kernel.function("compat_sys_mq_timedreceive").return ? + // mqdes = $mqdes + // msg_ptr_uaddr = $u_msg_ptr + // msg_len = $msg_len + // msg_prio_uaddr = $u_msg_prio + // abs_timout_uaddr = $u_abs_timeout + // argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len, + // $u_msg_prio, $u_abs_timeout) + asmlinkage() + mqdes = int_arg(1) + msg_ptr_uaddr = pointer_arg(2) + msg_len = ulong_arg(3) + msg_prio_uaddr = pointer_arg(4) + abs_timeout_uaddr = pointer_arg(5) + argstr = sprintf("%d, %p, %d, %p, %p", mqdes, msg_ptr_uaddr, msg_len, + msg_prio_uaddr, abs_timeout_uaddr) +} +probe nd_syscall.mq_timedreceive.return = kprobe.function("sys_mq_timedreceive").return ?, + kprobe.function("compat_sys_mq_timedreceive").return ? { name = "mq_timedreceive" retstr = returnstr(1) @@ -2784,22 +3436,28 @@ probe nd_syscall.mq_timedreceive.return = # size_t msg_len, unsigned int msg_prio, # const struct compat_timespec __user *u_abs_timeout) # -probe nd_syscall.mq_timedsend = - kernel.function("sys_mq_timedsend") ?, - kernel.function("compat_sys_mq_timedsend") ? +probe nd_syscall.mq_timedsend = kprobe.function("sys_mq_timedsend") ?, + kprobe.function("compat_sys_mq_timedsend") ? { name = "mq_timedsend" - mqdes = $mqdes - msg_ptr_uaddr = $u_msg_ptr - msg_len = $msg_len - msg_prio = $msg_prio - abs_timeout_uaddr = $u_abs_timeout - argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len, - $msg_prio, $u_abs_timeout) -} -probe nd_syscall.mq_timedsend.return = - kernel.function("sys_mq_timedsend").return ?, - kernel.function("compat_sys_mq_timedsend").return ? + // mqdes = $mqdes + // msg_ptr_uaddr = $u_msg_ptr + // msg_len = $msg_len + // msg_prio = $msg_prio + // abs_timeout_uaddr = $u_abs_timeout + // argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len, + // $msg_prio, $u_abs_timeout) + asmlinkage() + mqdes = int_arg(1) + msg_ptr_uaddr = pointer_arg(2) + msg_len = ulong_arg(3) + msg_prio = uint_arg(4) + abs_timeout_uaddr = pointer_arg(5) + argstr = sprintf("%d, %p, %d, %d, %p", mqdes, msg_ptr_uaddr, msg_len, + msg_prio, abs_timeout_uaddr) +} +probe nd_syscall.mq_timedsend.return = kprobe.function("sys_mq_timedsend").return ?, + kprobe.function("compat_sys_mq_timedsend").return ? { name = "mq_timedsend" retstr = returnstr(1) @@ -2808,13 +3466,19 @@ probe nd_syscall.mq_timedsend.return = # mq_unlink __________________________________________________ # long sys_mq_unlink(const char __user *u_name) # -probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? { +probe nd_syscall.mq_unlink = kprobe.function("sys_mq_unlink") ? +{ name = "mq_unlink" - u_name_uaddr = $u_name - u_name = user_string($u_name) - argstr = user_string_quoted($u_name) + // u_name_uaddr = $u_name + // u_name = user_string($u_name) + // argstr = user_string_quoted($u_name) + asmlinkage() + u_name_uaddr = pointer_arg(1) + u_name = user_string(u_name_uaddr) + argstr = user_string_quoted(u_name_uaddr) } -probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? { +probe nd_syscall.mq_unlink.return = kprobe.function("sys_mq_unlink").return ? +{ name = "mq_unlink" retstr = returnstr(1) } @@ -2826,22 +3490,28 @@ probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? { # unsigned long flags, # unsigned long new_addr) # -probe nd_syscall.mremap = - kernel.function("sys_mremap") ?, - kernel.function("ia64_mremap") ? +probe nd_syscall.mremap = kprobe.function("sys_mremap") ?, + kprobe.function("ia64_mremap") ? { name = "mremap" - old_address = $addr - old_size = $old_len - new_size = $new_len - flags = $flags - new_address = $new_addr - argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len, - _mremap_flags($flags), $new_addr) -} -probe nd_syscall.mremap.return = - kernel.function("sys_mremap").return ?, - kernel.function("ia64_mremap").return ? + // old_address = $addr + // old_size = $old_len + // new_size = $new_len + // flags = $flags + // new_address = $new_addr + // argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len, + // _mremap_flags($flags), $new_addr) + asmlinkage() + old_address = ulong_arg(1) + old_size = ulong_arg(2) + new_size = ulong_arg(3) + flags = ulong_arg(4) + new_address = ulong_arg(5) + argstr = sprintf("%p, %d, %d, %s, %p", old_address, old_size, new_size, + _mremap_flags(flags), new_address) +} +probe nd_syscall.mremap.return = kprobe.function("sys_mremap").return ?, + kprobe.function("ia64_mremap").return ? { name = "mremap" retstr = returnstr(2) @@ -2850,14 +3520,21 @@ probe nd_syscall.mremap.return = # msgctl _____________________________________________________ # long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf) # -probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? { +probe nd_syscall.msgctl = kprobe.function("sys_msgctl") ? +{ name = "msgctl" - msqid = $msqid - cmd = $cmd - buf_uaddr = $buf - argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf) + // msqid = $msqid + // cmd = $cmd + // buf_uaddr = $buf + // argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf) + asmlinkage() + msqid = int_arg(1) + cmd = int_arg(2) + buf_uaddr = pointer_arg(3) + argstr = sprintf("%d, %d, %p", msqid, cmd, buf_uaddr) } -probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? { +probe nd_syscall.msgctl.return = kprobe.function("sys_msgctl").return ? +{ name = "msgctl" retstr = returnstr(1) } @@ -2865,11 +3542,15 @@ probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? { # # long compat_sys_msgctl(int first, int second, void __user *uptr) # -probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? { +probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ? +{ name = "compat_sys_msgctl" - argstr = sprintf("%d, %d, %p", $first, $second, $uptr) + // argstr = sprintf("%d, %d, %p", $first, $second, $uptr) + asmlinkage() + argstr = sprintf("%d, %d, %p", int_arg(1), int_arg(2), pointer_arg(3)) } -probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? { +probe nd_syscall.compat_sys_msgctl.return = kprobe.function("compat_sys_msgctl").return ? +{ name = "compat_sys_msgctl" retstr = returnstr(1) } @@ -2877,14 +3558,21 @@ probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl") # msgget _____________________________________________________ # long sys_msgget (key_t key, int msgflg) # -probe nd_syscall.msgget = kernel.function("sys_msgget") ? { +probe nd_syscall.msgget = kprobe.function("sys_msgget") ? +{ name = "msgget" - key = $key - msgflg = $msgflg - msgflg_str = _sys_open_flag_str($msgflg) - argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg)) + // key = $key + // msgflg = $msgflg + // msgflg_str = _sys_open_flag_str($msgflg) + // argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg)) + asmlinkage() + key = int_arg(1) + msgflg = int_arg(2) + msgflg_str = _sys_open_flag_str(msgflg) + argstr = sprintf("%d, %s", key, _sys_open_flag_str(msgflg)) } -probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? { +probe nd_syscall.msgget.return = kprobe.function("sys_msgget").return ? +{ name = "msgget" retstr = returnstr(1) } @@ -2896,16 +3584,25 @@ probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? { # long msgtyp, # int msgflg) # -probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? { +probe nd_syscall.msgrcv = kprobe.function("sys_msgrcv") ? +{ name = "msgrcv" - msqid = $msqid - msgp_uaddr = $msgp - msgsz = $msgsz - msgtyp = $msgtyp - msgflg = $msgflg - argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg) -} -probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? { + // msqid = $msqid + // msgp_uaddr = $msgp + // msgsz = $msgsz + // msgtyp = $msgtyp + // msgflg = $msgflg + // argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg) + asmlinkage() + msqid = int_arg(1) + msgp_uaddr = pointer_arg(2) + msgsz = ulong_arg(3) + msgtyp = long_arg(4) + msgflg = int_arg(5) + argstr = sprintf("%d, %p, %d, %d, %d", msqid, msgp_uaddr, msgsz, msgtyp, msgflg) +} +probe nd_syscall.msgrcv.return = kprobe.function("sys_msgrcv").return ? +{ name = "msgrcv" retstr = returnstr(1) } @@ -2914,11 +3611,15 @@ probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? { # long compat_sys_msgrcv(int first, int second, int msgtyp, int third, # int version, void __user *uptr) # -probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? { +probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ? +{ name = "compat_sys_msgrcv" - argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) + // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) + asmlinkage() + argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(5)) } -probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? { +probe nd_syscall.compat_sys_msgrcv.return = kprobe.function("compat_sys_msgrcv").return ? +{ name = "compat_sys_msgrcv" retstr = returnstr(1) } @@ -2929,15 +3630,23 @@ probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv") # size_t msgsz, # int msgflg) # -probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? { +probe nd_syscall.msgsnd = kprobe.function("sys_msgsnd") ? +{ name = "msgsnd" - msqid = $msqid - msgp_uaddr = $msgp - msgsz = $msgsz - msgflg = $msgflg - argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg) + // msqid = $msqid + // msgp_uaddr = $msgp + // msgsz = $msgsz + // msgflg = $msgflg + // argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg) + asmlinkage() + msqid = int_arg(1) + msgp_uaddr = pointer_arg(2) + msgsz = ulong_arg(3) + msgflg = int_arg(4) + argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg) } -probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? { +probe nd_syscall.msgsnd.return = kprobe.function("sys_msgsnd").return ? +{ name = "msgsnd" retstr = returnstr(1) } @@ -2945,62 +3654,84 @@ probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? { # # long compat_sys_msgsnd(int first, int second, int third, void __user *uptr) # -probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? { +probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ? +{ name = "compat_sys_msgsnd" - argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) + // argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr) + asmlinkage() + argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4)) } -probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? { +probe nd_syscall.compat_sys_msgsnd.return = kprobe.function("compat_sys_msgsnd").return ? +{ name = "compat_sys_msgsnd" retstr = returnstr(1) } # msync ______________________________________________________ # long sys_msync(unsigned long start, size_t len, int flags) -probe nd_syscall.msync = kernel.function("sys_msync") ? { +probe nd_syscall.msync = kprobe.function("sys_msync") ? +{ name = "msync" - start = $start - length = $len - flags = $flags - argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags)) + // start = $start + // length = $len + // flags = $flags + asmlinkage() + start = ulong_arg(1) + length = ulong_arg(2) + flags = int_arg(3) + argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags)) } -probe nd_syscall.msync.return = kernel.function("sys_msync").return ? { +probe nd_syscall.msync.return = kprobe.function("sys_msync").return ? +{ name = "msync" retstr = returnstr(1) } # munlock ____________________________________________________ # long sys_munlock(unsigned long start, size_t len) -probe nd_syscall.munlock = kernel.function("sys_munlock") ? { +probe nd_syscall.munlock = kprobe.function("sys_munlock") ? +{ name = "munlock" - addr = $start - len = $len + // addr = $start + // len = $len + asmlinkage() + addr = ulong_arg(1) + len = ulong_arg(2) argstr = sprintf("%p, %d", addr, len) } -probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? { +probe nd_syscall.munlock.return = kprobe.function("sys_munlock").return ? +{ name = "munlock" retstr = returnstr(1) } # munlockall _________________________________________________ # long sys_munlockall(void) -probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? { +probe nd_syscall.munlockall = kprobe.function("sys_munlockall") ? +{ name = "munlockall" argstr = "" } -probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? { +probe nd_syscall.munlockall.return = kprobe.function("sys_munlockall").return ? +{ name = "munlockall" retstr = returnstr(1) } # munmap _____________________________________________________ # long sys_munmap(unsigned long addr, size_t len) -probe nd_syscall.munmap = kernel.function("sys_munmap") { +probe nd_syscall.munmap = kprobe.function("sys_munmap") +{ name = "munmap" - start = $addr - length = $len + // start = $addr + // length = $len + asmlinkage() + start = ulong_arg(1) + length = ulong_arg(2) argstr = sprintf("%p, %d", start, length) } -probe nd_syscall.munmap.return = kernel.function("sys_munmap").return { +probe nd_syscall.munmap.return = kprobe.function("sys_munmap").return +{ name = "munmap" retstr = returnstr(1) } -- 1.5.6.5