|
Server : Apache/2.2.2 (Fedora) System : Linux App1.pathumtani.go.th 2.6.20-1.2320.fc5smp #1 SMP Tue Jun 12 19:40:16 EDT 2007 i686 User : apache ( 48) PHP Version : 5.2.9 Disable Function : NONE Directory : /usr/share/systemtap/tapset/ |
Upload File : |
// syscalls tapset part 1 [A-M]
// Copyright (C) 2005 IBM Corp.
// Copyright (C) 2005, 2006 Red Hat Inc.
//
// This file is part of systemtap, and is free software. You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.
/* Each syscall returns the calls parameters. In addition, the following
* variables are set:
*
* name - generally the syscall name minus the "sys_".
*
* argstr - a string containing the decoded args in an easy-to-read format.
* It doesn't need to contain everything, but should have all the
* important args. Set in entry probes only. Values enclosed in
* square brackets are user-space pointers. Values in curly
* braces are decoded structs.
*
* retstr - a string containing the return value in an easy-to-read format.
* Set in return probes only.
*/
# accept _____________________________________________________
# long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
# int __user *upeer_addrlen)
probe syscall.accept = kernel.function("sys_accept") {
name = "accept"
sockfd = $fd
addr_uaddr = $upeer_sockaddr
addrlen_uaddr = $upeer_addrlen
argstr = sprintf("%d, %p, %p", $fd, $upeer_sockaddr, $upeer_addrlen)
}
probe syscall.accept.return = kernel.function("sys_accept").return {
name = "accept"
retstr = returnstr(1)
}
# access _____________________________________________________
# long sys_access(const char __user * filename, int mode)
probe syscall.access = kernel.function("sys_access") {
name = "access"
pathname = user_string($filename)
mode = $mode
mode_str = _access_mode_str($mode)
argstr = sprintf("%s, %s", user_string_quoted($filename), mode_str)
}
probe syscall.access.return = kernel.function("sys_access").return {
name = "access"
retstr = returnstr(1)
}
# acct _______________________________________________________
# long sys_acct(const char __user *name)
probe syscall.acct = kernel.function("sys_acct") ? {
name = "acct"
filename = user_string($name)
argstr = user_string_quoted($name)
}
probe syscall.acct.return = kernel.function("sys_acct").return ? {
name = "acct"
retstr = returnstr(1)
}
# add_key ____________________________________________________
# long sys_add_key(const char __user *_type,
# const char __user *_description,
# const void __user *_payload,
# size_t plen,
# key_serial_t ringid)
#
probe syscall.add_key = kernel.function("sys_add_key") ? {
name = "add_key"
type_uaddr = $_type
description_auddr = $_description
payload_uaddr = $_payload
plen = $plen
ringid = $ringid
argstr = sprintf("%s, %s, %s, %d, %d",
user_string_quoted($_type),
user_string_quoted($_description),
text_strn(user_string($_payload),20,1),
$plen, $ringid)
}
probe syscall.add_key.return = kernel.function("sys_add_key").return ? {
name = "add_key"
retstr = returnstr(1)
}
# adjtimex ___________________________________________________
# long sys_adjtimex(struct timex __user *txc_p)
probe syscall.adjtimex = kernel.function("sys_adjtimex") {
name = "adjtimex"
buf_uaddr = $txc_p
/*
* buf_modes = __uget_timex_m($txc_p,0)
*/
buf_modes_str = _adjtx_mode_str(buf_modes)
/*
* buf_offset = __uget_timex_m($txc_p,1)
* buf_freq = __uget_timex_m($txc_p,2)
* buf_maxerror = __uget_timex_m($txc_p,3)
* buf_esterror = __uget_timex_m($txc_p,4)
* buf_status = __uget_timex_m($txc_p,5)
* buf_constant = __uget_timex_m($txc_p,6)
* buf_precision = __uget_timex_m($txc_p,7)
* buf_tolerance = __uget_timex_m($txc_p,8)
* buf_time_tv_sec = __uget_timex_m($txc_p,9)
* buf_time_tv_usec = __uget_timex_m($txc_p,10)
* buf_tick = __uget_timex_m($txc_p,11)
*/
argstr = buf_modes_str
}
probe syscall.adjtimex.return = kernel.function("sys_adjtimex").return {
name = "adjtimex"
retstr = returnstr(1)
}
# alarm ______________________________________________________
# unsigned long sys_alarm (unsigned int seconds)
probe syscall.alarm = kernel.function("sys_alarm") {
name = "alarm"
seconds = $seconds
argstr = sprint($seconds)
}
probe syscall.alarm.return = kernel.function("sys_alarm").return {
name = "alarm"
retstr = returnstr(1)
}
# bdflush ____________________________________________________
# long sys_bdflush(int func,long data)
probe syscall.bdflush = kernel.function("sys_bdflush") {
name = "bdflush"
func = $func
data = $data
argstr = sprintf("%d %p",func, data)
}
probe syscall.bdflush.return = kernel.function("sys_bdflush").return {
name = "bdflush"
retstr = returnstr(1)
}
# bind _______________________________________________________
# long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
probe syscall.bind = kernel.function("sys_bind") {
name = "bind"
sockfd = $fd
my_addr_uaddr = $umyaddr
addrlen = $addrlen
argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
}
probe syscall.bind.return = kernel.function("sys_bind").return {
name = "bind"
retstr = returnstr(1)
}
# brk ________________________________________________________
# unsigned long sys_brk(unsigned long brk)
probe syscall.brk = kernel.function("sys_brk") {
name = "brk"
brk = $brk
argstr = sprintf("%p", brk)
}
probe syscall.brk.return = kernel.function("sys_brk").return {
name = "brk"
retstr = returnstr(1)
}
# capget _____________________________________________________
/*
* NOTE
* this is probably not a good function
* to probe. The structures are always
* changing. It also seems like it is
* not really used. Cscope produced no
* reference of this function in the
* kernel (returned no callers). Perhaps
* cap_get_proc / cap_set_proc are better
* functions to export.
*/
# long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
probe syscall.capget = kernel.function("sys_capget") {
name = "capget"
header_uaddr = $header
data_uaddr = $dataptr
argstr = sprintf("%p, %p", $header, $dataptr)
}
probe syscall.capget.return = kernel.function("sys_capget").return {
name = "capget"
retstr = returnstr(1)
}
# capset _____________________________________________________
/*
* NOTE
* this is probably not a good function
* to probe. The structures are always
* changing. It also seems like it is
* not really used. Cscope produced no
* reference of this function in the
* kernel (returned no callers). Perhaps
* cap_get_proc / cap_set_proc are better
* functions to export.
*/
# long sys_capset(cap_user_header_t header, const cap_user_data_t data)
probe syscall.capset = kernel.function("sys_capset") {
name = "capset"
header_uaddr = $header
data_uaddr = $data
argstr = sprintf("%p, %p", $header, $data)
}
probe syscall.capset.return = kernel.function("sys_capset").return {
name = "capset"
retstr = returnstr(1)
}
# chdir ______________________________________________________
# long sys_chdir(const char __user * filename)
probe syscall.chdir = kernel.function("sys_chdir") {
name = "chdir"
path = user_string($filename)
argstr = user_string_quoted($filename)
}
probe syscall.chdir.return = kernel.function("sys_chdir").return {
name = "chdir"
retstr = returnstr(1)
}
# chmod ______________________________________________________
# long sys_chmod(const char __user * filename, mode_t mode)
probe syscall.chmod = kernel.function("sys_chmod") {
name = "chmod"
path = user_string($filename)
mode = $mode
argstr = sprintf("%s, %#o", user_string_quoted($filename), mode)
}
probe syscall.chmod.return = kernel.function("sys_chmod").return {
name = "chmod"
retstr = returnstr(1)
}
# chown ______________________________________________________
# long sys_chown(const char __user * filename, uid_t user, gid_t group)
probe syscall.chown = kernel.function("sys_chown") {
name = "chown"
path = user_string($filename)
owner = $user
group = $group
argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
}
probe syscall.chown.return = kernel.function("sys_chown").return {
name = "chown"
retstr = returnstr(1)
}
# chown16 ___________________________________________________
# long sys_chown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
probe syscall.chown16 = kernel.function("sys_chown16") ? {
name = "chown16"
path = user_string($filename)
owner = __short($user)
group = __short($group)
argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
}
probe syscall.chown16.return = kernel.function("sys_chown16").return ? {
name = "chown16"
retstr = returnstr(1)
}
# chroot _____________________________________________________
# long sys_chroot(const char __user * filename)
probe syscall.chroot = kernel.function("sys_chroot") {
name = "chroot"
path = user_string($filename)
argstr = user_string_quoted($filename)
}
probe syscall.chroot.return = kernel.function("sys_chroot").return {
name = "chroot"
retstr = returnstr(1)
}
# clock_getres _______________________________________________
# long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
probe syscall.clock_getres = kernel.function("sys_clock_getres") {
name = "clock_getres"
clk_id = $which_clock
clk_id_str = _get_wc_str($which_clock)
res_uaddr = $tp
argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
}
probe syscall.clock_getres.return = kernel.function("sys_clock_getres").return {
name = "clock_getres"
retstr = returnstr(1)
}
# clock_gettime ______________________________________________
# long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
probe syscall.clock_gettime = kernel.function("sys_clock_gettime") {
name = "clock_gettime"
clk_id = $which_clock
clk_id_str = _get_wc_str($which_clock)
tp_uaddr = $tp
argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
}
probe syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return {
name = "clock_gettime"
retstr = returnstr(1)
}
# clock_nanosleep ____________________________________________
# long sys_clock_nanosleep(clockid_t which_clock,
# int flags,
# const struct timespec __user *rqtp,
# struct timespec __user *rmtp)
#
probe syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
name = "clock_nanosleep"
clock_id = $which_clock
clock_id_str = _get_wc_str($which_clock)
flags = $flags
if ($flags == 0)
flag_str = "0"
else
flag_str = "TIMER_ABSTIME"
rqtp_uaddr = $rqtp
rmtp_uaddr = $rmtp
argstr = sprintf("%s, %s, %s, %p", clock_id_str, flag_str,
_struct_timespec_u($rqtp), $rmtp)
}
probe syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return {
name = "clock_nanosleep"
retstr = returnstr(1)
}
# clock_settime ______________________________________________
# long sys_clock_settime(clockid_t which_clock,
# const struct timespec __user *tp)
#
probe syscall.clock_settime = kernel.function("sys_clock_settime") {
name = "clock_settime"
clk_id = $which_clock
clk_id_str = _get_wc_str($which_clock)
tp_uaddr = $tp
argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp))
}
probe syscall.clock_settime.return = kernel.function("sys_clock_settime").return {
name = "clock_settime"
retstr = returnstr(1)
}
# close ______________________________________________________
# long sys_close(unsigned int fd)
probe syscall.close = kernel.function("sys_close") {
name = "close"
fd = $fd
argstr = sprint(fd)
}
probe syscall.close.return = kernel.function("sys_close").return {
name = "close"
retstr = returnstr(1)
}
# connect ____________________________________________________
# long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
probe syscall.connect = kernel.function("sys_connect") {
name = "connect"
sockfd = $fd
serv_addr_uaddr = $uservaddr
addrlen = $addrlen
argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
}
probe syscall.connect.return = kernel.function("sys_connect").return {
name = "connect"
retstr = returnstr(1)
}
# delete_module ______________________________________________
# long sys_delete_module(const char __user *name_user, unsigned int flags)
probe syscall.delete_module = kernel.function("sys_delete_module") {
name = "delete_module"
name_user = user_string($name_user)
flags = $flags
argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str(flags))
}
probe syscall.delete_module.return = kernel.function("sys_delete_module").return {
name = "delete_module"
retstr = returnstr(1)
}
# dup ________________________________________________________
# long sys_dup(unsigned int fildes)
probe syscall.dup = kernel.function("sys_dup") {
name = "dup"
oldfd = $fildes
argstr = sprint($fildes)
}
probe syscall.dup.return = kernel.function("sys_dup").return {
name = "dup"
retstr = returnstr(1)
}
# dup2 _______________________________________________________
# long sys_dup2(unsigned int oldfd, unsigned int newfd)
probe syscall.dup2 = kernel.function("sys_dup2") {
name = "dup2"
oldfd = $oldfd
newfd = $newfd
argstr = sprintf("%d, %d", $oldfd, $newfd)
}
probe syscall.dup2.return = kernel.function("sys_dup2").return {
name = "dup2"
retstr = returnstr(1)
}
# epoll_create _______________________________________________
# long sys_epoll_create(int size)
probe syscall.epoll_create = kernel.function("sys_epoll_create") {
name = "epoll_create"
size = $size
argstr = sprint($size)
}
probe syscall.epoll_create.return = kernel.function("sys_epoll_create").return {
name = "epoll_create"
retstr = returnstr(1)
}
# epoll_ctl __________________________________________________
#
# long sys_epoll_ctl(int epfd, int op, int fd, struct epoll_event __user *event)
#
probe syscall.epoll_ctl = kernel.function("sys_epoll_ctl") {
name = "epoll_ctl"
epfd = $epfd
op = $op
op_str = _opoll_op_str($op)
fd = $fd
event_uaddr = $event
argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
}
probe syscall.epoll_ctl.return = kernel.function("sys_epoll_ctl").return {
name = "epoll_ctl"
retstr = returnstr(1)
}
# epoll_wait _________________________________________________
#
# long sys_epoll_wait(int epfd, struct epoll_event __user *events,
# int maxevents, int timeout)
#
probe syscall.epoll_wait = kernel.function("sys_epoll_wait") {
name = "epoll_wait"
epfd = $epfd
events_uaddr = $events
maxevents = $maxevents
timeout = $timeout
argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
}
probe syscall.epoll_wait.return = kernel.function("sys_epoll_wait").return {
name = "epoll_wait"
retstr = returnstr(1)
}
# execve _____________________________________________________
# int sys_execve(struct pt_regs regs)
# which breaks out the args and immediately calls
# int do_execve(char * filename,
# char __user *__user *argv,
# char __user *__user *envp,
# struct pt_regs * regs)
probe syscall.execve = kernel.function("do_execve") {
name = "execve"
filename = __string($filename)
args = __get_argv($argv)
argstr = sprintf("%s %s", filename, args)
}
# v2.6.15-rc2 or earlier has problems with sys_execve return probes
# another reason to probe on do_execve
probe syscall.execve.return = kernel.function("do_execve").return {
name = "execve"
retstr = returnstr(1)
}
# exit _______________________________________________________
# long sys_exit(int error_code)
probe syscall.exit = kernel.function("do_exit") {
name = "exit"
status = $code
argstr = sprint($code)
}
probe syscall.exit.return = end {}
# exit_group _________________________________________________
# void sys_exit_group(int error_code)
#
probe syscall.exit_group = kernel.function("sys_exit_group") {
name = "exit_group"
status = $error_code
argstr = sprint($error_code)
}
probe syscall.exit_group.return = end {}
%(arch != "x86_64" %?
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
probe syscall.fadvise64 = kernel.function("sys_fadvise64") {
name = "fadvise64"
fs = $fd
offset = $offset
len = $len
advice = $advice
argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
}
probe syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
name = "fadvise64"
retstr = returnstr(1)
}
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
probe syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
name = "fadvise64_64"
fs = $fd
offset = $offset
len = $len
advice = $advice
argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
}
probe syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
name = "fadvise64_64"
retstr = returnstr(1)
}
%:
# FIXME x86_64 has problems resolving parameters
# fadvise64 __________________________________________________
# long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
#
probe syscall.fadvise64 = kernel.function("sys_fadvise64") {
name = "fadvise64"
fs = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
probe syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
name = "fadvise64"
retstr = returnstr(1)
}
# fadvise64_64 _______________________________________________
# long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
#
probe syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
name = "fadvise64_64"
fs = 0
offset = 0
len = 0
advice = 0
argstr = ""
}
probe syscall.fadvise64_64.return = kernel.function("sys_fadvise64_64").return {
name = "fadvise64_64"
retstr = returnstr(1)
}
%)
# fchdir _____________________________________________________
# long sys_fchdir(unsigned int fd)
probe syscall.fchdir = kernel.function("sys_fchdir") {
name = "fchdir"
fd = $fd
argstr = sprint($fd)
}
probe syscall.fchdir.return = kernel.function("sys_fchdir").return {
name = "fchdir"
retstr = returnstr(1)
}
# fchmod _____________________________________________________
# long sys_fchmod(unsigned int fd, mode_t mode)
probe syscall.fchmod = kernel.function("sys_fchmod") {
name = "fchmod"
fildes = $fd
mode = $mode
argstr = sprintf("%d, %#o", $fd, $mode)
}
probe syscall.fchmod.return = kernel.function("sys_fchmod").return {
name = "fchmod"
retstr = returnstr(1)
}
# fchown _____________________________________________________
# long sys_fchown(unsigned int fd, uid_t user, gid_t group)
probe syscall.fchown = kernel.function("sys_fchown") {
name = "fchown"
fd = $fd
owner = $user
group = $group
argstr = sprintf("%d, %d, %d", $fd, $user, $group)
}
probe syscall.fchown.return = kernel.function("sys_fchown").return {
name = "fchown"
retstr = returnstr(1)
}
# fchown16 ___________________________________________________
# long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
probe syscall.fchown16 = kernel.function("sys_fchown16") ? {
name = "fchown16"
fd = $fd
owner = __short($user)
group = __short($group)
argstr = sprintf("%d, %d, %d", $fd, owner, group)
}
probe syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
name = "fchown16"
retstr = returnstr(1)
}
# fcntl ______________________________________________________
# long sys_fcntl(int fd, unsigned int cmd, unsigned long arg)
probe syscall.fcntl = kernel.function("sys_fcntl") {
name = "fcntl"
fd = $fd
cmd = $cmd
cmd_str = _fcntl_cmd_str($cmd)
arg = $arg
argstr = sprintf("%d, %s, %p", $fd, cmd_str, $arg)
}
probe syscall.fcntl.return = kernel.function("sys_fcntl").return {
name = "fcntl"
retstr = returnstr(1)
}
# fdatasync __________________________________________________
# long sys_fdatasync(unsigned int fd)
probe syscall.fdatasync = kernel.function("sys_fdatasync") {
name = "fdatasync"
fd = $fd
argstr = sprint(fd)
}
probe syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
name = "fdatasync"
retstr = returnstr(1)
}
# fgetxattr __________________________________________________
# ssize_t sys_fgetxattr(int fd, char __user *name,
# void __user *value, size_t size)
probe syscall.fgetxattr = kernel.function("sys_fgetxattr") {
name = "fgetxattr"
filedes = $fd
#FIXME
name2 = user_string($name)
value_uaddr = $value
size = $size
argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
}
probe syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return {
name = "fgetxattr"
retstr = returnstr(1)
}
# flistxattr _________________________________________________
# ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
probe syscall.flistxattr = kernel.function("sys_flistxattr") {
name = "flistxattr"
filedes = $fd
list_uaddr = $list
size = $size
argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
}
probe syscall.flistxattr.return = kernel.function("sys_flistxattr").return {
name = "flistxattr"
retstr = returnstr(1)
}
# flock ______________________________________________________
# long sys_flock(unsigned int fd, unsigned int cmd)
probe syscall.flock = kernel.function("sys_flock") {
name = "flock"
fd = $fd
operation = $cmd
argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
}
probe syscall.flock.return = kernel.function("sys_flock").return {
name = "flock"
retstr = returnstr(1)
}
# fork _______________________________________________________
# long do_fork(unsigned long clone_flags,
# unsigned long stack_start,
# struct pt_regs *regs,
# unsigned long stack_size,
# int __user *parent_tidptr,
# int __user *child_tidptr)
probe syscall.fork = kernel.function("do_fork") {
clone_flags = $clone_flags
stack_start = $stack_start
regs = $regs
stack_size = $stack_size
parent_tid_uaddr = $parent_tidptr
child_tid_uaddr = $child_tidptr
if (stack_start == 0) {
name = "fork_kernel_thread"
argstr = __fork_flags(clone_flags)
} else if (clone_flags == 17)
name = "fork"
else if (clone_flags & 0x4000)
name = "vfork"
else {
name = "clone"
argstr = __fork_flags(clone_flags)
}
}
probe syscall.fork.return = kernel.function("do_fork").return {
name = "fork"
retstr = returnstr(1)
}
# fremovexattr _______________________________________________
# long sys_fremovexattr(int fd, char __user *name)
probe syscall.fremovexattr = kernel.function("sys_fremovexattr") {
name = "fremovexattr"
filedes = $fd
name_uaddr = $name
argstr = sprintf("FIXME PLEASE")
}
probe syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return {
name = "fremovexattr"
retstr = returnstr(1)
}
# fsetxattr __________________________________________________
/*
* asmlinkage long
* sys_fsetxattr(int fd,
* char __user *name,
* void __user *value,
* size_t size,
* int flags)
*/
probe syscall.fsetxattr = kernel.function("sys_fsetxattr") {
name = "fsetxattr"
filedes = $fd
# FIXME
name2 = user_string($name)
value_uaddr = $value
size = $size
flags = $flags
argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
}
probe syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
name = "fsetxattr"
retstr = returnstr(1)
}
# fstat ______________________________________________________
# long sys_fstat(unsigned int fd, struct __old_kernel_stat __user * statbuf)
# long sys_fstat64(unsigned long fd, struct stat64 __user * statbuf)
# long sys32_fstat64(unsigned int fd, struct stat64 __user *statbuf)
# long sys_newfstat(unsigned int fd, struct stat __user * statbuf)
# long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
#
probe syscall.fstat =
kernel.function("sys_fstat") ?,
kernel.function("sys_fstat64") ?,
kernel.function("sys32_fstat64") ?,
kernel.function("sys_newfstat") ?,
kernel.function("compat_sys_newfstat") ?
{
name = "fstat"
filedes = $fd
buf_uaddr = $statbuf
argstr = sprintf("%d, %p", $fd, $statbuf)
}
probe syscall.fstat.return =
kernel.function("sys_fstat").return ?,
kernel.function("sys_fstat64").return ?,
kernel.function("sys32_fstat64").return ?,
kernel.function("sys_newfstat").return ?,
kernel.function("compat_sys_newfstat").return ?
{
name = "fstat"
retstr = returnstr(1)
}
# fstatfs ____________________________________________________
# long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
# long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
#
probe syscall.fstatfs =
kernel.function("sys_fstatfs"),
kernel.function("compat_sys_fstatfs") ?
{
name = "fstatfs"
fd = $fd
buf_uaddr = $buf
argstr = sprintf("%d, %p", $fd, $buf)
}
probe syscall.fstatfs.return =
kernel.function("sys_fstatfs").return,
kernel.function("compat_sys_fstatfs").return ?
{
name = "fstatfs"
retstr = returnstr(1)
}
# fstatfs64 __________________________________________________
# long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
probe syscall.fstatfs64 = kernel.function("sys_fstatfs64") {
name = "fstatfs"
fd = $fd
sz = $sz
buf_uaddr = $buf
argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr)
}
probe syscall.fstatfs64.return = kernel.function("sys_fstatfs64").return {
name = "fstatfs"
retstr = returnstr(1)
}
# fsync ______________________________________________________
# long sys_fsync(unsigned int fd)
probe syscall.fsync = kernel.function("sys_fsync") {
name = "fsync"
fd = $fd
argstr = sprint(fd)
}
probe syscall.fsync.return = kernel.function("sys_fsync").return {
name = "fsync"
retstr = returnstr(1)
}
# ftruncate __________________________________________________
# long sys_ftruncate(unsigned int fd, unsigned long length)
probe syscall.ftruncate = kernel.function("sys_ftruncate") {
name = "ftruncate"
fd = $fd
length = $length
argstr = sprintf("%d, %d", fd, length)
}
probe syscall.ftruncate.return = kernel.function("sys_ftruncate").return {
name = "ftruncate"
retstr = returnstr(1)
}
# ftruncate64 ________________________________________________
# long sys_ftruncate64(unsigned int fd, loff_t length)
probe syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
name = "ftruncate"
fd = $fd
length = $length
argstr = sprintf("%d, %d", fd, length)
}
probe syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
name = "ftruncate"
retstr = returnstr(1)
}
# futex ______________________________________________________
# long sys_futex(u32 __user *uaddr,
# int op,
# int val,
# struct timespec __user *utime,
# u32 __user *uaddr2,
# int val3)
#
probe syscall.futex = kernel.function("sys_futex") {
name = "futex"
futex_uaddr = $uaddr
op = $op
val = $val
utime_uaddr = $utime
uaddr2_uaddr = $uaddr2
val3 = $val3
if (op == 0)
argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
$val, _struct_timespec_u($utime))
else
argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
$val)
}
probe syscall.futex.return = kernel.function("sys_futex").return {
name = "futex"
retstr = returnstr(1)
}
# getcwd _____________________________________________________
# long sys_getcwd(char __user *buf, unsigned long size)
probe syscall.getcwd = kernel.function("sys_getcwd") {
name = "getcwd"
buf_uaddr = $buf
size = $size
argstr = sprintf("%p, %d", buf_uaddr, size)
}
probe syscall.getcwd.return = kernel.function("sys_getcwd").return {
name = "getcwd"
retstr = returnstr(1)
}
# getdents ___________________________________________________
# long sys_getdents(unsigned int fd,
# struct linux_dirent __user * dirent,
# unsigned int count)
probe syscall.getdents = kernel.function("sys_getdents") {
name = "getdents"
fd = $fd
dirp_uaddr = $dirent
count = $count
argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
}
probe syscall.getdents.return = kernel.function("sys_getdents").return {
name = "getdents"
retstr = returnstr(1)
}
# getdents64 _________________________________________________
# long sys_getdents64(unsigned int fd,
# struct linux_dirent64 __user * dirent,
# unsigned int count)
probe syscall.getdents64 = kernel.function("sys_getdents64") {
name = "getdents"
fd = $fd
dirp_uaddr = $dirent
count = $count
argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
}
probe syscall.getdents64.return = kernel.function("sys_getdents64").return {
name = "getdents"
retstr = returnstr(1)
}
# getegid ____________________________________________________
# long sys_getegid(void)
probe syscall.getegid = kernel.function("sys_getegid") {
name = "getegid"
}
probe syscall.getegid.return = kernel.function("sys_getegid").return {
name = "getegid"
retstr = returnstr(1)
}
# getegid16 __________________________________________________
# long sys_getegid16(void)
probe syscall.getegid16 = kernel.function("sys_getegid16") ? {
name = "getegid16"
}
probe syscall.getegid16.return = kernel.function("sys_getegid16").return ? {
name = "getegid16"
retstr = returnstr(1)
}
# geteuid ____________________________________________________
# long sys_geteuid(void)
probe syscall.geteuid = kernel.function("sys_geteuid") {
name = "geteuid"
}
probe syscall.geteuid.return = kernel.function("sys_geteuid").return {
name = "geteuid"
retstr = returnstr(1)
}
# geteuid16 __________________________________________________
# long sys_geteuid16(void)
probe syscall.geteuid16 = kernel.function("sys_geteuid16") ? {
name = "geteuid16"
}
probe syscall.geteuid16.return = kernel.function("sys_geteuid16").return ? {
name = "geteuid16"
retstr = returnstr(1)
}
# getgid _____________________________________________________
# long sys_getgid(void)
probe syscall.getgid =kernel.function("sys_getgid") {
name = "getgid"
}
probe syscall.getgid.return = kernel.function("sys_getgid").return {
name = "getgid"
retstr = returnstr(1)
}
# getgid16 ___________________________________________________
# long sys_getgid16(void)
probe syscall.getgid16 = kernel.function("sys_getgid16") ? {
name = "getgid16"
}
probe syscall.getgid16.return = kernel.function("sys_getgid16").return ? {
name = "getgid16"
retstr = returnstr(1)
}
# getgroups __________________________________________________
# long sys_getgroups(int gidsetsize, gid_t __user *grouplist)
probe syscall.getgroups = kernel.function("sys_getgroups") {
name = "getgroups"
size = $gidsetsize
list_uaddr = $grouplist
argstr = sprintf("%d, %p", size, list_uaddr)
}
probe syscall.getgroups.return = kernel.function("sys_getgroups").return {
name = "getgroups"
retstr = returnstr(1)
}
# gethostname ________________________________________________
# long sys_gethostname(char __user *name, int len)
probe syscall.gethostname = kernel.function("sys_gethostname") {
name = "gethostname"
name_uaddr = $name
len = $len
argstr = sprintf ("%p, %d", name_uaddr, len)
}
probe syscall.gethostname.return = kernel.function("sys_gethostname").return {
name = "gethostname"
retstr = returnstr(1)
}
# getitimer __________________________________________________
# long sys_getitimer(int which, struct itimerval __user *value)
probe syscall.getitimer = kernel.function("sys_getitimer") {
name = "getitimer"
which = $which
value_uaddr = $value
argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
}
probe syscall.getitimer.return = kernel.function("sys_getitimer").return {
name = "getitimer"
retstr = returnstr(1)
}
# long compat_sys_getitimer(int which, struct compat_itimerval __user *it
probe syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
name = "getitimer"
which = $which
value_uaddr = $it
argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
}
probe syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
name = "getitimer"
retstr = returnstr(1)
}
# get_mempolicy ______________________________________________
# long sys_get_mempolicy(int __user *policy,
# unsigned long __user *nmask,
# unsigned long maxnode,
# unsigned long addr,
# unsigned long flags)
#
probe syscall.get_mempolicy = kernel.function("sys_get_mempolicy") ? {
name = "get_mempolicy"
policy_uaddr = $policy
nmask_uaddr = $nmask
maxnode = $maxnode
addr = $addr
flags = $flags
argstr = sprintf("%p, %p, %d, %p, %d", policy_uaddr,
nmask_uaddr, $maxnode, $addr, $flags)
}
probe syscall.get_mempolicy.return =
kernel.function("sys_get_mempolicy").return ? {
name = "get_mempolicy"
retstr = returnstr(1)
}
# getpeername ________________________________________________
# long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
#
probe syscall.getpeername = kernel.function("sys_getpeername") {
name = "getpeername"
s = $fd
name_uaddr = $usockaddr
namelen_uaddr = $usockaddr_len
argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
}
probe syscall.getpeername.return = kernel.function("sys_getpeername").return {
name = "getpeername"
retstr = returnstr(1)
}
# getpgid ____________________________________________________
# long sys_getpgid(void)
probe syscall.getpgid = kernel.function("sys_getpgid") {
name = "getpgid"
}
probe syscall.getpgid.return = kernel.function("sys_getpgid").return {
name = "getpgid"
retstr = returnstr(1)
}
# getpgrp ____________________________________________________
# long sys_getpgrp(void)
probe syscall.getpgrp = kernel.function("sys_getpgrp") {
name = "getpgrp"
}
probe syscall.getpgrp.return = kernel.function("sys_getpgrp").return {
name = "getpgrp"
retstr = returnstr(1)
}
# getpid _____________________________________________________
# long sys_getpid(void)
probe syscall.getpid = kernel.function("sys_getpid") {
name = "getpid"
}
probe syscall.getpid.return = kernel.function("sys_getpid").return {
name = "getpid"
retstr = returnstr(1)
}
# getppid ____________________________________________________
# long sys_getppid(void)
probe syscall.getppid = kernel.function("sys_getppid") {
name = "getppid"
}
probe syscall.getppid.return = kernel.function("sys_getppid").return {
name = "getppid"
}
# getpriority ________________________________________________
# long sys_getpriority(int which, int who)
probe syscall.getpriority = kernel.function("sys_getpriority") {
name = "getpriority"
which = $which
who = $who
argstr = sprintf("%s, %d", _priority_which_str(which), who)
}
probe syscall.getpriority.return = kernel.function("sys_getpriority").return {
name = "getpriority"
retstr = returnstr(1)
}
# getresgid __________________________________________________
# long sys_getresgid(gid_t __user *rgid,
# gid_t __user *egid,
# gid_t __user *sgid)
probe syscall.getresgid = kernel.function("sys_getresgid") {
name = "getresgid"
rgid_uaddr = $rgid
egid_uaddr = $egid
sgid_uaddr = $sgid
argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
}
probe syscall.getresgid.return = kernel.function("sys_getresgid").return {
name = "getresgid"
retstr = returnstr(1)
}
# getresgid16 ________________________________________________
# long sys_getresgid16(old_uid_t __user *rgid,
# old_uid_t __user *egid,
# old_uid_t __user *sgid)
probe syscall.getresgid16 = kernel.function("sys_getresgid16") ? {
name = "getresgid16"
rgid_uaddr = $rgid
egid_uaddr = $egid
sgid_uaddr = $sgid
argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
}
probe syscall.getresgid16.return = kernel.function("sys_getresgid16").return ? {
name = "getresgid16"
retstr = returnstr(1)
}
# getresuid __________________________________________________
# long sys_getresuid(uid_t __user *ruid,
# uid_t __user *euid,
# uid_t __user *suid)
probe syscall.getresuid = kernel.function("sys_getresuid") {
name = "getresuid"
ruid_uaddr = $ruid
euid_uaddr = $euid
suid_uaddr = $suid
argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
}
probe syscall.getresuid.return = kernel.function("sys_getresuid").return {
name = "getresuid"
retstr = returnstr(1)
}
# getresuid16 ________________________________________________
# long sys_getresuid16(old_uid_t __user *ruid,
# old_uid_t __user *euid,
# old_uid_t __user *suid)
probe syscall.getresuid16 = kernel.function("sys_getresuid16") ? {
name = "getresuid16"
ruid_uaddr = $ruid
euid_uaddr = $euid
suid_uaddr = $suid
argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
}
probe syscall.getresuid16.return = kernel.function("sys_getresuid16").return ? {
name = "getresuid16"
retstr = returnstr(1)
}
# getrlimit __________________________________________________
# long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
probe syscall.getrlimit = kernel.function("sys_getrlimit") {
name = "getrlimit"
resource = $resource
rlim_uaddr = $rlim
argstr = sprintf("%s, %p", _rlimit_resource_str($resource), rlim_uaddr)
}
probe syscall.getrlimit.return = kernel.function("sys_getrlimit").return {
name = "getrlimit"
retstr = returnstr(1)
}
# getrusage __________________________________________________
# long sys_getrusage(int who, struct rusage __user *ru)
probe syscall.getrusage = kernel.function("sys_getrusage") {
name = "getrusage"
who = $who
usage_uaddr = $ru
argstr = sprintf("%s, %p",_rusage_who_str($who), usage_uaddr)
}
probe syscall.getrusage.return = kernel.function("sys_getrusage").return {
name = "getrusage"
retstr = returnstr(1)
}
# getsid _____________________________________________________
# long sys_getsid(pid_t pid)
probe syscall.getsid = kernel.function("sys_getsid") {
name = "getsid"
pid = $pid
argstr = sprint(pid)
}
probe syscall.getsid.return = kernel.function("sys_getsid").return {
name = "getsid"
retstr = returnstr(1)
}
# getsockname ________________________________________________
# long sys_getsockname(int fd,
# struct sockaddr __user *usockaddr,
# int __user *usockaddr_len)
probe syscall.getsockname = kernel.function("sys_getsockname") {
name = "getsockname"
s = $fd
name_uaddr = $usockaddr
namelen_uaddr = $usockaddr_len
argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
}
probe syscall.getsockname.return = kernel.function("sys_getsockname").return {
name = "getsockname"
retstr = returnstr(1)
}
# getsockopt _________________________________________________
# long sys_getsockopt(int fd,
# int level,
# int optname,
# char __user *optval,
# int __user *optlen)
#
probe syscall.getsockopt = kernel.function("sys_getsockopt") {
name = "getsockopt"
fd = $fd
level = $level
level_str = _sockopt_level_str($level)
optname = $optname
optname_str = _sockopt_optname_str($optname)
optval_uaddr = $optval
optlen_uaddr = $optlen
argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
_sockopt_optname_str($optname), $optval, $optlen)
}
probe syscall.getsockopt.return = kernel.function("sys_getsockopt").return {
name = "getsockopt.return"
}
# gettid _____________________________________________________
# long sys_gettid(void)
probe syscall.gettid = kernel.function("sys_gettid") {
name = "gettid"
}
probe syscall.gettid.return = kernel.function("sys_gettid").return {
name = "gettid"
retstr = returnstr(1)
}
# gettimeofday _______________________________________________
# long sys_gettimeofday(struct timeval __user *tv,
# struct timezone __user *tz)
# long sys32_gettimeofday(struct compat_timeval __user *tv,
# struct timezone __user *tz)
probe syscall.gettimeofday =
kernel.function("sys_gettimeofday"),
kernel.function("sys32_gettimeofday") ?
{
name = "gettimeofday"
tv_uaddr = $tv
tz_uaddr = $tz
argstr = sprintf("%p, %p", $tv, $tz)
}
probe syscall.gettimeofday.return =
kernel.function("sys_gettimeofday").return,
kernel.function("sys32_gettimeofday").return ?
{
name = "gettimeofday"
retstr = returnstr(1)
}
# getuid _____________________________________________________
# long sys_getuid(void)
probe syscall.getuid = kernel.function("sys_getuid") {
name = "getuid"
}
probe syscall.getuid.return = kernel.function("sys_getuid").return {
name = "getuid"
retstr = returnstr(1)
}
# getuid16 ___________________________________________________
# long sys_getuid16(void)
probe syscall.getuid16 = kernel.function("sys_getuid16") ? {
name = "getuid16"
}
probe syscall.getuid16.return = kernel.function("sys_getuid16").return ? {
name = "getuid16"
retstr = returnstr(1)
}
# getxattr ___________________________________________________
# ssize_t sys_getxattr(char __user *path, char __user *name,
# void __user *value, size_t size)
probe syscall.getxattr = kernel.function("sys_getxattr") {
name = "getxattr"
path = user_string($path)
# FIXME
name2 = user_string($name)
value_uaddr = $value
size = $size
argstr = sprintf("%s, %s, %p, %d",
user_string_quoted($path),
user_string_quoted($name),
value_uaddr, size)
}
probe syscall.getxattr.return = kernel.function("sys_getxattr").return {
name = "getxattr"
retstr = returnstr(1)
}
# init_module ________________________________________________
# long sys_init_module(void __user *umod,
# unsigned long len,
# const char __user *uargs)
probe syscall.init_module = kernel.function("sys_init_module") {
name = "init_module"
umod_uaddr = $umod
len = $len
uargs = user_string($uargs)
argstr = sprintf("%p, %d, %s", umod_uaddr, len, uargs)
}
probe syscall.init_module.return = kernel.function("sys_init_module").return {
name = "init_module"
retstr = returnstr(1)
}
# io_cancel __________________________________________________
# long sys_io_cancel(aio_context_t ctx_id,
# struct iocb __user *iocb,
# struct io_event __user *result)
probe syscall.io_cancel = kernel.function("sys_io_cancel") {
name = "io_cancel"
ctx_id = $ctx_id
iocb_uaddr = $iocb
result_uaddr = $result
argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)
}
probe syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
name = "io_cancel"
retstr = returnstr(1)
}
# ioctl ______________________________________________________
# long sys_ioctl(unsigned int fd, unsigned int cmd,
# unsigned long arg)
probe syscall.ioctl = kernel.function("sys_ioctl") {
name = "ioctl"
fd = $fd
request = $cmd
argp = $arg
argstr = sprintf("%d, %d, %p", fd, request, argp)
}
probe syscall.ioctl.return = kernel.function("sys_ioctl").return {
name = "ioctl"
retstr = returnstr(1)
}
# io_destroy _________________________________________________
# long sys_io_destroy(aio_context_t ctx)
probe syscall.io_destroy = kernel.function("sys_io_destroy") {
name = "io_destroy"
ctx = $ctx
argstr = sprintf("%d", ctx)
}
probe syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
name = "io_destroy"
retstr = returnstr(1)
}
# io_getevents _______________________________________________
# long sys_io_getevents(aio_context_t ctx_id,
# long min_nr,
# long nr,
# struct io_event __user *events,
# struct timespec __user *timeout)
probe syscall.io_getevents = kernel.function("sys_io_getevents") {
name = "io_getevents"
ctx_id = $ctx_id
min_nr = $min_nr
nr = $nr
events_uaddr = $events
timeout_uaddr = $timeout
timestr = _struct_timespec_u($timeout)
argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr,
nr, events_uaddr, timeout_uaddr, timestr)
}
probe syscall.io_getevents.return = kernel.function("sys_io_getevents").return {
name = "io_getevents"
retstr = returnstr(1)
}
# ioperm _____________________________________________________
# long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
#
probe syscall.ioperm = kernel.function("sys_ioperm") ? {
name = "ioperm"
from = $from
num = $num
turn_on = $turn_on
argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
}
probe syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
name = "ioperm"
retstr = returnstr(1)
}
# io_setup ___________________________________________________
# long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
#
probe syscall.io_setup = kernel.function("sys_io_setup") {
name = "io_setup"
maxevents = $nr_events
ctxp_uaddr = $ctxp
argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
}
probe syscall.io_setup.return = kernel.function("sys_io_setup").return {
name = "io_setup"
retstr = returnstr(1)
}
# io_submit __________________________________________________
# long sys_io_submit(aio_context_t ctx_id,
# long nr,
# struct iocb __user * __user *iocbpp)
#
probe syscall.io_submit = kernel.function("sys_io_submit") {
name = "io_submit"
ctx_id = $ctx_id
nr = $nr
iocbpp_uaddr = $iocbpp
argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
}
probe syscall.io_submit.return = kernel.function("sys_io_submit").return {
name = "io_submit"
retstr = returnstr(1)
}
# ioprio_get _________________________________________________
# long sys_ioprio_get(int which, int who)
#
probe syscall.ioprio_get = kernel.function("sys_ioprio_get") ? {
name = "ioprio_get"
which = $which
who = $who
argstr = sprintf("%d, %d", $which, $who)
}
probe syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? {
name = "ioprio_get"
retstr = returnstr(1)
}
# ioprio_set _________________________________________________
# long sys_ioprio_set(int which, int who, int ioprio)
#
probe syscall.ioprio_set = kernel.function("sys_ioprio_set") ? {
name = "ioprio_set"
which = $which
who = $who
ioprio = $ioprio
argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
}
probe syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? {
name = "ioprio_set"
retstr = returnstr(1)
}
# kexec_load _________________________________________________
# long sys_kexec_load(unsigned long entry,
# unsigned long nr_segments,
# struct kexec_segment __user *segments,
# unsigned long flags)
#
probe syscall.kexec_load = kernel.function("sys_kexec_load") ? {
name = "kexec_load"
entry = $entry
nr_segments = $nr_segments
segments_uaddr = $segments
flags = $flags
argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
}
probe syscall.kexec_load.return = kernel.function("sys_kexec_load").return ? {
name = "kexec_load"
retstr = returnstr(1)
}
# keyctl _____________________________________________________
# long sys_keyctl(int option,
# unsigned long arg2,
# unsigned long arg3,
# unsigned long arg4,
# unsigned long arg5)
#
probe syscall.keyctl = kernel.function("sys_keyctl") ? {
name = "keyctl"
option = $option
arg2 = $arg2
arg3 = $arg3
arg4 = $arg4
arg5 = $arg5
argstr = sprintf("%d", $option)
}
probe syscall.keyctl.return = kernel.function("sys_keyctl").return ? {
name = "keyctl"
retstr = returnstr(1)
}
# kill _______________________________________________________
# long sys_kill(int pid, int sig)
probe syscall.kill = kernel.function("sys_kill") {
name = "kill"
pid = $pid
sig = $sig
argstr = sprintf("%d, %s", $pid, _signal_name($sig))
}
probe syscall.kill.return = kernel.function("sys_kill").return {
name = "kill"
retstr = returnstr(1)
}
# lchown _____________________________________________________
# long sys_lchown(const char __user * filename, uid_t user, gid_t group)
#
probe syscall.lchown = kernel.function("sys_lchown") {
name = "lchown"
path = user_string($filename)
owner = $user
group = $group
argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
}
probe syscall.lchown.return = kernel.function("sys_lchown").return {
name = "lchown"
retstr = returnstr(1)
}
# lchown16 ___________________________________________________
# long sys_lchown16(const char __user * filename, old_uid_t user,
# old_gid_t group)
#
probe syscall.lchown16 = kernel.function("sys_lchown16") ? {
name = "lchown16"
path = user_string($filename)
owner = __short($user)
group = __short($group)
argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
}
probe syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
name = "lchown16"
retstr = returnstr(1)
}
# lgetxattr __________________________________________________
# ssize_t sys_lgetxattr(char __user *path,
# char __user *name,
# void __user *value,
# size_t size)
#
probe syscall.lgetxattr = kernel.function("sys_lgetxattr") {
name = "lgetxattr"
path = user_string($path)
# FIXME
name2 = user_string($name)
value_uaddr = $value
size = $size
argstr = sprintf("%s, %s, %p, %d",
user_string_quoted($path),
user_string_quoted($name),
value_uaddr, size)
}
probe syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return {
name = "lgetxattr"
retstr = returnstr(1)
}
# link _______________________________________________________
# long sys_link(const char __user * oldname,
# const char __user * newname)
probe syscall.link = kernel.function("sys_link") {
name = "link"
oldpath = user_string($oldname)
newpath = user_string($newname)
argstr = sprintf("%s, %s",
user_string_quoted($oldname),
user_string_quoted($newname))
}
probe syscall.link.return = kernel.function("sys_link").return {
name = "link"
retstr = returnstr(1)
}
# listen _____________________________________________________
# long sys_listen(int fd, int backlog)
probe syscall.listen = kernel.function("sys_listen") {
name = "listen"
sockfd = $fd
backlog = $backlog
argstr = sprintf("%d, %d", $fd, $backlog)
}
probe syscall.listen.return = kernel.function("sys_listen").return {
name = "listen"
retstr = returnstr(1)
}
# listxattr __________________________________________________
# ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
#
probe syscall.listxattr = kernel.function("sys_listxattr") {
name = "listxattr"
path_uaddr = $path
path = user_string($path)
list_uaddr = $list
size = $size
argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
}
probe syscall.listxattr.return = kernel.function("sys_listxattr").return {
name = "listxattr"
retstr = returnstr(1)
}
# llistxattr _________________________________________________
# ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
#
probe syscall.llistxattr = kernel.function("sys_llistxattr") {
name = "llistxattr"
path_uaddr = $path
path = user_string($path)
list_uaddr = $list
size = $size
argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
}
probe syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
name = "llistxattr"
retstr = returnstr(1)
}
# llseek _____________________________________________________
# long sys_llseek(unsigned int fd,
# unsigned long offset_high,
# unsigned long offset_low,
# loff_t __user * result,
# unsigned int origin)
probe syscall.llseek = kernel.function("sys_llseek") {
name = "llseek"
fd = $fd
offset_high = $offset_high
offset_low = $offset_low
result_uaddr = $result
whence = $origin
whence_str = _seek_whence_str($origin)
argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
$offset_low, $result, whence_str)
}
probe syscall.llseek.return = kernel.function("sys_llseek").return {
name = "llseek"
retstr = returnstr(1)
}
# lookup_dcookie _____________________________________________
# long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
#
probe syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") {
name = "lookup_dcookie"
cookie = $cookie64
buffer_uaddr = $buf
len = $len
argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
}
probe syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return {
name = "lookup_dcookie"
retstr = returnstr(1)
}
# lremovexattr _______________________________________________
# long sys_lremovexattr(char __user *path, char __user *name)
#
probe syscall.lremovexattr = kernel.function("sys_lremovexattr") {
name = "lremovexattr"
path_uaddr = $path
path = user_string($path)
name_uaddr = $name
name2 = user_string($name)
argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name))
}
probe syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return {
name = "lremovexattr"
retstr = returnstr(1)
}
# lseek ______________________________________________________
# off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
probe syscall.lseek = kernel.function("sys_lseek") {
name = "lseek"
fildes = $fd
offset = $offset
whence = $origin
whence_str = _seek_whence_str($origin)
argstr = sprintf("%d, %d, %s", $fd, $offset, whence_str)
}
probe syscall.lseek.return = kernel.function("sys_lseek").return {
name = "lseek"
retstr = returnstr(1)
}
# lsetxattr __________________________________________________
# long sys_lsetxattr(char __user *path,
# char __user *name,
# void __user *value,
# size_t size,
# int flags)
#
probe syscall.lsetxattr = kernel.function("sys_lsetxattr") {
name = "lsetxattr"
path_uaddr = $path
path = user_string($path)
name_uaddr = $name
name_str = user_string($name)
value_uaddr = $value
size = $size
flags = $flags
argstr = sprintf("%s, %s, %p, %d, %d",
user_string_quoted($path),
user_string_quoted($name),
value_uaddr, $size, $flags)
}
probe syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
name = "lsetxattr"
retstr = returnstr(1)
}
# lstat ______________________________________________________
# long sys_lstat(char __user * filename, struct __old_kernel_stat __user * statbuf)
# long sys_newlstat(char __user * filename, struct stat __user * statbuf)
# long compat_sys_newlstat(char __user * filename, struct compat_stat __user *statbuf)
# long sys32_lstat64(char * filename, struct stat64 __user *statbuf)
#
probe syscall.lstat =
kernel.function("sys_lstat") ?,
kernel.function("sys_newlstat") ?,
kernel.function("compat_sys_newlstat") ?,
kernel.function("sys32_lstat64") ?
{
name = "lstat"
file_name = user_string($filename)
buf_uaddr = $statbuf
argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
}
probe syscall.lstat.return =
kernel.function("sys_lstat").return ?,
kernel.function("sys_newlstat").return ?,
kernel.function("compat_sys_newlstat").return ?,
kernel.function("sys32_lstat64").return ?
{
name = "lstat"
retstr = returnstr(1)
}
# madvise ____________________________________________________
# long sys_madvise(unsigned long start, size_t len_in, int behavior)
#
probe syscall.madvise = kernel.function("sys_madvise") {
name = "madvise"
start = $start
length = $len_in
advice = $behavior
advice_str = _madvice_advice_str($behavior)
argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
}
probe syscall.madvise.return = kernel.function("sys_madvise").return {
name = "madvise"
retstr = returnstr(1)
}
# mbind ______________________________________________________
# long sys_mbind(unsigned long start,
# unsigned long len,
# unsigned long mode,
# unsigned long __user *nmask,
# unsigned long maxnode,
# unsigned flags)
#
probe syscall.mbind = kernel.function("sys_mbind") ? {
name = "mbind"
start = $start
len = $len
mode = $mode
nmask_uaddr = $nmask
maxnode = $maxnode
flags = $flags
argstr = sprintf("%d, %d, %d, %p, %d, %d", $start, $len, $mode,
nmask_uaddr, $maxnode, $flags)
}
probe syscall.mbind.return = kernel.function("sys_mbind").return ? {
name = "mbind"
retstr = returnstr(1)
}
# mincore ____________________________________________________
# long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
#
probe syscall.mincore = kernel.function("sys_mincore") {
name = "mincore"
start = $start
length = $len
vec_uaddr = $vec
argstr = sprintf("%p, %d, %p", $start, $len, $vec)
}
probe syscall.mincore.return = kernel.function("sys_mincore").return {
name = "mincore"
retstr = returnstr(1)
}
# mkdir ______________________________________________________
# long sys_mkdir(const char __user * pathname, int mode)
probe syscall.mkdir = kernel.function("sys_mkdir") {
name = "mkdir"
pathname_uaddr = $pathname
pathname = user_string($pathname)
mode = $mode
argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
}
probe syscall.mkdir.return = kernel.function("sys_mkdir").return {
name = "mkdir"
retstr = returnstr(1)
}
# mkdirat ____________________________________________________
# new function with 2.6.16
# long sys_mkdirat(int dfd, const char __user *pathname, int mode)
probe syscall.mkdirat = kernel.function("sys_mkdirat") ? {
name = "mkdirat"
dirfd = $dfd
pathname = user_string($pathname)
mode = $mode
argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
}
probe syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? {
name = "mkdirat"
retstr = returnstr(1)
}
# mknod
# long sys_mknod(const char __user * filename, int mode, unsigned dev)
probe syscall.mknod = kernel.function("sys_mknod") {
name = "mknod"
pathname = user_string($filename)
mode = $mode
dev = $dev
argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
}
probe syscall.mknod.return = kernel.function("sys_mknod").return {
name = "mknod"
retstr = returnstr(1)
}
# mlock ______________________________________________________
#
# asmlinkage long
# sys_mlock(unsigned long start,
# size_t len)
#
probe syscall.mlock = kernel.function("sys_mlock") {
name = "mlock"
addr = $start
len = $len
argstr = sprintf("0x%p, %d", addr, len)
}
probe syscall.mlock.return = kernel.function("sys_mlock").return {
name = "mlock"
retstr = returnstr(1)
}
# mlockall ___________________________________________________
#
# asmlinkage long
# sys_mlockall(int flags)
#
probe syscall.mlockall = kernel.function("sys_mlockall") {
name = "mlockall"
flags = $flags
flags_str = _mlockall_flags_str($flags)
argstr = flags_str
}
probe syscall.mlockall.return = kernel.function("sys_mlockall").return {
name = "mlockall"
retstr = returnstr(1)
}
# mmap
# long sys_mmap(unsigned long addr, unsigned long len,
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long off)
probe syscall.mmap = kernel.function("sys_mmap") ? {
name = "mmap"
start = $addr
len = $len
prot = $prot
flags = $flags
fd = $fd
%(arch != "ppc64" %?
offset = $off
%:
offset = $offset
%)
argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
_mprotect_prot_str($prot), _mmap_flags($flags), $fd, offset)
}
probe syscall.mmap.return = kernel.function("sys_mmap").return ? {
name = "mmap"
retstr = returnstr(2)
}
# mmap2
# long sys_mmap2(unsigned long addr, unsigned long len,
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long pgoff)
# long sys32_mmap2(unsigned long addr, unsigned long len,
# unsigned long prot, unsigned long flags,
# unsigned long fd, unsigned long pgoff)
#
probe syscall.mmap2 =
kernel.function("sys_mmap2") ?,
kernel.function("sys32_mmap2") ?
{
name = "mmap2"
start = $addr
length = $len
prot = $prot
flags = $flags
fd = $fd
pgoffset = $pgoff
argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr,
$len, _mprotect_prot_str($prot), _mmap_flags($flags),
$fd, $pgoff)
}
probe syscall.mmap2.return =
kernel.function("sys_mmap2").return ?,
kernel.function("sys32_mmap2").return ?
{
name = "mmap2"
retstr = returnstr(2)
}
# modify_ldt _________________________________________________
# int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
#
probe syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
name = "modify_ldt"
func = $func
ptr_uaddr = $ptr
bytecount = $bytecount
argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
}
probe syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
name = "modify_ldt"
retstr = returnstr(1)
}
# mount ______________________________________________________
# long sys_mount(char __user * dev_name,
# char __user * dir_name,
# char __user * type,
# unsigned long flags,
# void __user * data)
# long compat_sys_mount(char __user * dev_name,
# char __user * dir_name,
# char __user * type,
# unsigned long flags,
# void __user * data)
probe syscall.mount =
kernel.function("sys_mount"),
kernel.function("compat_sys_mount") ?
{
name = "mount"
source = user_string($dev_name)
target = user_string($dir_name)
filesystemtype = user_string($type)
mountflags = $flags
mountflags_str = _mountflags_str($flags)
data = text_strn(user_string($data),30,1)
argstr = sprintf("%s, %s, %s, %s, %s",
user_string_quoted($dev_name),
user_string_quoted($dir_name),
user_string_quoted($type),
mountflags_str, data)
}
probe syscall.mount.return =
kernel.function("sys_mount").return,
kernel.function("compat_sys_mount").return ?
{
name = "mount"
retstr = returnstr(1)
}
# mprotect ___________________________________________________
# long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
#
probe syscall.mprotect = kernel.function("sys_mprotect") {
name = "mprotect"
addr = $start
len = $len
prot = $prot
prot_str = _mprotect_prot_str($prot)
argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
}
probe syscall.mprotect.return = kernel.function("sys_mprotect").return {
name = "mprotect"
retstr = returnstr(1)
}
# mq_getsetattr ______________________________________________
# long sys_mq_getsetattr(mqd_t mqdes,
# const struct mq_attr __user *u_mqstat,
# struct mq_attr __user *u_omqstat)
#
probe syscall.mq_getsetattr = kernel.function("sys_mq_getsetattr") {
name = "mq_getsetattr"
mqdes = $mqdes
u_mqstat_uaddr = $u_mqstat
u_omqstat_uaddr = $u_omqstat
argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
}
probe syscall.mq_getsetattr.return = kernel.function("sys_mq_getsetattr").return {
name = "mq_getsetattr"
retstr = returnstr(1)
}
# mq_notify __________________________________________________
# long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
#
probe syscall.mq_notify = kernel.function("sys_mq_notify") {
name = "mq_notify"
mqdes = $mqdes
notification_uaddr = $u_notification
argstr = sprintf("%d, %p", $mqdes, $u_notification)
}
probe syscall.mq_notify.return = kernel.function("sys_mq_notify").return {
name = "mq_notify"
retstr = returnstr(1)
}
# mq_open ____________________________________________________
# long sys_mq_open(const char __user *u_name,
# int oflag,
# mode_t mode,
# struct mq_attr __user *u_attr)
#
probe syscall.mq_open = kernel.function("sys_mq_open") {
name = "mq_open"
name_uaddr = $u_name
filename = user_string($u_name)
mode = $mode
u_attr_uaddr = $u_attr
oflag = $oflag
if (oflag & 64)
argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name),
_sys_open_flag_str(oflag), $mode, $u_attr)
else
argstr = sprintf("%s, %s", user_string_quoted($u_name), _sys_open_flag_str(oflag))
}
probe syscall.mq_open.return = kernel.function("sys_mq_open").return {
name = "mq_open"
retstr = returnstr(1)
}
# mq_timedreceive ____________________________________________
# ssize_t sys_mq_timedreceive(mqd_t mqdes,
# char __user *u_msg_ptr,
# size_t msg_len,
# unsigned int __user *u_msg_prio,
# const struct timespec __user *u_abs_timeout)
#
probe syscall.mq_timedreceive = kernel.function("sys_mq_timedreceive") {
name = "mq_timedreceive"
mqdes = $mqdes
msg_ptr_uaddr = $u_msg_ptr
msg_len = $msg_len
msg_prio_uaddr = $u_msg_prio
abs_timout_uaddr = $u_abs_timeout
argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
$u_msg_prio, $u_abs_timeout)
}
probe syscall.mq_timedreceive.return = kernel.function("sys_mq_timedreceive").return {
name = "mq_timedreceive"
retstr = returnstr(1)
}
# mq_timedsend _______________________________________________
# long sys_mq_timedsend(mqd_t mqdes,
# const char __user *u_msg_ptr,
# size_t msg_len,
# unsigned int msg_prio,
# const struct timespec __user *u_abs_timeout)
#
probe syscall.mq_timedsend = kernel.function("sys_mq_timedsend") {
name = "mq_timedsend"
mqdes = $mqdes
msg_ptr_uaddr = $u_msg_ptr
msg_len = $msg_len
msg_prio = $msg_prio
abs_timeout_uaddr = $u_abs_timeout
argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
$msg_prio, $u_abs_timeout)
}
probe syscall.mq_timedsend.return = kernel.function("sys_mq_timedsend").return {
name = "mq_timedsend"
retstr = returnstr(1)
}
# mq_unlink __________________________________________________
# long sys_mq_unlink(const char __user *u_name)
#
probe syscall.mq_unlink = kernel.function("sys_mq_unlink") {
name = "mq_unlink"
u_name_uaddr = $u_name
u_name = user_string($u_name)
argstr = user_string_quoted($u_name)
}
probe syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return {
name = "mq_unlink"
retstr = returnstr(1)
}
# mremap _____________________________________________________
# unsigned long sys_mremap(unsigned long addr,
# unsigned long old_len,
# unsigned long new_len,
# unsigned long flags,
# unsigned long new_addr)
#
probe syscall.mremap = kernel.function("sys_mremap") {
name = "mremap"
old_address = $addr
old_size = $old_len
new_size = $new_len
flags = $flags
new_address = $new_addr
argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
_mmap_flags($flags), $new_addr)
}
probe syscall.mremap.return = kernel.function("sys_mremap").return {
name = "mremap"
retstr = returnstr(2)
}
# msgctl _____________________________________________________
# long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
#
probe syscall.msgctl = kernel.function("sys_msgctl") {
name = "msgctl"
msqid = $msqid
cmd = $cmd
buf_uaddr = $buf
argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
}
probe syscall.msgctl.return = kernel.function("sys_msgctl").return {
name = "msgctl"
retstr = returnstr(1)
}
# msgget _____________________________________________________
# long sys_msgget (key_t key, int msgflg)
#
probe syscall.msgget = kernel.function("sys_msgget") {
name = "msgget"
key = $key
msgflg = $msgflg
msgflg_str = _sys_open_flag_str($msgflg)
argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
}
probe syscall.msgget.return = kernel.function("sys_msgget").return {
name = "msgget"
retstr = returnstr(1)
}
# msgrcv _____________________________________________________
# long sys_msgrcv (int msqid,
# struct msgbuf __user *msgp,
# size_t msgsz,
# long msgtyp,
# int msgflg)
#
probe syscall.msgrcv = kernel.function("sys_msgrcv") {
name = "msgrcv"
msqid = $msqid
msgp_uaddr = $msgp
msgsz = $msgsz
msgtyp = $msgtyp
msgflg = $msgflg
argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
}
probe syscall.msgrcv.return = kernel.function("sys_msgrcv").return {
name = "msgrcv"
retstr = returnstr(1)
}
# msgsnd _____________________________________________________
# long sys_msgsnd (int msqid,
# struct msgbuf __user *msgp,
# size_t msgsz,
# int msgflg)
#
probe syscall.msgsnd = kernel.function("sys_msgsnd") {
name = "msgsnd"
msqid = $msqid
msgp_uaddr = $msgp
msgsz = $msgsz
msgflg = $msgflg
argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
}
probe syscall.msgsnd.return = kernel.function("sys_msgsnd").return {
name = "msgsnd"
retstr = returnstr(1)}
# msync ______________________________________________________
# long sys_msync(unsigned long start, size_t len, int flags)
probe syscall.msync = kernel.function("sys_msync") {
name = "msync"
start = $start
length = $len
flags = $flags
argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
}
probe syscall.msync.return = kernel.function("sys_msync").return {
name = "msync.return"
retstr = returnstr(1)
}
# munlock ____________________________________________________
# long sys_munlock(unsigned long start, size_t len)
probe syscall.munlock = kernel.function("sys_munlock") {
name = "munlock"
addr = $start
len = $len
argstr = sprintf("%p, %d", addr, len)
}
probe syscall.munlock.return = kernel.function("sys_munlock").return {
name = "munlock"
retstr = returnstr(1)
}
# munlockall _________________________________________________
# long sys_munlockall(void)
probe syscall.munlockall = kernel.function("sys_munlockall") {
name = "munlockall"
}
probe syscall.munlockall.return = kernel.function("sys_munlockall").return {
name = "munlockall"
retstr = returnstr(1)
}
# munmap _____________________________________________________
# long sys_munmap(unsigned long addr, size_t len)
probe syscall.munmap = kernel.function("sys_munmap") {
name = "munmap"
start = $addr
length = $len
argstr = sprintf("%p, %d", start, length)
}
probe syscall.munmap.return = kernel.function("sys_munmap").return {
name = "munmap"
retstr = returnstr(1)
}