#ifndef __NR_connect
#define __NR_connect (__NR_syscall_max + 1)
#endif
+#ifndef __NR_epoll_wait
+#define __NR_epoll_wait (__NR_syscall_max + 1)
+#endif
+#ifndef __NR_execveat
+#define __NR_execveat (__NR_syscall_max + 1)
+#endif
#ifndef __NR_fadvise64_64
#define __NR_fadvise64_64 (__NR_syscall_max + 1)
#endif
#ifndef __NR_getsockname
#define __NR_getsockname (__NR_syscall_max + 1)
#endif
+#ifndef __NR_getsockopt
+#define __NR_getsockopt (__NR_syscall_max + 1)
+#endif
#ifndef __NR_ipc
#define __NR_ipc (__NR_syscall_max + 1)
#endif
#ifndef __NR_recvmsg
#define __NR_recvmsg (__NR_syscall_max + 1)
#endif
+#ifndef __NR_renameat2
+#define __NR_renameat2 (__NR_syscall_max + 1)
+#endif
+#ifndef __NR_semtimedop
+#define __NR_semtimedop (__NR_syscall_max + 1)
+#endif
#ifndef __NR_send
#define __NR_send (__NR_syscall_max + 1)
#endif
#ifndef __NR_sendto
#define __NR_sendto (__NR_syscall_max + 1)
#endif
-#ifndef __NR_getsockopt
-#define __NR_getsockopt (__NR_syscall_max + 1)
-#endif
-#ifndef __NR_renameat2
-#define __NR_renameat2 (__NR_syscall_max + 1)
-#endif
-#ifndef __NR_semtimedop
-#define __NR_semtimedop (__NR_syscall_max + 1)
-#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt (__NR_syscall_max + 1)
#endif
+#ifndef __NR_shmctl
+#define __NR_shmctl (__NR_syscall_max + 1)
+#endif
#ifndef __NR_shutdown
#define __NR_shutdown (__NR_syscall_max + 1)
#endif
#ifndef __NR_sigprocmask
#define __NR_sigprocmask (__NR_syscall_max + 1)
#endif
-#ifndef __NR_epoll_wait
-#define __NR_epoll_wait (__NR_syscall_max + 1)
-#endif
-#ifndef __NR_shmctl
-#define __NR_shmctl (__NR_syscall_max + 1)
-#endif
#ifndef __NR_socket
#define __NR_socket (__NR_syscall_max + 1)
#endif
+#ifndef __NR_socketcall
+#define __NR_socketcall (__NR_syscall_max + 1)
+#endif
#ifndef __NR_socketpair
#define __NR_socketpair (__NR_syscall_max + 1)
#endif
+#ifndef __NR_stime
+#define __NR_stime (__NR_syscall_max + 1)
+#endif
#ifndef __NR_truncate
#define __NR_truncate (__NR_syscall_max + 1)
#endif
-#ifndef __NR_socketcall
-#define __NR_socketcall (__NR_syscall_max + 1)
-#endif
#if defined(__x86_64__)
#ifndef __NR_ia32_chroot
#define __NR_ia32_chroot 61
#endif
+#ifndef __NR_ia32_clock_adjtime
+#define __NR_ia32_clock_adjtime 343
+#endif
+#ifndef __NR_ia32_clock_gettime
+#define __NR_ia32_clock_gettime 265
+#endif
+#ifndef __NR_ia32_clock_getres
+#define __NR_ia32_clock_getres 266
+#endif
+#ifndef __NR_ia32_clock_nanosleep
+#define __NR_ia32_clock_nanosleep 267
+#endif
+#ifndef __NR_ia32_clock_settime
+#define __NR_ia32_clock_settime 264
+#endif
#ifndef __NR_ia32_clone
#define __NR_ia32_clone 120
#endif
#ifndef __NR_ia32_epoll_wait
#define __NR_ia32_epoll_wait 256
#endif
+#ifndef __NR_ia32_eventfd
+#define __NR_ia32_eventfd 323
+#endif
#ifndef __NR_ia32_eventfd2
#define __NR_ia32_eventfd2 328
#endif
+#ifndef __NR_ia32_execve
+#define __NR_ia32_execve 11
+#endif
+#ifndef __NR_ia32_execveat
+#define __NR_ia32_execveat 358
+#endif
#ifndef __NR_ia32_exit
#define __NR_ia32_exit 1
#endif
#ifndef __NR_ia32_faccessat
#define __NR_ia32_faccessat 307
#endif
+#ifndef __NR_ia32_fanotify_init
+#define __NR_ia32_fanotify_init 338
+#endif
+#ifndef __NR_ia32_fanotify_mark
+#define __NR_ia32_fanotify_mark 339
+#endif
#ifndef __NR_ia32_fchdir
#define __NR_ia32_fchdir 133
#endif
#ifndef __NR_ia32_getsid
#define __NR_ia32_getsid 147
#endif
+#ifndef __NR_ia32_gettimeofday
+#define __NR_ia32_gettimeofday 78
+#endif
#ifndef __NR_ia32_inotify_init1
#define __NR_ia32_inotify_init1 332
#endif
#ifndef __NR_ia32_sendmmsg
#define __NR_ia32_sendmmsg 345
#endif
+#ifndef __NR_ia32_setdomainname
+#define __NR_ia32_setdomainname 121
+#endif
#ifndef __NR_ia32_setfsgid32
#define __NR_ia32_setfsgid32 216
#endif
#ifndef __NR_ia32_setreuid32
#define __NR_ia32_setreuid32 203
#endif
+#ifndef __NR_ia32_settimeofday
+#define __NR_ia32_settimeofday 79
+#endif
#ifndef __NR_ia32_setuid32
#define __NR_ia32_setuid32 213
#endif
#ifndef __NR_ia32_socketcall
#define __NR_ia32_socketcall 102
#endif
+#ifndef __NR_ia32_stime
+#define __NR_ia32_stime 25
+#endif
#ifndef __NR_ia32_symlink
#define __NR_ia32_symlink 83
#endif
#ifndef __NR_ia32_symlinkat
#define __NR_ia32_symlinkat 304
#endif
+#ifndef __NR_ia32_time
+#define __NR_ia32_time 13
+#endif
#ifndef __NR_ia32_truncate
#define __NR_ia32_truncate 92
#endif
#define __NR_compat_capset __NR_ia32_capset
#define __NR_compat_chdir __NR_ia32_chdir
#define __NR_compat_chroot __NR_ia32_chroot
+#define __NR_compat_clock_adjtime __NR_ia32_clock_adjtime
+#define __NR_compat_clock_gettime __NR_ia32_clock_gettime
+#define __NR_compat_clock_getres __NR_ia32_clock_getres
+#define __NR_compat_clock_nanosleep __NR_ia32_clock_nanosleep
+#define __NR_compat_clock_settime __NR_ia32_clock_settime
#define __NR_compat_clone __NR_ia32_clone
#define __NR_compat_close __NR_ia32_close
#define __NR_compat_creat __NR_ia32_creat
#define __NR_compat_dup2 __NR_ia32_dup2
#define __NR_compat_dup3 __NR_ia32_dup3
#define __NR_compat_epoll_wait __NR_ia32_epoll_wait
+#define __NR_compat_eventfd __NR_ia32_eventfd
#define __NR_compat_eventfd2 __NR_ia32_eventfd2
+#define __NR_compat_execve __NR_ia32_execve
+#define __NR_compat_execveat __NR_ia32_execveat
#define __NR_compat_exit __NR_ia32_exit
#define __NR_compat_exit_group __NR_ia32_exit_group
#define __NR_compat_faccessat __NR_ia32_faccessat
+#define __NR_compat_fanotify_init __NR_ia32_fanotify_init
+#define __NR_compat_fanotify_mark __NR_ia32_fanotify_mark
#define __NR_compat_fchdir __NR_ia32_fchdir
#define __NR_compat_fchmodat __NR_ia32_fchmodat
#define __NR_compat_fchownat __NR_ia32_fchownat
#define __NR_compat_getpgid __NR_ia32_getpgid
#define __NR_compat_getrandom __NR_ia32_getrandom
#define __NR_compat_getsid __NR_ia32_getsid
+#define __NR_compat_gettimeofday __NR_ia32_gettimeofday
#define __NR_compat_inotify_init1 __NR_ia32_inotify_init1
#define __NR_compat_io_cancel __NR_ia32_io_cancel
#define __NR_compat_io_destroy __NR_ia32_io_destroy
#define __NR_compat_rmdir __NR_ia32_rmdir
#define __NR_compat_rt_sigprocmask __NR_ia32_rt_sigprocmask
#define __NR_compat_sendmmsg __NR_ia32_sendmmsg
+#define __NR_compat_setdomainname __NR_ia32_setdomainname
+#define __NR_compat_settimeofday __NR_ia32_settimeofday
#define __NR_compat_shmctl __NR_ia32_shmctl
#define __NR_compat_socketcall __NR_ia32_socketcall
+#define __NR_compat_stime __NR_ia32_stime
#define __NR_compat_symlink __NR_ia32_symlink
#define __NR_compat_symlinkat __NR_ia32_symlinkat
+#define __NR_compat_time __NR_ia32_time
#define __NR_compat_truncate __NR_ia32_truncate
#define __NR_compat_umount2 __NR_ia32_umount2
#define __NR_compat_wait4 __NR_ia32_wait4
#define __NR_compat_capset __NR_capset
#define __NR_compat_chdir __NR_chdir
#define __NR_compat_chroot __NR_chroot
+#define __NR_compat_clock_adjtime __NR_clock_adjtime
+#define __NR_compat_clock_gettime __NR_clock_gettime
+#define __NR_compat_clock_getres __NR_clock_getres
+#define __NR_compat_clock_nanosleep __NR_clock_nanosleep
+#define __NR_compat_clock_settime __NR_clock_settime
#define __NR_compat_clone __NR_clone
#define __NR_compat_close __NR_close
#define __NR_compat_creat __NR_creat
#define __NR_compat_dup2 __NR_dup2
#define __NR_compat_dup3 __NR_dup3
#define __NR_compat_epoll_wait __NR_epoll_wait
+#define __NR_compat_eventfd __NR_eventfd
#define __NR_compat_eventfd2 __NR_eventfd2
+#define __NR_compat_execve __NR_execve
+#define __NR_compat_execveat __NR_execveat
#define __NR_compat_exit __NR_exit
#define __NR_compat_exit_group __NR_exit_group
#define __NR_compat_faccessat __NR_faccessat
+#define __NR_compat_fanotify_init __NR_fanotify_init
+#define __NR_compat_fanotify_mark __NR_fanotify_mark
#define __NR_compat_fchdir __NR_fchdir
#define __NR_compat_fchmodat __NR_fchmodat
#define __NR_compat_fchownat __NR_fchownat
#define __NR_compat_getpgid __NR_getpgid
#define __NR_compat_getrandom __NR_getrandom
#define __NR_compat_getsid __NR_getsid
+#define __NR_compat_gettimeofday __NR_gettimeofday
#define __NR_compat_inotify_init1 __NR_inotify_init1
#define __NR_compat_io_cancel __NR_io_cancel
#define __NR_compat_io_destroy __NR_io_destroy
#define __NR_compat_rmdir __NR_rmdir
#define __NR_compat_rt_sigprocmask __NR_rt_sigprocmask
#define __NR_compat_sendmmsg __NR_sendmmsg
+#define __NR_compat_setdomainname __NR_setdomainname
+#define __NR_compat_settimeofday __NR_settimeofday
#define __NR_compat_shmctl __NR_shmctl
#define __NR_compat_socketcall __NR_socketcall
+#define __NR_compat_stime __NR_stime
#define __NR_compat_symlink __NR_symlink
#define __NR_compat_symlinkat __NR_symlinkat
+#define __NR_compat_time __NR_time
#define __NR_compat_truncate __NR_truncate
#define __NR_compat_umount2 __NR_umount2
#define __NR_compat_wait4 __NR_wait4
argstr = sprintf("%s, %s", clk_id_str, tx_uaddr_str)
%)
+@define _SYSCALL_CLOCK_ADJTIME_REGARGS
+%(
+ clk_id = int_arg(1)
+ clk_id_str = _get_wc_str(clk_id)
+ tx_uaddr = pointer_arg(2)
+%)
+
probe syscall.clock_adjtime = dw_syscall.clock_adjtime !, nd_syscall.clock_adjtime ? {}
probe syscall.clock_adjtime.return = dw_syscall.clock_adjtime.return !, nd_syscall.clock_adjtime.return ? {}
# nd_clock_adjtime _____________________________________________________
-probe nd_syscall.clock_adjtime = __nd_syscall.clock_adjtime ?,
- __nd_syscall.compat_clock_adjtime ?
+probe nd_syscall.clock_adjtime = nd1_syscall.clock_adjtime!, nd2_syscall.clock_adjtime!, tp_syscall.clock_adjtime
+ { }
+
+probe nd1_syscall.clock_adjtime = __nd1_syscall.clock_adjtime ?,
+ __nd1_syscall.compat_clock_adjtime ?
{
@_SYSCALL_CLOCK_ADJTIME_NAME
}
-probe __nd_syscall.clock_adjtime = kprobe.function("sys_clock_adjtime").call
+probe __nd1_syscall.clock_adjtime = kprobe.function("sys_clock_adjtime").call
{
@__syscall_gate_compat_simple
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- tx_uaddr = pointer_arg(2)
+ @_SYSCALL_CLOCK_ADJTIME_REGARGS
tx_uaddr_str = _struct_timex_u(tx_uaddr)
@_SYSCALL_CLOCK_ADJTIME_ARGSTR
}
-probe __nd_syscall.compat_clock_adjtime =
+probe __nd1_syscall.compat_clock_adjtime =
kprobe.function("compat_sys_clock_adjtime").call ?
{
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- tx_uaddr = pointer_arg(2)
+ @_SYSCALL_CLOCK_ADJTIME_REGARGS
+ tx_uaddr_str = _struct_compat_timex_u(tx_uaddr)
+ @_SYSCALL_CLOCK_ADJTIME_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd1_syscall.clock_adjtime = __nd2_syscall.clock_adjtime ?,
+ __nd2_syscall.compat_clock_adjtime ?
+{
+ @_SYSCALL_CLOCK_ADJTIME_NAME
+}
+probe __nd2_syscall.clock_adjtime = kprobe.function(@arch_syscall_prefix "sys_clock_adjtime").call
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_ADJTIME_REGARGS
+ tx_uaddr_str = _struct_timex_u(tx_uaddr)
+ @_SYSCALL_CLOCK_ADJTIME_ARGSTR
+}
+probe __nd2_syscall.compat_clock_adjtime =
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_adjtime").call ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_ADJTIME_REGARGS
tx_uaddr_str = _struct_compat_timex_u(tx_uaddr)
@_SYSCALL_CLOCK_ADJTIME_ARGSTR
}
-probe nd_syscall.clock_adjtime.return = __nd_syscall.clock_adjtime.return ?,
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_adjtime = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_adjtime"), @const("__NR_compat_clock_adjtime"))
+ @_SYSCALL_CLOCK_ADJTIME_NAME
+ @_SYSCALL_CLOCK_ADJTIME_REGARGS
+ if (@__compat_task)
+ tx_uaddr_str = _struct_compat_timex_u(tx_uaddr)
+ else
+ tx_uaddr_str = _struct_timex_u(tx_uaddr)
+ @_SYSCALL_CLOCK_ADJTIME_ARGSTR
+}
+
+probe nd_syscall.clock_adjtime.return = nd1_syscall.clock_adjtime.return!, nd2_syscall.clock_adjtime.return!, tp_syscall.clock_adjtime.return
+ { }
+
+probe nd1_syscall.clock_adjtime.return = __nd1_syscall.clock_adjtime.return ?,
kprobe.function("compat_sys_clock_adjtime").return ?
{
@_SYSCALL_CLOCK_ADJTIME_NAME
retstr = returnstr(1)
}
-probe __nd_syscall.clock_adjtime.return =
+probe __nd1_syscall.clock_adjtime.return =
kprobe.function("sys_clock_adjtime").return
{
@__syscall_gate_compat_simple
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_adjtime.return = kprobe.function(@arch_syscall_prefix "sys_clock_adjtime").return ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_adjtime").return ?
+{
+ @_SYSCALL_CLOCK_ADJTIME_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_adjtime.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_adjtime"), @const("__NR_compat_clock_adjtime"))
+ @_SYSCALL_CLOCK_ADJTIME_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%s, %p", clk_id_str, res_uaddr)
%)
+@define _SYSCALL_CLOCK_GETRES_REGARGS
+%(
+ clk_id = int_arg(1)
+ clk_id_str = _get_wc_str(clk_id)
+ res_uaddr = pointer_arg(2)
+%)
+
probe syscall.clock_getres = dw_syscall.clock_getres !, nd_syscall.clock_getres ? {}
probe syscall.clock_getres.return = dw_syscall.clock_getres.return !, nd_syscall.clock_getres.return ? {}
# nd_clock_getres _____________________________________________________
-probe nd_syscall.clock_getres = kprobe.function("compat_clock_getres") ?,
+probe nd_syscall.clock_getres = nd1_syscall.clock_getres!, nd2_syscall.clock_getres!, tp_syscall.clock_getres
+ { }
+
+probe nd1_syscall.clock_getres = kprobe.function("compat_clock_getres") ?,
kprobe.function("compat_sys_clock_getres") ?,
- __nd_syscall.clock_getres ?
+ __nd1_syscall.clock_getres ?
{
asmlinkage()
@_SYSCALL_CLOCK_GETRES_NAME
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- res_uaddr = pointer_arg(2)
+ @_SYSCALL_CLOCK_GETRES_REGARGS
@_SYSCALL_CLOCK_GETRES_ARGSTR
}
-probe __nd_syscall.clock_getres = kprobe.function("sys_clock_getres")
+probe __nd1_syscall.clock_getres = kprobe.function("sys_clock_getres")
{
@__syscall_gate(@const("__NR_clock_getres"))
}
-probe nd_syscall.clock_getres.return =
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_getres = kprobe.function(@arch_syscall_prefix "compat_sys_clock_getres") ?,
+ kprobe.function(@arch_syscall_prefix "sys_clock_getres") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_GETRES_NAME
+ @_SYSCALL_CLOCK_GETRES_REGARGS
+ @_SYSCALL_CLOCK_GETRES_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_getres = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_getres"), @const("__NR_compat_clock_getres"))
+ @_SYSCALL_CLOCK_GETRES_NAME
+ @_SYSCALL_CLOCK_GETRES_REGARGS
+ @_SYSCALL_CLOCK_GETRES_ARGSTR
+}
+
+probe nd_syscall.clock_getres.return = nd1_syscall.clock_getres.return!, nd2_syscall.clock_getres.return!, tp_syscall.clock_getres.return
+ { }
+
+probe nd1_syscall.clock_getres.return =
kprobe.function("compat_clock_getres").return ?,
kprobe.function("compat_sys_clock_getres").return ?,
- __nd_syscall.clock_getres.return ?
+ __nd1_syscall.clock_getres.return ?
{
@_SYSCALL_CLOCK_GETRES_NAME
retstr = returnstr(1)
}
-probe __nd_syscall.clock_getres.return =
+probe __nd1_syscall.clock_getres.return =
kprobe.function("sys_clock_getres").return
{
@__syscall_gate(@const("__NR_clock_getres"))
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_getres.return =
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_getres").return ?,
+ kprobe.function(@arch_syscall_prefix "sys_clock_getres").return ?
+{
+ @_SYSCALL_CLOCK_GETRES_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_getres.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_getres"), @const("__NR_compat_clock_getres"))
+ @_SYSCALL_CLOCK_GETRES_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%s, %p", clk_id_str, tp_uaddr)
%)
+@define _SYSCALL_CLOCK_GETTIME_REGARGS
+%(
+ clk_id = int_arg(1)
+ clk_id_str = _get_wc_str(clk_id)
+ tp_uaddr = pointer_arg(2)
+%)
+
probe syscall.clock_gettime = dw_syscall.clock_gettime !, nd_syscall.clock_gettime ? {}
probe syscall.clock_gettime.return = dw_syscall.clock_gettime.return !, nd_syscall.clock_gettime.return ? {}
# nd_clock_gettime _____________________________________________________
-probe nd_syscall.clock_gettime = __nd_syscall.clock_gettime,
+probe nd_syscall.clock_gettime = nd1_syscall.clock_gettime!, nd2_syscall.clock_gettime!, tp_syscall.clock_gettime
+ { }
+
+probe nd1_syscall.clock_gettime = __nd1_syscall.clock_gettime,
kprobe.function("compat_sys_clock_gettime") ?
{
@_SYSCALL_CLOCK_GETTIME_NAME
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- tp_uaddr = pointer_arg(2)
+ @_SYSCALL_CLOCK_GETTIME_REGARGS
@_SYSCALL_CLOCK_GETTIME_ARGSTR
}
-probe __nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime").call
+probe __nd1_syscall.clock_gettime = kprobe.function("sys_clock_gettime").call
{
@__syscall_gate(@const("__NR_clock_gettime"))
}
-probe nd_syscall.clock_gettime.return = __nd_syscall.clock_gettime.return,
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_gettime = kprobe.function(@arch_syscall_prefix "sys_clock_gettime") ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_gettime") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_GETTIME_NAME
+ @_SYSCALL_CLOCK_GETTIME_REGARGS
+ @_SYSCALL_CLOCK_GETTIME_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_gettime = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_gettime"), @const("__NR_compat_clock_gettime"))
+ @_SYSCALL_CLOCK_GETTIME_NAME
+ @_SYSCALL_CLOCK_GETTIME_REGARGS
+ @_SYSCALL_CLOCK_GETTIME_ARGSTR
+}
+
+probe nd_syscall.clock_gettime.return = nd1_syscall.clock_gettime.return!, nd2_syscall.clock_gettime.return!, tp_syscall.clock_gettime.return
+ { }
+
+probe nd1_syscall.clock_gettime.return = __nd1_syscall.clock_gettime.return,
kprobe.function("compat_sys_clock_gettime").return ?
{
@_SYSCALL_CLOCK_GETTIME_NAME
retstr = returnstr(1)
}
-probe __nd_syscall.clock_gettime.return =
+probe __nd1_syscall.clock_gettime.return =
kprobe.function("sys_clock_gettime").return
{
@__syscall_gate(@const("__NR_clock_gettime"))
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_gettime.return = kprobe.function(@arch_syscall_prefix "sys_clock_gettime").return ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_gettime").return ?
+{
+ @_SYSCALL_CLOCK_GETTIME_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_gettime.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_gettime"), @const("__NR_compat_clock_gettime"))
+ @_SYSCALL_CLOCK_GETTIME_NAME
+ retstr = return_str(1,$ret)
+}
req_str, rem_uaddr)
%)
+@define _SYSCALL_CLOCK_NANOSLEEP_REGARGS
+%(
+ clk_id = int_arg(1)
+ clk_id_str = _get_wc_str(clk_id)
+ flags = int_arg(2)
+%(systemtap_v <= "2.6" %?
+ flag_str = _stp_clock_nanosleep_flags_str(flags)
+%)
+ flags_str = _stp_clock_nanosleep_flags_str(flags)
+ req_uaddr = pointer_arg(3)
+ rem_uaddr = pointer_arg(4)
+%)
+
probe syscall.clock_nanosleep = dw_syscall.clock_nanosleep !, nd_syscall.clock_nanosleep {}
probe syscall.clock_nanosleep.return = dw_syscall.clock_nanosleep.return !, nd_syscall.clock_nanosleep.return {}
# nd_clock_nanosleep _____________________________________________________
-probe nd_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep").call
+probe nd_syscall.clock_nanosleep = nd1_syscall.clock_nanosleep!, nd2_syscall.clock_nanosleep!, tp_syscall.clock_nanosleep
+ { }
+
+probe nd1_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep").call
{
@__syscall_gate(@const("__NR_clock_nanosleep"))
@_SYSCALL_CLOCK_NANOSLEEP_NAME
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- flags = int_arg(2)
-%(systemtap_v <= "2.6" %?
- flag_str = _stp_clock_nanosleep_flags_str(flags)
-%)
- flags_str = _stp_clock_nanosleep_flags_str(flags)
- req_uaddr = pointer_arg(3)
+ @_SYSCALL_CLOCK_NANOSLEEP_REGARGS
+ req_str = _struct_timespec_u(req_uaddr, 1)
+ @_SYSCALL_CLOCK_NANOSLEEP_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_nanosleep = kprobe.function(@arch_syscall_prefix "sys_clock_nanosleep").call
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ @_SYSCALL_CLOCK_NANOSLEEP_REGARGS
req_str = _struct_timespec_u(req_uaddr, 1)
- rem_uaddr = pointer_arg(4)
@_SYSCALL_CLOCK_NANOSLEEP_ARGSTR
}
-probe nd_syscall.clock_nanosleep.return =
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_nanosleep = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_clock_nanosleep"))
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ @_SYSCALL_CLOCK_NANOSLEEP_REGARGS
+ req_str = _struct_timespec_u(req_uaddr, 1)
+ @_SYSCALL_CLOCK_NANOSLEEP_ARGSTR
+}
+
+probe nd_syscall.clock_nanosleep.return = nd1_syscall.clock_nanosleep.return!, nd2_syscall.clock_nanosleep.return!, tp_syscall.clock_nanosleep.return
+ { }
+
+probe nd1_syscall.clock_nanosleep.return =
kprobe.function("sys_clock_nanosleep").return ?
{
@__syscall_gate(@const("__NR_clock_nanosleep"))
retstr = returnstr(1)
}
+/* kernel 4.17+ */
+probe nd2_syscall.clock_nanosleep.return =
+ kprobe.function(@arch_syscall_prefix "sys_clock_nanosleep").return ?
+{
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_nanosleep.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_clock_nanosleep"))
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ retstr = return_str(1,$ret)
+}
+
# compat_clock_nanosleep ________________________________________
#
# long compat_clock_nanosleep(clockid_t which_clock, int flags,
# nd_compat_clock_nanosleep _____________________________________________________
-probe nd_syscall.compat_clock_nanosleep =
+probe nd_syscall.compat_clock_nanosleep = nd1_syscall.compat_clock_nanosleep!, nd2_syscall.compat_clock_nanosleep!, tp_syscall.compat_clock_nanosleep
+ { }
+
+probe nd1_syscall.compat_clock_nanosleep =
kprobe.function("compat_clock_nanosleep").call ?,
kprobe.function("compat_sys_clock_nanosleep").call ?
{
@_SYSCALL_CLOCK_NANOSLEEP_NAME
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- flags = int_arg(2)
-%(systemtap_v <= "2.6" %?
- flag_str = _stp_clock_nanosleep_flags_str(flags)
-%)
- flags_str = _stp_clock_nanosleep_flags_str(flags)
- req_uaddr = pointer_arg(3)
+ @_SYSCALL_CLOCK_NANOSLEEP_REGARGS
+ req_str = _struct_compat_timespec_u(req_uaddr, 1)
+ @_SYSCALL_CLOCK_NANOSLEEP_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.compat_clock_nanosleep =
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_nanosleep") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ @_SYSCALL_CLOCK_NANOSLEEP_REGARGS
req_str = _struct_compat_timespec_u(req_uaddr, 1)
- rem_uaddr = pointer_arg(4)
@_SYSCALL_CLOCK_NANOSLEEP_ARGSTR
}
-probe nd_syscall.compat_clock_nanosleep.return =
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.compat_clock_nanosleep = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_clock_nanosleep"))
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ @_SYSCALL_CLOCK_NANOSLEEP_REGARGS
+ req_str = _struct_compat_timespec_u(req_uaddr, 1)
+ @_SYSCALL_CLOCK_NANOSLEEP_ARGSTR
+}
+
+probe nd_syscall.compat_clock_nanosleep.return = nd1_syscall.compat_clock_nanosleep.return!, nd2_syscall.compat_clock_nanosleep.return!, tp_syscall.compat_clock_nanosleep.return
+ { }
+
+probe nd1_syscall.compat_clock_nanosleep.return =
kprobe.function("compat_clock_nanosleep").return ?,
kprobe.function("compat_sys_clock_nanosleep").return ?
{
@_SYSCALL_CLOCK_NANOSLEEP_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.compat_clock_nanosleep.return =
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_nanosleep").return ?
+{
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.compat_clock_nanosleep.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_clock_nanosleep"))
+ @_SYSCALL_CLOCK_NANOSLEEP_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%s, %s", clk_id_str, tp_uaddr_str)
%)
+@define _SYSCALL_CLOCK_SETTIME_REGARGS
+%(
+ clk_id = int_arg(1)
+ clk_id_str = _get_wc_str(clk_id)
+ tp_uaddr = pointer_arg(2)
+%)
+
probe syscall.clock_settime = dw_syscall.clock_settime !, nd_syscall.clock_settime ? {}
probe syscall.clock_settime.return = dw_syscall.clock_settime.return !, nd_syscall.clock_settime.return ? {}
# nd_clock_settime _____________________________________________________
-probe nd_syscall.clock_settime = __nd_syscall.clock_settime,
- __nd_syscall.compat_clock_settime ?
+probe nd_syscall.clock_settime = nd1_syscall.clock_settime!, nd2_syscall.clock_settime!, tp_syscall.clock_settime
+ { }
+
+probe nd1_syscall.clock_settime = __nd1_syscall.clock_settime,
+ __nd1_syscall.compat_clock_settime ?
{
@_SYSCALL_CLOCK_SETTIME_NAME
}
-probe __nd_syscall.clock_settime = kprobe.function("sys_clock_settime").call
+probe __nd1_syscall.clock_settime = kprobe.function("sys_clock_settime").call
{
@__syscall_gate(@const("__NR_clock_settime"))
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- tp_uaddr = pointer_arg(2)
+ @_SYSCALL_CLOCK_SETTIME_REGARGS
tp_uaddr_str = _struct_timespec_u(tp_uaddr, 1)
@_SYSCALL_CLOCK_SETTIME_ARGSTR
}
-probe __nd_syscall.compat_clock_settime =
+probe __nd1_syscall.compat_clock_settime =
kprobe.function("compat_sys_clock_settime").call ?
{
asmlinkage()
- clk_id = int_arg(1)
- clk_id_str = _get_wc_str(clk_id)
- tp_uaddr = pointer_arg(2)
+ @_SYSCALL_CLOCK_SETTIME_REGARGS
+ tp_uaddr_str = _struct_compat_timespec_u(tp_uaddr, 1)
+ @_SYSCALL_CLOCK_SETTIME_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_settime = __nd2_syscall.clock_settime,
+ __nd2_syscall.compat_clock_settime ?
+{
+ @_SYSCALL_CLOCK_SETTIME_NAME
+}
+probe __nd2_syscall.clock_settime = kprobe.function(@arch_syscall_prefix "sys_clock_settime").call
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_SETTIME_REGARGS
+ tp_uaddr_str = _struct_timespec_u(tp_uaddr, 1)
+ @_SYSCALL_CLOCK_SETTIME_ARGSTR
+}
+probe __nd2_syscall.compat_clock_settime =
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_settime").call ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_CLOCK_SETTIME_REGARGS
tp_uaddr_str = _struct_compat_timespec_u(tp_uaddr, 1)
@_SYSCALL_CLOCK_SETTIME_ARGSTR
}
-probe nd_syscall.clock_settime.return = __nd_syscall.clock_settime.return,
- __nd_syscall.compat_clock_settime.return ?
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_settime = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_settime"), @const("__NR_compat_clock_settime"))
+ @_SYSCALL_CLOCK_SETTIME_NAME
+ @_SYSCALL_CLOCK_SETTIME_REGARGS
+ if (@__compat_task)
+ tp_uaddr_str = _struct_compat_timespec_u(tp_uaddr, 1)
+ else
+ tp_uaddr_str = _struct_timespec_u(tp_uaddr, 1)
+ @_SYSCALL_CLOCK_SETTIME_ARGSTR
+}
+
+probe nd_syscall.clock_settime.return = nd1_syscall.clock_settime.return!, nd2_syscall.clock_settime.return!, tp_syscall.clock_settime.return
+ { }
+
+probe nd1_syscall.clock_settime.return = __nd1_syscall.clock_settime.return,
+ __nd1_syscall.compat_clock_settime.return ?
{
@_SYSCALL_CLOCK_SETTIME_NAME
}
-probe __nd_syscall.clock_settime.return =
+probe __nd1_syscall.clock_settime.return =
kprobe.function("sys_clock_settime").return
{
@__syscall_gate(@const("__NR_clock_settime"))
retstr = returnstr(1)
}
-probe __nd_syscall.compat_clock_settime.return =
+probe __nd1_syscall.compat_clock_settime.return =
kprobe.function("compat_sys_clock_settime").return ?
{
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.clock_settime.return = kprobe.function(@arch_syscall_prefix "sys_clock_settime").return ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_clock_settime").return ?
+{
+ @_SYSCALL_CLOCK_SETTIME_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.clock_settime.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_clock_settime"), @const("__NR_compat_clock_settime"))
+ @_SYSCALL_CLOCK_SETTIME_NAME
+ retstr = return_str(1,$ret)
+}
# nd_eventfd _____________________________________________________
-probe nd_syscall.eventfd = __nd_syscall.eventfd2 ?, __nd_syscall.eventfd ?
+probe nd_syscall.eventfd = nd1_syscall.eventfd!, nd2_syscall.eventfd!, tp_syscall.eventfd
+ { }
+
+probe nd1_syscall.eventfd = __nd1_syscall.eventfd2 ?, __nd1_syscall.eventfd ?
{
}
-probe __nd_syscall.eventfd2 = kprobe.function("sys_eventfd2")
+probe __nd1_syscall.eventfd2 = kprobe.function("sys_eventfd2")
{
@__syscall_compat_gate(@const("__NR_eventfd2"), @const("__NR_compat_eventfd2"))
name = "eventfd2"
flags_str = _eventfd2_flag_str(flags)
argstr = sprintf("%u, %s", count, flags_str)
}
-probe __nd_syscall.eventfd = kprobe.function("sys_eventfd")
+probe __nd1_syscall.eventfd = kprobe.function("sys_eventfd")
{
name = "eventfd"
asmlinkage()
flags_str = "0x0"
argstr = sprint(count)
}
-probe nd_syscall.eventfd.return = __nd_syscall.eventfd2.return ?,
- __nd_syscall.eventfd.return ?
+
+/* kernel 4.17+ */
+probe nd2_syscall.eventfd = __nd2_syscall.eventfd2 ?, __nd2_syscall.eventfd ?
+{
+}
+probe __nd2_syscall.eventfd2 = kprobe.function(@arch_syscall_prefix "sys_eventfd2") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ name = "eventfd2"
+ count = uint_arg(1)
+ flags = int_arg(2)
+ flags_str = _eventfd2_flag_str(flags)
+ argstr = sprintf("%u, %s", count, flags_str)
+}
+probe __nd2_syscall.eventfd = kprobe.function(@arch_syscall_prefix "sys_eventfd")
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ name = "eventfd"
+ count = uint_arg(1)
+ flags = 0
+ flags_str = "0x0"
+ argstr = sprint(count)
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.eventfd = __tp_syscall.eventfd2 ?, __tp_syscall.eventfd ?
+{
+}
+probe __tp_syscall.eventfd2 = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_eventfd2"), @const("__NR_compat_eventfd2"))
+ name = "eventfd2"
+ count = uint_arg(1)
+ flags = int_arg(2)
+ flags_str = _eventfd2_flag_str(flags)
+ argstr = sprintf("%u, %s", count, flags_str)
+}
+probe __tp_syscall.eventfd = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_eventfd"), @const("__NR_compat_eventfd"))
+ name = "eventfd"
+ count = uint_arg(1)
+ flags = 0
+ flags_str = "0x0"
+ argstr = sprint(count)
+}
+
+probe nd_syscall.eventfd.return = nd1_syscall.eventfd.return!, nd2_syscall.eventfd.return!, tp_syscall.eventfd.return
+ { }
+
+probe nd1_syscall.eventfd.return = __nd1_syscall.eventfd2.return ?,
+ __nd1_syscall.eventfd.return ?
{
retstr = returnstr(1)
}
-probe __nd_syscall.eventfd2.return = kprobe.function("sys_eventfd2").return
+probe __nd1_syscall.eventfd2.return = kprobe.function("sys_eventfd2").return
+{
+ @__syscall_compat_gate(@const("__NR_eventfd2"), @const("__NR_compat_eventfd2"))
+ name = "eventfd2"
+}
+probe __nd1_syscall.eventfd.return = kprobe.function("sys_eventfd").return
+{
+ name = "eventfd"
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.eventfd.return = __nd2_syscall.eventfd2.return ?,
+ __nd2_syscall.eventfd.return ?
+{
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+probe __nd2_syscall.eventfd2.return = kprobe.function(@arch_syscall_prefix "sys_eventfd2").return
+{
+ name = "eventfd2"
+}
+probe __nd2_syscall.eventfd.return = kprobe.function(@arch_syscall_prefix "sys_eventfd").return
+{
+ name = "eventfd"
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.eventfd.return = __tp_syscall.eventfd2.return ?,
+ __tp_syscall.eventfd.return ?
+{
+ __set_syscall_pt_regs($regs)
+ retstr = return_str(1,$ret)
+}
+probe __tp_syscall.eventfd2.return = kernel.trace("sys_exit")
{
@__syscall_compat_gate(@const("__NR_eventfd2"), @const("__NR_compat_eventfd2"))
name = "eventfd2"
}
-probe __nd_syscall.eventfd.return = kprobe.function("sys_eventfd").return
+probe __tp_syscall.eventfd.return = kernel.trace("sys_exit")
{
+ @__syscall_compat_gate(@const("__NR_eventfd"), @const("__NR_compat_eventfd"))
name = "eventfd"
}
argstr = sprintf("%s, %s, %s", filename, args, env_str)
%)
+@define _SYSCALL_EXECVE_REGARGS
+%(
+ filename = user_string_quoted(pointer_arg(1))
+ args = __get_argv(pointer_arg(2), 0)
+ env_str = __get_argv(pointer_arg(3), 0)
+%)
+
+@define _SYSCALL_COMPAT_EXECVE_REGARGS
+%(
+ filename = user_string_quoted(pointer_arg(1))
+ args = __get_compat_argv(pointer_arg(2), 0)
+ env_str = __get_compat_argv(pointer_arg(3), 0)
+%)
+
probe syscall.execve = dw_syscall.execve !, nd_syscall.execve {}
probe syscall.execve.return = dw_syscall.execve.return !,
nd_syscall.execve.return {}
# nd_execve _____________________________________________________
-probe nd_syscall.execve = kprobe.function("sys_execve")
+probe nd_syscall.execve = nd1_syscall.execve!, nd2_syscall.execve!, tp_syscall.execve
+ { }
+
+probe nd1_syscall.execve = kprobe.function("sys_execve")
{
@_SYSCALL_EXECVE_NAME
asmlinkage()
- filename = user_string_quoted(pointer_arg(1))
- args = __get_argv(pointer_arg(2), 0)
- env_str = __get_argv(pointer_arg(3), 0)
+ @_SYSCALL_EXECVE_REGARGS
+ @_SYSCALL_EXECVE_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.execve = kprobe.function(@arch_syscall_prefix "sys_execve") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_EXECVE_NAME
+ @_SYSCALL_EXECVE_REGARGS
+ @_SYSCALL_EXECVE_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.execve = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_execve"))
+ @_SYSCALL_EXECVE_NAME
+ @_SYSCALL_EXECVE_REGARGS
@_SYSCALL_EXECVE_ARGSTR
}
-probe nd_syscall.execve.return = kprobe.function("sys_execve").return
+
+probe nd_syscall.execve.return = nd1_syscall.execve.return!, nd2_syscall.execve.return!, tp_syscall.execve.return
+ { }
+
+probe nd1_syscall.execve.return = kprobe.function("sys_execve").return
{
@_SYSCALL_EXECVE_NAME
retstr = returnstr(1)
}
+/* kernel 4.17+ */
+probe nd2_syscall.execve.return = kprobe.function(@arch_syscall_prefix "sys_execve").return ?
+{
+ @_SYSCALL_EXECVE_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.execve.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_execve"))
+ @_SYSCALL_EXECVE_NAME
+ retstr = return_str(1,$ret)
+}
+
# In kernels >= 3.7, compat_sys_execve() has been moved to generic
# code, so we can use it with confidence. For kernels < 3.7,
# compat_execve support is in arch-specific tapset code.
# asmlinkage long compat_sys_execve(const char __user * filename,
# const compat_uptr_t __user * argv,
# const compat_uptr_t __user * envp)
-probe nd_syscall.compat_execve = kprobe.function("compat_sys_execve").call ?
+
+probe nd_syscall.compat_execve = nd1_syscall.compat_execve!, nd2_syscall.compat_execve!, tp_syscall.compat_execve
+ { }
+
+probe nd1_syscall.compat_execve = kprobe.function("compat_sys_execve").call ?
{
@_SYSCALL_EXECVE_NAME
asmlinkage()
- filename = user_string_quoted(pointer_arg(1))
- args = __get_compat_argv(pointer_arg(2), 0)
- env_str = __get_compat_argv(pointer_arg(3), 0)
+ @_SYSCALL_COMPAT_EXECVE_REGARGS
+ @_SYSCALL_EXECVE_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.compat_execve = kprobe.function(@arch_syscall_prefix "compat_sys_execve") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_EXECVE_NAME
+ @_SYSCALL_COMPAT_EXECVE_REGARGS
@_SYSCALL_EXECVE_ARGSTR
}
-probe nd_syscall.compat_execve.return =
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.compat_execve = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_execve"))
+ @_SYSCALL_EXECVE_NAME
+ @_SYSCALL_COMPAT_EXECVE_REGARGS
+ @_SYSCALL_EXECVE_ARGSTR
+}
+
+probe nd_syscall.compat_execve.return = nd1_syscall.compat_execve.return!, nd2_syscall.compat_execve.return!, tp_syscall.compat_execve.return
+ { }
+
+probe nd1_syscall.compat_execve.return =
kprobe.function("compat_sys_execve").return ?
{
@_SYSCALL_EXECVE_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.compat_execve.return = kprobe.function(@arch_syscall_prefix "compat_sys_execve").return ?
+{
+ @_SYSCALL_EXECVE_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.compat_execve.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_execve"))
+ @_SYSCALL_EXECVE_NAME
+ retstr = return_str(1,$ret)
+}
%)
env_str, flags_str)
%)
+@define _SYSCALL_EXECVEAT_REGARGS
+%(
+ dirfd = int_arg(1)
+ dirfd_str = _dfd_str(dirfd)
+%(systemtap_v <= "2.8" %?
+ # All other "at" syscalls (faccessat, fchmodat, fchownat,
+ # etc.) name their file descriptor argument 'dirfd', so let's
+ # do the same.
+ fd = dirfd
+ fd_str = dirfd_str
+%)
+ filename = user_string_quoted(pointer_arg(2))
+ args = __get_argv(pointer_arg(3), 0)
+ env_str = __get_argv(pointer_arg(4), 0)
+ flags = int_arg(5)
+ flags_str = _at_flag_str(flags)
+%)
+
+@define _SYSCALL_COMPAT_EXECVEAT_REGARGS
+%(
+ dirfd = int_arg(1)
+ dirfd_str = _dfd_str(dirfd)
+%(systemtap_v <= "2.8" %?
+ # All other "at" syscalls (faccessat, fchmodat, fchownat,
+ # etc.) name their file descriptor argument 'dirfd', so let's
+ # do the same.
+ fd = dirfd
+ fd_str = dirfd_str
+%)
+ filename = user_string_quoted(pointer_arg(2))
+ args = __get_compat_argv(pointer_arg(3), 0)
+ env_str = __get_compat_argv(pointer_arg(4), 0)
+ flags = int_arg(5)
+ flags_str = _at_flag_str(flags)
+%)
+
probe syscall.execveat = dw_syscall.execveat !, nd_syscall.execveat ? {}
probe syscall.execveat.return = dw_syscall.execveat.return !,
nd_syscall.execveat.return ? {}
# nd_execveat _____________________________________________________
-probe nd_syscall.execveat = kprobe.function("sys_execveat").call ?
+probe nd_syscall.execveat = nd1_syscall.execveat!, nd2_syscall.execveat!, tp_syscall.execveat
+ { }
+
+probe nd1_syscall.execveat = kprobe.function("sys_execveat").call ?
{
asmlinkage()
@_SYSCALL_EXECVEAT_NAME
- dirfd = int_arg(1)
- dirfd_str = _dfd_str(dirfd)
-%(systemtap_v <= "2.8" %?
- # All other "at" syscalls (faccessat, fchmodat, fchownat,
- # etc.) name their file descriptor argument 'dirfd', so let's
- # do the same.
- fd = dirfd
- fd_str = dirfd_str
-%)
- filename = user_string_quoted(pointer_arg(2))
- args = __get_argv(pointer_arg(3), 0)
- env_str = __get_argv(pointer_arg(4), 0)
- flags = int_arg(5)
- flags_str = _at_flag_str(flags)
+ @_SYSCALL_EXECVEAT_REGARGS
+ @_SYSCALL_EXECVEAT_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.execveat = kprobe.function(@arch_syscall_prefix "sys_execveat") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_EXECVEAT_NAME
+ @_SYSCALL_EXECVEAT_REGARGS
@_SYSCALL_EXECVEAT_ARGSTR
}
-probe nd_syscall.execveat.return = kprobe.function("sys_execveat").return ?
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.execveat = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_execveat"))
+ @_SYSCALL_EXECVEAT_NAME
+ @_SYSCALL_EXECVEAT_REGARGS
+ @_SYSCALL_EXECVEAT_ARGSTR
+}
+
+probe nd_syscall.execveat.return = nd1_syscall.execveat.return!, nd2_syscall.execveat.return!, tp_syscall.execveat.return
+ { }
+
+probe nd1_syscall.execveat.return = kprobe.function("sys_execveat").return ?
{
@_SYSCALL_EXECVEAT_NAME
retstr = returnstr(1)
}
-probe nd_syscall.compat_execveat = kprobe.function("compat_sys_execveat").call ?
+/* kernel 4.17+ */
+probe nd2_syscall.execveat.return = kprobe.function(@arch_syscall_prefix "sys_execveat").return ?
{
@_SYSCALL_EXECVEAT_NAME
- dirfd = int_arg(1)
- dirfd_str = _dfd_str(dirfd)
-%(systemtap_v <= "2.8" %?
- # All other "at" syscalls (faccessat, fchmodat, fchownat,
- # etc.) name their file descriptor argument 'dirfd', so let's
- # do the same.
- fd = dirfd
- fd_str = dirfd_str
-%)
- filename = user_string_quoted(pointer_arg(2))
- args = __get_compat_argv(pointer_arg(3), 0)
- env_str = __get_compat_argv(pointer_arg(4), 0)
- flags = int_arg(5)
- flags_str = _at_flag_str(flags)
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.execveat.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_execveat"))
+ @_SYSCALL_EXECVEAT_NAME
+ retstr = return_str(1,$ret)
+}
+
+probe nd_syscall.compat_execveat = nd1_syscall.compat_execveat!, nd2_syscall.compat_execveat!, tp_syscall.compat_execveat
+ { }
+
+probe nd1_syscall.compat_execveat = kprobe.function("compat_sys_execveat").call ?
+{
+ @_SYSCALL_EXECVEAT_NAME
+ @_SYSCALL_COMPAT_EXECVEAT_REGARGS
@_SYSCALL_EXECVEAT_ARGSTR
}
-probe nd_syscall.compat_execveat.return =
+
+/* kernel 4.17+ */
+probe nd2_syscall.compat_execveat = kprobe.function(@arch_syscall_prefix "compat_sys_execveat") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_EXECVEAT_NAME
+ @_SYSCALL_COMPAT_EXECVEAT_REGARGS
+ @_SYSCALL_EXECVEAT_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.compat_execveat = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_execveat"))
+ @_SYSCALL_EXECVEAT_NAME
+ @_SYSCALL_COMPAT_EXECVEAT_REGARGS
+ @_SYSCALL_EXECVEAT_ARGSTR
+}
+
+probe nd_syscall.compat_execveat.return = nd1_syscall.compat_execveat.return!, nd2_syscall.compat_execveat.return!, tp_syscall.compat_execveat.return
+ { }
+
+probe nd1_syscall.compat_execveat.return =
kprobe.function("compat_sys_execveat").return ?
{
@_SYSCALL_EXECVEAT_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.compat_execveat.return = kprobe.function(@arch_syscall_prefix "compat_sys_execveat").return ?
+{
+ @_SYSCALL_EXECVEAT_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.compat_execveat.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_execveat"))
+ @_SYSCALL_EXECVEAT_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%s, %s", flags_str, event_f_flags_str)
%)
+@define _SYSCALL_FANOTIFY_INIT_REGARGS
+%(
+ flags = uint_arg(1)
+ flags_str = _fanotify_init_flags_str(flags)
+ event_f_flags = uint_arg(2)
+ event_f_flags_str = _sys_open_flag_str(event_f_flags)
+%)
+
probe syscall.fanotify_init = dw_syscall.fanotify_init !, nd_syscall.fanotify_init ? {}
probe syscall.fanotify_init.return = dw_syscall.fanotify_init.return !, nd_syscall.fanotify_init.return ? {}
# nd_fanotify_init _____________________________________________________
-probe nd_syscall.fanotify_init = kprobe.function("sys_fanotify_init") ?
+probe nd_syscall.fanotify_init = nd1_syscall.fanotify_init!, nd2_syscall.fanotify_init!, tp_syscall.fanotify_init
+ { }
+
+probe nd1_syscall.fanotify_init = kprobe.function("sys_fanotify_init") ?
{
@_SYSCALL_FANOTIFY_INIT_NAME
asmlinkage()
- flags = uint_arg(1)
- flags_str = _fanotify_init_flags_str(flags)
- event_f_flags = uint_arg(2)
- event_f_flags_str = _sys_open_flag_str(event_f_flags)
+ @_SYSCALL_FANOTIFY_INIT_REGARGS
+ @_SYSCALL_FANOTIFY_INIT_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.fanotify_init = kprobe.function(@arch_syscall_prefix "sys_fanotify_init") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_FANOTIFY_INIT_NAME
+ @_SYSCALL_FANOTIFY_INIT_REGARGS
+ @_SYSCALL_FANOTIFY_INIT_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.fanotify_init = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_fanotify_init"), @const("__NR_compat_fanotify_init"))
+ @_SYSCALL_FANOTIFY_INIT_NAME
+ @_SYSCALL_FANOTIFY_INIT_REGARGS
@_SYSCALL_FANOTIFY_INIT_ARGSTR
}
-probe nd_syscall.fanotify_init.return =
+
+probe nd_syscall.fanotify_init.return = nd1_syscall.fanotify_init.return!, nd2_syscall.fanotify_init.return!, tp_syscall.fanotify_init.return
+ { }
+
+probe nd1_syscall.fanotify_init.return =
kprobe.function("sys_fanotify_init").return ?
{
@_SYSCALL_FANOTIFY_INIT_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.fanotify_init.return = kprobe.function(@arch_syscall_prefix "sys_fanotify_init").return ?
+{
+ @_SYSCALL_FANOTIFY_INIT_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.fanotify_init.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_fanotify_init"), @const("__NR_compat_fanotify_init"))
+ @_SYSCALL_FANOTIFY_INIT_NAME
+ retstr = return_str(1,$ret)
+}
dirfd_str, pathname)
%)
+@define _SYSCALL_FANOTIFY_MARK_REGARGS
+%(
+ fanotify_fd = int_arg(1)
+ flags = uint_arg(2)
+%( CONFIG_64BIT == "y" %?
+ mask = ulonglong_arg(3)
+ dirfd = int_arg(4)
+ pathname = user_string_quoted(pointer_arg(5))
+%:
+ # On a 32-bit kernel, 'long long' arguments take the space of
+ # 2 arguments, so we have to adjust the following argument
+ # numbers.
+ mask = ulonglong_arg(3)
+ dirfd = int_arg(5)
+ pathname = user_string_quoted(pointer_arg(6))
+%)
+%)
+
+@define _SYSCALL_COMPAT_FANOTIFY_MARK_REGARGS
+%(
+ fanotify_fd = int_arg(1)
+ flags = uint_arg(2)
+ if (@__BIG_ENDIAN)
+ mask = ((uint_arg(3) << 32) | uint_arg(4))
+ else
+ mask = ((uint_arg(4) << 32) | uint_arg(3))
+ dirfd = int_arg(5)
+ pathname = user_string_quoted(pointer_arg(6))
+%)
+
probe syscall.fanotify_mark = dw_syscall.fanotify_mark !, nd_syscall.fanotify_mark ? {}
probe syscall.fanotify_mark.return = dw_syscall.fanotify_mark.return !, nd_syscall.fanotify_mark.return ? {}
# nd_fanotify_mark _____________________________________________________
-probe nd_syscall.fanotify_mark = __nd_syscall.fanotify_mark ?,
- __nd_syscall.compat_fanotify_mark ?
+probe nd_syscall.fanotify_mark = nd1_syscall.fanotify_mark!, nd2_syscall.fanotify_mark!, tp_syscall.fanotify_mark
+ { }
+
+probe nd1_syscall.fanotify_mark = __nd1_syscall.fanotify_mark ?,
+ __nd1_syscall.compat_fanotify_mark ?
{
@_SYSCALL_FANOTIFY_MARK_NAME
flags_str = _fanotify_mark_flags_str(flags)
dirfd_str = _dfd_str(dirfd)
@_SYSCALL_FANOTIFY_MARK_ARGSTR
}
-probe __nd_syscall.fanotify_mark = kprobe.function("sys_fanotify_mark") ?
+probe __nd1_syscall.fanotify_mark = kprobe.function("sys_fanotify_mark") ?
{
@__syscall_gate_compat_simple
asmlinkage()
- fanotify_fd = int_arg(1)
- flags = uint_arg(2)
-%( CONFIG_64BIT == "y" %?
- mask = ulonglong_arg(3)
- dirfd = int_arg(4)
- pathname = user_string_quoted(pointer_arg(5))
-%:
- # On a 32-bit kernel, 'long long' arguments take the space of
- # 2 arguments, so we have to adjust the following argument
- # numbers.
- mask = ulonglong_arg(3)
- dirfd = int_arg(5)
- pathname = user_string_quoted(pointer_arg(6))
-%)
+ @_SYSCALL_FANOTIFY_MARK_REGARGS
}
-probe __nd_syscall.compat_fanotify_mark =
+probe __nd1_syscall.compat_fanotify_mark =
kprobe.function("compat_sys_fanotify_mark") ?
{
asmlinkage()
- fanotify_fd = int_arg(1)
- flags = uint_arg(2)
- if (@__BIG_ENDIAN)
- mask = ((uint_arg(3) << 32) | uint_arg(4))
- else
- mask = ((uint_arg(4) << 32) | uint_arg(3))
- dirfd = int_arg(5)
- pathname = user_string_quoted(pointer_arg(6))
+ @_SYSCALL_COMPAT_FANOTIFY_MARK_REGARGS
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.fanotify_mark = __nd2_syscall.fanotify_mark ?,
+ __nd2_syscall.compat_fanotify_mark ?
+{
+ @_SYSCALL_FANOTIFY_MARK_NAME
+ flags_str = _fanotify_mark_flags_str(flags)
+ mask_str = _fanotify_mark_mask_str(mask)
+ dirfd_str = _dfd_str(dirfd)
+ @_SYSCALL_FANOTIFY_MARK_ARGSTR
+}
+probe __nd2_syscall.fanotify_mark = kprobe.function(@arch_syscall_prefix "sys_fanotify_mark") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_FANOTIFY_MARK_REGARGS
+}
+probe __nd2_syscall.compat_fanotify_mark =
+ kprobe.function(@arch_syscall_prefix "compat_sys_fanotify_mark") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_COMPAT_FANOTIFY_MARK_REGARGS
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.fanotify_mark = __tp_syscall.fanotify_mark ?,
+ __tp_syscall.compat_fanotify_mark ?
+{
+ @_SYSCALL_FANOTIFY_MARK_NAME
+ flags_str = _fanotify_mark_flags_str(flags)
+ mask_str = _fanotify_mark_mask_str(mask)
+ dirfd_str = _dfd_str(dirfd)
+ @_SYSCALL_FANOTIFY_MARK_ARGSTR
+}
+probe __tp_syscall.fanotify_mark = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_fanotify_mark"))
+ @_SYSCALL_FANOTIFY_MARK_REGARGS
+}
+probe __tp_syscall.compat_fanotify_mark = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_fanotify_mark"))
+ @_SYSCALL_COMPAT_FANOTIFY_MARK_REGARGS
}
-probe nd_syscall.fanotify_mark.return =
+
+probe nd_syscall.fanotify_mark.return = nd1_syscall.fanotify_mark.return!, nd2_syscall.fanotify_mark.return!, tp_syscall.fanotify_mark.return
+ { }
+
+probe nd1_syscall.fanotify_mark.return =
kprobe.function("sys_fanotify_mark").return ?,
kprobe.function("compat_sys_fanotify_mark").return ?
{
@_SYSCALL_FANOTIFY_MARK_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.fanotify_mark.return =
+ kprobe.function(@arch_syscall_prefix "sys_fanotify_mark").return ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_fanotify_mark").return ?
+{
+ @_SYSCALL_FANOTIFY_MARK_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.fanotify_mark.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_fanotify_mark"), @const("__NR_compat_fanotify_mark"))
+ @_SYSCALL_FANOTIFY_MARK_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr)
%)
+@define _SYSCALL_GETTIMEOFDAY_REGARGS
+%(
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+%)
+
probe syscall.gettimeofday = dw_syscall.gettimeofday !, nd_syscall.gettimeofday ? {}
probe syscall.gettimeofday.return = dw_syscall.gettimeofday.return !, nd_syscall.gettimeofday.return ? {}
# nd_gettimeofday _____________________________________________________
-probe nd_syscall.gettimeofday = kprobe.function("compat_sys_gettimeofday") ?,
- kprobe.function("sys32_gettimeofday") ?,
- kprobe.function("sys_gettimeofday") ?
+probe nd_syscall.gettimeofday = nd1_syscall.gettimeofday!, nd2_syscall.gettimeofday!, tp_syscall.gettimeofday
+ { }
+
+probe nd1_syscall.gettimeofday = kprobe.function("compat_sys_gettimeofday") ?,
+ kprobe.function("sys32_gettimeofday") ?,
+ kprobe.function("sys_gettimeofday") ?
{
@_SYSCALL_GETTIMEOFDAY_NAME
asmlinkage()
- tv_uaddr = pointer_arg(1)
- tz_uaddr = pointer_arg(2)
+ @_SYSCALL_GETTIMEOFDAY_REGARGS
+ @_SYSCALL_GETTIMEOFDAY_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.gettimeofday = kprobe.function(@arch_syscall_prefix "compat_sys_gettimeofday") ?,
+ kprobe.function(@arch_syscall_prefix "sys_gettimeofday") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_GETTIMEOFDAY_NAME
+ @_SYSCALL_GETTIMEOFDAY_REGARGS
@_SYSCALL_GETTIMEOFDAY_ARGSTR
}
-probe nd_syscall.gettimeofday.return = kprobe.function("compat_sys_gettimeofday").return ?,
- kprobe.function("sys32_gettimeofday").return ?,
- kprobe.function("sys_gettimeofday").return ?
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.gettimeofday = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_gettimeofday"), @const("__NR_compat_gettimeofday"))
+ @_SYSCALL_GETTIMEOFDAY_NAME
+ @_SYSCALL_GETTIMEOFDAY_REGARGS
+ @_SYSCALL_GETTIMEOFDAY_ARGSTR
+}
+
+probe nd_syscall.gettimeofday.return = nd1_syscall.gettimeofday.return!, nd2_syscall.gettimeofday.return!, tp_syscall.gettimeofday.return
+ { }
+
+probe nd1_syscall.gettimeofday.return = kprobe.function("compat_sys_gettimeofday").return ?,
+ kprobe.function("sys32_gettimeofday").return ?,
+ kprobe.function("sys_gettimeofday").return ?
{
@_SYSCALL_GETTIMEOFDAY_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.gettimeofday.return = kprobe.function(@arch_syscall_prefix "compat_sys_gettimeofday").return ?,
+ kprobe.function(@arch_syscall_prefix "sys_gettimeofday").return ?
+{
+ @_SYSCALL_GETTIMEOFDAY_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.gettimeofday.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_gettimeofday"), @const("__NR_compat_gettimeofday"))
+ @_SYSCALL_GETTIMEOFDAY_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%s, %d", domainname_str, len)
%)
+@define _SYSCALL_SETDOMAINNAME_REGARGS
+%(
+ domainname_uaddr = pointer_arg(1)
+%( systemtap_v <= "2.8" %?
+ hostname_uaddr = domainname_uaddr
+%)
+ domainname_str = user_string_quoted(domainname_uaddr)
+ len = int_arg(2)
+%)
+
probe syscall.setdomainname = dw_syscall.setdomainname !,
nd_syscall.setdomainname ? {}
probe syscall.setdomainname.return = dw_syscall.setdomainname.return !,
# nd_setdomainname _____________________________________________________
-probe nd_syscall.setdomainname = kprobe.function("sys_setdomainname") ?
+probe nd_syscall.setdomainname = nd1_syscall.setdomainname!, nd2_syscall.setdomainname!, tp_syscall.setdomainname
+ { }
+
+probe nd1_syscall.setdomainname = kprobe.function("sys_setdomainname") ?
{
@_SYSCALL_SETDOMAINNAME_NAME
asmlinkage()
- domainname_uaddr = pointer_arg(1)
-%( systemtap_v <= "2.8" %?
- hostname_uaddr = domainname_uaddr
-%)
- domainname_str = user_string_quoted(domainname_uaddr)
- len = int_arg(2)
+ @_SYSCALL_SETDOMAINNAME_REGARGS
+ @_SYSCALL_SETDOMAINNAME_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.setdomainname = kprobe.function(@arch_syscall_prefix "sys_setdomainname") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_SETDOMAINNAME_NAME
+ @_SYSCALL_SETDOMAINNAME_REGARGS
@_SYSCALL_SETDOMAINNAME_ARGSTR
}
-probe nd_syscall.setdomainname.return = kprobe.function("sys_setdomainname").return ?
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.setdomainname = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_setdomainname"), @const("__NR_compat_setdomainname"))
+ @_SYSCALL_SETDOMAINNAME_NAME
+ @_SYSCALL_SETDOMAINNAME_REGARGS
+ @_SYSCALL_SETDOMAINNAME_ARGSTR
+}
+
+probe nd_syscall.setdomainname.return = nd1_syscall.setdomainname.return!, nd2_syscall.setdomainname.return!, tp_syscall.setdomainname.return
+ { }
+
+probe nd1_syscall.setdomainname.return = kprobe.function("sys_setdomainname").return ?
{
@_SYSCALL_SETDOMAINNAME_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.setdomainname.return = kprobe.function(@arch_syscall_prefix "sys_setdomainname").return ?
+{
+ @_SYSCALL_SETDOMAINNAME_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.setdomainname.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_setdomainname"), @const("__NR_compat_setdomainname"))
+ @_SYSCALL_SETDOMAINNAME_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%s, %s", tv_str, tz_str)
%)
+@define _SYSCALL_SETTIMEOFDAY_REGARGS
+%(
+ tv_uaddr = pointer_arg(1)
+ tz_uaddr = pointer_arg(2)
+ tz_str = _struct_timezone_u(tz_uaddr)
+%)
+
probe syscall.settimeofday = dw_syscall.settimeofday !,
nd_syscall.settimeofday ? {}
probe syscall.settimeofday.return = dw_syscall.settimeofday.return !,
# nd_settimeofday _____________________________________________________
-probe nd_syscall.settimeofday = kprobe.function("sys_settimeofday") ?
+probe nd_syscall.settimeofday = nd1_syscall.settimeofday!, nd2_syscall.settimeofday!, tp_syscall.settimeofday
+ { }
+
+probe nd1_syscall.settimeofday = kprobe.function("sys_settimeofday") ?
{
@_SYSCALL_SETTIMEOFDAY_NAME
asmlinkage()
- tv_uaddr = pointer_arg(1)
+ @_SYSCALL_SETTIMEOFDAY_REGARGS
tv_str = _struct_timeval_u(tv_uaddr, 1)
- tz_uaddr = pointer_arg(2)
- tz_str = _struct_timezone_u(tz_uaddr)
@_SYSCALL_SETTIMEOFDAY_ARGSTR
}
-probe nd_syscall.settimeofday.return = kprobe.function("sys_settimeofday").return ?
+
+/* kernel 4.17+ */
+probe nd2_syscall.settimeofday = kprobe.function(@arch_syscall_prefix "sys_settimeofday") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ @_SYSCALL_SETTIMEOFDAY_REGARGS
+ tv_str = _struct_timeval_u(tv_uaddr, 1)
+ @_SYSCALL_SETTIMEOFDAY_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.settimeofday = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_settimeofday"))
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ @_SYSCALL_SETTIMEOFDAY_REGARGS
+ tv_str = _struct_timeval_u(tv_uaddr, 1)
+ @_SYSCALL_SETTIMEOFDAY_ARGSTR
+}
+
+probe nd_syscall.settimeofday.return = nd1_syscall.settimeofday.return!, nd2_syscall.settimeofday.return!, tp_syscall.settimeofday.return
+ { }
+
+probe nd1_syscall.settimeofday.return = kprobe.function("sys_settimeofday").return ?
{
@_SYSCALL_SETTIMEOFDAY_NAME
retstr = returnstr(1)
}
+/* kernel 4.17+ */
+probe nd2_syscall.settimeofday.return = kprobe.function(@arch_syscall_prefix "sys_settimeofday").return ?
+{
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.settimeofday.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_gate(@const("__NR_settimeofday"))
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ retstr = return_str(1,$ret)
+}
+
#
# long sys32_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
# long compat_sys_settimeofday(struct compat_timeval __user *tv, struct timezone __user *tz)
# nd_settimeofday32 _____________________________________________________
-probe nd_syscall.settimeofday32 = kprobe.function("sys32_settimeofday") ?,
- kprobe.function("compat_sys_settimeofday") ?
+probe nd_syscall.settimeofday32 = nd1_syscall.settimeofday32!, nd2_syscall.settimeofday32!, tp_syscall.settimeofday32
+ { }
+
+probe nd1_syscall.settimeofday32 = kprobe.function("sys32_settimeofday") ?,
+ kprobe.function("compat_sys_settimeofday") ?
{
@_SYSCALL_SETTIMEOFDAY_NAME
asmlinkage()
- tv_uaddr = pointer_arg(1)
+ @_SYSCALL_SETTIMEOFDAY_REGARGS
tv_str = _struct_compat_timeval_u(tv_uaddr, 1)
- tz_uaddr = pointer_arg(2)
- tz_str = _struct_timezone_u(tz_uaddr)
@_SYSCALL_SETTIMEOFDAY_ARGSTR
}
-probe nd_syscall.settimeofday32.return = kprobe.function("sys32_settimeofday").return ?,
- kprobe.function("compat_sys_settimeofday").return ?
+
+/* kernel 4.17+ */
+probe nd2_syscall.settimeofday32 = kprobe.function(@arch_syscall_prefix "compat_sys_settimeofday") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ @_SYSCALL_SETTIMEOFDAY_REGARGS
+ tv_str = _struct_compat_timeval_u(tv_uaddr, 1)
+ @_SYSCALL_SETTIMEOFDAY_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.settimeofday32 = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_settimeofday"))
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ @_SYSCALL_SETTIMEOFDAY_REGARGS
+ tv_str = _struct_compat_timeval_u(tv_uaddr, 1)
+ @_SYSCALL_SETTIMEOFDAY_ARGSTR
+}
+
+probe nd_syscall.settimeofday32.return = nd1_syscall.settimeofday32.return!, nd2_syscall.settimeofday32.return!, tp_syscall.settimeofday32.return
+ { }
+
+probe nd1_syscall.settimeofday32.return = kprobe.function("sys32_settimeofday").return ?,
+ kprobe.function("compat_sys_settimeofday").return ?
{
@_SYSCALL_SETTIMEOFDAY_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.settimeofday32.return = kprobe.function(@arch_syscall_prefix "compat_sys_settimeofday").return ?
+{
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.settimeofday32.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__compat_syscall_gate(@const("__NR_compat_settimeofday"))
+ @_SYSCALL_SETTIMEOFDAY_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%p", t_uaddr)
%)
+@define _SYSCALL_STIME_REGARGS
+%(
+ t_uaddr = pointer_arg(1)
+%)
+
probe syscall.stime = dw_syscall.stime !, nd_syscall.stime ? {}
probe syscall.stime.return = dw_syscall.stime.return !,
nd_syscall.stime.return ? {}
# nd_stime _____________________________________________________
-probe nd_syscall.stime = kprobe.function("compat_sys_stime") ?,
+probe nd_syscall.stime = nd1_syscall.stime!, nd2_syscall.stime!, tp_syscall.stime
+ { }
+
+probe nd1_syscall.stime = kprobe.function("compat_sys_stime") ?,
kprobe.function("sys_stime") ?
{
@_SYSCALL_STIME_NAME
asmlinkage()
- t_uaddr = pointer_arg(1)
+ @_SYSCALL_STIME_REGARGS
/* FIXME. Decode time */
@_SYSCALL_STIME_ARGSTR
}
-probe nd_syscall.stime.return = kprobe.function("compat_sys_stime").return ?,
+
+/* kernel 4.17+ */
+probe nd2_syscall.stime = kprobe.function(@arch_syscall_prefix "compat_sys_stime") ?,
+ kprobe.function(@arch_syscall_prefix "sys_stime") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_STIME_NAME
+ @_SYSCALL_STIME_REGARGS
+ /* FIXME. Decode time */
+ @_SYSCALL_STIME_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.stime = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_stime"), @const("__NR_compat_stime"))
+ @_SYSCALL_STIME_NAME
+ @_SYSCALL_STIME_REGARGS
+ @_SYSCALL_STIME_ARGSTR
+}
+
+probe nd_syscall.stime.return = nd1_syscall.stime.return!, nd2_syscall.stime.return!, tp_syscall.stime.return
+ { }
+
+probe nd1_syscall.stime.return = kprobe.function("compat_sys_stime").return ?,
kprobe.function("sys_stime").return ?
{
@_SYSCALL_STIME_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.stime.return = kprobe.function(@arch_syscall_prefix "compat_sys_stime") ?,
+ kprobe.function(@arch_syscall_prefix "sys_stime").return ?
+{
+ @_SYSCALL_STIME_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.stime.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_stime"), @const("__NR_compat_stime"))
+ @_SYSCALL_STIME_NAME
+ retstr = return_str(1,$ret)
+}
argstr = sprintf("%p", t_uaddr)
%)
+@define _SYSCALL_TIME_REGARGS
+%(
+ t_uaddr = pointer_arg(1)
+%)
+
probe syscall.time = dw_syscall.time !, nd_syscall.time ? {}
probe syscall.time.return = dw_syscall.time.return !, nd_syscall.time.return ? {}
# nd_time _____________________________________________________
-probe nd_syscall.time = kprobe.function("sys32_time") ?,
+probe nd_syscall.time = nd1_syscall.time!, nd2_syscall.time!, tp_syscall.time
+ { }
+
+probe nd1_syscall.time = kprobe.function("sys32_time") ?,
kprobe.function("sys_time64") ?,
kprobe.function("compat_sys_time") ?,
kprobe.function("sys_time") ?
{
@_SYSCALL_TIME_NAME
asmlinkage()
- t_uaddr = pointer_arg(1)
+ @_SYSCALL_TIME_REGARGS
+ @_SYSCALL_TIME_ARGSTR
+}
+
+/* kernel 4.17+ */
+probe nd2_syscall.time = kprobe.function(@arch_syscall_prefix "sys_time") ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_time") ?
+{
+ __set_syscall_pt_regs(pointer_arg(1))
+ @_SYSCALL_TIME_NAME
+ @_SYSCALL_TIME_REGARGS
+ @_SYSCALL_TIME_ARGSTR
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.time = kernel.trace("sys_enter")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_time"), @const("__NR_compat_time"))
+ @_SYSCALL_TIME_NAME
+ @_SYSCALL_TIME_REGARGS
@_SYSCALL_TIME_ARGSTR
}
-probe nd_syscall.time.return = kprobe.function("sys32_time").return ?,
+
+probe nd_syscall.time.return = nd1_syscall.time.return!, nd2_syscall.time.return!, tp_syscall.time.return
+ { }
+
+probe nd1_syscall.time.return = kprobe.function("sys32_time").return ?,
kprobe.function("sys_time64").return ?,
kprobe.function("compat_sys_time").return ?,
kprobe.function("sys_time").return ?
@_SYSCALL_TIME_NAME
retstr = returnstr(1)
}
+
+/* kernel 4.17+ */
+probe nd2_syscall.time.return = kprobe.function(@arch_syscall_prefix "sys_time").return ?,
+ kprobe.function(@arch_syscall_prefix "compat_sys_time") ?
+{
+ @_SYSCALL_TIME_NAME
+ retstr = returnstr(1) /* NB: not in the $regs */
+}
+
+/* kernel 3.5+, but undesirable because it affects all syscalls */
+probe tp_syscall.time.return = kernel.trace("sys_exit")
+{
+ __set_syscall_pt_regs($regs)
+ @__syscall_compat_gate(@const("__NR_time"), @const("__NR_compat_time"))
+ @_SYSCALL_TIME_NAME
+ retstr = return_str(1,$ret)
+}
git://sourceware.org / systemtap.git / commitdiff