probe nd_syscall.accept = __nd_syscall.accept4 ?, __nd_syscall.accept ?
{
name = "accept"
- // sockfd = $fd
- // addr_uaddr = $upeer_sockaddr
- // addrlen_uaddr = $upeer_addrlen
- // argstr = sprintf("%d, %p, %p, %s", $fd, $upeer_sockaddr,
- // $upeer_addrlen, flags_str)
asmlinkage()
sockfd = int_arg(1)
addr_uaddr = pointer_arg(2)
probe nd_syscall.access = kprobe.function("sys_access") ?
{
name = "access"
- // pathname = user_string($filename)
- // mode = $mode
- // mode_str = _access_mode_str($mode)
- // argstr = sprintf("%s, %s", user_string_quoted($filename), mode_str)
asmlinkage()
pathname = user_string_quoted(pointer_arg(1))
mode = int_arg(2)
probe nd_syscall.acct = kprobe.function("sys_acct") ?
{
name = "acct"
- // filename = user_string($name)
- // argstr = user_string_quoted($name)
asmlinkage()
filename = user_string_quoted(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
probe nd_syscall.add_key = kprobe.function("sys_add_key") ?
{
name = "add_key"
- // type_uaddr = $_type
- // description_auddr = $_description
- // payload_uaddr = $_payload
- // plen = $plen
- // ringid = $ringid
- // argstr = sprintf("%s, %s, %s, %d, %d",
- // user_string_quoted($_type),
- // user_string_quoted($_description),
- // text_strn(user_string($_payload), syscall_string_trunc, 1),
- // $plen, $ringid)
asmlinkage()
type_uaddr = pointer_arg(1)
description_uaddr = pointer_arg(2)
* buf_time_tv_usec = __uget_timex_m($txc_p, 10)
* buf_tick = __uget_timex_m($txc_p, 11)
*/
- // argstr = sprintf("%p", $txc_p)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.adjtimex.return = kprobe.function("sys_adjtimex").return ?
{
name = "adjtimex"
- // retstr = _adjtimex_return_str($return)
retstr = _adjtimex_return_str(returnval())
}
# long compat_sys_adjtimex(struct compat_timex __user *utp)
probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ?
{
name = "compat_adjtimex"
- // argstr = sprintf("%p", $utp)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
kprobe.function("sys_alarm") ?
{
name = "alarm"
- // seconds = $seconds
- // argstr = sprint($seconds)
asmlinkage()
seconds = uint_arg(1)
argstr = sprint(seconds)
probe nd_syscall.bdflush = kprobe.function("sys_bdflush") ?
{
name = "bdflush"
- // func = $func
- // data = $data
- // if (($func >= 2) && ($func % 2 == 0))
- // data_str = sprintf("%p", $data)
- // else
- // data_str = sprintf("%d", $data)
asmlinkage()
func = int_arg(1)
data = long_arg(2)
probe nd_syscall.bind = kprobe.function("sys_bind") ?
{
name = "bind"
- // sockfd = $fd
- // my_addr_uaddr = $umyaddr
- // addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
my_addr_uaddr = pointer_arg(2)
kprobe.function("sys_brk") ?
{
name = "brk"
- // brk = $brk
asmlinkage()
brk = ulong_arg(1)
argstr = sprintf("%p", brk)
probe nd_syscall.capget = kprobe.function("sys_capget") ?
{
name = "capget"
- // header_uaddr = $header
- // data_uaddr = $dataptr
- // argstr = sprintf("%p, %p", $header, $dataptr)
asmlinkage()
header_uaddr = pointer_arg(1)
data_uaddr = pointer_arg(2)
probe nd_syscall.capset = kprobe.function("sys_capset") ?
{
name = "capset"
- // header_uaddr = $header
- // data_uaddr = $data
- // argstr = sprintf("%p, %p", $header, $data)
asmlinkage()
header_uaddr = pointer_arg(1)
data_uaddr = pointer_arg(2)
probe nd_syscall.chdir = kprobe.function("sys_chdir") ?
{
name = "chdir"
- // path = user_string($filename)
- // argstr = user_string_quoted($filename)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
probe nd_syscall.chmod = kprobe.function("sys_chmod") ?
{
name = "chmod"
- // path = user_string($filename)
- // mode = $mode
- // argstr = sprintf("%s, %#o", user_string_quoted($filename), mode)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
mode = uint_arg(2)
probe nd_syscall.chown = kprobe.function("sys_chown") ?
{
name = "chown"
- // path = user_string($filename)
- // owner = __int32($user)
- // group = __int32($group)
- // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
owner = __int32(uint_arg(2))
probe nd_syscall.chown16 = kprobe.function("sys_chown16") ?
{
name = "chown16"
- // path = user_string($filename)
- // owner = __short($user)
- // group = __short($group)
- // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
owner = __short(uint_arg(2))
probe nd_syscall.chroot = kprobe.function("sys_chroot") ?
{
name = "chroot"
- // path = user_string($filename)
- // argstr = user_string_quoted($filename)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
kprobe.function("sys_clock_getres") ?
{
name = "clock_getres"
- // clk_id = $which_clock
- // clk_id_str = _get_wc_str($which_clock)
- // res_uaddr = $tp
- // argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
probe nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime") ?
{
name = "clock_gettime"
- // clk_id = $which_clock
- // clk_id_str = _get_wc_str($which_clock)
- // argstr = sprintf("%s, %p", _get_wc_str($which_clock), $tp)
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
{
@__syscall_gate(%{ __NR_clock_nanosleep %})
name = "clock_nanosleep"
- // if ($flags == 1)
- // flag_str = "TIMER_ABSTIME"
- // else
- // flag_str = sprintf("0x%x", $flags)
- // argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
kprobe.function("compat_sys_clock_nanosleep").call ?
{
name = "clock_nanosleep"
- // if ($flags == 1)
- // flag_str = "TIMER_ABSTIME"
- // else
- // flag_str = sprintf("0x%x", $flags)
- // argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
- // _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
flags = int_arg(2)
if (flags == 1)
probe __nd_syscall.clock_settime = kprobe.function("sys_clock_settime").call
{
@__syscall_gate(%{ __NR_clock_settime %})
- // clk_id = $which_clock
- // clk_id_str = _get_wc_str($which_clock)
- // tp_uaddr = $tp
- // argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
probe __nd_syscall.compat_clock_settime =
kprobe.function("compat_sys_clock_settime").call ?
{
- // clk_id = $which_clock
- // clk_id_str = _get_wc_str($which_clock)
- // tp_uaddr = $tp
- // argstr = sprintf("%s, %s", clk_id_str,
- // _struct_compat_timespec_u($tp, 1))
asmlinkage()
clk_id = int_arg(1)
clk_id_str = _get_wc_str(clk_id)
{
@__syscall_compat_gate(%{ __NR_close %}, %{ __NR_compat_close %})
name = "close"
- // fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
probe nd_syscall.connect = kprobe.function("sys_connect") ?
{
name = "connect"
- // sockfd = $fd
- // serv_addr_uaddr = $uservaddr
- // addrlen = $addrlen
- // argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
asmlinkage()
sockfd = int_arg(1)
serv_addr_uaddr = pointer_arg(2)
probe nd_syscall.creat = kprobe.function("sys_creat") ?
{
name = "creat"
- // mode = $mode
- // pathname = user_string($pathname)
- // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
asmlinkage()
mode = int_arg(2)
pathname = user_string_quoted(pointer_arg(1))
probe nd_syscall.delete_module = kprobe.function("sys_delete_module") ?
{
name = "delete_module"
- // name_user = user_string($name_user)
- // flags = $flags
- // argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
asmlinkage()
name_user = user_string_quoted(pointer_arg(1))
flags = uint_arg(2)
probe nd_syscall.dup = kprobe.function("sys_dup") ?
{
name = "dup"
- // oldfd = $fildes
- // argstr = sprint($fildes)
asmlinkage()
# 'old_fd' should have been 'oldfd. Deprecate the old name.
%(systemtap_v <= "1.4" %?
probe nd_syscall.dup2 = kprobe.function("sys_dup2")
{
name = "dup2"
- // oldfd = $oldfd
- // newfd = $newfd
- // # The dup2 syscall doesn't have a 'flags' argument. But, the
- // # syscall.dup2 and syscall.dup3 probes used to be combined, so
- // # both probes need a 'flags' variable.
- // flags = 0
- // argstr = sprintf("%d, %d", $oldfd, $newfd)
asmlinkage()
oldfd = int_arg(1)
newfd = int_arg(2)
{
@__syscall_compat_gate(%{ __NR_dup3 %}, %{ __NR_compat_dup3 %})
name = "dup3";
- // oldfd = $oldfd
- // newfd = $newfd
- // flags = $flags
- // argstr = sprintf("%d, %d, %s", $oldfd, $newfd, _dup3_flag_str(flags));
asmlinkage()
oldfd = int_arg(1)
newfd = int_arg(2)
}
probe __nd_syscall.epoll_create1 = kprobe.function("sys_epoll_create1")
{
- // size = @defined($size) ? $size : 0;
- // flags = @defined($flags) ? $flags : 0;
asmlinkage()
size = 0;
flags = int_arg(1)
probe __nd_syscall.epoll_create = kprobe.function("sys_epoll_create")
{
name = "epoll_create"
- // size = $size
- // argstr = sprint($size)
asmlinkage()
size = int_arg(1)
flags = 0
kprobe.function("sys_epoll_ctl") ?
{
name = "epoll_ctl"
- // epfd = $epfd
- // eop = $op
- // eop_str = _opoll_op_str($op)
- // efd = $fd
- // eevent_uaddr = $event
- // eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
asmlinkage()
epfd = int_arg(1)
op = int_arg(2)
name = "epoll_pwait"
asmlinkage()
argstr = sprintf("%d, %p, %d, %d, %p, %d",
-// $epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6))
}
probe nd_syscall.epoll_pwait.return = kprobe.function("compat_sys_epoll_pwait").return ?,
kprobe.function("sys_epoll_wait") ?
{
name = "epoll_wait"
- // epfd = $epfd
- // events_uaddr = $events
- // maxevents = $maxevents
- // timeout = $timeout
- // argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
asmlinkage()
epfd = int_arg(1)
events_uaddr = pointer_arg(2)
probe __nd_syscall.eventfd = kprobe.function("sys_eventfd")
{
name = "eventfd"
- // argstr = sprint($count)
asmlinkage()
flags = 0
argstr = sprint(uint_arg(1))
probe nd_syscall.execve = kprobe.function("sys_execve")
{
name = "execve"
- // filename = user_string($filename)
- // args = __get_argv($argv, 0)
- // argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
asmlinkage()
filename = user_string_quoted(pointer_arg(1))
args = __get_argv(pointer_arg(2), 0)
probe nd_syscall.compat_execve = kprobe.function("compat_sys_execve").call ?
{
name = "compat_execve"
- // filename = user_string($filename)
- // args = __get_compat_argv($argv, 0)
- // argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
asmlinkage()
filename = user_string_quoted(pointer_arg(1))
args = __get_compat_argv(pointer_arg(2), 0)
probe nd_syscall.compat_execve = kprobe.function("compat_do_execve").call ?
{
name = "compat_execve"
- // filename = kernel_string($filename)
- // args = __get_compat_argv($argv, 0)
- // argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
filename = kernel_string(pointer_arg(1))
args = __get_compat_argv(pointer_arg(2), 0)
argstr = sprintf("%s %s", filename,
probe nd_syscall.exit = kprobe.function("do_exit").call
{
name = "exit"
- // status = $code
- // argstr = sprint($code)
asmlinkage()
status = int_arg(1)
argstr = sprint(status)
probe nd_syscall.exit_group = kprobe.function("sys_exit_group").call ?
{
name = "exit_group"
- // status = $error_code
- // argstr = sprint($error_code)
asmlinkage()
status = int_arg(1)
argstr = sprint(status)
@__syscall_compat_gate(%{ __NR_faccessat %},
%{ __NR_compat_faccessat %})
name = "faccessat"
- // dirfd = $dfd
- // dirfd_str = _dfd_str($dfd)
- // pathname = user_string($filename)
- // mode = $mode
- // mode_str = _access_mode_str($mode)
- // argstr = sprintf("%s, %s, %s", dirfd_str, user_string_quoted($filename), mode_str)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") ?
{
name = "fadvise64"
- // fd = $fd
- // offset = $offset
- // len = $len
- // advice = $advice
- // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
asmlinkage()
fd = int_arg(1)
offset = longlong_arg(2)
probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64") ?
{
name = "fadvise64_64"
- // fd = $fd
- // offset = $offset
- // len = $len
- // advice = $advice
- // argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
asmlinkage()
fd = int_arg(1)
offset = longlong_arg(2)
probe nd_syscall.fchdir = kprobe.function("sys_fchdir") ?
{
name = "fchdir"
- // fd = $fd
- // argstr = sprint($fd)
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
probe nd_syscall.fchmod = kprobe.function("sys_fchmod") ?
{
name = "fchmod"
- // fildes = $fd
- // mode = $mode
asmlinkage()
fildes = int_arg(1)
mode = uint_arg(2) # SAFE?
@__syscall_compat_gate(%{ __NR_fchmodat %},
%{ __NR_compat_fchmodat %})
name = "fchmodat"
- // dirfd = $dfd
- // dirfd_str = _dfd_str($dfd)
- // pathname = user_string($filename)
- // mode = $mode
- // argstr = sprintf("%s, %s, %#o", dirfd_str, user_string_quoted($filename), $mode)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
probe nd_syscall.fchown = kprobe.function("sys_fchown") ?
{
name = "fchown"
- // fd = $fd
- // owner = __int32($user)
- // group = __int32($group)
- // argstr = sprintf("%d, %d, %d", $fd, owner, group)
asmlinkage()
fd = int_arg(1)
owner = __int32(uint_arg(2))
probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ?
{
name = "fchown16"
- // fd = $fd
- // owner = __short($user)
- // group = __short($group)
- // argstr = sprintf("%d, %d, %d", $fd, owner, group)
asmlinkage()
fd = int_arg(1)
owner = __short(uint_arg(2))
@__syscall_compat_gate(%{ __NR_fchownat %},
%{ __NR_compat_fchownat %})
name = "fchownat"
- // dirfd = $dfd
- // dirfd_str = _dfd_str($dfd)
- // pathname = user_string($filename)
- // owner = __int32($user)
- // group = __int32($group)
- // flags = $flag
- // flags_str = _at_flag_str($flag)
- // argstr = sprintf("%s, %s, %d, %d, %s",
- // dirfd_str, user_string_quoted($filename), owner, group, flags_str)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
kprobe.function("sys_fcntl") ?
{
name = "fcntl"
- // fd = $fd
- // cmd = $cmd
- // cmd_str = _fcntl_cmd_str($cmd)
- // arg = $arg
- // argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
asmlinkage()
fd = int_arg(1)
cmd = int_arg(2)
probe nd_syscall.fdatasync = kprobe.function("sys_fdatasync") ?
{
name = "fdatasync"
- // fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
probe nd_syscall.fgetxattr = kprobe.function("sys_fgetxattr") ?
{
name = "fgetxattr"
- // filedes = $fd
- // name2 = user_string($name)
- // value_uaddr = $value
- // size = $size
- // argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size)
asmlinkage()
filedes = int_arg(1)
# 'name2' should have been 'name_str'. Deprecate the old name.
probe nd_syscall.flistxattr = kprobe.function("sys_flistxattr") ?
{
name = "flistxattr"
- // filedes = $fd
- // list_uaddr = $list
- // size = $size
asmlinkage()
filedes = int_arg(1)
list_uaddr = pointer_arg(2)
probe nd_syscall.flock = kprobe.function("sys_flock") ?
{
name = "flock"
- // fd = $fd
- // operation = $cmd
asmlinkage()
fd = int_arg(1)
operation = int_arg(2)
probe nd_syscall.fremovexattr = kprobe.function("sys_fremovexattr") ?
{
name = "fremovexattr"
- // filedes = $fd
- // name2 = user_string($name)
- // argstr = sprintf("%d, %s", $fd, user_string_quoted($name))
asmlinkage()
filedes = int_arg(1)
probe nd_syscall.fsetxattr = kprobe.function("sys_fsetxattr") ?
{
name = "fsetxattr"
- // filedes = $fd
- // name2 = user_string($name)
- // value_uaddr = $value
- // size = $size
- // flags = $flags
- // argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
asmlinkage()
filedes = int_arg(1)
# 'name2' should have been 'name_str'. Deprecate the old name.
kprobe.function("compat_sys_newfstat") ?
{
name = "fstat"
- // filedes = $fd
- // buf_uaddr = $statbuf
- // argstr = sprintf("%d, %p", $fd, $statbuf)
asmlinkage()
filedes = int_arg(1)
buf_uaddr = pointer_arg(2)
kprobe.function("sys32_fstatat64") ?
{
name = "fstatat"
- // dirfd = $dfd
- // path = user_string($filename)
- // buf_uaddr = $statbuf
- // argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
asmlinkage()
dirfd = int_arg(1)
path = user_string_quoted(pointer_arg(2))
kprobe.function("sys_fstatfs") ?
{
name = "fstatfs"
- // fd = $fd
- // buf_uaddr = $buf
- // argstr = sprintf("%d, %p", $fd, $buf)
asmlinkage()
fd = int_arg(1)
buf_uaddr = pointer_arg(2)
kprobe.function("sys_fstatfs64") ?
{
name = "fstatfs"
- // fd = $fd
- // sz = $sz
- // buf_uaddr = $buf
- // argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
asmlinkage()
fd = int_arg(1)
sz = ulong_arg(2)
probe nd_syscall.fsync = kprobe.function("sys_fsync") ?
{
name = "fsync"
- // fd = $fd
asmlinkage()
fd = int_arg(1)
argstr = sprint(fd)
__nd_syscall.compat_ftruncate ?
{
name = "ftruncate"
- // fd = $fd
- // length = $length
asmlinkage()
fd = int_arg(1)
argstr = sprintf("%d, %d", fd, length)
probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ?
{
name = "ftruncate"
- // fd = $fd
- // length = $length
asmlinkage()
fd = int_arg(1)
length = longlong_arg(2)
probe nd_syscall.futex = kprobe.function("sys_futex") ?
{
name = "futex"
- // futex_uaddr = $uaddr
- // op = $op
- // val = $val
- // utime_uaddr = $utime
- // uaddr2_uaddr = $uaddr2
- // val3 = $val3
- // if (op == 0)
- // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_timespec_u($utime, 1))
- // else
- // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
- // $val)
asmlinkage()
futex_uaddr = pointer_arg(1)
op = int_arg(2)
probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ?
{
name = "futex"
- // futex_uaddr = $uaddr
- // op = $op
- // val = $val
- // utime_uaddr = $utime
- // uaddr2_uaddr = $uaddr2
- // val3 = $val3
- // if (op == 0)
- // argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op),
- // $val, _struct_compat_timespec_u($utime, 1))
- // else
- // argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op),
- // $val)
asmlinkage()
futex_uaddr = pointer_arg(1)
op = int_arg(2)
probe nd_syscall.futimesat = kprobe.function("sys_futimesat") ?
{
name = "futimesat"
- // dirfd = $dfd
- // filename_uaddr = $filename
- // filename = user_string($filename)
- // tvp_uaddr = $utimes
- // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- // _struct_timeval_u($utimes, 2))
asmlinkage()
dirfd = int_arg(1)
filename_uaddr = pointer_arg(2)
probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ?
{
name = "futimesat"
- // dirfd = $dfd
- // filename_uaddr = $filename
- // filename = user_string($filename)
- // tvp_uaddr = $utimes
- // argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),
- // _struct_timeval_u($utimes, 2))
asmlinkage()
dirfd = uint_arg(1)
filename_uaddr = pointer_arg(2)
probe nd_syscall.getcwd = kprobe.function("sys_getcwd") ?
{
name = "getcwd"
- // buf_uaddr = $buf
- // size = $size
asmlinkage()
buf_uaddr = pointer_arg(1)
size = ulong_arg(2)
kprobe.function("compat_sys_getdents64") ?
{
name = "getdents"
- // fd = $fd
- // dirp_uaddr = $dirent
- // count = $count
- // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
asmlinkage()
fd = int_arg(1)
dirp_uaddr = pointer_arg(2)
kprobe.function("sys_getgroups") ?
{
name = "getgroups"
- // size = $gidsetsize
- // list_uaddr = $grouplist
- // argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
asmlinkage()
size = int_arg(1)
list_uaddr = pointer_arg(2)
probe nd_syscall.gethostname = kprobe.function("sys_gethostname") ?
{
name = "gethostname"
- // name_uaddr = $name
- // len = $len
asmlinkage()
name_uaddr = pointer_arg(1)
len = int_arg(2)
probe nd_syscall.getitimer = kprobe.function("sys_getitimer") ?
{
name = "getitimer"
- // which = $which
- // value_uaddr = $value
- // argstr = sprintf("%s, %p", _itimer_which_str($which), $value)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ?
{
name = "getitimer"
- // which = $which
- // value_uaddr = $it
- // argstr = sprintf("%s, %p", _itimer_which_str($which), $it)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
kprobe.function("sys_get_mempolicy") ?
{
name = "get_mempolicy"
- // policy_uaddr = $policy
- // nmask_uaddr = $nmask
- // maxnode = $maxnode
- // addr = $addr
- // flags = $flags
- // argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
- // $nmask, $maxnode, $addr, $flags)
asmlinkage()
policy_uaddr = pointer_arg(1)
nmask_uaddr = pointer_arg(2)
probe nd_syscall.getpeername = kprobe.function("sys_getpeername") ?
{
name = "getpeername"
- // s = $fd
- // name_uaddr = $usockaddr
- // namelen_uaddr = $usockaddr_len
- // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
asmlinkage()
s = int_arg(1)
name_uaddr = pointer_arg(2)
{
@__syscall_compat_gate(%{ __NR_getpgid %}, %{ __NR_compat_getpgid %})
name = "getpgid"
- // pid = $pid
- // argstr = sprintf("%d", $pid)
asmlinkage()
pid = int_arg(1)
argstr = sprintf("%d", pid)
probe nd_syscall.getpriority = kprobe.function("sys_getpriority") ?
{
name = "getpriority"
- // which = $which
- // who = $who
asmlinkage()
which = int_arg(1)
who = int_arg(2)
kprobe.function("sys_getresgid") ?
{
name = "getresgid"
- // rgid_uaddr = $rgid
- // egid_uaddr = $egid
- // sgid_uaddr = $sgid
- // argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
asmlinkage()
rgid_uaddr = pointer_arg(1)
egid_uaddr = pointer_arg(2)
kprobe.function("sys_getresuid") ?
{
name = "getresuid"
- // ruid_uaddr = $ruid
- // euid_uaddr = $euid
- // suid_uaddr = $suid
- // argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
asmlinkage()
ruid_uaddr = pointer_arg(1)
euid_uaddr = pointer_arg(2)
kprobe.function("compat_sys_getrlimit") ?
{
name = "getrlimit"
- // resource = $resource
- // rlim_uaddr = $rlim
- // argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
asmlinkage()
resource = uint_arg(1)
rlim_uaddr = pointer_arg(2)
kprobe.function("compat_sys_getrusage").call ?
{
name = "getrusage"
- // who = $who
- // if ($who == -2) {
- // # RUSAGE_BOTH is not valid argument for sys_getrusage
- // who_str = sprintf("UNKNOWN VALUE: %d", $who)
- // } else
- // who_str = _rusage_who_str($who)
- // usage_uaddr = $ru
asmlinkage()
who = int_arg(1)
if (who == -2) {
probe nd_syscall.getsid = kprobe.function("sys_getsid") ?
{
name = "getsid"
- // pid = $pid
asmlinkage()
pid = int_arg(1)
argstr = sprint(pid)
probe nd_syscall.getsockname = kprobe.function("sys_getsockname") ?
{
name = "getsockname"
- // s = $fd
- // name_uaddr = $usockaddr
- // namelen_uaddr = $usockaddr_len
- // argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
asmlinkage()
s = int_arg(1)
name_uaddr = pointer_arg(2)
kprobe.function("sys_getsockopt") ?
{
name = "getsockopt"
- // fd = $fd
- // level = $level
- // level_str = _sockopt_level_str($level)
- // optname = $optname
- // optname_str = _sockopt_optname_str($optname)
- // optval_uaddr = $optval
- // optlen_uaddr = $optlen
- // argstr = sprintf("%d, %s, %s, %p, %p", $fd, _sockopt_level_str($level),
- // _sockopt_optname_str($optname), $optval, $optlen)
asmlinkage()
fd = int_arg(1)
level = int_arg(2)
kprobe.function("sys_gettimeofday") ?
{
name = "gettimeofday"
- // tv_uaddr = $tv
- // tz_uaddr = $tz
- // argstr = sprintf("%p, %p", $tv, $tz)
asmlinkage()
tv_uaddr = pointer_arg(1)
tz_uaddr = pointer_arg(2)
probe nd_syscall.getxattr = kprobe.function("sys_getxattr") ?
{
name = "getxattr"
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // name2 = user_string($name)
- // value_uaddr = $value
- // size = $size
- // argstr = sprintf("%s, %s, %p, %d",
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // user_string_quoted($name),
- // value_uaddr, size)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
# 'name2' should have been 'name_str'. Deprecate the old name.
probe nd_syscall.init_module = kprobe.function("sys_init_module") ?
{
name = "init_module"
- // umod_uaddr = $umod
- // len = $len
- // uargs = user_string($uargs)
- // argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
asmlinkage()
umod_uaddr = pointer_arg(1)
len = ulong_arg(2)
probe nd_syscall.inotify_add_watch = kprobe.function("sys_inotify_add_watch") ?
{
name = "inotify_add_watch"
- // fd = $fd
- // mask = $mask
- // path_uaddr = (@defined($pathname) ? $pathname : $path)
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // argstr = sprintf("%d, %s, %s", $fd,
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // _inotify_watch_mask_str($mask))
asmlinkage()
fd = int_arg(1)
path_uaddr = pointer_arg(2)
probe nd_syscall.inotify_rm_watch = kprobe.function("sys_inotify_rm_watch") ?
{
name = "inotify_rm_watch"
- // fd = $fd
- // wd = $wd
- // argstr = sprintf("%d, %d", $fd, $wd)
asmlinkage()
fd = int_arg(1)
wd = uint_arg(2)
probe nd_syscall.io_cancel = kprobe.function("sys_io_cancel") ?
{
name = "io_cancel"
- // ctx_id = $ctx_id
- // iocb_uaddr = $iocb
- // result_uaddr = $result
asmlinkage()
ctx_id = ulong_arg(1)
iocb_uaddr = pointer_arg(2)
kprobe.function("sys_ioctl") ?
{
name = "ioctl"
- // fd = $fd
- // request = $cmd
- // argp = $arg
- // argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
asmlinkage()
fd = int_arg(1)
request = int_arg(2)
probe nd_syscall.io_destroy = kprobe.function("sys_io_destroy") ?
{
name = "io_destroy"
- // ctx = $ctx
asmlinkage()
ctx = ulong_arg(1)
argstr = sprintf("%d", ctx)
probe nd_syscall.io_getevents = kprobe.function("sys_io_getevents") ?
{
name = "io_getevents"
- // ctx_id = $ctx_id
- // min_nr = $min_nr
- // nr = $nr
- // events_uaddr = $events
- // timeout_uaddr = $timeout
- // timestr = _struct_timespec_u($timeout, 1)
- // argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
- // $nr, $events, $timeout, timestr)
asmlinkage()
ctx_id = ulong_arg(1)
min_nr = long_arg(2)
kprobe.function("compat_sys_io_getevents") ?
{
name = "io_getevents"
- // ctx_id = $ctx_id
- // min_nr = $min_nr
- // nr = $nr
- // events_uaddr = $events
- // timeout_uaddr = $timeout
- // timestr = _struct_compat_compat_timespec_u($timeout, 1)
- // argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
- // $nr, $events, $timeout, timestr)
asmlinkage()
ctx_id = ulong_arg(1)
min_nr = long_arg(2)
probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ?
{
name = "ioperm"
- // from = $from
- // num = $num
- // turn_on = $turn_on
- // argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
asmlinkage()
from = ulong_arg(1)
num = ulong_arg(2)
probe nd_syscall.io_setup = kprobe.function("sys_io_setup") ?
{
name = "io_setup"
- // maxevents = $nr_events
- // ctxp_uaddr = $ctxp
- // argstr = sprintf("%d, %p", $nr_events, $ctxp)
asmlinkage()
maxevents = uint_arg(1)
ctxp_uaddr = pointer_arg(2)
probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ?
{
name = "io_setup"
- // maxevents = $nr_reqs
- // ctxp_uaddr = $ctx32p
- // argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
asmlinkage()
maxevents = uint_arg(1)
ctxp_uaddr = pointer_arg(2)
probe nd_syscall.io_submit = kprobe.function("sys_io_submit") ?
{
name = "io_submit"
- // ctx_id = $ctx_id
- // nr = $nr
- // iocbpp_uaddr = $iocbpp
- // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
asmlinkage()
ctx_id = ulong_arg(1)
nr = long_arg(2)
probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ?
{
name = "io_submit"
- // ctx_id = $ctx_id
- // nr = $nr
- // iocbpp_uaddr = $iocb
- // argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
asmlinkage()
ctx_id = ulong_arg(1)
nr = int_arg(2)
probe nd_syscall.ioprio_get = kprobe.function("sys_ioprio_get") ?
{
name = "ioprio_get"
- // which = $which
- // who = $who
- // argstr = sprintf("%d, %d", $which, $who)
asmlinkage()
which = int_arg(1)
who = int_arg(2)
probe nd_syscall.ioprio_set = kprobe.function("sys_ioprio_set") ?
{
name = "ioprio_set"
- // which = $which
- // who = $who
- // ioprio = $ioprio
- // argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
asmlinkage()
which = int_arg(1)
who = int_arg(2)
kprobe.function("sys_kexec_load") ?
{
name = "kexec_load"
- // entry = $entry
- // nr_segments = $nr_segments
- // segments_uaddr = $segments
- // flags = $flags
- // argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
asmlinkage()
entry = ulong_arg(1)
nr_segments = ulong_arg(2)
kprobe.function("sys_keyctl") ?
{
name = "keyctl"
- // argstr = sprintf("%d, ...", $option)
asmlinkage()
argstr = sprintf("%d, ...", uint_arg(1))
probe nd_syscall.kill = kprobe.function("sys_kill") ?
{
name = "kill"
- // pid = $pid
- // sig = $sig
- // argstr = sprintf("%d, %s", $pid, _signal_name($sig))
asmlinkage()
pid = int_arg(1)
sig = int_arg(2)
probe nd_syscall.lchown = kprobe.function("sys_lchown") ?
{
name = "lchown"
- // path = user_string($filename)
- // owner = __int32($user)
- // group = __int32($group)
- // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
owner = __int32(uint_arg(2))
probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ?
{
name = "lchown16"
- // path = user_string($filename)
- // owner = __short($user)
- // group = __short($group)
- // argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
owner = __short(uint_arg(2))
probe nd_syscall.lgetxattr = kprobe.function("sys_lgetxattr") ?
{
name = "lgetxattr"
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // # FIXME
- // name2 = user_string($name)
- // value_uaddr = $value
- // size = $size
- // argstr = sprintf("%s, %s, %p, %d",
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // user_string_quoted($name),
- // value_uaddr, size)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
# 'name2' should have been 'name_str'. Deprecate the old name.
probe nd_syscall.link = kprobe.function("sys_link") ?
{
name = "link"
- // oldpath = user_string($oldname)
- // newpath = user_string($newname)
- // argstr = sprintf("%s, %s",
- // user_string_quoted($oldname),
- // user_string_quoted($newname))
asmlinkage()
oldpath = user_string_quoted(pointer_arg(1))
newpath = user_string_quoted(pointer_arg(2))
{
@__syscall_compat_gate(%{ __NR_linkat %}, %{ __NR_compat_linkat %})
name = "linkat"
- // olddirfd = $olddfd
- // olddirfd_str = _dfd_str($olddfd)
- // oldpath = user_string($oldname)
- // newdirfd = $newdfd
- // newdirfd_str = _dfd_str($newdfd)
- // newpath = user_string($newname)
- // flags = $flags
- // flags_str = _at_flag_str($flags)
- // argstr = sprintf("%s, %s, %s, %s, %s",
- // olddirfd_str, user_string_quoted($oldname),
- // newdirfd_str, user_string_quoted($newname),
- // flags_str)
asmlinkage()
olddirfd = int_arg(1)
olddirfd_str = _dfd_str(olddirfd)
probe nd_syscall.listen = kprobe.function("sys_listen") ?
{
name = "listen"
- // sockfd = $fd
- // backlog = $backlog
- // argstr = sprintf("%d, %d", $fd, $backlog)
asmlinkage()
sockfd = int_arg(1)
backlog = int_arg(2)
probe nd_syscall.listxattr = kprobe.function("sys_listxattr") ?
{
name = "listxattr"
- // list_uaddr = $list
- // size = $size
- // path_uaddr = (@defined($pathname) ? $pathname : $path)
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // argstr = sprintf("%s, %p, %d",
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // $list, $size)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string_quoted(path_uaddr)
probe nd_syscall.llistxattr = kprobe.function("sys_llistxattr") ?
{
name = "llistxattr"
- // list_uaddr = $list
- // size = $size
- // path_uaddr = (@defined($pathname) ? $pathname : $path)
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // argstr = sprintf("%s, %p, %d",
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // $list, $size)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string_quoted(path_uaddr)
probe nd_syscall.llseek = kprobe.function("sys_llseek") ?
{
name = "llseek"
- // fd = $fd
- // offset_high = $offset_high
- // offset_low = $offset_low
- // result_uaddr = $result
- // whence = $origin
- // whence_str = _seek_whence_str($origin)
- // argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
- // $offset_low, $result, whence_str)
asmlinkage()
fd = int_arg(1)
offset_high = ulong_arg(2)
probe nd_syscall.lookup_dcookie = kprobe.function("sys_lookup_dcookie") ?
{
name = "lookup_dcookie"
- // cookie = $cookie64
- // buffer_uaddr = $buf
- // len = $len
- // argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
asmlinkage()
cookie = ulonglong_arg(1)
buffer_uaddr = pointer_arg(2)
probe nd_syscall.lremovexattr = kprobe.function("sys_lremovexattr") ?
{
name = "lremovexattr"
- // name_uaddr = $name
- // name2 = user_string($name)
- // path_uaddr = (@defined($pathname) ? $pathname : $path)
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // argstr = sprintf("%s, %s",
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // user_string_quoted($name))
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string_quoted(path_uaddr)
probe nd_syscall.lseek = __nd_syscall.lseek, __nd_syscall.compat_lseek ?
{
name = "lseek"
- // fildes = $fd
- // # offset = __int32($offset)
- // offset = $offset
- // whence = $origin
- // whence_str = _seek_whence_str($origin)
- // argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
asmlinkage()
fildes = int_arg(1)
whence = uint_arg(3)
}
probe __nd_syscall.lseek = kprobe.function("sys_lseek")
{
- // offset = $offset
asmlinkage()
offset = long_arg(2)
}
probe __nd_syscall.compat_lseek = kprobe.function("compat_sys_lseek")
{
- // offset = __int32($offset)
asmlinkage()
offset = s32_arg(2)
}
probe nd_syscall.lsetxattr = kprobe.function("sys_lsetxattr") ?
{
name = "lsetxattr"
- // path_uaddr = (@defined($pathname) ? $pathname : $path)
- // path = user_string(@defined($pathname) ? $pathname : $path)
- // name_uaddr = $name
- // name_str = user_string($name)
- // value_uaddr = $value
- // size = $size
- // flags = $flags
- // argstr = sprintf("%s, %s, %p, %d, %d",
- // user_string_quoted(@defined($pathname) ? $pathname : $path),
- // user_string_quoted($name),
- // value_uaddr, $size, $flags)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string_quoted(path_uaddr)
kprobe.function("sys_oabi_lstat64") ?
{
name = "lstat"
- // path = user_string($filename)
- // buf_uaddr = $statbuf
- // argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
buf_uaddr = pointer_arg(2)
probe nd_syscall.madvise = kprobe.function("sys_madvise") ?
{
name = "madvise"
- // start = $start
- // length = $len_in
- // advice = $behavior
- // advice_str = _madvice_advice_str($behavior)
- // argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
kprobe.function("sys_mbind") ?
{
name = "mbind"
- // start = $start
- // len = $len
- // mode = $mode
- // nmask_uaddr = $nmask
- // maxnode = $maxnode
- // flags = $flags
- // argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
- // $nmask, $maxnode, $flags)
asmlinkage()
start = ulong_arg(1)
len = long_arg(2)
probe nd_syscall.migrate_pages = kprobe.function("sys_migrate_pages") ?
{
name = "migrate_pages"
- // argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
asmlinkage()
argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4))
}
probe nd_syscall.mincore = kprobe.function("sys_mincore") ?
{
name = "mincore"
- // start = $start
- // length = $len
- // vec_uaddr = $vec
- // argstr = sprintf("%p, %d, %p", $start, $len, $vec)
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
probe nd_syscall.mkdir = kprobe.function("sys_mkdir") ?
{
name = "mkdir"
- // pathname_uaddr = $pathname
- // pathname = user_string($pathname)
- // mode = $mode
- // argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
asmlinkage()
pathname_uaddr = pointer_arg(1)
pathname = user_string_quoted(pathname_uaddr)
{
@__syscall_compat_gate(%{ __NR_mkdirat %}, %{ __NR_compat_mkdirat %})
name = "mkdirat"
- // dirfd = $dfd
- // pathname = user_string($pathname)
- // mode = $mode
- // argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
asmlinkage()
dirfd = int_arg(1)
pathname = user_string_quoted(pointer_arg(2))
probe nd_syscall.mknod = kprobe.function("sys_mknod") ?
{
name = "mknod"
- // pathname = user_string($filename)
- // mode = $mode
- // dev = $dev
- // argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
asmlinkage()
pathname = user_string_quoted(pointer_arg(1))
mode = int_arg(2)
probe nd_syscall.mknodat = kprobe.function("sys_mknodat") ?
{
name = "mknodat"
- // dirfd = $dfd
- // dirfd_str = _dfd_str($dfd)
- // pathname = user_string($filename)
- // mode = $mode
- // mode_str = _mknod_mode_str($mode)
- // dev = $dev
- // argstr = sprintf("%s, %s, %s, %p",
- // dirfd_str, user_string_quoted($filename), mode_str, $dev)
asmlinkage()
dirfd = int_arg(1)
dirfd_str = _dfd_str(dirfd)
probe nd_syscall.mlock = kprobe.function("sys_mlock") ?
{
name = "mlock"
- // addr = $start
- // len = $len
- // argstr = sprintf("%p, %d", $start, $len)
asmlinkage()
addr = ulong_arg(1)
len = ulong_arg(2)
probe nd_syscall.mlockall = kprobe.function("sys_mlockall") ?
{
name = "mlockall"
- // flags = $flags
- // argstr = _mlockall_flags_str($flags)
asmlinkage()
flags = int_arg(1)
argstr = _mlockall_flags_str(flags)
probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ?
{
name = "modify_ldt"
- // func = $func
- // ptr_uaddr = $ptr
- // bytecount = $bytecount
- // argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
asmlinkage()
func = int_arg(1)
ptr_uaddr = pointer_arg(2)
kprobe.function("sys_move_pages") ?
{
name = "move_pages"
- // argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
asmlinkage()
argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6))
}
kprobe.function("sys_mount") ?
{
name = "mount"
- // source = user_string($dev_name)
- // target = user_string($dir_name)
- // filesystemtype = user_string($type)
- // mountflags = $flags
- // mountflags_str = _mountflags_str($flags)
- // data = text_strn(user_string($data), syscall_string_trunc, 1)
- // argstr = sprintf("%s, %s, %s, %s, %s",
- // user_string_quoted($dev_name),
- // user_string_quoted($dir_name),
- // user_string_quoted($type),
- // mountflags_str, data)
asmlinkage()
source = user_string_quoted(pointer_arg(1))
target = user_string_quoted(pointer_arg(2))
probe nd_syscall.mmap2 = kprobe.function("sys_mmap_pgoff") ?
{
name = "mmap2"
- // start = $addr
- // length = $len
- // prot = $prot
- // flags = $flags
- // # Although the kernel gets an unsigned long fd, on the
- // # user-side it is a signed int. Fix this.
- // fd = __int32($fd)
- // # $pgoff is the number of pages. Convert this back into a
- // # number of bytes.
- // pgoffset = $pgoff * %{ PAGE_SIZE %}
- // argstr = sprintf("%p, %d, %s, %s, %d, %d", $addr, $len,
- // _mprotect_prot_str($prot), _mmap_flags($flags),
- // __int32($fd), pgoffset)
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
probe nd_syscall.mprotect = kprobe.function("sys_mprotect") ?
{
name = "mprotect"
- // addr = $start
- // len = $len
- // prot = $prot
- // prot_str = _mprotect_prot_str($prot)
- // argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
asmlinkage()
addr = ulong_arg(1)
len = ulong_arg(2)
kprobe.function("sys_mq_getsetattr") ?
{
name = "mq_getsetattr"
- // mqdes = $mqdes
- // u_mqstat_uaddr = $u_mqstat
- // u_omqstat_uaddr = $u_omqstat
- // argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
asmlinkage()
mqdes = int_arg(1)
u_mqstat_uaddr = pointer_arg(2)
kprobe.function("sys_mq_notify") ?
{
name = "mq_notify"
- // mqdes = $mqdes
- // notification_uaddr = $u_notification
- // argstr = sprintf("%d, %p", $mqdes, $u_notification)
asmlinkage()
mqdes = int_arg(1)
notification_uaddr = pointer_arg(2)
kprobe.function("sys_mq_open") ?
{
name = "mq_open"
- // name_uaddr = $u_name
- // filename = user_string($u_name)
- // mode = $mode
- // u_attr_uaddr = $u_attr
- // oflag = $oflag
- // if (oflag & 64)
- // argstr = sprintf("%s, %s, %#o, %p", user_string_quoted($u_name),
- // _sys_open_flag_str($oflag), $mode, $u_attr)
- // else
- // argstr = sprintf("%s, %s", user_string_quoted($u_name), _sys_open_flag_str($oflag))
asmlinkage()
name_uaddr = pointer_arg(1)
filename = user_string_quoted(name_uaddr)
kprobe.function("sys_mq_timedreceive") ?
{
name = "mq_timedreceive"
- // mqdes = $mqdes
- // msg_ptr_uaddr = $u_msg_ptr
- // msg_len = $msg_len
- // msg_prio_uaddr = $u_msg_prio
- // abs_timout_uaddr = $u_abs_timeout
- // argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
- // $u_msg_prio, $u_abs_timeout)
asmlinkage()
mqdes = int_arg(1)
msg_ptr_uaddr = pointer_arg(2)
kprobe.function("sys_mq_timedsend") ?
{
name = "mq_timedsend"
- // mqdes = $mqdes
- // msg_ptr_uaddr = $u_msg_ptr
- // msg_len = $msg_len
- // msg_prio = $msg_prio
- // abs_timeout_uaddr = $u_abs_timeout
- // argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
- // $msg_prio, $u_abs_timeout)
asmlinkage()
mqdes = int_arg(1)
msg_ptr_uaddr = pointer_arg(2)
probe nd_syscall.mq_unlink = kprobe.function("sys_mq_unlink") ?
{
name = "mq_unlink"
- // u_name_uaddr = $u_name
- // u_name = user_string($u_name)
- // argstr = user_string_quoted($u_name)
asmlinkage()
u_name_uaddr = pointer_arg(1)
u_name = user_string_quoted(u_name_uaddr)
kprobe.function("sys_mremap") ?
{
name = "mremap"
- // old_address = $addr
- // old_size = $old_len
- // new_size = $new_len
- // flags = $flags
- // new_address = $new_addr
- // argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
- // _mremap_flags($flags), $new_addr)
asmlinkage()
old_address = ulong_arg(1)
old_size = ulong_arg(2)
probe nd_syscall.msgctl = kprobe.function("sys_msgctl") ?
{
name = "msgctl"
- // msqid = $msqid
- // cmd = $cmd
- // buf_uaddr = $buf
- // argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
asmlinkage()
msqid = int_arg(1)
cmd = int_arg(2)
probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ?
{
name = "compat_sys_msgctl"
- // msqid = $first
- // cmd = $second
- // buf_uaddr = $uptr
- // argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
asmlinkage()
msqid = int_arg(1)
cmd = int_arg(2)
probe nd_syscall.msgget = kprobe.function("sys_msgget") ?
{
name = "msgget"
- // key = $key
- // msgflg = $msgflg
- // msgflg_str = _sys_open_flag_str($msgflg)
- // argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
asmlinkage()
key = int_arg(1)
msgflg = int_arg(2)
probe nd_syscall.msgrcv = kprobe.function("sys_msgrcv") ?
{
name = "msgrcv"
- // msqid = $msqid
- // msgp_uaddr = $msgp
- // msgsz = $msgsz
- // msgtyp = $msgtyp
- // msgflg = $msgflg
- // argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(2)
probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ?
{
name = "compat_sys_msgrcv"
- // msqid = $first
- // msgp_uaddr = $uptr
- // msgsz = $second
- // msgtyp = $msgtyp
- // msgflg = $third
- // argstr = sprintf("%d, %p, %d, %d", $first, $uptr, $second, $third)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(5)
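Review bot: The index in `msgp_uaddr = pointer_arg(5)` loses its only explanation once `// msgp_uaddr = $uptr` is deleted. The neighbouring compat_sys_msgsnd probe reads the same field from `pointer_arg(4)`, and nothing in this hunk shows the kernel prototype that would justify 5. If the index is off, any script tracing message-queue activity would report an unrelated argument as the user buffer address. I would add the C prototype as a comment above the probe (a `# long compat_sys_msgrcv(...)` line copied from the target kernel) and check the position of `uptr` against it. The probe body continues outside the hunk.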
probe nd_syscall.msgsnd = kprobe.function("sys_msgsnd") ?
{
name = "msgsnd"
- // msqid = $msqid
- // msgp_uaddr = $msgp
- // msgsz = $msgsz
- // msgflg = $msgflg
- // argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(2)
probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ?
{
name = "compat_sys_msgsnd"
- // msqid = $first
- // msgp_uaddr = $uptr
- // msgsz = $second
- // msgflg = $third
- // argstr = sprintf("%d, %p, %d, %d", $first, $uptr, $second, $third)
asmlinkage()
msqid = int_arg(1)
msgp_uaddr = pointer_arg(4)
probe nd_syscall.msync = kprobe.function("sys_msync") ?
{
name = "msync"
- // start = $start
- // length = $len
- // flags = $flags
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
probe nd_syscall.munlock = kprobe.function("sys_munlock") ?
{
name = "munlock"
- // addr = $start
- // len = $len
asmlinkage()
addr = ulong_arg(1)
len = ulong_arg(2)
probe nd_syscall.munmap = kprobe.function("sys_munmap") ?
{
name = "munmap"
- // start = $addr
- // length = $len
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
probe nd_syscall.nanosleep = kprobe.function("sys_nanosleep") ?
{
name = "nanosleep"
- // req_uaddr = $rqtp
- // rem_uaddr = $rmtp
- // argstr = sprintf("%s, %p", _struct_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
req_uaddr = pointer_arg(1)
rem_uaddr = pointer_arg(2)
probe nd_syscall.compat_nanosleep = kprobe.function("compat_sys_nanosleep") ?
{
name = "nanosleep"
- // req_uaddr = $rqtp
- // rem_uaddr = $rmtp
- // argstr = sprintf("%s, %p", _struct_compat_timespec_u($rqtp, 1), $rmtp)
asmlinkage()
req_uaddr = pointer_arg(1)
rem_uaddr = pointer_arg(2)
kprobe.function("compat_sys_nfsservctl") ?
{
name = "nfsservctl"
- // cmd = $cmd
- // argp_uaddr = $arg
- // resp_uaddr = $res
- // argstr = sprintf("%s, %p, %p", _nfsctl_cmd_str($cmd), $arg, $res)
asmlinkage()
cmd = int_arg(1)
argp_uaddr = pointer_arg(2)
probe nd_syscall.nice = kprobe.function("sys_nice") ?
{
name = "nice"
- // inc = $increment
- // argstr = sprintf("%d", $increment)
asmlinkage()
inc = int_arg(1)
argstr = sprintf("%d", inc)
{
@__syscall_compat_gate(%{ __NR_open %}, %{ __NR_compat_open %})
name = "open"
- // filename = user_string($filename)
- // flags = $flags
- // mode = $mode
- // if (flags & 64)
- // argstr = sprintf("%s, %s, %#o", user_string_quoted($filename),
- // _sys_open_flag_str($flags), $mode)
- // else
- // argstr = sprintf("%s, %s", user_string_quoted($filename),
- // _sys_open_flag_str($flags))
asmlinkage()
filename = user_string_quoted(pointer_arg(1))
flags = int_arg(2)
kprobe.function("sys_openat") ?
{
name = "openat"
- // filename = user_string($filename)
- // flags = $flags
- // mode = $mode
- // if ($flags & 64)
- // argstr = sprintf("%s, %s, %s, %#o", _dfd_str($dfd),
- // user_string_quoted($filename),
- // _sys_open_flag_str($flags), $mode)
- // else
- // argstr = sprintf("%s, %s, %s", _dfd_str($dfd),
- // user_string_quoted($filename),
- // _sys_open_flag_str($flags))
asmlinkage()
filename = user_string_quoted(pointer_arg(2))
flags = int_arg(3)
probe nd_syscall.personality = kprobe.function("sys_personality") ?
{
name = "personality"
- // persona = $personality
asmlinkage()
persona = ulong_arg(1)
argstr = sprintf("%p", persona);
probe nd_syscall.pivot_root = kprobe.function("sys_pivot_root") ?
{
name = "pivot_root"
- // new_root_str = user_string($new_root)
- // old_root_str = user_string($put_old)
- // argstr = sprintf("%s, %s", user_string_quoted($new_root),
- // user_string_quoted($put_old))
asmlinkage()
new_root_str = user_string_quoted(pointer_arg(1))
old_root_str = user_string_quoted(pointer_arg(2))
probe nd_syscall.poll = kprobe.function("sys_poll") ?
{
name = "poll"
- // ufds_uaddr = $ufds
- // nfds = $nfds
- // timeout = $timeout
- // argstr = sprintf("%p, %d, %d", $ufds, $nfds, timeout)
asmlinkage()
ufds_uaddr = pointer_arg(1)
nfds = uint_arg(2)
probe nd_syscall.ppoll = kprobe.function("sys_ppoll") ?
{
name = "ppoll"
- // argstr = sprintf("%p, %d, %s, %p, %d",
- // $ufds,
- // $nfds,
- // _struct_timespec_u($tsp, 1),
- // $sigmask,
- // $sigsetsize)
asmlinkage()
argstr = sprintf("%p, %d, %s, %p, %d",
pointer_arg(1),
probe nd_syscall.compat_ppoll = kprobe.function("compat_sys_ppoll") ?
{
name = "ppoll"
- // argstr = sprintf("%p, %d, %s, %p, %d",
- // $ufds,
- // $nfds,
- // _struct_compat_timespec_u($tsp, 1),
- // $sigmask,
- // $sigsetsize)
asmlinkage()
argstr = sprintf("%p, %d, %s, %p, %d",
pointer_arg(1),
probe nd_syscall.prctl = kprobe.function("sys_prctl") ?
{
name = "prctl"
- // option = $option
- // arg2 = $arg2
- // arg3 = $arg3
- // arg4 = $arg4
- // arg5 = $arg5
asmlinkage()
option = int_arg(1)
arg2 = ulong_arg(2)
probe nd_syscall.pread = kprobe.function("sys_pread64") ?
{
name = "pread"
- // fd = $fd
- // buf_uaddr = $buf
- // count = $count
- // offset = $pos
- // argstr = sprintf("%d, %p, %d, %d", $fd, $buf, $count, $pos)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
}
probe __nd_syscall.preadv = kprobe.function("sys_preadv")
{
- # fd = $fd
- # vector_uaddr = $vec
- # count = $vlen
- # offset = ($pos_h << %{ BITS_PER_LONG %}) + $pos_l
- # argstr = sprintf("%d, %p, %d, 0x%x", $fd, $vec, $vlen,
- # ($pos_h << %{ BITS_PER_LONG %}) + $pos_l)
asmlinkage()
fd = int_arg(1)
vector_uaddr = pointer_arg(2)
}
probe __nd_syscall.compat_preadv = kprobe.function("compat_sys_preadv")
{
- # fd = $fd
- # vector_uaddr = $vec
- # count = $vlen
- # offset = ($pos_high << 32) + $pos_low
- # argstr = sprintf("%d, %p, %d, 0x%x", $fd, $vec, $vlen,
- # ($pos_high << 32) + $pos_low)
fd = int_arg(1)
vector_uaddr = pointer_arg(2)
count = int_arg(3)
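Review bot: `__nd_syscall.compat_preadv` reads `fd = int_arg(1)` with no `asmlinkage()` call before it, unlike `__nd_syscall.preadv` and `__nd_syscall.compat_pwritev` in this same diff, which call it ahead of the first `*_arg()` read. With the commented block gone, the argument fetch is the first statement in the body and the inconsistency stands out. Whether it changes the fetched values depends on the architecture's calling convention, which the hunk does not establish. Add `asmlinkage()` as the first statement, or leave a one-line comment saying why it is omitted here. The probe body continues past the hunk.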
probe nd_syscall.pselect6 = kprobe.function("sys_pselect6") ?
{
name = "pselect6"
- // argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
- // _struct_timespec_u($tsp, 1), $sig)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1) , pointer_arg(2), pointer_arg(3), pointer_arg(4),
_struct_timespec_u(pointer_arg(5), 1), pointer_arg(6))
probe nd_syscall.compat_pselect6 = kprobe.function("compat_sys_pselect6") ?
{
name = "pselect6"
- // argstr = sprintf("%d, %p, %p, %p, %s, %p", $n, $inp, $outp, $exp,
- // _struct_compat_timespec_u($tsp, 1), $sig)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p", int_arg(1), pointer_arg(2), pointer_arg(3), pointer_arg(4),
_struct_compat_timespec_u(pointer_arg(5), 1), pointer_arg(6))
probe nd_syscall.pselect7 = kprobe.function("sys_pselect7") ?
{
name = "pselect7"
- // argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
- // _struct_timespec_u($tsp, 1), $sigmask, $sigsetsize)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1),
pointer_arg(2), pointer_arg(3), pointer_arg(4),
kprobe.function("compat_sys_pselect7") ?
{
name = "pselect7"
- //argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", $n, $inp, $outp, $exp,
- // _struct_compat_timespec_u($tsp, 1), $sigmask, $sigsetsize)
asmlinkage()
argstr = sprintf("%d, %p, %p, %p, %s, %p, %d", int_arg(1),
pointer_arg(2), pointer_arg(3), pointer_arg(4),
probe nd_syscall.ptrace = kprobe.function("sys_ptrace") ?
{
name = "ptrace"
- // request = $request
- // pid = $pid
- // addr = $addr
- // data = $data
asmlinkage()
request = long_arg(1)
pid = long_arg(2)
name = "ptrace"
retstr = returnstr(1)
- // long_arg values are not available here.
geteventmsg_data = 0
arch_prctl_addr = 0
}
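Review bot: The deleted line `// long_arg values are not available here.` is not dead DWARF code like the other removals; it is the only explanation for why `geteventmsg_data` and `arch_prctl_addr` are hard-coded to 0 in this return probe. Without it, someone writing or reading a ptrace-monitoring script cannot tell a real zero from "not collected". I would keep the comment, for example `// long_arg values are not available in the return probe, so these are always 0`. The probe header is outside the hunk.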
probe nd_syscall.pwrite = kprobe.function("sys_pwrite64") ?
{
name = "pwrite"
- // fd = $fd
- // buf_uaddr = $buf
- // count = $count
- // offset = $pos
- // argstr = sprintf("%d, %s, %d, %d", $fd,
- // text_strn(user_string($buf), syscall_string_trunc, 1),
- // $count, $pos)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
probe nd_syscall.pwrite32 = kprobe.function("sys32_pwrite64") ?
{
name = "pwrite"
- // fd = $fd
- // buf_uaddr = $buf
- // count = $count
- // offset = ($poshi << 32) + $poslo
-// %( arch == "s390" %?
- // buf_uaddr = $ubuf
- // argstr = sprintf("%d, %s, %d, %d", $fd,
- // text_strn(user_string($ubuf), syscall_string_trunc, 1),
- // $count, ($poshi << 32) + $poslo)
-// %:
- // buf_uaddr = $buf
- // argstr = sprintf("%d, %s, %d, %d", $fd,
- // text_strn(user_string($buf), syscall_string_trunc, 1),
- // $count, ($poshi << 32) + $poslo)
-// %)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
}
probe __nd_syscall.pwritev = kprobe.function("sys_pwritev").call
{
- // fd = $fd
- // vector_uaddr = $vec
- // count = $vlen
- // offset = ($pos_h << %{ BITS_PER_LONG %}) + $pos_l
- // argstr = sprintf("%d, %p, %d, 0x%x", $fd, $vec, $vlen,
- // ($pos_h << %{ BITS_PER_LONG %}) + $pos_l)
asmlinkage()
fd = int_arg(1)
vector_uaddr = pointer_arg(2)
}
probe __nd_syscall.compat_pwritev = kprobe.function("compat_sys_pwritev").call
{
- // fd = $fd
- // vector_uaddr = $vec
- // count = $vlen
- // offset = ($pos_high << 32) + $pos_low
- // argstr = sprintf("%d, %p, %d, 0x%x", $fd, $vec, $vlen,
- // ($pos_high << 32) + $pos_low)
asmlinkage()
fd = int_arg(1)
vector_uaddr = pointer_arg(2)
probe nd_syscall.quotactl = kprobe.function("sys_quotactl") ?
{
name = "quotactl"
- // cmd = $cmd
- // cmd_str = _quotactl_cmd_str($cmd)
- // special = $special
- // special_str = user_string($special)
- // id = $id
- // addr_uaddr = $addr
- // argstr = sprintf("%s, %s, %d, %p", cmd_str, special_str, $id, $addr)
asmlinkage()
cmd = uint_arg(1)
cmd_str = _quotactl_cmd_str(cmd)
probe nd_syscall.read = kprobe.function("sys_read") ?
{
name = "read"
- // fd = $fd
- // buf_uaddr = $buf
- // count = $count
- // argstr = sprintf("%d, %p, %d", $fd, $buf, $count)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
probe nd_syscall.readahead = kprobe.function("sys_readahead") ?
{
name = "readahead"
- // fd = $fd
- // offset = $offset
- // count = $count
asmlinkage()
fd = int_arg(1)
offset = longlong_arg(2)
kprobe.function("old32_readdir") ?
{
name = "readdir"
- // argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
asmlinkage()
argstr = sprintf("%d, %p, %d", uint_arg(1), pointer_arg(2), uint_arg(3))
}
probe nd_syscall.readlink = kprobe.function("sys_readlink") ?
{
name = "readlink"
- // path = user_string($path)
- // buf_uaddr = $buf
- // bufsiz = $bufsiz
- // argstr = sprintf("%s, %p, %d", user_string_quoted($path),
- // $buf, $bufsiz)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
buf_uaddr = pointer_arg(2)
@__syscall_compat_gate(%{ __NR_readlinkat %},
%{ __NR_compat_readlinkat %})
name = "readlinkat"
- //dfd = $dfd
- // path = user_string($path)
- // buf_uaddr = $buf
- // bufsiz = $bufsiz
- // argstr = sprintf("%s, %s, %p, %d", _dfd_str($dfd), user_string_quoted($path),
- // $buf, $bufsiz)
asmlinkage()
dfd = int_arg(1)
path = user_string_quoted(pointer_arg(2))
kprobe.function("sys_readv") ?
{
name = "readv"
- // vector_uaddr = $vec
- // count = $vlen
- // fd = $fd
- // argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
asmlinkage()
vector_uaddr = pointer_arg(2)
count = int_arg(3)
probe nd_syscall.reboot = kprobe.function("sys_reboot") ?
{
name = "reboot"
- // magic = $magic1
- // magic_str = _reboot_magic_str($magic1)
- // magic2 = $magic2
- // magic2_str =_reboot_magic_str($magic2)
- // flag = $cmd
- // flag_str = _reboot_flag_str($cmd)
- // arg_uaddr = $arg
- // argstr = sprintf("%s, %s, %s, %p", magic_str, magic2_str,
- // flag_str, $arg)
asmlinkage()
magic = int_arg(1)
magic_str = _reboot_magic_str(magic)
probe nd_syscall.remap_file_pages = kprobe.function("sys_remap_file_pages") ?
{
name = "remap_file_pages"
- // start = $start
- // size = $size
- // prot = (@defined($prot) ? $prot : $__prot)
- // pgoff = $pgoff
- // flags = $flags
asmlinkage()
start = ulong_arg(1)
size = ulong_arg(2)
probe nd_syscall.removexattr = kprobe.function("sys_removexattr") ?
{
name = "removexattr"
- // path = user_string($path)
- // name_str = user_string($name)
- // argstr = sprintf("%s, %s", user_string_quoted($path),
- // user_string_quoted($name))
asmlinkage()
path = user_string_quoted(pointer_arg(1))
name_str = user_string_quoted(pointer_arg(2))
probe nd_syscall.rename = kprobe.function("sys_rename") ?
{
name = "rename"
- // oldpath = user_string($oldname)
- // newpath = user_string($newname)
- // argstr = sprintf("%s, %s", user_string_quoted($oldname),
- // user_string_quoted($newname))
asmlinkage()
oldpath = user_string_quoted(pointer_arg(1))
newpath = user_string_quoted(pointer_arg(2))
{
@__syscall_compat_gate(%{ __NR_renameat %}, %{ __NR_compat_renameat %})
name = "renameat"
- // olddfd = $olddfd
- // olddfd_str = _dfd_str($olddfd)
- // oldname = $oldname
- // oldname_str = user_string($oldname)
- // newdfd = $newdfd
- // newdfd_str = _dfd_str($newdfd)
- // newname = $newname
- // newname_str = user_string($newname)
- // argstr = sprintf("%s, %s, %s, %s",
- // olddfd_str, user_string_quoted($oldname),
- // newdfd_str, user_string_quoted($newname))
asmlinkage()
olddfd = int_arg(1)
olddfd_str = _dfd_str(olddfd)
probe nd_syscall.request_key = kprobe.function("sys_request_key") ?
{
name = "request_key"
- // type_uaddr = $_type
- // description_uaddr = $_description
- // callout_info_uaddr = $_callout_info
- // destringid = $destringid
- // argstr = sprintf("%p, %p, %p, %p", $_type, $_description, $_callout_info, $destringid)
asmlinkage()
type_uaddr = pointer_arg(1)
description_uaddr = pointer_arg(2)
probe nd_syscall.rmdir = kprobe.function("sys_rmdir") ?
{
name = "rmdir"
- // pathname = user_string($pathname)
- // argstr = user_string_quoted($pathname)
asmlinkage()
pathname = user_string_quoted(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
probe nd_syscall.rt_sigaction = kprobe.function("sys_rt_sigaction") ?
{
name = "rt_sigaction"
- // sig = $sig
- // act_uaddr = $act
- // oact_uaddr = $oact
- // sigsetsize = $sigsetsize
- // argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
- // _struct_sigaction_u($act), $oact, $sigsetsize)
asmlinkage()
sig = int_arg(1)
act_uaddr = pointer_arg(2)
kprobe.function("compat_sys_rt_sigaction") ?
{
name = "rt_sigaction"
- // sig = $sig
- // act_uaddr = $act
- // oact_uaddr = $oact
- // sigsetsize = $sigsetsize
- // argstr = sprintf("%s, {%s}, %p, %d", _signal_name($sig),
- // _struct_sigaction32_u($act), $oact, $sigsetsize)
asmlinkage()
sig = int_arg(1)
act_uaddr = pointer_arg(2)
__nd_syscall.compat_rt_sigpending ?
{
name = "rt_sigpending"
- // set_uaddr = $set
- // sigsetsize = $sigsetsize
- // argstr = sprintf("%p, %d", $set, $sigsetsize)
asmlinkage()
set_uaddr = pointer_arg(1)
sigsetsize = ulong_arg(2)
@__syscall_gate(%{ __NR_rt_sigprocmask %})
%)
name = "rt_sigprocmask"
- // how = $how
- // how_str = _sigprocmask_how_str($how)
- // set_uaddr = $set
- // oldset_uaddr = $oset
- // argstr = sprintf("%s, [%s], %p, %d", how_str, _stp_sigset_u($set),
- // $oset, $sigsetsize)
asmlinkage()
how = int_arg(1)
how_str = _sigprocmask_how_str(how)
// In kernels 3.4+, the following kernel commit changed the
// way rt_sigprocmask is handled on x86:
- //
+ //
// commit 2c73ce734653f96542a070f3c3b3e3d1cd0fba02
// Author: H. Peter Anvin <hpa@zytor.com>
// Date: Sun Feb 19 09:48:01 2012 -0800
- //
- // x86-64, ia32: Drop sys32_rt_sigprocmask
//
+ // x86-64, ia32: Drop sys32_rt_sigprocmask
+ //
// On those kernels, a call to the 32-bit rt_sigprocmask goes
// straight to the 64-bit rt_sigprocmask function.
%( arch == "x86_64" && kernel_v >= "3.4" && CONFIG_COMPAT == "y" %?
kprobe.function("sys32_rt_sigprocmask") ?
{
name = "rt_sigprocmask"
- // how = $how
- // how_str = _sigprocmask_how_str($how)
- // set_uaddr = @choose_defined($set, $nset)
- // oldset_uaddr = $oset
- // argstr = sprintf("%s, [%s], %p, %d", how_str,
- // _stp_compat_sigset_u(set_uaddr), $oset, $sigsetsize)
if (ppfunc() != "compat_sys_rt_sigprocmask")
asmlinkage()
how = int_arg(1)
probe nd_syscall.rt_sigqueueinfo = kprobe.function("sys_rt_sigqueueinfo") ?
{
name = "rt_sigqueueinfo"
- // pid = $pid
- // sig = $sig
- // uinfo_uaddr = $uinfo
- // argstr = sprintf("%d, %s, %p", $pid, _signal_name($sig), $uinfo)
asmlinkage()
pid = int_arg(1)
sig = int_arg(2)
__nd_syscall.compat_rt_sigtimedwait ?
{
name = "rt_sigtimedwait"
- // uthese_uaddr = $uthese
- // uinfo_uaddr = $uinfo
- // uts_uaddr = $uts
- // sigsetsize = $sigsetsize
- // argstr = sprintf("%p, %p, %p, %d", $uthese, $uinfo, $uts, $sigsetsize)
asmlinkage()
uthese_uaddr = pointer_arg(1)
uinfo_uaddr = pointer_arg(2)
probe nd_syscall.sched_getaffinity = kprobe.function("sys_sched_getaffinity") ?
{
name = "sched_getaffinity"
- // pid = $pid
- // len = $len
- // mask_uaddr = $user_mask_ptr
asmlinkage()
pid = int_arg(1)
len = uint_arg(2)
probe nd_syscall.sched_getparam = kprobe.function("sys_sched_getparam") ?
{
name = "sched_getparam"
- // pid = $pid
- // p_uaddr = $param
asmlinkage()
pid = int_arg(1)
p_uaddr = pointer_arg(2)
probe nd_syscall.sched_get_priority_max = kprobe.function("sys_sched_get_priority_max") ?
{
name = "sched_get_priority_max"
- // policy = $policy
asmlinkage()
policy = int_arg(1)
argstr = sprint(policy)
probe nd_syscall.sched_get_priority_min = kprobe.function("sys_sched_get_priority_min") ?
{
name = "sched_get_priority_min"
- // policy = $policy
asmlinkage()
policy = int_arg(1)
argstr = sprint(policy)
probe nd_syscall.sched_getscheduler = kprobe.function("sys_sched_getscheduler") ?
{
name = "sched_getscheduler"
- // pid = $pid
- // argstr = sprint($pid)
asmlinkage()
pid = int_arg(1)
argstr = sprint(pid)
probe nd_syscall.sched_rr_get_interval = kprobe.function("sys_sched_rr_get_interval") ?
{
name = "sched_rr_get_interval"
- // pid = $pid
- // tp_uaddr = $interval
- // argstr = sprintf("%d, %s", $pid, _struct_timespec_u($interval, 1))
asmlinkage()
pid = int_arg(1)
tp_uaddr = pointer_arg(2)
probe nd_syscall.sched_setaffinity = kprobe.function("sys_sched_setaffinity") ?
{
name = "sched_setaffinity"
- // pid = $pid
- // len = $len
- // mask_uaddr = $user_mask_ptr
- // argstr = sprintf("%d, %d, %p", $pid, $len, $user_mask_ptr)
asmlinkage()
pid = int_arg(1)
len = uint_arg(2)
probe nd_syscall.sched_setparam = kprobe.function("sys_sched_setparam") ?
{
name = "sched_setparam"
- // pid = $pid
- // p_uaddr = $param
- // argstr = sprintf("%d, %p", $pid, $param)
asmlinkage()
pid = int_arg(1)
p_uaddr = pointer_arg(2)
probe nd_syscall.sched_setscheduler = kprobe.function("sys_sched_setscheduler") ?
{
name = "sched_setscheduler"
- // pid = $pid
- // policy = $policy
- // policy_str = _sched_policy_str($policy)
- // p_uaddr = $param
- // argstr = sprintf("%d, %s, %p", $pid, policy_str, $param)
asmlinkage()
pid = int_arg(1)
policy = int_arg(2)
probe nd_syscall.select = kprobe.function("sys_select") ?
{
name = "select"
- // n = $n
- // readfds_uaddr = $inp
- // writefds_uaddr = $outp
- // exceptfds_uaddr = $exp
- // timeout_uaddr = $tvp
- // argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
- // _struct_timeval_u($tvp, 1))
asmlinkage()
n = int_arg(1)
readfds_uaddr = pointer_arg(2)
probe nd_syscall.compat_select = kprobe.function("compat_sys_select") ?
{
name = "select"
- // n = $n
- // readfds_uaddr = $inp
- // writefds_uaddr = $outp
- // exceptfds_uaddr = $exp
- // timeout_uaddr = $tvp
- // argstr = sprintf("%d, %p, %p, %p, %s", $n, $inp, $outp, $exp,
- // _struct_compat_timeval_u($tvp, 1))
asmlinkage()
n = int_arg(1)
readfds_uaddr = pointer_arg(2)
probe nd_syscall.semctl = kprobe.function("sys_semctl") ?
{
name = "semctl"
- // semid = $semid
- // semnum = $semnum
- // cmd = $cmd
- /*
- * unsupported type tag identifier '$arg'
- * arg = $arg
- */
- // argstr = sprintf("%d, %d, %s", $semid, $semnum, _semctl_cmd($cmd))
asmlinkage()
semid = int_arg(1)
semnum = int_arg(2)
probe nd_syscall.compat_sys_semctl = kprobe.function("compat_sys_semctl") ?
{
name = "compat_sys_semctl"
- // semid = @choose_defined($semid, $first)
- // semnum = @choose_defined($semnum, $second)
- // cmd = @choose_defined($cmd, $third)
- // argstr = sprintf("%d, %d, %s", semid, semnum, _semctl_cmd(cmd))
- // NB: no asmlinkage()
semid = int_arg(1)
semnum = int_arg(2)
cmd = int_arg(3)
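Review bot: The `// NB: no asmlinkage()` line deleted from the compat_sys_semctl probe was a why-comment, not leftover DWARF code. Without it, the missing asmlinkage() call before `semid = int_arg(1)` reads as an oversight, since the neighbouring probes all make that call. A maintainer who "restores" it would presumably change where int_arg() fetches arguments on some architectures, so semid/semnum/cmd in trace or audit output would be silently wrong. I would keep a one-line note such as `// NB: deliberately no asmlinkage() for this compat entry point` directly above the first int_arg() call. The same applies to the dropped `// no asmlinkage` notes in the compat_sys_semtimedop, compat_sys_shmat and compat_sys_shmctl probes, and to `// no sys_tux in recent kernels; guessing asmlinkage` in the tux probe, which marked that asmlinkage() call as unverified. The probe body continues past the end of this hunk.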
probe nd_syscall.semget = kprobe.function("sys_semget") ?
{
name = "semget"
- // key = $key
- // nsems = $nsems
- // semflg = $semflg
- // argstr = sprintf("%d, %d, %s", $key, $nsems, __sem_flags($semflg))
asmlinkage()
key = int_arg(1)
nsems = int_arg(2)
probe nd_syscall.semop = kprobe.function("sys_semtimedop") ?
{
name = "semop"
- // semid = $semid
- // [t]sops_uaddr = $tsops
- // nsops = $nsops
- // argstr = sprintf("%d, %p, %d", $semid, $tsops, $nsops)
asmlinkage()
semid = int_arg(1)
%( systemtap_v < "2.3" %?
probe nd_syscall.semtimedop = kprobe.function("sys_semtimedop") ?
{
name = "semtimedop"
- // semid = $semid
- // sops_uaddr = $tsops
- // nsops = $nsops
- // timeout_uaddr = $timeout
- // argstr = sprintf("%d, %p, %d, %s", $semid, $tsops, $nsops,
- // _struct_timespec_u($timeout, 1))
asmlinkage()
semid = int_arg(1)
sops_uaddr = pointer_arg(2)
probe nd_syscall.compat_sys_semtimedop = kprobe.function("compat_sys_semtimedop") ?
{
name = "compat_sys_semtimedop"
- // semid = $semid
- // sops_uaddr = $tsems
- // nsops = $nsops
- // timeout_uaddr = $timeout
- // argstr = sprintf("%d, %p, %d, %s", $semid, $tsems, $nsops,
- // _struct_compat_timespec_u($timeout, 1))
- // no asmlinkage
semid = int_arg(1)
sops_uaddr = pointer_arg(2)
nsops = uint_arg(3)
probe nd_syscall.send = kprobe.function("sys_send") ?
{
name = "send"
- // s = $fd
- // buf_uaddr = $buff
- // len = $len
- // flags = $flags
- // flags_str = _msg_flags_str($flags)
- // argstr = sprintf("%d, %p, %d, %s", $fd, $buff, $len, flags_str)
asmlinkage()
s = int_arg(1)
buf_uaddr = pointer_arg(2)
kprobe.function("sys32_sendfile").call ?
{
name = "sendfile"
- // out_fd = __int32($out_fd)
- // in_fd = __int32($in_fd)
- // offset_uaddr = $offset
- // count = $count
- // argstr = sprintf("%d, %d, %p, %u", out_fd, in_fd, $offset, $count)
asmlinkage()
out_fd = int_arg(1)
in_fd = int_arg(2)
probe nd_syscall.sendmsg = kprobe.function("sys_sendmsg") ?
{
name = "sendmsg"
- // s = $fd
- // msg_uaddr = $msg
- // flags = $flags
- // flags_str = _msg_flags_str($flags)
- // argstr = sprintf("%d, %p, %s", $fd, $msg, _msg_flags_str($flags))
asmlinkage()
s = int_arg(1)
msg_uaddr = pointer_arg(2)
probe nd_syscall.compat_sys_sendmsg = kprobe.function("compat_sys_sendmsg") ?
{
name = "compat_sys_sendmsg"
- // s = $fd
- // msg_uaddr = $msg
- // flags = $flags
- // flags_str = _msg_flags_str($flags)
- // argstr = sprintf("%d, %p, %s", $fd, $msg, _msg_flags_str($flags))
asmlinkage()
s = int_arg(1)
msg_uaddr = pointer_arg(2)
probe nd_syscall.sendmmsg = kprobe.function("sys_sendmmsg").call ?
{
name = "sendmmsg"
- // s = $fd
- // mmsg_uaddr = $mmsg
- // vlen = $vlen
- // flags = $flags
- // flags_str = _msg_flags_str($flags)
- // argstr = sprintf("%d, %p, %d, %s", $fd, $mmsg, $vlen,
- // _msg_flags_str($flags))
asmlinkage()
s = int_arg(1)
mmsg_uaddr = pointer_arg(2)
probe nd_syscall.sendto = kprobe.function("sys_sendto") ?
{
name = "sendto"
- // s = $fd
- // buf_uaddr = $buff
- // len = $len
- // flags = $flags
- // flags_str = _msg_flags_str($flags)
- // to_uaddr = $addr
- // tolen = $addr_len
- // argstr = sprintf("%d, %p, %d, %s, %s, %d", $fd, $buff,
- // $len, flags_str, _struct_sockaddr_u($addr, $addr_len), $addr_len)
asmlinkage()
s = int_arg(1)
buf_uaddr = pointer_arg(2)
probe nd_syscall.setdomainname = kprobe.function("sys_setdomainname") ?
{
name = "setdomainname"
- // hostname_uaddr = $name
- // len = $len
- // argstr = sprintf("%p, %d", $name, $len)
asmlinkage()
hostname_uaddr = pointer_arg(1)
len = int_arg(2)
kprobe.function("sys_setfsgid") ?
{
name = "setfsgid"
- // fsgid = $gid
- // argstr = sprint($gid)
asmlinkage()
fsgid = uint_arg(1)
argstr = sprint(fsgid)
kprobe.function("sys_setfsuid") ?
{
name = "setfsuid"
- // fsuid = $uid
- // argstr = sprint($uid)
asmlinkage()
fsuid = uint_arg(1)
argstr = sprint(fsuid)
kprobe.function("sys_setgid") ?
{
name = "setgid"
- // gid = $gid
- // argstr = sprint($gid)
asmlinkage()
gid = uint_arg(1)
argstr = sprint(gid)
kprobe.function("sys_setgroups") ?
{
name = "setgroups"
- // size = $gidsetsize
- // list_uaddr = $grouplist
- // argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
asmlinkage()
size = int_arg(1)
list_uaddr = pointer_arg(2)
probe nd_syscall.sethostname = kprobe.function("sys_sethostname") ?
{
name = "sethostname"
- // hostname_uaddr = $name
- // name_str = user_string($name)
- // len = $len
- // argstr = sprintf("%s, %d", user_string_quoted($name), $len)
asmlinkage()
hostname_uaddr = pointer_arg(1)
name_str = user_string_quoted(hostname_uaddr)
probe nd_syscall.setitimer = kprobe.function("sys_setitimer") ?
{
name = "setitimer"
- // which = $which
- // value_uaddr = $value
- // ovalue_uaddr = $ovalue
- // argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
- // _struct_itimerval_u($value), $ovalue)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
probe nd_syscall.compat_setitimer = kprobe.function("compat_sys_setitimer") ?
{
name = "setitimer"
- // which = $which
- // value_uaddr = $in
- // ovalue_uaddr = $out
- // argstr = sprintf("%s, %s, %p", _itimer_which_str($which),
- // _struct_compat_itimerval_u($in), $out)
asmlinkage()
which = int_arg(1)
value_uaddr = pointer_arg(2)
kprobe.function("sys_set_mempolicy") ?
{
name = "set_mempolicy"
- // mode = $mode
- // nmask_uaddr = $nmask
- // maxnode = $maxnode
- // argstr = sprintf("%d, %p, %d", $mode, $nmask, $maxnode)
asmlinkage()
mode = int_arg(1)
nmask_uaddr = pointer_arg(2)
probe nd_syscall.setpgid = kprobe.function("sys_setpgid") ?
{
name = "setpgid"
- // pid = $pid
- // pgid = $pgid
- // argstr = sprintf("%d, %d", $pid, $pgid)
asmlinkage()
pid = int_arg(1)
pgid = int_arg(2)
probe nd_syscall.setpriority = kprobe.function("sys_setpriority") ?
{
name = "setpriority"
- // which = $which
- // which_str = _priority_which_str($which)
- // who = $who
- // prio = $niceval
- // argstr = sprintf("%s, %d, %d", which_str, $who, $niceval)
asmlinkage()
which = int_arg(1)
which_str = _priority_which_str(which)
probe nd_syscall.setregid = kprobe.function("sys_setregid") ?
{
name = "setregid"
- // rgid = __int32($rgid)
- // egid = __int32($egid)
asmlinkage()
rgid = __int32(uint_arg(1))
egid = __int32(uint_arg(2))
probe nd_syscall.setregid16 = kprobe.function("sys_setregid16") ?
{
name = "setregid"
- // rgid = __short($rgid)
- // egid = __short($egid)
asmlinkage()
rgid = __short(uint_arg(1))
egid = __short(uint_arg(2))
probe nd_syscall.setresgid = kprobe.function("sys_setresgid") ?
{
name = "setresgid"
- // rgid = __int32($rgid)
- // egid = __int32($egid)
- // sgid = __int32($sgid)
asmlinkage()
rgid = __int32(uint_arg(1))
egid = __int32(uint_arg(2))
probe nd_syscall.setresgid16 = kprobe.function("sys_setresgid16") ?
{
name = "setresgid"
- // rgid = __short($rgid)
- // egid = __short($egid)
- // sgid = __short($sgid)
asmlinkage()
rgid = __short(uint_arg(1))
egid = __short(uint_arg(2))
probe nd_syscall.setresuid = kprobe.function("sys_setresuid") ?
{
name = "setresuid"
- // ruid = __int32($ruid)
- // euid = __int32($euid)
- // suid = __int32($suid)
asmlinkage()
ruid = __int32(uint_arg(1))
euid = __int32(uint_arg(2))
probe nd_syscall.setresuid16 = kprobe.function("sys_setresuid16") ?
{
name = "setresuid"
- // ruid = __short($ruid)
- // reuid = __short($euid)
- // rsuid = __short($suid)
asmlinkage()
ruid = __short(uint_arg(1))
euid = __short(uint_arg(2))
probe nd_syscall.setreuid = kprobe.function("sys_setreuid") ?
{
name = "setreuid"
- // ruid = __int32($ruid)
- // euid = __int32($euid)
asmlinkage()
ruid = __int32(uint_arg(1))
euid = __int32(uint_arg(2))
probe nd_syscall.setreuid16 = kprobe.function("sys_setreuid16") ?
{
name = "setreuid"
- // ruid = __short($ruid)
- // euid = __short($euid)
asmlinkage()
ruid = __short(uint_arg(1))
euid = __short(uint_arg(2))
probe nd_syscall.setrlimit = kprobe.function("sys_setrlimit") ?
{
name = "setrlimit"
- // resource = $resource
- // rlim_uaddr = $rlim
- // argstr = sprintf("%s, %s", _rlimit_resource_str($resource),
- // _struct_rlimit_u($rlim))
asmlinkage()
resource = uint_arg(1)
rlim_uaddr = pointer_arg(2)
kprobe.function("sys_setsockopt") ?
{
name = "setsockopt"
- // fd = $fd
- // level = $level
- // level_str = _sockopt_level_str($level)
- // optname = $optname
- // optname_str = _sockopt_optname_str($optname)
- // optval_uaddr = $optval
- // optlen = $optlen
- // argstr = sprintf("%d, %s, %s, %p, %d", $fd, level_str,
- // optname_str, $optval, $optlen)
asmlinkage()
fd = int_arg(1)
level = int_arg(2)
probe nd_syscall.set_tid_address = kprobe.function("sys_set_tid_address") ?
{
name = "set_tid_address"
- // tidptr_uaddr = $tidptr
asmlinkage()
tidptr_uaddr = pointer_arg(1)
argstr = sprintf("%p", tidptr_uaddr)
probe nd_syscall.settimeofday = kprobe.function("sys_settimeofday") ?
{
name = "settimeofday"
- // ttv_uaddr = $tv
- // ttz_uaddr = $tz
- // targstr = sprintf("%s, %s", _struct_timeval_u($tv, 1), _struct_timezone_u($tz))
asmlinkage()
tv_uaddr = pointer_arg(1)
tz_uaddr = pointer_arg(2)
kprobe.function("compat_sys_settimeofday") ?
{
name = "settimeofday"
- // tv_uaddr = $tv
- // tz_uaddr = $tz
- // argstr = sprintf("%s, %s", _struct_compat_timeval_u($tv, 1), _struct_timezone_u($tz))
asmlinkage()
tv_uaddr = pointer_arg(1)
tz_uaddr = pointer_arg(2)
kprobe.function("sys_setuid") ?
{
name = "setuid"
- // uid = $uid
- // argstr = sprint($uid)
asmlinkage()
uid = uint_arg(1)
argstr = sprint(uid)
probe nd_syscall.setxattr = kprobe.function("sys_setxattr") ?
{
name = "setxattr"
- // path_uaddr = $path
- // path = user_string($path)
- // name_uaddr = $name
- // name_str = user_string($name)
- // value_uaddr = $value
- // size = $size
- // flags = $flags
- // argstr = sprintf("%s, %s, %p, %d, %d",
- // user_string_quoted($path),
- // user_string_quoted($name),
- // value_uaddr, $size, $flags)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string_quoted(path_uaddr)
probe nd_syscall.shmat = kprobe.function("sys_shmat") ?
{
name = "shmat"
- // shmid = $shmid
- // shmaddr_uaddr = $shmaddr
- // shmflg = $shmflg
- // argstr = sprintf("%d, %p, %s", $shmid, $shmaddr, _shmat_flags_str($shmflg))
asmlinkage()
shmid = int_arg(1)
shmaddr_uaddr = pointer_arg(2)
probe nd_syscall.compat_sys_shmat = kprobe.function("compat_sys_shmat") ?
{
name = "compat_sys_shmat"
- // %( systemtap_v <= "2.3" %?
- // first = @choose_defined($shmid, $first)
- // second = @choose_defined($shmflg, $second)
- // third = @choose_defined($third, 0)
- // uptr_uaddr = @choose_defined($shmaddr, $uptr)
- // %)
- // shmid = @choose_defined($shmid, $first)
- // shmaddr_uaddr = @choose_defined($shmaddr, $uptr)
- // shmflg = @choose_defined($shmflg, $second)
- // argstr = sprintf("%d, %p, %s", shmid, shmaddr_uaddr,
- // _shmat_flags_str(shmflg))
- // no asmlinkage
%( systemtap_v < "2.3" %?
first = int_arg(1)
probe nd_syscall.shmctl = kprobe.function("sys_shmctl") ?
{
name = "shmctl"
- // shmid = $shmid
- // cmd = $cmd
- // buf_uaddr = $buf
- // argstr = sprintf("%d, %s, %p", $shmid, _semctl_cmd($cmd), $buf)
asmlinkage()
shmid = int_arg(1)
cmd = int_arg(2)
probe nd_syscall.compat_sys_shmctl = kprobe.function("compat_sys_shmctl") ?
{
name = "compat_sys_shmctl"
- // first = $first
- // second = $second
- // uptr_uaddr = $uptr
- // argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
- // no asmlinkages
first = int_arg(1)
second = int_arg(2)
uptr_uaddr = pointer_arg(3)
probe nd_syscall.shmdt = kprobe.function("sys_shmdt") ?
{
name = "shmdt"
- // shmaddr_uaddr = $shmaddr
- // argstr = sprintf("%p", $shmaddr)
asmlinkage()
shmaddr_uaddr = pointer_arg(1)
argstr = sprintf("%p", shmaddr_uaddr)
probe nd_syscall.shmget = kprobe.function("sys_shmget") ?
{
name = "shmget"
- // key = $key
- // size = $size
- // shmflg = $shmflg
- // argstr = sprintf("%d, %d, %d", $key, $size, $shmflg)
asmlinkage()
key = int_arg(1)
size = ulong_arg(2)
probe nd_syscall.shutdown = kprobe.function("sys_shutdown") ?
{
name = "shutdown"
- // s = $fd
- // how = $how
- // how_str = _shutdown_how_str($how)
- // argstr = sprintf("%d, %s", $fd, how_str)
asmlinkage()
s = int_arg(1)
how = int_arg(2)
probe nd_syscall.sigaction = kprobe.function("sys_sigaction") ?
{
name = "sigaction"
- // sig = $sig
- // act_uaddr = $act
- // oact_uaddr = $oact
- // argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_sigaction_u($act), $oact)
%( arch != "powerpc" %? asmlinkage() %)
sig = int_arg(1)
act_uaddr = pointer_arg(2)
kprobe.function("compat_sys_sigaction") ?
{
name = "sigaction"
- // sig = $sig
- // sact_uaddr = $act
- // soact_uaddr = $oact
- // argstr = sprintf("%s, {%s}, %p", _signal_name($sig), _struct_old_sigaction32_u($act), $oact)
asmlinkage()
sig = int_arg(1)
act_uaddr = pointer_arg(2)
probe nd_syscall.sigaltstack = kprobe.function("sys_sigaltstack")
{
name = "sigaltstack"
- // uss_uaddr = $uss
- // uoss_uaddr = $uoss
- // argstr = sprintf("%p, %p", $uss, $uoss)
asmlinkage()
uss_uaddr = pointer_arg(1)
uoss_uaddr = pointer_arg(2)
probe nd_syscall.signal = kprobe.function("sys_signal") ?
{
name = "signal"
- // sig = $sig
- // handler = $handler
- // argstr = sprintf("%s, %s", _signal_name($sig), _sighandler_str($handler))
asmlinkage()
sig = int_arg(1)
handler = pointer_arg(2)
flags = int_arg(4)
if (flags == 0) {
name = "signalfd"
- // argstr = sprintf("%d, %p, %d", $ufd, $user_mask, $sizemask)
argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2),
ulong_arg(3))
} else {
name = "signalfd4"
- // argstr = sprintf("%d, %p, %d, %s", $ufd, $user_mask,
- // $sizemask, _signalfd4_flags_str($flags))
argstr = sprintf("%d, %p, %d, %s", int_arg(1), pointer_arg(2),
ulong_arg(3), _signalfd4_flags_str(flags))
}
name = "signalfd"
asmlinkage()
flags = 0
- // argstr = sprintf("%d, %p, %d", $ufd, $user_mask, $sizemask)
argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2),
ulong_arg(3))
}
flags = int_arg(4)
if (flags == 0) {
name = "signalfd"
- // argstr = sprintf("%d, %p, %d", $ufd, $sigmask, $sigsetsize)
argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2),
u32_arg(3))
} else {
name = "signalfd4"
- // argstr = sprintf("%d, %p, %d, %s", $ufd, $sigmask,
- // $sigsetsize, _signalfd4_flags_str($flags))
argstr = sprintf("%d, %p, %d, %s", int_arg(1),
pointer_arg(2), u32_arg(3),
_signalfd4_flags_str(flags))
asmlinkage()
flags = 0
name = "signalfd"
- // argstr = sprintf("%d, %p, %d", $ufd, $sigmask, $sigsetsize)
argstr = sprintf("%d, %p, %d", int_arg(1), pointer_arg(2),
u32_arg(3))
}
probe nd_syscall.sigpending = kprobe.function("sys_sigpending") ?
{
name = "sigpending"
- // argstr = sprintf("%p", $set)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
kprobe.function("compat_sys_sigprocmask") ?
{
name = "sigprocmask"
- // how = $how
- // how_str = _sigprocmask_how_str($how)
- // set_uaddr = $set
- // oldset_uaddr = $oset
- // argstr = sprintf("%s, %p, %p", how_str, $set, $oset)
asmlinkage()
how = int_arg(1)
how_str = _sigprocmask_how_str(how)
probe nd_syscall.socket = kprobe.function("sys_socket") ?
{
name = "socket"
- // family = __int32($family)
- // type = __int32($type)
- // protocol = __int32($protocol)
- // argstr = sprintf("%s, %s, %s", _sock_family_str(family),
- // _sock_type_str(type),
- // _sock_protocol_str(family, protocol))
asmlinkage()
family = int_arg(1)
type = int_arg(2)
probe nd_syscall.socketpair = kprobe.function("sys_socketpair") ?
{
name = "socketpair"
- // family = __int32($family)
- // type = __int32($type)
- // protocol = __int32($protocol)
- // sv_uaddr = $usockvec
- // argstr = sprintf("%s, %s, %s, %p",
- // _sock_family_str(family),
- // _sock_type_str(type),
- // _sock_protocol_str(family, protocol),
- // sv_uaddr)
asmlinkage()
family = int_arg(1)
type = int_arg(2)
probe nd_syscall.splice = kprobe.function("sys_splice") ?
{
name = "splice"
- // argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
- // $fd_in, $off_in, $fd_out, $off_out, $len, $flags)
asmlinkage()
argstr = sprintf("%d, %p, %d, %p, %d, 0x%x",
int_arg(1), pointer_arg(2), int_arg(3), pointer_arg(4), ulong_arg(5), uint_arg(6))
probe nd_syscall.ssetmask = kprobe.function("sys_ssetmask") ?
{
name = "ssetmask"
- // newmask = $newmask
- // argstr = sprint($newmask)
asmlinkage()
newmask = int_arg(1)
argstr = sprint(newmask)
kprobe.function("compat_sys_newstat") ?
{
name = "stat"
- // filename_uaddr = $filename
- // filename = user_string($filename)
- // buf_uaddr = $statbuf
- // argstr = sprintf("%s, %p", user_string_quoted($filename), buf_uaddr)
asmlinkage()
filename_uaddr = pointer_arg(1)
filename = user_string_quoted(filename_uaddr)
kprobe.function("sys_statfs") ?
{
name = "statfs"
- // path = user_string($path)
- // buf_uaddr = $buf
- // argstr = sprintf("%s, %p", user_string_quoted($path), $buf)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
buf_uaddr = pointer_arg(2)
kprobe.function("sys_statfs64") ?
{
name = "statfs"
- // path = user_string($path)
- // sz = $sz
- // buf_uaddr = $buf
- // argstr = sprintf("%s, %d, %p", user_string_quoted($path), $sz, $buf)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
sz = ulong_arg(2)
kprobe.function("sys_stime") ?
{
name = "stime"
- // t_uaddr = $tptr
/* FIXME. Decode time */
- // argstr = sprintf("%p", $tptr)
asmlinkage()
t_uaddr = pointer_arg(1)
argstr = sprintf("%p", t_uaddr)
probe nd_syscall.swapoff = kprobe.function("sys_swapoff") ?
{
name = "swapoff"
- // path = user_string($specialfile)
- // argstr = user_string_quoted($specialfile)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
argstr = user_string_quoted(pointer_arg(1))
probe nd_syscall.swapon = kprobe.function("sys_swapon") ?
{
name = "swapon"
- // path = user_string($specialfile)
- // swapflags = $swap_flags
- // argstr = sprintf("%s, %d", user_string_quoted($specialfile), swapflags)
asmlinkage()
path = user_string_quoted(pointer_arg(1))
swapflags = int_arg(2)
probe nd_syscall.symlink = kprobe.function("sys_symlink") ?
{
name = "symlink"
- // oldpath = user_string($oldname)
- // newpath = user_string($newname)
- // argstr = sprintf("%s, %s", user_string_quoted($oldname),
- // user_string_quoted($newname))
asmlinkage()
oldpath = user_string_quoted(pointer_arg(1))
newpath = user_string_quoted(pointer_arg(2))
@__syscall_compat_gate(%{ __NR_symlinkat %},
%{ __NR_compat_symlinkat %})
name = "symlinkat"
-// oldname = $oldname
-// oldname_str = user_string($oldname)
-// newdfd = $newdfd
-// newdfd_str = _dfd_str($newdfd)
-// newname = $newname
-// newname_str = user_string($newname)
-// argstr = sprintf("%s, %s, %s", user_string_quoted($oldname),
-// newdfd_str, user_string_quoted($newname))
asmlinkage()
oldname = pointer_arg(1)
oldname_str = user_string_quoted(oldname)
kprobe.function("sys_sysctl") ?
{
name = "sysctl"
- // argstr = sprintf("%p", $args)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.sysfs = kprobe.function("sys_sysfs") ?
{
name = "sysfs"
- // option = $option
- // arg1 = $arg1
- // arg2 = $arg2
- // if (option == 1)
- // argstr = sprintf("%d, %s, %d", $option, user_string_quoted($arg1), $arg2)
- // else if (option == 2)
- // argstr = sprintf("%d, %d, %p", $option, $arg1, $arg2)
- // else if (option == 3)
- // argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
- // else
- // argstr = sprintf("%d, %d, %d", $option, $arg1, $arg2)
asmlinkage()
option = int_arg(1)
arg1 = ulong_arg(2)
kprobe.function("sys_sysinfo") ?
{
name = "sysinfo"
- // info_uaddr = $info
- // argstr = sprintf("%p", $info)
asmlinkage()
info_uaddr = pointer_arg(1)
argstr = sprintf("%p", info_uaddr)
probe nd_syscall.syslog = kprobe.function("sys_syslog") ?
{
name = "syslog"
- // type = $type
- // bufp_uaddr = $buf
- // len = $len
- // argstr = sprintf("%d, %p, %d", $type, $buf, $len)
asmlinkage()
type = int_arg(1)
bufp_uaddr = pointer_arg(2)
probe nd_syscall.tee = kprobe.function("sys_tee") ?
{
name = "tee"
- // argstr = sprintf("%d, %d, %d, 0x%x", $fdin, $fdout, $len, $flags)
asmlinkage()
argstr = sprintf("%d, %d, %d, 0x%x", int_arg(1), int_arg(2), ulong_arg(3), uint_arg(4))
}
probe nd_syscall.tgkill = kprobe.function("sys_tgkill") ?
{
name = "tgkill"
- // tgid = $tgid
- // pid = $pid
- // sig = $sig
- // argstr = sprintf("%d, %d, %s", $tgid, $pid, _signal_name($sig))
asmlinkage()
tgid = int_arg(1)
pid = int_arg(2)
kprobe.function("sys_time") ?
{
name = "time"
- // t_uaddr = $tloc
- // argstr = sprintf("%p", $tloc)
asmlinkage()
t_uaddr = pointer_arg(1)
argstr = sprintf("%p", t_uaddr)
probe nd_syscall.timer_create = kprobe.function("sys_timer_create") ?
{
name = "timer_create"
- // clockid = $which_clock
- // clockid_str = _get_wc_str($which_clock)
- // evp_uaddr = $timer_event_spec
- // timerid_uaddr = $created_timer_id
- // argstr = sprintf("%s, %p, %p", clockid_str, $timer_event_spec, $created_timer_id)
asmlinkage()
clockid = int_arg(1)
clockid_str = _get_wc_str(clockid)
probe nd_syscall.timer_delete = kprobe.function("sys_timer_delete") ?
{
name = "timer_delete"
- // timerid = $timer_id
- // argstr = sprint($timer_id)
asmlinkage()
timerid = int_arg(1)
argstr = sprint(timerid)
probe nd_syscall.timer_getoverrun = kprobe.function("sys_timer_getoverrun") ?
{
name = "timer_getoverrun"
- // timerid = $timer_id
- // argstr = sprint($timer_id)
asmlinkage()
timerid = int_arg(1)
argstr = sprint(timerid)
probe nd_syscall.timer_gettime = kprobe.function("sys_timer_gettime") ?
{
name = "timer_gettime"
- // timerid = $timer_id
- // value_uaddr = $setting
- // argstr = sprintf("%d, %p", $timer_id, $setting)
asmlinkage()
timerid = int_arg(1)
value_uaddr = pointer_arg(2)
__nd_syscall.compat_timer_settime ?
{
name = "timer_settime"
- // timerid = $timer_id
- // flags = $flags
- // value_uaddr = $new_setting
- // ovalue_uaddr = $old_setting
asmlinkage()
}
probe __nd_syscall.timer_settime = kprobe.function("sys_timer_settime").call
{
- // argstr = sprintf("%d, %d, %s, %p", $timer_id, $flags,
- // _struct_itimerspec_u($new_setting),
- // $old_setting)
@__syscall_gate(%{ __NR_timer_settime %})
asmlinkage()
timerid = int_arg(1)
probe __nd_syscall.compat_timer_settime =
kprobe.function("compat_sys_timer_settime").call ?
{
- // argstr = sprintf("%d, %d, %s, %p", $timer_id, $flags,
- // _struct_compat_itimerspec_u($new), $old)
asmlinkage()
timerid = int_arg(1)
flags = int_arg(2)
kprobe.function("compat_sys_timerfd") ?
{
name = "timerfd"
- // argstr = sprintf("%d, %d, 0x%x", $ufd, $clockid, $flags)
asmlinkage()
argstr = sprintf("%d, %d, 0x%x", int_arg(1), int_arg(2), int_arg(3))
}
kprobe.function("sys_times") ?
{
name = "times"
- // argstr = sprintf("%p", $tbuf)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.tkill = kprobe.function("sys_tkill") ?
{
name = "tkill"
- // pid = $pid
- // sig = $sig
- // argstr = sprintf("%d, %s", $pid, _signal_name($sig))
asmlinkage()
pid = int_arg(1)
sig = int_arg(2)
__nd_syscall.compat_truncate ?
{
name = "truncate"
- // path_uaddr = $path
- // path = user_string($path)
- // length = $length
- // argstr = sprintf("%s, %d", user_string_quoted($path), $length)
asmlinkage()
path_uaddr = pointer_arg(1)
path = user_string_quoted(path_uaddr)
probe nd_syscall.tux = kprobe.function("sys_tux") ?
{
name = "tux"
- // action = $action
- // u_info_uaddr = $u_info
- // argstr = sprintf("%d, %p", $action, $u_info)
- // no sys_tux in recent kernels; guessing asmlinkage
asmlinkage()
action = uint_arg(1)
u_info_uaddr = pointer_arg(2)
probe nd_syscall.umask = kprobe.function("sys_umask") ?
{
name = "umask"
- // mask = $mask
- // argstr = sprintf("%#o", $mask)
asmlinkage()
mask = int_arg(1)
argstr = sprintf("%#o", mask)
probe __nd_syscall.umount = kprobe.function("sys_umount")
{
@__syscall_compat_gate(%{ __NR_umount2 %}, %{ __NR_compat_umount2 %})
- // target = user_string($name)
- // flags = $flags
- // flags_str = _umountflags_str($flags)
- // argstr = sprintf("%s, %s", user_string_quoted($name), flags_str)
asmlinkage()
target = user_string_quoted(pointer_arg(1))
flags = int_arg(2)
}
probe __nd_syscall.oldumount = kprobe.function("sys_oldumount") ?
{
- // target = user_string_quoted($name)
- // flags = 0
- // flags_str = "0"
- // argstr = sprintf("%s, 0", user_string_quoted($name))
asmlinkage()
target = user_string_quoted(pointer_arg(1))
flags = 0
kprobe.function("sys_newuname") ?
{
name = "uname"
- // argstr = sprintf("%p", $name)
_func_name = ppfunc()
if (_func_name != "sys32_uname") {
if (_func_name == "sys_uname" || _func_name == "sys_olduname") {
probe nd_syscall.unlink = kprobe.function("sys_unlink") ?
{
name = "unlink"
- // pathname_uaddr = $pathname
- // pathname = user_string($pathname)
- // argstr = user_string_quoted($pathname)
asmlinkage()
pathname_uaddr = pointer_arg(1)
pathname = user_string_quoted(pathname_uaddr)
probe nd_syscall.unlinkat = kprobe.function("sys_unlinkat") ?
{
name = "unlinkat"
- // dfd = $dfd
- // dfd_str = _dfd_str($dfd)
- // pathname = $pathname
- // pathname_str = user_string($pathname)
- // flag = $flag
- // flag_str = _at_flag_str($flag)
- // argstr = sprintf("%s, %s, %s", dfd_str, user_string_quoted($pathname), flag_str)
asmlinkage()
dfd = int_arg(1)
dfd_str = _dfd_str(dfd)
probe nd_syscall.unshare = kprobe.function("sys_unshare") ?
{
name = "unshare"
- // unshare_flags = $unshare_flags
asmlinkage()
unshare_flags = ulong_arg(1)
argstr = __fork_flags(unshare_flags)
probe nd_syscall.uselib = kprobe.function("sys_uselib") ?
{
name = "uselib"
- // library_uaddr = $library
- // library = user_string($library)
- // argstr = user_string_quoted($library)
asmlinkage()
library_uaddr = pointer_arg(1)
library = user_string_quoted(library_uaddr)
probe nd_syscall.ustat = kprobe.function("sys_ustat") ?
{
name = "ustat"
- // dev = $dev
- // ubuf_uaddr = $ubuf
- // argstr = sprintf("%d, %p", $dev, $ubuf)
asmlinkage()
dev = uint_arg(1)
ubuf_uaddr = pointer_arg(2)
probe nd_syscall.ustat32 = kprobe.function("sys32_ustat") ?
{
name = "ustat"
- // dev = $dev
- // ubuf_uaddr = (@defined($u) ? $u : $u32p)
- // argstr = sprintf("%d, %p", $dev, (@defined($u) ? $u : $u32p))
- // no asmlinkage
dev = uint_arg(1)
ubuf_uaddr = pointer_arg(2)
argstr = sprintf("%d, %p", dev, ubuf_uaddr)
probe nd_syscall.ustat32 = kprobe.function("compat_sys_ustat") ?
{
name = "ustat"
- // dev = $dev
- // ubuf_uaddr = (@defined($u) ? $u : $u32p)
- // argstr = sprintf("%d, %p", $dev, (@defined($u) ? $u : $u32p))
- // asmlinkage
asmlinkage()
dev = uint_arg(1)
ubuf_uaddr = pointer_arg(2)
probe nd_syscall.utimes = kprobe.function("sys_utimes") ?
{
name = "utimes"
- // filename_uaddr = $filename
- // filename = user_string($filename)
- // tvp_uaddr = $utimes
- // argstr = sprintf("%s, %s", user_string_quoted($filename),
- // _struct_timeval_u($utimes, 2))
asmlinkage()
filename_uaddr = pointer_arg(1)
filename = user_string_quoted(filename_uaddr)
probe nd_syscall.compat_sys_utimes = kprobe.function("compat_sys_utimes") ?
{
name = "utimes"
- // filename = user_string($filename)
- // argstr = sprintf("%s, %s", user_string_quoted($filename),
- // _struct_compat_timeval_u($t, 2))
asmlinkage()
filename = user_string_quoted(pointer_arg(1))
argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)),
probe nd_syscall.utimensat = kprobe.function("sys_utimensat") ?
{
name = "utimensat"
- // argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_timespec_u($utimes, 2),
- // _at_flag_str($flags))
asmlinkage()
argstr = sprintf("%s, %s, %s, %s", _dfd_str(int_arg(1)), user_string_quoted(pointer_arg(2)),
_struct_timespec_u(pointer_arg(3), 2), _at_flag_str(int_arg(4)))
probe nd_syscall.compat_utimensat = kprobe.function("compat_sys_utimensat") ?
{
name = "utimensat"
- // argstr = sprintf("%s, %s, %s, %s", _dfd_str($dfd), user_string_quoted($filename), _struct_compat_timespec_u($t, 2),
- // _at_flag_str($flags))
asmlinkage()
argstr = sprintf("%s, %s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),
_struct_compat_timespec_u(pointer_arg(3), 2), _at_flag_str(int_arg(4)))
probe nd_syscall.vmsplice = kprobe.function("sys_vmsplice") ?
{
name = "vmsplice"
- // argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
asmlinkage()
argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), ulong_arg(3), uint_arg(4))
}
probe nd_syscall.compat_vmsplice = kprobe.function("compat_sys_vmsplice") ?
{
name = "vmsplice"
- // argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov32, $nr_segs, $flags)
asmlinkage()
argstr = sprintf("%d, %p, %d, 0x%x", int_arg(1), pointer_arg(2), uint_arg(3), uint_arg(4))
}
kprobe.function("compat_sys_wait4") ?
{
name = "wait4"
- // pid = (@defined($upid) ? $upid : $pid)
- // status_uaddr = $stat_addr
- // options = $options & 0xffffffff
- // options_str = _wait4_opt_str(options)
- // rusage_uaddr = $ru
- // argstr = sprintf("%d, %p, %s, %p",
- // (@defined($upid) ? $upid : $pid),
- // $stat_addr, _wait4_opt_str($options), $ru)
asmlinkage()
pid = int_arg(1)
status_uaddr = pointer_arg(2)
probe nd_syscall.waitid = kprobe.function("sys_waitid") ?
{
name = "waitid"
- // pid = (@defined($upid) ? $upid : $pid)
- // which = $which
- // which_str = _waitid_which_str($which)
- // infop_uaddr = $infop
- // options = $options
- // options_str = _waitid_opt_str($options)
- // rusage_uaddr = $ru
- // argstr = sprintf("%d, %d, %p, %s, %p", $which,
- // (@defined($upid) ? $upid : $pid), $infop,
- // _waitid_opt_str($options), $ru)
asmlinkage()
pid = int_arg(1)
which = int_arg(2)
probe nd_syscall.write = kprobe.function("sys_write") ?
{
name = "write"
- // fd = $fd
- // buf_uaddr = $buf
- // count = $count
- // argstr = sprintf("%d, %s, %d", $fd, text_strn(user_string($buf), syscall_string_trunc, 1), $count)
asmlinkage()
fd = uint_arg(1)
buf_uaddr = pointer_arg(2)
kprobe.function("sys_writev") ?
{
name = "writev"
- // vector_uaddr = $vec
- // count = $vlen
- // fd = $fd
- // argstr = sprintf("%d, %p, %d", $fd, $vec, $vlen)
asmlinkage()
vector_uaddr = pointer_arg(2)
count = int_arg(3)