}
%)
+# execveat ______________________________________________
+# SYSCALL_DEFINE5(execveat,
+# int, fd, const char __user *, filename,
+# const char __user *const __user *, argv,
+# const char __user *const __user *, envp,
+# int, flags)
+#
+probe nd_syscall.execveat = kprobe.function("do_execveat").call ?
+{
+ name = "execveat"
+ fd = __int32(1)
+ fd_str = _dfd_str(fd)
+ filename = user_string_quoted(pointer_arg(2))
+ args = __get_argv(pointer_arg(3), 0)
+ flags = int_arg(5)
+ flags_str = _at_flag_str(flags)
+ argstr = sprintf("%s %s %s %s", fd_str, filename, args, flags_str)
+}
+probe nd_syscall.execveat.return = kprobe.function("do_execveat").return ?
+{
+ name = "execveat"
+ retstr = returnstr(1)
+}
+
%( kernel_v >= "3.7" %?
# In kernels >= 3.7, compat_sys_execve() has been moved to generic
# code, so we can use it with confidence.
}
%)
+probe nd_syscall.compat_execveat = kprobe.function("compat_do_execveat").call ?
+{
+ name = "compat_execveat"
+ fd = __int32(1)
+ fd_str = _dfd_str(fd)
+ filename = user_string_quoted(pointer_arg(2))
+ args = __get_argv(pointer_arg(3), 0)
+ flags = int32_arg(5)
+ flags_str = _at_flag_str(flags)
+ argstr = sprintf("%s %s %s %s", fd_str, filename, args, flags_str)
+
+}
+probe nd_syscall.compat_execveat.return = kprobe.function("compat_do_execveat").return ?
+{
+ name = "compat_execveat"
+ retstr = returnstr(1)
+}
+
# exit _______________________________________________________
# long sys_exit(int error_code)
probe nd_syscall.exit = kprobe.function("sys_exit").call
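Review bot: `fd = __int32(1)` in nd_syscall.execveat, and again in nd_syscall.compat_execveat, narrows the literal 1 rather than fetching the first argument, so fd and fd_str would always report 1 and fd_str could never be the `-1`/`AT_FDCWD` the test expects; the other fields in the same probes fetch by position (`pointer_arg(2)`, `int_arg(5)`), and the fd line should do the same: `fd = int_arg(1)`. The two probes also disagree on the flags accessor (`flags = int_arg(5)` in execveat versus `flags = int32_arg(5)` in compat_execveat); one spelling should be used in both, presumably whichever the rest of this tapset already uses. The stray blank line before the closing brace of nd_syscall.compat_execveat can go.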
}
%)
+# execveat ______________________________________________
+# SYSCALL_DEFINE5(execveat,
+# int, fd, const char __user *, filename,
+# const char __user *const __user *, argv,
+# const char __user *const __user *, envp,
+# int, flags)
+#
+probe syscall.execveat = kernel.function("sys_execveat").call ?
+{
+ name = "execveat"
+ fd = __int32($fd)
+ fd_str = _dfd_str(__int32($fd))
+ filename = user_string_quoted(@__pointer($filename))
+ flags = int_arg($flags)
+ flags_str = _at_flag_str(__int32($flags))
+ __argv = @choose_defined($__argv, $argv)
+ args = __get_argv(__argv, 0)
+ argstr = sprintf("%s %s %s %s", fd_str, filename, __get_argv(__argv, 1), flags_str)
+}
+
+probe syscall.execveat.return = kernel.function("sys_execveat").return ?
+{
+ name = "execveat"
+ retstr = return_str(1, $return)
+}
+
%( kernel_v >= "3.7" %?
# In kernels >= 3.7, compat_sys_execve() has been moved to generic
# code, so we can use it with confidence.
retstr = return_str(1, $return)
}
%)
+probe syscall.compat_execveat = kernel.function("compat_sys_execveat").call ?
+{
+ name = "compat_execveat"
+ fd = __int32($fd)
+ fd_str = _dfd_str(__int32($fd))
+ filename = user_string_quoted(@__pointer($filename))
+ flags = int_arg($flags)
+ flags_str = _at_flag_str(__int32($flags))
+ __argv = @choose_defined($__argv, $argv)
+ args = __get_argv(__argv, 0)
+ argstr = sprintf("%s %s %s %s", fd_str, filename, __get_argv(__argv, 1), flags_str)
+}
+
+probe syscall.compat_execveat.return = kernel.function("compat_sys_execveat").return ?
+{
+ name = "compat_execveat"
+ retstr = return_str(1, $return)
+}
# exit _______________________________________________________
# long sys_exit(int error_code)
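Review bot: `flags = int_arg($flags)` in syscall.execveat and syscall.compat_execveat hands the DWARF value to an accessor that, judging by its `int_arg(5)` uses in the nd_syscall probes, takes an argument position, so flags would be read from whatever slot the flags value happens to index rather than from $flags itself; the line directly below already shows the intended form, so it should read `flags = __int32($flags)`, matching `fd = __int32($fd)`. A smaller point: argstr here is built from `__get_argv(__argv, 1)` while the nd_syscall variants build it from `args` (`__get_argv(..., 0)`), so the two probe families would print different argstr for the same call unless the offsets are meant to differ — worth a one-line comment if deliberate.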
printf("%s, %s\n", name, retstr)
}
+probe nd_syscall.execveat, nd_syscall.compat_execveat ?
+{
+ printf("%s, %s\n", name, argstr)
+ printf("%d, %s, %s, %d(%s), %s\n", fd, fd_str, filename, flags, flags_str, args)
+}
+
+probe nd_syscall.execveat.return, nd_syscall.compat_execveat.return ?
+{
+ printf("%s, %s\n", name, retstr)
+}
+
probe nd_syscall.exit
{
printf("%s, %s\n", name, argstr)
printf("%s, %s\n", name, retstr)
}
+probe syscall.execveat, syscall.compat_execveat ?
+{
+ printf("%s, %s\n", name, argstr)
+ printf("%d, %s, %s, %d(%s), %s\n", fd, fd_str, filename, flags, flags_str, args)
+}
+
+probe syscall.execveat.return, syscall.compat_execveat.return ?
+{
+ printf("%s, %s\n", name, retstr)
+}
probe syscall.exit
{
printf("%s, %s\n", name, argstr)
--- /dev/null
+#include <sys/syscall.h>
+#include <fcntl.h>
+#include <unistd.h>
+#if !defined(SYS_execveat) && defined(__NR_execveat)
+#define SYS_execveat __NR_execveat
+#endif
+
+int main() {
+#ifdef SYS_execveat
+ syscall(SYS_execveat, -1, "/bin/true", -1L, NULL, NULL);
+ //staptest// execveat (-1 "/bin/true" 0x0) = -NNNN (EFAULT)
+ syscall(SYS_execveat, -1, "/bin/true", NULL, -1L, NULL);
+ //staptest// execveat (-1 "/bin/true" 0x0) = -NNNN (EFAULT)
+ syscall(SYS_execveat, -1, "/bin/true", NULL, NULL, -1);
+ //staptest// execveat (-1 "/bin/true" AT_SYMLINK_NOFOLLOW|AT_REMOVEDIR|AT_SYMLINK_FOLLOW|AT_NO_AUTOMOUNT|AT_EMPTY_PATH|XXXX) = -NNNN
+ syscall(SYS_execveat, AT_FDCWD, "", NULL, NULL, NULL);
+ //staptest// execveat (AT_FDCWD "" 0x0) = -NNNN (ENOENT)
+ syscall(SYS_execveat, -1, -1L, NULL, NULL, NULL);
+#if __WORDSIZE == 64
+ //staptest// execveat (-1 [16]?[f]+ 0x0) = -NNNN (EFAULT)
+#else
+ //staptest// execveat (-1 [8]?[f]+ 0x0) = -NNNN (EFAULT)
+#endif
+ syscall(SYS_execveat, -1, "/bin/true", NULL, NULL, NULL);
+ //staptest// execveat (-1 "/bin/true" 0x0) = NNNN
+#endif
+ return 0;
+}
+
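Review bot: The AT_FDCWD call and the final call pass `NULL` for the kernel's int `flags` argument; glibc's variadic syscall() reads each extra argument as a long, so it happens to work, but a pointer constant where an int is expected reads as a mistake and should be `0`, as the other calls' flags positions suggest. The last call is expected to succeed (`= NNNN` with no errno), in which case the process image is replaced and `return 0` is never reached; a short comment above it saying the test deliberately ends by exec'ing /bin/true would save the next reader a puzzle. Style: `int main()` should be `int main(void)` to declare a proper prototype.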