From bf16266782e1f2588b519a50d9684279d4e21036 Mon Sep 17 00:00:00 2001
From: Lukas Berk <lberk@redhat.com>
Date: Wed, 18 Feb 2015 15:26:07 -0500
Subject: [PATCH] Linux 3.19 added the execveat syscall, adding tapset support

tapset/linux/nd_syscalls.stp - no debuginfo tapset
tapset/linux/syscalls.stp - regular tapset
testsuite/buildok/nd_syscalls-detailed.stp - update no debuginfo testcase
testsuite/buildok/syscalls-detailed.stp - update testcase
testsuite/systemtap.syscall/execveat.c - new syscall testcase
---
 tapset/linux/nd_syscalls.stp               | 42 +++++++++++++++++++++
 tapset/linux/syscalls.stp                  | 44 ++++++++++++++++++++++
 testsuite/buildok/nd_syscalls-detailed.stp | 11 ++++++
 testsuite/buildok/syscalls-detailed.stp    | 10 +++++
 testsuite/systemtap.syscall/execveat.c     | 29 ++++++++++++++
 5 files changed, 136 insertions(+)
 create mode 100644 testsuite/systemtap.syscall/execveat.c

diff --git a/tapset/linux/nd_syscalls.stp b/tapset/linux/nd_syscalls.stp
index 307242150..6c1d452d1 100644
--- a/tapset/linux/nd_syscalls.stp
+++ b/tapset/linux/nd_syscalls.stp
@@ -1164,6 +1164,30 @@ probe nd_syscall.execve.return = kprobe.function("do_execve").return
 }
 %)
 
+# execveat ______________________________________________
+# SYSCALL_DEFINE5(execveat,
+#		int, fd, const char __user *, filename,
+#		const char __user *const __user *, argv,
+#		const char __user *const __user *, envp,
+#		int, flags)
+#
+probe nd_syscall.execveat = kprobe.function("do_execveat").call ?
+{
+        name = "execveat"
+	 fd = __int32(1)
+	 fd_str = _dfd_str(fd)
+        filename = user_string_quoted(pointer_arg(2))
+        args = __get_argv(pointer_arg(3), 0)
+	 flags = int_arg(5)
+	 flags_str = _at_flag_str(flags)
+        argstr = sprintf("%s %s %s %s", fd_str, filename, args, flags_str)
+}
+probe nd_syscall.execveat.return = kprobe.function("do_execveat").return ?
+{
+        name = "execveat"
+	 retstr = returnstr(1)
+}
+
 %( kernel_v >= "3.7" %?
 # In kernels >= 3.7, compat_sys_execve() has been moved to generic
 # code, so we can use it with confidence.
@@ -1210,6 +1234,24 @@ probe nd_syscall.compat_execve.return =
 }
 %)
 
+probe nd_syscall.compat_execveat = kprobe.function("compat_do_execveat").call ?
+{
+        name = "compat_execveat"
+	 fd = __int32(1)
+	 fd_str = _dfd_str(fd) 
+        filename = user_string_quoted(pointer_arg(2))
+        args = __get_argv(pointer_arg(3), 0)
+	 flags = int32_arg(5)
+	 flags_str = _at_flag_str(flags)
+        argstr = sprintf("%s %s %s %s", fd_str, filename, args, flags_str)
+
+}
+probe nd_syscall.compat_execveat.return = kprobe.function("compat_do_execveat").return ?
+{
+        name = "compat_execveat"
+	 retstr = returnstr(1)
+}
+
 # exit _______________________________________________________
 # long sys_exit(int error_code)
 probe nd_syscall.exit = kprobe.function("sys_exit").call
diff --git a/tapset/linux/syscalls.stp b/tapset/linux/syscalls.stp
index c06c96f40..ca3168222 100644
--- a/tapset/linux/syscalls.stp
+++ b/tapset/linux/syscalls.stp
@@ -1069,6 +1069,32 @@ probe syscall.execve.return = kernel.function("do_execve").return
 }
 %)
 
+# execveat ______________________________________________
+# SYSCALL_DEFINE5(execveat,
+#		int, fd, const char __user *, filename,
+#		const char __user *const __user *, argv,
+#		const char __user *const __user *, envp,
+#		int, flags)
+#
+probe syscall.execveat = kernel.function("sys_execveat").call ?
+{
+        name = "execveat"
+        fd = __int32($fd)
+        fd_str = _dfd_str(__int32($fd))
+        filename = user_string_quoted(@__pointer($filename))
+        flags = int_arg($flags)
+	 flags_str = _at_flag_str(__int32($flags))
+        __argv = @choose_defined($__argv, $argv)
+        args = __get_argv(__argv, 0)
+        argstr = sprintf("%s %s %s %s", fd_str, filename, __get_argv(__argv, 1), flags_str)
+}
+
+probe syscall.execveat.return = kernel.function("sys_execveat").return ?
+{
+        name = "execveat"
+        retstr = return_str(1, $return)
+}
+
 %( kernel_v >= "3.7" %?
 # In kernels >= 3.7, compat_sys_execve() has been moved to generic
 # code, so we can use it with confidence.
@@ -1116,6 +1142,24 @@ probe syscall.compat_execve.return =
 	retstr = return_str(1, $return)
 }
 %)
+probe syscall.compat_execveat = kernel.function("compat_sys_execveat").call ?
+{
+        name = "compat_execveat"
+        fd = __int32($fd)
+        fd_str = _dfd_str(__int32($fd))
+        filename = user_string_quoted(@__pointer($filename))
+        flags = int_arg($flags)
+	 flags_str = _at_flag_str(__int32($flags))
+        __argv = @choose_defined($__argv, $argv)
+        args = __get_argv(__argv, 0)
+        argstr = sprintf("%s %s %s %s", fd_str, filename, __get_argv(__argv, 1), flags_str)
+}
+
+probe syscall.compat_execveat.return = kernel.function("compat_sys_execveat").return ?
+{
+        name = "compat_execveat"
+        retstr = return_str(1, $return)
+}
 
 # exit _______________________________________________________
 # long sys_exit(int error_code)
diff --git a/testsuite/buildok/nd_syscalls-detailed.stp b/testsuite/buildok/nd_syscalls-detailed.stp
index cd39032ff..e759d1d5f 100755
--- a/testsuite/buildok/nd_syscalls-detailed.stp
+++ b/testsuite/buildok/nd_syscalls-detailed.stp
@@ -342,6 +342,17 @@ probe nd_syscall.execve.return, nd_syscall.compat_execve.return ?
 	printf("%s, %s\n", name, retstr)
 }
 
+probe nd_syscall.execveat, nd_syscall.compat_execveat ?
+{
+        printf("%s, %s\n", name, argstr)
+        printf("%d, %s, %s, %d(%s), %s\n", fd, fd_str, filename, flags, flags_str, args)
+}
+
+probe nd_syscall.execveat.return, nd_syscall.compat_execveat.return ?
+{
+        printf("%s, %s\n", name, retstr)
+}
+
 probe nd_syscall.exit
 {
 	printf("%s, %s\n", name, argstr)
diff --git a/testsuite/buildok/syscalls-detailed.stp b/testsuite/buildok/syscalls-detailed.stp
index 85635e417..f3f3ddcee 100755
--- a/testsuite/buildok/syscalls-detailed.stp
+++ b/testsuite/buildok/syscalls-detailed.stp
@@ -342,6 +342,16 @@ probe syscall.execve.return, syscall.compat_execve.return ?
 	printf("%s, %s\n", name, retstr)
 }
 
+probe syscall.execveat, syscall.compat_execveat ?
+{
+        printf("%s, %s\n", name, argstr)
+	 printf("%d, %s, %s, %d(%s), %s\n", fd, fd_str, filename, flags, flags_str, args)
+}
+
+probe syscall.execveat.return, syscall.compat_execveat.return ?
+{
+        printf("%s, %s\n", name, retstr)
+}
 probe syscall.exit
 {
 	printf("%s, %s\n", name, argstr)
diff --git a/testsuite/systemtap.syscall/execveat.c b/testsuite/systemtap.syscall/execveat.c
new file mode 100644
index 000000000..fa8c63038
--- /dev/null
+++ b/testsuite/systemtap.syscall/execveat.c
@@ -0,0 +1,29 @@
+#include <sys/syscall.h>
+#include <fcntl.h>
+#include <unistd.h>
+#if !defined(SYS_execveat) && defined(__NR_execveat)
+#define SYS_execveat __NR_execveat
+#endif
+
+int main() {
+#ifdef SYS_execveat
+  syscall(SYS_execveat, -1, "/bin/true", -1L, NULL, NULL);
+  //staptest// execveat (-1 "/bin/true"  0x0) = -NNNN (EFAULT)
+  syscall(SYS_execveat, -1, "/bin/true", NULL, -1L, NULL);
+  //staptest// execveat (-1 "/bin/true"  0x0) = -NNNN (EFAULT)
+  syscall(SYS_execveat, -1, "/bin/true", NULL, NULL, -1);
+  //staptest// execveat (-1 "/bin/true"  AT_SYMLINK_NOFOLLOW|AT_REMOVEDIR|AT_SYMLINK_FOLLOW|AT_NO_AUTOMOUNT|AT_EMPTY_PATH|XXXX) = -NNNN
+  syscall(SYS_execveat, AT_FDCWD, "", NULL, NULL, NULL);
+  //staptest// execveat (AT_FDCWD ""  0x0) = -NNNN (ENOENT)
+  syscall(SYS_execveat, -1, -1L, NULL, NULL, NULL);
+#if __WORDSIZE == 64
+  //staptest// execveat (-1 [16]?[f]+  0x0) = -NNNN (EFAULT)
+#else
+  //staptest// execveat (-1 [8]?[f]+  0x0) = -NNNN (EFAULT)
+#endif
+  syscall(SYS_execveat, -1, "/bin/true", NULL, NULL, NULL);
+  //staptest// execveat (-1 "/bin/true"  0x0) = NNNN
+#endif
+  return 0;
+}
+
-- 
2.43.5