From e5a7e59f6cdee56491b15fd4b9f0433ec6ea45fb Mon Sep 17 00:00:00 2001
From: Martin Cermak
Date: Thu, 22 Dec 2016 16:51:03 +0100
Subject: [PATCH] PR20333/execve
---
 tapset/linux/nd_syscalls.stp | 51 ----------------
 tapset/linux/sysc_execve.stp | 109 +++++++++++++++++++++++++++++++++++
 tapset/linux/syscalls.stp | 56 ------------------
 3 files changed, 109 insertions(+), 107 deletions(-)
 create mode 100644 tapset/linux/sysc_execve.stp
diff --git a/tapset/linux/nd_syscalls.stp b/tapset/linux/nd_syscalls.stp
index 1e7d072c5..16653d0a0 100644
--- a/tapset/linux/nd_syscalls.stp
+++ b/tapset/linux/nd_syscalls.stp
@@ -1,54 +1,3 @@
-
-# execve _____________________________________________________
-%( kernel_v >= "3.7" %?
-# In kernels >= 3.7, sys_execve() has been moved to generic code, so we
-# can use it with confidence. For kernels < 3.7, execve support is in
-# arch-specific tapset code.
-#
-# execve _____________________________________________________
-# SYSCALL_DEFINE3(execve,
-# const char __user *, filename,
-# const char __user *const __user *, argv,
-# const char __user *const __user *, envp)
-probe nd_syscall.execve = kprobe.function("sys_execve")
-{
- name = "execve"
- asmlinkage()
- filename = user_string_quoted(pointer_arg(1))
- args = __get_argv(pointer_arg(2), 0)
- env_str = __count_envp(pointer_arg(3))
- argstr = sprintf("%s, %s, %s", filename, args, env_str)
-}
-probe nd_syscall.execve.return = kprobe.function("sys_execve").return
-{
- name = "execve"
- retstr = returnstr(1)
-}
-
-# In kernels >= 3.7, compat_sys_execve() has been moved to generic
-# code, so we can use it with confidence. For kernels < 3.7,
-# compat_execve support is in arch-specific tapset code.
-#
-# asmlinkage long compat_sys_execve(const char __user * filename,
-# const compat_uptr_t __user * argv,
-# const compat_uptr_t __user * envp)
-probe nd_syscall.compat_execve = kprobe.function("compat_sys_execve").call ?
-{
- name = "execve"
- asmlinkage()
- filename = user_string_quoted(pointer_arg(1))
- args = __get_compat_argv(pointer_arg(2), 0)
- env_str = __count_compat_envp(pointer_arg(3))
- argstr = sprintf("%s, %s, %s", filename, args, env_str)
-}
-probe nd_syscall.compat_execve.return =
- kprobe.function("compat_sys_execve").return ?
-{
- name = "execve"
- retstr = returnstr(1)
-}
-%)
-
 # execveat ______________________________________________
 # SYSCALL_DEFINE5(execveat,
 # int, fd, const char __user *, filename,
diff --git a/tapset/linux/sysc_execve.stp b/tapset/linux/sysc_execve.stp
new file mode 100644
index 000000000..0e8b8c93c
--- /dev/null
+++ b/tapset/linux/sysc_execve.stp
@@ -0,0 +1,109 @@
+# execve _____________________________________________________
+# NB: kprocess.exec[_complete] is aliased to syscall.execve[.return]
+%( kernel_v >= "3.7" %?
+# In kernels >= 3.7, sys_execve() has been moved to generic code, so we
+# can use it with confidence. For kernels < 3.7, execve support is in
+# arch-specific tapset code.
+#
+# SYSCALL_DEFINE3(execve,
+# const char __user *, filename,
+# const char __user *const __user *, argv,
+# const char __user *const __user *, envp)
+
+@define _SYSCALL_EXECVE_NAME
+%(
+ name = "execve"
+%)
+
+@define _SYSCALL_EXECVE_ARGSTR
+%(
+ argstr = sprintf("%s, %s, %s", filename, args, env_str)
+%)
+
+probe syscall.execve = dw_syscall.execve !, nd_syscall.execve {}
+probe syscall.execve.return = dw_syscall.execve.return !, nd_syscall.execve.return {}
+
+# dw_execve _____________________________________________________
+
+probe dw_syscall.execve = kernel.function("sys_execve").call
+{
+ @_SYSCALL_EXECVE_NAME
+ filename = user_string_quoted(@choose_defined($filename, $name))
+ # kernel 3.0 changed the pointer's name to __argv
+ __argv = @choose_defined($__argv, $argv)
+ args = __get_argv(__argv, 0)
+ __envp = @choose_defined($__envp, $envp)
+ env_str = __count_envp(__envp)
+ @_SYSCALL_EXECVE_ARGSTR
+}
+probe dw_syscall.execve.return = kernel.function("sys_execve").return
+{
+ @_SYSCALL_EXECVE_NAME
+ retstr = return_str(1, $return)
+}
+
+# In kernels >= 3.7, compat_sys_execve() has been moved to generic
+# code, so we can use it with confidence. For kernels < 3.7,
+# compat_execve support is in arch-specific tapset code.
+#
+# asmlinkage long compat_sys_execve(const char __user * filename,
+# const compat_uptr_t __user * argv,
+# const compat_uptr_t __user * envp)
+probe syscall.compat_execve = kernel.function("compat_sys_execve").call ?
+{
+ @_SYSCALL_EXECVE_NAME
+ filename = user_string_quoted($filename)
+ # kernel 3.0 changed the pointer's name to __argv
+ __argv = @choose_defined($__argv, $argv)
+ args = __get_compat_argv(__argv, 0)
+ __envp = @choose_defined($__envp, $envp)
+ env_str = __count_compat_envp(__envp)
+ @_SYSCALL_EXECVE_ARGSTR
+}
+probe syscall.compat_execve.return =
+ kernel.function("compat_sys_execve").return ?
+{
+ @_SYSCALL_EXECVE_NAME
+ retstr = return_str(1, $return)
+}
+
+# nd_execve _____________________________________________________
+
+probe nd_syscall.execve = kprobe.function("sys_execve")
+{
+ @_SYSCALL_EXECVE_NAME
+ asmlinkage()
+ filename = user_string_quoted(pointer_arg(1))
+ args = __get_argv(pointer_arg(2), 0)
+ env_str = __count_envp(pointer_arg(3))
+ @_SYSCALL_EXECVE_ARGSTR
+}
+probe nd_syscall.execve.return = kprobe.function("sys_execve").return
+{
+ @_SYSCALL_EXECVE_NAME
+ retstr = returnstr(1)
+}
+
+# In kernels >= 3.7, compat_sys_execve() has been moved to generic
+# code, so we can use it with confidence. For kernels < 3.7,
+# compat_execve support is in arch-specific tapset code.
+#
+# asmlinkage long compat_sys_execve(const char __user * filename,
+# const compat_uptr_t __user * argv,
+# const compat_uptr_t __user * envp)
+probe nd_syscall.compat_execve = kprobe.function("compat_sys_execve").call ?
+{
+ @_SYSCALL_EXECVE_NAME
+ asmlinkage()
+ filename = user_string_quoted(pointer_arg(1))
+ args = __get_compat_argv(pointer_arg(2), 0)
+ env_str = __count_compat_envp(pointer_arg(3))
+ @_SYSCALL_EXECVE_ARGSTR
+}
+probe nd_syscall.compat_execve.return =
+ kprobe.function("compat_sys_execve").return ?
+{
+ @_SYSCALL_EXECVE_NAME
+ retstr = returnstr(1)
+}
+%)
diff --git a/tapset/linux/syscalls.stp b/tapset/linux/syscalls.stp
index 2c5c15e57..5d4bee61b 100644
--- a/tapset/linux/syscalls.stp
+++ b/tapset/linux/syscalls.stp
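Review bot: The dwarfless fallback introduced by `probe syscall.execve = dw_syscall.execve !, nd_syscall.execve {}` is not extended to the compat variant: `probe syscall.compat_execve = kernel.function("compat_sys_execve").call ?` (and its `.return`) binds the public alias straight to the DWARF probe, while `nd_syscall.compat_execve[.return]` further down in the same file is reachable only by its private name. On a kernel without debuginfo the optional `?` makes `syscall.compat_execve` resolve to nothing silently, so a script auditing exec events keeps seeing native execve through the kprobe path but loses every 32-bit compat execve. The original syscalls.stp had the same shape, so this is pre-existing, but the new file is where the dw_/nd_ split is being set up and the compat probes should follow the same pattern: rename the two DWARF probes to `dw_syscall.compat_execve[.return]` and add `syscall.compat_execve[.return]` aliases that fall back to the nd_ probes, as sketched below.

```systemtap
probe syscall.compat_execve = dw_syscall.compat_execve !,
                              nd_syscall.compat_execve {}
probe syscall.compat_execve.return = dw_syscall.compat_execve.return !,
                                     nd_syscall.compat_execve.return {}

# dw_compat_execve _____________________________________________________

probe dw_syscall.compat_execve = kernel.function("compat_sys_execve").call ?
{
 # … unchanged: compat filename/argv/envp decoding …
}
probe dw_syscall.compat_execve.return =
 kernel.function("compat_sys_execve").return ?
{
 # … unchanged: name and retstr …
}
```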
@@ -1,59 +1,3 @@
-
-# execve _____________________________________________________
-# NB: kprocess.exec[_complete] is aliased to syscall.execve[.return]
-%( kernel_v >= "3.7" %?
-# In kernels >= 3.7, sys_execve() has been moved to generic code, so we
-# can use it with confidence. For kernels < 3.7, execve support is in
-# arch-specific tapset code.
-#
-# SYSCALL_DEFINE3(execve,
-# const char __user *, filename,
-# const char __user *const __user *, argv,
-# const char __user *const __user *, envp)
-probe syscall.execve = kernel.function("sys_execve").call
-{
- name = "execve"
- filename = user_string_quoted(@choose_defined($filename, $name))
- # kernel 3.0 changed the pointer's name to __argv
- __argv = @choose_defined($__argv, $argv)
- args = __get_argv(__argv, 0)
- __envp = @choose_defined($__envp, $envp)
- env_str = __count_envp(__envp)
- argstr = sprintf("%s, %s, %s", filename, args, env_str)
-}
-probe syscall.execve.return = kernel.function("sys_execve").return
-{
- name = "execve"
- retstr = return_str(1, $return)
-}
-
-# In kernels >= 3.7, compat_sys_execve() has been moved to generic
-# code, so we can use it with confidence. For kernels < 3.7,
-# compat_execve support is in arch-specific tapset code.
-#
-# asmlinkage long compat_sys_execve(const char __user * filename,
-# const compat_uptr_t __user * argv,
-# const compat_uptr_t __user * envp)
-probe syscall.compat_execve = kernel.function("compat_sys_execve").call ?
-{
- name = "execve"
- filename = user_string_quoted($filename)
- # kernel 3.0 changed the pointer's name to __argv
- __argv = @choose_defined($__argv, $argv)
- args = __get_compat_argv(__argv, 0)
- __envp = @choose_defined($__envp, $envp)
- env_str = __count_compat_envp(__envp)
- argstr = sprintf("%s, %s, %s", filename, __get_compat_argv(__argv, 0),
- __count_compat_envp(__envp))
-}
-probe syscall.compat_execve.return =
- kernel.function("compat_sys_execve").return ?
-{
- name = "execve"
- retstr = return_str(1, $return)
-}
-%)
-
 # execveat ______________________________________________
 # SYSCALL_DEFINE5(execveat,
 # int, fd, const char __user *, filename,
-- 2.43.5