관리-도구

편집 파일: sysc_getdents.stp

# getdents ___________________________________________________
# long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
# long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
# long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
#

@define _SYSCALL_GETDENTS_NAME
%(
	name = "getdents"
%)

@define _SYSCALL_GETDENTS_ARGSTR
%(
	argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
%)

@define _SYSCALL_GATE
%(
%( arch == "s390" && kernel_v >= "3.15" %?
	# s390 switched from assembly compat wrappers to C-based
	# wrappers in kernel 3.15.
	@__syscall_gate_compat_simple
%)
%)

@define _SYSCALL_GETDENTS_REGARGS
%(
	fd = int_arg(1)
	dirp_uaddr = pointer_arg(2)
	count = uint_arg(3)
%)

probe syscall.getdents = dw_syscall.getdents !, nd_syscall.getdents ? {}
probe syscall.getdents.return = dw_syscall.getdents.return !,
                                nd_syscall.getdents.return ? {}

# dw_getdents _____________________________________________________

probe dw_syscall.getdents = __syscall.getdents ?,
                         kernel.function("compat_sys_getdents").call ?,
                         kernel.function("compat_sys_getdents64").call ?
{
	@_SYSCALL_GETDENTS_NAME
	fd = __int32($fd)
	dirp_uaddr = $dirent
	count = __uint32($count)
	@_SYSCALL_GETDENTS_ARGSTR
}
probe __syscall.getdents = kernel.function("sys_getdents").call ?,
                           kernel.function("sys_getdents64").call ?
{
	@_SYSCALL_GATE
}
probe dw_syscall.getdents.return = __syscall.getdents.return ?,
	kernel.function("compat_sys_getdents").return ?,
	kernel.function("compat_sys_getdents64").return ?
{
	@_SYSCALL_GETDENTS_NAME
	@SYSC_RETVALSTR($return)
}
probe __syscall.getdents.return = kernel.function("sys_getdents").return ?,
                                  kernel.function("sys_getdents64").return ?
{
	@_SYSCALL_GATE
}

# nd_getdents _____________________________________________________

probe nd_syscall.getdents = nd1_syscall.getdents!, nd2_syscall.getdents!, tp_syscall.getdents
  { }

probe nd1_syscall.getdents = __nd1_syscall.getdents ?,
                             kprobe.function("compat_sys_getdents") ?,
                             kprobe.function("compat_sys_getdents64") ?
{
	@_SYSCALL_GETDENTS_NAME
	asmlinkage()
	@_SYSCALL_GETDENTS_REGARGS
	@_SYSCALL_GETDENTS_ARGSTR
}
probe __nd1_syscall.getdents = kprobe.function("sys_getdents") ?,
                               kprobe.function("sys_getdents64") ?
{
	@_SYSCALL_GATE
}

/* kernel 4.17+ */
probe nd2_syscall.getdents = kprobe.function(@arch_syscall_prefix "sys_getdents") ?,
                             kprobe.function(@arch_syscall_prefix "sys_getdents64") ?,
                             kprobe.function(@arch_syscall_prefix "compat_sys_getdents") ?,
                             kprobe.function(@arch_syscall_prefix "compat_sys_getdents64") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_GETDENTS_NAME
	@_SYSCALL_GETDENTS_REGARGS
	@_SYSCALL_GETDENTS_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.getdents = __tp_syscall.getdents, __tp_syscall.getdents64
{
	__set_syscall_pt_regs($regs)
	@_SYSCALL_GETDENTS_NAME
	@_SYSCALL_GETDENTS_REGARGS
	@_SYSCALL_GETDENTS_ARGSTR
}
probe __tp_syscall.getdents = kernel.trace("sys_enter")
{
	@__syscall_compat_gate(@const("__NR_getdents"), @const("__NR_compat_getdents"))
}
probe __tp_syscall.getdents64 = kernel.trace("sys_enter")
{
	@__syscall_compat_gate(@const("__NR_getdents64"), @const("__NR_compat_getdents64"))
}

probe nd_syscall.getdents.return = nd1_syscall.getdents.return!, nd2_syscall.getdents.return!, tp_syscall.getdents.return
  { }
  
probe nd1_syscall.getdents.return = __nd1_syscall.getdents.return ?,
	kprobe.function("compat_sys_getdents").return ?,
	kprobe.function("compat_sys_getdents64").return ?
{
	@_SYSCALL_GETDENTS_NAME
	@SYSC_RETVALSTR(returnval())
}
probe __nd1_syscall.getdents.return = kprobe.function("sys_getdents").return ?,
                                      kprobe.function("sys_getdents64").return ?
{
	@_SYSCALL_GATE
}

/* kernel 4.17+ */
probe nd2_syscall.getdents.return = kprobe.function(@arch_syscall_prefix "sys_getdents").return ?,
                                    kprobe.function(@arch_syscall_prefix "sys_getdents64").return ?,
                                    kprobe.function(@arch_syscall_prefix "compat_sys_getdents").return ?,
                                    kprobe.function(@arch_syscall_prefix "compat_sys_getdents64").return ?
{
	@_SYSCALL_GETDENTS_NAME
	@SYSC_RETVALSTR(returnval())
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.getdents.return = __tp_syscall.getdents.return, __tp_syscall.getdents64.return 
{
	__set_syscall_pt_regs($regs)
	@_SYSCALL_GETDENTS_NAME
	@SYSC_RETVALSTR($ret)
}
probe __tp_syscall.getdents.return = kernel.trace("sys_exit")
{
	@__syscall_compat_gate(@const("__NR_getdents"), @const("__NR_compat_getdents"))
}
probe __tp_syscall.getdents64.return = kernel.trace("sys_exit")
{
	@__syscall_compat_gate(@const("__NR_getdents64"), @const("__NR_compat_getdents64"))
}