관리-도구

편집 파일: sysc_ioctl.stp

# ioctl ______________________________________________________
# long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
# long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
#

@define _SYSCALL_IOCTL_NAME
%(
	name = "ioctl"
%)

@define _SYSCALL_IOCTL_ARGSTR
%(
	argstr = sprintf("%d, %d, %p", fd, request, argp)
%)

@define _SYSCALL_IOCTL_REGARGS
%(
	fd = int_arg(1)
	request = int_arg(2)
	argp = ulong_arg(3)
%)

probe syscall.ioctl = dw_syscall.ioctl !, nd_syscall.ioctl ? {}
probe syscall.ioctl.return = dw_syscall.ioctl.return !, nd_syscall.ioctl.return ? {}

# dw_ioctl _____________________________________________________

probe dw_syscall.ioctl = __syscall.ioctl ?,
	kernel.function("compat_sys_ioctl").call ?
{
	@_SYSCALL_IOCTL_NAME
	fd = __int32($fd)
	request = __int32($cmd)
	argp = @__compat_ulong(@choose_defined($arg, $arg32))
	@_SYSCALL_IOCTL_ARGSTR
}
probe __syscall.ioctl = kernel.function("sys_ioctl").call
{
	@__syscall_gate(@const("__NR_ioctl"))
}
probe dw_syscall.ioctl.return =
	__syscall.ioctl.return ?,
	kernel.function("compat_sys_ioctl").return ?
{
	@_SYSCALL_IOCTL_NAME
	@SYSC_RETVALSTR($return)
}
probe __syscall.ioctl.return = kernel.function("sys_ioctl").return
{
	@__syscall_gate(@const("__NR_ioctl"))
}

# nd_ioctl _____________________________________________________

probe nd_syscall.ioctl = nd1_syscall.ioctl!, nd2_syscall.ioctl!, tp_syscall.ioctl
  { }

probe nd1_syscall.ioctl = __nd1_syscall.ioctl,
	kprobe.function("compat_sys_ioctl") ?
{
	asmlinkage()
	@_SYSCALL_IOCTL_NAME
	@_SYSCALL_IOCTL_REGARGS
	@_SYSCALL_IOCTL_ARGSTR
}
probe __nd1_syscall.ioctl = kprobe.function("sys_ioctl")
{
	@__syscall_gate(@const("__NR_ioctl"))
}

/* kernel 4.17+ */
probe nd2_syscall.ioctl = kprobe.function(@arch_syscall_prefix "sys_ioctl") ?,
	kprobe.function(@arch_syscall_prefix "compat_sys_ioctl") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_IOCTL_NAME
	@_SYSCALL_IOCTL_REGARGS
	@_SYSCALL_IOCTL_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.ioctl = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_ioctl"), @const("__NR_compat_ioctl"))
	@_SYSCALL_IOCTL_NAME
	@_SYSCALL_IOCTL_REGARGS
	@_SYSCALL_IOCTL_ARGSTR
}

probe nd_syscall.ioctl.return = nd1_syscall.ioctl.return!, nd2_syscall.ioctl.return!, tp_syscall.ioctl.return
  { }
  
probe nd1_syscall.ioctl.return =
	__nd1_syscall.ioctl.return,
	kprobe.function("compat_sys_ioctl").return ?
{
	@_SYSCALL_IOCTL_NAME
	@SYSC_RETVALSTR(returnval())
}
probe __nd1_syscall.ioctl.return = kprobe.function("sys_ioctl").return
{
	@__syscall_gate(@const("__NR_ioctl"))
}

/* kernel 4.17+ */
probe nd2_syscall.ioctl.return = kprobe.function(@arch_syscall_prefix "sys_ioctl").return ?,
	kprobe.function(@arch_syscall_prefix "compat_sys_ioctl").return ?
{
	@_SYSCALL_IOCTL_NAME
	@SYSC_RETVALSTR(returnval())
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.ioctl.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_ioctl"), @const("__NR_compat_ioctl"))
	@_SYSCALL_IOCTL_NAME
	@SYSC_RETVALSTR($ret)
}