관리-도구

편집 파일: sysc_msgget.stp

# msgget _____________________________________________________
# long sys_msgget (key_t key, int msgflg)
#

@define _SYSCALL_MSGGET_NAME
%(
	name = "msgget"
%)

@define _SYSCALL_MSGGET_ARGSTR
%(
	argstr = sprintf("%s, %s", key_str, msgflg_str)
%)

@define _SYSCALL_MSGGET_REGARGS
%(
	key = int_arg(1)
	key_str = _stp_msgget_key_str(key)
	msgflg = int_arg(2)
	msgflg_str = __sem_flags(msgflg)
%)

@define _SYSCALL_IPC_MSGGET_REGARGS
%(
	key = int_arg(2)
	key_str = _stp_msgget_key_str(key)
	msgflg = int_arg(3)
	msgflg_str = __sem_flags(msgflg)
%)

probe syscall.msgget = dw_syscall.msgget !, nd_syscall.msgget ? {}
probe syscall.msgget.return = dw_syscall.msgget.return !, nd_syscall.msgget.return ? {}

# dw_msgget _____________________________________________________

probe dw_syscall.msgget = kernel.function("sys_msgget").call ?
{
	@_SYSCALL_MSGGET_NAME
	key = __int32($key)
	key_str = _stp_msgget_key_str(__int32($key))
	msgflg = __int32($msgflg)
	msgflg_str = __sem_flags(__int32($msgflg))
	@_SYSCALL_MSGGET_ARGSTR
}
probe dw_syscall.msgget.return = kernel.function("sys_msgget").return ?
{
	@_SYSCALL_MSGGET_NAME
	@SYSC_RETVALSTR($return)
}

# nd_msgget _____________________________________________________

probe nd_syscall.msgget = nd1_syscall.msgget!, nd2_syscall.msgget!, tp_syscall.msgget
  { }

probe nd1_syscall.msgget = kprobe.function("sys_msgget") ?
{
	@_SYSCALL_MSGGET_NAME
	asmlinkage()
	@_SYSCALL_MSGGET_REGARGS
	@_SYSCALL_MSGGET_ARGSTR
}

/* kernel 4.17+ */
probe nd2_syscall.msgget = __nd2_syscall.msgget ?,
	__nd2_syscall.compat_ipc.msgget ?
{
	@_SYSCALL_MSGGET_NAME
	@_SYSCALL_MSGGET_ARGSTR
}
probe __nd2_syscall.msgget = kprobe.function(@arch_syscall_prefix "sys_msgget") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_MSGGET_REGARGS
}
probe __nd2_syscall.compat_ipc.msgget =
	kprobe.function(@arch_syscall_prefix "compat_sys_ipc") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	if ((uint_arg(1) & 0xffff) != @const("MSGGET")) next;
	@_SYSCALL_IPC_MSGGET_REGARGS
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.msgget = __tp_syscall.msgget, __tp_syscall.ipc.msgget
{
	@_SYSCALL_MSGGET_NAME
	@_SYSCALL_MSGGET_ARGSTR
}
probe __tp_syscall.msgget = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_gate(@const("__NR_msgget"))
	@_SYSCALL_MSGGET_REGARGS
}
probe __tp_syscall.ipc.msgget = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_ipc"), @const("__NR_compat_ipc"))
	if ((uint_arg(1) & 0xffff) != @const("MSGGET")) next;
	@_SYSCALL_IPC_MSGGET_REGARGS
}

probe nd_syscall.msgget.return = nd1_syscall.msgget.return!, nd2_syscall.msgget.return!, tp_syscall.msgget.return
  { }
  
probe nd1_syscall.msgget.return = kprobe.function("sys_msgget").return ?
{
	@_SYSCALL_MSGGET_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 4.17+ */
probe nd2_syscall.msgget.return =
	__nd2_syscall.compat_ipc.msgget.return ?,
	kprobe.function(@arch_syscall_prefix "sys_msgget").return ?
{
	@_SYSCALL_MSGGET_NAME
	@SYSC_RETVALSTR(returnval())
}
probe __nd2_syscall.compat_ipc.msgget.return =
	kprobe.function(@arch_syscall_prefix "compat_sys_ipc").return ?
{
	__set_syscall_pt_regs(@entry(pointer_arg(1)))
	if ((uint_arg(1) & 0xffff) != @const("MSGGET")) next;
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.msgget.return = __tp_syscall.msgget.return, __tp_syscall.ipc.msgget.return
{
	@_SYSCALL_MSGGET_NAME
	@SYSC_RETVALSTR($ret)
}
probe __tp_syscall.msgget.return = kernel.trace("sys_exit")
{
	@__syscall_gate(@const("__NR_msgget"))
}
probe __tp_syscall.ipc.msgget.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_ipc"), @const("__NR_compat_ipc"))
	if ((uint_arg(1) & 0xffff) != @const("MSGGET")) next;
}