관리-도구
편집 파일: sysc_setregid.stp
# setregid ___________________________________________________ # long sys_setregid(gid_t rgid, gid_t egid) # @define _SYSCALL_SETREGID_NAME %( name = "setregid" %) @define _SYSCALL_SETREGID_ARGSTR %( argstr = sprintf("%d, %d", rgid, egid) %) @define _SYSCALL_GATE %( %( arch == "x86_64" %? // There are actually 3 x86_64 setregid syscalls numbers (which // get mapped to 2 syscall functions: // - __NR_setregid which gets mapped to sys_setregid() // - __NR_ia32_setregid32 which also gets mapped to // sys_setregid() // - __NR_ia32_setregid which gets mapped to sys_setregid16() // (which is a wrapper around sys_setregid()) // So, we need to avoid sys_setregid() calls that come from // sys_setregid16(). @__syscall_compat_gate(@const("__NR_setregid"), @const("__NR_ia32_setregid32")) %: %( arch == "i386" %? // On i386, there are 2 setregid syscall numbers: // - __NR_setregid which gets mapped to sys_setregid16 // - __NR_setregid32 which gets mapped to sys_setregid // Since this gets called from a probe on sys_setregid, we'll // make sure this is really __NR_setregid32. @__syscall_nr_gate(@const("__NR_setregid32")) %) %) %) @define _SYSCALL_SETREGID_REGARGS %( rgid = __int32(uint_arg(1)) egid = __int32(uint_arg(2)) %) @define _SYSCALL_SETREGID16_REGARGS %( rgid = __short(uint_arg(1)) egid = __short(uint_arg(2)) %) probe syscall.setregid = dw_syscall.setregid !, nd_syscall.setregid ? {} probe syscall.setregid.return = dw_syscall.setregid.return !, nd_syscall.setregid.return ? {} # dw_setregid _____________________________________________________ probe dw_syscall.setregid = kernel.function("sys_setregid").call { @_SYSCALL_GATE @_SYSCALL_SETREGID_NAME rgid = __int32($rgid) egid = __int32($egid) @_SYSCALL_SETREGID_ARGSTR } probe dw_syscall.setregid.return = kernel.function("sys_setregid").return { @_SYSCALL_GATE @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR($return) } # nd_setregid _____________________________________________________ probe nd_syscall.setregid = nd1_syscall.setregid!, nd2_syscall.setregid!, tp_syscall.setregid { } probe nd1_syscall.setregid = kprobe.function("sys_setregid") ? { @_SYSCALL_GATE @_SYSCALL_SETREGID_NAME asmlinkage() @_SYSCALL_SETREGID_REGARGS @_SYSCALL_SETREGID_ARGSTR } /* kernel 4.17+ */ probe nd2_syscall.setregid = kprobe.function(@arch_syscall_prefix "sys_setregid") ? { __set_syscall_pt_regs(pointer_arg(1)) @_SYSCALL_SETREGID_NAME @_SYSCALL_SETREGID_REGARGS @_SYSCALL_SETREGID_ARGSTR } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.setregid = kernel.trace("sys_enter") { __set_syscall_pt_regs($regs) @__syscall_compat_gate(@const("__NR_setregid"), @const("__NR_compat_setregid32")) @_SYSCALL_SETREGID_NAME @_SYSCALL_SETREGID_REGARGS @_SYSCALL_SETREGID_ARGSTR } probe nd_syscall.setregid.return = nd1_syscall.setregid.return!, nd2_syscall.setregid.return!, tp_syscall.setregid.return { } probe nd1_syscall.setregid.return = kprobe.function("sys_setregid").return ? { @_SYSCALL_GATE @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 4.17+ */ probe nd2_syscall.setregid.return = kprobe.function(@arch_syscall_prefix "sys_setregid").return ? { @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.setregid.return = kernel.trace("sys_exit") { __set_syscall_pt_regs($regs) @__syscall_compat_gate(@const("__NR_setregid"), @const("__NR_compat_setregid32")) @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR($ret) } # setregid16 _________________________________________________ # long sys_setregid16(old_gid_t rgid, old_gid_t egid) # probe syscall.setregid16 = dw_syscall.setregid16 !, nd_syscall.setregid16 ? {} probe syscall.setregid16.return = dw_syscall.setregid16.return !, nd_syscall.setregid16.return ? {} # dw_setregid16 _____________________________________________________ probe dw_syscall.setregid16 = kernel.function("sys_setregid16").call ? { @_SYSCALL_SETREGID_NAME rgid = __short($rgid) egid = __short($egid) @_SYSCALL_SETREGID_ARGSTR } probe dw_syscall.setregid16.return = kernel.function("sys_setregid16").return ? { @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR($return) } # nd_setregid16 _____________________________________________________ probe nd_syscall.setregid16 = nd1_syscall.setregid16!, nd2_syscall.setregid16!, tp_syscall.setregid16 { } probe nd1_syscall.setregid16 = kprobe.function("sys_setregid16") ? { @_SYSCALL_SETREGID_NAME asmlinkage() @_SYSCALL_SETREGID16_REGARGS @_SYSCALL_SETREGID_ARGSTR } /* kernel 4.17+ */ probe nd2_syscall.setregid16 = kprobe.function(@arch_syscall_prefix "sys_setregid16") ? { __set_syscall_pt_regs(pointer_arg(1)) @_SYSCALL_SETREGID_NAME @_SYSCALL_SETREGID16_REGARGS @_SYSCALL_SETREGID_ARGSTR } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.setregid16 = kernel.trace("sys_enter") { __set_syscall_pt_regs($regs) @__compat_syscall_gate(@const("__NR_compat_setregid")) @_SYSCALL_SETREGID_NAME @_SYSCALL_SETREGID16_REGARGS @_SYSCALL_SETREGID_ARGSTR } probe nd_syscall.setregid16.return = nd1_syscall.setregid16.return!, nd2_syscall.setregid16.return!, tp_syscall.setregid16.return { } probe nd1_syscall.setregid16.return = kprobe.function("sys_setregid16").return ? { @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 4.17+ */ probe nd2_syscall.setregid16.return = kprobe.function(@arch_syscall_prefix "sys_setregid16").return ? { @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.setregid16.return = kernel.trace("sys_exit") { __set_syscall_pt_regs($regs) @__compat_syscall_gate(@const("__NR_compat_setregid")) @_SYSCALL_SETREGID_NAME @SYSC_RETVALSTR($ret) }