관리-도구

편집 파일: sysc_uname.stp

# uname ______________________________________________________
#
# int sys_uname(struct old_utsname __user *name)
# long sys_newuname(struct new_utsname __user * name)
# int sys_olduname(struct oldold_utsname __user * name)
# int sys32_olduname(struct oldold_utsname __user * name)
# long sys32_uname(struct old_utsname __user * name)
#

@define _SYSCALL_UNAME_NAME
%(
	name = "uname"
%)

@define _SYSCALL_UNAME_ARGSTR
%(
	argstr = sprintf("%p", name_uaddr)
%)

@define _SYSCALL_UNAME_REGARGS
%(
	name_uaddr = pointer_arg(1)
%)

probe syscall.uname = dw_syscall.uname !, nd_syscall.uname ? {}
probe syscall.uname.return = dw_syscall.uname.return !, nd_syscall.uname.return ? {}

# dw_uname _____________________________________________________

probe dw_syscall.uname = kernel.function("sys_uname").call ?,
                      kernel.function("sys_olduname").call ?,
                      kernel.function("sys32_olduname").call ?,
                      kernel.function("sys32_uname").call ?,
                      kernel.function("sys_newuname").call ?
{
	@_SYSCALL_UNAME_NAME
	name_uaddr = $name
	@_SYSCALL_UNAME_ARGSTR
}

probe dw_syscall.uname.return = kernel.function("sys_uname").return ?,
                             kernel.function("sys_olduname").return ?,
                             kernel.function("sys32_olduname").return ?,
                             kernel.function("sys32_uname").return ?,
                             kernel.function("sys_newuname").return ?
{
	@_SYSCALL_UNAME_NAME
	@SYSC_RETVALSTR($return)
}

# nd_uname _____________________________________________________

probe nd_syscall.uname = nd1_syscall.uname!, nd2_syscall.uname!, tp_syscall.uname
  { }

probe nd1_syscall.uname = kprobe.function("sys_uname") ?,
                          kprobe.function("sys_olduname") ?,
                          kprobe.function("sys32_olduname") ?,
                          kprobe.function("sys32_uname") ?,
                          kprobe.function("sys_newuname") ?
{
	@_SYSCALL_UNAME_NAME
	_func_name = ppfunc()
	if (_func_name != "sys32_uname") {
		if (_func_name == "sys_uname" || _func_name == "sys_olduname") {
			%( arch != "powerpc" %? asmlinkage() %)
		} else
			asmlinkage()
	}
	@_SYSCALL_UNAME_REGARGS
	@_SYSCALL_UNAME_ARGSTR
}

/* kernel 4.17+ */
probe nd2_syscall.uname =
	kprobe.function(@arch_syscall_prefix "sys_uname") ?,
	kprobe.function(@arch_syscall_prefix "sys_olduname") ?,
	kprobe.function(@arch_syscall_prefix "sys_newuname") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_UNAME_NAME
	@_SYSCALL_UNAME_REGARGS
	@_SYSCALL_UNAME_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.uname = __tp_syscall.uname,
                         __tp_syscall.olduname,
			 __tp_syscall.newuname
{
	__set_syscall_pt_regs($regs)
	@_SYSCALL_UNAME_NAME
	@_SYSCALL_UNAME_REGARGS
	@_SYSCALL_UNAME_ARGSTR
}
probe __tp_syscall.uname = kernel.trace("sys_enter")
{
	@__syscall_compat_gate(@const("__NR_olduname"), @const("__NR_compat_olduname"))
}
probe __tp_syscall.olduname = kernel.trace("sys_enter")
{
	@__syscall_compat_gate(@const("__NR_oldolduname"), @const("__NR_compat_oldolduname"))
}
probe __tp_syscall.newuname = kernel.trace("sys_enter")
{
	@__syscall_compat_gate(@const("__NR_uname"), @const("__NR_compat_uname"))
}

probe nd_syscall.uname.return = nd1_syscall.uname.return!, nd2_syscall.uname.return!, tp_syscall.uname.return
  { }

probe nd1_syscall.uname.return = kprobe.function("sys_uname").return ?,
                                 kprobe.function("sys_olduname").return ?,
                                 kprobe.function("sys32_olduname").return ?,
                                 kprobe.function("sys32_uname").return ?,
                                 kprobe.function("sys_newuname").return ?
{
	@_SYSCALL_UNAME_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 4.17+ */
probe nd2_syscall.uname.return =
	kprobe.function(@arch_syscall_prefix "sys_uname").return ?,
	kprobe.function(@arch_syscall_prefix "sys_olduname").return ?,
	kprobe.function(@arch_syscall_prefix "sys_newuname").return ?
{
	@_SYSCALL_UNAME_NAME
	@SYSC_RETVALSTR(returnval())
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.uname.return = __tp_syscall.uname.return,
                                __tp_syscall.olduname.return,
				__tp_syscall.newuname.return
{
	__set_syscall_pt_regs($regs)
	@_SYSCALL_UNAME_NAME
	@SYSC_RETVALSTR($ret)
}
probe __tp_syscall.uname.return = kernel.trace("sys_exit")
{
	@__syscall_compat_gate(@const("__NR_olduname"), @const("__NR_compat_olduname"))
}
probe __tp_syscall.olduname.return = kernel.trace("sys_exit")
{
	@__syscall_compat_gate(@const("__NR_oldolduname"), @const("__NR_compat_oldolduname"))
}
probe __tp_syscall.newuname.return = kernel.trace("sys_exit")
{
	@__syscall_compat_gate(@const("__NR_uname"), @const("__NR_compat_uname"))
}