관리-도구

편집 파일: sysc_utimes.stp

# utimes _____________________________________________________
#
# long sys_utimes(char __user * filename, struct timeval __user * utimes)
#

@define _SYSCALL_UTIMES_NAME
%(
	name = "utimes"
%)

@define _SYSCALL_UTIMES_ARGSTR
%(
	argstr = sprintf("%s, %s", filename, tvp_uaddr_str) 
%)

@define _SYSCALL_UTIMES_REGARGS
%(
	filename_uaddr = pointer_arg(1)
	filename = user_string_quoted(filename_uaddr)
	tvp_uaddr = pointer_arg(2)
	tvp_uaddr_str = _struct_timeval_u(tvp_uaddr, 2)
%)

@define _SYSCALL_COMPAT_SYS_UTIMES_REGARGS
%(
	filename = user_string_quoted(pointer_arg(1))
	timeval = pointer_arg(2)
	tvp_uaddr_str = _struct_compat_timeval_u(timeval, 2)
%)

probe syscall.utimes = dw_syscall.utimes !, nd_syscall.utimes ? {}
probe syscall.utimes.return = dw_syscall.utimes.return !,
                              nd_syscall.utimes.return ? {}

# dw_utimes _____________________________________________________

probe dw_syscall.utimes = kernel.function("sys_utimes").call
{
	@_SYSCALL_UTIMES_NAME
	filename_uaddr = $filename
	filename = user_string_quoted($filename)
	tvp_uaddr = $utimes
	tvp_uaddr_str = _struct_timeval_u(tvp_uaddr, 2)
	@_SYSCALL_UTIMES_ARGSTR
}
probe dw_syscall.utimes.return = kernel.function("sys_utimes").return
{
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR($return)
}

# nd_utimes _____________________________________________________

probe nd_syscall.utimes = nd1_syscall.utimes!, nd2_syscall.utimes!, tp_syscall.utimes
  { }

probe nd1_syscall.utimes = kprobe.function("sys_utimes") ?
{
	@_SYSCALL_UTIMES_NAME
	asmlinkage()
	@_SYSCALL_UTIMES_REGARGS
	@_SYSCALL_UTIMES_ARGSTR
}

/* kernel 4.17+ */
probe nd2_syscall.utimes = kprobe.function(@arch_syscall_prefix "sys_utimes") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_UTIMES_NAME
	@_SYSCALL_UTIMES_REGARGS
	@_SYSCALL_UTIMES_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.utimes = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_gate(@const("__NR_utimes"))
	@_SYSCALL_UTIMES_NAME
	@_SYSCALL_UTIMES_REGARGS
	@_SYSCALL_UTIMES_ARGSTR
}

probe nd_syscall.utimes.return = nd1_syscall.utimes.return!, nd2_syscall.utimes.return!, tp_syscall.utimes.return
  { }
  
probe nd1_syscall.utimes.return = kprobe.function("sys_utimes").return ?
{
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 4.17+ */
probe nd2_syscall.utimes.return = kprobe.function(@arch_syscall_prefix "sys_utimes").return ?
{
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR(returnval())
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.utimes.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__syscall_gate(@const("__NR_utimes"))
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR($ret)
}

# compat_sys_utimes ________________________________________
#
# long compat_sys_utimes(char __user *filename, struct compat_timeval __user *t)
#

probe syscall.compat_sys_utimes = dw_syscall.compat_sys_utimes !,
                                  nd_syscall.compat_sys_utimes ? {}
probe syscall.compat_sys_utimes.return = dw_syscall.compat_sys_utimes.return !,
                                         nd_syscall.compat_sys_utimes.return ? {}

# dw_compat_sys_utimes _____________________________________________________

probe dw_syscall.compat_sys_utimes = kernel.function("compat_sys_utimes").call ?
{
	@_SYSCALL_UTIMES_NAME
	filename = user_string_quoted(@__pointer($filename))
	timeval = @__pointer($t)
	tvp_uaddr_str = _struct_compat_timeval_u(timeval, 2)
	@_SYSCALL_UTIMES_ARGSTR
}
probe dw_syscall.compat_sys_utimes.return = kernel.function("compat_sys_utimes").return ?
{
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR($return)
}

# nd_compat_sys_utimes _____________________________________________________

probe nd_syscall.compat_sys_utimes = nd1_syscall.compat_sys_utimes!, nd2_syscall.compat_sys_utimes!, tp_syscall.compat_sys_utimes
  { }

probe nd1_syscall.compat_sys_utimes = kprobe.function("compat_sys_utimes") ?
{
	@_SYSCALL_UTIMES_NAME
	asmlinkage()
	@_SYSCALL_COMPAT_SYS_UTIMES_REGARGS
	@_SYSCALL_UTIMES_ARGSTR
}

/* kernel 4.17+ */
probe nd2_syscall.compat_sys_utimes = kprobe.function(@arch_syscall_prefix "compat_sys_utimes") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_UTIMES_NAME
	@_SYSCALL_COMPAT_SYS_UTIMES_REGARGS
	@_SYSCALL_UTIMES_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.compat_sys_utimes = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__compat_syscall_gate(@const("__NR_compat_utimes"))
	@_SYSCALL_UTIMES_NAME
	@_SYSCALL_COMPAT_SYS_UTIMES_REGARGS
	@_SYSCALL_UTIMES_ARGSTR
}

probe nd_syscall.compat_sys_utimes.return = nd1_syscall.compat_sys_utimes.return!, nd2_syscall.compat_sys_utimes.return!, tp_syscall.compat_sys_utimes.return
  { }
  
probe nd1_syscall.compat_sys_utimes.return = kprobe.function("compat_sys_utimes").return ?
{
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 4.17+ */
probe nd2_syscall.compat_sys_utimes.return = kprobe.function(@arch_syscall_prefix "compat_sys_utimes").return ?
{
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR(returnval())
}
 
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.compat_sys_utimes.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__compat_syscall_gate(@const("__NR_compat_utimes"))
	@_SYSCALL_UTIMES_NAME
	@SYSC_RETVALSTR($ret)
}