File: sysc_execve.stp

%( kernel_v < "3.7" %?
# execve _____________________________________________________
#
# In kernels < 3.7, sys_execve() was in arch-specific code (and had
# varying arguments). It was just a wrapper around generic
# do_execve(), but the wrapper could error out before calling
# do_execve(). So, we'll have to handle it in arch-specific tapset
# code to catch all calls.
#
# The following kernel commit (first appearing in 2.6.32):
#
#   commit 3e86a8c617413e344143839c514e9b0c1713065c
#   Author: Heiko Carstens <heiko.carstens@de.ibm.com>
#   Date:   Tue Sep 22 22:58:42 2009 +0200
#
#       [S390] Convert sys_execve to function with parameters.
#
#       Use function parameters instead of accessing the pt_regs structure
#       to get the parameters.
#
# Changed the function from:
#
#   asmlinkage long sys_execve(struct pt_regs regs)
#
# To:
#
#   SYSCALL_DEFINE3(execve, char __user *, name, char __user * __user *, argv,
#		char __user * __user *, envp)

# Sets the 'name' variable every execve-family probe below reports.
# The compat probes reuse this macro too, so they also report "execve".
@define _SYSCALL_EXECVE_NAME %( name = "execve" %)

# Builds 'argstr' from the filename, argv and envp strings the calling
# probe has already set.  The environment is included verbatim, so
# consumers that log argstr should expect it to carry whatever the
# process passed (environment variables can hold credentials).
@define _SYSCALL_EXECVE_ARGSTR %( argstr = sprintf("%s, %s, %s", filename, args, env_str) %)

# Prefer the DWARF-based probe; fall back to the kprobe-based one.
probe syscall.execve = dw_syscall.execve !,
                       nd_syscall.execve
{
}
# Return side of the alias above, same DWARF-first preference.
probe syscall.execve.return = dw_syscall.execve.return !,
                              nd_syscall.execve.return
{
}

# dw_execve _____________________________________________________

probe dw_syscall.execve = kernel.function("sys_execve").call
{
	@_SYSCALL_EXECVE_NAME
%( kernel_v < "2.6.32" %?
	# Pre-2.6.32 sys_execve() took 'struct pt_regs regs' by value, so the
	# first ulong at the call site is the address of that struct rather
	# than a real parameter; the syscall arguments are dug out of it.
	__pt_regs = &@cast(ulong_arg(1), "pt_regs", "kernel<asm/ptrace.h>")
	filename = user_string_quoted(__pt_regs->orig_gpr2)
	args = __get_argv(__pt_regs->gprs[3], 0)
	env_str = __get_argv(__pt_regs->gprs[4], 0)
%:
	# The first parameter is called 'name' or 'filename' depending on the
	# kernel version; @choose_defined picks whichever the debuginfo has.
	__path_ptr = @choose_defined($name, $filename)
	filename = user_string_quoted(__path_ptr)
	args = __get_argv($argv, 0)
	env_str = __get_argv($envp, 0)
%)
	# NOTE(review): filename/args/env_str are copied from user memory when
	# the probe fires; another thread of the caller could change them
	# before the kernel reads them, so treat the values as best-effort
	# rather than authoritative when building detections on them.
	@_SYSCALL_EXECVE_ARGSTR
}
probe dw_syscall.execve.return = kernel.function("sys_execve").return
{
	# Same value the _SYSCALL_EXECVE_NAME macro sets, spelled out here.
	name = "execve"
	@SYSC_RETVALSTR($return)
}

# nd_execve _____________________________________________________

probe nd_syscall.execve = kprobe.function("sys_execve")
{
	# NOTE(review): nd_syscall.compat_execve below calls asmlinkage()
	# before reading its arguments and this probe does not; presumably
	# harmless on this arch, but the two should agree - confirm against
	# the arch's registers.stp.
	@_SYSCALL_EXECVE_NAME
%( kernel_v < "2.6.32" %?
	# 'struct pt_regs' is passed by value, so argument 1 is its address
	# (see dw_syscall.execve for the same quirk).
	__pt_regs = &@cast(ulong_arg(1), "pt_regs", "kernel<asm/ptrace.h>")
	filename = user_string_quoted(__pt_regs->orig_gpr2)
	args = __get_argv(__pt_regs->gprs[3], 0)
	env_str = __get_argv(__pt_regs->gprs[4], 0)
%:
	# No debuginfo here, so the three pointer arguments are fetched by
	# position.
	__path_ptr = pointer_arg(1)
	__argv_ptr = pointer_arg(2)
	__envp_ptr = pointer_arg(3)
	filename = user_string_quoted(__path_ptr)
	args = __get_argv(__argv_ptr, 0)
	env_str = __get_argv(__envp_ptr, 0)
%)
	@_SYSCALL_EXECVE_ARGSTR
}
probe nd_syscall.execve.return = kprobe.function("sys_execve").return
{
	# Same value the _SYSCALL_EXECVE_NAME macro sets, spelled out here.
	name = "execve"
	@SYSC_RETVALSTR(returnval())
}

# execve _____________________________________________________
#
#   asmlinkage long sys32_execve(struct pt_regs regs)
#   asmlinkage long sys32_execve(char __user *name, compat_uptr_t __user *argv,
#			     compat_uptr_t __user *envp)

# DWARF probe preferred; the kprobe fallback is marked optional
# (presumably because sys32_execve is absent on kernels without compat
# support).
probe syscall.compat_execve = dw_syscall.compat_execve !,
                              nd_syscall.compat_execve ?
{
}
# Return side of the compat alias above, same optional fallback.
probe syscall.compat_execve.return = dw_syscall.compat_execve.return !,
                                     nd_syscall.compat_execve.return ?
{
}

# dw_compat_execve _____________________________________________________

probe dw_syscall.compat_execve = kernel.function("sys32_execve").call ?
{
	@_SYSCALL_EXECVE_NAME
%( kernel_v < "2.6.32" %?
	# Same by-value 'struct pt_regs' quirk as sys_execve().  The top bit
	# of each 31-bit compat pointer is masked off before it is used
	# (presumably the s390 addressing-mode bit - confirm against
	# asm/compat.h).
	__pt_regs = &@cast(ulong_arg(1), "pt_regs", "kernel<asm/ptrace.h>")
	filename = user_string_quoted(__pt_regs->orig_gpr2 & 0x7fffffff)
	args = __get_compat_argv(__pt_regs->gprs[3] & 0x7fffffff, 0)
	env_str = __get_compat_argv(__pt_regs->gprs[4] & 0x7fffffff, 0)
%:
	# 'name' vs 'filename' depends on kernel version; take whichever the
	# debuginfo defines.  No masking is applied on this path.
	__path_ptr = @choose_defined($name, $filename)
	filename = user_string_quoted(__path_ptr)
	args = __get_compat_argv($argv, 0)
	env_str = __get_compat_argv($envp, 0)
%)
	@_SYSCALL_EXECVE_ARGSTR
}
probe dw_syscall.compat_execve.return = kernel.function("sys32_execve").return ?
{
	# Reports "execve" (not "compat_execve"), matching the entry probe.
	name = "execve"
	@SYSC_RETVALSTR($return)
}

# nd_compat_execve _____________________________________________________

probe nd_syscall.compat_execve = kprobe.function("sys32_execve") ?
{
	asmlinkage()
	@_SYSCALL_EXECVE_NAME
%( kernel_v < "2.6.32" %?
	# By-value 'struct pt_regs': argument 1 is its address.  Compat
	# pointers have their top bit cleared before use (presumably the
	# 31-bit addressing-mode bit - confirm).
	__pt_regs = &@cast(ulong_arg(1), "pt_regs", "kernel<asm/ptrace.h>")
	filename = user_string_quoted(__pt_regs->orig_gpr2 & 0x7fffffff)
	args = __get_compat_argv(__pt_regs->gprs[3] & 0x7fffffff, 0)
	env_str = __get_compat_argv(__pt_regs->gprs[4] & 0x7fffffff, 0)
%:
	# Positional pointer arguments; no masking is applied on this path.
	__path_ptr = pointer_arg(1)
	__argv_ptr = pointer_arg(2)
	__envp_ptr = pointer_arg(3)
	filename = user_string_quoted(__path_ptr)
	args = __get_compat_argv(__argv_ptr, 0)
	env_str = __get_compat_argv(__envp_ptr, 0)
%)
	@_SYSCALL_EXECVE_ARGSTR
}
probe nd_syscall.compat_execve.return = kprobe.function("sys32_execve").return ?
{
	# Reports "execve" (not "compat_execve"), matching the entry probe.
	name = "execve"
	@SYSC_RETVALSTR(returnval())
}
%)