1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
# sysfs ______________________________________________________
#
# asmlinkage long
# sys_sysfs(int option,
# unsigned long arg1,
# unsigned long arg2)
#
probe syscall.sysfs = dw_syscall.sysfs !, nd_syscall.sysfs ? {}
probe syscall.sysfs.return = dw_syscall.sysfs.return !, nd_syscall.sysfs.return ? {}
@define _SYSCALL_SYSFS_REGARGS_STORE
%(
if (@probewrite(option))
set_int_arg(1, option)
if (@probewrite(arg1))
set_ulong_arg(2, arg1)
if (@probewrite(arg2))
set_ulong_arg(3, arg2)
%)
# dw_sysfs _____________________________________________________
probe dw_syscall.sysfs = kernel.function("sys_sysfs").call
{
name = "sysfs"
option = __int32($option)
arg1 = $arg1
arg2 = $arg2
if (option == 1)
argstr = sprintf("%d, %s", __int32($option),
user_string_quoted($arg1))
else if (option == 2)
argstr = sprintf("%d, %d, %p", __int32($option), $arg1, $arg2)
else if (option == 3)
argstr = sprintf("%d", __int32($option))
else
argstr = sprintf("%d, 0x%x, 0x%x", __int32($option), $arg1,
$arg2)
}
probe dw_syscall.sysfs.return = kernel.function("sys_sysfs").return
{
name = "sysfs"
@SYSC_RETVALSTR($return)
}
# nd_sysfs _____________________________________________________
probe nd_syscall.sysfs = nd1_syscall.sysfs!, nd2_syscall.sysfs!, tp_syscall.sysfs
{ }
probe nd1_syscall.sysfs = kprobe.function("sys_sysfs") ?
{
name = "sysfs"
asmlinkage()
option = int_arg(1)
arg1 = ulong_arg(2)
arg2 = ulong_arg(3)
if (option == 1)
argstr = sprintf("%d, %s", option, user_string_quoted(arg1))
else if (option == 2)
argstr = sprintf("%d, %d, %p", option, arg1, arg2)
else if (option == 3)
argstr = sprintf("%d", option)
else
argstr = sprintf("%d, 0x%x, 0x%x", option, arg1, arg2)
}
/* kernel 4.17+ */
probe nd2_syscall.sysfs = kprobe.function(@arch_syscall_prefix "sys_sysfs") ?
{
__set_syscall_pt_regs(pointer_arg(1))
name = "sysfs"
option = int_arg(1)
arg1 = ulong_arg(2)
arg2 = ulong_arg(3)
if (option == 1)
argstr = sprintf("%d, %s", option, user_string_quoted(arg1))
else if (option == 2)
argstr = sprintf("%d, %d, %p", option, arg1, arg2)
else if (option == 3)
argstr = sprintf("%d", option)
else
argstr = sprintf("%d, 0x%x, 0x%x", option, arg1, arg2)
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_SYSFS_REGARGS_STORE %)
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.sysfs = kernel.trace("sys_enter")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR_sysfs"), @const("__NR_compat_sysfs"))
name = "sysfs"
option = int_arg(1)
arg1 = ulong_arg(2)
arg2 = ulong_arg(3)
if (option == 1)
argstr = sprintf("%d, %s", option, user_string_quoted(arg1))
else if (option == 2)
argstr = sprintf("%d, %d, %p", option, arg1, arg2)
else if (option == 3)
argstr = sprintf("%d", option)
else
argstr = sprintf("%d, 0x%x, 0x%x", option, arg1, arg2)
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_SYSFS_REGARGS_STORE %)
}
probe nd_syscall.sysfs.return = nd1_syscall.sysfs.return!, nd2_syscall.sysfs.return!, tp_syscall.sysfs.return
{ }
probe nd1_syscall.sysfs.return = kprobe.function("sys_sysfs").return ?
{
name = "sysfs"
@SYSC_RETVALSTR(returnval())
}
/* kernel 4.17+ */
probe nd2_syscall.sysfs.return = kprobe.function(@arch_syscall_prefix "sys_sysfs").return ?
{
name = "sysfs"
@SYSC_RETVALSTR(returnval())
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.sysfs.return = kernel.trace("sys_exit")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR_sysfs"), @const("__NR_compat_sysfs"))
name = "sysfs"
@SYSC_RETVALSTR($ret)
}
|
