Server : Apache System : Linux server2.corals.io 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Mon Nov 15 09:17:08 EST 2021 x86_64 User : corals ( 1002) PHP Version : 7.4.33 Disable Function : exec,passthru,shell_exec,system Directory : /opt/rh/gcc-toolset-11/root/usr/share/systemtap/tapset/linux/ |
# personality ________________________________________________
#
# asmlinkage long
# sys_personality(unsigned int personality)
# personality type changed from ulong to uint32 in upstream commit 485d5276
# (v2.6.35-rc2~25). But rhel6 distribution kernel has the backport in 2.6.32.
#
@define _SYSCALL_PERSONALITY_NAME
%(
name = "personality"
%)
@define _SYSCALL_PERSONALITY_ARGSTR
%(
argstr = sprintf("%#x", persona);
%)
@define _SYSCALL_PERSONALITY_REGARGS
%(
persona = uint_arg(1)
%)
@define _SYSCALL_PERSONALITY_REGARGS_STORE
%(
if (@probewrite(persona))
set_uint_arg(1, persona)
%)
probe syscall.personality = dw_syscall.personality !, nd_syscall.personality ? {}
probe syscall.personality.return = dw_syscall.personality.return !,
nd_syscall.personality.return ? {}
# dw_personality _____________________________________________________
probe dw_syscall.personality = kernel.function("sys_personality").call
{
@_SYSCALL_PERSONALITY_NAME
persona = __uint32($personality)
@_SYSCALL_PERSONALITY_ARGSTR
}
probe dw_syscall.personality.return = kernel.function("sys_personality").return
{
@_SYSCALL_PERSONALITY_NAME
@SYSC_RETVALSTR($return)
}
# nd_personality _____________________________________________________
probe nd_syscall.personality = nd1_syscall.personality!, nd2_syscall.personality!, tp_syscall.personality
{ }
probe nd1_syscall.personality = kprobe.function("sys_personality") ?
{
@_SYSCALL_PERSONALITY_NAME
asmlinkage()
@_SYSCALL_PERSONALITY_REGARGS
@_SYSCALL_PERSONALITY_ARGSTR
}
/* kernel 4.17+ */
probe nd2_syscall.personality = kprobe.function(@arch_syscall_prefix "sys_personality") ?
{
__set_syscall_pt_regs(pointer_arg(1))
@_SYSCALL_PERSONALITY_NAME
@_SYSCALL_PERSONALITY_REGARGS
@_SYSCALL_PERSONALITY_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_PERSONALITY_REGARGS_STORE %)
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.personality = kernel.trace("sys_enter")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR_personality"), @const("__NR_compat_personality"))
@_SYSCALL_PERSONALITY_NAME
@_SYSCALL_PERSONALITY_REGARGS
@_SYSCALL_PERSONALITY_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_PERSONALITY_REGARGS_STORE %)
}
probe nd_syscall.personality.return = nd1_syscall.personality.return!, nd2_syscall.personality.return!, tp_syscall.personality.return
{ }
probe nd1_syscall.personality.return = kprobe.function("sys_personality").return ?
{
@_SYSCALL_PERSONALITY_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 4.17+ */
probe nd2_syscall.personality.return = kprobe.function(@arch_syscall_prefix "sys_personality").return ?
{
@_SYSCALL_PERSONALITY_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.personality.return = kernel.trace("sys_exit")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR_personality"), @const("__NR_compat_personality"))
@_SYSCALL_PERSONALITY_NAME
@SYSC_RETVALSTR($ret)
}