Created
February 24, 2017 18:20
-
-
Save vitalyvch/c1315b2261912da171c2ea729dc37a39 to your computer and use it in GitHub Desktop.
ErrLog-4.4-1.txt
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| INFO:check_bpf_jit_status: ENABLED. | |
| >>>>> Generated eBPF code <<<<< | |
| /* | |
| * Copyright 2016-2017, Intel Corporation | |
| * | |
| * Redistribution and use in source and binary forms, with or without | |
| * modification, are permitted provided that the following conditions | |
| * are met: | |
| * | |
| * * Redistributions of source code must retain the above copyright | |
| * notice, this list of conditions and the following disclaimer. | |
| * | |
| * * Redistributions in binary form must reproduce the above copyright | |
| * notice, this list of conditions and the following disclaimer in | |
| * the documentation and/or other materials provided with the | |
| * distribution. | |
| * | |
| * * Neither the name of the copyright holder nor the names of its | |
| * contributors may be used to endorse or promote products derived | |
| * from this software without specific prior written permission. | |
| * | |
| * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |
| * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |
| * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | |
| * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | |
| * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
| * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | |
| * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
| * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
| * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
| * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
| * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
| */ | |
| /* | |
| * trace_head.c -- The head for generated eBPF code. Uses BCC, eBPF. | |
| */ | |
| #include <uapi/linux/ptrace.h> | |
| #include <uapi/linux/limits.h> | |
| #include <linux/sched.h> | |
| /* | |
| * trace.h -- Data exchange packet between packet filter and reader callback | |
| */ | |
| #ifndef TRACE_H | |
| #define TRACE_H | |
| /* | |
| * The longest syscall's name is equal to 26 characters: | |
| * 'SyS_sched_get_priority_max'. | |
| * Let's to add a space for '\0' and few extra bytes. | |
| */ | |
| enum { E_SC_NAME_SIZE = 32 }; | |
| struct ev_dt_t { | |
| /* | |
| * This fild is set for glibc-defined syscalls and describe | |
| * a series of packets for every syscall. | |
| * | |
| * It is needed because we are limited with stack size of | |
| * 512 bytes and used part of stack is initilaized with zeros | |
| * on every call of syscall handlers. | |
| * | |
| * the value equals to 0 means that this is "single-packet" syscall | |
| * and there will be no additional packets sent. | |
| * the value bigger than 0 means that this is a first packet and there | |
| * will be sent 'packet_type' more additional packets. | |
| * the value less than 0 means that this is additional packet with | |
| * serial number 'packet_type'. | |
| * | |
| * Content of additional packets is defined by syscall number in | |
| * first packet. There are no additional packets for "sc_id == -2" | |
| */ | |
| s64 packet_type; | |
| /* | |
| * Syscall's signature. All packets with same signature belongs to same | |
| * call of same syscall. We need two timestamps here, because we | |
| * can get nesting of syscalls from same pid_tid by calling syscall | |
| * from signal handler, before syscall called from main context has | |
| * returned. | |
| * | |
| * XXX By the fact sc_id is not neaded here, but its presence simplifies | |
| * a lot of processing, so let's keep it here. | |
| */ | |
| struct { | |
| u64 pid_tid; | |
| /* Timestamps */ | |
| u64 start_ts_nsec; | |
| u64 finish_ts_nsec; | |
| /* | |
| * the value equals to -1 means "header" | |
| * | |
| * the value equals to -2 means that syscall's num is | |
| * unknown for glibc and the field sc_name should be | |
| * used to figuring out syscall. | |
| */ | |
| s64 sc_id; | |
| }; | |
| union { | |
| /* Body of first packet */ | |
| struct { | |
| s64 ret; | |
| s64 arg_1; | |
| s64 arg_2; | |
| s64 arg_3; | |
| s64 arg_4; | |
| s64 arg_5; | |
| s64 arg_6; | |
| union { | |
| /* should be last in this structure */ | |
| char sc_name[E_SC_NAME_SIZE]; | |
| /* | |
| * Body of string argument. The content and | |
| * meaning of argument is defined by | |
| * syscall's number in the sc_id field. | |
| */ | |
| char aux_str[1]; /* NAME_MAX */ | |
| }; | |
| }; | |
| /* Body of header */ | |
| struct { | |
| s64 argc; | |
| char argv[]; | |
| } header; | |
| /* | |
| * Body of string argument. The content and meaning of argument | |
| * is defined by syscall's number (in the first packet) in | |
| * the sc_id field. | |
| */ | |
| char str[1]; /* NAME_MAX */ | |
| }; | |
| }; | |
| #endif /* TRACE_H */ | |
| struct first_step_t { | |
| s64 arg_1; | |
| s64 arg_2; | |
| s64 arg_3; | |
| s64 arg_4; | |
| s64 arg_5; | |
| s64 arg_6; | |
| u64 start_ts_nsec; | |
| }; | |
| /* The set of our children_pid */ | |
| BPF_HASH(children_map, u64, u64); | |
| BPF_HASH(tmp_i, u64, struct first_step_t); | |
| BPF_PERF_OUTPUT(events); | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_read -- SyS_read() entry handler | |
| */ | |
| int | |
| kprobe__SyS_read(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_read -- SyS_read() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_read(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_read; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_write -- SyS_write() entry handler | |
| */ | |
| int | |
| kprobe__SyS_write(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_write -- SyS_write() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_write(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_write; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_open -- SyS_open() entry handler | |
| */ | |
| int | |
| kprobe__SyS_open(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_open -- SyS_open() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_open(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_open; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_close -- SyS_close() entry handler | |
| */ | |
| int | |
| kprobe__SyS_close(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_close -- SyS_close() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_close(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_close; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_newstat -- SyS_newstat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_newstat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_newstat -- SyS_newstat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_newstat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_stat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_newfstat -- SyS_newfstat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_newfstat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_newfstat -- SyS_newfstat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_newfstat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fstat; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_newlstat -- SyS_newlstat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_newlstat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_newlstat -- SyS_newlstat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_newlstat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_lstat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_poll -- SyS_poll() entry handler | |
| */ | |
| int | |
| kprobe__SyS_poll(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_poll -- SyS_poll() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_poll(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_poll; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_lseek -- SyS_lseek() entry handler | |
| */ | |
| int | |
| kprobe__SyS_lseek(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_lseek -- SyS_lseek() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_lseek(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_lseek; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mmap -- SyS_mmap() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mmap(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mmap -- SyS_mmap() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mmap(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mmap; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mprotect -- SyS_mprotect() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mprotect(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mprotect -- SyS_mprotect() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mprotect(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mprotect; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_munmap -- SyS_munmap() entry handler | |
| */ | |
| int | |
| kprobe__SyS_munmap(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_munmap -- SyS_munmap() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_munmap(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_munmap; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_brk -- SyS_brk() entry handler | |
| */ | |
| int | |
| kprobe__SyS_brk(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_brk -- SyS_brk() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_brk(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_brk; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_sigaction -- SyS_rt_sigaction() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_sigaction(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_sigaction -- SyS_rt_sigaction() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_sigaction(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigaction; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_sigprocmask -- SyS_rt_sigprocmask() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_sigprocmask(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_sigprocmask -- SyS_rt_sigprocmask() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_sigprocmask(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigprocmask; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_rt_sigreturn -- sys_rt_sigreturn() entry handler | |
| */ | |
| int | |
| kprobe__sys_rt_sigreturn(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_rt_sigreturn -- sys_rt_sigreturn() exit handler | |
| */ | |
| int | |
| kretprobe__sys_rt_sigreturn(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigreturn; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ioctl -- SyS_ioctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ioctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ioctl -- SyS_ioctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ioctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ioctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pread64 -- SyS_pread64() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pread64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pread64 -- SyS_pread64() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pread64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pread64; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pwrite64 -- SyS_pwrite64() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pwrite64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pwrite64 -- SyS_pwrite64() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pwrite64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pwrite64; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_readv -- SyS_readv() entry handler | |
| */ | |
| int | |
| kprobe__SyS_readv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_readv -- SyS_readv() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_readv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_readv; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_writev -- SyS_writev() entry handler | |
| */ | |
| int | |
| kprobe__SyS_writev(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_writev -- SyS_writev() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_writev(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_writev; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_access -- SyS_access() entry handler | |
| */ | |
| int | |
| kprobe__SyS_access(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_access -- SyS_access() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_access(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_access; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pipe -- SyS_pipe() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pipe(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pipe -- SyS_pipe() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pipe(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pipe; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_select -- SyS_select() entry handler | |
| */ | |
| int | |
| kprobe__SyS_select(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_select -- SyS_select() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_select(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_select; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_sched_yield -- sys_sched_yield() entry handler | |
| */ | |
| int | |
| kprobe__sys_sched_yield(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_sched_yield -- sys_sched_yield() exit handler | |
| */ | |
| int | |
| kretprobe__sys_sched_yield(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_yield; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mremap -- SyS_mremap() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mremap(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mremap -- SyS_mremap() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mremap(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mremap; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_msync -- SyS_msync() entry handler | |
| */ | |
| int | |
| kprobe__SyS_msync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_msync -- SyS_msync() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_msync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_msync; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mincore -- SyS_mincore() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mincore(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mincore -- SyS_mincore() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mincore(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mincore; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_madvise -- SyS_madvise() entry handler | |
| */ | |
| int | |
| kprobe__SyS_madvise(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_madvise -- SyS_madvise() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_madvise(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_madvise; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_shmget -- SyS_shmget() entry handler | |
| */ | |
| int | |
| kprobe__SyS_shmget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_shmget -- SyS_shmget() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_shmget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_shmget; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_shmat -- SyS_shmat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_shmat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_shmat -- SyS_shmat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_shmat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_shmat; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_shmctl -- SyS_shmctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_shmctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_shmctl -- SyS_shmctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_shmctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_shmctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_dup -- SyS_dup() entry handler | |
| */ | |
| int | |
| kprobe__SyS_dup(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_dup -- SyS_dup() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_dup(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_dup; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_dup2 -- SyS_dup2() entry handler | |
| */ | |
| int | |
| kprobe__SyS_dup2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_dup2 -- SyS_dup2() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_dup2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_dup2; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_pause -- sys_pause() entry handler | |
| */ | |
| int | |
| kprobe__sys_pause(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_pause -- sys_pause() exit handler | |
| */ | |
| int | |
| kretprobe__sys_pause(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pause; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_nanosleep -- SyS_nanosleep() entry handler | |
| */ | |
| int | |
| kprobe__SyS_nanosleep(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_nanosleep -- SyS_nanosleep() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_nanosleep(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_nanosleep; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getitimer -- SyS_getitimer() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getitimer(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getitimer -- SyS_getitimer() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getitimer(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getitimer; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_alarm -- SyS_alarm() entry handler | |
| */ | |
| int | |
| kprobe__SyS_alarm(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_alarm -- SyS_alarm() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_alarm(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_alarm; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setitimer -- SyS_setitimer() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setitimer(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setitimer -- SyS_setitimer() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setitimer(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setitimer; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_getpid -- sys_getpid() entry handler | |
| */ | |
| int | |
| kprobe__sys_getpid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_getpid -- sys_getpid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_getpid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getpid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sendfile -- SyS_sendfile() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sendfile(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sendfile -- SyS_sendfile() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sendfile(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sendfile; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_socket -- SyS_socket() entry handler | |
| */ | |
| int | |
| kprobe__SyS_socket(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_socket -- SyS_socket() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_socket(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_socket; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_connect -- SyS_connect() entry handler | |
| */ | |
| int | |
| kprobe__SyS_connect(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_connect -- SyS_connect() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_connect(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_connect; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_accept -- SyS_accept() entry handler | |
| */ | |
| int | |
| kprobe__SyS_accept(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_accept -- SyS_accept() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_accept(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_accept; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sendto -- SyS_sendto() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sendto(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sendto -- SyS_sendto() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sendto(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sendto; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_recvfrom -- SyS_recvfrom() entry handler | |
| */ | |
| int | |
| kprobe__SyS_recvfrom(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_recvfrom -- SyS_recvfrom() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_recvfrom(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_recvfrom; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sendmsg -- SyS_sendmsg() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sendmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sendmsg -- SyS_sendmsg() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sendmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sendmsg; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_recvmsg -- SyS_recvmsg() entry handler | |
| */ | |
| int | |
| kprobe__SyS_recvmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_recvmsg -- SyS_recvmsg() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_recvmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_recvmsg; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_shutdown -- SyS_shutdown() entry handler | |
| */ | |
| int | |
| kprobe__SyS_shutdown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_shutdown -- SyS_shutdown() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_shutdown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_shutdown; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_bind -- SyS_bind() entry handler | |
| */ | |
| int | |
| kprobe__SyS_bind(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_bind -- SyS_bind() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_bind(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_bind; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_listen -- SyS_listen() entry handler | |
| */ | |
| int | |
| kprobe__SyS_listen(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_listen -- SyS_listen() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_listen(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_listen; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getsockname -- SyS_getsockname() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getsockname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getsockname -- SyS_getsockname() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getsockname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getsockname; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getpeername -- SyS_getpeername() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getpeername(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getpeername -- SyS_getpeername() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getpeername(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getpeername; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_socketpair -- SyS_socketpair() entry handler | |
| */ | |
| int | |
| kprobe__SyS_socketpair(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_socketpair -- SyS_socketpair() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_socketpair(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_socketpair; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setsockopt -- SyS_setsockopt() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setsockopt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setsockopt -- SyS_setsockopt() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setsockopt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setsockopt; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getsockopt -- SyS_getsockopt() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getsockopt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getsockopt -- SyS_getsockopt() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getsockopt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getsockopt; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_clone -- SyS_clone() entry handler | |
| */ | |
| int | |
| kprobe__SyS_clone(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_clone -- SyS_clone() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_clone(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_clone; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_fork -- sys_fork() entry handler | |
| */ | |
| int | |
| kprobe__sys_fork(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_fork -- sys_fork() exit handler | |
| */ | |
| int | |
| kretprobe__sys_fork(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fork; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_vfork -- sys_vfork() entry handler | |
| */ | |
| int | |
| kprobe__sys_vfork(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_vfork -- sys_vfork() exit handler | |
| */ | |
| int | |
| kretprobe__sys_vfork(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_vfork; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_execve -- SyS_execve() entry handler | |
| */ | |
| int | |
| kprobe__SyS_execve(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_execve -- SyS_execve() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_execve(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_execve; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_exit -- SyS_exit() entry handler | |
| */ | |
| int | |
| kprobe__SyS_exit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_exit -- SyS_exit() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_exit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_exit; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_wait4 -- SyS_wait4() entry handler | |
| */ | |
| int | |
| kprobe__SyS_wait4(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_wait4 -- SyS_wait4() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_wait4(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_wait4; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_kill -- SyS_kill() entry handler | |
| */ | |
| int | |
| kprobe__SyS_kill(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_kill -- SyS_kill() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_kill(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_kill; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_uname -- SyS_uname() entry handler | |
| */ | |
| int | |
| kprobe__SyS_uname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_uname -- SyS_uname() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_uname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_uname; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_semget -- SyS_semget() entry handler | |
| */ | |
| int | |
| kprobe__SyS_semget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_semget -- SyS_semget() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_semget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_semget; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_semop -- SyS_semop() entry handler | |
| */ | |
| int | |
| kprobe__SyS_semop(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_semop -- SyS_semop() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_semop(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_semop; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_semctl -- SyS_semctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_semctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_semctl -- SyS_semctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_semctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_semctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_shmdt -- SyS_shmdt() entry handler | |
| */ | |
| int | |
| kprobe__SyS_shmdt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_shmdt -- SyS_shmdt() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_shmdt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_shmdt; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_msgget -- SyS_msgget() entry handler | |
| */ | |
| int | |
| kprobe__SyS_msgget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_msgget -- SyS_msgget() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_msgget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_msgget; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_msgsnd -- SyS_msgsnd() entry handler | |
| */ | |
| int | |
| kprobe__SyS_msgsnd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_msgsnd -- SyS_msgsnd() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_msgsnd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_msgsnd; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_msgrcv -- SyS_msgrcv() entry handler | |
| */ | |
| int | |
| kprobe__SyS_msgrcv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_msgrcv -- SyS_msgrcv() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_msgrcv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_msgrcv; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_msgctl -- SyS_msgctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_msgctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_msgctl -- SyS_msgctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_msgctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_msgctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fcntl -- SyS_fcntl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fcntl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fcntl -- SyS_fcntl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fcntl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fcntl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_flock -- SyS_flock() entry handler | |
| */ | |
| int | |
| kprobe__SyS_flock(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_flock -- SyS_flock() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_flock(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_flock; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fsync -- SyS_fsync() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fsync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fsync -- SyS_fsync() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fsync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fsync; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fdatasync -- SyS_fdatasync() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fdatasync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fdatasync -- SyS_fdatasync() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fdatasync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fdatasync; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_truncate -- SyS_truncate() entry handler | |
| */ | |
| int | |
| kprobe__SyS_truncate(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_truncate -- SyS_truncate() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_truncate(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_truncate; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ftruncate -- SyS_ftruncate() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ftruncate(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ftruncate -- SyS_ftruncate() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ftruncate(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ftruncate; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getdents -- SyS_getdents() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getdents(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getdents -- SyS_getdents() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getdents(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getdents; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getcwd -- SyS_getcwd() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getcwd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getcwd -- SyS_getcwd() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getcwd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getcwd; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_chdir -- SyS_chdir() entry handler | |
| */ | |
| int | |
| kprobe__SyS_chdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_chdir -- SyS_chdir() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_chdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_chdir; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fchdir -- SyS_fchdir() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fchdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fchdir -- SyS_fchdir() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fchdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fchdir; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_1_2_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rename -- SyS_rename() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rename(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rename -- SyS_rename() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rename(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_rename; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_1); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mkdir -- SyS_mkdir() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mkdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mkdir -- SyS_mkdir() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mkdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mkdir; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rmdir -- SyS_rmdir() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rmdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rmdir -- SyS_rmdir() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rmdir(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_rmdir; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_creat -- SyS_creat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_creat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_creat -- SyS_creat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_creat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_creat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_1_2_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_link -- SyS_link() entry handler | |
| */ | |
| int | |
| kprobe__SyS_link(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_link -- SyS_link() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_link(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_link; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_1); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_unlink -- SyS_unlink() entry handler | |
| */ | |
| int | |
| kprobe__SyS_unlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_unlink -- SyS_unlink() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_unlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_unlink; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_1_2_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_symlink -- SyS_symlink() entry handler | |
| */ | |
| int | |
| kprobe__SyS_symlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_symlink -- SyS_symlink() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_symlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_symlink; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_1); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_readlink -- SyS_readlink() entry handler | |
| */ | |
| int | |
| kprobe__SyS_readlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_readlink -- SyS_readlink() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_readlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_readlink; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_chmod -- SyS_chmod() entry handler | |
| */ | |
| int | |
| kprobe__SyS_chmod(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_chmod -- SyS_chmod() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_chmod(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_chmod; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fchmod -- SyS_fchmod() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fchmod(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fchmod -- SyS_fchmod() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fchmod(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fchmod; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_chown -- SyS_chown() entry handler | |
| */ | |
| int | |
| kprobe__SyS_chown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_chown -- SyS_chown() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_chown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_chown; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fchown -- SyS_fchown() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fchown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fchown -- SyS_fchown() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fchown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fchown; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_lchown -- SyS_lchown() entry handler | |
| */ | |
| int | |
| kprobe__SyS_lchown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_lchown -- SyS_lchown() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_lchown(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_lchown; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_umask -- SyS_umask() entry handler | |
| */ | |
| int | |
| kprobe__SyS_umask(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_umask -- SyS_umask() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_umask(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_umask; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_gettimeofday -- SyS_gettimeofday() entry handler | |
| */ | |
| int | |
| kprobe__SyS_gettimeofday(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_gettimeofday -- SyS_gettimeofday() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_gettimeofday(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_gettimeofday; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getrlimit -- SyS_getrlimit() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getrlimit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getrlimit -- SyS_getrlimit() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getrlimit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getrlimit; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getrusage -- SyS_getrusage() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getrusage(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getrusage -- SyS_getrusage() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getrusage(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getrusage; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sysinfo -- SyS_sysinfo() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sysinfo(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sysinfo -- SyS_sysinfo() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sysinfo(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sysinfo; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_times -- SyS_times() entry handler | |
| */ | |
| int | |
| kprobe__SyS_times(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_times -- SyS_times() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_times(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_times; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ptrace -- SyS_ptrace() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ptrace(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ptrace -- SyS_ptrace() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ptrace(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ptrace; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_getuid -- sys_getuid() entry handler | |
| */ | |
| int | |
| kprobe__sys_getuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_getuid -- sys_getuid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_getuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_syslog -- SyS_syslog() entry handler | |
| */ | |
| int | |
| kprobe__SyS_syslog(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_syslog -- SyS_syslog() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_syslog(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_syslog; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_getgid -- sys_getgid() entry handler | |
| */ | |
| int | |
| kprobe__sys_getgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_getgid -- sys_getgid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_getgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setuid -- SyS_setuid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setuid -- SyS_setuid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setgid -- SyS_setgid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setgid -- SyS_setgid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_geteuid -- sys_geteuid() entry handler | |
| */ | |
| int | |
| kprobe__sys_geteuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_geteuid -- sys_geteuid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_geteuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_geteuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_getegid -- sys_getegid() entry handler | |
| */ | |
| int | |
| kprobe__sys_getegid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_getegid -- sys_getegid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_getegid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getegid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setpgid -- SyS_setpgid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setpgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setpgid -- SyS_setpgid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setpgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setpgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_getppid -- sys_getppid() entry handler | |
| */ | |
| int | |
| kprobe__sys_getppid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_getppid -- sys_getppid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_getppid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getppid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_getpgrp -- sys_getpgrp() entry handler | |
| */ | |
| int | |
| kprobe__sys_getpgrp(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_getpgrp -- sys_getpgrp() exit handler | |
| */ | |
| int | |
| kretprobe__sys_getpgrp(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getpgrp; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_setsid -- sys_setsid() entry handler | |
| */ | |
| int | |
| kprobe__sys_setsid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_setsid -- sys_setsid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_setsid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setsid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setreuid -- SyS_setreuid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setreuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setreuid -- SyS_setreuid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setreuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setreuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setregid -- SyS_setregid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setregid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setregid -- SyS_setregid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setregid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setregid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getgroups -- SyS_getgroups() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getgroups(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getgroups -- SyS_getgroups() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getgroups(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getgroups; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setgroups -- SyS_setgroups() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setgroups(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setgroups -- SyS_setgroups() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setgroups(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setgroups; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setresuid -- SyS_setresuid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setresuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setresuid -- SyS_setresuid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setresuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setresuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getresuid -- SyS_getresuid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getresuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getresuid -- SyS_getresuid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getresuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getresuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setresgid -- SyS_setresgid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setresgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setresgid -- SyS_setresgid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setresgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setresgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getresgid -- SyS_getresgid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getresgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getresgid -- SyS_getresgid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getresgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getresgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getpgid -- SyS_getpgid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getpgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getpgid -- SyS_getpgid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getpgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getpgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setfsuid -- SyS_setfsuid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setfsuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setfsuid -- SyS_setfsuid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setfsuid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setfsuid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setfsgid -- SyS_setfsgid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setfsgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setfsgid -- SyS_setfsgid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setfsgid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setfsgid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getsid -- SyS_getsid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getsid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getsid -- SyS_getsid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getsid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getsid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_capget -- SyS_capget() entry handler | |
| */ | |
| int | |
| kprobe__SyS_capget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_capget -- SyS_capget() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_capget(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_capget; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_capset -- SyS_capset() entry handler | |
| */ | |
| int | |
| kprobe__SyS_capset(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_capset -- SyS_capset() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_capset(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_capset; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_sigpending -- SyS_rt_sigpending() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_sigpending(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_sigpending -- SyS_rt_sigpending() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_sigpending(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigpending; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_sigtimedwait -- SyS_rt_sigtimedwait() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_sigtimedwait(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_sigtimedwait -- SyS_rt_sigtimedwait() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_sigtimedwait(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigtimedwait; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_sigqueueinfo -- SyS_rt_sigqueueinfo() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_sigqueueinfo(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_sigqueueinfo -- SyS_rt_sigqueueinfo() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_sigqueueinfo(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigqueueinfo; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_sigsuspend -- SyS_rt_sigsuspend() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_sigsuspend(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_sigsuspend -- SyS_rt_sigsuspend() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_sigsuspend(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_sigsuspend; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sigaltstack -- SyS_sigaltstack() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sigaltstack(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sigaltstack -- SyS_sigaltstack() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sigaltstack(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sigaltstack; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_utime -- SyS_utime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_utime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_utime -- SyS_utime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_utime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_utime; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mknod -- SyS_mknod() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mknod(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mknod -- SyS_mknod() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mknod(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mknod; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_uselib -- SyS_uselib() entry handler | |
| */ | |
| int | |
| kprobe__SyS_uselib(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_uselib -- SyS_uselib() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_uselib(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_uselib; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_personality -- SyS_personality() entry handler | |
| */ | |
| int | |
| kprobe__SyS_personality(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_personality -- SyS_personality() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_personality(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_personality; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ustat -- SyS_ustat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ustat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ustat -- SyS_ustat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ustat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ustat; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_statfs -- SyS_statfs() entry handler | |
| */ | |
| int | |
| kprobe__SyS_statfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_statfs -- SyS_statfs() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_statfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_statfs; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fstatfs -- SyS_fstatfs() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fstatfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fstatfs -- SyS_fstatfs() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fstatfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fstatfs; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sysfs -- SyS_sysfs() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sysfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sysfs -- SyS_sysfs() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sysfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sysfs; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getpriority -- SyS_getpriority() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getpriority(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getpriority -- SyS_getpriority() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getpriority(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getpriority; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setpriority -- SyS_setpriority() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setpriority(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setpriority -- SyS_setpriority() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setpriority(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setpriority; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_setparam -- SyS_sched_setparam() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_setparam(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_setparam -- SyS_sched_setparam() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_setparam(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_setparam; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_getparam -- SyS_sched_getparam() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_getparam(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_getparam -- SyS_sched_getparam() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_getparam(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_getparam; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_setscheduler -- SyS_sched_setscheduler() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_setscheduler(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_setscheduler -- SyS_sched_setscheduler() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_setscheduler(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_setscheduler; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_getscheduler -- SyS_sched_getscheduler() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_getscheduler(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_getscheduler -- SyS_sched_getscheduler() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_getscheduler(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_getscheduler; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_get_priority_max -- SyS_sched_get_priority_max() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_get_priority_max(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_get_priority_max -- SyS_sched_get_priority_max() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_get_priority_max(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_get_priority_max; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_get_priority_min -- SyS_sched_get_priority_min() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_get_priority_min(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_get_priority_min -- SyS_sched_get_priority_min() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_get_priority_min(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_get_priority_min; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_rr_get_interval -- SyS_sched_rr_get_interval() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_rr_get_interval(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_rr_get_interval -- SyS_sched_rr_get_interval() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_rr_get_interval(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_rr_get_interval; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mlock -- SyS_mlock() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mlock(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mlock -- SyS_mlock() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mlock(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mlock; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_munlock -- SyS_munlock() entry handler | |
| */ | |
| int | |
| kprobe__SyS_munlock(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_munlock -- SyS_munlock() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_munlock(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_munlock; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mlockall -- SyS_mlockall() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mlockall(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mlockall -- SyS_mlockall() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mlockall(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mlockall; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_munlockall -- sys_munlockall() entry handler | |
| */ | |
| int | |
| kprobe__sys_munlockall(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_munlockall -- sys_munlockall() exit handler | |
| */ | |
| int | |
| kretprobe__sys_munlockall(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_munlockall; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_vhangup -- sys_vhangup() entry handler | |
| */ | |
| int | |
| kprobe__sys_vhangup(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_vhangup -- sys_vhangup() exit handler | |
| */ | |
| int | |
| kretprobe__sys_vhangup(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_vhangup; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_modify_ldt -- sys_modify_ldt() entry handler | |
| */ | |
| int | |
| kprobe__sys_modify_ldt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_modify_ldt -- sys_modify_ldt() exit handler | |
| */ | |
| int | |
| kretprobe__sys_modify_ldt(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_modify_ldt; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_1_2_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pivot_root -- SyS_pivot_root() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pivot_root(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pivot_root -- SyS_pivot_root() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pivot_root(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_pivot_root; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_1); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sysctl -- SyS_sysctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sysctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sysctl -- SyS_sysctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sysctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR__sysctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_prctl -- SyS_prctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_prctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_prctl -- SyS_prctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_prctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_prctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_arch_prctl -- sys_arch_prctl() entry handler | |
| */ | |
| int | |
| kprobe__sys_arch_prctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_arch_prctl -- sys_arch_prctl() exit handler | |
| */ | |
| int | |
| kretprobe__sys_arch_prctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_arch_prctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_adjtimex -- SyS_adjtimex() entry handler | |
| */ | |
| int | |
| kprobe__SyS_adjtimex(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_adjtimex -- SyS_adjtimex() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_adjtimex(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_adjtimex; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setrlimit -- SyS_setrlimit() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setrlimit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setrlimit -- SyS_setrlimit() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setrlimit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setrlimit; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_chroot -- SyS_chroot() entry handler | |
| */ | |
| int | |
| kprobe__SyS_chroot(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_chroot -- SyS_chroot() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_chroot(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_chroot; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_sync -- sys_sync() entry handler | |
| */ | |
| int | |
| kprobe__sys_sync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_sync -- sys_sync() exit handler | |
| */ | |
| int | |
| kretprobe__sys_sync(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sync; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_acct -- SyS_acct() entry handler | |
| */ | |
| int | |
| kprobe__SyS_acct(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_acct -- SyS_acct() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_acct(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_acct; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_settimeofday -- SyS_settimeofday() entry handler | |
| */ | |
| int | |
| kprobe__SyS_settimeofday(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_settimeofday -- SyS_settimeofday() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_settimeofday(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_settimeofday; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_1_2_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mount -- SyS_mount() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mount(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mount -- SyS_mount() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mount(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mount; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_1); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_swapon -- SyS_swapon() entry handler | |
| */ | |
| int | |
| kprobe__SyS_swapon(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_swapon -- SyS_swapon() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_swapon(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_swapon; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_swapoff -- SyS_swapoff() entry handler | |
| */ | |
| int | |
| kprobe__SyS_swapoff(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_swapoff -- SyS_swapoff() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_swapoff(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_swapoff; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_reboot -- SyS_reboot() entry handler | |
| */ | |
| int | |
| kprobe__SyS_reboot(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_reboot -- SyS_reboot() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_reboot(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_reboot; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sethostname -- SyS_sethostname() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sethostname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sethostname -- SyS_sethostname() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sethostname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sethostname; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setdomainname -- SyS_setdomainname() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setdomainname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setdomainname -- SyS_setdomainname() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setdomainname(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setdomainname; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_iopl -- SyS_iopl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_iopl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_iopl -- SyS_iopl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_iopl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_iopl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_ioperm -- sys_ioperm() entry handler | |
| */ | |
| int | |
| kprobe__sys_ioperm(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_ioperm -- sys_ioperm() exit handler | |
| */ | |
| int | |
| kretprobe__sys_ioperm(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ioperm; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_init_module -- SyS_init_module() entry handler | |
| */ | |
| int | |
| kprobe__SyS_init_module(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_init_module -- SyS_init_module() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_init_module(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_init_module; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_delete_module -- SyS_delete_module() entry handler | |
| */ | |
| int | |
| kprobe__SyS_delete_module(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_delete_module -- SyS_delete_module() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_delete_module(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_delete_module; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_quotactl -- SyS_quotactl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_quotactl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_quotactl -- SyS_quotactl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_quotactl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_quotactl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_gettid -- sys_gettid() entry handler | |
| */ | |
| int | |
| kprobe__sys_gettid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_gettid -- sys_gettid() exit handler | |
| */ | |
| int | |
| kretprobe__sys_gettid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_gettid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_readahead -- SyS_readahead() entry handler | |
| */ | |
| int | |
| kprobe__SyS_readahead(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_readahead -- SyS_readahead() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_readahead(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_readahead; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setxattr -- SyS_setxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setxattr -- SyS_setxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_setxattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_lsetxattr -- SyS_lsetxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_lsetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_lsetxattr -- SyS_lsetxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_lsetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_lsetxattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fsetxattr -- SyS_fsetxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fsetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fsetxattr -- SyS_fsetxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fsetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fsetxattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getxattr -- SyS_getxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getxattr -- SyS_getxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_getxattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_lgetxattr -- SyS_lgetxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_lgetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_lgetxattr -- SyS_lgetxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_lgetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_lgetxattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fgetxattr -- SyS_fgetxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fgetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fgetxattr -- SyS_fgetxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fgetxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fgetxattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_listxattr -- SyS_listxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_listxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_listxattr -- SyS_listxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_listxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_listxattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_llistxattr -- SyS_llistxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_llistxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_llistxattr -- SyS_llistxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_llistxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_llistxattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_flistxattr -- SyS_flistxattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_flistxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_flistxattr -- SyS_flistxattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_flistxattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_flistxattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_removexattr -- SyS_removexattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_removexattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_removexattr -- SyS_removexattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_removexattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_removexattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_lremovexattr -- SyS_lremovexattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_lremovexattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_lremovexattr -- SyS_lremovexattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_lremovexattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_lremovexattr; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fremovexattr -- SyS_fremovexattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fremovexattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fremovexattr -- SyS_fremovexattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fremovexattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fremovexattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_tkill -- SyS_tkill() entry handler | |
| */ | |
| int | |
| kprobe__SyS_tkill(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_tkill -- SyS_tkill() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_tkill(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_tkill; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_time -- SyS_time() entry handler | |
| */ | |
| int | |
| kprobe__SyS_time(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_time -- SyS_time() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_time(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_time; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_futex -- SyS_futex() entry handler | |
| */ | |
| int | |
| kprobe__SyS_futex(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_futex -- SyS_futex() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_futex(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_futex; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_setaffinity -- SyS_sched_setaffinity() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_setaffinity(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_setaffinity -- SyS_sched_setaffinity() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_setaffinity(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_setaffinity; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_getaffinity -- SyS_sched_getaffinity() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_getaffinity(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_getaffinity -- SyS_sched_getaffinity() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_getaffinity(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_getaffinity; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_set_thread_area -- SyS_set_thread_area() entry handler | |
| */ | |
| int | |
| kprobe__SyS_set_thread_area(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_set_thread_area -- SyS_set_thread_area() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_set_thread_area(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_set_thread_area; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_io_setup -- SyS_io_setup() entry handler | |
| */ | |
| int | |
| kprobe__SyS_io_setup(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_io_setup -- SyS_io_setup() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_io_setup(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_io_setup; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_io_destroy -- SyS_io_destroy() entry handler | |
| */ | |
| int | |
| kprobe__SyS_io_destroy(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_io_destroy -- SyS_io_destroy() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_io_destroy(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_io_destroy; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_io_getevents -- SyS_io_getevents() entry handler | |
| */ | |
| int | |
| kprobe__SyS_io_getevents(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_io_getevents -- SyS_io_getevents() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_io_getevents(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_io_getevents; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_io_submit -- SyS_io_submit() entry handler | |
| */ | |
| int | |
| kprobe__SyS_io_submit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_io_submit -- SyS_io_submit() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_io_submit(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_io_submit; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_io_cancel -- SyS_io_cancel() entry handler | |
| */ | |
| int | |
| kprobe__SyS_io_cancel(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_io_cancel -- SyS_io_cancel() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_io_cancel(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_io_cancel; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_get_thread_area -- SyS_get_thread_area() entry handler | |
| */ | |
| int | |
| kprobe__SyS_get_thread_area(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_get_thread_area -- SyS_get_thread_area() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_get_thread_area(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_get_thread_area; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_lookup_dcookie -- SyS_lookup_dcookie() entry handler | |
| */ | |
| int | |
| kprobe__SyS_lookup_dcookie(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_lookup_dcookie -- SyS_lookup_dcookie() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_lookup_dcookie(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_lookup_dcookie; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_epoll_create -- SyS_epoll_create() entry handler | |
| */ | |
| int | |
| kprobe__SyS_epoll_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_epoll_create -- SyS_epoll_create() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_epoll_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_epoll_create; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_remap_file_pages -- SyS_remap_file_pages() entry handler | |
| */ | |
| int | |
| kprobe__SyS_remap_file_pages(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_remap_file_pages -- SyS_remap_file_pages() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_remap_file_pages(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_remap_file_pages; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getdents64 -- SyS_getdents64() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getdents64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getdents64 -- SyS_getdents64() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getdents64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getdents64; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_set_tid_address -- SyS_set_tid_address() entry handler | |
| */ | |
| int | |
| kprobe__SyS_set_tid_address(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_set_tid_address -- SyS_set_tid_address() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_set_tid_address(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_set_tid_address; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_restart_syscall -- sys_restart_syscall() entry handler | |
| */ | |
| int | |
| kprobe__sys_restart_syscall(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_restart_syscall -- sys_restart_syscall() exit handler | |
| */ | |
| int | |
| kretprobe__sys_restart_syscall(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_restart_syscall; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_semtimedop -- SyS_semtimedop() entry handler | |
| */ | |
| int | |
| kprobe__SyS_semtimedop(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_semtimedop -- SyS_semtimedop() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_semtimedop(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_semtimedop; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fadvise64 -- SyS_fadvise64() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fadvise64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fadvise64 -- SyS_fadvise64() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fadvise64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fadvise64; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timer_create -- SyS_timer_create() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timer_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timer_create -- SyS_timer_create() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timer_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timer_create; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timer_settime -- SyS_timer_settime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timer_settime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timer_settime -- SyS_timer_settime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timer_settime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timer_settime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timer_gettime -- SyS_timer_gettime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timer_gettime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timer_gettime -- SyS_timer_gettime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timer_gettime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timer_gettime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timer_getoverrun -- SyS_timer_getoverrun() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timer_getoverrun(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timer_getoverrun -- SyS_timer_getoverrun() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timer_getoverrun(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timer_getoverrun; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timer_delete -- SyS_timer_delete() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timer_delete(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timer_delete -- SyS_timer_delete() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timer_delete(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timer_delete; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_clock_settime -- SyS_clock_settime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_clock_settime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_clock_settime -- SyS_clock_settime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_clock_settime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_clock_settime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_clock_gettime -- SyS_clock_gettime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_clock_gettime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_clock_gettime -- SyS_clock_gettime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_clock_gettime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_clock_gettime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_clock_getres -- SyS_clock_getres() entry handler | |
| */ | |
| int | |
| kprobe__SyS_clock_getres(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_clock_getres -- SyS_clock_getres() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_clock_getres(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_clock_getres; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_clock_nanosleep -- SyS_clock_nanosleep() entry handler | |
| */ | |
| int | |
| kprobe__SyS_clock_nanosleep(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_clock_nanosleep -- SyS_clock_nanosleep() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_clock_nanosleep(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_clock_nanosleep; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_exit_group -- SyS_exit_group() entry handler | |
| */ | |
| int | |
| kprobe__SyS_exit_group(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_exit_group -- SyS_exit_group() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_exit_group(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_exit_group; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_epoll_wait -- SyS_epoll_wait() entry handler | |
| */ | |
| int | |
| kprobe__SyS_epoll_wait(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_epoll_wait -- SyS_epoll_wait() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_epoll_wait(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_epoll_wait; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_epoll_ctl -- SyS_epoll_ctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_epoll_ctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_epoll_ctl -- SyS_epoll_ctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_epoll_ctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_epoll_ctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_tgkill -- SyS_tgkill() entry handler | |
| */ | |
| int | |
| kprobe__SyS_tgkill(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_tgkill -- SyS_tgkill() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_tgkill(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_tgkill; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_utimes -- SyS_utimes() entry handler | |
| */ | |
| int | |
| kprobe__SyS_utimes(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_utimes -- SyS_utimes() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_utimes(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_utimes; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mbind -- SyS_mbind() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mbind(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mbind -- SyS_mbind() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mbind(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mbind; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_set_mempolicy -- SyS_set_mempolicy() entry handler | |
| */ | |
| int | |
| kprobe__SyS_set_mempolicy(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_set_mempolicy -- SyS_set_mempolicy() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_set_mempolicy(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_set_mempolicy; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_get_mempolicy -- SyS_get_mempolicy() entry handler | |
| */ | |
| int | |
| kprobe__SyS_get_mempolicy(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_get_mempolicy -- SyS_get_mempolicy() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_get_mempolicy(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_get_mempolicy; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mq_open -- SyS_mq_open() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mq_open(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mq_open -- SyS_mq_open() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mq_open(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mq_open; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mq_unlink -- SyS_mq_unlink() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mq_unlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mq_unlink -- SyS_mq_unlink() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mq_unlink(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mq_unlink; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mq_timedsend -- SyS_mq_timedsend() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mq_timedsend(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mq_timedsend -- SyS_mq_timedsend() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mq_timedsend(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mq_timedsend; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mq_timedreceive -- SyS_mq_timedreceive() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mq_timedreceive(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mq_timedreceive -- SyS_mq_timedreceive() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mq_timedreceive(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mq_timedreceive; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mq_notify -- SyS_mq_notify() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mq_notify(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mq_notify -- SyS_mq_notify() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mq_notify(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mq_notify; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mq_getsetattr -- SyS_mq_getsetattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mq_getsetattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mq_getsetattr -- SyS_mq_getsetattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mq_getsetattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mq_getsetattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_kexec_load -- SyS_kexec_load() entry handler | |
| */ | |
| int | |
| kprobe__SyS_kexec_load(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_kexec_load -- SyS_kexec_load() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_kexec_load(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_kexec_load; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_waitid -- SyS_waitid() entry handler | |
| */ | |
| int | |
| kprobe__SyS_waitid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_waitid -- SyS_waitid() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_waitid(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_waitid; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_add_key -- SyS_add_key() entry handler | |
| */ | |
| int | |
| kprobe__SyS_add_key(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_add_key -- SyS_add_key() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_add_key(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_add_key; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_request_key -- SyS_request_key() entry handler | |
| */ | |
| int | |
| kprobe__SyS_request_key(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_request_key -- SyS_request_key() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_request_key(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_request_key; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_keyctl -- SyS_keyctl() entry handler | |
| */ | |
| int | |
| kprobe__SyS_keyctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_keyctl -- SyS_keyctl() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_keyctl(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_keyctl; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ioprio_set -- SyS_ioprio_set() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ioprio_set(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ioprio_set -- SyS_ioprio_set() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ioprio_set(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ioprio_set; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ioprio_get -- SyS_ioprio_get() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ioprio_get(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ioprio_get -- SyS_ioprio_get() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ioprio_get(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ioprio_get; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__sys_inotify_init -- sys_inotify_init() entry handler | |
| */ | |
| int | |
| kprobe__sys_inotify_init(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__sys_inotify_init -- sys_inotify_init() exit handler | |
| */ | |
| int | |
| kretprobe__sys_inotify_init(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_inotify_init; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_inotify_add_watch -- SyS_inotify_add_watch() entry handler | |
| */ | |
| int | |
| kprobe__SyS_inotify_add_watch(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_inotify_add_watch -- SyS_inotify_add_watch() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_inotify_add_watch(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_inotify_add_watch; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_inotify_rm_watch -- SyS_inotify_rm_watch() entry handler | |
| */ | |
| int | |
| kprobe__SyS_inotify_rm_watch(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_inotify_rm_watch -- SyS_inotify_rm_watch() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_inotify_rm_watch(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_inotify_rm_watch; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_migrate_pages -- SyS_migrate_pages() entry handler | |
| */ | |
| int | |
| kprobe__SyS_migrate_pages(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_migrate_pages -- SyS_migrate_pages() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_migrate_pages(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_migrate_pages; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_openat -- SyS_openat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_openat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_openat -- SyS_openat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_openat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_openat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mkdirat -- SyS_mkdirat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mkdirat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mkdirat -- SyS_mkdirat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mkdirat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mkdirat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mknodat -- SyS_mknodat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mknodat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mknodat -- SyS_mknodat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mknodat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_mknodat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fchownat -- SyS_fchownat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fchownat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fchownat -- SyS_fchownat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fchownat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_fchownat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_futimesat -- SyS_futimesat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_futimesat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_futimesat -- SyS_futimesat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_futimesat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_futimesat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_newfstatat -- SyS_newfstatat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_newfstatat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_newfstatat -- SyS_newfstatat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_newfstatat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_newfstatat; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_unlinkat -- SyS_unlinkat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_unlinkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_unlinkat -- SyS_unlinkat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_unlinkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_unlinkat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_2_4_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_renameat -- SyS_renameat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_renameat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_renameat -- SyS_renameat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_renameat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_renameat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_2); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_4); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_2_4_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_linkat -- SyS_linkat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_linkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_linkat -- SyS_linkat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_linkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_linkat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_2); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_4); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_1_3_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_symlinkat -- SyS_symlinkat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_symlinkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_symlinkat -- SyS_symlinkat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_symlinkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_symlinkat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_1); | |
| bpf_probe_read((&u.ev.aux_str) + NAME_MAX / 2, | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_3); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_readlinkat -- SyS_readlinkat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_readlinkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_readlinkat -- SyS_readlinkat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_readlinkat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_readlinkat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fchmodat -- SyS_fchmodat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fchmodat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fchmodat -- SyS_fchmodat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fchmodat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_fchmodat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_faccessat -- SyS_faccessat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_faccessat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_faccessat -- SyS_faccessat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_faccessat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_faccessat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pselect6 -- SyS_pselect6() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pselect6(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pselect6 -- SyS_pselect6() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pselect6(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pselect6; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_ppoll -- SyS_ppoll() entry handler | |
| */ | |
| int | |
| kprobe__SyS_ppoll(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_ppoll -- SyS_ppoll() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_ppoll(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_ppoll; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_unshare -- SyS_unshare() entry handler | |
| */ | |
| int | |
| kprobe__SyS_unshare(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_unshare -- SyS_unshare() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_unshare(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_unshare; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_set_robust_list -- SyS_set_robust_list() entry handler | |
| */ | |
| int | |
| kprobe__SyS_set_robust_list(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_set_robust_list -- SyS_set_robust_list() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_set_robust_list(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_set_robust_list; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_get_robust_list -- SyS_get_robust_list() entry handler | |
| */ | |
| int | |
| kprobe__SyS_get_robust_list(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_get_robust_list -- SyS_get_robust_list() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_get_robust_list(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_get_robust_list; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_splice -- SyS_splice() entry handler | |
| */ | |
| int | |
| kprobe__SyS_splice(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_splice -- SyS_splice() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_splice(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_splice; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_tee -- SyS_tee() entry handler | |
| */ | |
| int | |
| kprobe__SyS_tee(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_tee -- SyS_tee() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_tee(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_tee; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sync_file_range -- SyS_sync_file_range() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sync_file_range(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sync_file_range -- SyS_sync_file_range() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sync_file_range(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sync_file_range; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_vmsplice -- SyS_vmsplice() entry handler | |
| */ | |
| int | |
| kprobe__SyS_vmsplice(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_vmsplice -- SyS_vmsplice() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_vmsplice(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_vmsplice; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_move_pages -- SyS_move_pages() entry handler | |
| */ | |
| int | |
| kprobe__SyS_move_pages(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_move_pages -- SyS_move_pages() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_move_pages(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_move_pages; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_utimensat -- SyS_utimensat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_utimensat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_utimensat -- SyS_utimensat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_utimensat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_utimensat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_epoll_pwait -- SyS_epoll_pwait() entry handler | |
| */ | |
| int | |
| kprobe__SyS_epoll_pwait(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_epoll_pwait -- SyS_epoll_pwait() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_epoll_pwait(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_epoll_pwait; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_signalfd -- SyS_signalfd() entry handler | |
| */ | |
| int | |
| kprobe__SyS_signalfd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_signalfd -- SyS_signalfd() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_signalfd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_signalfd; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timerfd_create -- SyS_timerfd_create() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timerfd_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timerfd_create -- SyS_timerfd_create() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timerfd_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timerfd_create; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_eventfd -- SyS_eventfd() entry handler | |
| */ | |
| int | |
| kprobe__SyS_eventfd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_eventfd -- SyS_eventfd() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_eventfd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_eventfd; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fallocate -- SyS_fallocate() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fallocate(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fallocate -- SyS_fallocate() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fallocate(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fallocate; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timerfd_settime -- SyS_timerfd_settime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timerfd_settime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timerfd_settime -- SyS_timerfd_settime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timerfd_settime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timerfd_settime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_timerfd_gettime -- SyS_timerfd_gettime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_timerfd_gettime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_timerfd_gettime -- SyS_timerfd_gettime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_timerfd_gettime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_timerfd_gettime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_accept4 -- SyS_accept4() entry handler | |
| */ | |
| int | |
| kprobe__SyS_accept4(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_accept4 -- SyS_accept4() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_accept4(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_accept4; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_signalfd4 -- SyS_signalfd4() entry handler | |
| */ | |
| int | |
| kprobe__SyS_signalfd4(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_signalfd4 -- SyS_signalfd4() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_signalfd4(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_signalfd4; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_eventfd2 -- SyS_eventfd2() entry handler | |
| */ | |
| int | |
| kprobe__SyS_eventfd2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_eventfd2 -- SyS_eventfd2() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_eventfd2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_eventfd2; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_epoll_create1 -- SyS_epoll_create1() entry handler | |
| */ | |
| int | |
| kprobe__SyS_epoll_create1(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_epoll_create1 -- SyS_epoll_create1() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_epoll_create1(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_epoll_create1; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_dup3 -- SyS_dup3() entry handler | |
| */ | |
| int | |
| kprobe__SyS_dup3(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_dup3 -- SyS_dup3() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_dup3(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_dup3; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pipe2 -- SyS_pipe2() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pipe2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pipe2 -- SyS_pipe2() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pipe2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pipe2; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_inotify_init1 -- SyS_inotify_init1() entry handler | |
| */ | |
| int | |
| kprobe__SyS_inotify_init1(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_inotify_init1 -- SyS_inotify_init1() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_inotify_init1(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_inotify_init1; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_preadv -- SyS_preadv() entry handler | |
| */ | |
| int | |
| kprobe__SyS_preadv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_preadv -- SyS_preadv() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_preadv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_preadv; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_pwritev -- SyS_pwritev() entry handler | |
| */ | |
| int | |
| kprobe__SyS_pwritev(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_pwritev -- SyS_pwritev() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_pwritev(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_pwritev; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_rt_tgsigqueueinfo -- SyS_rt_tgsigqueueinfo() entry handler | |
| */ | |
| int | |
| kprobe__SyS_rt_tgsigqueueinfo(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_rt_tgsigqueueinfo -- SyS_rt_tgsigqueueinfo() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_rt_tgsigqueueinfo(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_rt_tgsigqueueinfo; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_recvmmsg -- SyS_recvmmsg() entry handler | |
| */ | |
| int | |
| kprobe__SyS_recvmmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_recvmmsg -- SyS_recvmmsg() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_recvmmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_recvmmsg; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fanotify_init -- SyS_fanotify_init() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fanotify_init(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fanotify_init -- SyS_fanotify_init() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fanotify_init(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fanotify_init; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_fanotify_mark -- SyS_fanotify_mark() entry handler | |
| */ | |
| int | |
| kprobe__SyS_fanotify_mark(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_fanotify_mark -- SyS_fanotify_mark() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_fanotify_mark(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_fanotify_mark; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_prlimit64 -- SyS_prlimit64() entry handler | |
| */ | |
| int | |
| kprobe__SyS_prlimit64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_prlimit64 -- SyS_prlimit64() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_prlimit64(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_prlimit64; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_name_to_handle_at -- SyS_name_to_handle_at() entry handler | |
| */ | |
| int | |
| kprobe__SyS_name_to_handle_at(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_name_to_handle_at -- SyS_name_to_handle_at() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_name_to_handle_at(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_name_to_handle_at; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_open_by_handle_at -- SyS_open_by_handle_at() entry handler | |
| */ | |
| int | |
| kprobe__SyS_open_by_handle_at(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_open_by_handle_at -- SyS_open_by_handle_at() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_open_by_handle_at(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_open_by_handle_at; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_clock_adjtime -- SyS_clock_adjtime() entry handler | |
| */ | |
| int | |
| kprobe__SyS_clock_adjtime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_clock_adjtime -- SyS_clock_adjtime() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_clock_adjtime(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_clock_adjtime; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_syncfs -- SyS_syncfs() entry handler | |
| */ | |
| int | |
| kprobe__SyS_syncfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_syncfs -- SyS_syncfs() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_syncfs(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_syncfs; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sendmmsg -- SyS_sendmmsg() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sendmmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sendmmsg -- SyS_sendmmsg() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sendmmsg(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sendmmsg; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_setns -- SyS_setns() entry handler | |
| */ | |
| int | |
| kprobe__SyS_setns(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_setns -- SyS_setns() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_setns(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_setns; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getcpu -- SyS_getcpu() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getcpu(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getcpu -- SyS_getcpu() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getcpu(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getcpu; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_process_vm_readv -- SyS_process_vm_readv() entry handler | |
| */ | |
| int | |
| kprobe__SyS_process_vm_readv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_process_vm_readv -- SyS_process_vm_readv() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_process_vm_readv(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_process_vm_readv; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_process_vm_writev -- SyS_process_vm_writev() entry handler | |
| */ | |
| int | |
| kprobe__SyS_process_vm_writev(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_process_vm_writev -- SyS_process_vm_writev() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_process_vm_writev(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_process_vm_writev; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_kcmp -- SyS_kcmp() entry handler | |
| */ | |
| int | |
| kprobe__SyS_kcmp(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_kcmp -- SyS_kcmp() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_kcmp(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_kcmp; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_finit_module -- SyS_finit_module() entry handler | |
| */ | |
| int | |
| kprobe__SyS_finit_module(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_finit_module -- SyS_finit_module() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_finit_module(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_finit_module; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_setattr -- SyS_sched_setattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_setattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_setattr -- SyS_sched_setattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_setattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_setattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_sched_getattr -- SyS_sched_getattr() entry handler | |
| */ | |
| int | |
| kprobe__SyS_sched_getattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_sched_getattr -- SyS_sched_getattr() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_sched_getattr(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_sched_getattr; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fs_path_2_4_arg_tmpl-sl.c -- Trace syscalls with numbers known from | |
| * libc and filename as first argument. Single-packet version. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_renameat2 -- SyS_renameat2() entry handler | |
| */ | |
| int | |
| kprobe__SyS_renameat2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_renameat2 -- SyS_renameat2() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_renameat2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_renameat2; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX / 2, (void *)fsp->arg_2); | |
| bpf_probe_read((&u.ev.aux_str) + (NAME_MAX / 2), | |
| NAME_MAX - (NAME_MAX / 2), | |
| (void *)fsp->arg_4); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_seccomp -- SyS_seccomp() entry handler | |
| */ | |
| int | |
| kprobe__SyS_seccomp(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_seccomp -- SyS_seccomp() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_seccomp(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_seccomp; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_getrandom -- SyS_getrandom() entry handler | |
| */ | |
| int | |
| kprobe__SyS_getrandom(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_getrandom -- SyS_getrandom() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_getrandom(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_getrandom; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_file_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * filename as first argument. Single-packet version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_memfd_create -- SyS_memfd_create() entry handler | |
| */ | |
| int | |
| kprobe__SyS_memfd_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_memfd_create -- SyS_memfd_create() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_memfd_create(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_memfd_create; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_1); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_kexec_file_load -- SyS_kexec_file_load() entry handler | |
| */ | |
| int | |
| kprobe__SyS_kexec_file_load(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_kexec_file_load -- SyS_kexec_file_load() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_kexec_file_load(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_kexec_file_load; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_bpf -- SyS_bpf() entry handler | |
| */ | |
| int | |
| kprobe__SyS_bpf(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_bpf -- SyS_bpf() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_bpf(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_bpf; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_fileat_tmpl-sl.c -- Trace syscalls with numbers known from libc and | |
| * a fd as first arg and a filename as second argument. Single-packet | |
| * version. Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_execveat -- SyS_execveat() entry handler | |
| */ | |
| int | |
| kprobe__SyS_execveat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_execveat -- SyS_execveat() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_execveat(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| enum { _pad_size = offsetof(struct ev_dt_t, aux_str) + NAME_MAX }; | |
| union { | |
| struct ev_dt_t ev; | |
| char _pad[_pad_size]; | |
| } u; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| u.ev.packet_type = 0; /* No additional packets */ | |
| u.ev.sc_id = __NR_execveat; /* SysCall ID */ | |
| u.ev.arg_1 = fsp->arg_1; | |
| u.ev.arg_2 = fsp->arg_2; | |
| u.ev.arg_3 = fsp->arg_3; | |
| u.ev.arg_4 = fsp->arg_4; | |
| u.ev.arg_5 = fsp->arg_5; | |
| u.ev.arg_6 = fsp->arg_6; | |
| u.ev.pid_tid = pid_tid; | |
| u.ev.start_ts_nsec = fsp->start_ts_nsec; | |
| u.ev.finish_ts_nsec = cur_nsec; | |
| u.ev.ret = PT_REGS_RC(ctx); | |
| bpf_probe_read(&u.ev.aux_str, NAME_MAX, (void *)fsp->arg_2); | |
| events.perf_submit(ctx, &u.ev, _pad_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_userfaultfd -- SyS_userfaultfd() entry handler | |
| */ | |
| int | |
| kprobe__SyS_userfaultfd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_userfaultfd -- SyS_userfaultfd() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_userfaultfd(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_userfaultfd; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_membarrier -- SyS_membarrier() entry handler | |
| */ | |
| int | |
| kprobe__SyS_membarrier(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_membarrier -- SyS_membarrier() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_membarrier(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_membarrier; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| /* | |
| * trace_libc_tmpl.c -- Trace syscalls with numbers known from libc. | |
| * Uses BCC, eBPF. | |
| */ | |
| /* | |
| * kprobe__SyS_mlock2 -- SyS_mlock2() entry handler | |
| */ | |
| int | |
| kprobe__SyS_mlock2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t fs; | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| /* | |
| * pid_check_ff_disabled_hook.c -- Pid check hook for no-follow-fork mode. | |
| */ | |
| { | |
| if ((pid_tid >> 32) != 3198) { | |
| return 0; | |
| } | |
| } | |
| fs.start_ts_nsec = bpf_ktime_get_ns(); | |
| fs.arg_1 = PT_REGS_PARM1(ctx); | |
| fs.arg_2 = PT_REGS_PARM2(ctx); | |
| fs.arg_3 = PT_REGS_PARM3(ctx); | |
| fs.arg_4 = PT_REGS_PARM4(ctx); | |
| fs.arg_5 = PT_REGS_PARM5(ctx); | |
| fs.arg_6 = PT_REGS_PARM6(ctx); | |
| tmp_i.update(&pid_tid, &fs); | |
| return 0; | |
| }; | |
| /* | |
| * kretprobe__SyS_mlock2 -- SyS_mlock2() exit handler | |
| */ | |
| int | |
| kretprobe__SyS_mlock2(struct pt_regs *ctx) | |
| { | |
| struct first_step_t *fsp; | |
| struct ev_dt_t ev; | |
| u64 cur_nsec = bpf_ktime_get_ns(); | |
| u64 pid_tid = bpf_get_current_pid_tgid(); | |
| fsp = tmp_i.lookup(&pid_tid); | |
| if (fsp == 0) | |
| return 0; | |
| ev.packet_type = 0; /* No additional packets */ | |
| ev.sc_id = __NR_mlock2; /* SysCall ID */ | |
| ev.arg_1 = fsp->arg_1; | |
| ev.arg_2 = fsp->arg_2; | |
| ev.arg_3 = fsp->arg_3; | |
| ev.arg_4 = fsp->arg_4; | |
| ev.arg_5 = fsp->arg_5; | |
| ev.arg_6 = fsp->arg_6; | |
| ev.pid_tid = pid_tid; | |
| ev.start_ts_nsec = fsp->start_ts_nsec; | |
| ev.finish_ts_nsec = cur_nsec; | |
| ev.ret = PT_REGS_RC(ctx); | |
| enum { ev_size = offsetof(struct ev_dt_t, sc_name) }; | |
| events.perf_submit(ctx, &ev, ev_size); | |
| tmp_i.delete(&pid_tid); | |
| return 0; | |
| } | |
| >>>>> EndOf generated eBPF code <<<<<< | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_read'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+37 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (7b) *(u64 *)(r10 -96) = r1 | |
| 14: (79) r1 = *(u64 *)(r0 +0) | |
| 15: (7b) *(u64 *)(r10 -80) = r1 | |
| 16: (79) r1 = *(u64 *)(r0 +8) | |
| 17: (7b) *(u64 *)(r10 -72) = r1 | |
| 18: (79) r1 = *(u64 *)(r0 +16) | |
| 19: (7b) *(u64 *)(r10 -64) = r1 | |
| 20: (79) r1 = *(u64 *)(r0 +24) | |
| 21: (7b) *(u64 *)(r10 -56) = r1 | |
| 22: (79) r1 = *(u64 *)(r0 +32) | |
| 23: (7b) *(u64 *)(r10 -48) = r1 | |
| 24: (79) r1 = *(u64 *)(r0 +40) | |
| 25: (7b) *(u64 *)(r10 -40) = r1 | |
| 26: (79) r1 = *(u64 *)(r10 -136) | |
| 27: (7b) *(u64 *)(r10 -120) = r1 | |
| 28: (79) r1 = *(u64 *)(r0 +48) | |
| 29: (7b) *(u64 *)(r10 -112) = r1 | |
| 30: (7b) *(u64 *)(r10 -104) = r7 | |
| 31: (79) r1 = *(u64 *)(r6 +80) | |
| 32: (7b) *(u64 *)(r10 -88) = r1 | |
| 33: (18) r7 = 0x16ed8540 | |
| 35: (85) call 8 | |
| 36: (bf) r4 = r10 | |
| 37: (07) r4 += -128 | |
| 38: (bf) r1 = r6 | |
| 39: (bf) r2 = r7 | |
| 40: (bf) r3 = r0 | |
| 41: (b7) r5 = 96 | |
| 42: (85) call 25 | |
| 43: (18) r1 = 0x4be85e80 | |
| 45: (bf) r2 = r10 | |
| 46: (07) r2 += -136 | |
| 47: (85) call 3 | |
| 48: (b7) r0 = 0 | |
| 49: (95) exit | |
| from 10 to 48: R0=imm0 R6=ctx R7=inv R10=fp | |
| 48: (b7) r0 = 0 | |
| 49: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_read'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_write'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 1 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_write'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_open'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 2 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_open: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_open to 'SyS_open'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_close'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 3 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_close'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_newstat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 4 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_newstat: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_newstat to 'SyS_newstat'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_newfstat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 5 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_newfstat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_newlstat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 6 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_newlstat: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_newlstat to 'SyS_newlstat'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_poll'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 7 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_poll'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_lseek'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 8 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_lseek'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mmap'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 9 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_mmap'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mprotect'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 10 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_mprotect'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_munmap'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 11 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_munmap'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_brk'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 12 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_brk'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rt_sigaction'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 13 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_rt_sigaction'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rt_sigprocmask'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 14 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_rt_sigprocmask'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_rt_sigreturn'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 15 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_rt_sigreturn'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_ioctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 16 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_ioctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_pread64'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 17 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_pread64'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_pwrite64'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 18 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_pwrite64'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_readv'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 19 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_readv'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_writev'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 20 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_writev'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_access'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 21 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_access: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_access to 'SyS_access'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_pipe'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 22 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_pipe'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_select'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 23 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_select'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_sched_yield'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 24 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_sched_yield'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mremap'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 25 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_mremap'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_msync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 26 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_msync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mincore'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 27 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_mincore'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_madvise'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 28 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_madvise'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_shmget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 29 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_shmget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_shmat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 30 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_shmat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_shmctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 31 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_shmctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_dup'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 32 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_dup'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_dup2'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 33 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_dup2'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_pause'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 34 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_pause'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_nanosleep'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 35 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_nanosleep'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getitimer'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 36 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getitimer'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_alarm'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 37 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_alarm'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setitimer'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 38 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setitimer'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_getpid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 39 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_getpid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sendfile'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 40 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sendfile'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_socket'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 41 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_socket'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_connect'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 42 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_connect'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_accept'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 43 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_accept'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sendto'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 44 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sendto'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_recvfrom'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 45 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_recvfrom'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sendmsg'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 46 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sendmsg'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_recvmsg'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 47 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_recvmsg'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_shutdown'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 48 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_shutdown'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_bind'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 49 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_bind'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_listen'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 50 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_listen'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getsockname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 51 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getsockname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getpeername'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 52 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getpeername'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_socketpair'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 53 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_socketpair'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setsockopt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 54 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setsockopt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getsockopt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 55 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getsockopt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_clone'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 56 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_clone'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_fork'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 57 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_fork'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_vfork'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 58 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_vfork'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_execve'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 59 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_execve: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_execve to 'SyS_execve'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_exit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 60 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_exit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_wait4'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 61 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_wait4'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_kill'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 62 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_kill'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_uname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 63 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_uname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_semget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 64 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_semget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_semop'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 65 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_semop'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_semctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 66 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_semctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_shmdt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 67 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_shmdt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_msgget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 68 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_msgget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_msgsnd'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 69 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_msgsnd'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_msgrcv'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 70 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_msgrcv'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_msgctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 71 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_msgctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fcntl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 72 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fcntl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_flock'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 73 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_flock'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fsync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 74 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fsync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fdatasync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 75 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fdatasync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_truncate'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 76 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_truncate: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_truncate to 'SyS_truncate'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_ftruncate'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 77 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_ftruncate'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getdents'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 78 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getdents'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getcwd'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 79 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getcwd'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_chdir'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 80 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_chdir: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_chdir to 'SyS_chdir'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fchdir'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 81 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fchdir'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rename'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (bf) r8 = r0 | |
| 11: (15) if r8 == 0x0 goto pc+48 | |
| R0=map_value_or_null(ks=8,vs=56) R6=ctx R7=inv R8=map_value(ks=8,vs=56) R10=fp | |
| 12: (b7) r1 = 0 | |
| 13: (7b) *(u64 *)(r10 -352) = r1 | |
| 14: (b7) r1 = 82 | |
| 15: (7b) *(u64 *)(r10 -320) = r1 | |
| 16: (79) r1 = *(u64 *)(r8 +0) | |
| 17: (7b) *(u64 *)(r10 -304) = r1 | |
| 18: (79) r1 = *(u64 *)(r8 +8) | |
| 19: (7b) *(u64 *)(r10 -296) = r1 | |
| 20: (79) r1 = *(u64 *)(r8 +16) | |
| 21: (7b) *(u64 *)(r10 -288) = r1 | |
| 22: (79) r1 = *(u64 *)(r8 +24) | |
| 23: (7b) *(u64 *)(r10 -280) = r1 | |
| 24: (79) r1 = *(u64 *)(r8 +32) | |
| 25: (7b) *(u64 *)(r10 -272) = r1 | |
| 26: (79) r1 = *(u64 *)(r8 +40) | |
| 27: (7b) *(u64 *)(r10 -264) = r1 | |
| 28: (79) r1 = *(u64 *)(r10 -360) | |
| 29: (7b) *(u64 *)(r10 -344) = r1 | |
| 30: (79) r1 = *(u64 *)(r8 +48) | |
| 31: (7b) *(u64 *)(r10 -336) = r1 | |
| 32: (7b) *(u64 *)(r10 -328) = r7 | |
| 33: (79) r1 = *(u64 *)(r6 +80) | |
| 34: (7b) *(u64 *)(r10 -312) = r1 | |
| 35: (79) r3 = *(u64 *)(r8 +0) | |
| 36: (bf) r1 = r10 | |
| 37: (07) r1 += -256 | |
| 38: (b7) r2 = 127 | |
| 39: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 127 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_rename: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_rename to 'SyS_rename'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mkdir'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 83 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_mkdir: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_mkdir to 'SyS_mkdir'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rmdir'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 84 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_rmdir: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_rmdir to 'SyS_rmdir'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_creat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 85 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_creat: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_creat to 'SyS_creat'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_link'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (bf) r8 = r0 | |
| 11: (15) if r8 == 0x0 goto pc+48 | |
| R0=map_value_or_null(ks=8,vs=56) R6=ctx R7=inv R8=map_value(ks=8,vs=56) R10=fp | |
| 12: (b7) r1 = 0 | |
| 13: (7b) *(u64 *)(r10 -352) = r1 | |
| 14: (b7) r1 = 86 | |
| 15: (7b) *(u64 *)(r10 -320) = r1 | |
| 16: (79) r1 = *(u64 *)(r8 +0) | |
| 17: (7b) *(u64 *)(r10 -304) = r1 | |
| 18: (79) r1 = *(u64 *)(r8 +8) | |
| 19: (7b) *(u64 *)(r10 -296) = r1 | |
| 20: (79) r1 = *(u64 *)(r8 +16) | |
| 21: (7b) *(u64 *)(r10 -288) = r1 | |
| 22: (79) r1 = *(u64 *)(r8 +24) | |
| 23: (7b) *(u64 *)(r10 -280) = r1 | |
| 24: (79) r1 = *(u64 *)(r8 +32) | |
| 25: (7b) *(u64 *)(r10 -272) = r1 | |
| 26: (79) r1 = *(u64 *)(r8 +40) | |
| 27: (7b) *(u64 *)(r10 -264) = r1 | |
| 28: (79) r1 = *(u64 *)(r10 -360) | |
| 29: (7b) *(u64 *)(r10 -344) = r1 | |
| 30: (79) r1 = *(u64 *)(r8 +48) | |
| 31: (7b) *(u64 *)(r10 -336) = r1 | |
| 32: (7b) *(u64 *)(r10 -328) = r7 | |
| 33: (79) r1 = *(u64 *)(r6 +80) | |
| 34: (7b) *(u64 *)(r10 -312) = r1 | |
| 35: (79) r3 = *(u64 *)(r8 +0) | |
| 36: (bf) r1 = r10 | |
| 37: (07) r1 += -256 | |
| 38: (b7) r2 = 127 | |
| 39: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 127 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_link: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_link to 'SyS_link'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_unlink'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 87 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_unlink: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_unlink to 'SyS_unlink'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_symlink'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (bf) r8 = r0 | |
| 11: (15) if r8 == 0x0 goto pc+48 | |
| R0=map_value_or_null(ks=8,vs=56) R6=ctx R7=inv R8=map_value(ks=8,vs=56) R10=fp | |
| 12: (b7) r1 = 0 | |
| 13: (7b) *(u64 *)(r10 -352) = r1 | |
| 14: (b7) r1 = 88 | |
| 15: (7b) *(u64 *)(r10 -320) = r1 | |
| 16: (79) r1 = *(u64 *)(r8 +0) | |
| 17: (7b) *(u64 *)(r10 -304) = r1 | |
| 18: (79) r1 = *(u64 *)(r8 +8) | |
| 19: (7b) *(u64 *)(r10 -296) = r1 | |
| 20: (79) r1 = *(u64 *)(r8 +16) | |
| 21: (7b) *(u64 *)(r10 -288) = r1 | |
| 22: (79) r1 = *(u64 *)(r8 +24) | |
| 23: (7b) *(u64 *)(r10 -280) = r1 | |
| 24: (79) r1 = *(u64 *)(r8 +32) | |
| 25: (7b) *(u64 *)(r10 -272) = r1 | |
| 26: (79) r1 = *(u64 *)(r8 +40) | |
| 27: (7b) *(u64 *)(r10 -264) = r1 | |
| 28: (79) r1 = *(u64 *)(r10 -360) | |
| 29: (7b) *(u64 *)(r10 -344) = r1 | |
| 30: (79) r1 = *(u64 *)(r8 +48) | |
| 31: (7b) *(u64 *)(r10 -336) = r1 | |
| 32: (7b) *(u64 *)(r10 -328) = r7 | |
| 33: (79) r1 = *(u64 *)(r6 +80) | |
| 34: (7b) *(u64 *)(r10 -312) = r1 | |
| 35: (79) r3 = *(u64 *)(r8 +0) | |
| 36: (bf) r1 = r10 | |
| 37: (07) r1 += -256 | |
| 38: (b7) r2 = 127 | |
| 39: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 127 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_symlink: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_symlink to 'SyS_symlink'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_readlink'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 89 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_readlink: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_readlink to 'SyS_readlink'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_chmod'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 90 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_chmod: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_chmod to 'SyS_chmod'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fchmod'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 91 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fchmod'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_chown'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 92 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_chown: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_chown to 'SyS_chown'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fchown'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 93 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fchown'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_lchown'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 94 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_lchown: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_lchown to 'SyS_lchown'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_umask'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 95 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_umask'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_gettimeofday'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 96 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_gettimeofday'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getrlimit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 97 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getrlimit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getrusage'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 98 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getrusage'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sysinfo'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 99 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sysinfo'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_times'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 100 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_times'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_ptrace'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 101 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_ptrace'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_getuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 102 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_getuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_syslog'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 103 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_syslog'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_getgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 104 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_getgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 105 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 106 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_geteuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 107 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_geteuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_getegid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 108 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_getegid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setpgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 109 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setpgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_getppid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 110 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_getppid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_getpgrp'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 111 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_getpgrp'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_setsid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 112 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_setsid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setreuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 113 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setreuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setregid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 114 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setregid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getgroups'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 115 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getgroups'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setgroups'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 116 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setgroups'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setresuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 117 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setresuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getresuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 118 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getresuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setresgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 119 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setresgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getresgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 120 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getresgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getpgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 121 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getpgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setfsuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 122 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setfsuid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setfsgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 123 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setfsgid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getsid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 124 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getsid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_capget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 125 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_capget'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_capset'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 126 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_capset'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rt_sigpending'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 127 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_rt_sigpending'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rt_sigtimedwait'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 128 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_rt_sigtimedwait'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rt_sigqueueinfo'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 129 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_rt_sigqueueinfo'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_rt_sigsuspend'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 130 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_rt_sigsuspend'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sigaltstack'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 131 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sigaltstack'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_utime'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 132 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_utime: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_utime to 'SyS_utime'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mknod'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 133 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_mknod: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_mknod to 'SyS_mknod'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_uselib'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 134 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_uselib: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_uselib to 'SyS_uselib'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_personality'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 135 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_personality'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_ustat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 136 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_ustat'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_statfs'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 137 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_statfs: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_statfs to 'SyS_statfs'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fstatfs'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 138 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fstatfs'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sysfs'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 139 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sysfs'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getpriority'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 140 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getpriority'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setpriority'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 141 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setpriority'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_setparam'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 142 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_setparam'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_getparam'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 143 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_getparam'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_setscheduler'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 144 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_setscheduler'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_getscheduler'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 145 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_getscheduler'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_get_priority_max'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 146 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_get_priority_max'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_get_priority_min'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 147 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_get_priority_min'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_rr_get_interval'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 148 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_rr_get_interval'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mlock'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 149 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_mlock'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_munlock'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 150 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_munlock'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mlockall'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 151 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_mlockall'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_munlockall'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 152 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_munlockall'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_vhangup'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 153 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_vhangup'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_modify_ldt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 154 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_modify_ldt'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_pivot_root'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (bf) r8 = r0 | |
| 11: (15) if r8 == 0x0 goto pc+48 | |
| R0=map_value_or_null(ks=8,vs=56) R6=ctx R7=inv R8=map_value(ks=8,vs=56) R10=fp | |
| 12: (b7) r1 = 0 | |
| 13: (7b) *(u64 *)(r10 -352) = r1 | |
| 14: (b7) r1 = 155 | |
| 15: (7b) *(u64 *)(r10 -320) = r1 | |
| 16: (79) r1 = *(u64 *)(r8 +0) | |
| 17: (7b) *(u64 *)(r10 -304) = r1 | |
| 18: (79) r1 = *(u64 *)(r8 +8) | |
| 19: (7b) *(u64 *)(r10 -296) = r1 | |
| 20: (79) r1 = *(u64 *)(r8 +16) | |
| 21: (7b) *(u64 *)(r10 -288) = r1 | |
| 22: (79) r1 = *(u64 *)(r8 +24) | |
| 23: (7b) *(u64 *)(r10 -280) = r1 | |
| 24: (79) r1 = *(u64 *)(r8 +32) | |
| 25: (7b) *(u64 *)(r10 -272) = r1 | |
| 26: (79) r1 = *(u64 *)(r8 +40) | |
| 27: (7b) *(u64 *)(r10 -264) = r1 | |
| 28: (79) r1 = *(u64 *)(r10 -360) | |
| 29: (7b) *(u64 *)(r10 -344) = r1 | |
| 30: (79) r1 = *(u64 *)(r8 +48) | |
| 31: (7b) *(u64 *)(r10 -336) = r1 | |
| 32: (7b) *(u64 *)(r10 -328) = r7 | |
| 33: (79) r1 = *(u64 *)(r6 +80) | |
| 34: (7b) *(u64 *)(r10 -312) = r1 | |
| 35: (79) r3 = *(u64 *)(r8 +0) | |
| 36: (bf) r1 = r10 | |
| 37: (07) r1 += -256 | |
| 38: (b7) r2 = 127 | |
| 39: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 127 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_pivot_root: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_pivot_root to 'SyS_pivot_root'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sysctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 156 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sysctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_prctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 157 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_prctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_arch_prctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 158 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_arch_prctl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_adjtimex'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 159 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_adjtimex'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setrlimit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 160 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setrlimit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_chroot'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 161 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_chroot: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_chroot to 'SyS_chroot'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_sync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 162 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_sync'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_acct'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 163 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_acct: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_acct to 'SyS_acct'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_settimeofday'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 164 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_settimeofday'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_mount'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (bf) r8 = r0 | |
| 11: (15) if r8 == 0x0 goto pc+48 | |
| R0=map_value_or_null(ks=8,vs=56) R6=ctx R7=inv R8=map_value(ks=8,vs=56) R10=fp | |
| 12: (b7) r1 = 0 | |
| 13: (7b) *(u64 *)(r10 -352) = r1 | |
| 14: (b7) r1 = 165 | |
| 15: (7b) *(u64 *)(r10 -320) = r1 | |
| 16: (79) r1 = *(u64 *)(r8 +0) | |
| 17: (7b) *(u64 *)(r10 -304) = r1 | |
| 18: (79) r1 = *(u64 *)(r8 +8) | |
| 19: (7b) *(u64 *)(r10 -296) = r1 | |
| 20: (79) r1 = *(u64 *)(r8 +16) | |
| 21: (7b) *(u64 *)(r10 -288) = r1 | |
| 22: (79) r1 = *(u64 *)(r8 +24) | |
| 23: (7b) *(u64 *)(r10 -280) = r1 | |
| 24: (79) r1 = *(u64 *)(r8 +32) | |
| 25: (7b) *(u64 *)(r10 -272) = r1 | |
| 26: (79) r1 = *(u64 *)(r8 +40) | |
| 27: (7b) *(u64 *)(r10 -264) = r1 | |
| 28: (79) r1 = *(u64 *)(r10 -360) | |
| 29: (7b) *(u64 *)(r10 -344) = r1 | |
| 30: (79) r1 = *(u64 *)(r8 +48) | |
| 31: (7b) *(u64 *)(r10 -336) = r1 | |
| 32: (7b) *(u64 *)(r10 -328) = r7 | |
| 33: (79) r1 = *(u64 *)(r6 +80) | |
| 34: (7b) *(u64 *)(r10 -312) = r1 | |
| 35: (79) r3 = *(u64 *)(r8 +0) | |
| 36: (bf) r1 = r10 | |
| 37: (07) r1 += -256 | |
| 38: (b7) r2 = 127 | |
| 39: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 127 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_mount: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_mount to 'SyS_mount'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_swapon'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 167 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_swapon: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_swapon to 'SyS_swapon'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_swapoff'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 168 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_swapoff: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_swapoff to 'SyS_swapoff'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_reboot'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 169 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_reboot'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sethostname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 170 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sethostname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setdomainname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 171 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_setdomainname'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_iopl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 172 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_iopl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_ioperm'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 173 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_ioperm'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_init_module'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 175 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_init_module'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_delete_module'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 176 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_delete_module: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_delete_module to 'SyS_delete_module'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_quotactl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 179 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_quotactl'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_gettid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 186 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_gettid'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_readahead'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 187 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_readahead'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_setxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 188 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_setxattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_setxattr to 'SyS_setxattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_lsetxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 189 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_lsetxattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_lsetxattr to 'SyS_lsetxattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fsetxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 190 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fsetxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 191 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_getxattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_getxattr to 'SyS_getxattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_lgetxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 192 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_lgetxattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_lgetxattr to 'SyS_lgetxattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fgetxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 193 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fgetxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_listxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 194 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_listxattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_listxattr to 'SyS_listxattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_llistxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 195 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_llistxattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_llistxattr to 'SyS_llistxattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_flistxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 196 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_flistxattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_removexattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 197 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_removexattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_removexattr to 'SyS_removexattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_lremovexattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -360) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -360 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+43 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -352) = r1 | |
| 13: (b7) r1 = 198 | |
| 14: (7b) *(u64 *)(r10 -320) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -304) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -296) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -288) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -280) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -272) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -264) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -360) | |
| 28: (7b) *(u64 *)(r10 -344) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -336) = r1 | |
| 31: (7b) *(u64 *)(r10 -328) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -312) = r1 | |
| 34: (79) r3 = *(u64 *)(r0 +0) | |
| 35: (bf) r1 = r10 | |
| 36: (07) r1 += -256 | |
| 37: (b7) r2 = 255 | |
| 38: (85) call 4 | |
| invalid indirect read from stack off -256+0 size 255 | |
| ERROR:load_obj_code_into_ebpf_vm:Failed to load BPF program kretprobe__SyS_lremovexattr: Permission denied | |
| ERROR:attach_single_sc:Can't attach kretprobe__SyS_lremovexattr to 'SyS_lremovexattr'. Ignoring. | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_fremovexattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 199 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_fremovexattr'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_tkill'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 200 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_tkill'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_time'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 201 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_time'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_futex'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 202 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_futex'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_setaffinity'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 203 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_setaffinity'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_sched_getaffinity'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 204 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_sched_getaffinity'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_set_thread_area'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 205 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_set_thread_area'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_io_setup'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 206 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_io_setup'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_io_destroy'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 207 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_io_destroy'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_io_getevents'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 208 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_io_getevents'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_io_submit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 209 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_io_submit'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_io_cancel'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 210 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_io_cancel'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_get_thread_area'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 211 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_get_thread_area'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_lookup_dcookie'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 212 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_lookup_dcookie'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_epoll_create'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 213 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_epoll_create'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_remap_file_pages'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 216 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_remap_file_pages'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_getdents64'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 217 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_getdents64'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_set_tid_address'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 218 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__SyS_set_tid_address'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__sys_restart_syscall'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = r0 | |
| 5: (18) r1 = 0x4be85e80 | |
| 7: (bf) r2 = r10 | |
| 8: (07) r2 += -136 | |
| 9: (85) call 1 | |
| 10: (15) if r0 == 0x0 goto pc+38 | |
| R0=map_value(ks=8,vs=56) R6=ctx R7=inv R10=fp | |
| 11: (b7) r1 = 0 | |
| 12: (7b) *(u64 *)(r10 -128) = r1 | |
| 13: (b7) r1 = 219 | |
| 14: (7b) *(u64 *)(r10 -96) = r1 | |
| 15: (79) r1 = *(u64 *)(r0 +0) | |
| 16: (7b) *(u64 *)(r10 -80) = r1 | |
| 17: (79) r1 = *(u64 *)(r0 +8) | |
| 18: (7b) *(u64 *)(r10 -72) = r1 | |
| 19: (79) r1 = *(u64 *)(r0 +16) | |
| 20: (7b) *(u64 *)(r10 -64) = r1 | |
| 21: (79) r1 = *(u64 *)(r0 +24) | |
| 22: (7b) *(u64 *)(r10 -56) = r1 | |
| 23: (79) r1 = *(u64 *)(r0 +32) | |
| 24: (7b) *(u64 *)(r10 -48) = r1 | |
| 25: (79) r1 = *(u64 *)(r0 +40) | |
| 26: (7b) *(u64 *)(r10 -40) = r1 | |
| 27: (79) r1 = *(u64 *)(r10 -136) | |
| 28: (7b) *(u64 *)(r10 -120) = r1 | |
| 29: (79) r1 = *(u64 *)(r0 +48) | |
| 30: (7b) *(u64 *)(r10 -112) = r1 | |
| 31: (7b) *(u64 *)(r10 -104) = r7 | |
| 32: (79) r1 = *(u64 *)(r6 +80) | |
| 33: (7b) *(u64 *)(r10 -88) = r1 | |
| 34: (18) r7 = 0x16ed8540 | |
| 36: (85) call 8 | |
| 37: (bf) r4 = r10 | |
| 38: (07) r4 += -128 | |
| 39: (bf) r1 = r6 | |
| 40: (bf) r2 = r7 | |
| 41: (bf) r3 = r0 | |
| 42: (b7) r5 = 96 | |
| 43: (85) call 25 | |
| 44: (18) r1 = 0x4be85e80 | |
| 46: (bf) r2 = r10 | |
| 47: (07) r2 += -136 | |
| 48: (85) call 3 | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| from 10 to 49: R0=imm0 R6=ctx R7=inv R10=fp | |
| 49: (b7) r0 = 0 | |
| 50: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kprobe__sys_restart_syscall'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 14 | |
| 2: (7b) *(u64 *)(r10 -64) = r0 | |
| 3: (18) r1 = 0x0 | |
| 5: (5f) r0 &= r1 | |
| 6: (18) r1 = 0x0 | |
| 8: (5d) if r0 != r1 goto pc+22 | |
| R0=inv R1=inv R6=ctx R10=fp | |
| 9: (85) call 5 | |
| 10: (7b) *(u64 *)(r10 -8) = r0 | |
| 11: (79) r1 = *(u64 *)(r6 +112) | |
| 12: (7b) *(u64 *)(r10 -56) = r1 | |
| 13: (79) r1 = *(u64 *)(r6 +104) | |
| 14: (7b) *(u64 *)(r10 -48) = r1 | |
| 15: (79) r1 = *(u64 *)(r6 +96) | |
| 16: (7b) *(u64 *)(r10 -40) = r1 | |
| 17: (79) r1 = *(u64 *)(r6 +88) | |
| 18: (7b) *(u64 *)(r10 -32) = r1 | |
| 19: (79) r1 = *(u64 *)(r6 +72) | |
| 20: (7b) *(u64 *)(r10 -24) = r1 | |
| 21: (79) r1 = *(u64 *)(r6 +64) | |
| 22: (7b) *(u64 *)(r10 -16) = r1 | |
| 23: (18) r1 = 0x4be85e80 | |
| 25: (bf) r2 = r10 | |
| 26: (07) r2 += -64 | |
| 27: (bf) r3 = r10 | |
| 28: (07) r3 += -56 | |
| 29: (b7) r4 = 0 | |
| 30: (85) call 2 | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| from 8 to 31: R0=inv R1=inv R6=ctx R10=fp | |
| 31: (b7) r0 = 0 | |
| 32: (95) exit | |
| DEBUG:load_obj_code_into_ebpf_vm('kretprobe__SyS_semtimedop'): | |
| 0: (bf) r6 = r1 | |
| 1: (85) call 5 | |
| 2: (bf) r7 = r0 | |
| 3: (85) call 14 | |
| 4: (7b) *(u64 *)(r10 -136) = |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment