One Hat Cyber Team

Your IP : 216.73.216.115

Server IP : 194.44.31.54

Server : Linux zen.imath.kiev.ua 4.18.0-553.77.1.el8_10.x86_64 #1 SMP Fri Oct 3 14:30:23 UTC 2025 x86_64

Server Software : Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k

PHP Version : 5.6.40

Buat File | Buat Folder

Dir : ~/usr/share/systemtap/tapset/linux/

View File Name : sysc_memfd_secret.stp

# memfd_secret _____________________________________________________
# long sys_memfd_secret (unsigned int flags)

/* kernel 5.14+ */
@define _SYSCALL_MEMFD_SECRET_NAME
%(
 name = "memfd_secret"
%)

@define _SYSCALL_MEMFD_SECRET_ARGSTR
%(
 argstr = sprintf("%s", flags_str)
%)

@define _SYSCALL_MEMFD_SECRET_REGARGS
%(
 flags = uint_arg(1)
 flags_str = _mfd_flags_str(uint_arg(1))
%)

@define _SYSCALL_MEMFD_SECRET_REGARGS_STORE
%(
 if (@probewrite(flags))
  set_uint_arg(1, flags)
%)

probe syscall.memfd_secret = dw_syscall.memfd_secret !, nd_syscall.memfd_secret ? {}
probe syscall.memfd_secret.return = dw_syscall.memfd_secret.return !, nd_syscall.memfd_secret.return ? {}

# dw_memfd_secret _____________________________________________________

probe dw_syscall.memfd_secret = kernel.function("sys_memfd_secret").call ?
{
 @_SYSCALL_MEMFD_SECRET_NAME
 flags = $flags
 flags_str = _mfd_flags_str($flags)
 @_SYSCALL_MEMFD_SECRET_ARGSTR
}
probe dw_syscall.memfd_secret.return = kernel.function("sys_memfd_secret").return ?
{
 @_SYSCALL_MEMFD_SECRET_NAME
 @SYSC_RETVALSTR($return)
}

# nd_memfd_secret _____________________________________________________

probe nd_syscall.memfd_secret = nd1_syscall.memfd_secret!, nd2_syscall.memfd_secret!, tp_syscall.memfd_secret
  { }

probe nd1_syscall.memfd_secret = kprobe.function("sys_memfd_secret") ?
{
 @_SYSCALL_MEMFD_SECRET_NAME
 asmlinkage()
 @_SYSCALL_MEMFD_SECRET_REGARGS
 @_SYSCALL_MEMFD_SECRET_ARGSTR
}

probe nd2_syscall.memfd_secret = kprobe.function(@arch_syscall_prefix "sys_memfd_secret") ?
{
 __set_syscall_pt_regs(pointer_arg(1))
 @_SYSCALL_MEMFD_SECRET_NAME
 @_SYSCALL_MEMFD_SECRET_REGARGS
 @_SYSCALL_MEMFD_SECRET_ARGSTR
},
{
        %( @_IS_SREG_KERNEL %? @_SYSCALL_MEMFD_SECRET_REGARGS_STORE %)
}

probe tp_syscall.memfd_secret = kernel.trace("sys_enter")
{
 __set_syscall_pt_regs($regs)
 @__syscall_compat_gate(@const("__NR_memfd_secret"), @const("__NR_compat_memfd_secret"))
 @_SYSCALL_MEMFD_SECRET_NAME
 @_SYSCALL_MEMFD_SECRET_REGARGS
 @_SYSCALL_MEMFD_SECRET_ARGSTR
},
{
        %( @_IS_SREG_KERNEL %? @_SYSCALL_MEMFD_SECRET_REGARGS_STORE %)
}

probe nd_syscall.memfd_secret.return = nd1_syscall.memfd_secret.return!, nd2_syscall.memfd_secret.return!, tp_syscall.memfd_secret.return
  { }

probe nd1_syscall.memfd_secret.return = kprobe.function("sys_memfd_secret").return ?
{
 @_SYSCALL_MEMFD_SECRET_NAME
 @SYSC_RETVALSTR(returnval())
}

probe nd2_syscall.memfd_secret.return = kprobe.function(@arch_syscall_prefix "sys_memfd_secret").return ?
{
 @_SYSCALL_MEMFD_SECRET_NAME
 @SYSC_RETVALSTR(returnval())
}

probe tp_syscall.memfd_secret.return = kernel.trace("sys_exit")
{
 __set_syscall_pt_regs($regs)
 @__syscall_compat_gate(@const("__NR_memfd_secret"), @const("__NR_compat_memfd_secret"))
 @_SYSCALL_MEMFD_SECRET_NAME
 @SYSC_RETVALSTR($ret)
}