System call probe manager

The syscall probe manager supports probes at the entry and exit of well-defined and documented base AIX system calls. These are the system calls that have the same interface at the libc.a (or C library) entry point and in the kernel entry point. Either the system call is a pass-through (the C library simply imports the symbol from the kernel and then exports it with no code in the library) or there is trivial code for the interface inside the library.

The syscall probe manager accepts a 4-tuple probe specification in one of the following formats:

  • syscall:*:<system_call_name>:entry
  • syscall:*:<system_call_name>:exit

where the system_call_name field is to be substituted by the actual system call name. These indicate that a probe be placed at the entry and exit of system calls. Assigning the * to the second field indicates that the probe will be fired for all processes.
Note: Different privileges are required for enabling system call probes. Probing every process in the system requires higher privileges than probing your own processes.

Additionally, the syscall probe manager also accepts a 4-tuple probe specification in one of the following formats:

  • syscall:<process_ID>:<system_call_name>:entry
  • syscall:<process_ID>:<system_call_name>:exit

where a process ID can be specified as the second field of the probe specification to support probing of specific processes.

The system call names accepted by the syscall probe manager are the names of the libc.a interfaces and not the kernel's internal system call names. For example, the read subroutine is exported by libc.a, but the actual system call name or kernel entry point is kread. The syscall probe manager will internally translate a libc interface to its kernel entry point and enable the probe at entry into the kread kernel routine. Because of this, if multiple C library interfaces invoke the kread routine, the probe point fires for those interfaces also. Generally, this is not a problem because for most of the system calls supported by the syscall probe manager, there is a 1-to-1 mapping between the libc interface and the kernel routine.
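The following Vue script is an added example of the two probe specification forms above in use; it is not part of the AIX documentation. It counts every read call system-wide (the * form, which needs the higher privilege noted earlier) and reports failed calls at the exit probe. The built-in variables __pid, __pname and __rv and the @@BEGIN/@@END probe points are assumed from ProbeVue's Vue language; check them against your AIX level.

```vue
/* Added example (not from the AIX documentation). Assumes the Vue built-ins
   __pid, __pname and __rv and the @@BEGIN / @@END probe points.
   The libc name "read" is given; ProbeVue maps it to the kernel's kread. */

int nreads;      /* global counter shared by all probe actions */

@@BEGIN
{
    nreads = 0;
    printf("counting read() entries for all processes; Ctrl-C to stop\n");
}

/* "*" in the second field: fire for every process on the system */
@@syscall:*:read:entry
{
    nreads++;
}

/* At the exit probe __rv holds the system call's return value;
   a negative value means the read failed */
@@syscall:*:read:exit
{
    if (__rv < 0)
        printf("read failed: pid=%d process=%s rv=%d\n", __pid, __pname, __rv);
}

@@END
{
    printf("total read entries observed: %d\n", nreads);
}
```

To restrict the same probes to one process, replace the * in the second field with that process ID (for example syscall:1234:read:entry), which needs only the privilege to probe your own processes.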

For each syscall probe, there is an equivalent probe point in the library code provided by the uft probe manager. The uft probe manager does support all library interfaces (unless it is a pass-through interface and there is no code for the call or references to it in the library at all), including those not supported by the syscall probe manager. However, the syscall probe manager has two advantages:

  • The syscall probe manager can probe every process in the system by specifying asterisk as the second field.
  • The syscall probe manager is more efficient than the uft probe manager because it does not need to switch from user mode to kernel mode and back to run the probe actions.

For more information about the full list of system calls supported by the syscall probe manager see ProbeVue.