package stramon-lib

  1. Overview
  2. Docs

Syscall data and handler

Naming convention

Syscall names which collide with reserved OCaml keywords are suffixed with _, e.g. open becomes open_, unless collision does not occur due to name being part of a longer name, e.g. part of a longer function name.

This is to ensure easy lookup as the original syscall names remain searchable.

type literal = [
  1. | `Const of string
  2. | `Int of int64
]
type open_ = {
  1. path : string;
  2. flags : literal list;
  3. mode : literal list;
  4. ret : int;
}
type openat = {
  1. relative_to : string;
  2. path : string;
  3. flags : literal list;
  4. mode : literal list;
}
type read = {
  1. path : string;
  2. byte_count_requested : int;
  3. byte_count_read : int;
  4. errno : string option;
  5. errno_msg : string option;
}
type socket = {
  1. domain : string;
  2. typ : literal list;
  3. protocol : string;
  4. errno : string option;
  5. errno_msg : string option;
}
type chown = {
  1. path : string;
  2. owner : int;
  3. group : int;
  4. ret : int;
}
type fchownat = {
  1. relative_to : string;
  2. path : string;
  3. owner : int;
  4. group : int;
  5. ret : int;
  6. flags : literal list;
}
type chmod = {
  1. path : string;
  2. mode : int;
  3. ret : int;
}
type fchmodat = {
  1. relative_to : string;
  2. path : string;
  3. mode : int;
  4. ret : int;
  5. flags : literal list;
}
type stat = {
  1. path : string;
  2. uid : int;
  3. gid : int;
  4. ret : int;
}
type fstatat = {
  1. relative_to : string;
  2. path : string;
  3. uid : int;
  4. gid : int;
  5. ret : int;
  6. flags : literal list;
}
type statx = {
  1. relative_to : string;
  2. path : string;
  3. flags : literal list;
  4. mask : literal list;
  5. uid : int;
  6. gid : int;
  7. ret : int;
}
type sockaddr_in = {
  1. port : int;
  2. addr : string;
}
type sockaddr_in6 = {
  1. port : int;
  2. flow_info : int64;
  3. addr : string;
  4. scope_id : int64;
}
type sockaddr = [
  1. | `AF_INET of sockaddr_in
  2. | `AF_INET6 of sockaddr_in6
]
type connect = {
  1. socket : string;
  2. addr : sockaddr;
}
type accept = {
  1. socket : string;
  2. addr : sockaddr option;
}
type bind = {
  1. socket : string;
  2. addr : sockaddr;
}
type listen = {
  1. socket : string;
}
type 'a handler = [
  1. | `open_ of 'a -> int -> open_ -> 'a
  2. | `openat of 'a -> int -> openat -> 'a
  3. | `read of 'a -> int -> read -> 'a
  4. | `socket of 'a -> int -> socket -> 'a
  5. | `chown of 'a -> int -> chown -> 'a
  6. | `fchown of 'a -> int -> chown -> 'a
  7. | `lchown of 'a -> int -> chown -> 'a
  8. | `fchownat of 'a -> int -> fchownat -> 'a
  9. | `chmod of 'a -> int -> chmod -> 'a
  10. | `fchmod of 'a -> int -> chmod -> 'a
  11. | `fchmodat of 'a -> int -> fchmodat -> 'a
  12. | `stat of 'a -> int -> stat -> 'a
  13. | `fstat of 'a -> int -> stat -> 'a
  14. | `lstat of 'a -> int -> stat -> 'a
  15. | `fstatat64 of 'a -> int -> fstatat -> 'a
  16. | `newfstatat of 'a -> int -> fstatat -> 'a
  17. | `statx of 'a -> int -> statx -> 'a
  18. | `accept of 'a -> int -> accept -> 'a
  19. | `connect of 'a -> int -> connect -> 'a
  20. | `bind of 'a -> int -> bind -> 'a
  21. | `listen of 'a -> int -> listen -> 'a
]

A handler receives the user-defined "context", process id, and finally the syscall specific data.

The context is the data passed from one call of handler to the next.

All handlers of the same monitoring session (same monitor call) share the same context.

OCaml

Innovation. Community. Security.