Add syscall logging example

56394581 · Gabor Buella · 0c6d03de · 56394581 · 56394581 · 56394581
Commit 56394581 authored Jul 07, 2017 by Gabor Buella
4 changed files
--- a/examples/CMakeLists.txt
+++ b/examples/CMakeLists.txt
@@ -36,3 +36,6 @@ target_link_libraries(icap PRIVATE syscall_intercept_shared)
 add_library(fork_ban SHARED fork_ban.c)

 target_link_libraries(fork_ban PRIVATE syscall_intercept_shared)
+
+add_library(syscall_logger SHARED syscall_logger.c syscall_desc.c)
+target_link_libraries(syscall_logger PRIVATE syscall_intercept_shared)
--- a/examples/syscall_desc.c
+++ b/examples/syscall_desc.c
+/*
+ * Copyright 2017, Intel Corporation
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *
+ *     * Neither the name of the copyright holder nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "syscall_desc.h"
+
+#include <stddef.h>
+#include <syscall.h>
+
+#define SARGS(name, r, ...) \
+	[SYS_##name] = {#name, r, {__VA_ARGS__, }}
+
+static const struct syscall_desc table[] = {
+	SARGS(read, rdec, arg_fd, arg_, arg_),
+	SARGS(write, rdec, arg_fd, arg_, arg_),
+	SARGS(open, rdec, arg_cstr, arg_, arg_),
+	SARGS(close, rdec, arg_fd),
+	SARGS(stat, rdec, arg_cstr, arg_),
+	SARGS(fstat, rdec, arg_fd, arg_),
+	SARGS(lstat, rdec, arg_cstr, arg_),
+	SARGS(poll, rdec, arg_, arg_, arg_),
+	SARGS(lseek, rdec, arg_fd, arg_, arg_),
+	SARGS(mmap, rhex, arg_, arg_, arg_, arg_, arg_fd, arg_),
+	SARGS(mprotect, rdec, arg_, arg_, arg_),
+	SARGS(munmap, rdec, arg_, arg_, arg_, arg_, arg_fd, arg_),
+	SARGS(brk, rdec, arg_),
+	SARGS(rt_sigaction, rdec, arg_, arg_, arg_),
+	SARGS(rt_sigprocmask, rdec, arg_, arg_, arg_, arg_),
+	SARGS(rt_sigreturn, rdec, arg_none),
+	SARGS(ioctl, rdec, arg_fd, arg_, arg_),
+	SARGS(pread64, rdec, arg_fd, arg_, arg_, arg_),
+	SARGS(pwrite64, rdec, arg_fd, arg_, arg_, arg_),
+	SARGS(readv, rdec, arg_fd, arg_, arg_),
+	SARGS(writev, rdec, arg_fd, arg_, arg_),
+	SARGS(access, rdec, arg_cstr, arg_),
+	SARGS(pipe, rdec, arg_),
+	SARGS(select, rdec, arg_, arg_, arg_, arg_, arg_),
+	SARGS(sched_yield, rdec, arg_none),
+	SARGS(mremap, rhex, arg_, arg_, arg_, arg_, arg_),
+	SARGS(msync, rdec, arg_, arg_, arg_),
+	SARGS(mincore, rdec, arg_, arg_, arg_),
+	SARGS(madvise, rdec, arg_, arg_, arg_),
+	SARGS(shmget, rdec, arg_, arg_, arg_),
+	SARGS(shmat, rhex, arg_, arg_, arg_),
+	SARGS(shmctl, rdec, arg_, arg_, arg_),
+	SARGS(dup, rdec, arg_fd),
+	SARGS(dup2, rdec, arg_fd, arg_fd),
+	SARGS(pause, rdec, arg_none),
+	SARGS(nanosleep, rdec, arg_, arg_),
+	SARGS(getitimer, rdec, arg_, arg_),
+	SARGS(alarm, runsigned, arg_),
+	SARGS(setitimer, rdec, arg_, arg_, arg_),
+	SARGS(getpid, rdec, arg_none),
+	SARGS(sendfile, rdec, arg_fd, arg_fd, arg_, arg_),
+	SARGS(socket, rdec, arg_, arg_, arg_),
+	SARGS(connect, rdec, arg_fd, arg_, arg_),
+	SARGS(accept, rdec, arg_fd, arg_, arg_),
+	SARGS(sendto, rdec, arg_fd, arg_, arg_, arg_),
+	SARGS(recvfrom, rdec, arg_fd, arg_, arg_, arg_, arg_, arg_),
+	SARGS(sendmsg, rdec, arg_fd, arg_, arg_),
+	SARGS(recvmsg, rdec, arg_fd, arg_, arg_),
+	SARGS(shutdown, rdec, arg_fd, arg_),
+	SARGS(bind, rdec, arg_fd, arg_, arg_),
+	SARGS(listen, rdec, arg_fd, arg_),
+	SARGS(getsockname, rdec, arg_fd, arg_, arg_),
+	SARGS(getpeername, rdec, arg_fd, arg_, arg_),
+	SARGS(socketpair, rdec, arg_, arg_, arg_, arg_),
+	SARGS(setsockopt, rdec, arg_fd, arg_, arg_, arg_, arg_),
+	SARGS(getsockopt, rdec, arg_fd, arg_, arg_, arg_, arg_),
+	SARGS(clone, rdec, arg_, arg_, arg_, arg_, arg_, arg_),
+	SARGS(fork, rdec, arg_none),
+	SARGS(vfork, rdec, arg_none),
+	SARGS(execve, rdec, arg_, arg_, arg_),
+	SARGS(exit, rdec, arg_),
+	SARGS(wait4, rdec, arg_, arg_, arg_, arg_),
+	SARGS(kill, rdec, arg_, arg_),
+	SARGS(uname, rdec, arg_),
+	SARGS(semget, rdec, arg_, arg_, arg_),
+	SARGS(semop, rdec, arg_, arg_, arg_),
+	SARGS(semctl, rdec, arg_, arg_, arg_, arg_, arg_, arg_),
+	SARGS(shmdt, rdec, arg_),
+	SARGS(msgget, rdec, arg_, arg_),
+	SARGS(msgsnd, rdec, arg_, arg_, arg_, arg_),
+	SARGS(msgrcv, rdec, arg_, arg_, arg_, arg_, arg_),
+	SARGS(msgctl, rdec, arg_, arg_, arg_),
+	SARGS(fcntl, rdec, arg_fd, arg_, arg_),
+	SARGS(flock, rdec, arg_fd, arg_),
+	SARGS(fsync, rdec, arg_fd),
+	SARGS(fdatasync, rdec, arg_fd),
+	SARGS(truncate, rdec, arg_cstr, arg_),
+	SARGS(ftruncate, rdec, arg_fd, arg_),
+	SARGS(getdents, rdec, arg_fd, arg_, arg_),
+	SARGS(getcwd, rdec, arg_, arg_),
+	SARGS(chdir, rdec, arg_cstr),
+	SARGS(fchdir, rdec, arg_fd),
+	SARGS(rename, rdec, arg_cstr, arg_cstr),
+	SARGS(mkdir, rdec, arg_cstr, arg_),
+	SARGS(rmdir, rdec, arg_cstr),
+	SARGS(creat, rdec, arg_cstr, arg_),
+	SARGS(link, rdec, arg_cstr, arg_cstr),
+	SARGS(unlink, rdec, arg_cstr),
+	SARGS(symlink, rdec, arg_cstr, arg_cstr),
+	SARGS(readlink, rdec, arg_cstr, arg_, arg_),
+	SARGS(chmod, rdec, arg_cstr, arg_),
+	SARGS(fchmod, rdec, arg_fd, arg_),
+	SARGS(chown, rdec, arg_cstr, arg_, arg_),
+	SARGS(fchown, rdec, arg_fd, arg_, arg_),
+	SARGS(lchown, rdec, arg_cstr, arg_, arg_),
+	SARGS(umask, roct, arg_),
+	SARGS(gettimeofday, rdec, arg_, arg_),
+	SARGS(getrlimit, rdec, arg_, arg_),
+	SARGS(getrusage, rdec, arg_, arg_),
+	SARGS(sysinfo, rdec, arg_, arg_),
+	SARGS(times, rdec, arg_),
+	SARGS(ptrace, rhex, arg_, arg_, arg_, arg_),
+	SARGS(getuid, rdec, arg_none),
+	SARGS(syslog, rdec, arg_, arg_, arg_),
+	SARGS(getgid, rdec, arg_none),
+	SARGS(setuid, rdec, arg_),
+	SARGS(setgid, rdec, arg_),
+	SARGS(geteuid, rdec, arg_none),
+	SARGS(getegid, rdec, arg_none),
+	SARGS(setpgid, rdec, arg_none),
+	SARGS(getpgrp, rdec, arg_none),
+	SARGS(setsid, rdec, arg_none),
+	SARGS(setreuid, rdec, arg_, arg_),
+	SARGS(setregid, rdec, arg_, arg_),
+	SARGS(getgroups, rdec, arg_, arg_),
+	SARGS(setgroups, rdec, arg_, arg_),
+	SARGS(setresuid, rdec, arg_, arg_, arg_),
+	SARGS(getresuid, rdec, arg_, arg_, arg_),
+	SARGS(setresgid, rdec, arg_, arg_, arg_),
+	SARGS(getresgid, rdec, arg_, arg_, arg_),
+	SARGS(getpgid, rdec, arg_),
+	SARGS(setfsuid, rdec, arg_),
+	SARGS(setfsgid, rdec, arg_),
+	SARGS(getsid, rdec, arg_),
+	SARGS(capget, rdec, arg_, arg_),
+	SARGS(capset, rdec, arg_, arg_),
+	SARGS(rt_sigpending, rdec, arg_),
+	SARGS(rt_sigtimedwait, rdec, arg_, arg_, arg_, arg_),
+	SARGS(rt_sigqueueinfo, rdec, arg_, arg_, arg_),
+	SARGS(rt_sigsuspend, rdec, arg_, arg_),
+	SARGS(sigaltstack, rdec, arg_, arg_),
+	SARGS(utime, rdec, arg_cstr, arg_),
+	SARGS(mknod, rdec, arg_cstr, arg_, arg_),
+	SARGS(uselib, rdec, arg_cstr),
+	SARGS(personality, rdec, arg_),
+	SARGS(ustat, rdec, arg_, arg_),
+	SARGS(statfs, rdec, arg_cstr, arg_),
+	SARGS(fstatfs, rdec, arg_fd, arg_),
+	SARGS(sysfs, rdec, arg_, arg_, arg_),
+	SARGS(getpriority, rdec, arg_, arg_),
+	SARGS(setpriority, rdec, arg_, arg_, arg_),
+	SARGS(sched_setparam, rdec, arg_, arg_),
+	SARGS(sched_getparam, rdec, arg_, arg_),
+	SARGS(sched_setscheduler, rdec, arg_, arg_, arg_),
+	SARGS(sched_getscheduler, rdec, arg_),
+	SARGS(sched_get_priority_max, rdec, arg_),
+	SARGS(sched_get_priority_min, rdec, arg_),
+	SARGS(sched_rr_get_interval, rdec, arg_, arg_),
+	SARGS(mlock, rdec, arg_, arg_),
+	SARGS(munlock, rdec, arg_, arg_),
+	SARGS(mlockall, rdec, arg_),
+	SARGS(munlockall, rdec, arg_none),
+	SARGS(vhangup, rdec, arg_none),
+	SARGS(modify_ldt, rdec, arg_, arg_, arg_),
+	SARGS(pivot_root, rdec, arg_cstr, arg_),
+	SARGS(_sysctl, rdec, arg_),
+	SARGS(prctl, rdec, arg_, arg_, arg_, arg_, arg_),
+	SARGS(arch_prctl, rdec, arg_, arg_, arg_),
+	SARGS(adjtimex, rdec, arg_),
+	SARGS(setrlimit, rdec, arg_, arg_),
+	SARGS(chroot, rdec, arg_cstr),
+	SARGS(sync, rdec, arg_none),
+	SARGS(acct, rdec, arg_cstr),
+	SARGS(settimeofday, rdec, arg_, arg_),
+	SARGS(mount, rdec, arg_cstr, arg_cstr, arg_, arg_, arg_),
+	SARGS(umount2, rdec, arg_cstr, arg_),
+	SARGS(swapon, rdec, arg_cstr, arg_),
+	SARGS(swapoff, rdec, arg_cstr),
+	SARGS(reboot, rdec, arg_, arg_, arg_, arg_),
+	SARGS(sethostname, rdec, arg_, arg_),
+	SARGS(setdomainname, rdec, arg_, arg_),
+	SARGS(iopl, rdec, arg_),
+	SARGS(ioperm, rdec, arg_, arg_, arg_),
+	SARGS(gettid, rdec, arg_none),
+	SARGS(readahead, rdec, arg_fd, arg_, arg_),
+	SARGS(setxattr, rdec, arg_cstr, arg_cstr, arg_, arg_, arg_),
+	SARGS(lsetxattr, rdec, arg_cstr, arg_cstr, arg_, arg_, arg_),
+	SARGS(fsetxattr, rdec, arg_fd, arg_cstr, arg_, arg_, arg_),
+	SARGS(getxattr, rdec, arg_cstr, arg_cstr, arg_, arg_),
+	SARGS(lgetxattr, rdec, arg_cstr, arg_cstr, arg_, arg_),
+	SARGS(fgetxattr, rdec, arg_fd, arg_cstr, arg_, arg_),
+	SARGS(listxattr, rdec, arg_cstr, arg_, arg_),
+	SARGS(llistxattr, rdec, arg_cstr, arg_, arg_),
+	SARGS(flistxattr, rdec, arg_cstr, arg_, arg_),
+	SARGS(removexattr, rdec, arg_cstr, arg_cstr),
+	SARGS(lremovexattr, rdec, arg_cstr, arg_cstr),
+	SARGS(fremovexattr, rdec, arg_fd, arg_cstr),
+	SARGS(tkill, rdec, arg_, arg_),
+	SARGS(time, rdec, arg_),
+	SARGS(futex, rdec, arg_, arg_, arg_, arg_, arg_, arg_),
+	SARGS(sched_setaffinity, rdec, arg_, arg_, arg_),
+	SARGS(sched_getaffinity, rdec, arg_, arg_, arg_),
+	SARGS(set_thread_area, rdec, arg_),
+	SARGS(io_setup, rdec, arg_, arg_),
+	SARGS(io_destroy, rdec, arg_),
+	SARGS(io_getevents, rdec, arg_, arg_, arg_, arg_, arg_),
+	SARGS(io_submit, rdec, arg_, arg_, arg_),
+	SARGS(io_cancel, rdec, arg_, arg_, arg_),
+	SARGS(get_thread_area, rdec, arg_),
+	SARGS(lookup_dcookie, rdec, arg_, arg_, arg_),
+	SARGS(epoll_create, rdec, arg_),
+	SARGS(getdents64, rdec, arg_fd, arg_, arg_),
+	SARGS(set_tid_address, rdec, arg_),
+	SARGS(semtimedop, rdec, arg_, arg_, arg_, arg_),
+	SARGS(fadvise64, rdec, arg_fd, arg_, arg_, arg_),
+	SARGS(timer_create, rdec, arg_, arg_, arg_),
+	SARGS(timer_settime, rdec, arg_, arg_, arg_, arg_),
+	SARGS(timer_gettime, rdec, arg_, arg_),
+	SARGS(timer_getoverrun, rdec, arg_),
+	SARGS(timer_delete, rdec, arg_)
+	/* to be continued... at this point I got tired */
+};
+
+#undef SARGS
+
+const struct syscall_desc *
+get_syscall_desc(long syscall_number)
+{
+	if (syscall_number < 0)
+		return NULL;
+
+	if ((size_t)syscall_number >= (sizeof(table) / sizeof(table[0])))
+		return NULL;
+
+	return table + syscall_number;
+}
--- a/examples/syscall_desc.h
+++ b/examples/syscall_desc.h
+/*
+ * Copyright 2017, Intel Corporation
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *
+ *     * Neither the name of the copyright holder nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SYSCALL_INTERCEPT_EXAMPLE_LOGGING_H
+#define SYSCALL_INTERCEPT_EXAMPLE_LOGGING_H
+
+enum arg_type {
+	arg_none,
+	arg_fd,
+	arg_cstr,
+	arg_ /* no special formatting implemented yet, print as hex number */
+};
+
+enum return_type {
+	rhex,
+	rdec,
+	runsigned,
+	roct
+};
+
+struct syscall_desc {
+	const char *name;
+	enum return_type return_type;
+	enum arg_type args[6];
+};
+
+const struct syscall_desc *get_syscall_desc(long syscall_number);
+
+#endif
--- a/examples/syscall_logger.c
+++ b/examples/syscall_logger.c
+/*
+ * Copyright 2017, Intel Corporation
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *
+ *     * Neither the name of the copyright holder nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "libsyscall_intercept_hook_point.h"
+#include "syscall_desc.h"
+
+#include <limits.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syscall.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <string.h>
+
+long log_fd;
+
+static char buffer[0x20000];
+static char *nextc;
+
+static size_t
+buffer_avaliable(void)
+{
+	return (size_t)(sizeof(buffer) - (size_t)(nextc - buffer));
+}
+
+static const char xdigit[16] = "0123456789abcdef";
+
+static void
+print_fd(long n)
+{
+	if (n == AT_FDCWD)
+		nextc += sprintf(nextc, "AT_FDCWD");
+	else
+		nextc += sprintf(nextc, "%ld", n);
+}
+
+static void
+print_hex(long n)
+{
+	nextc += sprintf(nextc, "0x%lx", n);
+}
+
+#define CSTR_MAX_LEN 0x100
+
+static void
+print_cstr_escaped(const char *path)
+{
+	size_t len = 0;
+	*nextc++ = '"';
+	while (*path != '\0' && len < CSTR_MAX_LEN) {
+		if (*path == '\n') {
+			*nextc++ = '\\';
+			*nextc++ = 'n';
+		} else if (*path == '\\') {
+			*nextc++ = '\\';
+			*nextc++ = '\\';
+		} else if (*path == '\t') {
+			*nextc++ = '\\';
+			*nextc++ = 't';
+		} else if (*path == '\"') {
+			*nextc++ = '\\';
+			*nextc++ = '"';
+		} else if (isprint((unsigned char)*path)) {
+			*nextc++ = *path;
+		} else {
+			*nextc++ = '\\';
+			*nextc++ = 'x';
+			*nextc++ = xdigit[((unsigned char)*path) / 0x10];
+			*nextc++ = xdigit[((unsigned char)*path) % 0x10];
+		}
+
+		++len;
+		++path;
+	}
+
+	if (*path != '\0') {
+		*nextc++ = '.';
+		*nextc++ = '.';
+		*nextc++ = '.';
+	}
+
+	*nextc++ = '"';
+}
+
+static void
+dump_log(void)
+{
+	if (nextc == buffer)
+		return;
+
+	syscall_no_intercept(SYS_write, log_fd, buffer, nextc - buffer);
+
+	nextc = buffer;
+}
+
+static void
+print_cstr(const char *name)
+{
+	while (*name != '\0')
+		*nextc++ = *name++;
+}
+
+static void
+print_rdec(long n)
+{
+	nextc += sprintf(nextc, "%ld", n);
+
+	if (n < 0 && n >= -((long)INT_MAX)) {
+		print_cstr(" (");
+
+		/* See the glibc related man page for strerror_r */
+#if (_POSIX_C_SOURCE >= 200112L) && !defined(_GNU_SOURCE)
+		if (strerror_r((int)(0 - n), nextc, 0x100) == 0)
+			nextc += strlen(nextc);
+		else
+			print_cstr("unknown error code");
+#else
+		char *strerr_result = strerror_r((int)(0 - n), nextc, 0x100);
+		if (strerr_result != nextc)
+			print_cstr(strerr_result);
+		else
+			nextc += strlen(nextc);
+#endif
+
+		print_cstr(")");
+	}
+}
+
+static void
+print_runsigned(long n)
+{
+	nextc += sprintf(nextc, "%lu", (unsigned long)n);
+}
+
+static void
+print_roct(long n)
+{
+	nextc += sprintf(nextc, "%lo", n);
+}
+
+#define MIN_AVAILABLE_REQUIRED (0x100 + 8 * CSTR_MAX_LEN)
+
+static void
+print_unknown_syscall(long syscall_number, long args[static 6], long result)
+{
+	nextc += sprintf(nextc, "syscall(%ld", syscall_number);
+	for (unsigned i = 0; i < 6; ++i)
+		nextc += sprintf(nextc, ", 0x%lx", args[i]);
+	nextc += sprintf(nextc, ") = 0x%lx\n", result);
+}
+
+static void
+print_known_syscall(const struct syscall_desc *desc,
+			const long args[static 6], long result)
+{
+	print_cstr(desc->name);
+	*nextc++ = '(';
+
+	for (unsigned i = 0; desc->args[i] != arg_none; ++i) {
+		if (i > 0)
+			print_cstr(", ");
+
+		switch (desc->args[i]) {
+		case arg_fd:
+			print_fd(args[i]);
+			break;
+		case arg_cstr:
+			print_hex(args[i]);
+			print_cstr_escaped((const char *)(args[i]));
+			break;
+		default:
+			print_hex(args[i]);
+			break;
+		}
+	}
+
+	print_cstr(") = ");
+	switch (desc->return_type) {
+	case rhex:
+		print_hex(result);
+		break;
+	case rdec:
+		print_rdec(result);
+		break;
+	case runsigned:
+		print_runsigned(result);
+		break;
+	case roct:
+		print_roct(result);
+		break;
+	}
+	*nextc++ = '\n';
+}
+
+static int
+hook(long syscall_number,
+		long arg0, long arg1,
+		long arg2, long arg3,
+		long arg4, long arg5,
+		long *result)
+{
+	*result = syscall_no_intercept(syscall_number,
+					arg0, arg1, arg2, arg3, arg4, arg5);
+
+	long args[6] = {arg0, arg1, arg2, arg3, arg4, arg5};
+
+	const struct syscall_desc *desc = get_syscall_desc(syscall_number);
+
+	if (desc != NULL)
+		print_known_syscall(desc, args, *result);
+	else
+		print_unknown_syscall(syscall_number, args, *result);
+
+	if (buffer_avaliable() < MIN_AVAILABLE_REQUIRED)
+		dump_log();
+
+	return 0;
+}
+
+static __attribute__((constructor)) void
+start(void)
+{
+	const char *path = getenv("SYSCALL_LOG_PATH");
+
+	nextc = buffer;
+
+	if (path == NULL)
+		syscall_no_intercept(SYS_exit_group, 3);
+
+	log_fd = syscall_no_intercept(SYS_open, path, O_CREAT | O_RDWR, 0700);
+
+	if (log_fd < 0)
+		syscall_no_intercept(SYS_exit_group, 4);
+
+	intercept_hook_point = &hook;
+}
+
+static __attribute__((destructor)) void
+end(void)
+{
+	dump_log();
+}