Systrack v0.8

New arch support: IBM Z-Architecture S390 64-bit and compat 32-bit, tested on v4.0+ kernels. Thanks to Ilya Leoshkevich (@iii-i) for the initial implementation (#3).

Improvements:

• Produce lighter builds (hopefully) stripping apparmor and USB support as they do not affect syscalls.
• Reduce possibility of build errors disabling -Werror where possible.
• Detect and deprioritize symbols coming from interprocedural optimization (xxx.localalias) implemented in recent compiler versions for more precise syscall symbol and name detection.
• Improve Kconfig parsing, sanity checks and warnings about Kconfig options.
• arm64: new arch-specific dummy syscall implementation detection helper.

Bug fixes:

• Fix internal Versioned{Dict,List} caching implementation, used for Kconfig options mostly.
• Fix command formatting in debug logs, which should be now correctly copy-pasteable into a shell as is.
• arm64: fix broken pkey syscalls detection. Implemented in v6.12 under ARM64_POE config, but was wrongly detected as present on earlier kernels.
• powerpc, riscv: fix some imprecise/incorrect Kconfig option versioning and dependenceis.

Internal changes:

• Move kconfig parsing logic into own Kconfig class.
• Improve Kernel exception semantics: throw exceptions at analysis time instead of causing program exit.
• Improve Arch subclass method overrides and implement unit test to perform sanity checks around abstract methods.

Systrack v0.8-rc1

Systrack v0.8-rc1

Systrack v0.7

New arch support: RISC-V 32-bit and 64-bit, tested on v4.15+ kernels (i.e., since the first Linux version supporting RISC-V).

Improvements:

• Improve dummy syscall implementation detection: try to first match known "ni_syscall" code.
• Improve error messages and debug/info logs, pretty printing command-line arguments and executed commands instead of dumping their tuple/list representation.
• mips: implement simple arch-specific dummy syscall detection.
• arm64: remove "arm64_" arch-specific prefix from syscall names.

Bug fixes:

• mips: new dummy syscall detection now correctly identifies some dummy syscalls that were previously missed (notably cachestat).

Internal changes:

• Archs can now specify multiple kernel Makefile config targets to run one after the other as a "base" config.

Systrack v0.7-rc2

Systrack v0.7-rc2

Systrack v0.7-rc1

Systrack v0.7-rc1

Systrack v0.6

Improvements:

• More robust and comprehensive syscall definition location search.

Bug fixes:

• Fix broken syscall definition location search and subsequent signature
  extraction. Some syscalls were incorrectly reported as defined in place of
  others, also causing the wrong signature to be extracted. Do not fully trust
  the output of addr2line and perform full syscall name matching to fix this.
  PowerPC was notably affected the most by this issue.

Systrack v0.5.1

Improvements:

• x86: improve x86 syscall extraction code fixing undetected CALL targets.

Internal changes:

• x86: add some tests for syscall extraction based on v6.11 kernel build.

Systrack v0.5

We tried so hard, and got so far, but in the end, we need a disassembler! x86 mitigations have defeated us, we no longer have syscall tables to rely on. Kernel developers were kind enough to write very simple ABI-specific switch-based handlers to dispach syscalls, so analysis is still possible... just significantly more complicated.

Breaking changes:

• Drop support for Python 3.6 and 3.7. Systrack now requires Python 3.8+. This is because of the new dependency on iced-x86.

Improvements:

• x86: support new kernels (6.9+) with no syscall tables.
• Remove unnecessary spaces between asterisks for double pointers in function signatures.
• Avoid KFCI __{cfi,pfx}_ symbols when looking for ni_syscall symbols.

Internal changes:

• Depend on iced-x86 for disassembling x86 instructions and on jinja2 for HTML output directly. Remove optional dependencies and only build one package.
• Rename test folder to tests to use the hatch test as test commnad.
• Improve logging reproducibility by sorting more debugging log output.
• Improve broken Python package metadata (Python packaging moment).

Systrack v0.5-rc1

Systrack v0.5-rc1

Systrack v0.4

New arch support: PowerPC 32-bit, tested on v5.0+ kernels.

Improvements:

• Improve kconfig dependency checking logic for better warning/error messages.
• PowerPC PPC64: improve esoteric fast switch_endian syscall detection.
• Better (narrower) emoji spacing in HTML output.

Bug fixes:

• Correctly report delete_module depending on CONFIG_MODULE_UNLOAD=y.
• Fix incorrectly handled shared syscall table in x86-64 x32 ABI resulting in duplicated and unwanted entries in the output for kernels older than v5.4.
• Fix chance of building kernels without memfd_create, memfd_secret, delete_module (and possibly others) by always enabling MEMFD_CREATE, MODULE_UNLOAD, NET and SECRETMEM when available.
• Fix wrong handling of relative --kdir path (e.g., .) in some cases.
• Fix missed detection of non-implemented syscalls pointing to kernel/sys_ni.c when DWARF debug info contains relative paths.
• x86 x32: fix some x64 syscalls reported twice because both the x64 number and the historycally misnumbered x32 numbers (512-547) were being considered valid.

Internal changes:

• Ignore sound/ and user/ dirs to speed up grepping syscall definitions.
• Implement some basic unit tests for powerpc dummy/esoteric syscall detection.