
I'd like to look up Linux syscalls for amd64 and i386 by name/number in Go, and was wondering if there's a built-in mapping available somewhere within the Go standard library, or a third-party module.

I can see here that the Go developers have hardcoded Linux syscall numbers into the syscall module:

It looks like they've generated each of these files using GCC: https://golang.org/src/syscall/mksysnum_linux.pl

Example syscalls (amd64):

// mksysnum_linux.pl /usr/include/asm/unistd_32.h
// Code generated by the command above; DO NOT EDIT.

// +build 386,linux

package syscall

const (
    SYS_RESTART_SYSCALL        = 0
    SYS_EXIT                   = 1
    SYS_FORK                   = 2
    SYS_READ                   = 3
    SYS_WRITE                  = 4
    SYS_OPEN                   = 5
    SYS_CLOSE                  = 6
...

Would my best bet be to hard-code this mapping within my code, or is there a maintained mapping available somewhere?

I'm not looking for the mapping between syscall names/numbers on a particular Linux system, I'm looking for a (likely) mapping between syscall names/numbers on any (modern) Linux system on amd64/i386.

I understand that syscall numbers may change, but this is intended as a best-effort approach.

bp256r1

1 Answer


The mapping is in the kernel source; for example, one architecture's mapping is /usr/include/asm/unistd_32.h.

You should read that file side-by-side with the Perl script that parses it. (The script is only a page long, and matches a very small number of #define patterns in the header file. Some of the patterns will match many times in a row, finding the whole list of syscalls by name and number.)

Also refer to this question (cross-site dupe):

Ben Voigt
  • I'll edit my question - I'm not looking for the mapping between syscall names/numbers on a particular endpoint, I'm looking for a (likely) mapping between syscall names/numbers on any Linux system on amd64/i386 - it's being used to filter audit events by syscall name/number. – bp256r1 Feb 19 '21 at 00:11
  • @bp256r1: You know the numbers are different between amd64 and i386 right? Read the linked question and answers and the other one I linked to. These mappings are very stable FOR A PARTICULAR ARCHITECTURE, you don't need to worry about this endpoint vs that one and particular kernel versions, you do need to know what architecture, and do your lookup against the latest kernel sources because new syscalls do get added from time to time. – Ben Voigt Feb 19 '21 at 00:13
  • Yes, I know that syscall numbers are only stable for a given architecture - I linked to two different tables in the original question - I thought that syscall numbers could change from kernel-to-kernel (e.g. if Oracle added their own system call or something). – bp256r1 Feb 19 '21 at 00:17
  • @bp256r1: it's theoretically possible for the syscall numbers to be different in every kernel version. It's quite *impractical* for this to occur though, so anyone who adds a system call either plans ahead and is careful to use a number that won't need to change, or ... well, you probably should avoid that system call. :-) (If they messed *that* up, what else did they get wrong?) – torek Feb 19 '21 at 00:37
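An added example, not code from the thread or from the Go project: a per-architecture name/number table built by parsing `#define __NR_<name> <number>` lines, the approach the answer describes, for the audit-filtering use mentioned in the comments. The header excerpts are constructed samples in the layout of unistd_32.h and unistd_64.h, the names `Table`, `ParseHeader` and `Tables` are hypothetical, and only the plain numeric `#define` pattern is handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed excerpts in the layout of unistd_32.h / unistd_64.h (not full headers).
const hdr386 = `#define _ASM_X86_UNISTD_32_H 1
#define __NR_restart_syscall 0
#define __NR_exit 1
#define __NR_read 3
#define __NR_write 4
#define __NR_execve 11`
const hdrAmd64 = `#define __NR_read 0
#define __NR_write 1
#define __NR_execve 59
#define __NR_exit 60`

// Matches only the plain "#define __NR_<name> <number>" pattern; guards are skipped.
var defineRe = regexp.MustCompile(`^#define\s+__NR_(\w+)\s+(\d{1,4})$`)

// Table is a bidirectional syscall map for one architecture (hypothetical type).
type Table struct {
	ByName map[string]int
	ByNum  map[int]string
}

// ParseHeader builds a Table from the #define lines of one header.
func ParseHeader(src string) Table {
	t := Table{ByName: map[string]int{}, ByNum: map[int]string{}}
	for _, line := range strings.Split(src, "\n") {
		if m := defineRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			n, _ := strconv.Atoi(m[2]) // cannot fail: the regex allows 1-4 digits only
			t.ByName[m[1]], t.ByNum[n] = n, m[1]
		}
	}
	return t
}

// Tables is keyed by architecture so i386 and amd64 numbers are never mixed.
var Tables = map[string]Table{"i386": ParseHeader(hdr386), "amd64": ParseHeader(hdrAmd64)}

func main() {
	for arch, t := range Tables {
		fmt.Printf("%s: 1 -> %s, execve -> %d\n", arch, t.ByNum[1], t.ByName["execve"])
	}
}
```

The same syscall number resolves to different names per architecture (1 is `exit` on i386 and `write` on amd64), so an audit filter has to select the table from the event's architecture before looking up the number.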