I know syscall 1 means write, but is there a command to list all implemented syscall names and numbers on Linux in bash?
The man page points to the header file sys/syscall.h. It has all the defined constants, and it's located at /usr/include/sys/syscall.h. (That's the location on OS X, which I'm using, but I think it'll be the same for most Linux distros, too.)
man before you go much further – Ottava
man installed, man! :) – Hague
sys/syscall.h header is, on Linux, defined with lines like # define SYS_write __NR_write. The Linux-specific asm/unistd.h includes the right header for the current ABI (i386, x86-64, or x32), e.g. asm/unistd_64.h for x86-64. It's this header that has the actual numeric constants for __NR_write and so on, but for portability to other Unix systems you may want to use sys/syscall.h and the SYS_write names for the constants. For hand-written asm, in GAS syntax just #include <sys/syscall.h> and use the symbolic names. For NASM, do some text processing. – Taboo
I tried @dolmen's answer, but it didn't work for me, so I did something similar like this (Linux Mint x86_64):
echo -e '#include <sys/syscall.h>' | \
cpp -dM | grep "#define __NR_.*[0-9]$" | \
cut -d' ' -f 2,3 | cut -d_ -f 4-
... outputs about 500 lines like:
waitid 247
fdatasync 75
mq_getsetattr 245
sched_getaffinity 204
connect 42
epoll_pwait 281
init_module 175
....
I can create a sed command file with this:
echo -e '#include <sys/syscall.h>' | cpp -dM | grep "#define __NR_.*[0-9]$" | cut -d' ' -f 2,3 | cut -d_ -f 4- | sed 's|\(.*\) \(.*\)|s/syscall=\2 /syscall=\1 /|' > syscalls.sed
So I can translate those numbers from logs, like this:
dmesg | grep ' audit:' | sed -f syscalls.sed
which looks like:
[171511.625242] audit: type=AUDIT_AVC audit(1677790613.406:135): apparmor="DENIED" operation="capable" profile="/usr/bin/man" pid=211339 comm="nroff" capability=1 capname="dac_override"
[173576.575868] audit: type=AUDIT_SECCOMP audit(1677847162.251:136): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=200272 comm="apache2" exe="/usr/sbin/apache2" sig=31 arch=c000003e syscall=madvise compat=0 ip=0x7f5cf03eea7b code=0x80000000
[173593.434960] audit: type=AUDIT_SECCOMP audit(1677847179.107:137): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=200266 comm="apache2" exe="/usr/sbin/apache2" sig=31 arch=c000003e syscall=madvise compat=0 ip=0x7f5cf03eea7b code=0x80000000
(it converts '28' to 'madvise')
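As an added example (not code from any answer on this page), the header-to-table step above and the 32-bit caveat from the comments combined into one script: it builds one "NUMBER NAME" table per ABI with cpp and resolves syscall=N in audit lines according to the arch= field, so a 64-bit log line and a 32-bit one with the same number get different names. It assumes an x86 system with the kernel uapi headers asm/unistd_64.h and asm/unistd_32.h installed; the arch codes c000003e and 40000003 are the kernel's AUDIT_ARCH_X86_64 and AUDIT_ARCH_I386 values.

```shell
#!/bin/sh
# Added example, not from the answers above: per-ABI syscall tables from
# the uapi headers, then syscall=N resolved by the arch= field of each
# audit line (c000003e = AUDIT_ARCH_X86_64, 40000003 = AUDIT_ARCH_I386),
# so "syscall=1" becomes write on x86_64 but exit on i386.
# Print "NUMBER NAME" for one unistd header, e.g. asm/unistd_64.h.
# awk keeps names containing underscores (mq_getsetattr) intact and
# skips any __NR_ macro whose value is not a plain number.
build_syscall_table() {
    printf '#include <%s>\n' "$1" | cpp -dM |
        awk '$1 == "#define" && $2 ~ /^__NR_/ && $3 ~ /^[0-9]+$/ {
                 sub(/^__NR_/, "", $2); print $3, $2 }' | sort -n
}
# Rewrite syscall=N to syscall=NAME on stdin. $1 = x86_64 table file,
# $2 = i386 table file ("" to skip one). Lines with an unknown arch or
# number pass through unchanged rather than being mislabelled.
translate_syscalls() {
    awk -v t64="$1" -v t32="$2" '
        BEGIN {
            while (t64 != "" && (getline l < t64) > 0) {
                split(l, f, " "); name["c000003e", f[1]] = f[2] }
            while (t32 != "" && (getline l < t32) > 0) {
                split(l, f, " "); name["40000003", f[1]] = f[2] }
        }
        {
            if (match($0, /arch=[0-9a-f]+/)) {
                arch = substr($0, RSTART + 5, RLENGTH - 5)
                if (match($0, /syscall=[0-9]+/)) {
                    num = substr($0, RSTART + 8, RLENGTH - 8)
                    if ((arch, num) in name) {
                        pre = substr($0, 1, RSTART - 1)
                        post = substr($0, RSTART + RLENGTH)
                        $0 = pre "syscall=" name[arch, num] post
                    }
                }
            }
            print
        }'
}
# Stand-alone demo on two constructed seccomp lines (needs cpp + headers).
if command -v cpp >/dev/null 2>&1; then
    t64=$(mktemp); t32=$(mktemp)
    build_syscall_table asm/unistd_64.h > "$t64" 2>/dev/null
    build_syscall_table asm/unistd_32.h > "$t32" 2>/dev/null
    printf '%s\n' 'arch=c000003e syscall=1 compat=0' 'arch=40000003 syscall=1 compat=1' |
        translate_syscalls "$t64" "$t32"
    rm -f "$t64" "$t32"
fi
```

Feed it real lines with `dmesg | grep ' audit:' | translate_syscalls "$t64" "$t32"` after building the two tables; lines whose arch has no table are left untouched.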
Here is a one-liner that I just wrote. It works at least on Linux and requires a C compiler on the machine as it uses /usr/bin/cpp and system include files.
{ echo -e '#include <sys/syscall.h>\n#define X(c) #c c'; sed -n 's/#define \(SYS_[^ ]*\).*/X(\1)/p' $(echo -e '#include <sys/syscall.h>' | cpp | sed -n 's/# [0-9]* "\([^<"]*\)".*/\1/p') | sort -u; } | cpp -P | grep ' [0-9]*$'
write is syscall 1 for x86_64; but for 32-bit x86, syscall 1 is exit (write is 4). – Expectancy