authorPaul Buetow <paul@buetow.org>2025-07-12 00:54:24 +0300
committerPaul Buetow <paul@buetow.org>2025-07-12 00:54:24 +0300
commit5356927b4a0f9772d84e707a2f5e1c507902085f (patch)
tree7cb8d018fb4494d87f618f31346199cc289a3b15
parent41540f7431d95256d889e0388a114dc1c1114f89 (diff)
initial classification
-rw-r--r--internal/c/generate_tracepoints_c.raku385
-rw-r--r--internal/c/generated_tracepoints.c5481
-rw-r--r--internal/c/generated_tracepoints_result.txt2
-rw-r--r--internal/c/types.h5
-rw-r--r--internal/tracepoints/generated_tracepoints.go2
-rw-r--r--internal/types/generated_types.go446
6 files changed, 842 insertions, 5479 deletions
diff --git a/internal/c/generate_tracepoints_c.raku b/internal/c/generate_tracepoints_c.raku
index ad8a83b..11c4e0f 100644
--- a/internal/c/generate_tracepoints_c.raku
+++ b/internal/c/generate_tracepoints_c.raku
@@ -134,10 +134,389 @@ class PathnameTracepoint does TracepointTemplate {
}
}
-class RetTracepoint does TracepointTemplate {
+role TracepointClassification {
+ has %!map =
+ accept => 'noio',
+ accept4 => 'noio',
+ access => 'noio',
+ acct => 'noio',
+ add_key => 'noio',
+ adjtimex => 'noio',
+ alarm => 'noio',
+ arch_prctl => 'noio',
+ bind => 'noio',
+ bpf => 'noio',
+ brk => 'noio',
+ cachestat => 'noio',
+ capget => 'noio',
+ capset => 'noio',
+ chdir => 'noio',
+ chmod => 'noio',
+ chown => 'noio',
+ chroot => 'noio',
+ clock_adjtime => 'noio',
+ clock_getres => 'noio',
+ clock_gettime => 'noio',
+ clock_nanosleep => 'noio',
+ clock_settime => 'noio',
+ clone => 'noio',
+ clone3 => 'noio',
+ close => 'noio',
+ close_range => 'noio',
+ connect => 'noio',
+ copy_file_range => 'transfer',
+ creat => 'noio',
+ delete_module => 'noio',
+ dup => 'noio',
+ dup2 => 'noio',
+ dup3 => 'noio',
+ epoll_create => 'noio',
+ epoll_create1 => 'noio',
+ epoll_ctl => 'noio',
+ epoll_pwait => 'noio',
+ epoll_pwait2 => 'noio',
+ epoll_wait => 'noio',
+ eventfd => 'noio',
+ eventfd2 => 'noio',
+ execve => 'noio',
+ execveat => 'noio',
+ exit => 'noio',
+ exit_group => 'noio',
+ faccessat => 'noio',
+ faccessat2 => 'noio',
+ fadvise64 => 'noio',
+ fallocate => 'noio',
+ fanotify_init => 'noio',
+ fanotify_mark => 'noio',
+ fchdir => 'noio',
+ fchmod => 'noio',
+ fchmodat => 'noio',
+ fchmodat2 => 'noio',
+ fchown => 'noio',
+ fchownat => 'noio',
+ fcntl => 'noio',
+ fdatasync => 'noio',
+ fgetxattr => 'noio',
+ finit_module => 'noio',
+ flistxattr => 'noio',
+ flock => 'noio',
+ fork => 'noio',
+ fremovexattr => 'noio',
+ fsconfig => 'noio',
+ fsetxattr => 'noio',
+ fsmount => 'noio',
+ fsopen => 'noio',
+ fspick => 'noio',
+ fstatfs => 'noio',
+ fsync => 'noio',
+ ftruncate => 'noio',
+ futex => 'noio',
+ futex_requeue => 'noio',
+ futex_wait => 'noio',
+ futex_waitv => 'noio',
+ futex_wake => 'noio',
+ futimesat => 'noio',
+ get_mempolicy => 'noio',
+ get_robust_list => 'noio',
+ getcpu => 'noio',
+ getcwd => 'noio',
+ getdents => 'read',
+ getdents64 => 'read',
+ getegid => 'noio',
+ geteuid => 'noio',
+ getgid => 'noio',
+ getgroups => 'noio',
+ getitimer => 'noio',
+ getpeername => 'noio',
+ getpgid => 'noio',
+ getpgrp => 'noio',
+ getpid => 'noio',
+ getppid => 'noio',
+ getpriority => 'noio',
+ getrandom => 'noio',
+ getresgid => 'noio',
+ getresuid => 'noio',
+ getrlimit => 'noio',
+ getrusage => 'noio',
+ getsid => 'noio',
+ getsockname => 'noio',
+ getsockopt => 'noio',
+ gettid => 'noio',
+ gettimeofday => 'noio',
+ getuid => 'noio',
+ getxattr => 'noio',
+ getxattrat => 'noio',
+ init_module => 'noio',
+ inotify_add_watch => 'noio',
+ inotify_init => 'noio',
+ inotify_init1 => 'noio',
+ inotify_rm_watch => 'noio',
+ io_cancel => 'noio',
+ io_destroy => 'noio',
+ io_getevents => 'noio',
+ io_pgetevents => 'noio',
+ io_setup => 'noio',
+ io_submit => 'noio',
+ io_uring_enter => 'noio',
+ io_uring_register => 'noio',
+ io_uring_setup => 'noio',
+ ioctl => 'noio',
+ ioperm => 'noio',
+ iopl => 'noio',
+ ioprio_get => 'noio',
+ ioprio_set => 'noio',
+ kcmp => 'noio',
+ kexec_file_load => 'noio',
+ kexec_load => 'noio',
+ keyctl => 'noio',
+ kill => 'noio',
+ landlock_add_rule => 'noio',
+ landlock_create_ruleset => 'noio',
+ landlock_restrict_self => 'noio',
+ lchown => 'noio',
+ lgetxattr => 'noio',
+ link => 'noio',
+ linkat => 'noio',
+ listen => 'noio',
+ listmount => 'noio',
+ listxattr => 'noio',
+ listxattrat => 'noio',
+ llistxattr => 'noio',
+ lremovexattr => 'noio',
+ lseek => 'noio',
+ lsetxattr => 'noio',
+ lsm_get_self_attr => 'noio',
+ lsm_list_modules => 'noio',
+ lsm_set_self_attr => 'noio',
+ madvise => 'noio',
+ map_shadow_stack => 'noio',
+ mbind => 'noio',
+ membarrier => 'noio',
+ memfd_create => 'noio',
+ memfd_secret => 'noio',
+ migrate_pages => 'noio',
+ mincore => 'noio',
+ mkdir => 'noio',
+ mkdirat => 'noio',
+ mknod => 'noio',
+ mknodat => 'noio',
+ mlock => 'noio',
+ mlock2 => 'noio',
+ mlockall => 'noio',
+ mmap => 'noio',
+ modify_ldt => 'noio',
+ mount => 'noio',
+ mount_setattr => 'noio',
+ move_mount => 'noio',
+ move_pages => 'noio',
+ mprotect => 'noio',
+ mq_getsetattr => 'noio',
+ mq_notify => 'noio',
+ mq_open => 'noio',
+ mq_timedreceive => 'noio',
+ mq_timedsend => 'noio',
+ mq_unlink => 'noio',
+ mremap => 'noio',
+ mseal => 'noio',
+ msgctl => 'noio',
+ msgget => 'noio',
+ msgrcv => 'noio',
+ msgsnd => 'noio',
+ msync => 'noio',
+ munlock => 'noio',
+ munlockall => 'noio',
+ munmap => 'noio',
+ name_to_handle_at => 'noio',
+ nanosleep => 'noio',
+ newfstat => 'noio',
+ newfstatat => 'noio',
+ newlstat => 'noio',
+ newstat => 'noio',
+ newuname => 'noio',
+ open => 'noio',
+ open_by_handle_at => 'noio',
+ open_tree => 'noio',
+ open_tree_attr => 'noio',
+ openat => 'noio',
+ openat2 => 'noio',
+ pause => 'noio',
+ perf_event_open => 'noio',
+ personality => 'noio',
+ pidfd_getfd => 'noio',
+ pidfd_open => 'noio',
+ pidfd_send_signal => 'noio',
+ pipe => 'noio',
+ pipe2 => 'noio',
+ pivot_root => 'noio',
+ pkey_alloc => 'noio',
+ pkey_free => 'noio',
+ pkey_mprotect => 'noio',
+ poll => 'noio',
+ ppoll => 'noio',
+ prctl => 'noio',
+ pread64 => 'read',
+ preadv => 'read',
+ preadv2 => 'read',
+ prlimit64 => 'noio',
+ process_madvise => 'noio',
+ process_mrelease => 'noio',
+ process_vm_readv => 'read',
+ process_vm_writev => 'write',
+ pselect6 => 'noio',
+ ptrace => 'noio',
+ pwrite64 => 'write',
+ pwritev => 'write',
+ pwritev2 => 'write',
+ quotactl => 'noio',
+ quotactl_fd => 'noio',
+ read => 'read',
+ readahead => 'noio',
+ readlink => 'read',
+ readlinkat => 'read',
+ readv => 'read',
+ reboot => 'noio',
+ recvfrom => 'read',
+ recvmmsg => 'read',
+ recvmsg => 'read',
+ remap_file_pages => 'noio',
+ removexattr => 'noio',
+ removexattrat => 'noio',
+ rename => 'noio',
+ renameat => 'noio',
+ renameat2 => 'noio',
+ request_key => 'noio',
+ restart_syscall => 'noio',
+ rmdir => 'noio',
+ rseq => 'noio',
+ rt_sigaction => 'noio',
+ rt_sigpending => 'noio',
+ rt_sigprocmask => 'noio',
+ rt_sigqueueinfo => 'noio',
+ rt_sigreturn => 'noio',
+ rt_sigsuspend => 'noio',
+ rt_sigtimedwait => 'noio',
+ rt_tgsigqueueinfo => 'noio',
+ sched_get_priority_max => 'noio',
+ sched_get_priority_min => 'noio',
+ sched_getaffinity => 'noio',
+ sched_getattr => 'noio',
+ sched_getparam => 'noio',
+ sched_getscheduler => 'noio',
+ sched_rr_get_interval => 'noio',
+ sched_setaffinity => 'noio',
+ sched_setattr => 'noio',
+ sched_setparam => 'noio',
+ sched_setscheduler => 'noio',
+ sched_yield => 'noio',
+ seccomp => 'noio',
+ select => 'noio',
+ semctl => 'noio',
+ semget => 'noio',
+ semop => 'noio',
+ semtimedop => 'noio',
+ sendfile64 => 'transfer',
+ sendmmsg => 'write',
+ sendmsg => 'write',
+ sendto => 'write',
+ set_mempolicy => 'noio',
+ set_mempolicy_home_node => 'noio',
+ set_robust_list => 'noio',
+ set_tid_address => 'noio',
+ setdomainname => 'noio',
+ setfsgid => 'noio',
+ setfsuid => 'noio',
+ setgid => 'noio',
+ setgroups => 'noio',
+ sethostname => 'noio',
+ setitimer => 'noio',
+ setns => 'noio',
+ setpgid => 'noio',
+ setpriority => 'noio',
+ setregid => 'noio',
+ setresgid => 'noio',
+ setresuid => 'noio',
+ setreuid => 'noio',
+ setrlimit => 'noio',
+ setsid => 'noio',
+ setsockopt => 'noio',
+ settimeofday => 'noio',
+ setuid => 'noio',
+ setxattr => 'noio',
+ setxattrat => 'noio',
+ shmat => 'noio',
+ shmctl => 'noio',
+ shmdt => 'noio',
+ shmget => 'noio',
+ shutdown => 'noio',
+ sigaltstack => 'noio',
+ signalfd => 'noio',
+ signalfd4 => 'noio',
+ socket => 'noio',
+ socketpair => 'noio',
+ splice => 'transfer',
+ statfs => 'noio',
+ statmount => 'noio',
+ statx => 'noio',
+ swapoff => 'noio',
+ swapon => 'noio',
+ symlink => 'noio',
+ symlinkat => 'noio',
+ sync => 'noio',
+ sync_file_range => 'noio',
+ syncfs => 'noio',
+ sysfs => 'noio',
+ sysinfo => 'noio',
+ syslog => 'noio',
+ tee => 'transfer',
+ tgkill => 'noio',
+ time => 'noio',
+ timer_create => 'noio',
+ timer_delete => 'noio',
+ timer_getoverrun => 'noio',
+ timer_gettime => 'noio',
+ timer_settime => 'noio',
+ timerfd_create => 'noio',
+ timerfd_gettime => 'noio',
+ timerfd_settime => 'noio',
+ times => 'noio',
+ tkill => 'noio',
+ truncate => 'noio',
+ umask => 'noio',
+ umount => 'noio',
+ unlink => 'noio',
+ unlinkat => 'noio',
+ unshare => 'noio',
+ uretprobe => 'noio',
+ userfaultfd => 'noio',
+ ustat => 'noio',
+ utime => 'noio',
+ utimensat => 'noio',
+ utimes => 'noio',
+ vfork => 'noio',
+ vhangup => 'noio',
+ vmsplice => 'transfer',
+ wait4 => 'noio',
+ waitid => 'noio',
+ write => 'write',
+ writev => 'write';
+
+ method classify-tracepoint(Str \name --> Str) {
+ my Str \syscall = name.subst(/^SYS_EXIT_/, '').lc;
+ die "Syscall '{syscall}' for tracepoint '{name}' not found in classification map"
+ unless %!map<syscall>:exists;
+ given %!map{syscall} {
+ when 'read' { 'READ_CLASSIFIED' }
+ when 'write' { 'WRITE_CLASSIFIED' }
+ default { 'OTHER_CLASSIFIED' }
+ }
+ }
+}
+
+class RetTracepoint does TracepointTemplate does TracepointClassification {
method generate-bpf-c-tracepoint(%vals --> Str) {
- my Str $extra = q:to/BPF_C_CODE/;
- ev->ret = ctx->ret;
+ my Str $extra = qq:to/BPF_C_CODE/;
+ ev->ret = ctx->ret;
+ ev->ret_type = {self.classify-tracepoint: %vals<name>};
BPF_C_CODE
self.template: %vals.append( ( event-struct => 'ret_event', :$extra ).hash );
}
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index bf17d18..9a50b17 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -1,5287 +1,256 @@
// Code generated - don't change manually!
-/// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related
-/// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related
+/// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related
+/// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related
+/// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related
+/// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related
+/// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related
+/// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related
+/// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related
+/// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related
+/// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related
/// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related
-/// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related
-/// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related
-/// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related
-/// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related
-/// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related
-/// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related
-/// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related
-/// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related
-/// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related
-/// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related
-/// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related
-/// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related
-/// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related
+/// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related
+/// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related
+/// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related
/// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related
-/// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related
-/// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related
-/// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related
-/// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related
+/// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related
+/// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related
+/// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related
+/// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related
+/// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related
+/// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related
+/// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related
+/// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related
+/// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related
+/// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related
+/// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related
+/// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related
+/// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related
+/// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related
/// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related
+/// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related
+/// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related
+/// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related
+/// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related
+/// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related
+/// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related
+/// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related
+/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
+/// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related
+/// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related
+/// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related
+/// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related
/// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related
-/// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related
-/// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related
-/// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related
-/// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related
+/// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related
+/// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related
+/// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related
+/// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related
+/// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related
+/// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related
+/// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related
+/// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related
+/// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related
+/// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related
+/// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related
+/// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related
+/// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related
+/// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related
/// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related
-/// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related
-/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
-/// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related
-/// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related
-/// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related
-/// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related
-/// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related
-/// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related
-/// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related
-/// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related
-/// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related
+/// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related
+/// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related
+/// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related
+/// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related
+/// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related
+/// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related
+/// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related
+/// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related
+/// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related
+/// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related
+/// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related
+/// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related
+/// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related
/// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related
-/// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related
-/// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related
-/// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related
-/// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related
-/// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related
-/// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related
+/// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related
+/// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related
/// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related
-/// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related
-/// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related
-/// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related
-/// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related
-/// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related
+/// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related
+/// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related
+/// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related
+/// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related
+/// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related
+/// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related
+/// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related
+/// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related
+/// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related
+/// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related
+/// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related
+/// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related
+/// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related
+/// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related
+/// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related
+/// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related
+/// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related
/// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related
-/// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related
-/// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related
+/// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related
+/// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related
+/// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related
+/// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related
+/// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related
+/// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related
+/// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related
+/// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related
+/// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related
+/// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related
+/// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related
+/// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related
+/// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related
+/// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related
+/// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related
+/// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related
+/// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related
+/// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related
+/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related
+/// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related
+/// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related
+/// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related
+/// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related
+/// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related
+/// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related
+/// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related
+/// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related
+/// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related
+/// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related
/// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related
-/// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related
+/// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related
+/// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related
+/// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related
/// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related
-/// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related
-/// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related
-/// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related
-/// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related
-/// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related
+/// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related
/// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related
-/// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related
-/// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related
-/// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related
-/// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related
+/// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related
+/// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related
+/// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related
+/// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related
+/// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related
+/// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related
+/// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related
+/// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related
+/// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related
+/// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related
+/// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related
+/// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related
/// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related
-/// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related
-/// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related
-/// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related
-/// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related
-/// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related
-/// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related
-/// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related
-/// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related
+/// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related
+/// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related
/// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related
-/// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related
-/// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related
-/// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related
-/// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related
-/// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related
-/// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related
-/// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related
-/// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related
-/// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related
-/// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related
-/// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related
-/// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related
-/// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related
-/// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related
-/// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related
-/// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related
-/// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related
-/// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related
-/// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related
+/// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related
+/// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related
/// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related
-/// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related
-/// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related
-/// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related
-/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related
-/// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related
-/// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related
-/// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related
-/// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related
-/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related
-/// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related
-/// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related
-/// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related
-/// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related
+/// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related
+/// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related
/// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related
+/// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related
+/// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related
+/// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related
+/// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related
+/// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related
+/// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related
+/// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related
+/// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related
+/// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related
+/// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related
+/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
+/// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related
+/// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related
+/// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related
+/// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related
/// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related
-/// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related
-/// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related
-/// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related
-/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related
-/// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related
-/// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related
+/// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related
+/// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related
/// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related
-/// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related
-/// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related
-/// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related
-/// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related
-/// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related
-/// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related
+/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related
+/// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related
+/// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related
+/// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related
+/// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related
+/// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related
/// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related
-/// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related
-/// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related
+/// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related
+/// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related
+/// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related
+/// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related
+/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related
+/// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related
/// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related
-/// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related
-/// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related
-/// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related
-/// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related
-/// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related
-/// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related
-/// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related
-/// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related
-/// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related
-/// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related
-/// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related
-/// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related
-/// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related
+/// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related
+/// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related
+/// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related
+/// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related
+/// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related
/// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related
-/// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related
-/// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related
-/// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related
-/// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related
-/// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related
-/// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related
-/// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related
-/// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related
-/// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related
-/// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related
+/// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related
+/// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related
/// Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related
+/// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related
+/// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related
/// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related
-/// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related
-/// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related
-/// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related
-/// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related
-/// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related
+/// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related
+/// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related
+/// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related
+/// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related
+/// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related
+/// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related
+/// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related
+/// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related
+/// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related
+/// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related
+/// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related
+/// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related
+/// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related
+/// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related
+/// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related
/// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related
-/// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related
-/// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related
-/// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related
-/// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related
-/// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related
-/// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related
-/// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related
-/// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related
-/// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related
-/// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related
-/// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related
-/// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related
-/// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related
-/// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related
+/// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related
+/// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related
+/// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related
+/// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related
+/// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related
+/// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related
/// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related
+/// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related
+/// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related
+/// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related
+/// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related
+/// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related
+/// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related
+/// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related
+/// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related
+/// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related
+/// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related
+/// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related
+/// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related
/// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related
-/// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related
-/// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related
+/// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related
/// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related
-/// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related
-/// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related
-/// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related
-/// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related
-/// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related
-/// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related
-/// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related
-/// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related
-/// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related
-/// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related
-/// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related
-/// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related
-/// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related
-/// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related
-/// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related
-/// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related
+/// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related
+/// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related
/// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related
-/// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related
-/// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related
-/// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related
-/// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related
-/// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related
-/// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related
-/// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related
-/// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related
-/// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related
-/// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related
/// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related
-/// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related
-/// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related
-/// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related
+/// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related
+/// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related
+/// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related
+/// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related
/// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related
-/// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related
-/// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related
-/// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related
-/// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related
-/// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related
-/// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related
-/// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related
-/// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related
-/// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related
-/// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related
-/// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related
-/// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related
-/// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related
-/// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related
-/// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related
-/// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related
-/// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related
-/// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related
-/// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related
-/// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related
-/// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related
-/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
-/// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related
-/// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related
-/// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related
-/// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related
-/// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related
-/// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related
-/// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related
-/// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related
-/// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related
-/// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related
-/// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related
-/// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related
-
-#define SYS_ENTER_IO_URING_REGISTER 1513
-#define SYS_EXIT_IO_URING_REGISTER 1512
-#define SYS_ENTER_IO_URING_ENTER 1494
-#define SYS_EXIT_IO_URING_ENTER 1493
-#define SYS_ENTER_IO_URING_SETUP 1492
-#define SYS_EXIT_IO_URING_SETUP 1491
-#define SYS_ENTER_QUOTACTL_FD 1151
-#define SYS_EXIT_QUOTACTL_FD 1150
-#define SYS_ENTER_FLOCK 1120
-#define SYS_EXIT_FLOCK 1119
-#define SYS_ENTER_IO_SETUP 1104
-#define SYS_EXIT_IO_SETUP 1103
-#define SYS_ENTER_IO_DESTROY 1102
-#define SYS_EXIT_IO_DESTROY 1101
-#define SYS_ENTER_IO_SUBMIT 1100
-#define SYS_EXIT_IO_SUBMIT 1099
-#define SYS_ENTER_IO_CANCEL 1098
-#define SYS_EXIT_IO_CANCEL 1097
-#define SYS_ENTER_IO_GETEVENTS 1096
-#define SYS_EXIT_IO_GETEVENTS 1095
-#define SYS_ENTER_IO_PGETEVENTS 1094
-#define SYS_EXIT_IO_PGETEVENTS 1093
-#define SYS_ENTER_FANOTIFY_MARK 1062
-#define SYS_EXIT_FANOTIFY_MARK 1061
-#define SYS_ENTER_FSPICK 1050
-#define SYS_EXIT_FSPICK 1049
-#define SYS_ENTER_FSCONFIG 1048
-#define SYS_EXIT_FSCONFIG 1047
-#define SYS_ENTER_STATFS 1046
-#define SYS_EXIT_STATFS 1045
-#define SYS_ENTER_FSTATFS 1044
-#define SYS_EXIT_FSTATFS 1043
-#define SYS_ENTER_UTIMENSAT 1038
-#define SYS_EXIT_UTIMENSAT 1037
-#define SYS_ENTER_FUTIMESAT 1036
-#define SYS_EXIT_FUTIMESAT 1035
-#define SYS_ENTER_SYNC 1030
-#define SYS_EXIT_SYNC 1029
-#define SYS_ENTER_SYNCFS 1028
-#define SYS_EXIT_SYNCFS 1027
-#define SYS_ENTER_FSYNC 1026
-#define SYS_EXIT_FSYNC 1025
-#define SYS_ENTER_FDATASYNC 1024
-#define SYS_EXIT_FDATASYNC 1023
-#define SYS_ENTER_SYNC_FILE_RANGE 1022
-#define SYS_EXIT_SYNC_FILE_RANGE 1021
-#define SYS_ENTER_VMSPLICE 1020
-#define SYS_EXIT_VMSPLICE 1019
-#define SYS_ENTER_SETXATTRAT 982
-#define SYS_EXIT_SETXATTRAT 981
-#define SYS_ENTER_SETXATTR 980
-#define SYS_EXIT_SETXATTR 979
-#define SYS_ENTER_LSETXATTR 978
-#define SYS_EXIT_LSETXATTR 977
-#define SYS_ENTER_FSETXATTR 976
-#define SYS_EXIT_FSETXATTR 975
-#define SYS_ENTER_GETXATTRAT 974
-#define SYS_EXIT_GETXATTRAT 973
-#define SYS_ENTER_GETXATTR 972
-#define SYS_EXIT_GETXATTR 971
-#define SYS_ENTER_LGETXATTR 970
-#define SYS_EXIT_LGETXATTR 969
-#define SYS_ENTER_FGETXATTR 968
-#define SYS_EXIT_FGETXATTR 967
-#define SYS_ENTER_LISTXATTRAT 966
-#define SYS_EXIT_LISTXATTRAT 965
-#define SYS_ENTER_LISTXATTR 964
-#define SYS_EXIT_LISTXATTR 963
-#define SYS_ENTER_LLISTXATTR 962
-#define SYS_EXIT_LLISTXATTR 961
-#define SYS_ENTER_FLISTXATTR 960
-#define SYS_EXIT_FLISTXATTR 959
-#define SYS_ENTER_REMOVEXATTRAT 958
-#define SYS_EXIT_REMOVEXATTRAT 957
-#define SYS_ENTER_REMOVEXATTR 956
-#define SYS_EXIT_REMOVEXATTR 955
-#define SYS_ENTER_LREMOVEXATTR 954
-#define SYS_EXIT_LREMOVEXATTR 953
-#define SYS_ENTER_FREMOVEXATTR 952
-#define SYS_EXIT_FREMOVEXATTR 951
-#define SYS_ENTER_OPEN_TREE 948
-#define SYS_EXIT_OPEN_TREE 947
-#define SYS_ENTER_MOUNT_SETATTR 938
-#define SYS_EXIT_MOUNT_SETATTR 937
-#define SYS_ENTER_CLOSE_RANGE 930
-#define SYS_EXIT_CLOSE_RANGE 929
-#define SYS_ENTER_DUP3 928
-#define SYS_EXIT_DUP3 927
-#define SYS_ENTER_DUP2 926
-#define SYS_EXIT_DUP2 925
-#define SYS_ENTER_DUP 924
-#define SYS_EXIT_DUP 923
-#define SYS_ENTER_GETDENTS 910
-#define SYS_EXIT_GETDENTS 909
-#define SYS_ENTER_GETDENTS64 908
-#define SYS_EXIT_GETDENTS64 907
-#define SYS_ENTER_IOCTL 906
-#define SYS_EXIT_IOCTL 905
-#define SYS_ENTER_FCNTL 904
-#define SYS_EXIT_FCNTL 903
-#define SYS_ENTER_MKDIRAT 898
-#define SYS_EXIT_MKDIRAT 897
-#define SYS_ENTER_MKDIR 896
-#define SYS_EXIT_MKDIR 895
-#define SYS_ENTER_RMDIR 894
-#define SYS_EXIT_RMDIR 893
-#define SYS_ENTER_UNLINKAT 892
-#define SYS_EXIT_UNLINKAT 891
-#define SYS_ENTER_UNLINK 890
-#define SYS_EXIT_UNLINK 889
-#define SYS_ENTER_SYMLINKAT 888
-#define SYS_EXIT_SYMLINKAT 887
-#define SYS_ENTER_SYMLINK 886
-#define SYS_EXIT_SYMLINK 885
-#define SYS_ENTER_LINKAT 884
-#define SYS_EXIT_LINKAT 883
-#define SYS_ENTER_LINK 882
-#define SYS_EXIT_LINK 881
-#define SYS_ENTER_RENAMEAT2 880
-#define SYS_EXIT_RENAMEAT2 879
-#define SYS_ENTER_RENAMEAT 878
-#define SYS_EXIT_RENAMEAT 877
-#define SYS_ENTER_RENAME 876
-#define SYS_EXIT_RENAME 875
-#define SYS_ENTER_NEWSTAT 866
-#define SYS_EXIT_NEWSTAT 865
-#define SYS_ENTER_NEWLSTAT 864
-#define SYS_EXIT_NEWLSTAT 863
-#define SYS_ENTER_NEWFSTATAT 862
-#define SYS_EXIT_NEWFSTATAT 861
-#define SYS_ENTER_NEWFSTAT 860
-#define SYS_EXIT_NEWFSTAT 859
-#define SYS_ENTER_READLINKAT 858
-#define SYS_EXIT_READLINKAT 857
-#define SYS_ENTER_READLINK 856
-#define SYS_EXIT_READLINK 855
-#define SYS_ENTER_STATX 854
-#define SYS_EXIT_STATX 853
-#define SYS_ENTER_LSEEK 852
-#define SYS_EXIT_LSEEK 851
-#define SYS_ENTER_READ 850
-#define SYS_EXIT_READ 849
-#define SYS_ENTER_WRITE 848
-#define SYS_EXIT_WRITE 847
-#define SYS_ENTER_PREAD64 846
-#define SYS_EXIT_PREAD64 845
-#define SYS_ENTER_PWRITE64 844
-#define SYS_EXIT_PWRITE64 843
-#define SYS_ENTER_READV 842
-#define SYS_EXIT_READV 841
-#define SYS_ENTER_WRITEV 840
-#define SYS_EXIT_WRITEV 839
-#define SYS_ENTER_PREADV 838
-#define SYS_EXIT_PREADV 837
-#define SYS_ENTER_PREADV2 836
-#define SYS_EXIT_PREADV2 835
-#define SYS_ENTER_PWRITEV 834
-#define SYS_EXIT_PWRITEV 833
-#define SYS_ENTER_PWRITEV2 832
-#define SYS_EXIT_PWRITEV2 831
-#define SYS_ENTER_TRUNCATE 826
-#define SYS_EXIT_TRUNCATE 825
-#define SYS_ENTER_FTRUNCATE 824
-#define SYS_EXIT_FTRUNCATE 823
-#define SYS_ENTER_FALLOCATE 822
-#define SYS_EXIT_FALLOCATE 821
-#define SYS_ENTER_FACCESSAT 820
-#define SYS_EXIT_FACCESSAT 819
-#define SYS_ENTER_FACCESSAT2 818
-#define SYS_EXIT_FACCESSAT2 817
-#define SYS_ENTER_ACCESS 816
-#define SYS_EXIT_ACCESS 815
-#define SYS_ENTER_CHDIR 814
-#define SYS_EXIT_CHDIR 813
-#define SYS_ENTER_FCHDIR 812
-#define SYS_EXIT_FCHDIR 811
-#define SYS_ENTER_CHROOT 810
-#define SYS_EXIT_CHROOT 809
-#define SYS_ENTER_FCHMOD 808
-#define SYS_EXIT_FCHMOD 807
-#define SYS_ENTER_FCHMODAT2 806
-#define SYS_EXIT_FCHMODAT2 805
-#define SYS_ENTER_FCHMODAT 804
-#define SYS_EXIT_FCHMODAT 803
-#define SYS_ENTER_CHMOD 802
-#define SYS_EXIT_CHMOD 801
-#define SYS_ENTER_FCHOWNAT 800
-#define SYS_EXIT_FCHOWNAT 799
-#define SYS_ENTER_CHOWN 798
-#define SYS_EXIT_CHOWN 797
-#define SYS_ENTER_LCHOWN 796
-#define SYS_EXIT_LCHOWN 795
-#define SYS_ENTER_FCHOWN 794
-#define SYS_EXIT_FCHOWN 793
-#define SYS_ENTER_OPEN 792
-#define SYS_EXIT_OPEN 791
-#define SYS_ENTER_OPENAT 790
-#define SYS_EXIT_OPENAT 789
-#define SYS_ENTER_OPENAT2 788
-#define SYS_EXIT_OPENAT2 787
-#define SYS_ENTER_CREAT 786
-#define SYS_EXIT_CREAT 785
-#define SYS_ENTER_CLOSE 784
-#define SYS_EXIT_CLOSE 783
-#define SYS_ENTER_READAHEAD 620
-#define SYS_EXIT_READAHEAD 619
-#define SYS_ENTER_FADVISE64 618
-#define SYS_EXIT_FADVISE64 617
-#define SYS_ENTER_CACHESTAT 599
-#define SYS_EXIT_CACHESTAT 598
-#define SYS_ENTER_FINIT_MODULE 409
-#define SYS_EXIT_FINIT_MODULE 408
-#define SYS_ENTER_SYSLOG 349
-#define SYS_EXIT_SYSLOG 348
-#define SYS_ENTER_MMAP 102
-#define SYS_EXIT_MMAP 101
-
-/// sys_enter_io_uring_register is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_uring_register")
-int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_URING_REGISTER;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_uring_register is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_uring_register")
-int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_URING_REGISTER;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_uring_enter is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_uring_enter")
-int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_URING_ENTER;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_uring_enter is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_uring_enter")
-int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_URING_ENTER;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_uring_setup is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_uring_setup")
-int handle_sys_enter_io_uring_setup(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_URING_SETUP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_uring_setup is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_uring_setup")
-int handle_sys_exit_io_uring_setup(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_URING_SETUP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_quotactl_fd is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_quotactl_fd")
-int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_QUOTACTL_FD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_quotactl_fd is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_quotactl_fd")
-int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_QUOTACTL_FD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_flock is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_flock")
-int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FLOCK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_flock is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_flock")
-int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FLOCK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_setup is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_setup")
-int handle_sys_enter_io_setup(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_SETUP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_setup is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_setup")
-int handle_sys_exit_io_setup(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_SETUP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_destroy is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_destroy")
-int handle_sys_enter_io_destroy(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_DESTROY;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_destroy is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_destroy")
-int handle_sys_exit_io_destroy(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_DESTROY;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_submit is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_submit")
-int handle_sys_enter_io_submit(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_SUBMIT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_submit is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_submit")
-int handle_sys_exit_io_submit(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_SUBMIT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_cancel is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_cancel")
-int handle_sys_enter_io_cancel(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_CANCEL;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_cancel is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_cancel")
-int handle_sys_exit_io_cancel(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_CANCEL;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_getevents is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_getevents")
-int handle_sys_enter_io_getevents(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_GETEVENTS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_getevents is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_getevents")
-int handle_sys_exit_io_getevents(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_GETEVENTS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_io_pgetevents is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_io_pgetevents")
-int handle_sys_enter_io_pgetevents(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_IO_PGETEVENTS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_io_pgetevents is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_io_pgetevents")
-int handle_sys_exit_io_pgetevents(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IO_PGETEVENTS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fanotify_mark is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_fanotify_mark")
-int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FANOTIFY_MARK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fanotify_mark is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fanotify_mark")
-int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FANOTIFY_MARK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fspick is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_fspick")
-int handle_sys_enter_fspick(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FSPICK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fspick is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fspick")
-int handle_sys_exit_fspick(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSPICK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fsconfig is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fsconfig")
-int handle_sys_enter_fsconfig(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FSCONFIG;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fsconfig is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fsconfig")
-int handle_sys_exit_fsconfig(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSCONFIG;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_statfs is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_statfs")
-int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_STATFS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_statfs is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_statfs")
-int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_STATFS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fstatfs is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fstatfs")
-int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FSTATFS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fstatfs is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fstatfs")
-int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSTATFS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_utimensat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_utimensat")
-int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_UTIMENSAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_utimensat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_utimensat")
-int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_UTIMENSAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_futimesat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_futimesat")
-int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FUTIMESAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_futimesat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_futimesat")
-int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FUTIMESAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_sync is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_sync")
-int handle_sys_enter_sync(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_SYNC;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_sync is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_sync")
-int handle_sys_exit_sync(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYNC;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_syncfs is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_syncfs")
-int handle_sys_enter_syncfs(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_SYNCFS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_syncfs is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_syncfs")
-int handle_sys_exit_syncfs(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYNCFS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fsync is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fsync")
-int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FSYNC;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fsync is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fsync")
-int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSYNC;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fdatasync is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fdatasync")
-int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FDATASYNC;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fdatasync is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fdatasync")
-int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FDATASYNC;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_sync_file_range is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_sync_file_range")
-int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_sync_file_range is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_sync_file_range")
-int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_vmsplice is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_vmsplice")
-int handle_sys_enter_vmsplice(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_VMSPLICE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_vmsplice is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_vmsplice")
-int handle_sys_exit_vmsplice(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_VMSPLICE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_setxattrat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_setxattrat")
-int handle_sys_enter_setxattrat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_SETXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_setxattrat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_setxattrat")
-int handle_sys_exit_setxattrat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SETXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_setxattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_setxattr")
-int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_SETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_setxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_setxattr")
-int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_lsetxattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_lsetxattr")
-int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LSETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_lsetxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_lsetxattr")
-int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LSETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fsetxattr is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fsetxattr")
-int handle_sys_enter_fsetxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FSETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fsetxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fsetxattr")
-int handle_sys_exit_fsetxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_getxattrat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_getxattrat")
-int handle_sys_enter_getxattrat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_GETXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_getxattrat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_getxattrat")
-int handle_sys_exit_getxattrat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_getxattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_getxattr")
-int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_GETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_getxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_getxattr")
-int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_lgetxattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_lgetxattr")
-int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LGETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_lgetxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_lgetxattr")
-int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LGETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fgetxattr is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fgetxattr")
-int handle_sys_enter_fgetxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FGETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fgetxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fgetxattr")
-int handle_sys_exit_fgetxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FGETXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_listxattrat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_listxattrat")
-int handle_sys_enter_listxattrat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LISTXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_listxattrat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_listxattrat")
-int handle_sys_exit_listxattrat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LISTXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_listxattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_listxattr")
-int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LISTXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_listxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_listxattr")
-int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LISTXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_llistxattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_llistxattr")
-int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LLISTXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_llistxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_llistxattr")
-int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LLISTXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_flistxattr is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_flistxattr")
-int handle_sys_enter_flistxattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FLISTXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_flistxattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_flistxattr")
-int handle_sys_exit_flistxattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FLISTXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_removexattrat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_removexattrat")
-int handle_sys_enter_removexattrat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_REMOVEXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_removexattrat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_removexattrat")
-int handle_sys_exit_removexattrat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_REMOVEXATTRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_removexattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_removexattr")
-int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_REMOVEXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_removexattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_removexattr")
-int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_REMOVEXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_lremovexattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_lremovexattr")
-int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LREMOVEXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_lremovexattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_lremovexattr")
-int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LREMOVEXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fremovexattr is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fremovexattr")
-int handle_sys_enter_fremovexattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FREMOVEXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fremovexattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fremovexattr")
-int handle_sys_exit_fremovexattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FREMOVEXATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_open_tree is a struct open_event
-SEC("tracepoint/syscalls/sys_enter_open_tree")
-int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_OPEN_EVENT;
- ev->trace_id = SYS_ENTER_OPEN_TREE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- ev->flags = ctx->args[2];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_open_tree is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_open_tree")
-int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_OPEN_TREE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_mount_setattr is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_mount_setattr")
-int handle_sys_enter_mount_setattr(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_MOUNT_SETATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_mount_setattr is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_mount_setattr")
-int handle_sys_exit_mount_setattr(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_MOUNT_SETATTR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_close_range is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_close_range")
-int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_CLOSE_RANGE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_close_range is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_close_range")
-int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CLOSE_RANGE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_dup3 is a struct dup3_event
-SEC("tracepoint/syscalls/sys_enter_dup3")
-int handle_sys_enter_dup3(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_DUP3_EVENT;
- ev->trace_id = SYS_ENTER_DUP3;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
- ev->flags = (__s32)ctx->args[2];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_dup3 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_dup3")
-int handle_sys_exit_dup3(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_DUP3;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_dup2 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_dup2")
-int handle_sys_enter_dup2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_DUP2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_dup2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_dup2")
-int handle_sys_exit_dup2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_DUP2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_dup is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_dup")
-int handle_sys_enter_dup(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_DUP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_dup is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_dup")
-int handle_sys_exit_dup(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_DUP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_getdents is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_getdents")
-int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_GETDENTS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_getdents is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_getdents")
-int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETDENTS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_getdents64 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_getdents64")
-int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_GETDENTS64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_getdents64 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_getdents64")
-int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETDENTS64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_ioctl is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_ioctl")
-int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_IOCTL;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_ioctl is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_ioctl")
-int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IOCTL;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fcntl is a struct fcntl_event
-SEC("tracepoint/syscalls/sys_enter_fcntl")
-int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FCNTL_EVENT;
- ev->trace_id = SYS_ENTER_FCNTL;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = ctx->args[0];
- ev->cmd = ctx->args[1];
- ev->arg = ctx->args[2];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fcntl is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fcntl")
-int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCNTL;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_mkdirat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_mkdirat")
-int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_MKDIRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_mkdirat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_mkdirat")
-int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_MKDIRAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_mkdir is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_mkdir")
-int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_MKDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_mkdir is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_mkdir")
-int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_MKDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_rmdir is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_rmdir")
-int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_RMDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_rmdir is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_rmdir")
-int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_RMDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_unlinkat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_unlinkat")
-int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_UNLINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_unlinkat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_unlinkat")
-int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_UNLINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_unlink is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_unlink")
-int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_UNLINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_unlink is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_unlink")
-int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_UNLINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_symlinkat is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_symlinkat")
-int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_SYMLINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_symlinkat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_symlinkat")
-int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYMLINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_symlink is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_symlink")
-int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_SYMLINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_symlink is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_symlink")
-int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYMLINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_linkat is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_linkat")
-int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_LINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_linkat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_linkat")
-int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_link is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_link")
-int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_LINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_link is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_link")
-int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_renameat2 is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_renameat2")
-int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_RENAMEAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_renameat2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_renameat2")
-int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_RENAMEAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_renameat is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_renameat")
-int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_RENAMEAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_renameat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_renameat")
-int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_RENAMEAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_rename is a struct name_event
-SEC("tracepoint/syscalls/sys_enter_rename")
-int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NAME_EVENT;
- ev->trace_id = SYS_ENTER_RENAME;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_rename is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_rename")
-int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_RENAME;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_newstat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_newstat")
-int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_NEWSTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_newstat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_newstat")
-int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_NEWSTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_newlstat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_newlstat")
-int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_NEWLSTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_newlstat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_newlstat")
-int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_NEWLSTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_newfstatat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_newfstatat")
-int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_NEWFSTATAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_newfstatat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_newfstatat")
-int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_NEWFSTATAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_newfstat is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_newfstat")
-int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_NEWFSTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_newfstat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_newfstat")
-int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_NEWFSTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_readlinkat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_readlinkat")
-int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_READLINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_readlinkat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_readlinkat")
-int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_READLINKAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_readlink is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_readlink")
-int handle_sys_enter_readlink(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_READLINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_readlink is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_readlink")
-int handle_sys_exit_readlink(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_READLINK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_statx is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_statx")
-int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_STATX;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_statx is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_statx")
-int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_STATX;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_lseek is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_lseek")
-int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_LSEEK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_lseek is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_lseek")
-int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LSEEK;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_read is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_read")
-int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_READ;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_read is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_read")
-int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_READ;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_write is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_write")
-int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_WRITE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_write is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_write")
-int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_WRITE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_pread64 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_pread64")
-int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_PREAD64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_pread64 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_pread64")
-int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_PREAD64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_pwrite64 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_pwrite64")
-int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_PWRITE64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_pwrite64 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_pwrite64")
-int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_PWRITE64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_readv is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_readv")
-int handle_sys_enter_readv(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_READV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_readv is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_readv")
-int handle_sys_exit_readv(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_READV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_writev is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_writev")
-int handle_sys_enter_writev(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_WRITEV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_writev is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_writev")
-int handle_sys_exit_writev(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_WRITEV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_preadv is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_preadv")
-int handle_sys_enter_preadv(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_PREADV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_preadv is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_preadv")
-int handle_sys_exit_preadv(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_PREADV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_preadv2 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_preadv2")
-int handle_sys_enter_preadv2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_PREADV2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_preadv2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_preadv2")
-int handle_sys_exit_preadv2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_PREADV2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_pwritev is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_pwritev")
-int handle_sys_enter_pwritev(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_PWRITEV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_pwritev is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_pwritev")
-int handle_sys_exit_pwritev(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_PWRITEV;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_pwritev2 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_pwritev2")
-int handle_sys_enter_pwritev2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_PWRITEV2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_pwritev2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_pwritev2")
-int handle_sys_exit_pwritev2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_PWRITEV2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_truncate is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_truncate")
-int handle_sys_enter_truncate(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_TRUNCATE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_truncate is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_truncate")
-int handle_sys_exit_truncate(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_TRUNCATE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_ftruncate is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_ftruncate")
-int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FTRUNCATE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_ftruncate is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_ftruncate")
-int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FTRUNCATE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fallocate is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fallocate")
-int handle_sys_enter_fallocate(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FALLOCATE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fallocate is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fallocate")
-int handle_sys_exit_fallocate(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FALLOCATE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_faccessat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_faccessat")
-int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FACCESSAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_faccessat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_faccessat")
-int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FACCESSAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_faccessat2 is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_faccessat2")
-int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FACCESSAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_faccessat2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_faccessat2")
-int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FACCESSAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_access is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_access")
-int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_ACCESS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_access is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_access")
-int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_ACCESS;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_chdir is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_chdir")
-int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_CHDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_chdir is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_chdir")
-int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CHDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fchdir is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fchdir")
-int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FCHDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fchdir is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fchdir")
-int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCHDIR;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_chroot is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_chroot")
-int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_CHROOT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_chroot is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_chroot")
-int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CHROOT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fchmod is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fchmod")
-int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FCHMOD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fchmod is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fchmod")
-int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCHMOD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fchmodat2 is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_fchmodat2")
-int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FCHMODAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fchmodat2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fchmodat2")
-int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCHMODAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fchmodat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_fchmodat")
-int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FCHMODAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fchmodat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fchmodat")
-int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCHMODAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_chmod is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_chmod")
-int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_CHMOD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_chmod is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_chmod")
-int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CHMOD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fchownat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_fchownat")
-int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_FCHOWNAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fchownat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fchownat")
-int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCHOWNAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_chown is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_chown")
-int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_CHOWN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_chown is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_chown")
-int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CHOWN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_lchown is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_lchown")
-int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LCHOWN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_lchown is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_lchown")
-int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LCHOWN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fchown is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fchown")
-int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FCHOWN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fchown is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fchown")
-int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCHOWN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_open is a struct open_event
-SEC("tracepoint/syscalls/sys_enter_open")
-int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_OPEN_EVENT;
- ev->trace_id = SYS_ENTER_OPEN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- ev->flags = ctx->args[1];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_open is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_open")
-int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_OPEN;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_openat is a struct open_event
-SEC("tracepoint/syscalls/sys_enter_openat")
-int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_OPEN_EVENT;
- ev->trace_id = SYS_ENTER_OPENAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- ev->flags = ctx->args[2];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_openat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_OPENAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_openat2 is a struct open_event
-SEC("tracepoint/syscalls/sys_enter_openat2")
-int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_OPEN_EVENT;
- ev->trace_id = SYS_ENTER_OPENAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- ev->flags = -1; // Probably OK
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_openat2 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_openat2")
-int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_OPENAT2;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_creat is a struct path_event
-SEC("tracepoint/syscalls/sys_enter_creat")
-int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_CREAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_creat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_creat")
-int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CREAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_close is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_close")
-int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_CLOSE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_close is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_close")
-int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CLOSE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_readahead is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_readahead")
-int handle_sys_enter_readahead(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_READAHEAD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_readahead is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_readahead")
-int handle_sys_exit_readahead(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_READAHEAD;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_fadvise64 is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_fadvise64")
-int handle_sys_enter_fadvise64(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FADVISE64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_fadvise64 is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_fadvise64")
-int handle_sys_exit_fadvise64(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FADVISE64;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_cachestat is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_cachestat")
-int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_CACHESTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_cachestat is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_cachestat")
-int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_CACHESTAT;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_finit_module is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_finit_module")
-int handle_sys_enter_finit_module(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FINIT_MODULE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_finit_module is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_finit_module")
-int handle_sys_exit_finit_module(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FINIT_MODULE;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_syslog is a struct null_event
-SEC("tracepoint/syscalls/sys_enter_syslog")
-int handle_sys_enter_syslog(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_SYSLOG;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_syslog is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_syslog")
-int handle_sys_exit_syslog(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYSLOG;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_enter_mmap is a struct fd_event
-SEC("tracepoint/syscalls/sys_enter_mmap")
-int handle_sys_enter_mmap(struct trace_event_raw_sys_enter *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_MMAP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-/// sys_exit_mmap is a struct ret_event
-SEC("tracepoint/syscalls/sys_exit_mmap")
-int handle_sys_exit_mmap(struct trace_event_raw_sys_exit *ctx) {
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
- if (!ev)
- return 0;
-
- ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_MMAP;
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-
+/// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related
+/// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related
+/// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related
+/// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related
+/// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 6032eca..4cad263 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -324,6 +324,7 @@ sys_enter_newstat is a struct path_event
sys_enter_openat2 is a struct open_event
sys_enter_openat is a struct open_event
sys_enter_open is a struct open_event
+sys_enter_open_tree_attr is a struct open_event
sys_enter_open_tree is a struct open_event
sys_enter_pread64 is a struct fd_event
sys_enter_preadv2 is a struct fd_event
@@ -432,6 +433,7 @@ sys_exit_newstat is a struct ret_event
sys_exit_openat2 is a struct ret_event
sys_exit_openat is a struct ret_event
sys_exit_open is a struct ret_event
+sys_exit_open_tree_attr is a struct ret_event
sys_exit_open_tree is a struct ret_event
sys_exit_pread64 is a struct ret_event
sys_exit_preadv2 is a struct ret_event
diff --git a/internal/c/types.h b/internal/c/types.h
index 2c16312..6465f8f 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -20,6 +20,10 @@
#define ENTER_DUP3_EVENT 15
#define EXIT_DUP3_EVENT 16
+#define OTHER_CLASSIFIED 0
+#define READ_CLASSIFIED 1
+#define WRITE_CLASSIFIED 2
+
struct open_event {
__u32 event_type;
__u32 trace_id;
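Review bot: The three `*_CLASSIFIED` macros are added without a comment saying which field carries them or what each value means to the consumer. Presumably they are the values of the `ret_type` member this commit adds to `struct ret_event` further down; if so, a line such as `/* Values for ret_event.ret_type */` above them would make that explicit. The generator's classification map at the top of this commit uses strings like 'noio' and 'transfer', so the comment should also state how those categories map onto OTHER/READ/WRITE.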
@@ -55,6 +59,7 @@ struct ret_event {
__s64 ret;
__u32 pid;
__u32 tid;
+ __u32 ret_type;
};
struct name_event {
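Review bot: The new `ret_type` member must be written by every handler that reserves a `struct ret_event`, because `bpf_ringbuf_reserve()` returns memory that is not zeroed and the consumer would otherwise read whatever an earlier record left in those bytes. The exit handlers this commit removes from generated_tracepoints.c assign each field individually and never clear the record, and the regenerated handlers are not visible here, so it is worth confirming the template emits `ev->ret_type = OTHER_CLASSIFIED;` (or the proper class) on every path. The struct's start is outside this hunk, but a lone `__u32` after `pid` and `tid` in a struct holding an `__s64` probably leaves four bytes of tail padding that are also submitted uninitialised. An explicit `__u32 pad;` set to zero, with the Go-side decoder sized to match, would keep the layout unambiguous.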
diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go
index 1d29345..3b15334 100644
--- a/internal/tracepoints/generated_tracepoints.go
+++ b/internal/tracepoints/generated_tracepoints.go
@@ -86,6 +86,8 @@ var List = []string{
"sys_exit_open_tree",
"sys_enter_mount_setattr",
"sys_exit_mount_setattr",
+ "sys_enter_open_tree_attr",
+ "sys_exit_open_tree_attr",
"sys_enter_close_range",
"sys_exit_close_range",
"sys_enter_dup3",
diff --git a/internal/types/generated_types.go b/internal/types/generated_types.go
index 9f220dd..09369e5 100644
--- a/internal/types/generated_types.go
+++ b/internal/types/generated_types.go
@@ -12,11 +12,11 @@ type EventType uint32
type TraceId uint32
var traceId2String = map[TraceId]string{
- 1513: "enter_io_uring_register", 1512: "exit_io_uring_register", 1494: "enter_io_uring_enter", 1493: "exit_io_uring_enter", 1492: "enter_io_uring_setup", 1491: "exit_io_uring_setup", 1151: "enter_quotactl_fd", 1150: "exit_quotactl_fd", 1120: "enter_flock", 1119: "exit_flock", 1104: "enter_io_setup", 1103: "exit_io_setup", 1102: "enter_io_destroy", 1101: "exit_io_destroy", 1100: "enter_io_submit", 1099: "exit_io_submit", 1098: "enter_io_cancel", 1097: "exit_io_cancel", 1096: "enter_io_getevents", 1095: "exit_io_getevents", 1094: "enter_io_pgetevents", 1093: "exit_io_pgetevents", 1062: "enter_fanotify_mark", 1061: "exit_fanotify_mark", 1050: "enter_fspick", 1049: "exit_fspick", 1048: "enter_fsconfig", 1047: "exit_fsconfig", 1046: "enter_statfs", 1045: "exit_statfs", 1044: "enter_fstatfs", 1043: "exit_fstatfs", 1038: "enter_utimensat", 1037: "exit_utimensat", 1036: "enter_futimesat", 1035: "exit_futimesat", 1030: "enter_sync", 1029: "exit_sync", 1028: "enter_syncfs", 1027: "exit_syncfs", 1026: "enter_fsync", 1025: "exit_fsync", 1024: "enter_fdatasync", 1023: "exit_fdatasync", 1022: "enter_sync_file_range", 1021: "exit_sync_file_range", 1020: "enter_vmsplice", 1019: "exit_vmsplice", 982: "enter_setxattrat", 981: "exit_setxattrat", 980: "enter_setxattr", 979: "exit_setxattr", 978: "enter_lsetxattr", 977: "exit_lsetxattr", 976: "enter_fsetxattr", 975: "exit_fsetxattr", 974: "enter_getxattrat", 973: "exit_getxattrat", 972: "enter_getxattr", 971: "exit_getxattr", 970: "enter_lgetxattr", 969: "exit_lgetxattr", 968: "enter_fgetxattr", 967: "exit_fgetxattr", 966: "enter_listxattrat", 965: "exit_listxattrat", 964: "enter_listxattr", 963: "exit_listxattr", 962: "enter_llistxattr", 961: "exit_llistxattr", 960: "enter_flistxattr", 959: "exit_flistxattr", 958: "enter_removexattrat", 957: "exit_removexattrat", 956: "enter_removexattr", 955: "exit_removexattr", 954: "enter_lremovexattr", 953: "exit_lremovexattr", 952: "enter_fremovexattr", 951: "exit_fremovexattr", 948: 
"enter_open_tree", 947: "exit_open_tree", 938: "enter_mount_setattr", 937: "exit_mount_setattr", 930: "enter_close_range", 929: "exit_close_range", 928: "enter_dup3", 927: "exit_dup3", 926: "enter_dup2", 925: "exit_dup2", 924: "enter_dup", 923: "exit_dup", 910: "enter_getdents", 909: "exit_getdents", 908: "enter_getdents64", 907: "exit_getdents64", 906: "enter_ioctl", 905: "exit_ioctl", 904: "enter_fcntl", 903: "exit_fcntl", 898: "enter_mkdirat", 897: "exit_mkdirat", 896: "enter_mkdir", 895: "exit_mkdir", 894: "enter_rmdir", 893: "exit_rmdir", 892: "enter_unlinkat", 891: "exit_unlinkat", 890: "enter_unlink", 889: "exit_unlink", 888: "enter_symlinkat", 887: "exit_symlinkat", 886: "enter_symlink", 885: "exit_symlink", 884: "enter_linkat", 883: "exit_linkat", 882: "enter_link", 881: "exit_link", 880: "enter_renameat2", 879: "exit_renameat2", 878: "enter_renameat", 877: "exit_renameat", 876: "enter_rename", 875: "exit_rename", 866: "enter_newstat", 865: "exit_newstat", 864: "enter_newlstat", 863: "exit_newlstat", 862: "enter_newfstatat", 861: "exit_newfstatat", 860: "enter_newfstat", 859: "exit_newfstat", 858: "enter_readlinkat", 857: "exit_readlinkat", 856: "enter_readlink", 855: "exit_readlink", 854: "enter_statx", 853: "exit_statx", 852: "enter_lseek", 851: "exit_lseek", 850: "enter_read", 849: "exit_read", 848: "enter_write", 847: "exit_write", 846: "enter_pread64", 845: "exit_pread64", 844: "enter_pwrite64", 843: "exit_pwrite64", 842: "enter_readv", 841: "exit_readv", 840: "enter_writev", 839: "exit_writev", 838: "enter_preadv", 837: "exit_preadv", 836: "enter_preadv2", 835: "exit_preadv2", 834: "enter_pwritev", 833: "exit_pwritev", 832: "enter_pwritev2", 831: "exit_pwritev2", 826: "enter_truncate", 825: "exit_truncate", 824: "enter_ftruncate", 823: "exit_ftruncate", 822: "enter_fallocate", 821: "exit_fallocate", 820: "enter_faccessat", 819: "exit_faccessat", 818: "enter_faccessat2", 817: "exit_faccessat2", 816: "enter_access", 815: "exit_access", 814: 
"enter_chdir", 813: "exit_chdir", 812: "enter_fchdir", 811: "exit_fchdir", 810: "enter_chroot", 809: "exit_chroot", 808: "enter_fchmod", 807: "exit_fchmod", 806: "enter_fchmodat2", 805: "exit_fchmodat2", 804: "enter_fchmodat", 803: "exit_fchmodat", 802: "enter_chmod", 801: "exit_chmod", 800: "enter_fchownat", 799: "exit_fchownat", 798: "enter_chown", 797: "exit_chown", 796: "enter_lchown", 795: "exit_lchown", 794: "enter_fchown", 793: "exit_fchown", 792: "enter_open", 791: "exit_open", 790: "enter_openat", 789: "exit_openat", 788: "enter_openat2", 787: "exit_openat2", 786: "enter_creat", 785: "exit_creat", 784: "enter_close", 783: "exit_close", 620: "enter_readahead", 619: "exit_readahead", 618: "enter_fadvise64", 617: "exit_fadvise64", 599: "enter_cachestat", 598: "exit_cachestat", 409: "enter_finit_module", 408: "exit_finit_module", 349: "enter_syslog", 348: "exit_syslog", 102: "enter_mmap", 101: "exit_mmap",
+ 1524: "enter_io_uring_register", 1523: "exit_io_uring_register", 1505: "enter_io_uring_enter", 1504: "exit_io_uring_enter", 1503: "enter_io_uring_setup", 1502: "exit_io_uring_setup", 1161: "enter_quotactl_fd", 1160: "exit_quotactl_fd", 1130: "enter_flock", 1129: "exit_flock", 1114: "enter_io_setup", 1113: "exit_io_setup", 1112: "enter_io_destroy", 1111: "exit_io_destroy", 1110: "enter_io_submit", 1109: "exit_io_submit", 1108: "enter_io_cancel", 1107: "exit_io_cancel", 1106: "enter_io_getevents", 1105: "exit_io_getevents", 1104: "enter_io_pgetevents", 1103: "exit_io_pgetevents", 1072: "enter_fanotify_mark", 1071: "exit_fanotify_mark", 1060: "enter_fspick", 1059: "exit_fspick", 1058: "enter_fsconfig", 1057: "exit_fsconfig", 1056: "enter_statfs", 1055: "exit_statfs", 1054: "enter_fstatfs", 1053: "exit_fstatfs", 1048: "enter_utimensat", 1047: "exit_utimensat", 1046: "enter_futimesat", 1045: "exit_futimesat", 1040: "enter_sync", 1039: "exit_sync", 1038: "enter_syncfs", 1037: "exit_syncfs", 1036: "enter_fsync", 1035: "exit_fsync", 1034: "enter_fdatasync", 1033: "exit_fdatasync", 1032: "enter_sync_file_range", 1031: "exit_sync_file_range", 1030: "enter_vmsplice", 1029: "exit_vmsplice", 992: "enter_setxattrat", 991: "exit_setxattrat", 990: "enter_setxattr", 989: "exit_setxattr", 988: "enter_lsetxattr", 987: "exit_lsetxattr", 986: "enter_fsetxattr", 985: "exit_fsetxattr", 984: "enter_getxattrat", 983: "exit_getxattrat", 982: "enter_getxattr", 981: "exit_getxattr", 980: "enter_lgetxattr", 979: "exit_lgetxattr", 978: "enter_fgetxattr", 977: "exit_fgetxattr", 976: "enter_listxattrat", 975: "exit_listxattrat", 974: "enter_listxattr", 973: "exit_listxattr", 972: "enter_llistxattr", 971: "exit_llistxattr", 970: "enter_flistxattr", 969: "exit_flistxattr", 968: "enter_removexattrat", 967: "exit_removexattrat", 966: "enter_removexattr", 965: "exit_removexattr", 964: "enter_lremovexattr", 963: "exit_lremovexattr", 962: "enter_fremovexattr", 961: "exit_fremovexattr", 958: 
"enter_open_tree", 957: "exit_open_tree", 948: "enter_mount_setattr", 947: "exit_mount_setattr", 946: "enter_open_tree_attr", 945: "exit_open_tree_attr", 938: "enter_close_range", 937: "exit_close_range", 936: "enter_dup3", 935: "exit_dup3", 934: "enter_dup2", 933: "exit_dup2", 932: "enter_dup", 931: "exit_dup", 918: "enter_getdents", 917: "exit_getdents", 916: "enter_getdents64", 915: "exit_getdents64", 914: "enter_ioctl", 913: "exit_ioctl", 912: "enter_fcntl", 911: "exit_fcntl", 906: "enter_mkdirat", 905: "exit_mkdirat", 904: "enter_mkdir", 903: "exit_mkdir", 902: "enter_rmdir", 901: "exit_rmdir", 900: "enter_unlinkat", 899: "exit_unlinkat", 898: "enter_unlink", 897: "exit_unlink", 896: "enter_symlinkat", 895: "exit_symlinkat", 894: "enter_symlink", 893: "exit_symlink", 892: "enter_linkat", 891: "exit_linkat", 890: "enter_link", 889: "exit_link", 888: "enter_renameat2", 887: "exit_renameat2", 886: "enter_renameat", 885: "exit_renameat", 884: "enter_rename", 883: "exit_rename", 874: "enter_newstat", 873: "exit_newstat", 872: "enter_newlstat", 871: "exit_newlstat", 870: "enter_newfstatat", 869: "exit_newfstatat", 868: "enter_newfstat", 867: "exit_newfstat", 866: "enter_readlinkat", 865: "exit_readlinkat", 864: "enter_readlink", 863: "exit_readlink", 862: "enter_statx", 861: "exit_statx", 860: "enter_lseek", 859: "exit_lseek", 858: "enter_read", 857: "exit_read", 856: "enter_write", 855: "exit_write", 854: "enter_pread64", 853: "exit_pread64", 852: "enter_pwrite64", 851: "exit_pwrite64", 850: "enter_readv", 849: "exit_readv", 848: "enter_writev", 847: "exit_writev", 846: "enter_preadv", 845: "exit_preadv", 844: "enter_preadv2", 843: "exit_preadv2", 842: "enter_pwritev", 841: "exit_pwritev", 840: "enter_pwritev2", 839: "exit_pwritev2", 834: "enter_truncate", 833: "exit_truncate", 832: "enter_ftruncate", 831: "exit_ftruncate", 830: "enter_fallocate", 829: "exit_fallocate", 828: "enter_faccessat", 827: "exit_faccessat", 826: "enter_faccessat2", 825: "exit_faccessat2", 
824: "enter_access", 823: "exit_access", 822: "enter_chdir", 821: "exit_chdir", 820: "enter_fchdir", 819: "exit_fchdir", 818: "enter_chroot", 817: "exit_chroot", 816: "enter_fchmod", 815: "exit_fchmod", 814: "enter_fchmodat2", 813: "exit_fchmodat2", 812: "enter_fchmodat", 811: "exit_fchmodat", 810: "enter_chmod", 809: "exit_chmod", 808: "enter_fchownat", 807: "exit_fchownat", 806: "enter_chown", 805: "exit_chown", 804: "enter_lchown", 803: "exit_lchown", 802: "enter_fchown", 801: "exit_fchown", 800: "enter_open", 799: "exit_open", 798: "enter_openat", 797: "exit_openat", 796: "enter_openat2", 795: "exit_openat2", 794: "enter_creat", 793: "exit_creat", 792: "enter_close", 791: "exit_close", 625: "enter_readahead", 624: "exit_readahead", 623: "enter_fadvise64", 622: "exit_fadvise64", 604: "enter_cachestat", 603: "exit_cachestat", 410: "enter_finit_module", 409: "exit_finit_module", 351: "enter_syslog", 350: "exit_syslog", 100: "enter_mmap", 99: "exit_mmap",
}
var traceId2Name = map[TraceId]string{
- 1513: "io_uring_register", 1512: "io_uring_register", 1494: "io_uring_enter", 1493: "io_uring_enter", 1492: "io_uring_setup", 1491: "io_uring_setup", 1151: "quotactl_fd", 1150: "quotactl_fd", 1120: "flock", 1119: "flock", 1104: "io_setup", 1103: "io_setup", 1102: "io_destroy", 1101: "io_destroy", 1100: "io_submit", 1099: "io_submit", 1098: "io_cancel", 1097: "io_cancel", 1096: "io_getevents", 1095: "io_getevents", 1094: "io_pgetevents", 1093: "io_pgetevents", 1062: "fanotify_mark", 1061: "fanotify_mark", 1050: "fspick", 1049: "fspick", 1048: "fsconfig", 1047: "fsconfig", 1046: "statfs", 1045: "statfs", 1044: "fstatfs", 1043: "fstatfs", 1038: "utimensat", 1037: "utimensat", 1036: "futimesat", 1035: "futimesat", 1030: "sync", 1029: "sync", 1028: "syncfs", 1027: "syncfs", 1026: "fsync", 1025: "fsync", 1024: "fdatasync", 1023: "fdatasync", 1022: "sync_file_range", 1021: "sync_file_range", 1020: "vmsplice", 1019: "vmsplice", 982: "setxattrat", 981: "setxattrat", 980: "setxattr", 979: "setxattr", 978: "lsetxattr", 977: "lsetxattr", 976: "fsetxattr", 975: "fsetxattr", 974: "getxattrat", 973: "getxattrat", 972: "getxattr", 971: "getxattr", 970: "lgetxattr", 969: "lgetxattr", 968: "fgetxattr", 967: "fgetxattr", 966: "listxattrat", 965: "listxattrat", 964: "listxattr", 963: "listxattr", 962: "llistxattr", 961: "llistxattr", 960: "flistxattr", 959: "flistxattr", 958: "removexattrat", 957: "removexattrat", 956: "removexattr", 955: "removexattr", 954: "lremovexattr", 953: "lremovexattr", 952: "fremovexattr", 951: "fremovexattr", 948: "open_tree", 947: "open_tree", 938: "mount_setattr", 937: "mount_setattr", 930: "close_range", 929: "close_range", 928: "dup3", 927: "dup3", 926: "dup2", 925: "dup2", 924: "dup", 923: "dup", 910: "getdents", 909: "getdents", 908: "getdents64", 907: "getdents64", 906: "ioctl", 905: "ioctl", 904: "fcntl", 903: "fcntl", 898: "mkdirat", 897: "mkdirat", 896: "mkdir", 895: "mkdir", 894: "rmdir", 893: "rmdir", 892: "unlinkat", 891: "unlinkat", 890: 
"unlink", 889: "unlink", 888: "symlinkat", 887: "symlinkat", 886: "symlink", 885: "symlink", 884: "linkat", 883: "linkat", 882: "link", 881: "link", 880: "renameat2", 879: "renameat2", 878: "renameat", 877: "renameat", 876: "rename", 875: "rename", 866: "newstat", 865: "newstat", 864: "newlstat", 863: "newlstat", 862: "newfstatat", 861: "newfstatat", 860: "newfstat", 859: "newfstat", 858: "readlinkat", 857: "readlinkat", 856: "readlink", 855: "readlink", 854: "statx", 853: "statx", 852: "lseek", 851: "lseek", 850: "read", 849: "read", 848: "write", 847: "write", 846: "pread64", 845: "pread64", 844: "pwrite64", 843: "pwrite64", 842: "readv", 841: "readv", 840: "writev", 839: "writev", 838: "preadv", 837: "preadv", 836: "preadv2", 835: "preadv2", 834: "pwritev", 833: "pwritev", 832: "pwritev2", 831: "pwritev2", 826: "truncate", 825: "truncate", 824: "ftruncate", 823: "ftruncate", 822: "fallocate", 821: "fallocate", 820: "faccessat", 819: "faccessat", 818: "faccessat2", 817: "faccessat2", 816: "access", 815: "access", 814: "chdir", 813: "chdir", 812: "fchdir", 811: "fchdir", 810: "chroot", 809: "chroot", 808: "fchmod", 807: "fchmod", 806: "fchmodat2", 805: "fchmodat2", 804: "fchmodat", 803: "fchmodat", 802: "chmod", 801: "chmod", 800: "fchownat", 799: "fchownat", 798: "chown", 797: "chown", 796: "lchown", 795: "lchown", 794: "fchown", 793: "fchown", 792: "open", 791: "open", 790: "openat", 789: "openat", 788: "openat2", 787: "openat2", 786: "creat", 785: "creat", 784: "close", 783: "close", 620: "readahead", 619: "readahead", 618: "fadvise64", 617: "fadvise64", 599: "cachestat", 598: "cachestat", 409: "finit_module", 408: "finit_module", 349: "syslog", 348: "syslog", 102: "mmap", 101: "mmap",
+ 1524: "io_uring_register", 1523: "io_uring_register", 1505: "io_uring_enter", 1504: "io_uring_enter", 1503: "io_uring_setup", 1502: "io_uring_setup", 1161: "quotactl_fd", 1160: "quotactl_fd", 1130: "flock", 1129: "flock", 1114: "io_setup", 1113: "io_setup", 1112: "io_destroy", 1111: "io_destroy", 1110: "io_submit", 1109: "io_submit", 1108: "io_cancel", 1107: "io_cancel", 1106: "io_getevents", 1105: "io_getevents", 1104: "io_pgetevents", 1103: "io_pgetevents", 1072: "fanotify_mark", 1071: "fanotify_mark", 1060: "fspick", 1059: "fspick", 1058: "fsconfig", 1057: "fsconfig", 1056: "statfs", 1055: "statfs", 1054: "fstatfs", 1053: "fstatfs", 1048: "utimensat", 1047: "utimensat", 1046: "futimesat", 1045: "futimesat", 1040: "sync", 1039: "sync", 1038: "syncfs", 1037: "syncfs", 1036: "fsync", 1035: "fsync", 1034: "fdatasync", 1033: "fdatasync", 1032: "sync_file_range", 1031: "sync_file_range", 1030: "vmsplice", 1029: "vmsplice", 992: "setxattrat", 991: "setxattrat", 990: "setxattr", 989: "setxattr", 988: "lsetxattr", 987: "lsetxattr", 986: "fsetxattr", 985: "fsetxattr", 984: "getxattrat", 983: "getxattrat", 982: "getxattr", 981: "getxattr", 980: "lgetxattr", 979: "lgetxattr", 978: "fgetxattr", 977: "fgetxattr", 976: "listxattrat", 975: "listxattrat", 974: "listxattr", 973: "listxattr", 972: "llistxattr", 971: "llistxattr", 970: "flistxattr", 969: "flistxattr", 968: "removexattrat", 967: "removexattrat", 966: "removexattr", 965: "removexattr", 964: "lremovexattr", 963: "lremovexattr", 962: "fremovexattr", 961: "fremovexattr", 958: "open_tree", 957: "open_tree", 948: "mount_setattr", 947: "mount_setattr", 946: "open_tree_attr", 945: "open_tree_attr", 938: "close_range", 937: "close_range", 936: "dup3", 935: "dup3", 934: "dup2", 933: "dup2", 932: "dup", 931: "dup", 918: "getdents", 917: "getdents", 916: "getdents64", 915: "getdents64", 914: "ioctl", 913: "ioctl", 912: "fcntl", 911: "fcntl", 906: "mkdirat", 905: "mkdirat", 904: "mkdir", 903: "mkdir", 902: "rmdir", 901: 
"rmdir", 900: "unlinkat", 899: "unlinkat", 898: "unlink", 897: "unlink", 896: "symlinkat", 895: "symlinkat", 894: "symlink", 893: "symlink", 892: "linkat", 891: "linkat", 890: "link", 889: "link", 888: "renameat2", 887: "renameat2", 886: "renameat", 885: "renameat", 884: "rename", 883: "rename", 874: "newstat", 873: "newstat", 872: "newlstat", 871: "newlstat", 870: "newfstatat", 869: "newfstatat", 868: "newfstat", 867: "newfstat", 866: "readlinkat", 865: "readlinkat", 864: "readlink", 863: "readlink", 862: "statx", 861: "statx", 860: "lseek", 859: "lseek", 858: "read", 857: "read", 856: "write", 855: "write", 854: "pread64", 853: "pread64", 852: "pwrite64", 851: "pwrite64", 850: "readv", 849: "readv", 848: "writev", 847: "writev", 846: "preadv", 845: "preadv", 844: "preadv2", 843: "preadv2", 842: "pwritev", 841: "pwritev", 840: "pwritev2", 839: "pwritev2", 834: "truncate", 833: "truncate", 832: "ftruncate", 831: "ftruncate", 830: "fallocate", 829: "fallocate", 828: "faccessat", 827: "faccessat", 826: "faccessat2", 825: "faccessat2", 824: "access", 823: "access", 822: "chdir", 821: "chdir", 820: "fchdir", 819: "fchdir", 818: "chroot", 817: "chroot", 816: "fchmod", 815: "fchmod", 814: "fchmodat2", 813: "fchmodat2", 812: "fchmodat", 811: "fchmodat", 810: "chmod", 809: "chmod", 808: "fchownat", 807: "fchownat", 806: "chown", 805: "chown", 804: "lchown", 803: "lchown", 802: "fchown", 801: "fchown", 800: "open", 799: "open", 798: "openat", 797: "openat", 796: "openat2", 795: "openat2", 794: "creat", 793: "creat", 792: "close", 791: "close", 625: "readahead", 624: "readahead", 623: "fadvise64", 622: "fadvise64", 604: "cachestat", 603: "cachestat", 410: "finit_module", 409: "finit_module", 351: "syslog", 350: "syslog", 100: "mmap", 99: "mmap",
}
func (s TraceId) String() string {
@@ -53,6 +53,9 @@ const ENTER_FCNTL_EVENT = 13
const EXIT_FCNTL_EVENT = 14
const ENTER_DUP3_EVENT = 15
const EXIT_DUP3_EVENT = 16
+const RET_EVENT_IS_OTHER = 0
+const RET_EVENT_IS_READ = 1
+const RET_EVENT_IS_WRITE = 2
type OpenEvent struct {
EventType EventType
@@ -263,10 +266,11 @@ type RetEvent struct {
Ret int64
Pid uint32
Tid uint32
+ RetType uint32
}
func (r RetEvent) String() string {
- return fmt.Sprintf("EventType:%v TraceId:%v Time:%v Ret:%v Pid:%v Tid:%v", r.EventType, r.TraceId, r.Time, r.Ret, r.Pid, r.Tid)
+ return fmt.Sprintf("EventType:%v TraceId:%v Time:%v Ret:%v Pid:%v Tid:%v RetType:%v", r.EventType, r.TraceId, r.Time, r.Ret, r.Pid, r.Tid, r.RetType)
}
func (r RetEvent) Equals(other any) bool {
@@ -274,7 +278,7 @@ func (r RetEvent) Equals(other any) bool {
if !ok {
return false
}
- return r.EventType == otherConcrete.EventType && r.TraceId == otherConcrete.TraceId && r.Time == otherConcrete.Time && r.Ret == otherConcrete.Ret && r.Pid == otherConcrete.Pid && r.Tid == otherConcrete.Tid
+ return r.EventType == otherConcrete.EventType && r.TraceId == otherConcrete.TraceId && r.Time == otherConcrete.Time && r.Ret == otherConcrete.Ret && r.Pid == otherConcrete.Pid && r.Tid == otherConcrete.Tid && r.RetType == otherConcrete.RetType
}
func (r *RetEvent) GetEventType() EventType {
@@ -595,219 +599,221 @@ func (d *Dup3Event) Recycle() {
poolOfDup3Events.Put(d)
}
-const SYS_ENTER_IO_URING_REGISTER TraceId = 1513
-const SYS_EXIT_IO_URING_REGISTER TraceId = 1512
-const SYS_ENTER_IO_URING_ENTER TraceId = 1494
-const SYS_EXIT_IO_URING_ENTER TraceId = 1493
-const SYS_ENTER_IO_URING_SETUP TraceId = 1492
-const SYS_EXIT_IO_URING_SETUP TraceId = 1491
-const SYS_ENTER_QUOTACTL_FD TraceId = 1151
-const SYS_EXIT_QUOTACTL_FD TraceId = 1150
-const SYS_ENTER_FLOCK TraceId = 1120
-const SYS_EXIT_FLOCK TraceId = 1119
-const SYS_ENTER_IO_SETUP TraceId = 1104
-const SYS_EXIT_IO_SETUP TraceId = 1103
-const SYS_ENTER_IO_DESTROY TraceId = 1102
-const SYS_EXIT_IO_DESTROY TraceId = 1101
-const SYS_ENTER_IO_SUBMIT TraceId = 1100
-const SYS_EXIT_IO_SUBMIT TraceId = 1099
-const SYS_ENTER_IO_CANCEL TraceId = 1098
-const SYS_EXIT_IO_CANCEL TraceId = 1097
-const SYS_ENTER_IO_GETEVENTS TraceId = 1096
-const SYS_EXIT_IO_GETEVENTS TraceId = 1095
-const SYS_ENTER_IO_PGETEVENTS TraceId = 1094
-const SYS_EXIT_IO_PGETEVENTS TraceId = 1093
-const SYS_ENTER_FANOTIFY_MARK TraceId = 1062
-const SYS_EXIT_FANOTIFY_MARK TraceId = 1061
-const SYS_ENTER_FSPICK TraceId = 1050
-const SYS_EXIT_FSPICK TraceId = 1049
-const SYS_ENTER_FSCONFIG TraceId = 1048
-const SYS_EXIT_FSCONFIG TraceId = 1047
-const SYS_ENTER_STATFS TraceId = 1046
-const SYS_EXIT_STATFS TraceId = 1045
-const SYS_ENTER_FSTATFS TraceId = 1044
-const SYS_EXIT_FSTATFS TraceId = 1043
-const SYS_ENTER_UTIMENSAT TraceId = 1038
-const SYS_EXIT_UTIMENSAT TraceId = 1037
-const SYS_ENTER_FUTIMESAT TraceId = 1036
-const SYS_EXIT_FUTIMESAT TraceId = 1035
-const SYS_ENTER_SYNC TraceId = 1030
-const SYS_EXIT_SYNC TraceId = 1029
-const SYS_ENTER_SYNCFS TraceId = 1028
-const SYS_EXIT_SYNCFS TraceId = 1027
-const SYS_ENTER_FSYNC TraceId = 1026
-const SYS_EXIT_FSYNC TraceId = 1025
-const SYS_ENTER_FDATASYNC TraceId = 1024
-const SYS_EXIT_FDATASYNC TraceId = 1023
-const SYS_ENTER_SYNC_FILE_RANGE TraceId = 1022
-const SYS_EXIT_SYNC_FILE_RANGE TraceId = 1021
-const SYS_ENTER_VMSPLICE TraceId = 1020
-const SYS_EXIT_VMSPLICE TraceId = 1019
-const SYS_ENTER_SETXATTRAT TraceId = 982
-const SYS_EXIT_SETXATTRAT TraceId = 981
-const SYS_ENTER_SETXATTR TraceId = 980
-const SYS_EXIT_SETXATTR TraceId = 979
-const SYS_ENTER_LSETXATTR TraceId = 978
-const SYS_EXIT_LSETXATTR TraceId = 977
-const SYS_ENTER_FSETXATTR TraceId = 976
-const SYS_EXIT_FSETXATTR TraceId = 975
-const SYS_ENTER_GETXATTRAT TraceId = 974
-const SYS_EXIT_GETXATTRAT TraceId = 973
-const SYS_ENTER_GETXATTR TraceId = 972
-const SYS_EXIT_GETXATTR TraceId = 971
-const SYS_ENTER_LGETXATTR TraceId = 970
-const SYS_EXIT_LGETXATTR TraceId = 969
-const SYS_ENTER_FGETXATTR TraceId = 968
-const SYS_EXIT_FGETXATTR TraceId = 967
-const SYS_ENTER_LISTXATTRAT TraceId = 966
-const SYS_EXIT_LISTXATTRAT TraceId = 965
-const SYS_ENTER_LISTXATTR TraceId = 964
-const SYS_EXIT_LISTXATTR TraceId = 963
-const SYS_ENTER_LLISTXATTR TraceId = 962
-const SYS_EXIT_LLISTXATTR TraceId = 961
-const SYS_ENTER_FLISTXATTR TraceId = 960
-const SYS_EXIT_FLISTXATTR TraceId = 959
-const SYS_ENTER_REMOVEXATTRAT TraceId = 958
-const SYS_EXIT_REMOVEXATTRAT TraceId = 957
-const SYS_ENTER_REMOVEXATTR TraceId = 956
-const SYS_EXIT_REMOVEXATTR TraceId = 955
-const SYS_ENTER_LREMOVEXATTR TraceId = 954
-const SYS_EXIT_LREMOVEXATTR TraceId = 953
-const SYS_ENTER_FREMOVEXATTR TraceId = 952
-const SYS_EXIT_FREMOVEXATTR TraceId = 951
-const SYS_ENTER_OPEN_TREE TraceId = 948
-const SYS_EXIT_OPEN_TREE TraceId = 947
-const SYS_ENTER_MOUNT_SETATTR TraceId = 938
-const SYS_EXIT_MOUNT_SETATTR TraceId = 937
-const SYS_ENTER_CLOSE_RANGE TraceId = 930
-const SYS_EXIT_CLOSE_RANGE TraceId = 929
-const SYS_ENTER_DUP3 TraceId = 928
-const SYS_EXIT_DUP3 TraceId = 927
-const SYS_ENTER_DUP2 TraceId = 926
-const SYS_EXIT_DUP2 TraceId = 925
-const SYS_ENTER_DUP TraceId = 924
-const SYS_EXIT_DUP TraceId = 923
-const SYS_ENTER_GETDENTS TraceId = 910
-const SYS_EXIT_GETDENTS TraceId = 909
-const SYS_ENTER_GETDENTS64 TraceId = 908
-const SYS_EXIT_GETDENTS64 TraceId = 907
-const SYS_ENTER_IOCTL TraceId = 906
-const SYS_EXIT_IOCTL TraceId = 905
-const SYS_ENTER_FCNTL TraceId = 904
-const SYS_EXIT_FCNTL TraceId = 903
-const SYS_ENTER_MKDIRAT TraceId = 898
-const SYS_EXIT_MKDIRAT TraceId = 897
-const SYS_ENTER_MKDIR TraceId = 896
-const SYS_EXIT_MKDIR TraceId = 895
-const SYS_ENTER_RMDIR TraceId = 894
-const SYS_EXIT_RMDIR TraceId = 893
-const SYS_ENTER_UNLINKAT TraceId = 892
-const SYS_EXIT_UNLINKAT TraceId = 891
-const SYS_ENTER_UNLINK TraceId = 890
-const SYS_EXIT_UNLINK TraceId = 889
-const SYS_ENTER_SYMLINKAT TraceId = 888
-const SYS_EXIT_SYMLINKAT TraceId = 887
-const SYS_ENTER_SYMLINK TraceId = 886
-const SYS_EXIT_SYMLINK TraceId = 885
-const SYS_ENTER_LINKAT TraceId = 884
-const SYS_EXIT_LINKAT TraceId = 883
-const SYS_ENTER_LINK TraceId = 882
-const SYS_EXIT_LINK TraceId = 881
-const SYS_ENTER_RENAMEAT2 TraceId = 880
-const SYS_EXIT_RENAMEAT2 TraceId = 879
-const SYS_ENTER_RENAMEAT TraceId = 878
-const SYS_EXIT_RENAMEAT TraceId = 877
-const SYS_ENTER_RENAME TraceId = 876
-const SYS_EXIT_RENAME TraceId = 875
-const SYS_ENTER_NEWSTAT TraceId = 866
-const SYS_EXIT_NEWSTAT TraceId = 865
-const SYS_ENTER_NEWLSTAT TraceId = 864
-const SYS_EXIT_NEWLSTAT TraceId = 863
-const SYS_ENTER_NEWFSTATAT TraceId = 862
-const SYS_EXIT_NEWFSTATAT TraceId = 861
-const SYS_ENTER_NEWFSTAT TraceId = 860
-const SYS_EXIT_NEWFSTAT TraceId = 859
-const SYS_ENTER_READLINKAT TraceId = 858
-const SYS_EXIT_READLINKAT TraceId = 857
-const SYS_ENTER_READLINK TraceId = 856
-const SYS_EXIT_READLINK TraceId = 855
-const SYS_ENTER_STATX TraceId = 854
-const SYS_EXIT_STATX TraceId = 853
-const SYS_ENTER_LSEEK TraceId = 852
-const SYS_EXIT_LSEEK TraceId = 851
-const SYS_ENTER_READ TraceId = 850
-const SYS_EXIT_READ TraceId = 849
-const SYS_ENTER_WRITE TraceId = 848
-const SYS_EXIT_WRITE TraceId = 847
-const SYS_ENTER_PREAD64 TraceId = 846
-const SYS_EXIT_PREAD64 TraceId = 845
-const SYS_ENTER_PWRITE64 TraceId = 844
-const SYS_EXIT_PWRITE64 TraceId = 843
-const SYS_ENTER_READV TraceId = 842
-const SYS_EXIT_READV TraceId = 841
-const SYS_ENTER_WRITEV TraceId = 840
-const SYS_EXIT_WRITEV TraceId = 839
-const SYS_ENTER_PREADV TraceId = 838
-const SYS_EXIT_PREADV TraceId = 837
-const SYS_ENTER_PREADV2 TraceId = 836
-const SYS_EXIT_PREADV2 TraceId = 835
-const SYS_ENTER_PWRITEV TraceId = 834
-const SYS_EXIT_PWRITEV TraceId = 833
-const SYS_ENTER_PWRITEV2 TraceId = 832
-const SYS_EXIT_PWRITEV2 TraceId = 831
-const SYS_ENTER_TRUNCATE TraceId = 826
-const SYS_EXIT_TRUNCATE TraceId = 825
-const SYS_ENTER_FTRUNCATE TraceId = 824
-const SYS_EXIT_FTRUNCATE TraceId = 823
-const SYS_ENTER_FALLOCATE TraceId = 822
-const SYS_EXIT_FALLOCATE TraceId = 821
-const SYS_ENTER_FACCESSAT TraceId = 820
-const SYS_EXIT_FACCESSAT TraceId = 819
-const SYS_ENTER_FACCESSAT2 TraceId = 818
-const SYS_EXIT_FACCESSAT2 TraceId = 817
-const SYS_ENTER_ACCESS TraceId = 816
-const SYS_EXIT_ACCESS TraceId = 815
-const SYS_ENTER_CHDIR TraceId = 814
-const SYS_EXIT_CHDIR TraceId = 813
-const SYS_ENTER_FCHDIR TraceId = 812
-const SYS_EXIT_FCHDIR TraceId = 811
-const SYS_ENTER_CHROOT TraceId = 810
-const SYS_EXIT_CHROOT TraceId = 809
-const SYS_ENTER_FCHMOD TraceId = 808
-const SYS_EXIT_FCHMOD TraceId = 807
-const SYS_ENTER_FCHMODAT2 TraceId = 806
-const SYS_EXIT_FCHMODAT2 TraceId = 805
-const SYS_ENTER_FCHMODAT TraceId = 804
-const SYS_EXIT_FCHMODAT TraceId = 803
-const SYS_ENTER_CHMOD TraceId = 802
-const SYS_EXIT_CHMOD TraceId = 801
-const SYS_ENTER_FCHOWNAT TraceId = 800
-const SYS_EXIT_FCHOWNAT TraceId = 799
-const SYS_ENTER_CHOWN TraceId = 798
-const SYS_EXIT_CHOWN TraceId = 797
-const SYS_ENTER_LCHOWN TraceId = 796
-const SYS_EXIT_LCHOWN TraceId = 795
-const SYS_ENTER_FCHOWN TraceId = 794
-const SYS_EXIT_FCHOWN TraceId = 793
-const SYS_ENTER_OPEN TraceId = 792
-const SYS_EXIT_OPEN TraceId = 791
-const SYS_ENTER_OPENAT TraceId = 790
-const SYS_EXIT_OPENAT TraceId = 789
-const SYS_ENTER_OPENAT2 TraceId = 788
-const SYS_EXIT_OPENAT2 TraceId = 787
-const SYS_ENTER_CREAT TraceId = 786
-const SYS_EXIT_CREAT TraceId = 785
-const SYS_ENTER_CLOSE TraceId = 784
-const SYS_EXIT_CLOSE TraceId = 783
-const SYS_ENTER_READAHEAD TraceId = 620
-const SYS_EXIT_READAHEAD TraceId = 619
-const SYS_ENTER_FADVISE64 TraceId = 618
-const SYS_EXIT_FADVISE64 TraceId = 617
-const SYS_ENTER_CACHESTAT TraceId = 599
-const SYS_EXIT_CACHESTAT TraceId = 598
-const SYS_ENTER_FINIT_MODULE TraceId = 409
-const SYS_EXIT_FINIT_MODULE TraceId = 408
-const SYS_ENTER_SYSLOG TraceId = 349
-const SYS_EXIT_SYSLOG TraceId = 348
-const SYS_ENTER_MMAP TraceId = 102
-const SYS_EXIT_MMAP TraceId = 101
+const SYS_ENTER_IO_URING_REGISTER TraceId = 1524
+const SYS_EXIT_IO_URING_REGISTER TraceId = 1523
+const SYS_ENTER_IO_URING_ENTER TraceId = 1505
+const SYS_EXIT_IO_URING_ENTER TraceId = 1504
+const SYS_ENTER_IO_URING_SETUP TraceId = 1503
+const SYS_EXIT_IO_URING_SETUP TraceId = 1502
+const SYS_ENTER_QUOTACTL_FD TraceId = 1161
+const SYS_EXIT_QUOTACTL_FD TraceId = 1160
+const SYS_ENTER_FLOCK TraceId = 1130
+const SYS_EXIT_FLOCK TraceId = 1129
+const SYS_ENTER_IO_SETUP TraceId = 1114
+const SYS_EXIT_IO_SETUP TraceId = 1113
+const SYS_ENTER_IO_DESTROY TraceId = 1112
+const SYS_EXIT_IO_DESTROY TraceId = 1111
+const SYS_ENTER_IO_SUBMIT TraceId = 1110
+const SYS_EXIT_IO_SUBMIT TraceId = 1109
+const SYS_ENTER_IO_CANCEL TraceId = 1108
+const SYS_EXIT_IO_CANCEL TraceId = 1107
+const SYS_ENTER_IO_GETEVENTS TraceId = 1106
+const SYS_EXIT_IO_GETEVENTS TraceId = 1105
+const SYS_ENTER_IO_PGETEVENTS TraceId = 1104
+const SYS_EXIT_IO_PGETEVENTS TraceId = 1103
+const SYS_ENTER_FANOTIFY_MARK TraceId = 1072
+const SYS_EXIT_FANOTIFY_MARK TraceId = 1071
+const SYS_ENTER_FSPICK TraceId = 1060
+const SYS_EXIT_FSPICK TraceId = 1059
+const SYS_ENTER_FSCONFIG TraceId = 1058
+const SYS_EXIT_FSCONFIG TraceId = 1057
+const SYS_ENTER_STATFS TraceId = 1056
+const SYS_EXIT_STATFS TraceId = 1055
+const SYS_ENTER_FSTATFS TraceId = 1054
+const SYS_EXIT_FSTATFS TraceId = 1053
+const SYS_ENTER_UTIMENSAT TraceId = 1048
+const SYS_EXIT_UTIMENSAT TraceId = 1047
+const SYS_ENTER_FUTIMESAT TraceId = 1046
+const SYS_EXIT_FUTIMESAT TraceId = 1045
+const SYS_ENTER_SYNC TraceId = 1040
+const SYS_EXIT_SYNC TraceId = 1039
+const SYS_ENTER_SYNCFS TraceId = 1038
+const SYS_EXIT_SYNCFS TraceId = 1037
+const SYS_ENTER_FSYNC TraceId = 1036
+const SYS_EXIT_FSYNC TraceId = 1035
+const SYS_ENTER_FDATASYNC TraceId = 1034
+const SYS_EXIT_FDATASYNC TraceId = 1033
+const SYS_ENTER_SYNC_FILE_RANGE TraceId = 1032
+const SYS_EXIT_SYNC_FILE_RANGE TraceId = 1031
+const SYS_ENTER_VMSPLICE TraceId = 1030
+const SYS_EXIT_VMSPLICE TraceId = 1029
+const SYS_ENTER_SETXATTRAT TraceId = 992
+const SYS_EXIT_SETXATTRAT TraceId = 991
+const SYS_ENTER_SETXATTR TraceId = 990
+const SYS_EXIT_SETXATTR TraceId = 989
+const SYS_ENTER_LSETXATTR TraceId = 988
+const SYS_EXIT_LSETXATTR TraceId = 987
+const SYS_ENTER_FSETXATTR TraceId = 986
+const SYS_EXIT_FSETXATTR TraceId = 985
+const SYS_ENTER_GETXATTRAT TraceId = 984
+const SYS_EXIT_GETXATTRAT TraceId = 983
+const SYS_ENTER_GETXATTR TraceId = 982
+const SYS_EXIT_GETXATTR TraceId = 981
+const SYS_ENTER_LGETXATTR TraceId = 980
+const SYS_EXIT_LGETXATTR TraceId = 979
+const SYS_ENTER_FGETXATTR TraceId = 978
+const SYS_EXIT_FGETXATTR TraceId = 977
+const SYS_ENTER_LISTXATTRAT TraceId = 976
+const SYS_EXIT_LISTXATTRAT TraceId = 975
+const SYS_ENTER_LISTXATTR TraceId = 974
+const SYS_EXIT_LISTXATTR TraceId = 973
+const SYS_ENTER_LLISTXATTR TraceId = 972
+const SYS_EXIT_LLISTXATTR TraceId = 971
+const SYS_ENTER_FLISTXATTR TraceId = 970
+const SYS_EXIT_FLISTXATTR TraceId = 969
+const SYS_ENTER_REMOVEXATTRAT TraceId = 968
+const SYS_EXIT_REMOVEXATTRAT TraceId = 967
+const SYS_ENTER_REMOVEXATTR TraceId = 966
+const SYS_EXIT_REMOVEXATTR TraceId = 965
+const SYS_ENTER_LREMOVEXATTR TraceId = 964
+const SYS_EXIT_LREMOVEXATTR TraceId = 963
+const SYS_ENTER_FREMOVEXATTR TraceId = 962
+const SYS_EXIT_FREMOVEXATTR TraceId = 961
+const SYS_ENTER_OPEN_TREE TraceId = 958
+const SYS_EXIT_OPEN_TREE TraceId = 957
+const SYS_ENTER_MOUNT_SETATTR TraceId = 948
+const SYS_EXIT_MOUNT_SETATTR TraceId = 947
+const SYS_ENTER_OPEN_TREE_ATTR TraceId = 946
+const SYS_EXIT_OPEN_TREE_ATTR TraceId = 945
+const SYS_ENTER_CLOSE_RANGE TraceId = 938
+const SYS_EXIT_CLOSE_RANGE TraceId = 937
+const SYS_ENTER_DUP3 TraceId = 936
+const SYS_EXIT_DUP3 TraceId = 935
+const SYS_ENTER_DUP2 TraceId = 934
+const SYS_EXIT_DUP2 TraceId = 933
+const SYS_ENTER_DUP TraceId = 932
+const SYS_EXIT_DUP TraceId = 931
+const SYS_ENTER_GETDENTS TraceId = 918
+const SYS_EXIT_GETDENTS TraceId = 917
+const SYS_ENTER_GETDENTS64 TraceId = 916
+const SYS_EXIT_GETDENTS64 TraceId = 915
+const SYS_ENTER_IOCTL TraceId = 914
+const SYS_EXIT_IOCTL TraceId = 913
+const SYS_ENTER_FCNTL TraceId = 912
+const SYS_EXIT_FCNTL TraceId = 911
+const SYS_ENTER_MKDIRAT TraceId = 906
+const SYS_EXIT_MKDIRAT TraceId = 905
+const SYS_ENTER_MKDIR TraceId = 904
+const SYS_EXIT_MKDIR TraceId = 903
+const SYS_ENTER_RMDIR TraceId = 902
+const SYS_EXIT_RMDIR TraceId = 901
+const SYS_ENTER_UNLINKAT TraceId = 900
+const SYS_EXIT_UNLINKAT TraceId = 899
+const SYS_ENTER_UNLINK TraceId = 898
+const SYS_EXIT_UNLINK TraceId = 897
+const SYS_ENTER_SYMLINKAT TraceId = 896
+const SYS_EXIT_SYMLINKAT TraceId = 895
+const SYS_ENTER_SYMLINK TraceId = 894
+const SYS_EXIT_SYMLINK TraceId = 893
+const SYS_ENTER_LINKAT TraceId = 892
+const SYS_EXIT_LINKAT TraceId = 891
+const SYS_ENTER_LINK TraceId = 890
+const SYS_EXIT_LINK TraceId = 889
+const SYS_ENTER_RENAMEAT2 TraceId = 888
+const SYS_EXIT_RENAMEAT2 TraceId = 887
+const SYS_ENTER_RENAMEAT TraceId = 886
+const SYS_EXIT_RENAMEAT TraceId = 885
+const SYS_ENTER_RENAME TraceId = 884
+const SYS_EXIT_RENAME TraceId = 883
+const SYS_ENTER_NEWSTAT TraceId = 874
+const SYS_EXIT_NEWSTAT TraceId = 873
+const SYS_ENTER_NEWLSTAT TraceId = 872
+const SYS_EXIT_NEWLSTAT TraceId = 871
+const SYS_ENTER_NEWFSTATAT TraceId = 870
+const SYS_EXIT_NEWFSTATAT TraceId = 869
+const SYS_ENTER_NEWFSTAT TraceId = 868
+const SYS_EXIT_NEWFSTAT TraceId = 867
+const SYS_ENTER_READLINKAT TraceId = 866
+const SYS_EXIT_READLINKAT TraceId = 865
+const SYS_ENTER_READLINK TraceId = 864
+const SYS_EXIT_READLINK TraceId = 863
+const SYS_ENTER_STATX TraceId = 862
+const SYS_EXIT_STATX TraceId = 861
+const SYS_ENTER_LSEEK TraceId = 860
+const SYS_EXIT_LSEEK TraceId = 859
+const SYS_ENTER_READ TraceId = 858
+const SYS_EXIT_READ TraceId = 857
+const SYS_ENTER_WRITE TraceId = 856
+const SYS_EXIT_WRITE TraceId = 855
+const SYS_ENTER_PREAD64 TraceId = 854
+const SYS_EXIT_PREAD64 TraceId = 853
+const SYS_ENTER_PWRITE64 TraceId = 852
+const SYS_EXIT_PWRITE64 TraceId = 851
+const SYS_ENTER_READV TraceId = 850
+const SYS_EXIT_READV TraceId = 849
+const SYS_ENTER_WRITEV TraceId = 848
+const SYS_EXIT_WRITEV TraceId = 847
+const SYS_ENTER_PREADV TraceId = 846
+const SYS_EXIT_PREADV TraceId = 845
+const SYS_ENTER_PREADV2 TraceId = 844
+const SYS_EXIT_PREADV2 TraceId = 843
+const SYS_ENTER_PWRITEV TraceId = 842
+const SYS_EXIT_PWRITEV TraceId = 841
+const SYS_ENTER_PWRITEV2 TraceId = 840
+const SYS_EXIT_PWRITEV2 TraceId = 839
+const SYS_ENTER_TRUNCATE TraceId = 834
+const SYS_EXIT_TRUNCATE TraceId = 833
+const SYS_ENTER_FTRUNCATE TraceId = 832
+const SYS_EXIT_FTRUNCATE TraceId = 831
+const SYS_ENTER_FALLOCATE TraceId = 830
+const SYS_EXIT_FALLOCATE TraceId = 829
+const SYS_ENTER_FACCESSAT TraceId = 828
+const SYS_EXIT_FACCESSAT TraceId = 827
+const SYS_ENTER_FACCESSAT2 TraceId = 826
+const SYS_EXIT_FACCESSAT2 TraceId = 825
+const SYS_ENTER_ACCESS TraceId = 824
+const SYS_EXIT_ACCESS TraceId = 823
+const SYS_ENTER_CHDIR TraceId = 822
+const SYS_EXIT_CHDIR TraceId = 821
+const SYS_ENTER_FCHDIR TraceId = 820
+const SYS_EXIT_FCHDIR TraceId = 819
+const SYS_ENTER_CHROOT TraceId = 818
+const SYS_EXIT_CHROOT TraceId = 817
+const SYS_ENTER_FCHMOD TraceId = 816
+const SYS_EXIT_FCHMOD TraceId = 815
+const SYS_ENTER_FCHMODAT2 TraceId = 814
+const SYS_EXIT_FCHMODAT2 TraceId = 813
+const SYS_ENTER_FCHMODAT TraceId = 812
+const SYS_EXIT_FCHMODAT TraceId = 811
+const SYS_ENTER_CHMOD TraceId = 810
+const SYS_EXIT_CHMOD TraceId = 809
+const SYS_ENTER_FCHOWNAT TraceId = 808
+const SYS_EXIT_FCHOWNAT TraceId = 807
+const SYS_ENTER_CHOWN TraceId = 806
+const SYS_EXIT_CHOWN TraceId = 805
+const SYS_ENTER_LCHOWN TraceId = 804
+const SYS_EXIT_LCHOWN TraceId = 803
+const SYS_ENTER_FCHOWN TraceId = 802
+const SYS_EXIT_FCHOWN TraceId = 801
+const SYS_ENTER_OPEN TraceId = 800
+const SYS_EXIT_OPEN TraceId = 799
+const SYS_ENTER_OPENAT TraceId = 798
+const SYS_EXIT_OPENAT TraceId = 797
+const SYS_ENTER_OPENAT2 TraceId = 796
+const SYS_EXIT_OPENAT2 TraceId = 795
+const SYS_ENTER_CREAT TraceId = 794
+const SYS_EXIT_CREAT TraceId = 793
+const SYS_ENTER_CLOSE TraceId = 792
+const SYS_EXIT_CLOSE TraceId = 791
+const SYS_ENTER_READAHEAD TraceId = 625
+const SYS_EXIT_READAHEAD TraceId = 624
+const SYS_ENTER_FADVISE64 TraceId = 623
+const SYS_EXIT_FADVISE64 TraceId = 622
+const SYS_ENTER_CACHESTAT TraceId = 604
+const SYS_EXIT_CACHESTAT TraceId = 603
+const SYS_ENTER_FINIT_MODULE TraceId = 410
+const SYS_EXIT_FINIT_MODULE TraceId = 409
+const SYS_ENTER_SYSLOG TraceId = 351
+const SYS_EXIT_SYSLOG TraceId = 350
+const SYS_ENTER_MMAP TraceId = 100
+const SYS_EXIT_MMAP TraceId = 99