| author | Paul Buetow <paul@buetow.org> | 2024-03-09 18:18:41 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-03-09 23:48:02 +0200 |
| commit | 60defe5b1312b0cdcaaa62659ec851971b3c018d (patch) | |
| tree | 7fa215b3e7e03e62f45e0834bbf5bd8bea75828e | |
| parent | 478a1eb094a7d9e050cef60f80d9a8af1835dfcf (diff) | |
Also auto-generate open syscalls.
| -rw-r--r-- | internal/c/generated/tracepoints.c | 2118 | ||||
| -rw-r--r-- | internal/c/generated/tracepoints.raku | 203 | ||||
| -rw-r--r-- | internal/c/ioriotng.bpf.c | 3 | ||||
| -rw-r--r-- | internal/c/tracepoints/open.c | 71 | ||||
| -rw-r--r-- | internal/c/types.h | 1 | ||||
| -rw-r--r-- | internal/eventloop.go | 2 | ||||
| -rw-r--r-- | internal/generated/tracepoints/tracepoints.go | 252 | ||||
| -rw-r--r-- | internal/generated/types/types.go | 263 |
8 files changed, 1966 insertions, 947 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c index 8ba2028..e1cb7d6 100644 --- a/internal/c/generated/tracepoints.c +++ b/internal/c/generated/tracepoints.c 
@@ -1,114 +1,177 @@ // Code generated - don't change manually! -#define SYS_EXIT_CACHESTAT 527 -#define SYS_ENTER_CACHESTAT 528 -#define SYS_EXIT_CLOSE_RANGE 700 -#define SYS_ENTER_CLOSE_RANGE 701 -#define SYS_EXIT_CLOSE 702 -#define SYS_ENTER_CLOSE 703 -#define SYS_EXIT_CREAT 704 -#define SYS_ENTER_CREAT 705 -#define SYS_EXIT_FCHOWN 712 -#define SYS_ENTER_FCHOWN 713 -#define SYS_EXIT_FCHMOD 726 -#define SYS_ENTER_FCHMOD 727 -#define SYS_EXIT_FCHDIR 730 -#define SYS_ENTER_FCHDIR 731 -#define SYS_EXIT_FTRUNCATE 742 -#define SYS_ENTER_FTRUNCATE 743 -#define SYS_EXIT_COPY_FILE_RANGE 746 -#define SYS_ENTER_COPY_FILE_RANGE 747 -#define SYS_EXIT_PWRITE64 762 -#define SYS_ENTER_PWRITE64 763 -#define SYS_EXIT_PREAD64 764 -#define SYS_ENTER_PREAD64 765 -#define SYS_EXIT_WRITE 766 -#define SYS_ENTER_WRITE 767 -#define SYS_EXIT_READ 768 -#define SYS_ENTER_READ 769 -#define SYS_EXIT_LSEEK 770 -#define SYS_ENTER_LSEEK 771 -#define SYS_EXIT_READLINKAT 776 -#define SYS_ENTER_READLINKAT 777 -#define SYS_EXIT_NEWFSTAT 778 -#define SYS_ENTER_NEWFSTAT 779 -#define SYS_EXIT_RENAME 794 -#define SYS_ENTER_RENAME 795 -#define SYS_EXIT_RENAMEAT 796 -#define SYS_ENTER_RENAMEAT 797 -#define SYS_EXIT_RENAMEAT2 798 -#define SYS_ENTER_RENAMEAT2 799 -#define SYS_EXIT_LINK 800 -#define SYS_ENTER_LINK 801 -#define SYS_EXIT_LINKAT 802 -#define SYS_ENTER_LINKAT 803 -#define SYS_EXIT_SYMLINK 804 -#define SYS_ENTER_SYMLINK 805 -#define SYS_EXIT_SYMLINKAT 806 -#define SYS_ENTER_SYMLINKAT 807 -#define SYS_EXIT_UNLINK 808 -#define SYS_ENTER_UNLINK 809 -#define SYS_EXIT_UNLINKAT 810 -#define SYS_ENTER_UNLINKAT 811 -#define SYS_EXIT_RMDIR 812 -#define SYS_ENTER_RMDIR 813 -#define SYS_EXIT_MKDIR 814 -#define SYS_ENTER_MKDIR 815 -#define SYS_EXIT_MKDIRAT 816 -#define SYS_ENTER_MKDIRAT 817 -#define SYS_EXIT_FCNTL 822 -#define SYS_ENTER_FCNTL 823 -#define SYS_EXIT_IOCTL 824 -#define SYS_ENTER_IOCTL 825 -#define SYS_EXIT_GETDENTS64 826 -#define SYS_ENTER_GETDENTS64 827 -#define SYS_EXIT_GETDENTS 828 -#define 
SYS_ENTER_GETDENTS 829 -#define SYS_EXIT_LREMOVEXATTR 862 -#define SYS_ENTER_LREMOVEXATTR 863 -#define SYS_EXIT_REMOVEXATTR 864 -#define SYS_ENTER_REMOVEXATTR 865 -#define SYS_EXIT_LLISTXATTR 868 -#define SYS_ENTER_LLISTXATTR 869 -#define SYS_EXIT_LISTXATTR 870 -#define SYS_ENTER_LISTXATTR 871 -#define SYS_EXIT_LGETXATTR 874 -#define SYS_ENTER_LGETXATTR 875 -#define SYS_EXIT_GETXATTR 876 -#define SYS_ENTER_GETXATTR 877 -#define SYS_EXIT_LSETXATTR 880 -#define SYS_ENTER_LSETXATTR 881 -#define SYS_EXIT_SETXATTR 882 -#define SYS_ENTER_SETXATTR 883 -#define SYS_EXIT_SYNC_FILE_RANGE 922 -#define SYS_ENTER_SYNC_FILE_RANGE 923 -#define SYS_EXIT_FDATASYNC 924 -#define SYS_ENTER_FDATASYNC 925 -#define SYS_EXIT_FSYNC 926 -#define SYS_ENTER_FSYNC 927 -#define SYS_EXIT_FSTATFS 944 -#define SYS_ENTER_FSTATFS 945 -#define SYS_EXIT_STATFS 946 -#define SYS_ENTER_STATFS 947 -#define SYS_EXIT_INOTIFY_RM_WATCH 954 -#define SYS_ENTER_INOTIFY_RM_WATCH 955 -#define SYS_EXIT_INOTIFY_ADD_WATCH 956 -#define SYS_ENTER_INOTIFY_ADD_WATCH 957 -#define SYS_EXIT_FANOTIFY_MARK 962 -#define SYS_ENTER_FANOTIFY_MARK 963 -#define SYS_EXIT_FLOCK 1020 -#define SYS_ENTER_FLOCK 1021 -#define SYS_EXIT_QUOTACTL_FD 1051 -#define SYS_ENTER_QUOTACTL_FD 1052 -#define SYS_EXIT_MQ_UNLINK 1321 -#define SYS_ENTER_MQ_UNLINK 1322 -#define SYS_EXIT_IO_URING_REGISTER 1377 -#define SYS_ENTER_IO_URING_REGISTER 1378 -#define SYS_EXIT_IO_URING_ENTER 1381 #define SYS_ENTER_IO_URING_ENTER 1382 +#define SYS_EXIT_IO_URING_ENTER 1381 +#define SYS_ENTER_IO_URING_REGISTER 1378 +#define SYS_EXIT_IO_URING_REGISTER 1377 +#define SYS_ENTER_QUOTACTL_FD 1052 +#define SYS_EXIT_QUOTACTL_FD 1051 +#define SYS_ENTER_FLOCK 1021 +#define SYS_EXIT_FLOCK 1020 +#define SYS_ENTER_FANOTIFY_MARK 963 +#define SYS_EXIT_FANOTIFY_MARK 962 +#define SYS_ENTER_INOTIFY_ADD_WATCH 957 +#define SYS_EXIT_INOTIFY_ADD_WATCH 956 +#define SYS_ENTER_STATFS 947 +#define SYS_EXIT_STATFS 946 +#define SYS_ENTER_FSTATFS 945 +#define SYS_EXIT_FSTATFS 944 +#define 
SYS_ENTER_UTIMENSAT 939 +#define SYS_EXIT_UTIMENSAT 938 +#define SYS_ENTER_FUTIMESAT 937 +#define SYS_EXIT_FUTIMESAT 936 +#define SYS_ENTER_FSYNC 927 +#define SYS_EXIT_FSYNC 926 +#define SYS_ENTER_FDATASYNC 925 +#define SYS_EXIT_FDATASYNC 924 +#define SYS_ENTER_SETXATTR 883 +#define SYS_EXIT_SETXATTR 882 +#define SYS_ENTER_LSETXATTR 881 +#define SYS_EXIT_LSETXATTR 880 +#define SYS_ENTER_GETXATTR 877 +#define SYS_EXIT_GETXATTR 876 +#define SYS_ENTER_LGETXATTR 875 +#define SYS_EXIT_LGETXATTR 874 +#define SYS_ENTER_LISTXATTR 871 +#define SYS_EXIT_LISTXATTR 870 +#define SYS_ENTER_LLISTXATTR 869 +#define SYS_EXIT_LLISTXATTR 868 +#define SYS_ENTER_REMOVEXATTR 865 +#define SYS_EXIT_REMOVEXATTR 864 +#define SYS_ENTER_LREMOVEXATTR 863 +#define SYS_EXIT_LREMOVEXATTR 862 +#define SYS_ENTER_OPEN_TREE 857 +#define SYS_EXIT_OPEN_TREE 856 +#define SYS_ENTER_GETDENTS 829 +#define SYS_EXIT_GETDENTS 828 +#define SYS_ENTER_GETDENTS64 827 +#define SYS_EXIT_GETDENTS64 826 +#define SYS_ENTER_IOCTL 825 +#define SYS_EXIT_IOCTL 824 +#define SYS_ENTER_FCNTL 823 +#define SYS_EXIT_FCNTL 822 +#define SYS_ENTER_MKNODAT 821 +#define SYS_EXIT_MKNODAT 820 +#define SYS_ENTER_MKNOD 819 +#define SYS_EXIT_MKNOD 818 +#define SYS_ENTER_MKDIRAT 817 +#define SYS_EXIT_MKDIRAT 816 +#define SYS_ENTER_MKDIR 815 +#define SYS_EXIT_MKDIR 814 +#define SYS_ENTER_RMDIR 813 +#define SYS_EXIT_RMDIR 812 +#define SYS_ENTER_UNLINKAT 811 +#define SYS_EXIT_UNLINKAT 810 +#define SYS_ENTER_UNLINK 809 +#define SYS_EXIT_UNLINK 808 +#define SYS_ENTER_SYMLINKAT 807 +#define SYS_EXIT_SYMLINKAT 806 +#define SYS_ENTER_SYMLINK 805 +#define SYS_EXIT_SYMLINK 804 +#define SYS_ENTER_LINKAT 803 +#define SYS_EXIT_LINKAT 802 +#define SYS_ENTER_LINK 801 +#define SYS_EXIT_LINK 800 +#define SYS_ENTER_RENAMEAT2 799 +#define SYS_EXIT_RENAMEAT2 798 +#define SYS_ENTER_RENAMEAT 797 +#define SYS_EXIT_RENAMEAT 796 +#define SYS_ENTER_RENAME 795 +#define SYS_EXIT_RENAME 794 +#define SYS_ENTER_EXECVE 789 +#define SYS_EXIT_EXECVE 788 +#define 
SYS_ENTER_EXECVEAT 787 +#define SYS_EXIT_EXECVEAT 786 +#define SYS_ENTER_NEWSTAT 785 +#define SYS_EXIT_NEWSTAT 784 +#define SYS_ENTER_NEWLSTAT 783 +#define SYS_EXIT_NEWLSTAT 782 +#define SYS_ENTER_NEWFSTATAT 781 +#define SYS_EXIT_NEWFSTATAT 780 +#define SYS_ENTER_NEWFSTAT 779 +#define SYS_EXIT_NEWFSTAT 778 +#define SYS_ENTER_READLINKAT 777 +#define SYS_EXIT_READLINKAT 776 +#define SYS_ENTER_STATX 773 +#define SYS_EXIT_STATX 772 +#define SYS_ENTER_LSEEK 771 +#define SYS_EXIT_LSEEK 770 +#define SYS_ENTER_READ 769 +#define SYS_EXIT_READ 768 +#define SYS_ENTER_WRITE 767 +#define SYS_EXIT_WRITE 766 +#define SYS_ENTER_PREAD64 765 +#define SYS_EXIT_PREAD64 764 +#define SYS_ENTER_PWRITE64 763 +#define SYS_EXIT_PWRITE64 762 +#define SYS_ENTER_FTRUNCATE 743 +#define SYS_EXIT_FTRUNCATE 742 +#define SYS_ENTER_FACCESSAT 739 +#define SYS_EXIT_FACCESSAT 738 +#define SYS_ENTER_FACCESSAT2 737 +#define SYS_EXIT_FACCESSAT2 736 +#define SYS_ENTER_ACCESS 735 +#define SYS_EXIT_ACCESS 734 +#define SYS_ENTER_CHDIR 733 +#define SYS_EXIT_CHDIR 732 +#define SYS_ENTER_FCHDIR 731 +#define SYS_EXIT_FCHDIR 730 +#define SYS_ENTER_CHROOT 729 +#define SYS_EXIT_CHROOT 728 +#define SYS_ENTER_FCHMOD 727 +#define SYS_EXIT_FCHMOD 726 +#define SYS_ENTER_FCHMODAT2 725 +#define SYS_EXIT_FCHMODAT2 724 +#define SYS_ENTER_FCHMODAT 723 +#define SYS_EXIT_FCHMODAT 722 +#define SYS_ENTER_CHMOD 721 +#define SYS_EXIT_CHMOD 720 +#define SYS_ENTER_FCHOWNAT 719 +#define SYS_EXIT_FCHOWNAT 718 +#define SYS_ENTER_CHOWN 717 +#define SYS_EXIT_CHOWN 716 +#define SYS_ENTER_LCHOWN 715 +#define SYS_EXIT_LCHOWN 714 +#define SYS_ENTER_FCHOWN 713 +#define SYS_EXIT_FCHOWN 712 +#define SYS_ENTER_OPEN 711 +#define SYS_EXIT_OPEN 710 +#define SYS_ENTER_OPENAT 709 +#define SYS_EXIT_OPENAT 708 +#define SYS_ENTER_OPENAT2 707 +#define SYS_EXIT_OPENAT2 706 +#define SYS_ENTER_CREAT 705 +#define SYS_EXIT_CREAT 704 +#define SYS_ENTER_CLOSE 703 +#define SYS_EXIT_CLOSE 702 +#define SYS_ENTER_CLOSE_RANGE 701 +#define SYS_EXIT_CLOSE_RANGE 700 
+#define SYS_ENTER_CACHESTAT 528 +#define SYS_EXIT_CACHESTAT 527 -SEC("tracepoint/syscalls/sys_exit_cachestat") -int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_enter_io_uring_enter") +int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_io_uring_enter") +int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -118,18 +181,18 @@ int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CACHESTAT; + ev->trace_id = SYS_EXIT_IO_URING_ENTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_cachestat") -int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_io_uring_register") +int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -139,7 +202,7 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CACHESTAT; + ev->trace_id = SYS_ENTER_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -149,8 +212,8 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_close_range") -int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_io_uring_register") +int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -160,18 +223,18 @@ int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->trace_id = SYS_EXIT_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_close_range") -int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_quotactl_fd") +int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -181,7 +244,7 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE_RANGE; + ev->trace_id = SYS_ENTER_QUOTACTL_FD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -191,8 +254,8 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_close") -int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_quotactl_fd") +int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -202,18 +265,18 @@ int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE; + ev->trace_id = SYS_EXIT_QUOTACTL_FD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_close") -int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_flock") +int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -223,7 +286,7 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE; + ev->trace_id = SYS_ENTER_FLOCK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -233,8 +296,8 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_creat") -int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_flock") +int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -244,18 +307,18 @@ int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CREAT; + ev->trace_id = SYS_EXIT_FLOCK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_creat") -int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -265,7 +328,93 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CREAT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + 
ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -276,8 +425,8 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fchown") -int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_statfs") +int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -287,18 +436,18 @@ int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWN; + ev->trace_id = SYS_EXIT_STATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchown") -int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fstatfs") +int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -308,7 +457,7 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHOWN; + ev->trace_id = SYS_ENTER_FSTATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -318,8 +467,8 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fchmod") -int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fstatfs") +int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -329,39 +478,41 @@ int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMOD; + ev->trace_id = SYS_EXIT_FSTATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchmod") -int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_utimensat") +int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHMOD; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fchdir") -int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_utimensat") +int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -371,18 +522,62 @@ int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHDIR; + ev->trace_id = SYS_EXIT_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchdir") -int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_futimesat") +int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_futimesat") +int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fsync") +int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -392,7 +587,7 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHDIR; + ev->trace_id = SYS_ENTER_FSYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -402,8 +597,8 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_ftruncate") -int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fsync") +int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -413,18 +608,18 @@ int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FTRUNCATE; + ev->trace_id = SYS_EXIT_FSYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_ftruncate") -int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fdatasync") +int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -434,7 +629,7 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FTRUNCATE; + ev->trace_id = SYS_ENTER_FDATASYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -444,8 +639,8 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_copy_file_range") -int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fdatasync") +int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -455,39 +650,40 @@ int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_COPY_FILE_RANGE; + ev->trace_id = SYS_EXIT_FDATASYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_copy_file_range") -int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_COPY_FILE_RANGE; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_pwrite64") -int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_setxattr") +int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -497,39 +693,40 @@ int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITE64; + ev->trace_id = SYS_EXIT_SETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_pwrite64") -int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITE64; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_pread64") -int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -539,18 +736,320 @@ int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREAD64; + ev->trace_id = SYS_EXIT_LSETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_pread64") -int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + 
ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct 
trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_open_tree") +int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + 
bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_open_tree") +int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getdents") +int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -560,7 +1059,7 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PREAD64; + ev->trace_id = SYS_ENTER_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -570,8 +1069,8 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_write") -int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents") +int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -581,18 +1080,18 @@ int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_WRITE; + ev->trace_id = SYS_EXIT_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_write") -int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getdents64") +int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -602,7 +1101,7 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_WRITE; + ev->trace_id = SYS_ENTER_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -612,8 +1111,8 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_read") -int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents64") +int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -623,18 +1122,18 @@ int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READ; + ev->trace_id = SYS_EXIT_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_read") -int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_ioctl") +int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -644,7 +1143,7 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READ; + ev->trace_id = SYS_ENTER_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -654,8 +1153,8 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_lseek") -int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -665,18 +1164,18 @@ int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSEEK; + ev->trace_id = SYS_EXIT_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lseek") -int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -686,7 +1185,7 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_LSEEK; + ev->trace_id = SYS_ENTER_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -696,8 +1195,8 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_readlinkat") -int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -707,18 +1206,106 @@ int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READLINKAT; + ev->trace_id = SYS_EXIT_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_readlinkat") -int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mknodat") +int handle_sys_enter_mknodat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknodat") +int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mknod") +int handle_sys_enter_mknod(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknod") +int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -728,7 +1315,7 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_READLINKAT; + ev->trace_id = SYS_ENTER_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -739,8 +1326,8 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_newfstat") -int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -750,39 +1337,40 @@ int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->trace_id = SYS_EXIT_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_newfstat") -int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_rename") -int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -792,18 +1380,147 @@ int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAME; + ev->trace_id = SYS_EXIT_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_rename") -int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, 
&tid)) return 0; @@ -813,20 +1530,20 @@ int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAME; + ev->trace_id = SYS_ENTER_SYMLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_renameat") -int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -836,18 +1553,18 @@ int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT; + ev->trace_id = SYS_EXIT_SYMLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_renameat") -int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -857,20 +1574,20 @@ int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT; + ev->trace_id = SYS_ENTER_SYMLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_renameat2") -int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -880,18 +1597,18 @@ int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT2; + ev->trace_id = SYS_EXIT_SYMLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_renameat2") -int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -901,7 +1618,7 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT2; + ev->trace_id = SYS_ENTER_LINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -913,8 +1630,8 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_link") -int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_linkat") +int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -924,11 +1641,11 @@ int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINK; + ev->trace_id = SYS_EXIT_LINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; @@ -957,8 +1674,8 @@ int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_linkat") -int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -968,18 +1685,18 @@ int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINKAT; + ev->trace_id = SYS_EXIT_LINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_linkat") -int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -989,7 +1706,7 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINKAT; + ev->trace_id = SYS_ENTER_RENAMEAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1001,8 +1718,8 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_symlink") -int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1012,18 +1729,18 @@ int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINK; + ev->trace_id = SYS_EXIT_RENAMEAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_symlink") -int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1033,20 +1750,20 @@ int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINK; + ev->trace_id = SYS_ENTER_RENAMEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_symlinkat") -int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1056,18 +1773,18 @@ int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINKAT; + ev->trace_id = SYS_EXIT_RENAMEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_symlinkat") -int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1077,20 +1794,20 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINKAT; + ev->trace_id = SYS_ENTER_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_unlink") -int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1100,40 +1817,41 @@ int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINK; + ev->trace_id = SYS_EXIT_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_unlink") -int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execve") +int handle_sys_enter_execve(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_unlinkat") -int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_execve") +int handle_sys_exit_execve(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1143,40 +1861,41 @@ int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINKAT; + ev->trace_id = SYS_EXIT_EXECVE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_unlinkat") -int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execveat") +int handle_sys_enter_execveat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINKAT; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_rmdir") -int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_execveat") +int handle_sys_exit_execveat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1186,40 +1905,41 @@ int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RMDIR; + ev->trace_id = SYS_EXIT_EXECVEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_rmdir") -int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newstat") +int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_RMDIR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mkdir") -int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_newstat") +int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1229,40 +1949,41 @@ int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIR; + ev->trace_id = SYS_EXIT_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mkdir") -int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newlstat") +int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mkdirat") -int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_newlstat") +int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1272,18 +1993,104 @@ int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIRAT; + ev->trace_id = SYS_EXIT_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mkdirat") -int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newfstatat") +int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newfstatat") +int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_newfstat") +int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newfstat") +int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_readlinkat") +int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1293,7 +2100,7 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIRAT; + ev->trace_id = SYS_ENTER_READLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1304,8 +2111,8 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fcntl") -int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_readlinkat") +int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1315,39 +2122,41 @@ int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCNTL; + ev->trace_id = SYS_EXIT_READLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fcntl") -int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_statx") +int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCNTL; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_ioctl") -int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_statx") +int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1357,18 +2166,18 @@ int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IOCTL; + ev->trace_id = SYS_EXIT_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_ioctl") -int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lseek") +int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1378,7 +2187,7 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IOCTL; + ev->trace_id = SYS_ENTER_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1388,8 +2197,8 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_getdents64") -int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lseek") +int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1399,18 +2208,18 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS64; + ev->trace_id = SYS_EXIT_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_getdents64") -int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_read") +int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1420,7 +2229,7 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS64; + ev->trace_id = SYS_ENTER_READ; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1430,8 +2239,8 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_getdents") -int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_read") +int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1441,18 +2250,18 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS; + ev->trace_id = SYS_EXIT_READ; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_getdents") -int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_write") +int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1462,7 +2271,7 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS; + ev->trace_id = SYS_ENTER_WRITE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1472,8 +2281,8 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_lremovexattr") -int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_write") +int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1483,40 +2292,39 @@ int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->trace_id = SYS_EXIT_WRITE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lremovexattr") -int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_pread64") +int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PREAD64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_removexattr") -int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_pread64") +int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1526,40 +2334,39 @@ int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->trace_id = SYS_EXIT_PREAD64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_removexattr") -int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_pwrite64") +int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PWRITE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_llistxattr") -int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_pwrite64") +int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1569,40 +2376,39 @@ int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->trace_id = SYS_EXIT_PWRITE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_llistxattr") -int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_ftruncate") +int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FTRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_listxattr") -int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ftruncate") +int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1612,40 +2418,41 @@ int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LISTXATTR; + ev->trace_id = SYS_EXIT_FTRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_listxattr") -int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_faccessat") +int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LISTXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_lgetxattr") -int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_faccessat") +int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1655,40 +2462,41 @@ int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LGETXATTR; + ev->trace_id = SYS_EXIT_FACCESSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lgetxattr") -int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_faccessat2") +int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LGETXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_getxattr") -int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_faccessat2") +int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1698,40 +2506,41 @@ int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETXATTR; + ev->trace_id = SYS_EXIT_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_getxattr") -int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_access") +int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_GETXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_ACCESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_lsetxattr") -int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_access") +int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1741,40 +2550,41 @@ int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSETXATTR; + ev->trace_id = SYS_EXIT_ACCESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lsetxattr") -int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chdir") +int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LSETXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_setxattr") -int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chdir") +int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1784,40 +2594,39 @@ int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SETXATTR; + ev->trace_id = SYS_EXIT_CHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_setxattr") -int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchdir") +int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_SETXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_sync_file_range") -int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchdir") +int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1827,39 +2636,41 @@ int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE; + ev->trace_id = SYS_EXIT_FCHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_sync_file_range") -int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chroot") +int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fdatasync") -int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chroot") +int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1869,18 +2680,18 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FDATASYNC; + ev->trace_id = SYS_EXIT_CHROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fdatasync") -int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchmod") +int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1890,7 +2701,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FDATASYNC; + ev->trace_id = SYS_ENTER_FCHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1900,8 +2711,8 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fsync") -int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchmod") +int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1911,39 +2722,41 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSYNC; + ev->trace_id = SYS_EXIT_FCHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fsync") -int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchmodat2") +int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSYNC; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fstatfs") -int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchmodat2") +int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1953,39 +2766,41 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSTATFS; + ev->trace_id = SYS_EXIT_FCHMODAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fstatfs") -int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchmodat") +int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSTATFS; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_statfs") -int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchmodat") +int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1995,40 +2810,41 @@ int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_STATFS; + ev->trace_id = SYS_EXIT_FCHMODAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_statfs") -int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chmod") +int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_STATFS; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch") -int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chmod") +int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2038,39 +2854,41 @@ int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH; + ev->trace_id = SYS_EXIT_CHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch") -int handle_sys_enter_inotify_rm_watch(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchownat") +int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHOWNAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") -int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchownat") +int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2080,40 +2898,41 @@ int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->trace_id = SYS_EXIT_FCHOWNAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") -int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chown") +int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fanotify_mark") -int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chown") +int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2123,40 +2942,41 @@ int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->trace_id = SYS_EXIT_CHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fanotify_mark") -int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lchown") +int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_flock") -int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lchown") +int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2166,18 +2986,18 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLOCK; + ev->trace_id = SYS_EXIT_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_flock") -int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchown") +int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2187,7 +3007,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLOCK; + ev->trace_id = SYS_ENTER_FCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -2197,8 +3017,8 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_quotactl_fd") -int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchown") +int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2208,39 +3028,41 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->trace_id = SYS_EXIT_FCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_quotactl_fd") -int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_open") +int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mq_unlink") -int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_open") +int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2250,39 +3072,41 @@ int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MQ_UNLINK; + ev->trace_id = SYS_EXIT_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mq_unlink") -int handle_sys_enter_mq_unlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_MQ_UNLINK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_io_uring_register") -int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2292,18 +3116,105 @@ int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_REGISTER; + ev->trace_id = SYS_EXIT_OPENAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_io_uring_register") -int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat2") +int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_openat2") +int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + 
+ ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_close") +int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2313,7 +3224,7 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_REGISTER; + ev->trace_id = SYS_ENTER_CLOSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -2323,8 +3234,8 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_io_uring_enter") -int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_close") +int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2334,18 +3245,18 @@ int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_ENTER; + ev->trace_id = SYS_EXIT_CLOSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_io_uring_enter") -int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_close_range") +int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2355,7 +3266,7 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->trace_id = SYS_ENTER_CLOSE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -2365,4 +3276,67 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_close_range") +int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_cachestat") +int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_cachestat") +int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku index de801a7..e43b436 100644 --- a/internal/c/generated/tracepoints.raku +++ b/internal/c/generated/tracepoints.raku @@ -1,7 +1,6 @@ #!/usr/bin/env raku use v6.d; -#use Grammar::Debugger; grammar SysTraceFormat { rule TOP { <whole-format-section>* } 
@@ -32,6 +31,104 @@ class Field { has Bool $.signed is rw; } +role TracepointTemplate { + method template(%vals) returns Str { + my \is-enter = %vals<name>.split('_')[1] eq 'enter'; + my \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' + !! 'trace_event_raw_sys_exit'; + my Str @parts; + + @parts.push: qq:to/END/; + SEC("tracepoint/syscalls/{%vals<name>}") + int handle_{%vals<name>.lc}(struct {ctx-struct} *ctx) \{ + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct {%vals<event-struct>} *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct {%vals<event-struct>}), 0); + if (!ev) + return 0; + + ev->event_type = {(is-enter ?? 'ENTER_' !! 'EXIT_') ~ %vals<event-struct>.uc}; + ev->trace_id = {%vals<name>.uc}; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + END + + @parts.push: %vals<extra> if %vals<extra>:exists; + + @parts.push: qq:to/END/; + + bpf_ringbuf_submit(ev, 0); + return 0; + \} + END + + @parts.join(''); + } +} + +class FdTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Str $extra = qq:to/END/; + ev->fd = (__s32)ctx->args[0]; + END + self.template: %vals.append( ( event-struct => 'fd_event', :$extra ).hash ); + } +} + +class NameTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Int \oldname-field-number = %vals<format>.field-number('oldname'); + my Int \newname-field-number = %vals<format>.field-number('newname'); + my Str $extra = qq:to/END/; + __builtin_memset(\&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-field-number}]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-field-number}]); + END + self.template: %vals.append( ( event-struct => 'name_event', :$extra ).hash ); + } +} + +class OpenTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns 
Str { + my Int \field-number = %vals<format>.field-number('filename'); + my Str $extra = qq:to/END/; + __builtin_memset(\&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[{field-number}]); + bpf_get_current_comm(\&ev->comm, sizeof(ev->comm)); + END + self.template: %vals.append( ( event-struct => 'open_event', :$extra ).hash ); + } +} + +class PathnameTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Int \field-number = %vals<format>.field-number('pathname'); + my Str $extra = qq:to/END/; + __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{field-number}]); + END + self.template: %vals.append( ( event-struct => 'path_event', :$extra ).hash ); + } +} + +class RetTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Str $extra = q:to/END/; + ev->ret = ctx->ret; + END + self.template: %vals.append( ( event-struct => 'ret_event', :$extra ).hash ); + } +} + +class NullTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + self.template: %vals.append( ( event-struct => 'null_event' ).hash ); + } +} + class Format { # Fields not accessible from raw tracepoints. has Field @!internal-fields; @@ -43,14 +140,7 @@ class Format { has Str $.name is rw; has Int $.id is rw; - # file descriptor passed to syscalls. - has Bool $.has-fd is rw = False; - # Tracepoint has oldname/newname - has Bool $.has-name is rw = False; - # Tracepoint has pathname - has Bool $.has-path is rw = False; - # Syscall returns with a long value (e.g. bytes read/written) - has Bool $.has-long-ret is rw = False; + has $.format-impl; method push(Field \field) { # External fields start from this field name. 
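Review bot: `OpenTracepoint`'s `$extra` heredoc never writes `ev->flags`, although this commit adds `__s32 flags` to `struct open_event` in the `internal/c/types.h` hunk. The generated memset starts at `ev->filename`, so the new field lies before the cleared range and each submitted record carries whatever bytes that ring-buffer slot held earlier; the comment in the deleted open.c already noted that the slot memory is re-used. At minimum add `ev->flags = 0;` to the heredoc. To capture the real value, look the argument up per format in the same way as `field-number('filename')`, because its position differs between syscalls.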
@@ -64,85 +154,36 @@ class Format { } if (field.name eq 'fd' && field.type eq 'unsigned int') { - $!has-fd = True; + $!format-impl = FdTracepoint.new; } elsif (field.name eq 'newname' && field.type eq 'const char *') { - $!has-name = True; + $!format-impl = NameTracepoint.new; + } elsif (field.name eq 'filename' && field.type eq 'const char *') { + $!format-impl = OpenTracepoint.new; } elsif (field.name eq 'pathname' && field.type eq 'const char *') { - $!has-path = True; + $!format-impl = PathnameTracepoint.new; } elsif (field.name eq 'ret' && field.type eq 'long') { - $.has-long-ret = True; + $!format-impl = RetTracepoint.new; } } - method !field-number(Str \field-name) { - @!external-fields.first(*.name eq field-name, :k) - 1; - } + method generate-c-constant returns Str { "#define {$!name.uc} {$!id}" } + method generate-bpf-c-tracepoint returns Str { $!format-impl.generate-bpf-c-tracepoint: (format => self, :$!name).hash } - method generate-constant returns Str { - "#define {$!name.uc} {$!id}"; - } - - method generate-probe returns Str { - my \is-enter = $!name.split('_')[1] eq 'enter'; - my \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' - !! 
'trace_event_raw_sys_exit'; - my \event-struct = do if $!has-fd { 'fd_event' } - elsif $!has-long-ret { 'ret_event' } - elsif $!has-name { 'name_event' } - elsif $!has-path { 'path_event' } - else { 'null_event' }; - my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' } - elsif $!has-long-ret { 'ev->ret = ctx->ret;' } - elsif $!has-name { - my Int \oldname-index = self!field-number('oldname'); - my Int \newname-index = self!field-number('newname'); - qq:to/END/.trim-trailing; - __builtin_memset(\&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-index}]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-index}]); - END - } elsif $!has-path { - my Int \pathname-index = self!field-number('pathname'); - qq:to/END/.trim-trailing; - __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]); - END - } - else { '' }; - qq:to/END/; - SEC("tracepoint/syscalls/{$!name}") - int handle_{$!name.lc}(struct {ctx-struct} *ctx) \{ - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct {event-struct} *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct {event-struct}), 0); - if (!ev) - return 0; - - ev->event_type = {(is-enter ?? 'ENTER_' !! 
'EXIT_') ~ event-struct.uc}; - ev->trace_id = {$!name.uc}; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_ns() / 1000; - {extra-data} - - bpf_ringbuf_submit(ev, 0); - return 0; - \} - END - } + method field-number(Str \field-name) { @!external-fields.first(*.name eq field-name, :k) - 1 } + method can-generate returns Bool { so $!format-impl.^can('generate-bpf-c-tracepoint') } + method enter-reject returns Bool { $!format-impl !~~ any(FdTracepoint, NameTracepoint, OpenTracepoint, PathnameTracepoint) } } class SysTraceFormatActions { - has Format @!formats; + has Hash %!formats; has Format $!current-format = Format.new; has Field $!current-field = Field.new; - method TOP($/) { make @!formats } + method TOP($/) { make %!formats } method whole-format-section($/) { - push @!formats: $!current-format; + my ($, \enter-exit, \what) = $!current-format.name.split('_', 3); + %!formats{what}{enter-exit} = $!current-format; $!current-format = Format.new; } 
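Review bot: The new `filename` branch in `push` selects `OpenTracepoint` for every syscall whose format has a `const char *filename`, not only the open family; the regenerated tracepoints.c in this commit shows `sys_enter_chown`, `sys_enter_lchown` and `sys_enter_fchownat` emitting `ENTER_OPEN_EVENT`. The `case *OpenEvent:` branch in the `internal/eventloop.go` hunk then treats the exit value as a descriptor and runs `files[fd] = file` when `fd >= 0`. A successful chown (return 0) would therefore record its path under fd 0, unless code outside that hunk filters by trace id. One fix is to narrow the branch, e.g. `} elsif (field.name eq 'filename' && field.type eq 'const char *' && $!name.contains('_open')) {`, assuming `$!name` is set before fields are pushed. To keep tracing the other calls, have the event loop update `files` only for open-family trace ids instead.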
@@ -161,18 +202,18 @@ class SysTraceFormatActions { method field-signed($/) { $!current-field.signed = +$/<cbool> == 0 ?? False !! True } } -my Format @formats = gather for SysTraceFormat - .parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made - # For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open - .classify(*.name.split('_').tail).values - .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) || $_.grep(*.has-path) }) -> @_ { .take for @_ } +my Format @formats = gather for + SysTraceFormat.parse($*IN.slurp, actions => SysTraceFormatActions.new).made.values -> %syscall { + next if !all(%syscall.values.map(*.can-generate)) or %syscall<enter>.enter-reject; + .take for %syscall.values; +} -@formats .= sort(*.id); +@formats .= sort({ $^b.id cmp $^a.id }); say qq:to/END/; // Code generated - don't change manually! -{@formats.map(*.generate-constant).join("\n")} +{@formats.map(*.generate-c-constant).join("\n")} -{@formats.map(*.generate-probe).join("\n")} +{@formats.map(*.generate-bpf-c-tracepoint).join("\n")} END diff --git a/internal/c/ioriotng.bpf.c b/internal/c/ioriotng.bpf.c index 896309e..7c41551 100644 --- a/internal/c/ioriotng.bpf.c +++ b/internal/c/ioriotng.bpf.c @@ -16,8 +16,5 @@ // Auto-generated tracepoints. #include "generated/tracepoints.c" -// Tracepoints with custom handling. -#include "tracepoints/open.c" - char LICENSE[] SEC("license") = "Dual BSD/GPL"; diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c deleted file mode 100644 index b4e8757..0000000 --- a/internal/c/tracepoints/open.c +++ /dev/null 
@@ -1,71 +0,0 @@ -//+build ignore - -#define SYS_EXIT_OPEN 1 -#define SYS_ENTER_OPEN 2 -#define SYS_EXIT_OPENAT 3 -#define SYS_ENTER_OPENAT 4 - -static __always_inline int _handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx, __u32 trace_id) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = trace_id; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_ns() / 1000; - - // Reset memory, as structure is re-used (ringbuffer) - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - bpf_ringbuf_submit(ev, 0); - - return 0; -} - -static __always_inline int _handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx, __u32 trace_id) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_FD_EVENT; - ev->trace_id = trace_id; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_openat") -int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { - return _handle_sys_enter_open(ctx, SYS_ENTER_OPENAT); -} - -SEC("tracepoint/syscalls/sys_exit_openat") -int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { - return _handle_sys_exit_open(ctx, SYS_EXIT_OPENAT); -} - -SEC("tracepoint/syscalls/sys_enter_open") -int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { - return _handle_sys_enter_open(ctx, SYS_ENTER_OPEN); -} - -SEC("tracepoint/syscalls/sys_exit_open") -int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { - 
return _handle_sys_exit_open(ctx, SYS_EXIT_OPEN); -} diff --git a/internal/c/types.h b/internal/c/types.h index b2cb1fa..9dc4208 100644 --- a/internal/c/types.h +++ b/internal/c/types.h @@ -22,6 +22,7 @@ struct open_event { __u32 pid; __u32 tid; __u32 time; + __s32 flags; char filename[MAX_FILENAME_LENGTH]; char comm[MAX_PROGNAME_LENGTH]; }; diff --git a/internal/eventloop.go b/internal/eventloop.go index 91a8983..9ce0149 100644 --- a/internal/eventloop.go +++ b/internal/eventloop.go @@ -54,7 +54,7 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent { case *OpenEvent: openEv := ev.enterEv.(*OpenEvent) - fd := ev.exitEv.(*FdEvent).Fd + fd := int32(ev.exitEv.(*RetEvent).Ret) file := fdFile{fd, string(openEv.Filename[:])} if fd >= 0 { files[fd] = file diff --git a/internal/generated/tracepoints/tracepoints.go b/internal/generated/tracepoints/tracepoints.go index 7495274..708af63 100644 --- a/internal/generated/tracepoints/tracepoints.go +++ b/internal/generated/tracepoints/tracepoints.go 
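Review bot: The single-value assertion in `fd := int32(ev.exitEv.(*RetEvent).Ret)` panics if the paired exit event is nil or of another type, and that pairing now depends on the generator emitting `ret_event` for every exit tracepoint. Use the checked form `retEv, ok := ev.exitEv.(*RetEvent)` and drop the event when `!ok`, then `fd := int32(retEv.Ret)`. How to skip an event depends on the surrounding loop, which is outside the hunk. If `Ret` is wider than 32 bits, a comment such as `// Ret is the new fd or a negative errno; both fit in int32` would explain the narrowing.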
@@ -2,114 +2,152 @@ package tracepoints var List = []string{ - "sys_exit_cachestat", - "sys_enter_cachestat", - "sys_exit_close_range", - "sys_enter_close_range", - "sys_exit_close", - "sys_enter_close", - "sys_exit_creat", - "sys_enter_creat", - "sys_exit_fchown", - "sys_enter_fchown", - "sys_exit_fchmod", - "sys_enter_fchmod", - "sys_exit_fchdir", - "sys_enter_fchdir", - "sys_exit_ftruncate", - "sys_enter_ftruncate", - "sys_exit_copy_file_range", - "sys_enter_copy_file_range", - "sys_exit_pwrite64", - "sys_enter_pwrite64", - "sys_exit_pread64", - "sys_enter_pread64", - "sys_exit_write", - "sys_enter_write", - "sys_exit_read", - "sys_enter_read", - "sys_exit_lseek", - "sys_enter_lseek", - "sys_exit_readlinkat", - "sys_enter_readlinkat", - "sys_exit_newfstat", - "sys_enter_newfstat", - "sys_exit_rename", - "sys_enter_rename", - "sys_exit_renameat", - "sys_enter_renameat", - "sys_exit_renameat2", - "sys_enter_renameat2", - "sys_exit_link", - "sys_enter_link", - "sys_exit_linkat", - "sys_enter_linkat", - "sys_exit_symlink", - "sys_enter_symlink", - "sys_exit_symlinkat", - "sys_enter_symlinkat", - "sys_exit_unlink", - "sys_enter_unlink", - "sys_exit_unlinkat", - "sys_enter_unlinkat", - "sys_exit_rmdir", - "sys_enter_rmdir", - "sys_exit_mkdir", - "sys_enter_mkdir", - "sys_exit_mkdirat", - "sys_enter_mkdirat", - "sys_exit_fcntl", - "sys_enter_fcntl", - "sys_exit_ioctl", - "sys_enter_ioctl", - "sys_exit_getdents64", - "sys_enter_getdents64", - "sys_exit_getdents", - "sys_enter_getdents", - "sys_exit_lremovexattr", - "sys_enter_lremovexattr", - "sys_exit_removexattr", - "sys_enter_removexattr", - "sys_exit_llistxattr", - "sys_enter_llistxattr", - "sys_exit_listxattr", - "sys_enter_listxattr", - "sys_exit_lgetxattr", - "sys_enter_lgetxattr", - "sys_exit_getxattr", - "sys_enter_getxattr", - "sys_exit_lsetxattr", - "sys_enter_lsetxattr", - "sys_exit_setxattr", - "sys_enter_setxattr", - "sys_exit_sync_file_range", - "sys_enter_sync_file_range", - "sys_exit_fdatasync", - 
"sys_enter_fdatasync", - "sys_exit_fsync", - "sys_enter_fsync", - "sys_exit_fstatfs", - "sys_enter_fstatfs", - "sys_exit_statfs", - "sys_enter_statfs", - "sys_exit_inotify_rm_watch", - "sys_enter_inotify_rm_watch", - "sys_exit_inotify_add_watch", - "sys_enter_inotify_add_watch", - "sys_exit_fanotify_mark", - "sys_enter_fanotify_mark", - "sys_exit_flock", - "sys_enter_flock", - "sys_exit_quotactl_fd", - "sys_enter_quotactl_fd", - "sys_exit_mq_unlink", - "sys_enter_mq_unlink", - "sys_exit_io_uring_register", - "sys_enter_io_uring_register", - "sys_exit_io_uring_enter", "sys_enter_io_uring_enter", - "sys_enter_openat", - "sys_exit_openat", + "sys_exit_io_uring_enter", + "sys_enter_io_uring_register", + "sys_exit_io_uring_register", + "sys_enter_quotactl_fd", + "sys_exit_quotactl_fd", + "sys_enter_flock", + "sys_exit_flock", + "sys_enter_fanotify_mark", + "sys_exit_fanotify_mark", + "sys_enter_inotify_add_watch", + "sys_exit_inotify_add_watch", + "sys_enter_statfs", + "sys_exit_statfs", + "sys_enter_fstatfs", + "sys_exit_fstatfs", + "sys_enter_utimensat", + "sys_exit_utimensat", + "sys_enter_futimesat", + "sys_exit_futimesat", + "sys_enter_fsync", + "sys_exit_fsync", + "sys_enter_fdatasync", + "sys_exit_fdatasync", + "sys_enter_setxattr", + "sys_exit_setxattr", + "sys_enter_lsetxattr", + "sys_exit_lsetxattr", + "sys_enter_getxattr", + "sys_exit_getxattr", + "sys_enter_lgetxattr", + "sys_exit_lgetxattr", + "sys_enter_listxattr", + "sys_exit_listxattr", + "sys_enter_llistxattr", + "sys_exit_llistxattr", + "sys_enter_removexattr", + "sys_exit_removexattr", + "sys_enter_lremovexattr", + "sys_exit_lremovexattr", + "sys_enter_open_tree", + "sys_exit_open_tree", + "sys_enter_getdents", + "sys_exit_getdents", + "sys_enter_getdents64", + "sys_exit_getdents64", + "sys_enter_ioctl", + "sys_exit_ioctl", + "sys_enter_fcntl", + "sys_exit_fcntl", + "sys_enter_mknodat", + "sys_exit_mknodat", + "sys_enter_mknod", + "sys_exit_mknod", + "sys_enter_mkdirat", + "sys_exit_mkdirat", + 
"sys_enter_mkdir", + "sys_exit_mkdir", + "sys_enter_rmdir", + "sys_exit_rmdir", + "sys_enter_unlinkat", + "sys_exit_unlinkat", + "sys_enter_unlink", + "sys_exit_unlink", + "sys_enter_symlinkat", + "sys_exit_symlinkat", + "sys_enter_symlink", + "sys_exit_symlink", + "sys_enter_linkat", + "sys_exit_linkat", + "sys_enter_link", + "sys_exit_link", + "sys_enter_renameat2", + "sys_exit_renameat2", + "sys_enter_renameat", + "sys_exit_renameat", + "sys_enter_rename", + "sys_exit_rename", + "sys_enter_execve", + "sys_exit_execve", + "sys_enter_execveat", + "sys_exit_execveat", + "sys_enter_newstat", + "sys_exit_newstat", + "sys_enter_newlstat", + "sys_exit_newlstat", + "sys_enter_newfstatat", + "sys_exit_newfstatat", + "sys_enter_newfstat", + "sys_exit_newfstat", + "sys_enter_readlinkat", + "sys_exit_readlinkat", + "sys_enter_statx", + "sys_exit_statx", + "sys_enter_lseek", + "sys_exit_lseek", + "sys_enter_read", + "sys_exit_read", + "sys_enter_write", + "sys_exit_write", + "sys_enter_pread64", + "sys_exit_pread64", + "sys_enter_pwrite64", + "sys_exit_pwrite64", + "sys_enter_ftruncate", + "sys_exit_ftruncate", + "sys_enter_faccessat", + "sys_exit_faccessat", + "sys_enter_faccessat2", + "sys_exit_faccessat2", + "sys_enter_access", + "sys_exit_access", + "sys_enter_chdir", + "sys_exit_chdir", + "sys_enter_fchdir", + "sys_exit_fchdir", + "sys_enter_chroot", + "sys_exit_chroot", + "sys_enter_fchmod", + "sys_exit_fchmod", + "sys_enter_fchmodat2", + "sys_exit_fchmodat2", + "sys_enter_fchmodat", + "sys_exit_fchmodat", + "sys_enter_chmod", + "sys_exit_chmod", + "sys_enter_fchownat", + "sys_exit_fchownat", + "sys_enter_chown", + "sys_exit_chown", + "sys_enter_lchown", + "sys_exit_lchown", + "sys_enter_fchown", + "sys_exit_fchown", "sys_enter_open", "sys_exit_open", + "sys_enter_openat", + "sys_exit_openat", + "sys_enter_openat2", + "sys_exit_openat2", + "sys_enter_creat", + "sys_exit_creat", + "sys_enter_close", + "sys_exit_close", + "sys_enter_close_range", + 
"sys_exit_close_range", + "sys_enter_cachestat", + "sys_exit_cachestat", } diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go index c4e687b..2dbe553 100644 --- a/internal/generated/types/types.go +++ b/internal/generated/types/types.go 
@@ -12,11 +12,11 @@ type EventType uint32 type TraceId uint32 var traceId2String = map[TraceId]string{ - 527: "exit_cachestat", 528: "enter_cachestat", 700: "exit_close_range", 701: "enter_close_range", 702: "exit_close", 703: "enter_close", 704: "exit_creat", 705: "enter_creat", 712: "exit_fchown", 713: "enter_fchown", 726: "exit_fchmod", 727: "enter_fchmod", 730: "exit_fchdir", 731: "enter_fchdir", 742: "exit_ftruncate", 743: "enter_ftruncate", 746: "exit_copy_file_range", 747: "enter_copy_file_range", 762: "exit_pwrite64", 763: "enter_pwrite64", 764: "exit_pread64", 765: "enter_pread64", 766: "exit_write", 767: "enter_write", 768: "exit_read", 769: "enter_read", 770: "exit_lseek", 771: "enter_lseek", 776: "exit_readlinkat", 777: "enter_readlinkat", 778: "exit_newfstat", 779: "enter_newfstat", 794: "exit_rename", 795: "enter_rename", 796: "exit_renameat", 797: "enter_renameat", 798: "exit_renameat2", 799: "enter_renameat2", 800: "exit_link", 801: "enter_link", 802: "exit_linkat", 803: "enter_linkat", 804: "exit_symlink", 805: "enter_symlink", 806: "exit_symlinkat", 807: "enter_symlinkat", 808: "exit_unlink", 809: "enter_unlink", 810: "exit_unlinkat", 811: "enter_unlinkat", 812: "exit_rmdir", 813: "enter_rmdir", 814: "exit_mkdir", 815: "enter_mkdir", 816: "exit_mkdirat", 817: "enter_mkdirat", 822: "exit_fcntl", 823: "enter_fcntl", 824: "exit_ioctl", 825: "enter_ioctl", 826: "exit_getdents64", 827: "enter_getdents64", 828: "exit_getdents", 829: "enter_getdents", 862: "exit_lremovexattr", 863: "enter_lremovexattr", 864: "exit_removexattr", 865: "enter_removexattr", 868: "exit_llistxattr", 869: "enter_llistxattr", 870: "exit_listxattr", 871: "enter_listxattr", 874: "exit_lgetxattr", 875: "enter_lgetxattr", 876: "exit_getxattr", 877: "enter_getxattr", 880: "exit_lsetxattr", 881: "enter_lsetxattr", 882: "exit_setxattr", 883: "enter_setxattr", 922: "exit_sync_file_range", 923: "enter_sync_file_range", 924: "exit_fdatasync", 925: "enter_fdatasync", 926: "exit_fsync", 
927: "enter_fsync", 944: "exit_fstatfs", 945: "enter_fstatfs", 946: "exit_statfs", 947: "enter_statfs", 954: "exit_inotify_rm_watch", 955: "enter_inotify_rm_watch", 956: "exit_inotify_add_watch", 957: "enter_inotify_add_watch", 962: "exit_fanotify_mark", 963: "enter_fanotify_mark", 1020: "exit_flock", 1021: "enter_flock", 1051: "exit_quotactl_fd", 1052: "enter_quotactl_fd", 1321: "exit_mq_unlink", 1322: "enter_mq_unlink", 1377: "exit_io_uring_register", 1378: "enter_io_uring_register", 1381: "exit_io_uring_enter", 1382: "enter_io_uring_enter", 1: "exit_open", 2: "enter_open", 3: "exit_openat", 4: "enter_openat", + 1382: "enter_io_uring_enter", 1381: "exit_io_uring_enter", 1378: "enter_io_uring_register", 1377: "exit_io_uring_register", 1052: "enter_quotactl_fd", 1051: "exit_quotactl_fd", 1021: "enter_flock", 1020: "exit_flock", 963: "enter_fanotify_mark", 962: "exit_fanotify_mark", 957: "enter_inotify_add_watch", 956: "exit_inotify_add_watch", 947: "enter_statfs", 946: "exit_statfs", 945: "enter_fstatfs", 944: "exit_fstatfs", 939: "enter_utimensat", 938: "exit_utimensat", 937: "enter_futimesat", 936: "exit_futimesat", 927: "enter_fsync", 926: "exit_fsync", 925: "enter_fdatasync", 924: "exit_fdatasync", 883: "enter_setxattr", 882: "exit_setxattr", 881: "enter_lsetxattr", 880: "exit_lsetxattr", 877: "enter_getxattr", 876: "exit_getxattr", 875: "enter_lgetxattr", 874: "exit_lgetxattr", 871: "enter_listxattr", 870: "exit_listxattr", 869: "enter_llistxattr", 868: "exit_llistxattr", 865: "enter_removexattr", 864: "exit_removexattr", 863: "enter_lremovexattr", 862: "exit_lremovexattr", 857: "enter_open_tree", 856: "exit_open_tree", 829: "enter_getdents", 828: "exit_getdents", 827: "enter_getdents64", 826: "exit_getdents64", 825: "enter_ioctl", 824: "exit_ioctl", 823: "enter_fcntl", 822: "exit_fcntl", 821: "enter_mknodat", 820: "exit_mknodat", 819: "enter_mknod", 818: "exit_mknod", 817: "enter_mkdirat", 816: "exit_mkdirat", 815: "enter_mkdir", 814: "exit_mkdir", 813: 
"enter_rmdir", 812: "exit_rmdir", 811: "enter_unlinkat", 810: "exit_unlinkat", 809: "enter_unlink", 808: "exit_unlink", 807: "enter_symlinkat", 806: "exit_symlinkat", 805: "enter_symlink", 804: "exit_symlink", 803: "enter_linkat", 802: "exit_linkat", 801: "enter_link", 800: "exit_link", 799: "enter_renameat2", 798: "exit_renameat2", 797: "enter_renameat", 796: "exit_renameat", 795: "enter_rename", 794: "exit_rename", 789: "enter_execve", 788: "exit_execve", 787: "enter_execveat", 786: "exit_execveat", 785: "enter_newstat", 784: "exit_newstat", 783: "enter_newlstat", 782: "exit_newlstat", 781: "enter_newfstatat", 780: "exit_newfstatat", 779: "enter_newfstat", 778: "exit_newfstat", 777: "enter_readlinkat", 776: "exit_readlinkat", 773: "enter_statx", 772: "exit_statx", 771: "enter_lseek", 770: "exit_lseek", 769: "enter_read", 768: "exit_read", 767: "enter_write", 766: "exit_write", 765: "enter_pread64", 764: "exit_pread64", 763: "enter_pwrite64", 762: "exit_pwrite64", 743: "enter_ftruncate", 742: "exit_ftruncate", 739: "enter_faccessat", 738: "exit_faccessat", 737: "enter_faccessat2", 736: "exit_faccessat2", 735: "enter_access", 734: "exit_access", 733: "enter_chdir", 732: "exit_chdir", 731: "enter_fchdir", 730: "exit_fchdir", 729: "enter_chroot", 728: "exit_chroot", 727: "enter_fchmod", 726: "exit_fchmod", 725: "enter_fchmodat2", 724: "exit_fchmodat2", 723: "enter_fchmodat", 722: "exit_fchmodat", 721: "enter_chmod", 720: "exit_chmod", 719: "enter_fchownat", 718: "exit_fchownat", 717: "enter_chown", 716: "exit_chown", 715: "enter_lchown", 714: "exit_lchown", 713: "enter_fchown", 712: "exit_fchown", 711: "enter_open", 710: "exit_open", 709: "enter_openat", 708: "exit_openat", 707: "enter_openat2", 706: "exit_openat2", 705: "enter_creat", 704: "exit_creat", 703: "enter_close", 702: "exit_close", 701: "enter_close_range", 700: "exit_close_range", 528: "enter_cachestat", 527: "exit_cachestat", } var traceId2Name = map[TraceId]string{ - 527: "cachestat", 528: "cachestat", 
700: "close_range", 701: "close_range", 702: "close", 703: "close", 704: "creat", 705: "creat", 712: "fchown", 713: "fchown", 726: "fchmod", 727: "fchmod", 730: "fchdir", 731: "fchdir", 742: "ftruncate", 743: "ftruncate", 746: "copy_file_range", 747: "copy_file_range", 762: "pwrite64", 763: "pwrite64", 764: "pread64", 765: "pread64", 766: "write", 767: "write", 768: "read", 769: "read", 770: "lseek", 771: "lseek", 776: "readlinkat", 777: "readlinkat", 778: "newfstat", 779: "newfstat", 794: "rename", 795: "rename", 796: "renameat", 797: "renameat", 798: "renameat2", 799: "renameat2", 800: "link", 801: "link", 802: "linkat", 803: "linkat", 804: "symlink", 805: "symlink", 806: "symlinkat", 807: "symlinkat", 808: "unlink", 809: "unlink", 810: "unlinkat", 811: "unlinkat", 812: "rmdir", 813: "rmdir", 814: "mkdir", 815: "mkdir", 816: "mkdirat", 817: "mkdirat", 822: "fcntl", 823: "fcntl", 824: "ioctl", 825: "ioctl", 826: "getdents64", 827: "getdents64", 828: "getdents", 829: "getdents", 862: "lremovexattr", 863: "lremovexattr", 864: "removexattr", 865: "removexattr", 868: "llistxattr", 869: "llistxattr", 870: "listxattr", 871: "listxattr", 874: "lgetxattr", 875: "lgetxattr", 876: "getxattr", 877: "getxattr", 880: "lsetxattr", 881: "lsetxattr", 882: "setxattr", 883: "setxattr", 922: "sync_file_range", 923: "sync_file_range", 924: "fdatasync", 925: "fdatasync", 926: "fsync", 927: "fsync", 944: "fstatfs", 945: "fstatfs", 946: "statfs", 947: "statfs", 954: "inotify_rm_watch", 955: "inotify_rm_watch", 956: "inotify_add_watch", 957: "inotify_add_watch", 962: "fanotify_mark", 963: "fanotify_mark", 1020: "flock", 1021: "flock", 1051: "quotactl_fd", 1052: "quotactl_fd", 1321: "mq_unlink", 1322: "mq_unlink", 1377: "io_uring_register", 1378: "io_uring_register", 1381: "io_uring_enter", 1382: "io_uring_enter", 1: "open", 2: "open", 3: "openat", 4: "openat", + 1382: "io_uring_enter", 1381: "io_uring_enter", 1378: "io_uring_register", 1377: "io_uring_register", 1052: "quotactl_fd", 
1051: "quotactl_fd", 1021: "flock", 1020: "flock", 963: "fanotify_mark", 962: "fanotify_mark", 957: "inotify_add_watch", 956: "inotify_add_watch", 947: "statfs", 946: "statfs", 945: "fstatfs", 944: "fstatfs", 939: "utimensat", 938: "utimensat", 937: "futimesat", 936: "futimesat", 927: "fsync", 926: "fsync", 925: "fdatasync", 924: "fdatasync", 883: "setxattr", 882: "setxattr", 881: "lsetxattr", 880: "lsetxattr", 877: "getxattr", 876: "getxattr", 875: "lgetxattr", 874: "lgetxattr", 871: "listxattr", 870: "listxattr", 869: "llistxattr", 868: "llistxattr", 865: "removexattr", 864: "removexattr", 863: "lremovexattr", 862: "lremovexattr", 857: "open_tree", 856: "open_tree", 829: "getdents", 828: "getdents", 827: "getdents64", 826: "getdents64", 825: "ioctl", 824: "ioctl", 823: "fcntl", 822: "fcntl", 821: "mknodat", 820: "mknodat", 819: "mknod", 818: "mknod", 817: "mkdirat", 816: "mkdirat", 815: "mkdir", 814: "mkdir", 813: "rmdir", 812: "rmdir", 811: "unlinkat", 810: "unlinkat", 809: "unlink", 808: "unlink", 807: "symlinkat", 806: "symlinkat", 805: "symlink", 804: "symlink", 803: "linkat", 802: "linkat", 801: "link", 800: "link", 799: "renameat2", 798: "renameat2", 797: "renameat", 796: "renameat", 795: "rename", 794: "rename", 789: "execve", 788: "execve", 787: "execveat", 786: "execveat", 785: "newstat", 784: "newstat", 783: "newlstat", 782: "newlstat", 781: "newfstatat", 780: "newfstatat", 779: "newfstat", 778: "newfstat", 777: "readlinkat", 776: "readlinkat", 773: "statx", 772: "statx", 771: "lseek", 770: "lseek", 769: "read", 768: "read", 767: "write", 766: "write", 765: "pread64", 764: "pread64", 763: "pwrite64", 762: "pwrite64", 743: "ftruncate", 742: "ftruncate", 739: "faccessat", 738: "faccessat", 737: "faccessat2", 736: "faccessat2", 735: "access", 734: "access", 733: "chdir", 732: "chdir", 731: "fchdir", 730: "fchdir", 729: "chroot", 728: "chroot", 727: "fchmod", 726: "fchmod", 725: "fchmodat2", 724: "fchmodat2", 723: "fchmodat", 722: "fchmodat", 721: "chmod", 
720: "chmod", 719: "fchownat", 718: "fchownat", 717: "chown", 716: "chown", 715: "lchown", 714: "lchown", 713: "fchown", 712: "fchown", 711: "open", 710: "open", 709: "openat", 708: "openat", 707: "openat2", 706: "openat2", 705: "creat", 704: "creat", 703: "close", 702: "close", 701: "close_range", 700: "close_range", 528: "cachestat", 527: "cachestat", } func (s TraceId) String() string { @@ -56,12 +56,13 @@ type OpenEvent struct { Pid uint32 Tid uint32 Time uint32 + Flags int32 Filename [MAX_FILENAME_LENGTH]byte Comm [MAX_PROGNAME_LENGTH]byte } func (o OpenEvent) String() string { - return fmt.Sprintf("EventType:%v TraceId:%v Pid:%v Tid:%v Time:%v Filename:%v Comm:%v", o.EventType, o.TraceId, o.Pid, o.Tid, o.Time, string(o.Filename[:]), string(o.Comm[:])) + return fmt.Sprintf("EventType:%v TraceId:%v Pid:%v Tid:%v Time:%v Flags:%v Filename:%v Comm:%v", o.EventType, o.TraceId, o.Pid, o.Tid, o.Time, o.Flags, string(o.Filename[:]), string(o.Comm[:])) } func (o *OpenEvent) GetEventType() EventType { 
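Review bot: `OpenEvent.String()` still formats `Filename` and `Comm` with `%v` over the whole fixed-size arrays, so the output carries whatever padding bytes follow the name, and bytes that presumably come from the traced process are printed unescaped; a path containing newlines or terminal control sequences would land verbatim in logs or on the console. Cutting at the first NUL and quoting would avoid both, e.g. `name, _, _ := bytes.Cut(o.Filename[:], []byte{0})` with `Filename:%q` (and the same for `Comm`), which needs `bytes` imported. The path suggests this file is generated, so the change presumably belongs in the generator template, and the other event types' String methods outside this hunk likely share the pattern. The new `Flags` value would also be easier to read against the open(2) flag constants as `Flags:%#o` than as a decimal `%v`. The OpenEvent struct begins above the hunk, so only the fields from `Pid` on are visible here.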
@@ -351,113 +352,151 @@ func (p *PathEvent) Recycle() { poolOfPathEvents.Put(p) } -const SYS_EXIT_CACHESTAT TraceId = 527 -const SYS_ENTER_CACHESTAT TraceId = 528 -const SYS_EXIT_CLOSE_RANGE TraceId = 700 -const SYS_ENTER_CLOSE_RANGE TraceId = 701 -const SYS_EXIT_CLOSE TraceId = 702 -const SYS_ENTER_CLOSE TraceId = 703 -const SYS_EXIT_CREAT TraceId = 704 -const SYS_ENTER_CREAT TraceId = 705 -const SYS_EXIT_FCHOWN TraceId = 712 -const SYS_ENTER_FCHOWN TraceId = 713 -const SYS_EXIT_FCHMOD TraceId = 726 -const SYS_ENTER_FCHMOD TraceId = 727 -const SYS_EXIT_FCHDIR TraceId = 730 -const SYS_ENTER_FCHDIR TraceId = 731 -const SYS_EXIT_FTRUNCATE TraceId = 742 -const SYS_ENTER_FTRUNCATE TraceId = 743 -const SYS_EXIT_COPY_FILE_RANGE TraceId = 746 -const SYS_ENTER_COPY_FILE_RANGE TraceId = 747 -const SYS_EXIT_PWRITE64 TraceId = 762 -const SYS_ENTER_PWRITE64 TraceId = 763 -const SYS_EXIT_PREAD64 TraceId = 764 -const SYS_ENTER_PREAD64 TraceId = 765 -const SYS_EXIT_WRITE TraceId = 766 -const SYS_ENTER_WRITE TraceId = 767 -const SYS_EXIT_READ TraceId = 768 -const SYS_ENTER_READ TraceId = 769 -const SYS_EXIT_LSEEK TraceId = 770 -const SYS_ENTER_LSEEK TraceId = 771 -const SYS_EXIT_READLINKAT TraceId = 776 -const SYS_ENTER_READLINKAT TraceId = 777 -const SYS_EXIT_NEWFSTAT TraceId = 778 -const SYS_ENTER_NEWFSTAT TraceId = 779 -const SYS_EXIT_RENAME TraceId = 794 -const SYS_ENTER_RENAME TraceId = 795 -const SYS_EXIT_RENAMEAT TraceId = 796 -const SYS_ENTER_RENAMEAT TraceId = 797 -const SYS_EXIT_RENAMEAT2 TraceId = 798 -const SYS_ENTER_RENAMEAT2 TraceId = 799 -const SYS_EXIT_LINK TraceId = 800 -const SYS_ENTER_LINK TraceId = 801 -const SYS_EXIT_LINKAT TraceId = 802 -const SYS_ENTER_LINKAT TraceId = 803 -const SYS_EXIT_SYMLINK TraceId = 804 -const SYS_ENTER_SYMLINK TraceId = 805 -const SYS_EXIT_SYMLINKAT TraceId = 806 -const SYS_ENTER_SYMLINKAT TraceId = 807 -const SYS_EXIT_UNLINK TraceId = 808 -const SYS_ENTER_UNLINK TraceId = 809 -const SYS_EXIT_UNLINKAT TraceId = 810 -const 
SYS_ENTER_UNLINKAT TraceId = 811 -const SYS_EXIT_RMDIR TraceId = 812 -const SYS_ENTER_RMDIR TraceId = 813 -const SYS_EXIT_MKDIR TraceId = 814 -const SYS_ENTER_MKDIR TraceId = 815 -const SYS_EXIT_MKDIRAT TraceId = 816 -const SYS_ENTER_MKDIRAT TraceId = 817 -const SYS_EXIT_FCNTL TraceId = 822 -const SYS_ENTER_FCNTL TraceId = 823 -const SYS_EXIT_IOCTL TraceId = 824 -const SYS_ENTER_IOCTL TraceId = 825 -const SYS_EXIT_GETDENTS64 TraceId = 826 -const SYS_ENTER_GETDENTS64 TraceId = 827 -const SYS_EXIT_GETDENTS TraceId = 828 -const SYS_ENTER_GETDENTS TraceId = 829 -const SYS_EXIT_LREMOVEXATTR TraceId = 862 -const SYS_ENTER_LREMOVEXATTR TraceId = 863 -const SYS_EXIT_REMOVEXATTR TraceId = 864 -const SYS_ENTER_REMOVEXATTR TraceId = 865 -const SYS_EXIT_LLISTXATTR TraceId = 868 -const SYS_ENTER_LLISTXATTR TraceId = 869 -const SYS_EXIT_LISTXATTR TraceId = 870 -const SYS_ENTER_LISTXATTR TraceId = 871 -const SYS_EXIT_LGETXATTR TraceId = 874 -const SYS_ENTER_LGETXATTR TraceId = 875 -const SYS_EXIT_GETXATTR TraceId = 876 -const SYS_ENTER_GETXATTR TraceId = 877 -const SYS_EXIT_LSETXATTR TraceId = 880 -const SYS_ENTER_LSETXATTR TraceId = 881 -const SYS_EXIT_SETXATTR TraceId = 882 -const SYS_ENTER_SETXATTR TraceId = 883 -const SYS_EXIT_SYNC_FILE_RANGE TraceId = 922 -const SYS_ENTER_SYNC_FILE_RANGE TraceId = 923 -const SYS_EXIT_FDATASYNC TraceId = 924 -const SYS_ENTER_FDATASYNC TraceId = 925 -const SYS_EXIT_FSYNC TraceId = 926 -const SYS_ENTER_FSYNC TraceId = 927 -const SYS_EXIT_FSTATFS TraceId = 944 -const SYS_ENTER_FSTATFS TraceId = 945 -const SYS_EXIT_STATFS TraceId = 946 -const SYS_ENTER_STATFS TraceId = 947 -const SYS_EXIT_INOTIFY_RM_WATCH TraceId = 954 -const SYS_ENTER_INOTIFY_RM_WATCH TraceId = 955 -const SYS_EXIT_INOTIFY_ADD_WATCH TraceId = 956 -const SYS_ENTER_INOTIFY_ADD_WATCH TraceId = 957 -const SYS_EXIT_FANOTIFY_MARK TraceId = 962 -const SYS_ENTER_FANOTIFY_MARK TraceId = 963 -const SYS_EXIT_FLOCK TraceId = 1020 -const SYS_ENTER_FLOCK TraceId = 1021 -const 
SYS_EXIT_QUOTACTL_FD TraceId = 1051 -const SYS_ENTER_QUOTACTL_FD TraceId = 1052 -const SYS_EXIT_MQ_UNLINK TraceId = 1321 -const SYS_ENTER_MQ_UNLINK TraceId = 1322 -const SYS_EXIT_IO_URING_REGISTER TraceId = 1377 -const SYS_ENTER_IO_URING_REGISTER TraceId = 1378 -const SYS_EXIT_IO_URING_ENTER TraceId = 1381 const SYS_ENTER_IO_URING_ENTER TraceId = 1382 -const SYS_EXIT_OPEN TraceId = 1 -const SYS_ENTER_OPEN TraceId = 2 -const SYS_EXIT_OPENAT TraceId = 3 -const SYS_ENTER_OPENAT TraceId = 4 +const SYS_EXIT_IO_URING_ENTER TraceId = 1381 +const SYS_ENTER_IO_URING_REGISTER TraceId = 1378 +const SYS_EXIT_IO_URING_REGISTER TraceId = 1377 +const SYS_ENTER_QUOTACTL_FD TraceId = 1052 +const SYS_EXIT_QUOTACTL_FD TraceId = 1051 +const SYS_ENTER_FLOCK TraceId = 1021 +const SYS_EXIT_FLOCK TraceId = 1020 +const SYS_ENTER_FANOTIFY_MARK TraceId = 963 +const SYS_EXIT_FANOTIFY_MARK TraceId = 962 +const SYS_ENTER_INOTIFY_ADD_WATCH TraceId = 957 +const SYS_EXIT_INOTIFY_ADD_WATCH TraceId = 956 +const SYS_ENTER_STATFS TraceId = 947 +const SYS_EXIT_STATFS TraceId = 946 +const SYS_ENTER_FSTATFS TraceId = 945 +const SYS_EXIT_FSTATFS TraceId = 944 +const SYS_ENTER_UTIMENSAT TraceId = 939 +const SYS_EXIT_UTIMENSAT TraceId = 938 +const SYS_ENTER_FUTIMESAT TraceId = 937 +const SYS_EXIT_FUTIMESAT TraceId = 936 +const SYS_ENTER_FSYNC TraceId = 927 +const SYS_EXIT_FSYNC TraceId = 926 +const SYS_ENTER_FDATASYNC TraceId = 925 +const SYS_EXIT_FDATASYNC TraceId = 924 +const SYS_ENTER_SETXATTR TraceId = 883 +const SYS_EXIT_SETXATTR TraceId = 882 +const SYS_ENTER_LSETXATTR TraceId = 881 +const SYS_EXIT_LSETXATTR TraceId = 880 +const SYS_ENTER_GETXATTR TraceId = 877 +const SYS_EXIT_GETXATTR TraceId = 876 +const SYS_ENTER_LGETXATTR TraceId = 875 +const SYS_EXIT_LGETXATTR TraceId = 874 +const SYS_ENTER_LISTXATTR TraceId = 871 +const SYS_EXIT_LISTXATTR TraceId = 870 +const SYS_ENTER_LLISTXATTR TraceId = 869 +const SYS_EXIT_LLISTXATTR TraceId = 868 +const SYS_ENTER_REMOVEXATTR TraceId = 865 +const 
SYS_EXIT_REMOVEXATTR TraceId = 864 +const SYS_ENTER_LREMOVEXATTR TraceId = 863 +const SYS_EXIT_LREMOVEXATTR TraceId = 862 +const SYS_ENTER_OPEN_TREE TraceId = 857 +const SYS_EXIT_OPEN_TREE TraceId = 856 +const SYS_ENTER_GETDENTS TraceId = 829 +const SYS_EXIT_GETDENTS TraceId = 828 +const SYS_ENTER_GETDENTS64 TraceId = 827 +const SYS_EXIT_GETDENTS64 TraceId = 826 +const SYS_ENTER_IOCTL TraceId = 825 +const SYS_EXIT_IOCTL TraceId = 824 +const SYS_ENTER_FCNTL TraceId = 823 +const SYS_EXIT_FCNTL TraceId = 822 +const SYS_ENTER_MKNODAT TraceId = 821 +const SYS_EXIT_MKNODAT TraceId = 820 +const SYS_ENTER_MKNOD TraceId = 819 +const SYS_EXIT_MKNOD TraceId = 818 +const SYS_ENTER_MKDIRAT TraceId = 817 +const SYS_EXIT_MKDIRAT TraceId = 816 +const SYS_ENTER_MKDIR TraceId = 815 +const SYS_EXIT_MKDIR TraceId = 814 +const SYS_ENTER_RMDIR TraceId = 813 +const SYS_EXIT_RMDIR TraceId = 812 +const SYS_ENTER_UNLINKAT TraceId = 811 +const SYS_EXIT_UNLINKAT TraceId = 810 +const SYS_ENTER_UNLINK TraceId = 809 +const SYS_EXIT_UNLINK TraceId = 808 +const SYS_ENTER_SYMLINKAT TraceId = 807 +const SYS_EXIT_SYMLINKAT TraceId = 806 +const SYS_ENTER_SYMLINK TraceId = 805 +const SYS_EXIT_SYMLINK TraceId = 804 +const SYS_ENTER_LINKAT TraceId = 803 +const SYS_EXIT_LINKAT TraceId = 802 +const SYS_ENTER_LINK TraceId = 801 +const SYS_EXIT_LINK TraceId = 800 +const SYS_ENTER_RENAMEAT2 TraceId = 799 +const SYS_EXIT_RENAMEAT2 TraceId = 798 +const SYS_ENTER_RENAMEAT TraceId = 797 +const SYS_EXIT_RENAMEAT TraceId = 796 +const SYS_ENTER_RENAME TraceId = 795 +const SYS_EXIT_RENAME TraceId = 794 +const SYS_ENTER_EXECVE TraceId = 789 +const SYS_EXIT_EXECVE TraceId = 788 +const SYS_ENTER_EXECVEAT TraceId = 787 +const SYS_EXIT_EXECVEAT TraceId = 786 +const SYS_ENTER_NEWSTAT TraceId = 785 +const SYS_EXIT_NEWSTAT TraceId = 784 +const SYS_ENTER_NEWLSTAT TraceId = 783 +const SYS_EXIT_NEWLSTAT TraceId = 782 +const SYS_ENTER_NEWFSTATAT TraceId = 781 +const SYS_EXIT_NEWFSTATAT TraceId = 780 +const SYS_ENTER_NEWFSTAT 
TraceId = 779 +const SYS_EXIT_NEWFSTAT TraceId = 778 +const SYS_ENTER_READLINKAT TraceId = 777 +const SYS_EXIT_READLINKAT TraceId = 776 +const SYS_ENTER_STATX TraceId = 773 +const SYS_EXIT_STATX TraceId = 772 +const SYS_ENTER_LSEEK TraceId = 771 +const SYS_EXIT_LSEEK TraceId = 770 +const SYS_ENTER_READ TraceId = 769 +const SYS_EXIT_READ TraceId = 768 +const SYS_ENTER_WRITE TraceId = 767 +const SYS_EXIT_WRITE TraceId = 766 +const SYS_ENTER_PREAD64 TraceId = 765 +const SYS_EXIT_PREAD64 TraceId = 764 +const SYS_ENTER_PWRITE64 TraceId = 763 +const SYS_EXIT_PWRITE64 TraceId = 762 +const SYS_ENTER_FTRUNCATE TraceId = 743 +const SYS_EXIT_FTRUNCATE TraceId = 742 +const SYS_ENTER_FACCESSAT TraceId = 739 +const SYS_EXIT_FACCESSAT TraceId = 738 +const SYS_ENTER_FACCESSAT2 TraceId = 737 +const SYS_EXIT_FACCESSAT2 TraceId = 736 +const SYS_ENTER_ACCESS TraceId = 735 +const SYS_EXIT_ACCESS TraceId = 734 +const SYS_ENTER_CHDIR TraceId = 733 +const SYS_EXIT_CHDIR TraceId = 732 +const SYS_ENTER_FCHDIR TraceId = 731 +const SYS_EXIT_FCHDIR TraceId = 730 +const SYS_ENTER_CHROOT TraceId = 729 +const SYS_EXIT_CHROOT TraceId = 728 +const SYS_ENTER_FCHMOD TraceId = 727 +const SYS_EXIT_FCHMOD TraceId = 726 +const SYS_ENTER_FCHMODAT2 TraceId = 725 +const SYS_EXIT_FCHMODAT2 TraceId = 724 +const SYS_ENTER_FCHMODAT TraceId = 723 +const SYS_EXIT_FCHMODAT TraceId = 722 +const SYS_ENTER_CHMOD TraceId = 721 +const SYS_EXIT_CHMOD TraceId = 720 +const SYS_ENTER_FCHOWNAT TraceId = 719 +const SYS_EXIT_FCHOWNAT TraceId = 718 +const SYS_ENTER_CHOWN TraceId = 717 +const SYS_EXIT_CHOWN TraceId = 716 +const SYS_ENTER_LCHOWN TraceId = 715 +const SYS_EXIT_LCHOWN TraceId = 714 +const SYS_ENTER_FCHOWN TraceId = 713 +const SYS_EXIT_FCHOWN TraceId = 712 +const SYS_ENTER_OPEN TraceId = 711 +const SYS_EXIT_OPEN TraceId = 710 +const SYS_ENTER_OPENAT TraceId = 709 +const SYS_EXIT_OPENAT TraceId = 708 +const SYS_ENTER_OPENAT2 TraceId = 707 +const SYS_EXIT_OPENAT2 TraceId = 706 +const SYS_ENTER_CREAT TraceId = 705 
+const SYS_EXIT_CREAT TraceId = 704 +const SYS_ENTER_CLOSE TraceId = 703 +const SYS_EXIT_CLOSE TraceId = 702 +const SYS_ENTER_CLOSE_RANGE TraceId = 701 +const SYS_EXIT_CLOSE_RANGE TraceId = 700 +const SYS_ENTER_CACHESTAT TraceId = 528 +const SYS_EXIT_CACHESTAT TraceId = 527 |
