g7 classify fd-from-air eventfd users

author: Paul Buetow <paul@buetow.org> 2026-05-21 11:45:09 +0300
committer: Paul Buetow <paul@buetow.org> 2026-05-21 11:45:09 +0300
commit: 8bd5f17ae2cd662b21fcd45a849c4b701a3aa40f (patch)
tree: 338b145f35995aa5db1726f93f862a79a9de7a2a
parent: c58aa139f5e7252aefb1bcacb5fa8b9ea8cdcdef (diff)
10 files changed, 273 insertions, 70 deletions
diff --git a/integrationtests/attach_tracepoints_test.go b/integrationtests/attach_tracepoints_test.go
index 7121422..f66ecca 100644
--- a/integrationtests/attach_tracepoints_test.go
+++ b/integrationtests/attach_tracepoints_test.go
@@ -121,3 +121,24 @@ func TestAttachTraceKindsPidfdOnly(t *testing.T) {
 		{Tracepoint: "enter_pidfd_getfd", Comm: "ioworkload"},
 	})
 }
+
+func TestAttachTraceKindsEventfdOnly(t *testing.T) {
+	enableParallelIfRequested(t)
+	h := newTestHarness(t)
+
+	result, pid, err := h.RunWithIorArgs("polling-epoll", defaultDuration, []string{
+		"-trace-kinds", "eventfd",
+	})
+	if err != nil {
+		t.Fatalf("run scenario polling-epoll with trace-kinds=eventfd: %v", err)
+	}
+
+	AssertNoUnexpectedPID(t, result, pid)
+	AssertNoUnexpectedComm(t, result, "ioworkload")
+	AssertEventsPresent(t, result, []ExpectedEvent{
+		{Tracepoint: "enter_epoll_create1", Comm: "ioworkload", MinCount: 1},
+	})
+	AssertEventsAbsent(t, result, []ExpectedEvent{
+		{Tracepoint: "enter_epoll_wait", Comm: "ioworkload"},
+	})
+}
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index b2fff2e..d85508c 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -1994,7 +1994,7 @@ int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx) {
     return 0;
 }
 
-/// sys_enter_landlock_create_ruleset is a struct null_event (kind=null)
+/// sys_enter_landlock_create_ruleset is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_landlock_create_ruleset")
 int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -2004,21 +2004,25 @@ int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_CREATE_RULESET))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_LANDLOCK_CREATE_RULESET;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = (__s32)ctx->args[2];
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_landlock_create_ruleset is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_landlock_create_ruleset")
 int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -2028,17 +2032,23 @@ int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_CREATE_RULESET, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_LANDLOCK_CREATE_RULESET;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
@@ -4380,7 +4390,7 @@ int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx) {
     return 0;
 }
 
-/// sys_enter_epoll_create1 is a struct null_event (kind=null)
+/// sys_enter_epoll_create1 is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_epoll_create1")
 int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -4390,21 +4400,25 @@ int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE1))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_EPOLL_CREATE1;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = (__s32)ctx->args[0];
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_epoll_create1 is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_epoll_create1")
 int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -4414,23 +4428,29 @@ int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE1, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_EPOLL_CREATE1;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_enter_epoll_create is a struct null_event (kind=null)
+/// sys_enter_epoll_create is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_epoll_create")
 int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -4440,21 +4460,25 @@ int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_EPOLL_CREATE;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = (__s32)ctx->args[0];
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_epoll_create is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_epoll_create")
 int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -4464,17 +4488,23 @@ int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_EPOLL_CREATE;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
@@ -4693,7 +4723,7 @@ int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx) {
     return 0;
 }
 
-/// sys_enter_fanotify_init is a struct null_event (kind=null)
+/// sys_enter_fanotify_init is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_fanotify_init")
 int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -4703,21 +4733,25 @@ int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_INIT))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_FANOTIFY_INIT;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = (__s32)ctx->args[0];
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_fanotify_init is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_fanotify_init")
 int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -4727,17 +4761,23 @@ int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_FANOTIFY_INIT, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_FANOTIFY_INIT;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
@@ -4795,7 +4835,7 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) {
     return 0;
 }
 
-/// sys_enter_inotify_init1 is a struct null_event (kind=null)
+/// sys_enter_inotify_init1 is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_inotify_init1")
 int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -4805,21 +4845,25 @@ int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT1))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_INOTIFY_INIT1;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = (__s32)ctx->args[0];
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_inotify_init1 is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_inotify_init1")
 int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -4829,23 +4873,29 @@ int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT1, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_INOTIFY_INIT1;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_enter_inotify_init is a struct null_event (kind=null)
+/// sys_enter_inotify_init is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_inotify_init")
 int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -4855,21 +4905,25 @@ int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_INOTIFY_INIT;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_inotify_init is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_inotify_init")
 int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -4879,17 +4933,23 @@ int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_INOTIFY_INIT;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
@@ -5101,7 +5161,7 @@ int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) {
     return 0;
 }
 
-/// sys_enter_fsopen is a struct null_event (kind=null)
+/// sys_enter_fsopen is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_enter_fsopen")
 int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) {
     __u32 pid, tid;
@@ -5111,21 +5171,25 @@ int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) {
     if (!ior_on_syscall_enter(tid, SYS_ENTER_FSOPEN))
         return 0;
 
-    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = ENTER_NULL_EVENT;
+    ev->event_type = ENTER_EVENTFD_EVENT;
     ev->trace_id = SYS_ENTER_FSOPEN;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = (__s32)ctx->args[1];
+    bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+    ev->flags = flags;
+    ev->ret = -1;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
 }
 
-/// sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_fsopen is a struct eventfd_event (kind=eventfd)
 SEC("tracepoint/syscalls/sys_exit_fsopen")
 int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) {
     __u32 pid, tid;
@@ -5135,17 +5199,23 @@ int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) {
     if (!ior_on_syscall_exit(tid, SYS_EXIT_FSOPEN, ctx->ret))
         return 0;
 
-    struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+    struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
     if (!ev)
         return 0;
 
-    ev->event_type = EXIT_RET_EVENT;
+    ev->event_type = EXIT_EVENTFD_EVENT;
     ev->trace_id = SYS_EXIT_FSOPEN;
     ev->pid = pid;
     ev->tid = tid;
     ev->time = bpf_ktime_get_boot_ns();
+    __s32 flags = 0;
+    __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+    if (pending) {
+        flags = *pending;
+        bpf_map_delete_elem(&eventfd_flags_map, &tid);
+    }
+    ev->flags = flags;
     ev->ret = ctx->ret;
-    ev->ret_type = UNCLASSIFIED;
 
     bpf_ringbuf_submit(ev, 0);
     return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index bca5fcf..85dc95f 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -32,8 +32,8 @@ sys_enter_delete_module is a struct null_event (kind=null)
 sys_enter_dup is a struct fd_event (kind=fd)
 sys_enter_dup2 is a struct fd_event (kind=fd)
 sys_enter_dup3 is a struct dup3_event (kind=dup3)
-sys_enter_epoll_create is a struct null_event (kind=null)
-sys_enter_epoll_create1 is a struct null_event (kind=null)
+sys_enter_epoll_create is a struct eventfd_event (kind=eventfd)
+sys_enter_epoll_create1 is a struct eventfd_event (kind=eventfd)
 sys_enter_epoll_ctl is a struct epoll_ctl_event (kind=epoll-ctl)
 sys_enter_epoll_pwait is a struct fd_event (kind=fd)
 sys_enter_epoll_pwait2 is a struct fd_event (kind=fd)
@@ -48,7 +48,7 @@ sys_enter_faccessat is a struct path_event (kind=pathname)
 sys_enter_faccessat2 is a struct path_event (kind=pathname)
 sys_enter_fadvise64 is a struct fd_event (kind=fd)
 sys_enter_fallocate is a struct fd_event (kind=fd)
-sys_enter_fanotify_init is a struct null_event (kind=null)
+sys_enter_fanotify_init is a struct eventfd_event (kind=eventfd)
 sys_enter_fanotify_mark is a struct path_event (kind=pathname)
 sys_enter_fchdir is a struct fd_event (kind=fd)
 sys_enter_fchmod is a struct fd_event (kind=fd)
@@ -69,7 +69,7 @@ sys_enter_fremovexattr is a struct fd_event (kind=fd)
 sys_enter_fsconfig is a struct fd_event (kind=fd)
 sys_enter_fsetxattr is a struct fd_event (kind=fd)
 sys_enter_fsmount is a struct eventfd_event (kind=eventfd)
-sys_enter_fsopen is a struct null_event (kind=null)
+sys_enter_fsopen is a struct eventfd_event (kind=eventfd)
 sys_enter_fspick is a struct path_event (kind=pathname)
 sys_enter_fstatfs is a struct fd_event (kind=fd)
 sys_enter_fsync is a struct fd_event (kind=fd)
@@ -112,8 +112,8 @@ sys_enter_getxattr is a struct path_event (kind=pathname)
 sys_enter_getxattrat is a struct path_event (kind=pathname)
 sys_enter_init_module is a struct null_event (kind=null)
 sys_enter_inotify_add_watch is a struct fd_event (kind=fd)
-sys_enter_inotify_init is a struct null_event (kind=null)
-sys_enter_inotify_init1 is a struct null_event (kind=null)
+sys_enter_inotify_init is a struct eventfd_event (kind=eventfd)
+sys_enter_inotify_init1 is a struct eventfd_event (kind=eventfd)
 sys_enter_inotify_rm_watch is a struct fd_event (kind=fd)
 sys_enter_io_cancel is a struct null_event (kind=null)
 sys_enter_io_destroy is a struct null_event (kind=null)
@@ -135,7 +135,7 @@ sys_enter_kexec_load is a struct null_event (kind=null)
 sys_enter_keyctl is a struct keyctl_event (kind=keyctl)
 sys_enter_kill is a struct null_event (kind=null)
 sys_enter_landlock_add_rule is a struct null_event (kind=null)
-sys_enter_landlock_create_ruleset is a struct null_event (kind=null)
+sys_enter_landlock_create_ruleset is a struct eventfd_event (kind=eventfd)
 sys_enter_landlock_restrict_self is a struct null_event (kind=null)
 sys_enter_lchown is a struct path_event (kind=pathname)
 sys_enter_lgetxattr is a struct path_event (kind=pathname)
@@ -399,8 +399,8 @@ sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_dup is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_epoll_create is a struct eventfd_event (kind=eventfd)
+sys_exit_epoll_create1 is a struct eventfd_event (kind=eventfd)
 sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
@@ -415,7 +415,7 @@ sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_fanotify_init is a struct eventfd_event (kind=eventfd)
 sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) (kind=ret)
@@ -436,7 +436,7 @@ sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fsmount is a struct eventfd_event (kind=eventfd)
-sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_fsopen is a struct eventfd_event (kind=eventfd)
 sys_exit_fspick is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_fsync is a struct ret_event (UNCLASSIFIED) (kind=ret)
@@ -479,8 +479,8 @@ sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
 sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_init_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_inotify_init is a struct eventfd_event (kind=eventfd)
+sys_exit_inotify_init1 is a struct eventfd_event (kind=eventfd)
 sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) (kind=ret)
@@ -502,7 +502,7 @@ sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_kill is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_landlock_create_ruleset is a struct eventfd_event (kind=eventfd)
 sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_lchown is a struct ret_event (UNCLASSIFIED) (kind=ret)
 sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
diff --git a/internal/eventloop_exit.go b/internal/eventloop_exit.go
index df2e557..1212de6 100644
--- a/internal/eventloop_exit.go
+++ b/internal/eventloop_exit.go
@@ -508,6 +508,16 @@ func pipeDescriptorName(flags, fd0, fd1 int32) string {
 
 func eventfdDescriptorName(traceID types.TraceId, flags int32) string {
 	switch traceID {
+	case types.SYS_ENTER_EPOLL_CREATE, types.SYS_ENTER_EPOLL_CREATE1:
+		return fmt.Sprintf("epollfd:%d", flags)
+	case types.SYS_ENTER_INOTIFY_INIT, types.SYS_ENTER_INOTIFY_INIT1:
+		return fmt.Sprintf("inotifyfd:%d", flags)
+	case types.SYS_ENTER_FANOTIFY_INIT:
+		return fmt.Sprintf("fanotifyfd:%d", flags)
+	case types.SYS_ENTER_LANDLOCK_CREATE_RULESET:
+		return fmt.Sprintf("landlockfd:%d", flags)
+	case types.SYS_ENTER_FSOPEN:
+		return fmt.Sprintf("fsopenfd:%d", flags)
 	case types.SYS_ENTER_MEMFD_CREATE:
 		return fmt.Sprintf("memfd:%d", flags)
 	case types.SYS_ENTER_MEMFD_SECRET:
diff --git a/internal/eventloop_ipc_test.go b/internal/eventloop_ipc_test.go
index 6eaf8f3..53b8be7 100644
--- a/internal/eventloop_ipc_test.go
+++ b/internal/eventloop_ipc_test.go
@@ -111,6 +111,11 @@ func TestEventfdDescriptorNameByTraceID(t *testing.T) {
 		want    string
 	}{
 		{name: "eventfd", traceID: types.SYS_ENTER_EVENTFD2, flags: 1, want: "eventfd:1"},
+		{name: "epoll_create1", traceID: types.SYS_ENTER_EPOLL_CREATE1, flags: 11, want: "epollfd:11"},
+		{name: "inotify_init1", traceID: types.SYS_ENTER_INOTIFY_INIT1, flags: 12, want: "inotifyfd:12"},
+		{name: "fanotify_init", traceID: types.SYS_ENTER_FANOTIFY_INIT, flags: 13, want: "fanotifyfd:13"},
+		{name: "landlock_create_ruleset", traceID: types.SYS_ENTER_LANDLOCK_CREATE_RULESET, flags: 14, want: "landlockfd:14"},
+		{name: "fsopen", traceID: types.SYS_ENTER_FSOPEN, flags: 15, want: "fsopenfd:15"},
 		{name: "memfd_create", traceID: types.SYS_ENTER_MEMFD_CREATE, flags: 2, want: "memfd:2"},
 		{name: "memfd_secret", traceID: types.SYS_ENTER_MEMFD_SECRET, flags: 3, want: "memfd-secret:3"},
 		{name: "userfaultfd", traceID: types.SYS_ENTER_USERFAULTFD, flags: 4, want: "userfaultfd:4"},
diff --git a/internal/generate/bpfhandler.go b/internal/generate/bpfhandler.go
index 85377f1..fb4a4e3 100644
--- a/internal/generate/bpfhandler.go
+++ b/internal/generate/bpfhandler.go
@@ -262,6 +262,16 @@ func generateExtraEventfd(f *Format, isEnter bool) string {
 	if isEnter {
 		flagsExpr := "0"
 		switch f.Name {
+		case "sys_enter_epoll_create":
+			flagsExpr = "(__s32)ctx->args[0]"
+		case "sys_enter_epoll_create1":
+			flagsExpr = "(__s32)ctx->args[0]"
+		case "sys_enter_inotify_init1":
+			flagsExpr = "(__s32)ctx->args[0]"
+		case "sys_enter_fanotify_init":
+			flagsExpr = "(__s32)ctx->args[0]"
+		case "sys_enter_landlock_create_ruleset":
+			flagsExpr = "(__s32)ctx->args[2]"
 		case "sys_enter_eventfd2":
 			flagsExpr = "(__s32)ctx->args[1]"
 		case "sys_enter_memfd_create":
diff --git a/internal/generate/classify.go b/internal/generate/classify.go
index 69ada90..9896976 100644
--- a/internal/generate/classify.go
+++ b/internal/generate/classify.go
@@ -206,6 +206,34 @@ func classifyNameOnly(name string) (ClassificationResult, bool) {
 		return ClassificationResult{Kind: KindEventfd}, true
 	case "sys_exit_timerfd_create":
 		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_epoll_create":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_epoll_create":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_epoll_create1":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_epoll_create1":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_inotify_init":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_inotify_init":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_inotify_init1":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_inotify_init1":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_fanotify_init":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_fanotify_init":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_landlock_create_ruleset":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_landlock_create_ruleset":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_enter_fsopen":
+		return ClassificationResult{Kind: KindEventfd}, true
+	case "sys_exit_fsopen":
+		return ClassificationResult{Kind: KindEventfd}, true
 	case "sys_enter_pidfd_open":
 		return ClassificationResult{Kind: KindPidfd}, true
 	case "sys_exit_pidfd_open":
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 4b156ff..b51877c 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -654,6 +654,43 @@ func TestClassifyN7NameOnlyKinds(t *testing.T) {
 	}
 }
 
+func TestClassifyG7NameOnlyKinds(t *testing.T) {
+	tests := []struct {
+		name string
+		want TracepointKind
+	}{
+		{"sys_enter_epoll_create", KindEventfd},
+		{"sys_exit_epoll_create", KindEventfd},
+		{"sys_enter_epoll_create1", KindEventfd},
+		{"sys_exit_epoll_create1", KindEventfd},
+		{"sys_enter_inotify_init", KindEventfd},
+		{"sys_exit_inotify_init", KindEventfd},
+		{"sys_enter_inotify_init1", KindEventfd},
+		{"sys_exit_inotify_init1", KindEventfd},
+		{"sys_enter_fanotify_init", KindEventfd},
+		{"sys_exit_fanotify_init", KindEventfd},
+		{"sys_enter_landlock_create_ruleset", KindEventfd},
+		{"sys_exit_landlock_create_ruleset", KindEventfd},
+		{"sys_enter_fsopen", KindEventfd},
+		{"sys_exit_fsopen", KindEventfd},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := ClassifyFormat(&Format{
+				Name: tt.name,
+				ExternalFields: []Field{
+					{Type: "long", Name: "__syscall_nr"},
+					{Type: "long", Name: "arg0"},
+				},
+			})
+			if r.Kind != tt.want {
+				t.Fatalf("%s: got kind %d, want %d", tt.name, r.Kind, tt.want)
+			}
+		})
+	}
+}
+
 func TestClassifyMount(t *testing.T) {
 	r := classifyFromData(t, FormatMount)
 	if r.Kind != KindPathname {
@@ -819,6 +856,13 @@ func TestClassifySyscallPairAccepted(t *testing.T) {
 		{"pipe2", FormatPipe2, FormatExitPipe2, KindPipe},
 		{"eventfd", FormatEventfd, FormatExitEventfd, KindEventfd},
 		{"eventfd2", FormatEventfd2, FormatExitEventfd2, KindEventfd},
+		{"epoll_create", syntheticEnter("epoll_create", 9340), syntheticExit("epoll_create", 9339), KindEventfd},
+		{"epoll_create1", syntheticEnter("epoll_create1", 9342), syntheticExit("epoll_create1", 9341), KindEventfd},
+		{"inotify_init", syntheticEnter("inotify_init", 9344), syntheticExit("inotify_init", 9343), KindEventfd},
+		{"inotify_init1", syntheticEnter("inotify_init1", 9346), syntheticExit("inotify_init1", 9345), KindEventfd},
+		{"fanotify_init", syntheticEnter("fanotify_init", 9348), syntheticExit("fanotify_init", 9347), KindEventfd},
+		{"landlock_create_ruleset", syntheticEnter("landlock_create_ruleset", 9350), syntheticExit("landlock_create_ruleset", 9349), KindEventfd},
+		{"fsopen", syntheticEnter("fsopen", 9352), syntheticExit("fsopen", 9351), KindEventfd},
 		{"pidfd_open", syntheticEnter("pidfd_open", 9320), syntheticExit("pidfd_open", 9319), KindPidfd},
 		{"pidfd_send_signal", syntheticEnter("pidfd_send_signal", 9322), syntheticExit("pidfd_send_signal", 9321), KindFd},
 		{"epoll_ctl", FormatEpollCtl, FormatExitEpollCtl, KindEpollCtl},
diff --git a/internal/tracepoints/dimension_selector_test.go b/internal/tracepoints/dimension_selector_test.go
index da88954..0a332b5 100644
--- a/internal/tracepoints/dimension_selector_test.go
+++ b/internal/tracepoints/dimension_selector_test.go
@@ -63,6 +63,21 @@ func TestParseSelectorWithDimensionsPidfdKindOnly(t *testing.T) {
 	}
 }
 
+func TestParseSelectorWithDimensionsEventfdKindIncludesEpollCreate(t *testing.T) {
+	sel, err := ParseSelectorWithDimensions("", "", DimensionSelectorConfig{
+		TraceKinds: "eventfd",
+	})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !sel.ShouldAttach("sys_enter_epoll_create1") {
+		t.Fatal("expected epoll_create1 to be attached for eventfd kind")
+	}
+	if sel.ShouldAttach("sys_enter_epoll_wait") {
+		t.Fatal("expected epoll_wait to be excluded when only eventfd kind is enabled")
+	}
+}
+
 func TestParseSelectorWithDimensionsSyscallOnly(t *testing.T) {
 	sel, err := ParseSelectorWithDimensions("", "", DimensionSelectorConfig{
 		TraceSyscalls: "openat",
diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go
index 060a779..c45f6d2 100644
--- a/internal/tracepoints/generated_tracepoints.go
+++ b/internal/tracepoints/generated_tracepoints.go
@@ -1143,8 +1143,8 @@ var syscallKinds = map[string]string{
 	"dup":                     "fd",
 	"dup2":                    "fd",
 	"dup3":                    "dup3",
-	"epoll_create":            "null",
-	"epoll_create1":           "null",
+	"epoll_create":            "eventfd",
+	"epoll_create1":           "eventfd",
 	"epoll_ctl":               "epoll-ctl",
 	"epoll_pwait":             "fd",
 	"epoll_pwait2":            "fd",
@@ -1159,7 +1159,7 @@ var syscallKinds = map[string]string{
 	"faccessat2":              "pathname",
 	"fadvise64":               "fd",
 	"fallocate":               "fd",
-	"fanotify_init":           "null",
+	"fanotify_init":           "eventfd",
 	"fanotify_mark":           "pathname",
 	"fchdir":                  "fd",
 	"fchmod":                  "fd",
@@ -1180,7 +1180,7 @@ var syscallKinds = map[string]string{
 	"fsconfig":                "fd",
 	"fsetxattr":               "fd",
 	"fsmount":                 "eventfd",
-	"fsopen":                  "null",
+	"fsopen":                  "eventfd",
 	"fspick":                  "pathname",
 	"fstatfs":                 "fd",
 	"fsync":                   "fd",
@@ -1223,8 +1223,8 @@ var syscallKinds = map[string]string{
 	"getxattrat":              "pathname",
 	"init_module":             "null",
 	"inotify_add_watch":       "fd",
-	"inotify_init":            "null",
-	"inotify_init1":           "null",
+	"inotify_init":            "eventfd",
+	"inotify_init1":           "eventfd",
 	"inotify_rm_watch":        "fd",
 	"io_cancel":               "null",
 	"io_destroy":              "null",
@@ -1246,7 +1246,7 @@ var syscallKinds = map[string]string{
 	"keyctl":                  "keyctl",
 	"kill":                    "null",
 	"landlock_add_rule":       "null",
-	"landlock_create_ruleset": "null",
+	"landlock_create_ruleset": "eventfd",
 	"landlock_restrict_self":  "null",
 	"lchown":                  "pathname",
 	"lgetxattr":               "pathname",
author	Paul Buetow <paul@buetow.org>	2026-05-21 11:45:09 +0300
committer	Paul Buetow <paul@buetow.org>	2026-05-21 11:45:09 +0300
commit	8bd5f17ae2cd662b21fcd45a849c4b701a3aa40f (patch)
tree	338b145f35995aa5db1726f93f862a79a9de7a2a
parent	c58aa139f5e7252aefb1bcacb5fa8b9ea8cdcdef (diff)