| author | Paul Buetow <paul@buetow.org> | 2024-03-02 14:05:20 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-03-02 14:05:20 +0200 |
| commit | b941cec01a9dfb29903b9e55369073df5c283a52 (patch) | |
| tree | 31aca998741d8c8b8275dd3528fff46a65cdaf21 | |
| parent | f4e736903d6a7d2b8e025c8a6f7ef63ff3ec3e3a (diff) | |
C generation for syscalls with oldname and newname args
| -rw-r--r-- | internal/c/generated/tracepoints.c | 382 | ||||
| -rw-r--r-- | internal/c/generated/tracepoints.raku | 27 | ||||
| -rw-r--r-- | internal/c/types.h | 12 | ||||
| -rw-r--r-- | internal/generated/tracepoints/tracepoints.go | 14 | ||||
| -rw-r--r-- | internal/generated/types/types.go | 123 |
5 files changed, 521 insertions, 37 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c index e7e8317..e824de3 100644 --- a/internal/c/generated/tracepoints.c +++ b/internal/c/generated/tracepoints.c @@ -28,6 +28,20 @@ #define SYS_ENTER_LSEEK 763 #define SYS_EXIT_NEWFSTAT 770 #define SYS_ENTER_NEWFSTAT 771 +#define SYS_EXIT_RENAME 786 +#define SYS_ENTER_RENAME 787 +#define SYS_EXIT_RENAMEAT 788 +#define SYS_ENTER_RENAMEAT 789 +#define SYS_EXIT_RENAMEAT2 790 +#define SYS_ENTER_RENAMEAT2 791 +#define SYS_EXIT_LINK 792 +#define SYS_ENTER_LINK 793 +#define SYS_EXIT_LINKAT 794 +#define SYS_ENTER_LINKAT 795 +#define SYS_EXIT_SYMLINK 796 +#define SYS_ENTER_SYMLINK 797 +#define SYS_EXIT_SYMLINKAT 798 +#define SYS_ENTER_SYMLINKAT 799 #define SYS_EXIT_FCNTL 814 #define SYS_ENTER_FCNTL 815 #define SYS_EXIT_IOCTL 816 @@ -89,7 +103,7 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -131,7 +145,7 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -173,7 +187,7 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -215,7 +229,7 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -257,7 +271,7 @@ int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -299,7 +313,7 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -341,7 +355,7 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -374,16 +388,16 @@ int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) { if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; + ev->event_type = ENTER_NULL_EVENT; ev->syscall_id = SYS_ENTER_COPY_FILE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + bpf_ringbuf_submit(ev, 0); return 0; @@ -425,7 +439,7 @@ int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -467,7 +481,7 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -509,7 +523,7 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -551,7 +565,7 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -593,7 +607,7 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -635,7 +649,315 @@ int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + 
return 0; +} + +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 
0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_link") +int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_linkat") +int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 
0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; @@ -677,7 +999,7 @@ int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -719,7 +1041,7 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -761,7 +1083,7 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -803,7 +1125,7 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -836,16 +1158,16 @@ int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) { if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; + ev->event_type = ENTER_NULL_EVENT; ev->syscall_id = SYS_ENTER_SYNC_FILE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + bpf_ringbuf_submit(ev, 0); return 0; @@ -887,7 +1209,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -929,7 +1251,7 @@ int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -971,7 +1293,7 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -1013,7 +1335,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -1055,7 +1377,7 @@ int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -1097,7 +1419,7 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -1139,7 +1461,7 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku index 4613d54..ef79ed6 100644 --- a/internal/c/generated/tracepoints.raku +++ b/internal/c/generated/tracepoints.raku @@ -38,6 +38,8 @@ class Format { has Field @.fields is rw; # file descriptor passed to syscalls. has Bool $.has-fd is rw = False; + # Has tracepoint has got oldname and name + has Bool $.has-name is rw = False; # Syscall returns with a long value (e.g. bytes read/written) has Bool $.has-long-ret is rw = False; @@ -45,6 +47,8 @@ class Format { push @!fields: $field; if ($field.name eq 'fd' && $field.type eq 'unsigned int') { $!has-fd = True; + } elsif ($field.name eq 'newname' && $field.type eq 'const char *') { + $!has-name = True; } elsif ($field.name eq 'ret' && $field.type eq 'long') { $.has-long-ret = True; } 
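Review bot: The new attribute comment `# Has tracepoint has got oldname and name` is garbled and does not say what sets the flag. In the `add-field` hunk that follows, `has-name` becomes true only when a field named `newname` of type `const char *` is added; `oldname` is never checked. The comment should say that, e.g. `# Tracepoint takes oldname/newname path arguments (set when a 'newname' field of type 'const char *' is added).` The Format class starts and ends outside these hunks.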
@@ -56,11 +60,22 @@ class Format { method generate-probe returns Str { my \is-enter = $!name.split('_')[1] eq 'enter'; - my \is-exit = !is-enter; my \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' !! 'trace_event_raw_sys_exit'; - my \event-struct = is-enter ?? 'fd_event' - !! ($!has-long-ret ?? 'ret_event' !! 'null_event'); + my \event-struct = do if $!has-fd { 'fd_event' } + elsif $!has-long-ret { 'ret_event' } + elsif $!has-name { 'name_event' } + else { 'null_event' }; + my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' } + elsif $!has-long-ret { 'ev->ret = ctx->ret;' } + elsif $!has-name { + q:to/END/.trim-trailing; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + END + } + else { '' }; qq:to/END/; SEC("tracepoint/syscalls/{$!name}") int handle_{$!name.lc}(struct {ctx-struct} *ctx) \{ @@ -77,8 +92,7 @@ class Format { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - {is-enter ?? 'ev->fd = (int)ctx->args[0];' - !! ($!has-long-ret ?? 'ev->ret = ctx->ret;' !! '') } + {extra-data} bpf_ringbuf_submit(ev, 0); return 0; @@ -118,8 +132,7 @@ my Format @formats = gather for SysTraceFormat .parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made # For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open .classify(*.name.split('_').tail).values - # Check whether one of them (enter or exit) has an fd. - .grep(*.grep(*.has-fd).elems > 0) -> @_ { .take for @_ } + .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) }) -> @_ { .take for @_ } @formats .= sort(*.id); diff --git a/internal/c/types.h b/internal/c/types.h index 7a1ff12..57f39f0 100644 --- a/internal/c/types.h +++ b/internal/c/types.h 
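Review bot: The `extra-data` heredoc hard-codes `ctx->args[0]` and `ctx->args[1]` for every `has-name` tracepoint, but the *at variants do not pass their paths in those slots: renameat, renameat2 and linkat take (olddfd, oldname, newdfd, newname, …) and symlinkat takes (oldname, newdfd, newname). For those four the generated handlers cast a directory fd to a user pointer, so the read presumably fails and the event is submitted with empty names, which leaves a blind spot for anyone using these events to follow renames and links. The argument index should be derived from the position of the `oldname`/`newname` fields in the parsed format (recorded in `add-field`, where `has-name` is set) rather than from constants. The return values of `bpf_probe_read_user_str` are also discarded, so a failed or truncated copy cannot be told apart from a real name in the emitted event. `generate-probe` continues outside the hunk.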
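Review bot: The comment that explained this filter was removed together with the old `.grep` line and nothing replaces it, while the new block form is harder to read at a glance. A replacement such as `# Keep a group when its enter or exit tracepoint has an fd or oldname/newname arguments.` above the `.grep` would restore the intent. The groups themselves come from `.classify(*.name.split('_').tail)`, which keys on the last `_`-separated token only, so tracepoints such as `sys_enter_close_range` and `sys_enter_copy_file_range` appear to fall into one group. That would explain why handlers with no `fd` field are still generated and, after this change, emit `null_event`. Keying on the name with its `sys_enter_`/`sys_exit_` prefix removed would pair only the tracepoints of one syscall.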
@@ -11,6 +11,8 @@ #define EXIT_FD_EVENT 6 #define ENTER_RET_EVENT 7 #define EXIT_RET_EVENT 8 +#define ENTER_NAME_EVENT 9 +#define EXIT_NAME_EVENT 10 struct open_enter_event { __u32 event_type; @@ -47,3 +49,13 @@ struct ret_event { __s64 ret; __u32 time; }; + +struct name_event { + __u32 event_type; + __u32 syscall_id; + __u32 pid; + __u32 tid; + __u32 time; + char oldname[MAX_FILENAME_LENGTH]; + char newname[MAX_FILENAME_LENGTH]; +}; diff --git a/internal/generated/tracepoints/tracepoints.go b/internal/generated/tracepoints/tracepoints.go index 8b9a1a6..41c7d60 100644 --- a/internal/generated/tracepoints/tracepoints.go +++ b/internal/generated/tracepoints/tracepoints.go @@ -30,6 +30,20 @@ var List = []string{ "sys_enter_lseek", "sys_exit_newfstat", "sys_enter_newfstat", + "sys_exit_rename", + "sys_enter_rename", + "sys_exit_renameat", + "sys_enter_renameat", + "sys_exit_renameat2", + "sys_enter_renameat2", + "sys_exit_link", + "sys_enter_link", + "sys_exit_linkat", + "sys_enter_linkat", + "sys_exit_symlink", + "sys_enter_symlink", + "sys_exit_symlinkat", + "sys_enter_symlinkat", "sys_exit_fcntl", "sys_enter_fcntl", "sys_exit_ioctl", diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go index bb834e8..30f5936 100644 --- a/internal/generated/types/types.go +++ b/internal/generated/types/types.go 
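Review bot: `struct name_event` carries a layout assumption that is not written down. The generated probes clear both buffers with a single `__builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname))`, which is only correct while `oldname` and `newname` stay adjacent with nothing placed between them. A comment on the members, e.g. `/* oldname and newname must stay adjacent; probes zero both with one memset starting at oldname */`, would guard against a later reordering, and two separate memsets in the generator would remove the dependency altogether. It is also worth stating there that paths longer than `MAX_FILENAME_LENGTH - 1` bytes are truncated by `bpf_probe_read_user_str`. `EXIT_NAME_EVENT`, added in the first types.h hunk, is not used by any handler visible in this diff.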
@@ -69,6 +69,34 @@ func (s SyscallId) String() string { return "exit_newfstat" case SYS_ENTER_NEWFSTAT: return "enter_newfstat" + case SYS_EXIT_RENAME: + return "exit_rename" + case SYS_ENTER_RENAME: + return "enter_rename" + case SYS_EXIT_RENAMEAT: + return "exit_renameat" + case SYS_ENTER_RENAMEAT: + return "enter_renameat" + case SYS_EXIT_RENAMEAT2: + return "exit_renameat2" + case SYS_ENTER_RENAMEAT2: + return "enter_renameat2" + case SYS_EXIT_LINK: + return "exit_link" + case SYS_ENTER_LINK: + return "enter_link" + case SYS_EXIT_LINKAT: + return "exit_linkat" + case SYS_ENTER_LINKAT: + return "enter_linkat" + case SYS_EXIT_SYMLINK: + return "exit_symlink" + case SYS_ENTER_SYMLINK: + return "enter_symlink" + case SYS_EXIT_SYMLINKAT: + return "exit_symlinkat" + case SYS_ENTER_SYMLINKAT: + return "enter_symlinkat" case SYS_EXIT_FCNTL: return "exit_fcntl" case SYS_ENTER_FCNTL: @@ -188,6 +216,34 @@ func (s SyscallId) Name() string { return "newfstat" case SYS_ENTER_NEWFSTAT: return "newfstat" + case SYS_EXIT_RENAME: + return "rename" + case SYS_ENTER_RENAME: + return "rename" + case SYS_EXIT_RENAMEAT: + return "renameat" + case SYS_ENTER_RENAMEAT: + return "renameat" + case SYS_EXIT_RENAMEAT2: + return "renameat2" + case SYS_ENTER_RENAMEAT2: + return "renameat2" + case SYS_EXIT_LINK: + return "link" + case SYS_ENTER_LINK: + return "link" + case SYS_EXIT_LINKAT: + return "linkat" + case SYS_ENTER_LINKAT: + return "linkat" + case SYS_EXIT_SYMLINK: + return "symlink" + case SYS_ENTER_SYMLINK: + return "symlink" + case SYS_EXIT_SYMLINKAT: + return "symlinkat" + case SYS_ENTER_SYMLINKAT: + return "symlinkat" case SYS_EXIT_FCNTL: return "fcntl" case SYS_ENTER_FCNTL: @@ -259,6 +315,8 @@ const ENTER_FD_EVENT = 5 const EXIT_FD_EVENT = 6 const ENTER_RET_EVENT = 7 const EXIT_RET_EVENT = 8 +const ENTER_NAME_EVENT = 9 +const EXIT_NAME_EVENT = 10 type OpenEnterEvent struct { EventType EventType 
@@ -460,6 +518,57 @@ func (r *RetEvent) Recycle() { poolOfRetEvents.Put(r) } +type NameEvent struct { + EventType EventType + SyscallId SyscallId + Pid uint32 + Tid uint32 + Time uint32 + Oldname [MAX_FILENAME_LENGTH]byte + Newname [MAX_FILENAME_LENGTH]byte +} + +func (n NameEvent) String() string { + return fmt.Sprintf("EventType:%v SyscallId:%v Pid:%v Tid:%v Time:%v Oldname:%v Newname:%v", n.EventType, n.SyscallId, n.Pid, n.Tid, n.Time, string(n.Oldname[:]), string(n.Newname[:])) +} + +func (n *NameEvent) GetEventType() EventType { + return n.EventType +} + +func (n *NameEvent) GetSyscallId() SyscallId { + return n.SyscallId +} + +func (n *NameEvent) GetPid() uint32 { + return n.Pid +} + +func (n *NameEvent) GetTid() uint32 { + return n.Tid +} + +func (n *NameEvent) GetTime() uint32 { + return n.Time +} + +var poolOfNameEvents = sync.Pool{ + New: func() interface{} { return &NameEvent{} }, +} + +func NewNameEvent(raw []byte) *NameEvent { + n := poolOfNameEvents.Get().(*NameEvent) + if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, n); err != nil { + fmt.Println(n, raw, len(raw), err) + panic(raw) + } + return n +} + +func (n *NameEvent) Recycle() { + poolOfNameEvents.Put(n) +} + const SYS_EXIT_CACHESTAT SyscallId = 520 const SYS_ENTER_CACHESTAT SyscallId = 521 const SYS_EXIT_CLOSE_RANGE SyscallId = 692 
@@ -488,6 +597,20 @@ const SYS_EXIT_LSEEK SyscallId = 762 const SYS_ENTER_LSEEK SyscallId = 763 const SYS_EXIT_NEWFSTAT SyscallId = 770 const SYS_ENTER_NEWFSTAT SyscallId = 771 +const SYS_EXIT_RENAME SyscallId = 786 +const SYS_ENTER_RENAME SyscallId = 787 +const SYS_EXIT_RENAMEAT SyscallId = 788 +const SYS_ENTER_RENAMEAT SyscallId = 789 +const SYS_EXIT_RENAMEAT2 SyscallId = 790 +const SYS_ENTER_RENAMEAT2 SyscallId = 791 +const SYS_EXIT_LINK SyscallId = 792 +const SYS_ENTER_LINK SyscallId = 793 +const SYS_EXIT_LINKAT SyscallId = 794 +const SYS_ENTER_LINKAT SyscallId = 795 +const SYS_EXIT_SYMLINK SyscallId = 796 +const SYS_ENTER_SYMLINK SyscallId = 797 +const SYS_EXIT_SYMLINKAT SyscallId = 798 +const SYS_ENTER_SYMLINKAT SyscallId = 799 const SYS_EXIT_FCNTL SyscallId = 814 const SYS_ENTER_FCNTL SyscallId = 815 const SYS_EXIT_IOCTL SyscallId = 816 |
