diff options
| author | Paul Buetow <paul@buetow.org> | 2026-05-21 11:39:18 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-21 11:39:18 +0300 |
| commit | c58aa139f5e7252aefb1bcacb5fa8b9ea8cdcdef (patch) | |
| tree | 09ae5323e06a3a0b5ade451f1b8e4b9efccb4561 | |
| parent | a0d6f222864301c11afd9c1d3306e6bfe8446d5d (diff) | |
n7 classify pidfd and misc tail syscalls
| -rw-r--r-- | integrationtests/attach_tracepoints_test.go | 21 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints.c | 51 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 12 | ||||
| -rw-r--r-- | internal/eventloop_exit.go | 2 | ||||
| -rw-r--r-- | internal/eventloop_ipc_test.go | 1 | ||||
| -rw-r--r-- | internal/generate/bpfhandler.go | 6 | ||||
| -rw-r--r-- | internal/generate/classify.go | 26 | ||||
| -rw-r--r-- | internal/generate/classify_test.go | 44 | ||||
| -rw-r--r-- | internal/generate/codegen_test.go | 4 | ||||
| -rw-r--r-- | internal/generate/kindregistry.go | 1 | ||||
| -rw-r--r-- | internal/generate/retclassify_test.go | 2 | ||||
| -rw-r--r-- | internal/generate/tracepointsgo.go | 7 | ||||
| -rw-r--r-- | internal/generate/tracepointsgo_test.go | 2 | ||||
| -rw-r--r-- | internal/tracepoints/dimension_selector_test.go | 15 | ||||
| -rw-r--r-- | internal/tracepoints/generated_tracepoints.go | 122 |
15 files changed, 227 insertions, 89 deletions
diff --git a/integrationtests/attach_tracepoints_test.go b/integrationtests/attach_tracepoints_test.go index 2dcb28d..7121422 100644 --- a/integrationtests/attach_tracepoints_test.go +++ b/integrationtests/attach_tracepoints_test.go @@ -100,3 +100,24 @@ func TestAttachTraceSyscallsWithExclusion(t *testing.T) { {Tracepoint: "enter_openat", Comm: "ioworkload"}, }) } + +func TestAttachTraceKindsPidfdOnly(t *testing.T) { + enableParallelIfRequested(t) + h := newTestHarness(t) + + result, pid, err := h.RunWithIorArgs("pidfd-getfd-success", defaultDuration, []string{ + "-trace-kinds", "pidfd", + }) + if err != nil { + t.Fatalf("run scenario pidfd-getfd-success with trace-kinds=pidfd: %v", err) + } + + AssertNoUnexpectedPID(t, result, pid) + AssertNoUnexpectedComm(t, result, "ioworkload") + AssertEventsPresent(t, result, []ExpectedEvent{ + {Tracepoint: "enter_pidfd_open", Comm: "ioworkload", MinCount: 1}, + }) + AssertEventsAbsent(t, result, []ExpectedEvent{ + {Tracepoint: "enter_pidfd_getfd", Comm: "ioworkload"}, + }) +} diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index bbacb84..b2fff2e 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -1716,7 +1716,7 @@ int handle_sys_enter_getrandom(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_getrandom is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_getrandom is a struct ret_event (READ_CLASSIFIED) (kind=ret) SEC("tracepoint/syscalls/sys_exit_getrandom") int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx) { __u32 pid, tid; @@ -1736,7 +1736,7 @@ int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; @@ -13295,7 +13295,7 @@ int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_kexec_file_load is a struct null_event (kind=null) +/// sys_enter_kexec_file_load is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_kexec_file_load") int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -13305,15 +13305,16 @@ int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_FILE_LOAD)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_KEXEC_FILE_LOAD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -14715,7 +14716,7 @@ int handle_sys_exit_adjtimex(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_kcmp is a struct null_event (kind=null) +/// sys_enter_kcmp is a struct two_fd_event (kind=two-fd) SEC("tracepoint/syscalls/sys_enter_kcmp") int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -14725,15 +14726,18 @@ int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_KCMP)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct two_fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct two_fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_TWO_FD_EVENT; ev->trace_id = SYS_ENTER_KCMP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd_a = (__s32)ctx->args[3]; + ev->fd_b = (__s32)ctx->args[4]; + ev->extra = (__u64)ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; @@ -15867,7 +15871,7 @@ int handle_sys_exit_setns(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_pidfd_open is a struct null_event (kind=null) +/// sys_enter_pidfd_open is a struct eventfd_event (kind=pidfd) SEC("tracepoint/syscalls/sys_enter_pidfd_open") int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -15877,21 +15881,25 @@ int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_OPEN)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_PIDFD_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[0]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_pidfd_open is a struct eventfd_event (kind=pidfd) SEC("tracepoint/syscalls/sys_exit_pidfd_open") int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) { __u32 pid, tid; @@ -15901,17 +15909,23 @@ int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_OPEN, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_PIDFD_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; @@ -18018,7 +18032,7 @@ int handle_sys_exit_kill(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_pidfd_send_signal is a struct null_event (kind=null) +/// sys_enter_pidfd_send_signal is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_pidfd_send_signal") int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -18028,15 +18042,16 @@ int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_SEND_SIGNAL)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_PIDFD_SEND_SIGNAL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 79fbdf8..bca5fcf 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -129,8 +129,8 @@ sys_enter_ioperm is a struct null_event (kind=null) sys_enter_iopl is a struct null_event (kind=null) sys_enter_ioprio_get is a struct null_event (kind=null) sys_enter_ioprio_set is a struct null_event (kind=null) -sys_enter_kcmp is a struct null_event (kind=null) -sys_enter_kexec_file_load is a struct null_event (kind=null) +sys_enter_kcmp is a struct two_fd_event (kind=two-fd) +sys_enter_kexec_file_load is a struct fd_event (kind=fd) sys_enter_kexec_load is a struct null_event (kind=null) sys_enter_keyctl is a struct keyctl_event (kind=keyctl) sys_enter_kill is a struct null_event (kind=null) @@ -208,8 +208,8 @@ sys_enter_pause is a struct null_event (kind=null) sys_enter_perf_event_open is a struct perf_open_event (kind=perf-open) sys_enter_personality is a struct null_event (kind=null) sys_enter_pidfd_getfd is a struct fd_event (kind=fd) -sys_enter_pidfd_open is a struct null_event (kind=null) -sys_enter_pidfd_send_signal is a struct null_event (kind=null) +sys_enter_pidfd_open is a struct eventfd_event (kind=pidfd) +sys_enter_pidfd_send_signal is a struct fd_event (kind=fd) sys_enter_pipe is a struct pipe_event (kind=pipe) sys_enter_pipe2 is a struct pipe_event (kind=pipe) sys_enter_pivot_root is a struct path_event (kind=pathname) @@ -464,7 +464,7 @@ sys_exit_getpgrp is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getpid is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getppid is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getpriority is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_getrandom is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_getrandom is a struct ret_event (READ_CLASSIFIED) (kind=ret) sys_exit_getresgid is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getresuid is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_getrlimit is a struct ret_event (UNCLASSIFIED) (kind=ret) @@ -575,7 +575,7 @@ sys_exit_pause is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_perf_event_open is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_personality is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_pidfd_open is a struct eventfd_event (kind=pidfd) sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_pipe is a struct pipe_event (kind=pipe) sys_exit_pipe2 is a struct pipe_event (kind=pipe) diff --git a/internal/eventloop_exit.go b/internal/eventloop_exit.go index d00fe04..df2e557 100644 --- a/internal/eventloop_exit.go +++ b/internal/eventloop_exit.go @@ -518,6 +518,8 @@ func eventfdDescriptorName(traceID types.TraceId, flags int32) string { return fmt.Sprintf("signalfd:%d", flags) case types.SYS_ENTER_TIMERFD_CREATE: return fmt.Sprintf("timerfd:%d", flags) + case types.SYS_ENTER_PIDFD_OPEN: + return fmt.Sprintf("pidfd:%d", flags) default: return fmt.Sprintf("eventfd:%d", flags) } diff --git a/internal/eventloop_ipc_test.go b/internal/eventloop_ipc_test.go index fc598a2..6eaf8f3 100644 --- a/internal/eventloop_ipc_test.go +++ b/internal/eventloop_ipc_test.go @@ -116,6 +116,7 @@ func TestEventfdDescriptorNameByTraceID(t *testing.T) { {name: "userfaultfd", traceID: types.SYS_ENTER_USERFAULTFD, flags: 4, want: "userfaultfd:4"}, {name: "signalfd", traceID: types.SYS_ENTER_SIGNALFD4, flags: 5, want: "signalfd:5"}, {name: "timerfd_create", traceID: types.SYS_ENTER_TIMERFD_CREATE, flags: 6, want: "timerfd:6"}, + {name: "pidfd_open", traceID: types.SYS_ENTER_PIDFD_OPEN, flags: 7, want: "pidfd:7"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/internal/generate/bpfhandler.go b/internal/generate/bpfhandler.go index ee56f17..85377f1 100644 --- a/internal/generate/bpfhandler.go +++ b/internal/generate/bpfhandler.go @@ -91,6 +91,8 @@ func generateExtra(tp GeneratedTracepoint, isEnter bool) string { return generateExtraPipe(f, isEnter) case KindEventfd: return generateExtraEventfd(f, isEnter) + case KindPidfd: + return generateExtraEventfd(f, isEnter) case KindEpollCtl: return generateExtraEpollCtl() case KindTwoFd: @@ -272,6 +274,8 @@ func generateExtraEventfd(f *Format, isEnter bool) string { flagsExpr = "(__s32)ctx->args[3]" case "sys_enter_timerfd_create": flagsExpr = "(__s32)ctx->args[1]" + case "sys_enter_pidfd_open": + flagsExpr = "(__s32)ctx->args[0]" case "sys_enter_fsmount": flagsExpr = "(__s32)ctx->args[1]" case "sys_enter_fsopen": @@ -290,6 +294,8 @@ func generateExtraTwoFd(name string) string { switch name { case "sys_enter_move_mount": return " ev->fd_a = (__s32)ctx->args[0];\n ev->fd_b = (__s32)ctx->args[2];\n ev->extra = (__u64)ctx->args[4];\n" + case "sys_enter_kcmp": + return " ev->fd_a = (__s32)ctx->args[3];\n ev->fd_b = (__s32)ctx->args[4];\n ev->extra = (__u64)ctx->args[2];\n" default: return " ev->fd_a = (__s32)ctx->args[0];\n ev->fd_b = (__s32)ctx->args[1];\n ev->extra = (__u64)ctx->args[2];\n" } diff --git a/internal/generate/classify.go b/internal/generate/classify.go index ad9d694..69ada90 100644 --- a/internal/generate/classify.go +++ b/internal/generate/classify.go @@ -22,6 +22,7 @@ const ( KindAccept KindPipe KindEventfd + KindPidfd KindEpollCtl KindTwoFd KindPoll @@ -66,6 +67,8 @@ func (k TracepointKind) MetadataName() string { return "pipe" case KindEventfd: return "eventfd" + case KindPidfd: + return "pidfd" case KindEpollCtl: return "epoll-ctl" case KindTwoFd: @@ -203,6 +206,10 @@ func classifyNameOnly(name string) (ClassificationResult, bool) { return ClassificationResult{Kind: KindEventfd}, true case "sys_exit_timerfd_create": return ClassificationResult{Kind: KindEventfd}, true + case "sys_enter_pidfd_open": + return ClassificationResult{Kind: KindPidfd}, true + case "sys_exit_pidfd_open": + return ClassificationResult{Kind: KindPidfd}, true case "sys_enter_bind": return ClassificationResult{Kind: KindFd}, true case "sys_enter_connect": @@ -265,6 +272,12 @@ func classifyNameOnly(name string) (ClassificationResult, bool) { return ClassificationResult{Kind: KindPtrace}, true case "sys_enter_perf_event_open": return ClassificationResult{Kind: KindPerfOpen}, true + case "sys_enter_pidfd_send_signal": + return ClassificationResult{Kind: KindFd}, true + case "sys_enter_kexec_file_load": + return ClassificationResult{Kind: KindFd}, true + case "sys_enter_kcmp": + return ClassificationResult{Kind: KindTwoFd}, true case "sys_enter_mq_timedsend": return ClassificationResult{Kind: KindFd}, true case "sys_enter_mq_timedreceive": @@ -281,6 +294,18 @@ func classifyNameOnly(name string) (ClassificationResult, bool) { return ClassificationResult{Kind: KindNull}, true case "sys_enter_exit_group": return ClassificationResult{Kind: KindNull}, true + case "sys_enter_membarrier": + return ClassificationResult{Kind: KindNull}, true + case "sys_enter_rseq": + return ClassificationResult{Kind: KindNull}, true + case "sys_enter_set_robust_list": + return ClassificationResult{Kind: KindNull}, true + case "sys_enter_get_robust_list": + return ClassificationResult{Kind: KindNull}, true + case "sys_enter_mmap2": + return ClassificationResult{Kind: KindNull}, true + case "sys_enter_kexec_load": + return ClassificationResult{Kind: KindNull}, true } if strings.HasPrefix(name, "sys_enter_io_") { return ClassificationResult{Kind: KindNull}, true @@ -409,6 +434,7 @@ var retClassifications = map[string]RetClassification{ "readv": ReadClassified, "recvmsg": ReadClassified, "recvfrom": ReadClassified, + "getrandom": ReadClassified, "syslog": ReadClassified, "mq_timedreceive": ReadClassified, diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go index 79e6240..4b156ff 100644 --- a/internal/generate/classify_test.go +++ b/internal/generate/classify_test.go @@ -620,6 +620,40 @@ func TestClassifyMqFdSyscallsByName(t *testing.T) { } } +func TestClassifyN7NameOnlyKinds(t *testing.T) { + tests := []struct { + name string + want TracepointKind + }{ + {"sys_enter_pidfd_open", KindPidfd}, + {"sys_exit_pidfd_open", KindPidfd}, + {"sys_enter_pidfd_send_signal", KindFd}, + {"sys_enter_kexec_file_load", KindFd}, + {"sys_enter_kcmp", KindTwoFd}, + {"sys_enter_membarrier", KindNull}, + {"sys_enter_rseq", KindNull}, + {"sys_enter_set_robust_list", KindNull}, + {"sys_enter_get_robust_list", KindNull}, + {"sys_enter_mmap2", KindNull}, + {"sys_enter_kexec_load", KindNull}, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := ClassifyFormat(&Format{ + Name: tt.name, + ExternalFields: []Field{ + {Type: "long", Name: "__syscall_nr"}, + {Type: "long", Name: "arg0"}, + }, + }) + if r.Kind != tt.want { + t.Fatalf("%s: got kind %d, want %d", tt.name, r.Kind, tt.want) + } + }) + } +} + func TestClassifyMount(t *testing.T) { r := classifyFromData(t, FormatMount) if r.Kind != KindPathname { @@ -785,6 +819,8 @@ func TestClassifySyscallPairAccepted(t *testing.T) { {"pipe2", FormatPipe2, FormatExitPipe2, KindPipe}, {"eventfd", FormatEventfd, FormatExitEventfd, KindEventfd}, {"eventfd2", FormatEventfd2, FormatExitEventfd2, KindEventfd}, + {"pidfd_open", syntheticEnter("pidfd_open", 9320), syntheticExit("pidfd_open", 9319), KindPidfd}, + {"pidfd_send_signal", syntheticEnter("pidfd_send_signal", 9322), syntheticExit("pidfd_send_signal", 9321), KindFd}, {"epoll_ctl", FormatEpollCtl, FormatExitEpollCtl, KindEpollCtl}, {"epoll_wait", FormatEpollWait, FormatExitEpollWait, KindFd}, {"epoll_pwait", FormatEpollPwait, FormatExitEpollPwait, KindFd}, @@ -805,6 +841,14 @@ func TestClassifySyscallPairAccepted(t *testing.T) { {"mount", FormatMount, FormatExitMount, KindPathname}, {"umount", FormatUmount, FormatExitUmount, KindPathname}, {"move_mount", FormatMoveMount, FormatExitMoveMount, KindTwoFd}, + {"kcmp", syntheticEnter("kcmp", 9324), syntheticExit("kcmp", 9323), KindTwoFd}, + {"kexec_file_load", syntheticEnter("kexec_file_load", 9326), syntheticExit("kexec_file_load", 9325), KindFd}, + {"membarrier", syntheticEnter("membarrier", 9328), syntheticExit("membarrier", 9327), KindNull}, + {"rseq", syntheticEnter("rseq", 9330), syntheticExit("rseq", 9329), KindNull}, + {"set_robust_list", syntheticEnter("set_robust_list", 9332), syntheticExit("set_robust_list", 9331), KindNull}, + {"get_robust_list", syntheticEnter("get_robust_list", 9334), syntheticExit("get_robust_list", 9333), KindNull}, + {"mmap2", syntheticEnter("mmap2", 9336), syntheticExit("mmap2", 9335), KindNull}, + {"kexec_load", syntheticEnter("kexec_load", 9338), syntheticExit("kexec_load", 9337), KindNull}, {"fsmount", FormatFsmount, FormatExitFsmount, KindEventfd}, {"pivot_root", FormatPivotRoot, FormatExitPivotRoot, KindPathname}, {"quotactl", FormatQuotactl, FormatExitQuotactl, KindPathname}, diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go index c653ad0..83d316f 100644 --- a/internal/generate/codegen_test.go +++ b/internal/generate/codegen_test.go @@ -550,6 +550,7 @@ func TestGenerateAllEventTypes(t *testing.T) { {KindAccept, "ENTER_ACCEPT_EVENT", "EXIT_ACCEPT_EVENT"}, {KindPipe, "ENTER_PIPE_EVENT", "EXIT_PIPE_EVENT"}, {KindEventfd, "ENTER_EVENTFD_EVENT", "EXIT_EVENTFD_EVENT"}, + {KindPidfd, "ENTER_EVENTFD_EVENT", "EXIT_EVENTFD_EVENT"}, {KindEpollCtl, "ENTER_EPOLL_CTL_EVENT", "EXIT_EPOLL_CTL_EVENT"}, {KindTwoFd, "ENTER_TWO_FD_EVENT", "EXIT_TWO_FD_EVENT"}, {KindPoll, "ENTER_POLL_EVENT", "EXIT_POLL_EVENT"}, @@ -591,6 +592,7 @@ func TestEventStructNames(t *testing.T) { {KindAccept, "accept_event"}, {KindPipe, "pipe_event"}, {KindEventfd, "eventfd_event"}, + {KindPidfd, "eventfd_event"}, {KindEpollCtl, "epoll_ctl_event"}, {KindTwoFd, "two_fd_event"}, {KindPoll, "poll_event"}, @@ -617,7 +619,7 @@ func TestEnterReject(t *testing.T) { t.Error("KindNone should be enter-rejected") } - accepted := []TracepointKind{KindFd, KindOpen, KindMqOpen, KindExec, KindPathname, KindName, KindFcntl, KindNull, KindDup3, KindOpenByHandleAt, KindSocket, KindSocketpair, KindAccept, KindPipe, KindEventfd, KindEpollCtl, KindTwoFd, KindPoll, KindMem, KindSleep, KindKeyctl, KindPtrace, KindPerfOpen} + accepted := []TracepointKind{KindFd, KindOpen, KindMqOpen, KindExec, KindPathname, KindName, KindFcntl, KindNull, KindDup3, KindOpenByHandleAt, KindSocket, KindSocketpair, KindAccept, KindPipe, KindEventfd, KindPidfd, KindEpollCtl, KindTwoFd, KindPoll, KindMem, KindSleep, KindKeyctl, KindPtrace, KindPerfOpen} for _, k := range accepted { if isEnterRejected(k) { t.Errorf("kind %d should NOT be enter-rejected", k) diff --git a/internal/generate/kindregistry.go b/internal/generate/kindregistry.go index a5f5795..9387e19 100644 --- a/internal/generate/kindregistry.go +++ b/internal/generate/kindregistry.go @@ -32,6 +32,7 @@ var kindRegistry = map[TracepointKind]kindMeta{ KindAccept: {structName: "accept_event", enterAccepted: true}, KindPipe: {structName: "pipe_event", enterAccepted: true}, KindEventfd: {structName: "eventfd_event", enterAccepted: true}, + KindPidfd: {structName: "eventfd_event", enterAccepted: true}, KindEpollCtl: {structName: "epoll_ctl_event", enterAccepted: true}, KindTwoFd: {structName: "two_fd_event", enterAccepted: true}, KindPoll: {structName: "poll_event", enterAccepted: true}, diff --git a/internal/generate/retclassify_test.go b/internal/generate/retclassify_test.go index f837957..4e9655b 100644 --- a/internal/generate/retclassify_test.go +++ b/internal/generate/retclassify_test.go @@ -7,7 +7,7 @@ func TestClassifyRetRead(t *testing.T) { "fgetxattr", "flistxattr", "getdents", "getdents64", "getxattr", "lgetxattr", "listxattr", "llistxattr", "pread64", "preadv", "preadv2", "process_vm_readv", "read", "readlink", "readlinkat", - "readv", "recvmsg", "recvfrom", "syslog", "mq_timedreceive", + "readv", "recvmsg", "recvfrom", "syslog", "mq_timedreceive", "getrandom", } for _, name := range reads { if got := ClassifyRet("sys_exit_" + name); got != ReadClassified { diff --git a/internal/generate/tracepointsgo.go b/internal/generate/tracepointsgo.go index 47c2e8f..bc44b2f 100644 --- a/internal/generate/tracepointsgo.go +++ b/internal/generate/tracepointsgo.go @@ -10,7 +10,7 @@ import ( ) var secRe = regexp.MustCompile(`^SEC.*sys_((?:enter|exit)_[a-z_0-9]+)`) -var kindLineRe = regexp.MustCompile(`^(sys_enter_[a-z0-9_]+)\s+is a struct\s+([a-z0-9_]+)(?:\s+.*)?$`) +var kindLineRe = regexp.MustCompile(`^(sys_enter_[a-z0-9_]+)\s+is a struct\s+([a-z0-9_]+)(?:.*\(kind=([a-z0-9-]+)\))?\s*$`) // ExtractTracepoints reads generated C code and extracts tracepoint names from // SEC annotations, producing the generated_tracepoints.go content. @@ -66,7 +66,10 @@ func extractSyscallKinds(r io.Reader) (map[string]string, error) { continue } syscall := strings.TrimPrefix(m[1], "sys_enter_") - kind := normalizeStructKind(m[2]) + kind := strings.TrimSpace(m[3]) + if kind == "" { + kind = normalizeStructKind(m[2]) + } if kind == "" { continue } diff --git a/internal/generate/tracepointsgo_test.go b/internal/generate/tracepointsgo_test.go index ebad63d..ee15b81 100644 --- a/internal/generate/tracepointsgo_test.go +++ b/internal/generate/tracepointsgo_test.go @@ -131,6 +131,7 @@ func TestExtractTracepointsWithKinds(t *testing.T) { sys_enter_open_by_handle_at is a struct open_by_handle_at_event sys_enter_mq_open is a struct mq_open_event sys_enter_epoll_ctl is a struct epoll_ctl_event +sys_enter_pidfd_open is a struct eventfd_event (kind=pidfd) ` output, err := ExtractTracepointsWithKinds(strings.NewReader(sampleGeneratedC), strings.NewReader(kindData)) if err != nil { @@ -140,4 +141,5 @@ sys_enter_epoll_ctl is a struct epoll_ctl_event requireContains(t, output, `"open_by_handle_at": "open-by-handle-at",`) requireContains(t, output, `"mq_open": "mq-open",`) requireContains(t, output, `"epoll_ctl": "epoll-ctl",`) + requireContains(t, output, `"pidfd_open": "pidfd",`) } diff --git a/internal/tracepoints/dimension_selector_test.go b/internal/tracepoints/dimension_selector_test.go index cd7b0f8..da88954 100644 --- a/internal/tracepoints/dimension_selector_test.go +++ b/internal/tracepoints/dimension_selector_test.go @@ -48,6 +48,21 @@ func TestParseSelectorWithDimensionsKindOnly(t *testing.T) { } } +func TestParseSelectorWithDimensionsPidfdKindOnly(t *testing.T) { + sel, err := ParseSelectorWithDimensions("", "", DimensionSelectorConfig{ + TraceKinds: "pidfd", + }) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if !sel.ShouldAttach("sys_enter_pidfd_open") { + t.Fatal("expected pidfd_open to be attached for pidfd kind") + } + if sel.ShouldAttach("sys_enter_openat") { + t.Fatal("expected openat to be excluded when only pidfd kind is enabled") + } +} + func TestParseSelectorWithDimensionsSyscallOnly(t *testing.T) { sel, err := ParseSelectorWithDimensions("", "", DimensionSelectorConfig{ TraceSyscalls: "openat", diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go index b9da5ca..060a779 100644 --- a/internal/tracepoints/generated_tracepoints.go +++ b/internal/tracepoints/generated_tracepoints.go @@ -1111,7 +1111,7 @@ var syscallFamilies = map[string]string{ var syscallKinds = map[string]string{ "accept": "accept", "accept4": "accept", - "access": "path", + "access": "pathname", "acct": "null", "add_key": "keyctl", "adjtimex": "null", @@ -1123,10 +1123,10 @@ var syscallKinds = map[string]string{ "cachestat": "fd", "capget": "null", "capset": "null", - "chdir": "path", - "chmod": "path", - "chown": "path", - "chroot": "path", + "chdir": "pathname", + "chmod": "pathname", + "chown": "pathname", + "chroot": "pathname", "clock_adjtime": "null", "clock_getres": "null", "clock_gettime": "null", @@ -1138,7 +1138,7 @@ var syscallKinds = map[string]string{ "close_range": "fd", "connect": "fd", "copy_file_range": "fd", - "creat": "path", + "creat": "pathname", "delete_module": "null", "dup": "fd", "dup2": "fd", @@ -1155,23 +1155,23 @@ var syscallKinds = map[string]string{ "execveat": "exec", "exit": "null", "exit_group": "null", - "faccessat": "path", - "faccessat2": "path", + "faccessat": "pathname", + "faccessat2": "pathname", "fadvise64": "fd", "fallocate": "fd", "fanotify_init": "null", - "fanotify_mark": "path", + "fanotify_mark": "pathname", "fchdir": "fd", "fchmod": "fd", - "fchmodat": "path", - "fchmodat2": "path", + "fchmodat": "pathname", + "fchmodat2": "pathname", "fchown": "fd", - "fchownat": "path", + "fchownat": "pathname", "fcntl": "fcntl", "fdatasync": "fd", "fgetxattr": "fd", - "file_getattr": "path", - "file_setattr": "path", + "file_getattr": "pathname", + "file_setattr": "pathname", "finit_module": "fd", "flistxattr": "fd", "flock": "fd", @@ -1181,7 +1181,7 @@ var syscallKinds = map[string]string{ "fsetxattr": "fd", "fsmount": "eventfd", "fsopen": "null", - "fspick": "path", + "fspick": "pathname", "fstatfs": "fd", "fsync": "fd", "ftruncate": "fd", @@ -1190,7 +1190,7 @@ var syscallKinds = map[string]string{ "futex_wait": "null", "futex_waitv": "null", "futex_wake": "null", - "futimesat": "path", + "futimesat": "pathname", "get_mempolicy": "null", "get_robust_list": "null", "getcpu": "null", @@ -1219,8 +1219,8 @@ var syscallKinds = map[string]string{ "gettid": "null", "gettimeofday": "null", "getuid": "null", - "getxattr": "path", - "getxattrat": "path", + "getxattr": "pathname", + "getxattrat": "pathname", "init_module": "null", "inotify_add_watch": "fd", "inotify_init": "null", @@ -1240,27 +1240,27 @@ var syscallKinds = map[string]string{ "iopl": "null", "ioprio_get": "null", "ioprio_set": "null", - "kcmp": "null", - "kexec_file_load": "null", + "kcmp": "two-fd", + "kexec_file_load": "fd", "kexec_load": "null", "keyctl": "keyctl", "kill": "null", "landlock_add_rule": "null", "landlock_create_ruleset": "null", "landlock_restrict_self": "null", - "lchown": "path", - "lgetxattr": "path", + "lchown": "pathname", + "lgetxattr": "pathname", "link": "name", "linkat": "name", "listen": "fd", "listmount": "null", "listns": "null", - "listxattr": "path", - "listxattrat": "path", - "llistxattr": "path", - "lremovexattr": "path", + "listxattr": "pathname", + "listxattrat": "pathname", + "llistxattr": "pathname", + "lremovexattr": "pathname", "lseek": "fd", - "lsetxattr": "path", + "lsetxattr": "pathname", "lsm_get_self_attr": "null", "lsm_list_modules": "null", "lsm_set_self_attr": "null", @@ -1272,26 +1272,26 @@ var syscallKinds = map[string]string{ "memfd_secret": "eventfd", "migrate_pages": "null", "mincore": "null", - "mkdir": "path", - "mkdirat": "path", - "mknod": "path", - "mknodat": "path", + "mkdir": "pathname", + "mkdirat": "pathname", + "mknod": "pathname", + "mknodat": "pathname", "mlock": "null", "mlock2": "null", "mlockall": "null", "mmap": "fd", "modify_ldt": "null", - "mount": "path", - "mount_setattr": "path", + "mount": "pathname", + "mount_setattr": "pathname", "move_mount": "two-fd", "move_pages": "null", "mprotect": "null", "mq_getsetattr": "fd", "mq_notify": "fd", - "mq_open": "open", + "mq_open": "mq-open", "mq_timedreceive": "fd", "mq_timedsend": "fd", - "mq_unlink": "path", + "mq_unlink": "pathname", "mremap": "mem", "mseal": "null", "msgctl": "null", @@ -1302,12 +1302,12 @@ var syscallKinds = map[string]string{ "munlock": "null", "munlockall": "null", "munmap": "mem", - "name_to_handle_at": "path", + "name_to_handle_at": "pathname", "nanosleep": "sleep", "newfstat": "fd", - "newfstatat": "path", - "newlstat": "path", - "newstat": "path", + "newfstatat": "pathname", + "newlstat": "pathname", + "newstat": "pathname", "newuname": "null", "open": "open", "open_by_handle_at": "open-by-handle-at", @@ -1319,11 +1319,11 @@ var syscallKinds = map[string]string{ "perf_event_open": "perf-open", "personality": "null", "pidfd_getfd": "fd", - "pidfd_open": "null", - "pidfd_send_signal": "null", + "pidfd_open": "pidfd", + "pidfd_send_signal": "fd", "pipe": "pipe", "pipe2": "pipe", - "pivot_root": "path", + "pivot_root": "pathname", "pkey_alloc": "null", "pkey_free": "null", "pkey_mprotect": "null", @@ -1343,26 +1343,26 @@ var syscallKinds = map[string]string{ "pwrite64": "fd", "pwritev": "fd", "pwritev2": "fd", - "quotactl": "path", + "quotactl": "pathname", "quotactl_fd": "fd", "read": "fd", "readahead": "fd", - "readlink": "path", - "readlinkat": "path", + "readlink": "pathname", + "readlinkat": "pathname", "readv": "fd", "reboot": "null", "recvfrom": "fd", "recvmmsg": "fd", "recvmsg": "fd", "remap_file_pages": "null", - "removexattr": "path", - "removexattrat": "path", + "removexattr": "pathname", + "removexattrat": "pathname", "rename": "name", "renameat": "name", "renameat2": "name", "request_key": "keyctl", "restart_syscall": "null", - "rmdir": "path", + "rmdir": "pathname", "rseq": "null", "rt_sigaction": "null", "rt_sigpending": "null", @@ -1417,8 +1417,8 @@ var syscallKinds = map[string]string{ "setsockopt": "fd", "settimeofday": "null", "setuid": "null", - "setxattr": "path", - "setxattrat": "path", + "setxattr": "pathname", + "setxattrat": "pathname", "shmat": "null", "shmctl": "null", "shmdt": "null", @@ -1430,11 +1430,11 @@ var syscallKinds = map[string]string{ "socket": "socket", "socketpair": "socketpair", "splice": "null", - "statfs": "path", + "statfs": "pathname", "statmount": "null", - "statx": "path", - "swapoff": "path", - "swapon": "path", + "statx": "pathname", + "swapoff": "pathname", + "swapon": "pathname", "symlink": "name", "symlinkat": "name", "sync": "null", @@ -1456,19 +1456,19 @@ var syscallKinds = map[string]string{ "timerfd_settime": "null", "times": "null", "tkill": "null", - "truncate": "path", + "truncate": "pathname", "umask": "null", - "umount": "path", - "unlink": "path", - "unlinkat": "path", + "umount": "pathname", + "unlink": "pathname", + "unlinkat": "pathname", "unshare": "null", "uprobe": "null", "uretprobe": "null", "userfaultfd": "eventfd", "ustat": "null", - "utime": "path", - "utimensat": "path", - "utimes": "path", + "utime": "pathname", + "utimensat": "pathname", + "utimes": "pathname", "vfork": "null", "vhangup": "null", "vmsplice": "fd", |