authorPaul Buetow <paul@buetow.org>2025-07-14 00:12:30 +0300
committerPaul Buetow <paul@buetow.org>2025-07-14 00:12:30 +0300
commit4c367424d81722b0473cc65fd58fac3136ce13d3 (patch)
tree588d4038d4cdb58a6913ac5595dfe7fe8e4e3edc
parent5356927b4a0f9772d84e707a2f5e1c507902085f (diff)
more on classification
-rw-r--r--internal/c/Makefile4
-rw-r--r--internal/c/generate_tracepoints_c.raku409
-rw-r--r--internal/c/generated_tracepoints.c5651
-rw-r--r--internal/c/types.h3
4 files changed, 5459 insertions, 608 deletions
diff --git a/internal/c/Makefile b/internal/c/Makefile
index 9503cea..d676368 100644
--- a/internal/c/Makefile
+++ b/internal/c/Makefile
@@ -31,7 +31,9 @@ generate_tracepoints:
grep '^/// ' ./generated_tracepoints.c | sort | sed 's|/// ||' > ./generated_tracepoints_result.txt.new
diff -u ./generated_tracepoints_result.txt ./generated_tracepoints_result.txt.new
cp ./generated_tracepoints_result.txt.new ./generated_tracepoints_result.txt
-
+
+# TODO: Document what to do, when a syscall is missing. E.g. we also need to add the new syscall maybe
+# to the classifier in generate_tracepoints_c.raku!
.PHONY: generate_tracepoints_force
generate_tracepoints_force:
sudo sh -c 'sudo find /sys/kernel/tracing/events/syscalls -maxdepth 2 -mindepth 2 -name format' \
diff --git a/internal/c/generate_tracepoints_c.raku b/internal/c/generate_tracepoints_c.raku
index 11c4e0f..02e7532 100644
--- a/internal/c/generate_tracepoints_c.raku
+++ b/internal/c/generate_tracepoints_c.raku
@@ -135,381 +135,40 @@ class PathnameTracepoint does TracepointTemplate {
}
role TracepointClassification {
- has %!map =
- accept => 'noio',
- accept4 => 'noio',
- access => 'noio',
- acct => 'noio',
- add_key => 'noio',
- adjtimex => 'noio',
- alarm => 'noio',
- arch_prctl => 'noio',
- bind => 'noio',
- bpf => 'noio',
- brk => 'noio',
- cachestat => 'noio',
- capget => 'noio',
- capset => 'noio',
- chdir => 'noio',
- chmod => 'noio',
- chown => 'noio',
- chroot => 'noio',
- clock_adjtime => 'noio',
- clock_getres => 'noio',
- clock_gettime => 'noio',
- clock_nanosleep => 'noio',
- clock_settime => 'noio',
- clone => 'noio',
- clone3 => 'noio',
- close => 'noio',
- close_range => 'noio',
- connect => 'noio',
- copy_file_range => 'transfer',
- creat => 'noio',
- delete_module => 'noio',
- dup => 'noio',
- dup2 => 'noio',
- dup3 => 'noio',
- epoll_create => 'noio',
- epoll_create1 => 'noio',
- epoll_ctl => 'noio',
- epoll_pwait => 'noio',
- epoll_pwait2 => 'noio',
- epoll_wait => 'noio',
- eventfd => 'noio',
- eventfd2 => 'noio',
- execve => 'noio',
- execveat => 'noio',
- exit => 'noio',
- exit_group => 'noio',
- faccessat => 'noio',
- faccessat2 => 'noio',
- fadvise64 => 'noio',
- fallocate => 'noio',
- fanotify_init => 'noio',
- fanotify_mark => 'noio',
- fchdir => 'noio',
- fchmod => 'noio',
- fchmodat => 'noio',
- fchmodat2 => 'noio',
- fchown => 'noio',
- fchownat => 'noio',
- fcntl => 'noio',
- fdatasync => 'noio',
- fgetxattr => 'noio',
- finit_module => 'noio',
- flistxattr => 'noio',
- flock => 'noio',
- fork => 'noio',
- fremovexattr => 'noio',
- fsconfig => 'noio',
- fsetxattr => 'noio',
- fsmount => 'noio',
- fsopen => 'noio',
- fspick => 'noio',
- fstatfs => 'noio',
- fsync => 'noio',
- ftruncate => 'noio',
- futex => 'noio',
- futex_requeue => 'noio',
- futex_wait => 'noio',
- futex_waitv => 'noio',
- futex_wake => 'noio',
- futimesat => 'noio',
- get_mempolicy => 'noio',
- get_robust_list => 'noio',
- getcpu => 'noio',
- getcwd => 'noio',
- getdents => 'read',
- getdents64 => 'read',
- getegid => 'noio',
- geteuid => 'noio',
- getgid => 'noio',
- getgroups => 'noio',
- getitimer => 'noio',
- getpeername => 'noio',
- getpgid => 'noio',
- getpgrp => 'noio',
- getpid => 'noio',
- getppid => 'noio',
- getpriority => 'noio',
- getrandom => 'noio',
- getresgid => 'noio',
- getresuid => 'noio',
- getrlimit => 'noio',
- getrusage => 'noio',
- getsid => 'noio',
- getsockname => 'noio',
- getsockopt => 'noio',
- gettid => 'noio',
- gettimeofday => 'noio',
- getuid => 'noio',
- getxattr => 'noio',
- getxattrat => 'noio',
- init_module => 'noio',
- inotify_add_watch => 'noio',
- inotify_init => 'noio',
- inotify_init1 => 'noio',
- inotify_rm_watch => 'noio',
- io_cancel => 'noio',
- io_destroy => 'noio',
- io_getevents => 'noio',
- io_pgetevents => 'noio',
- io_setup => 'noio',
- io_submit => 'noio',
- io_uring_enter => 'noio',
- io_uring_register => 'noio',
- io_uring_setup => 'noio',
- ioctl => 'noio',
- ioperm => 'noio',
- iopl => 'noio',
- ioprio_get => 'noio',
- ioprio_set => 'noio',
- kcmp => 'noio',
- kexec_file_load => 'noio',
- kexec_load => 'noio',
- keyctl => 'noio',
- kill => 'noio',
- landlock_add_rule => 'noio',
- landlock_create_ruleset => 'noio',
- landlock_restrict_self => 'noio',
- lchown => 'noio',
- lgetxattr => 'noio',
- link => 'noio',
- linkat => 'noio',
- listen => 'noio',
- listmount => 'noio',
- listxattr => 'noio',
- listxattrat => 'noio',
- llistxattr => 'noio',
- lremovexattr => 'noio',
- lseek => 'noio',
- lsetxattr => 'noio',
- lsm_get_self_attr => 'noio',
- lsm_list_modules => 'noio',
- lsm_set_self_attr => 'noio',
- madvise => 'noio',
- map_shadow_stack => 'noio',
- mbind => 'noio',
- membarrier => 'noio',
- memfd_create => 'noio',
- memfd_secret => 'noio',
- migrate_pages => 'noio',
- mincore => 'noio',
- mkdir => 'noio',
- mkdirat => 'noio',
- mknod => 'noio',
- mknodat => 'noio',
- mlock => 'noio',
- mlock2 => 'noio',
- mlockall => 'noio',
- mmap => 'noio',
- modify_ldt => 'noio',
- mount => 'noio',
- mount_setattr => 'noio',
- move_mount => 'noio',
- move_pages => 'noio',
- mprotect => 'noio',
- mq_getsetattr => 'noio',
- mq_notify => 'noio',
- mq_open => 'noio',
- mq_timedreceive => 'noio',
- mq_timedsend => 'noio',
- mq_unlink => 'noio',
- mremap => 'noio',
- mseal => 'noio',
- msgctl => 'noio',
- msgget => 'noio',
- msgrcv => 'noio',
- msgsnd => 'noio',
- msync => 'noio',
- munlock => 'noio',
- munlockall => 'noio',
- munmap => 'noio',
- name_to_handle_at => 'noio',
- nanosleep => 'noio',
- newfstat => 'noio',
- newfstatat => 'noio',
- newlstat => 'noio',
- newstat => 'noio',
- newuname => 'noio',
- open => 'noio',
- open_by_handle_at => 'noio',
- open_tree => 'noio',
- open_tree_attr => 'noio',
- openat => 'noio',
- openat2 => 'noio',
- pause => 'noio',
- perf_event_open => 'noio',
- personality => 'noio',
- pidfd_getfd => 'noio',
- pidfd_open => 'noio',
- pidfd_send_signal => 'noio',
- pipe => 'noio',
- pipe2 => 'noio',
- pivot_root => 'noio',
- pkey_alloc => 'noio',
- pkey_free => 'noio',
- pkey_mprotect => 'noio',
- poll => 'noio',
- ppoll => 'noio',
- prctl => 'noio',
- pread64 => 'read',
- preadv => 'read',
- preadv2 => 'read',
- prlimit64 => 'noio',
- process_madvise => 'noio',
- process_mrelease => 'noio',
- process_vm_readv => 'read',
- process_vm_writev => 'write',
- pselect6 => 'noio',
- ptrace => 'noio',
- pwrite64 => 'write',
- pwritev => 'write',
- pwritev2 => 'write',
- quotactl => 'noio',
- quotactl_fd => 'noio',
- read => 'read',
- readahead => 'noio',
- readlink => 'read',
- readlinkat => 'read',
- readv => 'read',
- reboot => 'noio',
- recvfrom => 'read',
- recvmmsg => 'read',
- recvmsg => 'read',
- remap_file_pages => 'noio',
- removexattr => 'noio',
- removexattrat => 'noio',
- rename => 'noio',
- renameat => 'noio',
- renameat2 => 'noio',
- request_key => 'noio',
- restart_syscall => 'noio',
- rmdir => 'noio',
- rseq => 'noio',
- rt_sigaction => 'noio',
- rt_sigpending => 'noio',
- rt_sigprocmask => 'noio',
- rt_sigqueueinfo => 'noio',
- rt_sigreturn => 'noio',
- rt_sigsuspend => 'noio',
- rt_sigtimedwait => 'noio',
- rt_tgsigqueueinfo => 'noio',
- sched_get_priority_max => 'noio',
- sched_get_priority_min => 'noio',
- sched_getaffinity => 'noio',
- sched_getattr => 'noio',
- sched_getparam => 'noio',
- sched_getscheduler => 'noio',
- sched_rr_get_interval => 'noio',
- sched_setaffinity => 'noio',
- sched_setattr => 'noio',
- sched_setparam => 'noio',
- sched_setscheduler => 'noio',
- sched_yield => 'noio',
- seccomp => 'noio',
- select => 'noio',
- semctl => 'noio',
- semget => 'noio',
- semop => 'noio',
- semtimedop => 'noio',
- sendfile64 => 'transfer',
- sendmmsg => 'write',
- sendmsg => 'write',
- sendto => 'write',
- set_mempolicy => 'noio',
- set_mempolicy_home_node => 'noio',
- set_robust_list => 'noio',
- set_tid_address => 'noio',
- setdomainname => 'noio',
- setfsgid => 'noio',
- setfsuid => 'noio',
- setgid => 'noio',
- setgroups => 'noio',
- sethostname => 'noio',
- setitimer => 'noio',
- setns => 'noio',
- setpgid => 'noio',
- setpriority => 'noio',
- setregid => 'noio',
- setresgid => 'noio',
- setresuid => 'noio',
- setreuid => 'noio',
- setrlimit => 'noio',
- setsid => 'noio',
- setsockopt => 'noio',
- settimeofday => 'noio',
- setuid => 'noio',
- setxattr => 'noio',
- setxattrat => 'noio',
- shmat => 'noio',
- shmctl => 'noio',
- shmdt => 'noio',
- shmget => 'noio',
- shutdown => 'noio',
- sigaltstack => 'noio',
- signalfd => 'noio',
- signalfd4 => 'noio',
- socket => 'noio',
- socketpair => 'noio',
- splice => 'transfer',
- statfs => 'noio',
- statmount => 'noio',
- statx => 'noio',
- swapoff => 'noio',
- swapon => 'noio',
- symlink => 'noio',
- symlinkat => 'noio',
- sync => 'noio',
- sync_file_range => 'noio',
- syncfs => 'noio',
- sysfs => 'noio',
- sysinfo => 'noio',
- syslog => 'noio',
- tee => 'transfer',
- tgkill => 'noio',
- time => 'noio',
- timer_create => 'noio',
- timer_delete => 'noio',
- timer_getoverrun => 'noio',
- timer_gettime => 'noio',
- timer_settime => 'noio',
- timerfd_create => 'noio',
- timerfd_gettime => 'noio',
- timerfd_settime => 'noio',
- times => 'noio',
- tkill => 'noio',
- truncate => 'noio',
- umask => 'noio',
- umount => 'noio',
- unlink => 'noio',
- unlinkat => 'noio',
- unshare => 'noio',
- uretprobe => 'noio',
- userfaultfd => 'noio',
- ustat => 'noio',
- utime => 'noio',
- utimensat => 'noio',
- utimes => 'noio',
- vfork => 'noio',
- vhangup => 'noio',
- vmsplice => 'transfer',
- wait4 => 'noio',
- waitid => 'noio',
- write => 'write',
- writev => 'write';
-
- method classify-tracepoint(Str \name --> Str) {
- my Str \syscall = name.subst(/^SYS_EXIT_/, '').lc;
- die "Syscall '{syscall}' for tracepoint '{name}' not found in classification map"
- unless %!map<syscall>:exists;
- given %!map{syscall} {
- when 'read' { 'READ_CLASSIFIED' }
- when 'write' { 'WRITE_CLASSIFIED' }
- default { 'OTHER_CLASSIFIED' }
- }
- }
+ method classify-tracepoint(Str \name --> Str) { self.classify: name.subst(/^SYS_EXIT_/, '').lc }
+
+ # TODO: Use patterh matching, e.g. pread.*, evwrite.*..
+ multi method classify('getdents64' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('getdents' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('pread64' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('preadv2' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('preadv' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('process_vm_readv' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('readlinkat' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('readlink' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('read' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('readv' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('recvfrom' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('recvmmsg' --> Str) { 'READ_CLASSIFIED' }
+ multi method classify('recvmsg' --> Str) { 'READ_CLASSIFIED' }
+
+ multi method classify('copy_file_range' --> Str) { 'TRANSFER_CLASSIFIED' }
+ multi method classify('sendfile64' --> Str) { 'TRANSFER_CLASSIFIED' }
+ multi method classify('splice' --> Str) { 'TRANSFER_CLASSIFIED' }
+ multi method classify('tee' --> Str) { 'TRANSFER_CLASSIFIED' }
+ multi method classify('vmsplice' --> Str) { 'TRANSFER_CLASSIFIED' }
+
+ multi method classify('process_vm_writev' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('pwrite64' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('pwritev2' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('pwritev' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('sendmmsg' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('sendmsg' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('sendto' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('writev' --> Str) { 'WRITE_CLASSIFIED' }
+ multi method classify('write' --> Str) { 'WRITE_CLASSIFIED' }
+
+ multi method classify($ --> Str) { 'UNCLASSIFIED' }
}
class RetTracepoint does TracepointTemplate does TracepointClassification {
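Review bot: The catch-all `multi method classify($ --> Str) { 'UNCLASSIFIED' }` at the end of the role makes a syscall the generator has never seen indistinguishable from one that was deliberately left out, whereas the removed lookup was written to `die` on a name missing from its map. For a tracer this appears to mean that a read- or write-like syscall introduced by a newer kernel drops out of the I/O classification with no signal at generation time, which is the gap the Makefile TODO in this commit alludes to. Consider keeping an explicit list of known non-I/O names and reporting only the rest, e.g. `multi method classify($name --> Str) { note "unclassified syscall: $name"; 'UNCLASSIFIED' }`, so a coverage gap is visible on stderr when the file is regenerated. Whether `TRANSFER_CLASSIFIED` and `UNCLASSIFIED` are defined for the generated C cannot be seen from this hunk (types.h changes in the same commit), so that is worth confirming; the `RetTracepoint` class that consumes the role continues outside the hunk.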
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 9a50b17..6708962 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -1,256 +1,5445 @@
// Code generated - don't change manually!
-/// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related
-/// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related
-/// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related
-/// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related
-/// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related
-/// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related
-/// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related
-/// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related
-/// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related
-/// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related
-/// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related
-/// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related
-/// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related
+/// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related
+/// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related
+/// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related
+/// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related
/// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related
-/// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related
-/// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related
-/// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related
+/// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related
/// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related
-/// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related
-/// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related
-/// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related
-/// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related
-/// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related
-/// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related
-/// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related
-/// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related
-/// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related
-/// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related
-/// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related
-/// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related
-/// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related
-/// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related
-/// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related
-/// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related
-/// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related
-/// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related
-/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
-/// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related
-/// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related
-/// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related
-/// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related
-/// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related
-/// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related
-/// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related
-/// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related
-/// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related
-/// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related
-/// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related
-/// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related
-/// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related
-/// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related
-/// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related
-/// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related
-/// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related
+/// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related
+/// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related
+/// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related
+/// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related
/// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related
-/// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related
-/// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related
-/// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related
+/// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related
+/// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related
/// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related
-/// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related
-/// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related
-/// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related
-/// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related
-/// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related
-/// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related
-/// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related
-/// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related
-/// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related
-/// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related
-/// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related
-/// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related
-/// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related
-/// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related
-/// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related
-/// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related
-/// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related
-/// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related
-/// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related
-/// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related
-/// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related
-/// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related
-/// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related
+/// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related
+/// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related
+/// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related
+/// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related
+/// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related
+/// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related
+/// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related
+/// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related
+/// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related
+/// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related
+/// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related
+/// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related
/// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related
-/// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related
-/// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related
-/// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related
-/// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related
-/// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related
-/// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related
-/// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related
-/// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related
+/// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related
+/// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related
+/// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related
/// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related
-/// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related
-/// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related
-/// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related
-/// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related
-/// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related
-/// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related
-/// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related
-/// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related
-/// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related
-/// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related
-/// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related
-/// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related
-/// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related
-/// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related
-/// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related
-/// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related
-/// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related
-/// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related
-/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related
-/// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related
-/// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related
-/// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related
-/// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related
+/// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related
/// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related
-/// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related
-/// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related
-/// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related
-/// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related
-/// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related
-/// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related
-/// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related
-/// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related
-/// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related
-/// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related
-/// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related
-/// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related
-/// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related
-/// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related
-/// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related
-/// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related
-/// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related
-/// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related
-/// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related
-/// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related
-/// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related
+/// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related
+/// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related
+/// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related
+/// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related
+/// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related
+/// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related
+/// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related
+/// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related
+/// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related
+/// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related
/// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related
-/// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related
-/// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related
+/// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related
+/// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related
+/// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related
/// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related
-/// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related
+/// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related
/// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related
-/// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related
-/// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related
-/// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related
-/// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related
-/// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related
-/// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related
-/// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related
-/// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related
-/// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related
-/// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related
-/// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related
-/// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related
-/// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related
-/// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related
-/// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related
-/// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related
-/// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related
-/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
-/// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related
-/// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related
-/// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related
-/// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related
-/// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related
+/// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related
+/// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related
+/// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related
+/// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related
+/// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related
+/// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related
/// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related
-/// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related
-/// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related
-/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related
+/// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related
+/// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related
+/// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related
+/// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related
+/// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related
+/// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related
+/// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related
+/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
+/// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related
+/// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related
+/// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related
/// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related
-/// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related
-/// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related
-/// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related
-/// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related
+/// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related
+/// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related
/// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related
-/// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related
-/// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related
-/// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related
-/// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related
-/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related
-/// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related
+/// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related
+/// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related
+/// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related
+/// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related
+/// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related
+/// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related
+/// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related
+/// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related
+/// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related
+/// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related
/// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related
-/// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related
-/// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related
-/// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related
-/// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related
-/// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related
-/// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related
-/// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related
-/// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related
/// Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related
+/// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related
+/// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related
+/// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related
+/// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related
+/// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related
+/// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related
+/// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related
+/// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related
+/// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related
+/// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related
+/// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related
+/// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related
+/// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related
+/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related
+/// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related
+/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related
+/// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related
+/// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related
+/// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related
+/// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related
+/// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related
+/// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related
+/// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related
+/// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related
+/// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related
+/// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related
+/// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related
+/// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related
+/// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related
+/// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related
+/// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related
+/// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related
+/// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related
+/// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related
+/// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related
+/// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related
+/// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related
+/// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related
+/// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related
+/// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related
+/// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related
+/// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related
+/// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related
+/// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related
+/// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related
+/// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related
+/// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related
/// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related
-/// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related
-/// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related
-/// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related
-/// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related
-/// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related
-/// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related
+/// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related
+/// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related
+/// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related
+/// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related
+/// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related
+/// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related
+/// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related
+/// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related
+/// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related
+/// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related
+/// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related
+/// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related
+/// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related
+/// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related
+/// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related
+/// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related
+/// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related
+/// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related
+/// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related
+/// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related
+/// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related
+/// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related
+/// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related
+/// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related
/// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related
+/// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related
+/// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related
+/// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related
+/// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related
/// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related
-/// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related
-/// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related
+/// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related
+/// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related
+/// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related
+/// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related
+/// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related
+/// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related
+/// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related
+/// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related
+/// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related
/// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related
-/// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related
-/// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related
-/// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related
-/// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related
-/// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related
-/// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related
-/// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related
-/// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related
-/// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related
-/// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related
-/// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related
-/// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related
-/// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related
-/// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related
-/// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related
-/// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related
-/// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related
+/// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related
+/// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related
/// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related
-/// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related
-/// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related
-/// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related
-/// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related
-/// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related
-/// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related
-/// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related
-/// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related
-/// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related
-/// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related
+/// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related
+/// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related
+/// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related
+/// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related
+/// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related
+/// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related
+/// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related
+/// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related
+/// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related
+/// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related
+/// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related
+/// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related
+/// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related
+/// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related
+/// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related
+/// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related
+/// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related
+/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
+/// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related
+/// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related
+/// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related
+/// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related
+/// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related
+/// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related
+/// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related
+/// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related
+/// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related
+/// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related
+/// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related
+/// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related
+/// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related
+/// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related
+/// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related
+/// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related
+/// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related
+/// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related
+/// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related
/// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related
-/// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related
-/// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related
-/// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related
-/// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related
-/// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related
-/// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related
+/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related
+/// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related
+/// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related
+/// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related
+/// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related
/// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related
-/// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related
-/// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related
-/// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related
-/// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related
-/// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related
-/// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related
-/// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related
+/// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related
+/// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related
+/// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related
+/// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related
+/// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related
+/// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related
+/// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related
/// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related
+/// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related
+/// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related
+/// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related
+/// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related
+/// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related
+/// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related
+/// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related
+/// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related
+/// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related
+/// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related
+/// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related
+/// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related
+/// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related
+/// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related
+/// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related
+/// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related
+/// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related
+/// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related
+/// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related
+/// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related
+
+#define SYS_ENTER_IO_URING_REGISTER 1524
+#define SYS_EXIT_IO_URING_REGISTER 1523
+#define SYS_ENTER_IO_URING_ENTER 1505
+#define SYS_EXIT_IO_URING_ENTER 1504
+#define SYS_ENTER_IO_URING_SETUP 1503
+#define SYS_EXIT_IO_URING_SETUP 1502
+#define SYS_ENTER_QUOTACTL_FD 1161
+#define SYS_EXIT_QUOTACTL_FD 1160
+#define SYS_ENTER_FLOCK 1130
+#define SYS_EXIT_FLOCK 1129
+#define SYS_ENTER_IO_SETUP 1114
+#define SYS_EXIT_IO_SETUP 1113
+#define SYS_ENTER_IO_DESTROY 1112
+#define SYS_EXIT_IO_DESTROY 1111
+#define SYS_ENTER_IO_SUBMIT 1110
+#define SYS_EXIT_IO_SUBMIT 1109
+#define SYS_ENTER_IO_CANCEL 1108
+#define SYS_EXIT_IO_CANCEL 1107
+#define SYS_ENTER_IO_GETEVENTS 1106
+#define SYS_EXIT_IO_GETEVENTS 1105
+#define SYS_ENTER_IO_PGETEVENTS 1104
+#define SYS_EXIT_IO_PGETEVENTS 1103
+#define SYS_ENTER_FANOTIFY_MARK 1072
+#define SYS_EXIT_FANOTIFY_MARK 1071
+#define SYS_ENTER_FSPICK 1060
+#define SYS_EXIT_FSPICK 1059
+#define SYS_ENTER_FSCONFIG 1058
+#define SYS_EXIT_FSCONFIG 1057
+#define SYS_ENTER_STATFS 1056
+#define SYS_EXIT_STATFS 1055
+#define SYS_ENTER_FSTATFS 1054
+#define SYS_EXIT_FSTATFS 1053
+#define SYS_ENTER_UTIMENSAT 1048
+#define SYS_EXIT_UTIMENSAT 1047
+#define SYS_ENTER_FUTIMESAT 1046
+#define SYS_EXIT_FUTIMESAT 1045
+#define SYS_ENTER_SYNC 1040
+#define SYS_EXIT_SYNC 1039
+#define SYS_ENTER_SYNCFS 1038
+#define SYS_EXIT_SYNCFS 1037
+#define SYS_ENTER_FSYNC 1036
+#define SYS_EXIT_FSYNC 1035
+#define SYS_ENTER_FDATASYNC 1034
+#define SYS_EXIT_FDATASYNC 1033
+#define SYS_ENTER_SYNC_FILE_RANGE 1032
+#define SYS_EXIT_SYNC_FILE_RANGE 1031
+#define SYS_ENTER_VMSPLICE 1030
+#define SYS_EXIT_VMSPLICE 1029
+#define SYS_ENTER_SETXATTRAT 992
+#define SYS_EXIT_SETXATTRAT 991
+#define SYS_ENTER_SETXATTR 990
+#define SYS_EXIT_SETXATTR 989
+#define SYS_ENTER_LSETXATTR 988
+#define SYS_EXIT_LSETXATTR 987
+#define SYS_ENTER_FSETXATTR 986
+#define SYS_EXIT_FSETXATTR 985
+#define SYS_ENTER_GETXATTRAT 984
+#define SYS_EXIT_GETXATTRAT 983
+#define SYS_ENTER_GETXATTR 982
+#define SYS_EXIT_GETXATTR 981
+#define SYS_ENTER_LGETXATTR 980
+#define SYS_EXIT_LGETXATTR 979
+#define SYS_ENTER_FGETXATTR 978
+#define SYS_EXIT_FGETXATTR 977
+#define SYS_ENTER_LISTXATTRAT 976
+#define SYS_EXIT_LISTXATTRAT 975
+#define SYS_ENTER_LISTXATTR 974
+#define SYS_EXIT_LISTXATTR 973
+#define SYS_ENTER_LLISTXATTR 972
+#define SYS_EXIT_LLISTXATTR 971
+#define SYS_ENTER_FLISTXATTR 970
+#define SYS_EXIT_FLISTXATTR 969
+#define SYS_ENTER_REMOVEXATTRAT 968
+#define SYS_EXIT_REMOVEXATTRAT 967
+#define SYS_ENTER_REMOVEXATTR 966
+#define SYS_EXIT_REMOVEXATTR 965
+#define SYS_ENTER_LREMOVEXATTR 964
+#define SYS_EXIT_LREMOVEXATTR 963
+#define SYS_ENTER_FREMOVEXATTR 962
+#define SYS_EXIT_FREMOVEXATTR 961
+#define SYS_ENTER_OPEN_TREE 958
+#define SYS_EXIT_OPEN_TREE 957
+#define SYS_ENTER_MOUNT_SETATTR 948
+#define SYS_EXIT_MOUNT_SETATTR 947
+#define SYS_ENTER_OPEN_TREE_ATTR 946
+#define SYS_EXIT_OPEN_TREE_ATTR 945
+#define SYS_ENTER_CLOSE_RANGE 938
+#define SYS_EXIT_CLOSE_RANGE 937
+#define SYS_ENTER_DUP3 936
+#define SYS_EXIT_DUP3 935
+#define SYS_ENTER_DUP2 934
+#define SYS_EXIT_DUP2 933
+#define SYS_ENTER_DUP 932
+#define SYS_EXIT_DUP 931
+#define SYS_ENTER_GETDENTS 918
+#define SYS_EXIT_GETDENTS 917
+#define SYS_ENTER_GETDENTS64 916
+#define SYS_EXIT_GETDENTS64 915
+#define SYS_ENTER_IOCTL 914
+#define SYS_EXIT_IOCTL 913
+#define SYS_ENTER_FCNTL 912
+#define SYS_EXIT_FCNTL 911
+#define SYS_ENTER_MKDIRAT 906
+#define SYS_EXIT_MKDIRAT 905
+#define SYS_ENTER_MKDIR 904
+#define SYS_EXIT_MKDIR 903
+#define SYS_ENTER_RMDIR 902
+#define SYS_EXIT_RMDIR 901
+#define SYS_ENTER_UNLINKAT 900
+#define SYS_EXIT_UNLINKAT 899
+#define SYS_ENTER_UNLINK 898
+#define SYS_EXIT_UNLINK 897
+#define SYS_ENTER_SYMLINKAT 896
+#define SYS_EXIT_SYMLINKAT 895
+#define SYS_ENTER_SYMLINK 894
+#define SYS_EXIT_SYMLINK 893
+#define SYS_ENTER_LINKAT 892
+#define SYS_EXIT_LINKAT 891
+#define SYS_ENTER_LINK 890
+#define SYS_EXIT_LINK 889
+#define SYS_ENTER_RENAMEAT2 888
+#define SYS_EXIT_RENAMEAT2 887
+#define SYS_ENTER_RENAMEAT 886
+#define SYS_EXIT_RENAMEAT 885
+#define SYS_ENTER_RENAME 884
+#define SYS_EXIT_RENAME 883
+#define SYS_ENTER_NEWSTAT 874
+#define SYS_EXIT_NEWSTAT 873
+#define SYS_ENTER_NEWLSTAT 872
+#define SYS_EXIT_NEWLSTAT 871
+#define SYS_ENTER_NEWFSTATAT 870
+#define SYS_EXIT_NEWFSTATAT 869
+#define SYS_ENTER_NEWFSTAT 868
+#define SYS_EXIT_NEWFSTAT 867
+#define SYS_ENTER_READLINKAT 866
+#define SYS_EXIT_READLINKAT 865
+#define SYS_ENTER_READLINK 864
+#define SYS_EXIT_READLINK 863
+#define SYS_ENTER_STATX 862
+#define SYS_EXIT_STATX 861
+#define SYS_ENTER_LSEEK 860
+#define SYS_EXIT_LSEEK 859
+#define SYS_ENTER_READ 858
+#define SYS_EXIT_READ 857
+#define SYS_ENTER_WRITE 856
+#define SYS_EXIT_WRITE 855
+#define SYS_ENTER_PREAD64 854
+#define SYS_EXIT_PREAD64 853
+#define SYS_ENTER_PWRITE64 852
+#define SYS_EXIT_PWRITE64 851
+#define SYS_ENTER_READV 850
+#define SYS_EXIT_READV 849
+#define SYS_ENTER_WRITEV 848
+#define SYS_EXIT_WRITEV 847
+#define SYS_ENTER_PREADV 846
+#define SYS_EXIT_PREADV 845
+#define SYS_ENTER_PREADV2 844
+#define SYS_EXIT_PREADV2 843
+#define SYS_ENTER_PWRITEV 842
+#define SYS_EXIT_PWRITEV 841
+#define SYS_ENTER_PWRITEV2 840
+#define SYS_EXIT_PWRITEV2 839
+#define SYS_ENTER_TRUNCATE 834
+#define SYS_EXIT_TRUNCATE 833
+#define SYS_ENTER_FTRUNCATE 832
+#define SYS_EXIT_FTRUNCATE 831
+#define SYS_ENTER_FALLOCATE 830
+#define SYS_EXIT_FALLOCATE 829
+#define SYS_ENTER_FACCESSAT 828
+#define SYS_EXIT_FACCESSAT 827
+#define SYS_ENTER_FACCESSAT2 826
+#define SYS_EXIT_FACCESSAT2 825
+#define SYS_ENTER_ACCESS 824
+#define SYS_EXIT_ACCESS 823
+#define SYS_ENTER_CHDIR 822
+#define SYS_EXIT_CHDIR 821
+#define SYS_ENTER_FCHDIR 820
+#define SYS_EXIT_FCHDIR 819
+#define SYS_ENTER_CHROOT 818
+#define SYS_EXIT_CHROOT 817
+#define SYS_ENTER_FCHMOD 816
+#define SYS_EXIT_FCHMOD 815
+#define SYS_ENTER_FCHMODAT2 814
+#define SYS_EXIT_FCHMODAT2 813
+#define SYS_ENTER_FCHMODAT 812
+#define SYS_EXIT_FCHMODAT 811
+#define SYS_ENTER_CHMOD 810
+#define SYS_EXIT_CHMOD 809
+#define SYS_ENTER_FCHOWNAT 808
+#define SYS_EXIT_FCHOWNAT 807
+#define SYS_ENTER_CHOWN 806
+#define SYS_EXIT_CHOWN 805
+#define SYS_ENTER_LCHOWN 804
+#define SYS_EXIT_LCHOWN 803
+#define SYS_ENTER_FCHOWN 802
+#define SYS_EXIT_FCHOWN 801
+#define SYS_ENTER_OPEN 800
+#define SYS_EXIT_OPEN 799
+#define SYS_ENTER_OPENAT 798
+#define SYS_EXIT_OPENAT 797
+#define SYS_ENTER_OPENAT2 796
+#define SYS_EXIT_OPENAT2 795
+#define SYS_ENTER_CREAT 794
+#define SYS_EXIT_CREAT 793
+#define SYS_ENTER_CLOSE 792
+#define SYS_EXIT_CLOSE 791
+#define SYS_ENTER_READAHEAD 625
+#define SYS_EXIT_READAHEAD 624
+#define SYS_ENTER_FADVISE64 623
+#define SYS_EXIT_FADVISE64 622
+#define SYS_ENTER_CACHESTAT 604
+#define SYS_EXIT_CACHESTAT 603
+#define SYS_ENTER_FINIT_MODULE 410
+#define SYS_EXIT_FINIT_MODULE 409
+#define SYS_ENTER_SYSLOG 351
+#define SYS_EXIT_SYSLOG 350
+#define SYS_ENTER_MMAP 100
+#define SYS_EXIT_MMAP 99
+
+/// sys_enter_io_uring_register is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_uring_register")
+int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_URING_REGISTER;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_uring_register is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_uring_register")
+int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_URING_REGISTER;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_uring_enter is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_uring_enter")
+int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_URING_ENTER;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_uring_enter is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_uring_enter")
+int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_URING_ENTER;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_uring_setup is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_uring_setup")
+int handle_sys_enter_io_uring_setup(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_URING_SETUP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_uring_setup is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_uring_setup")
+int handle_sys_exit_io_uring_setup(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_URING_SETUP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_quotactl_fd is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_quotactl_fd")
+int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_QUOTACTL_FD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_quotactl_fd is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_quotactl_fd")
+int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_QUOTACTL_FD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_flock is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_flock")
+int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FLOCK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_flock is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_flock")
+int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FLOCK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_setup is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_setup")
+int handle_sys_enter_io_setup(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_SETUP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_setup is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_setup")
+int handle_sys_exit_io_setup(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_SETUP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_destroy is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_destroy")
+int handle_sys_enter_io_destroy(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_DESTROY;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_destroy is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_destroy")
+int handle_sys_exit_io_destroy(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_DESTROY;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_submit is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_submit")
+int handle_sys_enter_io_submit(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_SUBMIT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_submit is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_submit")
+int handle_sys_exit_io_submit(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_SUBMIT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_cancel is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_cancel")
+int handle_sys_enter_io_cancel(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_CANCEL;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_cancel is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_cancel")
+int handle_sys_exit_io_cancel(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_CANCEL;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_getevents is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_getevents")
+int handle_sys_enter_io_getevents(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_GETEVENTS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_getevents is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_getevents")
+int handle_sys_exit_io_getevents(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_GETEVENTS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_io_pgetevents is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_io_pgetevents")
+int handle_sys_enter_io_pgetevents(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_IO_PGETEVENTS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_io_pgetevents is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_io_pgetevents")
+int handle_sys_exit_io_pgetevents(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IO_PGETEVENTS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fanotify_mark is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_fanotify_mark")
+int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FANOTIFY_MARK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fanotify_mark is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fanotify_mark")
+int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FANOTIFY_MARK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fspick is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_fspick")
+int handle_sys_enter_fspick(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FSPICK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fspick is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fspick")
+int handle_sys_exit_fspick(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FSPICK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fsconfig is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fsconfig")
+int handle_sys_enter_fsconfig(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FSCONFIG;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fsconfig is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fsconfig")
+int handle_sys_exit_fsconfig(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FSCONFIG;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_statfs is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_statfs")
+int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_STATFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_statfs is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_statfs")
+int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_STATFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fstatfs is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fstatfs")
+int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FSTATFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fstatfs is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fstatfs")
+int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FSTATFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_utimensat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_utimensat")
+int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_UTIMENSAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_utimensat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_utimensat")
+int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_UTIMENSAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_futimesat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_futimesat")
+int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FUTIMESAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_futimesat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_futimesat")
+int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FUTIMESAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_sync is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_sync")
+int handle_sys_enter_sync(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_SYNC;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_sync is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_sync")
+int handle_sys_exit_sync(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SYNC;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_syncfs is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_syncfs")
+int handle_sys_enter_syncfs(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_SYNCFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_syncfs is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_syncfs")
+int handle_sys_exit_syncfs(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SYNCFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fsync is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fsync")
+int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FSYNC;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fsync is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fsync")
+int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FSYNC;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fdatasync is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fdatasync")
+int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FDATASYNC;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fdatasync is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fdatasync")
+int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FDATASYNC;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_sync_file_range is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_sync_file_range")
+int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_sync_file_range is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_sync_file_range")
+int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_vmsplice is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_vmsplice")
+int handle_sys_enter_vmsplice(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_VMSPLICE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_vmsplice is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_vmsplice")
+int handle_sys_exit_vmsplice(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_VMSPLICE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_setxattrat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_setxattrat")
+int handle_sys_enter_setxattrat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_SETXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_setxattrat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_setxattrat")
+int handle_sys_exit_setxattrat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SETXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_setxattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_setxattr")
+int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_SETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_setxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_setxattr")
+int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_lsetxattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_lsetxattr")
+int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LSETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_lsetxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_lsetxattr")
+int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LSETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fsetxattr is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fsetxattr")
+int handle_sys_enter_fsetxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FSETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fsetxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fsetxattr")
+int handle_sys_exit_fsetxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FSETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_getxattrat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_getxattrat")
+int handle_sys_enter_getxattrat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_GETXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_getxattrat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_getxattrat")
+int handle_sys_exit_getxattrat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_GETXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_getxattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_getxattr")
+int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_GETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_getxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_getxattr")
+int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_GETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_lgetxattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_lgetxattr")
+int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LGETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_lgetxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_lgetxattr")
+int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LGETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fgetxattr is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fgetxattr")
+int handle_sys_enter_fgetxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FGETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fgetxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fgetxattr")
+int handle_sys_exit_fgetxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FGETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_listxattrat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_listxattrat")
+int handle_sys_enter_listxattrat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LISTXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_listxattrat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_listxattrat")
+int handle_sys_exit_listxattrat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LISTXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_listxattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_listxattr")
+int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_listxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_listxattr")
+int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_llistxattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_llistxattr")
+int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LLISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_llistxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_llistxattr")
+int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LLISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_flistxattr is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_flistxattr")
+int handle_sys_enter_flistxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FLISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_flistxattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_flistxattr")
+int handle_sys_exit_flistxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FLISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_removexattrat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_removexattrat")
+int handle_sys_enter_removexattrat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_REMOVEXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_removexattrat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_removexattrat")
+int handle_sys_exit_removexattrat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_REMOVEXATTRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_removexattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_removexattr")
+int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_REMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_removexattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_removexattr")
+int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_REMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_lremovexattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_lremovexattr")
+int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LREMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_lremovexattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_lremovexattr")
+int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LREMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fremovexattr is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fremovexattr")
+int handle_sys_enter_fremovexattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FREMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fremovexattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fremovexattr")
+int handle_sys_exit_fremovexattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FREMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_open_tree is a struct open_event
+SEC("tracepoint/syscalls/sys_enter_open_tree")
+int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_OPEN_TREE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->flags = ctx->args[2];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_open_tree is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_open_tree")
+int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_OPEN_TREE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_mount_setattr is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_mount_setattr")
+int handle_sys_enter_mount_setattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_MOUNT_SETATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_mount_setattr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_mount_setattr")
+int handle_sys_exit_mount_setattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MOUNT_SETATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_open_tree_attr is a struct open_event
+SEC("tracepoint/syscalls/sys_enter_open_tree_attr")
+int handle_sys_enter_open_tree_attr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_OPEN_TREE_ATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->flags = ctx->args[2];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_open_tree_attr is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_open_tree_attr")
+int handle_sys_exit_open_tree_attr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_OPEN_TREE_ATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_close_range is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_close_range")
+int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_CLOSE_RANGE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_close_range is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_close_range")
+int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CLOSE_RANGE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_dup3 is a struct dup3_event
+SEC("tracepoint/syscalls/sys_enter_dup3")
+int handle_sys_enter_dup3(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_DUP3_EVENT;
+ ev->trace_id = SYS_ENTER_DUP3;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+ ev->flags = (__s32)ctx->args[2];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_dup3 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_dup3")
+int handle_sys_exit_dup3(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_DUP3;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_dup2 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_dup2")
+int handle_sys_enter_dup2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_DUP2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_dup2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_dup2")
+int handle_sys_exit_dup2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_DUP2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_dup is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_dup")
+int handle_sys_enter_dup(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_DUP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_dup is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_dup")
+int handle_sys_exit_dup(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_DUP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_getdents is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_getdents")
+int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_GETDENTS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_getdents is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_getdents")
+int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_GETDENTS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_getdents64 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_getdents64")
+int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_GETDENTS64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_getdents64 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_getdents64")
+int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_GETDENTS64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_ioctl is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_ioctl")
+int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_IOCTL;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_ioctl is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_ioctl")
+int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_IOCTL;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fcntl is a struct fcntl_event
+SEC("tracepoint/syscalls/sys_enter_fcntl")
+int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FCNTL_EVENT;
+ ev->trace_id = SYS_ENTER_FCNTL;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = ctx->args[0];
+ ev->cmd = ctx->args[1];
+ ev->arg = ctx->args[2];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fcntl is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fcntl")
+int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCNTL;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_mkdirat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_mkdirat")
+int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_MKDIRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_mkdirat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_mkdirat")
+int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MKDIRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_mkdir is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_mkdir")
+int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_MKDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_mkdir is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_mkdir")
+int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MKDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_rmdir is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_rmdir")
+int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_RMDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_rmdir is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_rmdir")
+int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_RMDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_unlinkat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_UNLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_unlinkat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_unlinkat")
+int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_UNLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_unlink is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_UNLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_unlink is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_unlink")
+int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_UNLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_symlinkat is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_symlinkat")
+int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_SYMLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_symlinkat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_symlinkat")
+int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SYMLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_symlink is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_symlink")
+int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_SYMLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_symlink is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_symlink")
+int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SYMLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_linkat is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_linkat")
+int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_LINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_linkat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_linkat")
+int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_link is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_link")
+int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_LINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_link is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_link")
+int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_renameat2 is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_renameat2")
+int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_RENAMEAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_renameat2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_renameat2")
+int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_RENAMEAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_renameat is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_renameat")
+int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_RENAMEAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_renameat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_renameat")
+int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_RENAMEAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_rename is a struct name_event
+SEC("tracepoint/syscalls/sys_enter_rename")
+int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NAME_EVENT;
+ ev->trace_id = SYS_ENTER_RENAME;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_rename is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_rename")
+int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_RENAME;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_newstat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_newstat")
+int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_NEWSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_newstat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_newstat")
+int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NEWSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_newlstat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_newlstat")
+int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_NEWLSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_newlstat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_newlstat")
+int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NEWLSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_newfstatat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_newfstatat")
+int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_NEWFSTATAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_newfstatat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_newfstatat")
+int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NEWFSTATAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_newfstat is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_newfstat")
+int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_NEWFSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_newfstat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_newfstat")
+int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NEWFSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_readlinkat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_readlinkat")
+int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_READLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_readlinkat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_readlinkat")
+int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_READLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_readlink is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_readlink")
+int handle_sys_enter_readlink(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_READLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_readlink is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_readlink")
+int handle_sys_exit_readlink(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_READLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_statx is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_statx")
+int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_STATX;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_statx is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_statx")
+int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_STATX;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_lseek is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_lseek")
+int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_LSEEK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_lseek is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_lseek")
+int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LSEEK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_read is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_read")
+int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_READ;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_read is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_read")
+int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_READ;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_write is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_WRITE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_write is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_WRITE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_pread64 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_pread64")
+int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PREAD64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_pread64 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_pread64")
+int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_PREAD64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_pwrite64 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_pwrite64")
+int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PWRITE64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_pwrite64 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_pwrite64")
+int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_PWRITE64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_readv is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_readv")
+int handle_sys_enter_readv(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_READV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_readv is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_readv")
+int handle_sys_exit_readv(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_READV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_writev is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_writev")
+int handle_sys_enter_writev(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_WRITEV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_writev is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_writev")
+int handle_sys_exit_writev(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_WRITEV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_preadv is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_preadv")
+int handle_sys_enter_preadv(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PREADV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_preadv is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_preadv")
+int handle_sys_exit_preadv(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_PREADV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_preadv2 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_preadv2")
+int handle_sys_enter_preadv2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PREADV2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_preadv2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_preadv2")
+int handle_sys_exit_preadv2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_PREADV2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_pwritev is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_pwritev")
+int handle_sys_enter_pwritev(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PWRITEV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_pwritev is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_pwritev")
+int handle_sys_exit_pwritev(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_PWRITEV;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_pwritev2 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_pwritev2")
+int handle_sys_enter_pwritev2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PWRITEV2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_pwritev2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_pwritev2")
+int handle_sys_exit_pwritev2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_PWRITEV2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_truncate is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_truncate")
+int handle_sys_enter_truncate(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_TRUNCATE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_truncate is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_truncate")
+int handle_sys_exit_truncate(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_TRUNCATE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_ftruncate is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_ftruncate")
+int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FTRUNCATE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_ftruncate is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_ftruncate")
+int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FTRUNCATE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fallocate is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fallocate")
+int handle_sys_enter_fallocate(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FALLOCATE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fallocate is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fallocate")
+int handle_sys_exit_fallocate(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FALLOCATE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_faccessat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_faccessat")
+int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FACCESSAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_faccessat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_faccessat")
+int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FACCESSAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_faccessat2 is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_faccessat2")
+int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FACCESSAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_faccessat2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_faccessat2")
+int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FACCESSAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_access is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_access")
+int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_ACCESS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_access is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_access")
+int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_ACCESS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_chdir is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_chdir")
+int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_CHDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_chdir is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_chdir")
+int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CHDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fchdir is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fchdir")
+int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FCHDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fchdir is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fchdir")
+int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCHDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_chroot is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_chroot")
+int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_CHROOT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_chroot is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_chroot")
+int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CHROOT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fchmod is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fchmod")
+int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FCHMOD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fchmod is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fchmod")
+int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCHMOD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fchmodat2 is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_fchmodat2")
+int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FCHMODAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fchmodat2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fchmodat2")
+int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCHMODAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fchmodat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_fchmodat")
+int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FCHMODAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fchmodat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fchmodat")
+int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCHMODAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_chmod is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_chmod")
+int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_CHMOD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_chmod is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_chmod")
+int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CHMOD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fchownat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_fchownat")
+int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FCHOWNAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fchownat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fchownat")
+int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCHOWNAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_chown is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_chown")
+int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_CHOWN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_chown is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_chown")
+int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CHOWN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_lchown is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_lchown")
+int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LCHOWN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_lchown is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_lchown")
+int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LCHOWN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fchown is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fchown")
+int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FCHOWN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fchown is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fchown")
+int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FCHOWN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_open is a struct open_event
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_OPEN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->flags = ctx->args[1];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_open is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_OPEN;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_openat is a struct open_event
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_OPENAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->flags = ctx->args[2];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_openat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_OPENAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_openat2 is a struct open_event
+SEC("tracepoint/syscalls/sys_enter_openat2")
+int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_OPENAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->flags = -1; // Probably OK
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_openat2 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_openat2")
+int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_OPENAT2;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_creat is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_creat")
+int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_CREAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_creat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_creat")
+int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CREAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_close is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_CLOSE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_close is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CLOSE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_readahead is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_readahead")
+int handle_sys_enter_readahead(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_READAHEAD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_readahead is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_readahead")
+int handle_sys_exit_readahead(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_READAHEAD;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_fadvise64 is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_fadvise64")
+int handle_sys_enter_fadvise64(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FADVISE64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_fadvise64 is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_fadvise64")
+int handle_sys_exit_fadvise64(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FADVISE64;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_cachestat is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_cachestat")
+int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_CACHESTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_cachestat is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_cachestat")
+int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CACHESTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_finit_module is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_finit_module")
+int handle_sys_enter_finit_module(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FINIT_MODULE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_finit_module is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_finit_module")
+int handle_sys_exit_finit_module(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FINIT_MODULE;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_syslog is a struct null_event
+SEC("tracepoint/syscalls/sys_enter_syslog")
+int handle_sys_enter_syslog(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_SYSLOG;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_syslog is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_syslog")
+int handle_sys_exit_syslog(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SYSLOG;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_enter_mmap is a struct fd_event
+SEC("tracepoint/syscalls/sys_enter_mmap")
+int handle_sys_enter_mmap(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_MMAP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_mmap is a struct ret_event
+SEC("tracepoint/syscalls/sys_exit_mmap")
+int handle_sys_exit_mmap(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MMAP;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+
diff --git a/internal/c/types.h b/internal/c/types.h
index 6465f8f..7c8f834 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -20,9 +20,10 @@
#define ENTER_DUP3_EVENT 15
#define EXIT_DUP3_EVENT 16
-#define OTHER_CLASSIFIED 0
+#define UNCLASSIFIED 0
#define READ_CLASSIFIED 1
#define WRITE_CLASSIFIED 2
+#define TRANSFER_CLASSIFIED 3
struct open_event {
__u32 event_type;
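Review bot: The classification macros after `EXIT_DUP3_EVENT` have no comment saying which field they belong to or what `TRANSFER_CLASSIFIED` covers, and renaming `OTHER_CLASSIFIED` changes the reading of value 0 from "some other class" to "no class assigned". The generated handlers in this commit store the value in `ev->ret_type`, and every exit handler in the part of generated_tracepoints.c visible here, including `sys_exit_pwritev2`, writes `UNCLASSIFIED`, so a consumer has to treat 0 as unknown rather than as non-I/O. I would add above the block `/* Values of ret_event.ret_type. UNCLASSIFIED (0) means no class was assigned, not "no I/O". */` and a short trailing comment on `TRANSFER_CLASSIFIED` naming the syscalls it is meant for. Any user-space decoder that mirrors these numbers presumably needs the same rename, but that code is not in this hunk; `struct open_event` continues outside it.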