| author | Paul Buetow <paul@buetow.org> | 2024-03-09 18:18:41 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-03-09 23:48:02 +0200 |
| commit | 60defe5b1312b0cdcaaa62659ec851971b3c018d (patch) | |
| tree | 7fa215b3e7e03e62f45e0834bbf5bd8bea75828e /internal/c/generated/tracepoints.c | |
| parent | 478a1eb094a7d9e050cef60f80d9a8af1835dfcf (diff) | |
Also auto-generate open syscalls.
Diffstat (limited to 'internal/c/generated/tracepoints.c')
| -rw-r--r-- | internal/c/generated/tracepoints.c | 2118 |
1 files changed, 1546 insertions, 572 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c index 8ba2028..e1cb7d6 100644 --- a/internal/c/generated/tracepoints.c +++ b/internal/c/generated/tracepoints.c 
@@ -1,114 +1,177 @@ // Code generated - don't change manually! -#define SYS_EXIT_CACHESTAT 527 -#define SYS_ENTER_CACHESTAT 528 -#define SYS_EXIT_CLOSE_RANGE 700 -#define SYS_ENTER_CLOSE_RANGE 701 -#define SYS_EXIT_CLOSE 702 -#define SYS_ENTER_CLOSE 703 -#define SYS_EXIT_CREAT 704 -#define SYS_ENTER_CREAT 705 -#define SYS_EXIT_FCHOWN 712 -#define SYS_ENTER_FCHOWN 713 -#define SYS_EXIT_FCHMOD 726 -#define SYS_ENTER_FCHMOD 727 -#define SYS_EXIT_FCHDIR 730 -#define SYS_ENTER_FCHDIR 731 -#define SYS_EXIT_FTRUNCATE 742 -#define SYS_ENTER_FTRUNCATE 743 -#define SYS_EXIT_COPY_FILE_RANGE 746 -#define SYS_ENTER_COPY_FILE_RANGE 747 -#define SYS_EXIT_PWRITE64 762 -#define SYS_ENTER_PWRITE64 763 -#define SYS_EXIT_PREAD64 764 -#define SYS_ENTER_PREAD64 765 -#define SYS_EXIT_WRITE 766 -#define SYS_ENTER_WRITE 767 -#define SYS_EXIT_READ 768 -#define SYS_ENTER_READ 769 -#define SYS_EXIT_LSEEK 770 -#define SYS_ENTER_LSEEK 771 -#define SYS_EXIT_READLINKAT 776 -#define SYS_ENTER_READLINKAT 777 -#define SYS_EXIT_NEWFSTAT 778 -#define SYS_ENTER_NEWFSTAT 779 -#define SYS_EXIT_RENAME 794 -#define SYS_ENTER_RENAME 795 -#define SYS_EXIT_RENAMEAT 796 -#define SYS_ENTER_RENAMEAT 797 -#define SYS_EXIT_RENAMEAT2 798 -#define SYS_ENTER_RENAMEAT2 799 -#define SYS_EXIT_LINK 800 -#define SYS_ENTER_LINK 801 -#define SYS_EXIT_LINKAT 802 -#define SYS_ENTER_LINKAT 803 -#define SYS_EXIT_SYMLINK 804 -#define SYS_ENTER_SYMLINK 805 -#define SYS_EXIT_SYMLINKAT 806 -#define SYS_ENTER_SYMLINKAT 807 -#define SYS_EXIT_UNLINK 808 -#define SYS_ENTER_UNLINK 809 -#define SYS_EXIT_UNLINKAT 810 -#define SYS_ENTER_UNLINKAT 811 -#define SYS_EXIT_RMDIR 812 -#define SYS_ENTER_RMDIR 813 -#define SYS_EXIT_MKDIR 814 -#define SYS_ENTER_MKDIR 815 -#define SYS_EXIT_MKDIRAT 816 -#define SYS_ENTER_MKDIRAT 817 -#define SYS_EXIT_FCNTL 822 -#define SYS_ENTER_FCNTL 823 -#define SYS_EXIT_IOCTL 824 -#define SYS_ENTER_IOCTL 825 -#define SYS_EXIT_GETDENTS64 826 -#define SYS_ENTER_GETDENTS64 827 -#define SYS_EXIT_GETDENTS 828 -#define 
SYS_ENTER_GETDENTS 829 -#define SYS_EXIT_LREMOVEXATTR 862 -#define SYS_ENTER_LREMOVEXATTR 863 -#define SYS_EXIT_REMOVEXATTR 864 -#define SYS_ENTER_REMOVEXATTR 865 -#define SYS_EXIT_LLISTXATTR 868 -#define SYS_ENTER_LLISTXATTR 869 -#define SYS_EXIT_LISTXATTR 870 -#define SYS_ENTER_LISTXATTR 871 -#define SYS_EXIT_LGETXATTR 874 -#define SYS_ENTER_LGETXATTR 875 -#define SYS_EXIT_GETXATTR 876 -#define SYS_ENTER_GETXATTR 877 -#define SYS_EXIT_LSETXATTR 880 -#define SYS_ENTER_LSETXATTR 881 -#define SYS_EXIT_SETXATTR 882 -#define SYS_ENTER_SETXATTR 883 -#define SYS_EXIT_SYNC_FILE_RANGE 922 -#define SYS_ENTER_SYNC_FILE_RANGE 923 -#define SYS_EXIT_FDATASYNC 924 -#define SYS_ENTER_FDATASYNC 925 -#define SYS_EXIT_FSYNC 926 -#define SYS_ENTER_FSYNC 927 -#define SYS_EXIT_FSTATFS 944 -#define SYS_ENTER_FSTATFS 945 -#define SYS_EXIT_STATFS 946 -#define SYS_ENTER_STATFS 947 -#define SYS_EXIT_INOTIFY_RM_WATCH 954 -#define SYS_ENTER_INOTIFY_RM_WATCH 955 -#define SYS_EXIT_INOTIFY_ADD_WATCH 956 -#define SYS_ENTER_INOTIFY_ADD_WATCH 957 -#define SYS_EXIT_FANOTIFY_MARK 962 -#define SYS_ENTER_FANOTIFY_MARK 963 -#define SYS_EXIT_FLOCK 1020 -#define SYS_ENTER_FLOCK 1021 -#define SYS_EXIT_QUOTACTL_FD 1051 -#define SYS_ENTER_QUOTACTL_FD 1052 -#define SYS_EXIT_MQ_UNLINK 1321 -#define SYS_ENTER_MQ_UNLINK 1322 -#define SYS_EXIT_IO_URING_REGISTER 1377 -#define SYS_ENTER_IO_URING_REGISTER 1378 -#define SYS_EXIT_IO_URING_ENTER 1381 #define SYS_ENTER_IO_URING_ENTER 1382 +#define SYS_EXIT_IO_URING_ENTER 1381 +#define SYS_ENTER_IO_URING_REGISTER 1378 +#define SYS_EXIT_IO_URING_REGISTER 1377 +#define SYS_ENTER_QUOTACTL_FD 1052 +#define SYS_EXIT_QUOTACTL_FD 1051 +#define SYS_ENTER_FLOCK 1021 +#define SYS_EXIT_FLOCK 1020 +#define SYS_ENTER_FANOTIFY_MARK 963 +#define SYS_EXIT_FANOTIFY_MARK 962 +#define SYS_ENTER_INOTIFY_ADD_WATCH 957 +#define SYS_EXIT_INOTIFY_ADD_WATCH 956 +#define SYS_ENTER_STATFS 947 +#define SYS_EXIT_STATFS 946 +#define SYS_ENTER_FSTATFS 945 +#define SYS_EXIT_FSTATFS 944 +#define 
SYS_ENTER_UTIMENSAT 939 +#define SYS_EXIT_UTIMENSAT 938 +#define SYS_ENTER_FUTIMESAT 937 +#define SYS_EXIT_FUTIMESAT 936 +#define SYS_ENTER_FSYNC 927 +#define SYS_EXIT_FSYNC 926 +#define SYS_ENTER_FDATASYNC 925 +#define SYS_EXIT_FDATASYNC 924 +#define SYS_ENTER_SETXATTR 883 +#define SYS_EXIT_SETXATTR 882 +#define SYS_ENTER_LSETXATTR 881 +#define SYS_EXIT_LSETXATTR 880 +#define SYS_ENTER_GETXATTR 877 +#define SYS_EXIT_GETXATTR 876 +#define SYS_ENTER_LGETXATTR 875 +#define SYS_EXIT_LGETXATTR 874 +#define SYS_ENTER_LISTXATTR 871 +#define SYS_EXIT_LISTXATTR 870 +#define SYS_ENTER_LLISTXATTR 869 +#define SYS_EXIT_LLISTXATTR 868 +#define SYS_ENTER_REMOVEXATTR 865 +#define SYS_EXIT_REMOVEXATTR 864 +#define SYS_ENTER_LREMOVEXATTR 863 +#define SYS_EXIT_LREMOVEXATTR 862 +#define SYS_ENTER_OPEN_TREE 857 +#define SYS_EXIT_OPEN_TREE 856 +#define SYS_ENTER_GETDENTS 829 +#define SYS_EXIT_GETDENTS 828 +#define SYS_ENTER_GETDENTS64 827 +#define SYS_EXIT_GETDENTS64 826 +#define SYS_ENTER_IOCTL 825 +#define SYS_EXIT_IOCTL 824 +#define SYS_ENTER_FCNTL 823 +#define SYS_EXIT_FCNTL 822 +#define SYS_ENTER_MKNODAT 821 +#define SYS_EXIT_MKNODAT 820 +#define SYS_ENTER_MKNOD 819 +#define SYS_EXIT_MKNOD 818 +#define SYS_ENTER_MKDIRAT 817 +#define SYS_EXIT_MKDIRAT 816 +#define SYS_ENTER_MKDIR 815 +#define SYS_EXIT_MKDIR 814 +#define SYS_ENTER_RMDIR 813 +#define SYS_EXIT_RMDIR 812 +#define SYS_ENTER_UNLINKAT 811 +#define SYS_EXIT_UNLINKAT 810 +#define SYS_ENTER_UNLINK 809 +#define SYS_EXIT_UNLINK 808 +#define SYS_ENTER_SYMLINKAT 807 +#define SYS_EXIT_SYMLINKAT 806 +#define SYS_ENTER_SYMLINK 805 +#define SYS_EXIT_SYMLINK 804 +#define SYS_ENTER_LINKAT 803 +#define SYS_EXIT_LINKAT 802 +#define SYS_ENTER_LINK 801 +#define SYS_EXIT_LINK 800 +#define SYS_ENTER_RENAMEAT2 799 +#define SYS_EXIT_RENAMEAT2 798 +#define SYS_ENTER_RENAMEAT 797 +#define SYS_EXIT_RENAMEAT 796 +#define SYS_ENTER_RENAME 795 +#define SYS_EXIT_RENAME 794 +#define SYS_ENTER_EXECVE 789 +#define SYS_EXIT_EXECVE 788 +#define 
SYS_ENTER_EXECVEAT 787 +#define SYS_EXIT_EXECVEAT 786 +#define SYS_ENTER_NEWSTAT 785 +#define SYS_EXIT_NEWSTAT 784 +#define SYS_ENTER_NEWLSTAT 783 +#define SYS_EXIT_NEWLSTAT 782 +#define SYS_ENTER_NEWFSTATAT 781 +#define SYS_EXIT_NEWFSTATAT 780 +#define SYS_ENTER_NEWFSTAT 779 +#define SYS_EXIT_NEWFSTAT 778 +#define SYS_ENTER_READLINKAT 777 +#define SYS_EXIT_READLINKAT 776 +#define SYS_ENTER_STATX 773 +#define SYS_EXIT_STATX 772 +#define SYS_ENTER_LSEEK 771 +#define SYS_EXIT_LSEEK 770 +#define SYS_ENTER_READ 769 +#define SYS_EXIT_READ 768 +#define SYS_ENTER_WRITE 767 +#define SYS_EXIT_WRITE 766 +#define SYS_ENTER_PREAD64 765 +#define SYS_EXIT_PREAD64 764 +#define SYS_ENTER_PWRITE64 763 +#define SYS_EXIT_PWRITE64 762 +#define SYS_ENTER_FTRUNCATE 743 +#define SYS_EXIT_FTRUNCATE 742 +#define SYS_ENTER_FACCESSAT 739 +#define SYS_EXIT_FACCESSAT 738 +#define SYS_ENTER_FACCESSAT2 737 +#define SYS_EXIT_FACCESSAT2 736 +#define SYS_ENTER_ACCESS 735 +#define SYS_EXIT_ACCESS 734 +#define SYS_ENTER_CHDIR 733 +#define SYS_EXIT_CHDIR 732 +#define SYS_ENTER_FCHDIR 731 +#define SYS_EXIT_FCHDIR 730 +#define SYS_ENTER_CHROOT 729 +#define SYS_EXIT_CHROOT 728 +#define SYS_ENTER_FCHMOD 727 +#define SYS_EXIT_FCHMOD 726 +#define SYS_ENTER_FCHMODAT2 725 +#define SYS_EXIT_FCHMODAT2 724 +#define SYS_ENTER_FCHMODAT 723 +#define SYS_EXIT_FCHMODAT 722 +#define SYS_ENTER_CHMOD 721 +#define SYS_EXIT_CHMOD 720 +#define SYS_ENTER_FCHOWNAT 719 +#define SYS_EXIT_FCHOWNAT 718 +#define SYS_ENTER_CHOWN 717 +#define SYS_EXIT_CHOWN 716 +#define SYS_ENTER_LCHOWN 715 +#define SYS_EXIT_LCHOWN 714 +#define SYS_ENTER_FCHOWN 713 +#define SYS_EXIT_FCHOWN 712 +#define SYS_ENTER_OPEN 711 +#define SYS_EXIT_OPEN 710 +#define SYS_ENTER_OPENAT 709 +#define SYS_EXIT_OPENAT 708 +#define SYS_ENTER_OPENAT2 707 +#define SYS_EXIT_OPENAT2 706 +#define SYS_ENTER_CREAT 705 +#define SYS_EXIT_CREAT 704 +#define SYS_ENTER_CLOSE 703 +#define SYS_EXIT_CLOSE 702 +#define SYS_ENTER_CLOSE_RANGE 701 +#define SYS_EXIT_CLOSE_RANGE 700 
+#define SYS_ENTER_CACHESTAT 528 +#define SYS_EXIT_CACHESTAT 527 -SEC("tracepoint/syscalls/sys_exit_cachestat") -int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_enter_io_uring_enter") +int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_io_uring_enter") +int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -118,18 +181,18 @@ int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CACHESTAT; + ev->trace_id = SYS_EXIT_IO_URING_ENTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_cachestat") -int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_io_uring_register") +int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -139,7 +202,7 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CACHESTAT; + ev->trace_id = SYS_ENTER_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -149,8 +212,8 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_close_range") -int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_io_uring_register") +int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -160,18 +223,18 @@ int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->trace_id = SYS_EXIT_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_close_range") -int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_quotactl_fd") +int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -181,7 +244,7 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE_RANGE; + ev->trace_id = SYS_ENTER_QUOTACTL_FD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -191,8 +254,8 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_close") -int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_quotactl_fd") +int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -202,18 +265,18 @@ int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE; + ev->trace_id = SYS_EXIT_QUOTACTL_FD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_close") -int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_flock") +int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -223,7 +286,7 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE; + ev->trace_id = SYS_ENTER_FLOCK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -233,8 +296,8 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_creat") -int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_flock") +int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -244,18 +307,18 @@ int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CREAT; + ev->trace_id = SYS_EXIT_FLOCK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_creat") -int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -265,7 +328,93 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CREAT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + 
ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -276,8 +425,8 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fchown") -int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_statfs") +int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -287,18 +436,18 @@ int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWN; + ev->trace_id = SYS_EXIT_STATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchown") -int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fstatfs") +int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -308,7 +457,7 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHOWN; + ev->trace_id = SYS_ENTER_FSTATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -318,8 +467,8 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fchmod") -int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fstatfs") +int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -329,39 +478,41 @@ int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMOD; + ev->trace_id = SYS_EXIT_FSTATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchmod") -int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_utimensat") +int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHMOD; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fchdir") -int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_utimensat") +int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -371,18 +522,62 @@ int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHDIR; + ev->trace_id = SYS_EXIT_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchdir") -int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_futimesat") +int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_futimesat") +int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fsync") +int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -392,7 +587,7 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHDIR; + ev->trace_id = SYS_ENTER_FSYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -402,8 +597,8 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_ftruncate") -int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fsync") +int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -413,18 +608,18 @@ int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FTRUNCATE; + ev->trace_id = SYS_EXIT_FSYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_ftruncate") -int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fdatasync") +int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -434,7 +629,7 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FTRUNCATE; + ev->trace_id = SYS_ENTER_FDATASYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -444,8 +639,8 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_copy_file_range") -int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fdatasync") +int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -455,39 +650,40 @@ int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_COPY_FILE_RANGE; + ev->trace_id = SYS_EXIT_FDATASYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_copy_file_range") -int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_COPY_FILE_RANGE; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_pwrite64") -int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_setxattr") +int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -497,39 +693,40 @@ int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITE64; + ev->trace_id = SYS_EXIT_SETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_pwrite64") -int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITE64; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_pread64") -int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -539,18 +736,320 @@ int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREAD64; + ev->trace_id = SYS_EXIT_LSETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_pread64") -int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + 
ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct 
trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_open_tree") +int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + 
bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_open_tree") +int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getdents") +int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -560,7 +1059,7 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PREAD64; + ev->trace_id = SYS_ENTER_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -570,8 +1069,8 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_write") -int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents") +int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -581,18 +1080,18 @@ int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_WRITE; + ev->trace_id = SYS_EXIT_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_write") -int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getdents64") +int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -602,7 +1101,7 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_WRITE; + ev->trace_id = SYS_ENTER_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -612,8 +1111,8 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_read") -int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents64") +int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -623,18 +1122,18 @@ int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READ; + ev->trace_id = SYS_EXIT_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_read") -int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_ioctl") +int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -644,7 +1143,7 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READ; + ev->trace_id = SYS_ENTER_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -654,8 +1153,8 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_lseek") -int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -665,18 +1164,18 @@ int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSEEK; + ev->trace_id = SYS_EXIT_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lseek") -int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -686,7 +1185,7 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_LSEEK; + ev->trace_id = SYS_ENTER_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -696,8 +1195,8 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_readlinkat") -int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -707,18 +1206,106 @@ int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READLINKAT; + ev->trace_id = SYS_EXIT_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_readlinkat") -int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mknodat") +int handle_sys_enter_mknodat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknodat") +int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mknod") +int handle_sys_enter_mknod(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknod") +int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -728,7 +1315,7 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_READLINKAT; + ev->trace_id = SYS_ENTER_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -739,8 +1326,8 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_newfstat") -int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -750,39 +1337,40 @@ int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->trace_id = SYS_EXIT_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_newfstat") -int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_rename") -int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -792,18 +1380,147 @@ int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAME; + ev->trace_id = SYS_EXIT_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_rename") -int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, 
&tid)) return 0; @@ -813,20 +1530,20 @@ int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAME; + ev->trace_id = SYS_ENTER_SYMLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_renameat") -int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -836,18 +1553,18 @@ int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT; + ev->trace_id = SYS_EXIT_SYMLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_renameat") -int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -857,20 +1574,20 @@ int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT; + ev->trace_id = SYS_ENTER_SYMLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_renameat2") -int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -880,18 +1597,18 @@ int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT2; + ev->trace_id = SYS_EXIT_SYMLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_renameat2") -int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -901,7 +1618,7 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT2; + ev->trace_id = SYS_ENTER_LINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -913,8 +1630,8 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_link") -int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_linkat") +int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -924,11 +1641,11 @@ int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINK; + ev->trace_id = SYS_EXIT_LINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; @@ -957,8 +1674,8 @@ int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_linkat") -int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -968,18 +1685,18 @@ int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINKAT; + ev->trace_id = SYS_EXIT_LINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_linkat") -int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -989,7 +1706,7 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINKAT; + ev->trace_id = SYS_ENTER_RENAMEAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1001,8 +1718,8 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_symlink") -int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1012,18 +1729,18 @@ int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINK; + ev->trace_id = SYS_EXIT_RENAMEAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_symlink") -int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1033,20 +1750,20 @@ int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINK; + ev->trace_id = SYS_ENTER_RENAMEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_symlinkat") -int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1056,18 +1773,18 @@ int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINKAT; + ev->trace_id = SYS_EXIT_RENAMEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_symlinkat") -int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1077,20 +1794,20 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINKAT; + ev->trace_id = SYS_ENTER_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_unlink") -int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1100,40 +1817,41 @@ int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINK; + ev->trace_id = SYS_EXIT_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_unlink") -int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execve") +int handle_sys_enter_execve(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_unlinkat") -int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_execve") +int handle_sys_exit_execve(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1143,40 +1861,41 @@ int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINKAT; + ev->trace_id = SYS_EXIT_EXECVE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_unlinkat") -int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execveat") +int handle_sys_enter_execveat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINKAT; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_rmdir") -int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_execveat") +int handle_sys_exit_execveat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1186,40 +1905,41 @@ int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RMDIR; + ev->trace_id = SYS_EXIT_EXECVEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_rmdir") -int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newstat") +int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_RMDIR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mkdir") -int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_newstat") +int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1229,40 +1949,41 @@ int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIR; + ev->trace_id = SYS_EXIT_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mkdir") -int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newlstat") +int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mkdirat") -int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_newlstat") +int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1272,18 +1993,104 @@ int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_MKDIRAT;
+ ev->trace_id = SYS_EXIT_NEWLSTAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_mkdirat")
-int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_newfstatat")
+int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_NEWFSTATAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_newfstatat")
+int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NEWFSTATAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_newfstat")
+int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_NEWFSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->fd = (__s32)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_newfstat")
+int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NEWFSTAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_readlinkat")
+int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1293,7 +2100,7 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 
 ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_MKDIRAT;
+ ev->trace_id = SYS_ENTER_READLINKAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
@@ -1304,8 +2111,8 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_fcntl")
-int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_readlinkat")
+int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1315,39 +2122,41 @@ int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FCNTL;
+ ev->trace_id = SYS_EXIT_READLINKAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_fcntl")
-int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_statx")
+int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FCNTL;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_STATX;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->fd = (__s32)ctx->args[0];
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_ioctl")
-int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_statx")
+int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1357,18 +2166,18 @@ int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_IOCTL;
+ ev->trace_id = SYS_EXIT_STATX;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_ioctl")
-int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_lseek")
+int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1378,7 +2187,7 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 
 ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_IOCTL;
+ ev->trace_id = SYS_ENTER_LSEEK;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
@@ -1388,8 +2197,8 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_getdents64")
-int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_lseek")
+int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1399,18 +2208,18 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETDENTS64;
+ ev->trace_id = SYS_EXIT_LSEEK;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_getdents64")
-int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_read")
+int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1420,7 +2229,7 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 
 ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_GETDENTS64;
+ ev->trace_id = SYS_ENTER_READ;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
@@ -1430,8 +2239,8 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_getdents")
-int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_read")
+int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1441,18 +2250,18 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETDENTS;
+ ev->trace_id = SYS_EXIT_READ;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_getdents")
-int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1462,7 +2271,7 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 
 ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_GETDENTS;
+ ev->trace_id = SYS_ENTER_WRITE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
@@ -1472,8 +2281,8 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_lremovexattr")
-int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1483,40 +2292,39 @@ int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LREMOVEXATTR;
+ ev->trace_id = SYS_EXIT_WRITE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_lremovexattr")
-int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_pread64")
+int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LREMOVEXATTR;
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PREAD64;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ ev->fd = (__s32)ctx->args[0];
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_removexattr")
-int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_pread64")
+int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1526,40 +2334,39 @@ int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_REMOVEXATTR;
+ ev->trace_id = SYS_EXIT_PREAD64;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_removexattr")
-int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_pwrite64")
+int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_REMOVEXATTR;
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_PWRITE64;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ ev->fd = (__s32)ctx->args[0];
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_llistxattr")
-int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_pwrite64")
+int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1569,40 +2376,39 @@ int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LLISTXATTR;
+ ev->trace_id = SYS_EXIT_PWRITE64;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_llistxattr")
-int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_ftruncate")
+int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LLISTXATTR;
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FTRUNCATE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ ev->fd = (__s32)ctx->args[0];
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_listxattr")
-int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_ftruncate")
+int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1612,40 +2418,41 @@ int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LISTXATTR;
+ ev->trace_id = SYS_EXIT_FTRUNCATE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_listxattr")
-int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_faccessat")
+int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LISTXATTR;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_FACCESSAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_lgetxattr")
-int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_faccessat")
+int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1655,40 +2462,41 @@ int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LGETXATTR;
+ ev->trace_id = SYS_EXIT_FACCESSAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_lgetxattr")
-int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_faccessat2")
+int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LGETXATTR;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_FACCESSAT2;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_getxattr")
-int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_faccessat2")
+int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1698,40 +2506,41 @@ int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_GETXATTR;
+ ev->trace_id = SYS_EXIT_FACCESSAT2;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_getxattr")
-int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_access")
+int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_GETXATTR;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_ACCESS;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_lsetxattr")
-int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_access")
+int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1741,40 +2550,41 @@ int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_LSETXATTR;
+ ev->trace_id = SYS_EXIT_ACCESS;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_lsetxattr")
-int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_chdir")
+int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_LSETXATTR;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_CHDIR;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_setxattr")
-int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_chdir")
+int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1784,40 +2594,39 @@ int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SETXATTR;
+ ev->trace_id = SYS_EXIT_CHDIR;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_setxattr")
-int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_fchdir")
+int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_SETXATTR;
+ ev->event_type = ENTER_FD_EVENT;
+ ev->trace_id = SYS_ENTER_FCHDIR;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ ev->fd = (__s32)ctx->args[0];
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_sync_file_range")
-int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_fchdir")
+int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1827,39 +2636,41 @@ int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE;
+ ev->trace_id = SYS_EXIT_FCHDIR;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_sync_file_range")
-int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_chroot")
+int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_CHROOT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
-
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_fdatasync")
-int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_chroot")
+int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1869,18 +2680,18 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FDATASYNC;
+ ev->trace_id = SYS_EXIT_CHROOT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_fdatasync")
-int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_fchmod")
+int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1890,7 +2701,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 
 ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FDATASYNC;
+ ev->trace_id = SYS_ENTER_FCHMOD;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
@@ -1900,8 +2711,8 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_fsync")
-int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_fchmod")
+int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1911,39 +2722,41 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSYNC;
+ ev->trace_id = SYS_EXIT_FCHMOD;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_fsync")
-int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_fchmodat2")
+int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FSYNC;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_FCHMODAT2;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->fd = (__s32)ctx->args[0];
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_fstatfs")
-int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_fchmodat2")
+int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1953,39 +2766,41 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_FSTATFS;
+ ev->trace_id = SYS_EXIT_FCHMODAT2;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_fstatfs")
-int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_fchmodat")
+int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_FD_EVENT;
- ev->trace_id = SYS_ENTER_FSTATFS;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_FCHMODAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->fd = (__s32)ctx->args[0];
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_statfs")
-int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_fchmodat")
+int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -1995,40 +2810,41 @@ int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_STATFS;
+ ev->trace_id = SYS_EXIT_FCHMODAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_statfs")
-int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_chmod")
+int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_STATFS;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_CHMOD;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch")
-int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_chmod")
+int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -2038,39 +2854,41 @@ int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH;
+ ev->trace_id = SYS_EXIT_CHMOD;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch")
-int handle_sys_enter_inotify_rm_watch(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_fchownat")
+int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_NULL_EVENT;
- ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_FCHOWNAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
-
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_inotify_add_watch")
-int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_fchownat")
+int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -2080,40 +2898,41 @@ int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) {
 return 0;
 
 ev->event_type = EXIT_RET_EVENT;
- ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH;
+ ev->trace_id = SYS_EXIT_FCHOWNAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- ev->ret = ctx->ret;
+ ev->ret = ctx->ret;
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_enter_inotify_add_watch")
-int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_chown")
+int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
 
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0);
 if (!ev)
 return 0;
 
- ev->event_type = ENTER_PATH_EVENT;
- ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH;
+ ev->event_type = ENTER_OPEN_EVENT;
+ ev->trace_id = SYS_ENTER_CHOWN;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_ns() / 1000;
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
 
 bpf_ringbuf_submit(ev, 0);
 return 0;
 }
 
-SEC("tracepoint/syscalls/sys_exit_fanotify_mark")
-int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) {
+SEC("tracepoint/syscalls/sys_exit_chown")
+int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) {
 __u32 pid, tid;
 if (filter(&pid, &tid))
 return 0;
@@ -2123,40 +2942,41 @@ int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->trace_id = SYS_EXIT_CHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fanotify_mark") -int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lchown") +int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_flock") -int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lchown") +int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2166,18 +2986,18 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLOCK; + ev->trace_id = SYS_EXIT_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_flock") -int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchown") +int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2187,7 +3007,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLOCK; + ev->trace_id = SYS_ENTER_FCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -2197,8 +3017,8 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_quotactl_fd") -int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchown") +int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2208,39 +3028,41 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->trace_id = SYS_EXIT_FCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_quotactl_fd") -int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_open") +int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mq_unlink") -int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_open") +int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2250,39 +3072,41 @@ int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MQ_UNLINK; + ev->trace_id = SYS_EXIT_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mq_unlink") -int handle_sys_enter_mq_unlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_MQ_UNLINK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_io_uring_register") -int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2292,18 +3116,105 @@ int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_REGISTER; + ev->trace_id = SYS_EXIT_OPENAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_io_uring_register") -int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat2") +int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_openat2") +int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + 
+ ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_close") +int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2313,7 +3224,7 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_REGISTER; + ev->trace_id = SYS_ENTER_CLOSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -2323,8 +3234,8 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_io_uring_enter") -int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_close") +int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2334,18 +3245,18 @@ int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_ENTER; + ev->trace_id = SYS_EXIT_CLOSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_io_uring_enter") -int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_close_range") +int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2355,7 +3266,7 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->trace_id = SYS_ENTER_CLOSE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -2365,4 +3276,67 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_close_range") +int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_cachestat") +int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_cachestat") +int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + |
