| author | Paul Buetow <paul@buetow.org> | 2026-05-21 17:43:18 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-21 17:43:18 +0300 |
| commit | 11394edddbb8f02208edb18e06ae40b6912742f4 (patch) | |
| tree | 6008d4ae3551a24d8f412d4710dad78c6d650fd7 /internal/c | |
| parent | 8b38c88cc86adb9240473523c59d9b4a83f5437d (diff) | |
e7 classify acct pathname and misc null syscalls
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 8 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 2 |
2 files changed, 6 insertions, 4 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 78f29c7..f1602e5 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -13488,7 +13488,7 @@ int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_acct is a struct null_event (kind=null) +/// sys_enter_acct is a struct path_event (kind=pathname) SEC("tracepoint/syscalls/sys_enter_acct") int handle_sys_enter_acct(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -13498,15 +13498,17 @@ int handle_sys_enter_acct(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCT)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_PATH_EVENT; ev->trace_id = SYS_ENTER_ACCT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 43b33d5..5c13a75 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -1,7 +1,7 @@ sys_enter_accept is a struct accept_event (kind=accept) sys_enter_accept4 is a struct accept_event (kind=accept) sys_enter_access is a struct path_event (kind=pathname) -sys_enter_acct is a struct null_event (kind=null) +sys_enter_acct is a struct path_event (kind=pathname) sys_enter_add_key is a struct keyctl_event (kind=keyctl) sys_enter_adjtimex is a struct null_event (kind=null) sys_enter_alarm is a struct null_event (kind=null) |
