| author | Paul Buetow <paul@buetow.org> | 2026-05-19 10:12:32 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-19 10:12:32 +0300 |
| commit | 127516b4bf63dc922df222825a9a6a1d7eacc214 (patch) | |
| tree | 3839a2f6a7f4f1bc713690678fc003d4e2be8a8c /internal/c | |
| parent | 32a19cf9fb1344c9b1a61054d7cf2c90edc3708a (diff) | |
u6: add socket/socketpair kind scaffolding and wiring
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 25 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 4 | ||||
| -rw-r--r-- | internal/c/types.h | 28 |
3 files changed, 49 insertions, 8 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 980f91d..0974d77 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -736,22 +736,25 @@ #define SYS_ENTER_RT_SIGRETURN 57 #define SYS_EXIT_RT_SIGRETURN 56 -/// sys_enter_socket is a struct null_event +/// sys_enter_socket is a struct socket_event SEC("tracepoint/syscalls/sys_enter_socket") int handle_sys_enter_socket(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct socket_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socket_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_SOCKET_EVENT; ev->trace_id = SYS_ENTER_SOCKET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->family = (__s32)ctx->args[0]; + ev->type = (__s32)ctx->args[1]; + ev->protocol = (__s32)ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -780,22 +783,32 @@ int handle_sys_exit_socket(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_socketpair is a struct null_event +/// sys_enter_socketpair is a struct socketpair_event SEC("tracepoint/syscalls/sys_enter_socketpair") int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_SOCKETPAIR_EVENT; ev->trace_id = SYS_ENTER_SOCKETPAIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + int sv[2]; + __builtin_memset(&sv, 0xff, sizeof(sv)); + if (ctx->args[3] != 0) { + bpf_probe_read_user(&sv, sizeof(sv), (void *)ctx->args[3]); + } + ev->family = (__s32)ctx->args[0]; + ev->type = (__s32)ctx->args[1]; + ev->protocol = (__s32)ctx->args[2]; + ev->sv0 = (__s32)sv[0]; + ev->sv1 = (__s32)sv[1]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index ea4f2d1..2d6e54c 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -316,8 +316,8 @@ sys_enter_shutdown is a struct fd_event sys_enter_sigaltstack is a struct null_event sys_enter_signalfd is a struct null_event sys_enter_signalfd4 is a struct null_event -sys_enter_socket is a struct null_event -sys_enter_socketpair is a struct null_event +sys_enter_socket is a struct socket_event +sys_enter_socketpair is a struct socketpair_event sys_enter_splice is a struct null_event sys_enter_statfs is a struct path_event sys_enter_statmount is a struct null_event diff --git a/internal/c/types.h b/internal/c/types.h index 18ffe6a..ddb2dca 100644 --- a/internal/c/types.h +++ b/internal/c/types.h 
@@ -21,6 +21,10 @@
 #define EXIT_DUP3_EVENT 16
 #define ENTER_OPEN_BY_HANDLE_AT_EVENT 17
 #define EXIT_OPEN_BY_HANDLE_AT_EVENT 18
+#define ENTER_SOCKET_EVENT 19
+#define EXIT_SOCKET_EVENT 20
+#define ENTER_SOCKETPAIR_EVENT 21
+#define EXIT_SOCKETPAIR_EVENT 22
 #define UNCLASSIFIED 0
 #define READ_CLASSIFIED 1
@@ -114,3 +118,27 @@ struct open_by_handle_at_event {
 __u32 tid;
 __s32 flags;
 };
+
+struct socket_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 family;
+ __s32 type;
+ __s32 protocol;
+};
+
+struct socketpair_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 family;
+ __s32 type;
+ __s32 protocol;
+ __s32 sv0;
+ __s32 sv1;
+}; |
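Review bot: Both structs added in the second types.h hunk carry 4 bytes of implicit tail padding: the named fields total 36 and 44 bytes, and the `__u64 time` member forces 8-byte alignment, so `sizeof` is 40 and 48. The handlers in generated_tracepoints.c reserve `sizeof(struct socket_event)` and `sizeof(struct socketpair_event)` from the ring buffer and assign only the named fields, so those 4 bytes are submitted unwritten and may hold stale bytes from an earlier record, and the userspace decoder has to expect the padded sizes. I would make the padding explicit with `__u32 pad;` as the last member of each struct and have the generator emit `ev->pad = 0;`. Separately, `sv0`/`sv1` are filled in the sys_enter_socketpair handler, before the kernel has written the descriptor pair, so they hold the caller's pre-call buffer contents rather than the new fds; a comment on the two fields should say so, or the fields belong on the exit event.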
