authorPaul Buetow <paul@buetow.org>2024-02-23 11:02:16 +0200
committerPaul Buetow <paul@buetow.org>2024-02-23 11:02:16 +0200
commit2427ed2b058d057882ca6280c5365a49234e322a (patch)
tree1b3a4a3d9480ed244ec00ce2f203f9a392f7ee72 /internal/c
parentaa3b3a508cd9ca6717245376bc01b1a89bfbef91 (diff)
initial RwEvent (read-write event) returning size
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/tracepoints/close.c2
-rw-r--r--internal/c/tracepoints/write.c5
-rw-r--r--internal/c/types.h8
3 files changed, 12 insertions, 3 deletions
diff --git a/internal/c/tracepoints/close.c b/internal/c/tracepoints/close.c
index 199a6fa..f98b39c 100644
--- a/internal/c/tracepoints/close.c
+++ b/internal/c/tracepoints/close.c
@@ -21,7 +21,7 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
}
SEC("tracepoint/syscalls/sys_exit_close")
-int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+int handle_exit_close(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
diff --git a/internal/c/tracepoints/write.c b/internal/c/tracepoints/write.c
index 7caff5d..b79ae92 100644
--- a/internal/c/tracepoints/write.c
+++ b/internal/c/tracepoints/write.c
@@ -21,12 +21,12 @@ int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
}
SEC("tracepoint/syscalls/sys_exit_write")
-int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+int handle_exit_write(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct rw_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct rw_event), 0);
if (!ev)
return 0;
@@ -35,6 +35,7 @@ int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
ev->tid = tid;
ev->time = bpf_ktime_get_ns();
+ ev->size = ctx->ret;
bpf_ringbuf_submit(ev, 0);
return 0;
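Review bot: `ev->size = ctx->ret;` copies the raw syscall return value, so for a failed write the field named `size` holds a negative errno rather than a byte count. The `__s64` type preserves the sign, but nothing in the hunk says so, and a consumer that sums `size` as bytes written would silently subtract error codes. I would document the contract on the assignment, for example `/* bytes written, or -errno if the write failed */`, and state the same on the struct field. handle_exit_write begins in the previous hunk and its closing brace lies outside this one.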
diff --git a/internal/c/types.h b/internal/c/types.h
index a2d3b4b..b62c19a 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -31,6 +31,14 @@ struct fd_event {
__s32 fd;
};
+struct rw_event {
+ __u32 op_id;
+ __u32 pid;
+ __u32 tid;
+ __u64 time;
+ __s64 size;
+};
+
struct open_enter_event {
__u32 op_id;
char filename[MAX_FILENAME_LENGTH];
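Review bot: `struct rw_event` has an implicit 4-byte hole between `tid` and `time`, because three `__u32` members precede a `__u64` that is 8-byte aligned. The handler in write.c fills the record member by member after `bpf_ringbuf_reserve()`, which does not zero the reservation, so those padding bytes reach user space with whatever the slot held before. The decoder on the other side (not visible here) also has to assume the same offsets. Making the hole explicit, with `__u32 pad;` after `tid` set to 0 in the handler, keeps the layout self-describing and the record fully initialised. A short comment on the struct stating that it is shared with the user-space reader and must keep this layout would help too.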