diff options
| author | Paul Buetow <paul@buetow.org> | 2026-05-18 14:14:33 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-18 14:14:33 +0300 |
| commit | 519cd996b5a7fede23b8b23f3c101d10b26111de (patch) | |
| tree | 93f14954325e936d459003f334b667d2afec93b6 /internal/c | |
| parent | d68e12c92f2aec9b59a849480e0788ab5d798b2a (diff) | |
k6: emit tracepoints for all syscall families
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 12219 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 750 |
2 files changed, 12248 insertions, 721 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 1633966..be6606d 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -1,490 +1,1592 @@ // Code generated - don't change manually! -/// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related -/// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related -/// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related -/// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related -/// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related -/// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related -/// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related -/// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related -/// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related -/// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related -/// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related -/// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related -/// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related -/// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related -/// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related -/// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related -/// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related -/// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related -/// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related -/// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related -/// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related -/// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related -/// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related -/// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related -/// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related -/// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related -/// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related -/// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related -/// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related -/// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related -/// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related -/// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related -/// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related -/// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related -/// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related -/// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related -/// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related -/// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related -/// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related -/// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related -/// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related -/// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related -/// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related -/// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related -/// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related -/// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related -/// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related -/// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related -/// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related -/// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related -/// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related -/// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related -/// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related -/// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related -/// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related -/// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related -/// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related -/// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related -/// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related -/// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related -/// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related -/// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related -/// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related -/// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related -/// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related -/// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related -/// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related -/// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related -/// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related -/// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related -/// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related -/// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related -/// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related -/// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related -/// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related -/// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related -/// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related -/// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related -/// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related -/// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related -/// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related -/// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related -/// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related -/// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related -/// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related -/// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related -/// Ignoring sys_enter_listns sys_exit_listns as possibly not file I/O related -/// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related -/// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related -/// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related -/// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related -/// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related -/// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related -/// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related -/// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related -/// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related -/// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related -/// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related -/// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related -/// Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related -/// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related -/// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related -/// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related -/// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related -/// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related -/// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related -/// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related -/// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related -/// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related -/// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related -/// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related -/// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related -/// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related -/// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related -/// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related -/// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related -/// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related -/// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related -/// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related -/// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related -/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related -/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related -/// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related -/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related -/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related -/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related -/// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related -/// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related -/// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related -/// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related -/// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related -/// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related -/// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related -/// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related -/// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related -/// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related -/// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related -/// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related -/// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related -/// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related -/// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related -/// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related -/// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related -/// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related -/// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related -/// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related -/// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related -/// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related -/// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related -/// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related -/// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related -/// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related -/// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related -/// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related -/// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related -/// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related -/// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related -/// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related -/// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related -/// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related -/// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related -/// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related -/// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related -/// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related -/// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related -/// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related -/// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related -/// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related -/// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related -/// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related -/// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related -/// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related -/// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related -/// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related -/// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related -/// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related -/// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related -/// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related -/// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related -/// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related -/// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related -/// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related -/// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related -/// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related -/// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related -/// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related -/// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related -/// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related -/// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related -/// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related -/// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related -/// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related -/// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related -/// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related -/// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related -/// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related -/// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related -/// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related -/// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related -/// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related -/// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related -/// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related -/// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related -/// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related -/// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related -/// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related -/// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related -/// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related -/// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related -/// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related -/// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related -/// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related -/// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related -/// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related -/// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related -/// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related -/// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related -/// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related -/// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related -/// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related -/// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related -/// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related -/// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related -/// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related -/// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related -/// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related -/// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related -/// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related -/// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related -/// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related -/// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related -/// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related -/// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related -/// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related -/// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related -/// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related -/// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related -/// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related -/// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related -/// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related -/// Ignoring sys_enter_uprobe sys_exit_uprobe as possibly not file I/O related -/// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related -/// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related -/// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related -/// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related -/// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related -/// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related -/// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related -/// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related -/// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related - -#define SYS_ENTER_IO_URING_REGISTER 1521 -#define SYS_EXIT_IO_URING_REGISTER 1520 -#define SYS_ENTER_IO_URING_ENTER 1502 -#define SYS_EXIT_IO_URING_ENTER 1501 -#define SYS_ENTER_IO_URING_SETUP 1500 -#define SYS_EXIT_IO_URING_SETUP 1499 -#define SYS_ENTER_QUOTACTL_FD 1155 -#define SYS_EXIT_QUOTACTL_FD 1154 -#define SYS_ENTER_NAME_TO_HANDLE_AT 1139 -#define SYS_EXIT_NAME_TO_HANDLE_AT 1138 -#define SYS_ENTER_OPEN_BY_HANDLE_AT 1137 -#define SYS_EXIT_OPEN_BY_HANDLE_AT 1136 -#define SYS_ENTER_FLOCK 1123 -#define SYS_EXIT_FLOCK 1122 -#define SYS_ENTER_IO_SETUP 1109 -#define SYS_EXIT_IO_SETUP 1108 -#define SYS_ENTER_IO_DESTROY 1107 -#define SYS_EXIT_IO_DESTROY 1106 -#define SYS_ENTER_IO_SUBMIT 1105 -#define SYS_EXIT_IO_SUBMIT 1104 -#define SYS_ENTER_IO_CANCEL 1103 -#define SYS_EXIT_IO_CANCEL 1102 -#define SYS_ENTER_IO_GETEVENTS 1101 -#define SYS_EXIT_IO_GETEVENTS 1100 -#define SYS_ENTER_IO_PGETEVENTS 1099 -#define SYS_EXIT_IO_PGETEVENTS 1098 -#define SYS_ENTER_FANOTIFY_MARK 1067 -#define SYS_EXIT_FANOTIFY_MARK 1066 -#define SYS_ENTER_FILE_GETATTR 1057 -#define SYS_EXIT_FILE_GETATTR 1056 -#define SYS_ENTER_FILE_SETATTR 1055 -#define SYS_EXIT_FILE_SETATTR 1054 -#define SYS_ENTER_FSPICK 1051 -#define SYS_EXIT_FSPICK 1050 -#define SYS_ENTER_FSCONFIG 1049 -#define SYS_EXIT_FSCONFIG 1048 -#define SYS_ENTER_STATFS 1047 -#define SYS_EXIT_STATFS 1046 -#define SYS_ENTER_FSTATFS 1045 -#define SYS_EXIT_FSTATFS 1044 -#define SYS_ENTER_GETCWD 1041 -#define SYS_EXIT_GETCWD 1040 -#define SYS_ENTER_UTIMENSAT 1039 -#define SYS_EXIT_UTIMENSAT 1038 -#define SYS_ENTER_FUTIMESAT 1037 -#define SYS_EXIT_FUTIMESAT 1036 -#define SYS_ENTER_SYNC 1031 -#define SYS_EXIT_SYNC 1030 -#define SYS_ENTER_SYNCFS 1029 -#define SYS_EXIT_SYNCFS 1028 -#define SYS_ENTER_FSYNC 1027 -#define SYS_EXIT_FSYNC 1026 -#define SYS_ENTER_FDATASYNC 1025 -#define SYS_EXIT_FDATASYNC 1024 -#define SYS_ENTER_SYNC_FILE_RANGE 1023 -#define SYS_EXIT_SYNC_FILE_RANGE 1022 -#define SYS_ENTER_VMSPLICE 1021 -#define SYS_EXIT_VMSPLICE 1020 -#define SYS_ENTER_SETXATTRAT 982 -#define SYS_EXIT_SETXATTRAT 981 -#define SYS_ENTER_SETXATTR 980 -#define SYS_EXIT_SETXATTR 979 -#define SYS_ENTER_LSETXATTR 978 -#define SYS_EXIT_LSETXATTR 977 -#define SYS_ENTER_FSETXATTR 976 -#define SYS_EXIT_FSETXATTR 975 -#define SYS_ENTER_GETXATTRAT 974 -#define SYS_EXIT_GETXATTRAT 973 -#define SYS_ENTER_GETXATTR 972 -#define SYS_EXIT_GETXATTR 971 -#define SYS_ENTER_LGETXATTR 970 -#define SYS_EXIT_LGETXATTR 969 -#define SYS_ENTER_FGETXATTR 968 -#define SYS_EXIT_FGETXATTR 967 -#define SYS_ENTER_LISTXATTRAT 966 -#define SYS_EXIT_LISTXATTRAT 965 -#define SYS_ENTER_LISTXATTR 964 -#define SYS_EXIT_LISTXATTR 963 -#define SYS_ENTER_LLISTXATTR 962 -#define SYS_EXIT_LLISTXATTR 961 -#define SYS_ENTER_FLISTXATTR 960 -#define SYS_EXIT_FLISTXATTR 959 -#define SYS_ENTER_REMOVEXATTRAT 958 -#define SYS_EXIT_REMOVEXATTRAT 957 -#define SYS_ENTER_REMOVEXATTR 956 -#define SYS_EXIT_REMOVEXATTR 955 -#define SYS_ENTER_LREMOVEXATTR 954 -#define SYS_EXIT_LREMOVEXATTR 953 -#define SYS_ENTER_FREMOVEXATTR 952 -#define SYS_EXIT_FREMOVEXATTR 951 -#define SYS_ENTER_OPEN_TREE 948 -#define SYS_EXIT_OPEN_TREE 947 -#define SYS_ENTER_MOUNT_SETATTR 938 -#define SYS_EXIT_MOUNT_SETATTR 937 -#define SYS_ENTER_OPEN_TREE_ATTR 936 -#define SYS_EXIT_OPEN_TREE_ATTR 935 -#define SYS_ENTER_CLOSE_RANGE 928 -#define SYS_EXIT_CLOSE_RANGE 927 -#define SYS_ENTER_DUP3 926 -#define SYS_EXIT_DUP3 925 -#define SYS_ENTER_DUP2 924 -#define SYS_EXIT_DUP2 923 -#define SYS_ENTER_DUP 922 -#define SYS_EXIT_DUP 921 -#define SYS_ENTER_GETDENTS 908 -#define SYS_EXIT_GETDENTS 907 -#define SYS_ENTER_GETDENTS64 906 -#define SYS_EXIT_GETDENTS64 905 -#define SYS_ENTER_IOCTL 904 -#define SYS_EXIT_IOCTL 903 -#define SYS_ENTER_FCNTL 902 -#define SYS_EXIT_FCNTL 901 -#define SYS_ENTER_MKDIRAT 896 -#define SYS_EXIT_MKDIRAT 895 -#define SYS_ENTER_MKDIR 894 -#define SYS_EXIT_MKDIR 893 -#define SYS_ENTER_RMDIR 892 -#define SYS_EXIT_RMDIR 891 -#define SYS_ENTER_UNLINKAT 890 -#define SYS_EXIT_UNLINKAT 889 -#define SYS_ENTER_UNLINK 888 -#define SYS_EXIT_UNLINK 887 -#define SYS_ENTER_SYMLINKAT 886 -#define SYS_EXIT_SYMLINKAT 885 -#define SYS_ENTER_SYMLINK 884 -#define SYS_EXIT_SYMLINK 883 -#define SYS_ENTER_LINKAT 882 -#define SYS_EXIT_LINKAT 881 -#define SYS_ENTER_LINK 880 -#define SYS_EXIT_LINK 879 -#define SYS_ENTER_RENAMEAT2 878 -#define SYS_EXIT_RENAMEAT2 877 -#define SYS_ENTER_RENAMEAT 876 -#define SYS_EXIT_RENAMEAT 875 -#define SYS_ENTER_RENAME 874 -#define SYS_EXIT_RENAME 873 -#define SYS_ENTER_NEWSTAT 864 -#define SYS_EXIT_NEWSTAT 863 -#define SYS_ENTER_NEWLSTAT 862 -#define SYS_EXIT_NEWLSTAT 861 -#define SYS_ENTER_NEWFSTATAT 860 -#define SYS_EXIT_NEWFSTATAT 859 -#define SYS_ENTER_NEWFSTAT 858 -#define SYS_EXIT_NEWFSTAT 857 -#define SYS_ENTER_READLINKAT 856 -#define SYS_EXIT_READLINKAT 855 -#define SYS_ENTER_READLINK 854 -#define SYS_EXIT_READLINK 853 -#define SYS_ENTER_STATX 852 -#define SYS_EXIT_STATX 851 -#define SYS_ENTER_LSEEK 850 -#define SYS_EXIT_LSEEK 849 -#define SYS_ENTER_READ 848 -#define SYS_EXIT_READ 847 -#define SYS_ENTER_WRITE 846 -#define SYS_EXIT_WRITE 845 -#define SYS_ENTER_PREAD64 844 -#define SYS_EXIT_PREAD64 843 -#define SYS_ENTER_PWRITE64 842 -#define SYS_EXIT_PWRITE64 841 -#define SYS_ENTER_READV 840 -#define SYS_EXIT_READV 839 -#define SYS_ENTER_WRITEV 838 -#define SYS_EXIT_WRITEV 837 -#define SYS_ENTER_PREADV 836 -#define SYS_EXIT_PREADV 835 -#define SYS_ENTER_PREADV2 834 -#define SYS_EXIT_PREADV2 833 -#define SYS_ENTER_PWRITEV 832 -#define SYS_EXIT_PWRITEV 831 -#define SYS_ENTER_PWRITEV2 830 -#define SYS_EXIT_PWRITEV2 829 -#define SYS_ENTER_COPY_FILE_RANGE 826 -#define SYS_EXIT_COPY_FILE_RANGE 825 -#define SYS_ENTER_TRUNCATE 824 -#define SYS_EXIT_TRUNCATE 823 -#define SYS_ENTER_FTRUNCATE 822 -#define SYS_EXIT_FTRUNCATE 821 -#define SYS_ENTER_FALLOCATE 820 -#define SYS_EXIT_FALLOCATE 819 -#define SYS_ENTER_FACCESSAT 818 -#define SYS_EXIT_FACCESSAT 817 -#define SYS_ENTER_FACCESSAT2 816 -#define SYS_EXIT_FACCESSAT2 815 -#define SYS_ENTER_ACCESS 814 -#define SYS_EXIT_ACCESS 813 -#define SYS_ENTER_CHDIR 812 -#define SYS_EXIT_CHDIR 811 -#define SYS_ENTER_FCHDIR 810 -#define SYS_EXIT_FCHDIR 809 -#define SYS_ENTER_CHROOT 808 -#define SYS_EXIT_CHROOT 807 -#define SYS_ENTER_FCHMOD 806 -#define SYS_EXIT_FCHMOD 805 -#define SYS_ENTER_FCHMODAT2 804 -#define SYS_EXIT_FCHMODAT2 803 -#define SYS_ENTER_FCHMODAT 802 -#define SYS_EXIT_FCHMODAT 801 -#define SYS_ENTER_CHMOD 800 -#define SYS_EXIT_CHMOD 799 -#define SYS_ENTER_FCHOWNAT 798 -#define SYS_EXIT_FCHOWNAT 797 -#define SYS_ENTER_CHOWN 796 -#define SYS_EXIT_CHOWN 795 -#define SYS_ENTER_LCHOWN 794 -#define SYS_EXIT_LCHOWN 793 -#define SYS_ENTER_FCHOWN 792 -#define SYS_EXIT_FCHOWN 791 -#define SYS_ENTER_OPEN 790 -#define SYS_EXIT_OPEN 789 -#define SYS_ENTER_OPENAT 788 -#define SYS_EXIT_OPENAT 787 -#define SYS_ENTER_OPENAT2 786 -#define SYS_EXIT_OPENAT2 785 -#define SYS_ENTER_CREAT 784 -#define SYS_EXIT_CREAT 783 -#define SYS_ENTER_CLOSE 782 -#define SYS_EXIT_CLOSE 781 -#define SYS_ENTER_MSYNC 710 -#define SYS_EXIT_MSYNC 709 + +#define SYS_ENTER_SOCKET 1847 +#define SYS_EXIT_SOCKET 1846 +#define SYS_ENTER_SOCKETPAIR 1845 +#define SYS_EXIT_SOCKETPAIR 1844 +#define SYS_ENTER_BIND 1843 +#define SYS_EXIT_BIND 1842 +#define SYS_ENTER_LISTEN 1841 +#define SYS_EXIT_LISTEN 1840 +#define SYS_ENTER_ACCEPT4 1839 +#define SYS_EXIT_ACCEPT4 1838 +#define SYS_ENTER_ACCEPT 1837 +#define SYS_EXIT_ACCEPT 1836 +#define SYS_ENTER_CONNECT 1835 +#define SYS_EXIT_CONNECT 1834 +#define SYS_ENTER_GETSOCKNAME 1833 +#define SYS_EXIT_GETSOCKNAME 1832 +#define SYS_ENTER_GETPEERNAME 1831 +#define SYS_EXIT_GETPEERNAME 1830 +#define SYS_ENTER_SENDTO 1829 +#define SYS_EXIT_SENDTO 1828 +#define SYS_ENTER_RECVFROM 1827 +#define SYS_EXIT_RECVFROM 1826 +#define SYS_ENTER_SETSOCKOPT 1825 +#define SYS_EXIT_SETSOCKOPT 1824 +#define SYS_ENTER_GETSOCKOPT 1823 +#define SYS_EXIT_GETSOCKOPT 1822 +#define SYS_ENTER_SHUTDOWN 1821 +#define SYS_EXIT_SHUTDOWN 1820 +#define SYS_ENTER_SENDMSG 1819 +#define SYS_EXIT_SENDMSG 1818 +#define SYS_ENTER_SENDMMSG 1817 +#define SYS_EXIT_SENDMMSG 1816 +#define SYS_ENTER_RECVMSG 1815 +#define SYS_EXIT_RECVMSG 1814 +#define SYS_ENTER_RECVMMSG 1813 +#define SYS_EXIT_RECVMMSG 1812 +#define SYS_ENTER_GETRANDOM 1575 +#define SYS_EXIT_GETRANDOM 1574 +#define SYS_ENTER_IO_URING_REGISTER 1528 +#define SYS_EXIT_IO_URING_REGISTER 1527 +#define SYS_ENTER_IO_URING_ENTER 1509 +#define SYS_EXIT_IO_URING_ENTER 1508 +#define SYS_ENTER_IO_URING_SETUP 1507 +#define SYS_EXIT_IO_URING_SETUP 1506 +#define SYS_ENTER_IOPRIO_SET 1491 +#define SYS_EXIT_IOPRIO_SET 1490 +#define SYS_ENTER_IOPRIO_GET 1489 +#define SYS_EXIT_IOPRIO_GET 1488 +#define SYS_ENTER_LANDLOCK_CREATE_RULESET 1463 +#define SYS_EXIT_LANDLOCK_CREATE_RULESET 1462 +#define SYS_ENTER_LANDLOCK_ADD_RULE 1461 +#define SYS_EXIT_LANDLOCK_ADD_RULE 1460 +#define SYS_ENTER_LANDLOCK_RESTRICT_SELF 1459 +#define SYS_EXIT_LANDLOCK_RESTRICT_SELF 1458 +#define SYS_ENTER_LSM_SET_SELF_ATTR 1456 +#define SYS_EXIT_LSM_SET_SELF_ATTR 1455 +#define SYS_ENTER_LSM_GET_SELF_ATTR 1454 +#define SYS_EXIT_LSM_GET_SELF_ATTR 1453 +#define SYS_ENTER_LSM_LIST_MODULES 1452 +#define SYS_EXIT_LSM_LIST_MODULES 1451 +#define SYS_ENTER_ADD_KEY 1449 +#define SYS_EXIT_ADD_KEY 1448 +#define SYS_ENTER_REQUEST_KEY 1447 +#define SYS_EXIT_REQUEST_KEY 1446 +#define SYS_ENTER_KEYCTL 1445 +#define SYS_EXIT_KEYCTL 1444 +#define SYS_ENTER_MQ_OPEN 1443 +#define SYS_EXIT_MQ_OPEN 1442 +#define SYS_ENTER_MQ_UNLINK 1441 +#define SYS_EXIT_MQ_UNLINK 1440 +#define SYS_ENTER_MQ_TIMEDSEND 1439 +#define SYS_EXIT_MQ_TIMEDSEND 1438 +#define SYS_ENTER_MQ_TIMEDRECEIVE 1437 +#define SYS_EXIT_MQ_TIMEDRECEIVE 1436 +#define SYS_ENTER_MQ_NOTIFY 1435 +#define SYS_EXIT_MQ_NOTIFY 1434 +#define SYS_ENTER_MQ_GETSETATTR 1433 +#define SYS_EXIT_MQ_GETSETATTR 1432 +#define SYS_ENTER_SHMGET 1431 +#define SYS_EXIT_SHMGET 1430 +#define SYS_ENTER_SHMCTL 1429 +#define SYS_EXIT_SHMCTL 1428 +#define SYS_ENTER_SHMAT 1427 +#define SYS_EXIT_SHMAT 1426 +#define SYS_ENTER_SHMDT 1425 +#define SYS_EXIT_SHMDT 1424 +#define SYS_ENTER_SEMGET 1423 +#define SYS_EXIT_SEMGET 1422 +#define SYS_ENTER_SEMCTL 1421 +#define SYS_EXIT_SEMCTL 1420 +#define SYS_ENTER_SEMTIMEDOP 1419 +#define SYS_EXIT_SEMTIMEDOP 1418 +#define SYS_ENTER_SEMOP 1417 +#define SYS_EXIT_SEMOP 1416 +#define SYS_ENTER_MSGGET 1415 +#define SYS_EXIT_MSGGET 1414 +#define SYS_ENTER_MSGCTL 1413 +#define SYS_EXIT_MSGCTL 1412 +#define SYS_ENTER_MSGSND 1411 +#define SYS_EXIT_MSGSND 1410 +#define SYS_ENTER_MSGRCV 1409 +#define SYS_EXIT_MSGRCV 1408 +#define SYS_ENTER_QUOTACTL 1164 +#define SYS_EXIT_QUOTACTL 1163 +#define SYS_ENTER_QUOTACTL_FD 1162 +#define SYS_EXIT_QUOTACTL_FD 1161 +#define SYS_ENTER_NAME_TO_HANDLE_AT 1146 +#define SYS_EXIT_NAME_TO_HANDLE_AT 1145 +#define SYS_ENTER_OPEN_BY_HANDLE_AT 1144 +#define SYS_EXIT_OPEN_BY_HANDLE_AT 1143 +#define SYS_ENTER_FLOCK 1130 +#define SYS_EXIT_FLOCK 1129 +#define SYS_ENTER_IO_SETUP 1111 +#define SYS_EXIT_IO_SETUP 1110 +#define SYS_ENTER_IO_DESTROY 1109 +#define SYS_EXIT_IO_DESTROY 1108 +#define SYS_ENTER_IO_SUBMIT 1107 +#define SYS_EXIT_IO_SUBMIT 1106 +#define SYS_ENTER_IO_CANCEL 1105 +#define SYS_EXIT_IO_CANCEL 1104 +#define SYS_ENTER_IO_GETEVENTS 1103 +#define SYS_EXIT_IO_GETEVENTS 1102 +#define SYS_ENTER_IO_PGETEVENTS 1101 +#define SYS_EXIT_IO_PGETEVENTS 1100 +#define SYS_ENTER_USERFAULTFD 1099 +#define SYS_EXIT_USERFAULTFD 1098 +#define SYS_ENTER_EVENTFD2 1097 +#define SYS_EXIT_EVENTFD2 1096 +#define SYS_ENTER_EVENTFD 1095 +#define SYS_EXIT_EVENTFD 1094 +#define SYS_ENTER_TIMERFD_CREATE 1093 +#define SYS_EXIT_TIMERFD_CREATE 1092 +#define SYS_ENTER_TIMERFD_SETTIME 1091 +#define SYS_EXIT_TIMERFD_SETTIME 1090 +#define SYS_ENTER_TIMERFD_GETTIME 1089 +#define SYS_EXIT_TIMERFD_GETTIME 1088 +#define SYS_ENTER_SIGNALFD4 1087 +#define SYS_EXIT_SIGNALFD4 1086 +#define SYS_ENTER_SIGNALFD 1085 +#define SYS_EXIT_SIGNALFD 1084 +#define SYS_ENTER_EPOLL_CREATE1 1083 +#define SYS_EXIT_EPOLL_CREATE1 1082 +#define SYS_ENTER_EPOLL_CREATE 1081 +#define SYS_EXIT_EPOLL_CREATE 1080 +#define SYS_ENTER_EPOLL_CTL 1079 +#define SYS_EXIT_EPOLL_CTL 1078 +#define SYS_ENTER_EPOLL_WAIT 1077 +#define SYS_EXIT_EPOLL_WAIT 1076 +#define SYS_ENTER_EPOLL_PWAIT 1075 +#define SYS_EXIT_EPOLL_PWAIT 1074 +#define SYS_ENTER_EPOLL_PWAIT2 1073 +#define SYS_EXIT_EPOLL_PWAIT2 1072 +#define SYS_ENTER_FANOTIFY_INIT 1071 +#define SYS_EXIT_FANOTIFY_INIT 1070 +#define SYS_ENTER_FANOTIFY_MARK 1069 +#define SYS_EXIT_FANOTIFY_MARK 1068 +#define SYS_ENTER_INOTIFY_INIT1 1067 +#define SYS_EXIT_INOTIFY_INIT1 1066 +#define SYS_ENTER_INOTIFY_INIT 1065 +#define SYS_EXIT_INOTIFY_INIT 1064 +#define SYS_ENTER_INOTIFY_ADD_WATCH 1063 +#define SYS_EXIT_INOTIFY_ADD_WATCH 1062 +#define SYS_ENTER_INOTIFY_RM_WATCH 1061 +#define SYS_EXIT_INOTIFY_RM_WATCH 1060 +#define SYS_ENTER_FILE_GETATTR 1059 +#define SYS_EXIT_FILE_GETATTR 1058 +#define SYS_ENTER_FILE_SETATTR 1057 +#define SYS_EXIT_FILE_SETATTR 1056 +#define SYS_ENTER_FSOPEN 1055 +#define SYS_EXIT_FSOPEN 1054 +#define SYS_ENTER_FSPICK 1053 +#define SYS_EXIT_FSPICK 1052 +#define SYS_ENTER_FSCONFIG 1051 +#define SYS_EXIT_FSCONFIG 1050 +#define SYS_ENTER_STATFS 1049 +#define SYS_EXIT_STATFS 1048 +#define SYS_ENTER_FSTATFS 1047 +#define SYS_EXIT_FSTATFS 1046 +#define SYS_ENTER_USTAT 1045 +#define SYS_EXIT_USTAT 1044 +#define SYS_ENTER_GETCWD 1043 +#define SYS_EXIT_GETCWD 1042 +#define SYS_ENTER_UTIMENSAT 1041 +#define SYS_EXIT_UTIMENSAT 1040 +#define SYS_ENTER_FUTIMESAT 1039 +#define SYS_EXIT_FUTIMESAT 1038 +#define SYS_ENTER_UTIMES 1037 +#define SYS_EXIT_UTIMES 1036 +#define SYS_ENTER_UTIME 1035 +#define SYS_EXIT_UTIME 1034 +#define SYS_ENTER_SYNC 1033 +#define SYS_EXIT_SYNC 1032 +#define SYS_ENTER_SYNCFS 1031 +#define SYS_EXIT_SYNCFS 1030 +#define SYS_ENTER_FSYNC 1029 +#define SYS_EXIT_FSYNC 1028 +#define SYS_ENTER_FDATASYNC 1027 +#define SYS_EXIT_FDATASYNC 1026 +#define SYS_ENTER_SYNC_FILE_RANGE 1025 +#define SYS_EXIT_SYNC_FILE_RANGE 1024 +#define SYS_ENTER_VMSPLICE 1023 +#define SYS_EXIT_VMSPLICE 1022 +#define SYS_ENTER_SPLICE 1021 +#define SYS_EXIT_SPLICE 1020 +#define SYS_ENTER_TEE 1019 +#define SYS_EXIT_TEE 1018 +#define SYS_ENTER_SETXATTRAT 985 +#define SYS_EXIT_SETXATTRAT 984 +#define SYS_ENTER_SETXATTR 983 +#define SYS_EXIT_SETXATTR 982 +#define SYS_ENTER_LSETXATTR 981 +#define SYS_EXIT_LSETXATTR 980 +#define SYS_ENTER_FSETXATTR 979 +#define SYS_EXIT_FSETXATTR 978 +#define SYS_ENTER_GETXATTRAT 977 +#define SYS_EXIT_GETXATTRAT 976 +#define SYS_ENTER_GETXATTR 975 +#define SYS_EXIT_GETXATTR 974 +#define SYS_ENTER_LGETXATTR 973 +#define SYS_EXIT_LGETXATTR 972 +#define SYS_ENTER_FGETXATTR 971 +#define SYS_EXIT_FGETXATTR 970 +#define SYS_ENTER_LISTXATTRAT 969 +#define SYS_EXIT_LISTXATTRAT 968 +#define SYS_ENTER_LISTXATTR 967 +#define SYS_EXIT_LISTXATTR 966 +#define SYS_ENTER_LLISTXATTR 965 +#define SYS_EXIT_LLISTXATTR 964 +#define SYS_ENTER_FLISTXATTR 963 +#define SYS_EXIT_FLISTXATTR 962 +#define SYS_ENTER_REMOVEXATTRAT 961 +#define SYS_EXIT_REMOVEXATTRAT 960 +#define SYS_ENTER_REMOVEXATTR 959 +#define SYS_EXIT_REMOVEXATTR 958 +#define SYS_ENTER_LREMOVEXATTR 957 +#define SYS_EXIT_LREMOVEXATTR 956 +#define SYS_ENTER_FREMOVEXATTR 955 +#define SYS_EXIT_FREMOVEXATTR 954 +#define SYS_ENTER_UMOUNT 953 +#define SYS_EXIT_UMOUNT 952 +#define SYS_ENTER_OPEN_TREE 951 +#define SYS_EXIT_OPEN_TREE 950 +#define SYS_ENTER_MOUNT 949 +#define SYS_EXIT_MOUNT 948 +#define SYS_ENTER_FSMOUNT 947 +#define SYS_EXIT_FSMOUNT 946 +#define SYS_ENTER_MOVE_MOUNT 945 +#define SYS_EXIT_MOVE_MOUNT 944 +#define SYS_ENTER_PIVOT_ROOT 943 +#define SYS_EXIT_PIVOT_ROOT 942 +#define SYS_ENTER_MOUNT_SETATTR 941 +#define SYS_EXIT_MOUNT_SETATTR 940 +#define SYS_ENTER_OPEN_TREE_ATTR 939 +#define SYS_EXIT_OPEN_TREE_ATTR 938 +#define SYS_ENTER_STATMOUNT 937 +#define SYS_EXIT_STATMOUNT 936 +#define SYS_ENTER_LISTMOUNT 935 +#define SYS_EXIT_LISTMOUNT 934 +#define SYS_ENTER_SYSFS 933 +#define SYS_EXIT_SYSFS 932 +#define SYS_ENTER_CLOSE_RANGE 931 +#define SYS_EXIT_CLOSE_RANGE 930 +#define SYS_ENTER_DUP3 929 +#define SYS_EXIT_DUP3 928 +#define SYS_ENTER_DUP2 927 +#define SYS_EXIT_DUP2 926 +#define SYS_ENTER_DUP 925 +#define SYS_EXIT_DUP 924 +#define SYS_ENTER_SELECT 919 +#define SYS_EXIT_SELECT 918 +#define SYS_ENTER_PSELECT6 917 +#define SYS_EXIT_PSELECT6 916 +#define SYS_ENTER_POLL 915 +#define SYS_EXIT_POLL 914 +#define SYS_ENTER_PPOLL 913 +#define SYS_EXIT_PPOLL 912 +#define SYS_ENTER_GETDENTS 911 +#define SYS_EXIT_GETDENTS 910 +#define SYS_ENTER_GETDENTS64 909 +#define SYS_EXIT_GETDENTS64 908 +#define SYS_ENTER_IOCTL 907 +#define SYS_EXIT_IOCTL 906 +#define SYS_ENTER_FCNTL 905 +#define SYS_EXIT_FCNTL 904 +#define SYS_ENTER_MKNODAT 903 +#define SYS_EXIT_MKNODAT 902 +#define SYS_ENTER_MKNOD 901 +#define SYS_EXIT_MKNOD 900 +#define SYS_ENTER_MKDIRAT 899 +#define SYS_EXIT_MKDIRAT 898 +#define SYS_ENTER_MKDIR 897 +#define SYS_EXIT_MKDIR 896 +#define SYS_ENTER_RMDIR 895 +#define SYS_EXIT_RMDIR 894 +#define SYS_ENTER_UNLINKAT 893 +#define SYS_EXIT_UNLINKAT 892 +#define SYS_ENTER_UNLINK 891 +#define SYS_EXIT_UNLINK 890 +#define SYS_ENTER_SYMLINKAT 889 +#define SYS_EXIT_SYMLINKAT 888 +#define SYS_ENTER_SYMLINK 887 +#define SYS_EXIT_SYMLINK 886 +#define SYS_ENTER_LINKAT 885 +#define SYS_EXIT_LINKAT 884 +#define SYS_ENTER_LINK 883 +#define SYS_EXIT_LINK 882 +#define SYS_ENTER_RENAMEAT2 881 +#define SYS_EXIT_RENAMEAT2 880 +#define SYS_ENTER_RENAMEAT 879 +#define SYS_EXIT_RENAMEAT 878 +#define SYS_ENTER_RENAME 877 +#define SYS_EXIT_RENAME 876 +#define SYS_ENTER_PIPE2 875 +#define SYS_EXIT_PIPE2 874 +#define SYS_ENTER_PIPE 873 +#define SYS_EXIT_PIPE 872 +#define SYS_ENTER_EXECVE 871 +#define SYS_EXIT_EXECVE 870 +#define SYS_ENTER_EXECVEAT 869 +#define SYS_EXIT_EXECVEAT 868 +#define SYS_ENTER_NEWSTAT 867 +#define SYS_EXIT_NEWSTAT 866 +#define SYS_ENTER_NEWLSTAT 865 +#define SYS_EXIT_NEWLSTAT 864 +#define SYS_ENTER_NEWFSTATAT 863 +#define SYS_EXIT_NEWFSTATAT 862 +#define SYS_ENTER_NEWFSTAT 861 +#define SYS_EXIT_NEWFSTAT 860 +#define SYS_ENTER_READLINKAT 859 +#define SYS_EXIT_READLINKAT 858 +#define SYS_ENTER_READLINK 857 +#define SYS_EXIT_READLINK 856 +#define SYS_ENTER_STATX 855 +#define SYS_EXIT_STATX 854 +#define SYS_ENTER_LSEEK 853 +#define SYS_EXIT_LSEEK 852 +#define SYS_ENTER_READ 851 +#define SYS_EXIT_READ 850 +#define SYS_ENTER_WRITE 849 +#define SYS_EXIT_WRITE 848 +#define SYS_ENTER_PREAD64 847 +#define SYS_EXIT_PREAD64 846 +#define SYS_ENTER_PWRITE64 845 +#define SYS_EXIT_PWRITE64 844 +#define SYS_ENTER_READV 843 +#define SYS_EXIT_READV 842 +#define SYS_ENTER_WRITEV 841 +#define SYS_EXIT_WRITEV 840 +#define SYS_ENTER_PREADV 839 +#define SYS_EXIT_PREADV 838 +#define SYS_ENTER_PREADV2 837 +#define SYS_EXIT_PREADV2 836 +#define SYS_ENTER_PWRITEV 835 +#define SYS_EXIT_PWRITEV 834 +#define SYS_ENTER_PWRITEV2 833 +#define SYS_EXIT_PWRITEV2 832 +#define SYS_ENTER_SENDFILE64 831 +#define SYS_EXIT_SENDFILE64 830 +#define SYS_ENTER_COPY_FILE_RANGE 829 +#define SYS_EXIT_COPY_FILE_RANGE 828 +#define SYS_ENTER_TRUNCATE 827 +#define SYS_EXIT_TRUNCATE 826 +#define SYS_ENTER_FTRUNCATE 825 +#define SYS_EXIT_FTRUNCATE 824 +#define SYS_ENTER_FALLOCATE 823 +#define SYS_EXIT_FALLOCATE 822 +#define SYS_ENTER_FACCESSAT 821 +#define SYS_EXIT_FACCESSAT 820 +#define SYS_ENTER_FACCESSAT2 819 +#define SYS_EXIT_FACCESSAT2 818 +#define SYS_ENTER_ACCESS 817 +#define SYS_EXIT_ACCESS 816 +#define SYS_ENTER_CHDIR 815 +#define SYS_EXIT_CHDIR 814 +#define SYS_ENTER_FCHDIR 813 +#define SYS_EXIT_FCHDIR 812 +#define SYS_ENTER_CHROOT 811 +#define SYS_EXIT_CHROOT 810 +#define SYS_ENTER_FCHMOD 809 +#define SYS_EXIT_FCHMOD 808 +#define SYS_ENTER_FCHMODAT2 807 +#define SYS_EXIT_FCHMODAT2 806 +#define SYS_ENTER_FCHMODAT 805 +#define SYS_EXIT_FCHMODAT 804 +#define SYS_ENTER_CHMOD 803 +#define SYS_EXIT_CHMOD 802 +#define SYS_ENTER_FCHOWNAT 801 +#define SYS_EXIT_FCHOWNAT 800 +#define SYS_ENTER_CHOWN 799 +#define SYS_EXIT_CHOWN 798 +#define SYS_ENTER_LCHOWN 797 +#define SYS_EXIT_LCHOWN 796 +#define SYS_ENTER_FCHOWN 795 +#define SYS_EXIT_FCHOWN 794 +#define SYS_ENTER_OPEN 793 +#define SYS_EXIT_OPEN 792 +#define SYS_ENTER_OPENAT 791 +#define SYS_EXIT_OPENAT 790 +#define SYS_ENTER_OPENAT2 789 +#define SYS_EXIT_OPENAT2 788 +#define SYS_ENTER_CREAT 787 +#define SYS_EXIT_CREAT 786 +#define SYS_ENTER_CLOSE 785 +#define SYS_EXIT_CLOSE 784 +#define SYS_ENTER_VHANGUP 783 +#define SYS_EXIT_VHANGUP 782 +#define SYS_ENTER_MEMFD_CREATE 781 +#define SYS_EXIT_MEMFD_CREATE 780 +#define SYS_ENTER_MEMFD_SECRET 774 +#define SYS_EXIT_MEMFD_SECRET 773 +#define SYS_ENTER_MOVE_PAGES 754 +#define SYS_EXIT_MOVE_PAGES 753 +#define SYS_ENTER_SET_MEMPOLICY_HOME_NODE 743 +#define SYS_EXIT_SET_MEMPOLICY_HOME_NODE 742 +#define SYS_ENTER_MBIND 741 +#define SYS_EXIT_MBIND 740 +#define SYS_ENTER_SET_MEMPOLICY 739 +#define SYS_EXIT_SET_MEMPOLICY 738 +#define SYS_ENTER_MIGRATE_PAGES 737 +#define SYS_EXIT_MIGRATE_PAGES 736 +#define SYS_ENTER_GET_MEMPOLICY 735 +#define SYS_EXIT_GET_MEMPOLICY 734 +#define SYS_ENTER_SWAPOFF 733 +#define SYS_EXIT_SWAPOFF 732 +#define SYS_ENTER_SWAPON 731 +#define SYS_EXIT_SWAPON 730 +#define SYS_ENTER_MADVISE 729 +#define SYS_EXIT_MADVISE 728 +#define SYS_ENTER_PROCESS_MADVISE 727 +#define SYS_EXIT_PROCESS_MADVISE 726 +#define SYS_ENTER_MSEAL 725 +#define SYS_EXIT_MSEAL 724 +#define SYS_ENTER_PROCESS_VM_READV 723 +#define SYS_EXIT_PROCESS_VM_READV 722 +#define SYS_ENTER_PROCESS_VM_WRITEV 721 +#define SYS_EXIT_PROCESS_VM_WRITEV 720 +#define SYS_ENTER_MSYNC 712 +#define SYS_EXIT_MSYNC 711 +#define SYS_ENTER_MREMAP 710 +#define SYS_EXIT_MREMAP 709 +#define SYS_ENTER_MPROTECT 708 +#define SYS_EXIT_MPROTECT 707 +#define SYS_ENTER_PKEY_MPROTECT 706 +#define SYS_EXIT_PKEY_MPROTECT 705 +#define SYS_ENTER_PKEY_ALLOC 704 +#define SYS_EXIT_PKEY_ALLOC 703 +#define SYS_ENTER_PKEY_FREE 702 +#define SYS_EXIT_PKEY_FREE 701 +#define SYS_ENTER_BRK 698 +#define SYS_EXIT_BRK 697 +#define SYS_ENTER_MUNMAP 696 +#define SYS_EXIT_MUNMAP 695 +#define SYS_ENTER_REMAP_FILE_PAGES 694 +#define SYS_EXIT_REMAP_FILE_PAGES 693 +#define SYS_ENTER_MLOCK 692 +#define SYS_EXIT_MLOCK 691 +#define SYS_ENTER_MLOCK2 690 +#define SYS_EXIT_MLOCK2 689 +#define SYS_ENTER_MUNLOCK 688 +#define SYS_EXIT_MUNLOCK 687 +#define SYS_ENTER_MLOCKALL 686 +#define SYS_EXIT_MLOCKALL 685 +#define SYS_ENTER_MUNLOCKALL 684 +#define SYS_EXIT_MUNLOCKALL 683 +#define SYS_ENTER_MINCORE 682 +#define SYS_EXIT_MINCORE 681 #define SYS_ENTER_READAHEAD 616 #define SYS_EXIT_READAHEAD 615 #define SYS_ENTER_FADVISE64 614 #define SYS_EXIT_FADVISE64 613 +#define SYS_ENTER_PROCESS_MRELEASE 604 +#define SYS_EXIT_PROCESS_MRELEASE 603 #define SYS_ENTER_CACHESTAT 595 #define SYS_EXIT_CACHESTAT 594 +#define SYS_ENTER_RSEQ 591 +#define SYS_EXIT_RSEQ 590 +#define SYS_ENTER_PERF_EVENT_OPEN 587 +#define SYS_EXIT_PERF_EVENT_OPEN 586 +#define SYS_ENTER_BPF 585 +#define SYS_EXIT_BPF 584 +#define SYS_ENTER_SECCOMP 526 +#define SYS_EXIT_SECCOMP 525 +#define SYS_ENTER_KEXEC_FILE_LOAD 508 +#define SYS_EXIT_KEXEC_FILE_LOAD 507 +#define SYS_ENTER_KEXEC_LOAD 506 +#define SYS_EXIT_KEXEC_LOAD 505 +#define SYS_ENTER_ACCT 504 +#define SYS_EXIT_ACCT 503 +#define SYS_ENTER_SET_ROBUST_LIST 499 +#define SYS_EXIT_SET_ROBUST_LIST 498 +#define SYS_ENTER_GET_ROBUST_LIST 497 +#define SYS_EXIT_GET_ROBUST_LIST 496 +#define SYS_ENTER_FUTEX 495 +#define SYS_EXIT_FUTEX 494 +#define SYS_ENTER_FUTEX_WAITV 493 +#define SYS_EXIT_FUTEX_WAITV 492 +#define SYS_ENTER_FUTEX_WAKE 491 +#define SYS_EXIT_FUTEX_WAKE 490 +#define SYS_ENTER_FUTEX_WAIT 489 +#define SYS_EXIT_FUTEX_WAIT 488 +#define SYS_ENTER_FUTEX_REQUEUE 487 +#define SYS_EXIT_FUTEX_REQUEUE 486 +#define SYS_ENTER_GETITIMER 471 +#define SYS_EXIT_GETITIMER 470 +#define SYS_ENTER_ALARM 469 +#define SYS_EXIT_ALARM 468 +#define SYS_ENTER_SETITIMER 467 +#define SYS_EXIT_SETITIMER 466 +#define SYS_ENTER_TIMER_CREATE 465 +#define SYS_EXIT_TIMER_CREATE 464 +#define SYS_ENTER_TIMER_GETTIME 463 +#define SYS_EXIT_TIMER_GETTIME 462 +#define SYS_ENTER_TIMER_GETOVERRUN 461 +#define SYS_EXIT_TIMER_GETOVERRUN 460 +#define SYS_ENTER_TIMER_SETTIME 459 +#define SYS_EXIT_TIMER_SETTIME 458 +#define SYS_ENTER_TIMER_DELETE 457 +#define SYS_EXIT_TIMER_DELETE 456 +#define SYS_ENTER_CLOCK_SETTIME 455 +#define SYS_EXIT_CLOCK_SETTIME 454 +#define SYS_ENTER_CLOCK_GETTIME 453 +#define SYS_EXIT_CLOCK_GETTIME 452 +#define SYS_ENTER_CLOCK_ADJTIME 451 +#define SYS_EXIT_CLOCK_ADJTIME 450 +#define SYS_ENTER_CLOCK_GETRES 449 +#define SYS_EXIT_CLOCK_GETRES 448 +#define SYS_ENTER_CLOCK_NANOSLEEP 447 +#define SYS_EXIT_CLOCK_NANOSLEEP 446 +#define SYS_ENTER_NANOSLEEP 441 +#define SYS_EXIT_NANOSLEEP 440 +#define SYS_ENTER_TIME 425 +#define SYS_EXIT_TIME 424 +#define SYS_ENTER_GETTIMEOFDAY 423 +#define SYS_EXIT_GETTIMEOFDAY 422 +#define SYS_ENTER_SETTIMEOFDAY 421 +#define SYS_EXIT_SETTIMEOFDAY 420 +#define SYS_ENTER_ADJTIMEX 419 +#define SYS_EXIT_ADJTIMEX 418 +#define SYS_ENTER_KCMP 417 +#define SYS_EXIT_KCMP 416 +#define SYS_ENTER_DELETE_MODULE 410 +#define SYS_EXIT_DELETE_MODULE 409 +#define SYS_ENTER_INIT_MODULE 408 +#define SYS_EXIT_INIT_MODULE 407 #define SYS_ENTER_FINIT_MODULE 406 #define SYS_EXIT_FINIT_MODULE 405 #define SYS_ENTER_SYSLOG 350 #define SYS_EXIT_SYSLOG 349 +#define SYS_ENTER_MEMBARRIER 346 +#define SYS_EXIT_MEMBARRIER 345 +#define SYS_ENTER_SCHED_SETSCHEDULER 341 +#define SYS_EXIT_SCHED_SETSCHEDULER 340 +#define SYS_ENTER_SCHED_SETPARAM 339 +#define SYS_EXIT_SCHED_SETPARAM 338 +#define SYS_ENTER_SCHED_SETATTR 337 +#define SYS_EXIT_SCHED_SETATTR 336 +#define SYS_ENTER_SCHED_GETSCHEDULER 335 +#define SYS_EXIT_SCHED_GETSCHEDULER 334 +#define SYS_ENTER_SCHED_GETPARAM 333 +#define SYS_EXIT_SCHED_GETPARAM 332 +#define SYS_ENTER_SCHED_GETATTR 331 +#define SYS_EXIT_SCHED_GETATTR 330 +#define SYS_ENTER_SCHED_SETAFFINITY 329 +#define SYS_EXIT_SCHED_SETAFFINITY 328 +#define SYS_ENTER_SCHED_GETAFFINITY 327 +#define SYS_EXIT_SCHED_GETAFFINITY 326 +#define SYS_ENTER_SCHED_YIELD 325 +#define SYS_EXIT_SCHED_YIELD 324 +#define SYS_ENTER_SCHED_GET_PRIORITY_MAX 323 +#define SYS_EXIT_SCHED_GET_PRIORITY_MAX 322 +#define SYS_ENTER_SCHED_GET_PRIORITY_MIN 321 +#define SYS_EXIT_SCHED_GET_PRIORITY_MIN 320 +#define SYS_ENTER_SCHED_RR_GET_INTERVAL 319 +#define SYS_EXIT_SCHED_RR_GET_INTERVAL 318 +#define SYS_ENTER_GETGROUPS 286 +#define SYS_EXIT_GETGROUPS 285 +#define SYS_ENTER_SETGROUPS 284 +#define SYS_EXIT_SETGROUPS 283 +#define SYS_ENTER_REBOOT 282 +#define SYS_EXIT_REBOOT 281 +#define SYS_ENTER_LISTNS 277 +#define SYS_EXIT_LISTNS 276 +#define SYS_ENTER_SETNS 275 +#define SYS_EXIT_SETNS 274 +#define SYS_ENTER_PIDFD_OPEN 273 +#define SYS_EXIT_PIDFD_OPEN 272 #define SYS_ENTER_PIDFD_GETFD 271 #define SYS_EXIT_PIDFD_GETFD 270 +#define SYS_ENTER_SETPRIORITY 265 +#define SYS_EXIT_SETPRIORITY 264 +#define SYS_ENTER_GETPRIORITY 263 +#define SYS_EXIT_GETPRIORITY 262 +#define SYS_ENTER_SETREGID 261 +#define SYS_EXIT_SETREGID 260 +#define SYS_ENTER_SETGID 259 +#define SYS_EXIT_SETGID 258 +#define SYS_ENTER_SETREUID 257 +#define SYS_EXIT_SETREUID 256 +#define SYS_ENTER_SETUID 255 +#define SYS_EXIT_SETUID 254 +#define SYS_ENTER_SETRESUID 253 +#define SYS_EXIT_SETRESUID 252 +#define SYS_ENTER_GETRESUID 251 +#define SYS_EXIT_GETRESUID 250 +#define SYS_ENTER_SETRESGID 249 +#define SYS_EXIT_SETRESGID 248 +#define SYS_ENTER_GETRESGID 247 +#define SYS_EXIT_GETRESGID 246 +#define SYS_ENTER_SETFSUID 245 +#define SYS_EXIT_SETFSUID 244 +#define SYS_ENTER_SETFSGID 243 +#define SYS_EXIT_SETFSGID 242 +#define SYS_ENTER_GETPID 241 +#define SYS_EXIT_GETPID 240 +#define SYS_ENTER_GETTID 239 +#define SYS_EXIT_GETTID 238 +#define SYS_ENTER_GETPPID 237 +#define SYS_EXIT_GETPPID 236 +#define SYS_ENTER_GETUID 235 +#define SYS_EXIT_GETUID 234 +#define SYS_ENTER_GETEUID 233 +#define SYS_EXIT_GETEUID 232 +#define SYS_ENTER_GETGID 231 +#define SYS_EXIT_GETGID 230 +#define SYS_ENTER_GETEGID 229 +#define SYS_EXIT_GETEGID 228 +#define SYS_ENTER_TIMES 227 +#define SYS_EXIT_TIMES 226 +#define SYS_ENTER_SETPGID 225 +#define SYS_EXIT_SETPGID 224 +#define SYS_ENTER_GETPGID 223 +#define SYS_EXIT_GETPGID 222 +#define SYS_ENTER_GETPGRP 221 +#define SYS_EXIT_GETPGRP 220 +#define SYS_ENTER_GETSID 219 +#define SYS_EXIT_GETSID 218 +#define SYS_ENTER_SETSID 217 +#define SYS_EXIT_SETSID 216 +#define SYS_ENTER_NEWUNAME 215 +#define SYS_EXIT_NEWUNAME 214 +#define SYS_ENTER_SETHOSTNAME 213 +#define SYS_EXIT_SETHOSTNAME 212 +#define SYS_ENTER_SETDOMAINNAME 211 +#define SYS_EXIT_SETDOMAINNAME 210 +#define SYS_ENTER_GETRLIMIT 209 +#define SYS_EXIT_GETRLIMIT 208 +#define SYS_ENTER_PRLIMIT64 207 +#define SYS_EXIT_PRLIMIT64 206 +#define SYS_ENTER_SETRLIMIT 205 +#define SYS_EXIT_SETRLIMIT 204 +#define SYS_ENTER_GETRUSAGE 203 +#define SYS_EXIT_GETRUSAGE 202 +#define SYS_ENTER_UMASK 201 +#define SYS_EXIT_UMASK 200 +#define SYS_ENTER_PRCTL 199 +#define SYS_EXIT_PRCTL 198 +#define SYS_ENTER_GETCPU 197 +#define SYS_EXIT_GETCPU 196 +#define SYS_ENTER_SYSINFO 195 +#define SYS_EXIT_SYSINFO 194 +#define SYS_ENTER_RESTART_SYSCALL 191 +#define SYS_EXIT_RESTART_SYSCALL 190 +#define SYS_ENTER_RT_SIGPROCMASK 189 +#define SYS_EXIT_RT_SIGPROCMASK 188 +#define SYS_ENTER_RT_SIGPENDING 187 +#define SYS_EXIT_RT_SIGPENDING 186 +#define SYS_ENTER_RT_SIGTIMEDWAIT 185 +#define SYS_EXIT_RT_SIGTIMEDWAIT 184 +#define SYS_ENTER_KILL 183 +#define SYS_EXIT_KILL 182 +#define SYS_ENTER_PIDFD_SEND_SIGNAL 181 +#define SYS_EXIT_PIDFD_SEND_SIGNAL 180 +#define SYS_ENTER_TGKILL 179 +#define SYS_EXIT_TGKILL 178 +#define SYS_ENTER_TKILL 177 +#define SYS_EXIT_TKILL 176 +#define SYS_ENTER_RT_SIGQUEUEINFO 175 +#define SYS_EXIT_RT_SIGQUEUEINFO 174 +#define SYS_ENTER_RT_TGSIGQUEUEINFO 173 +#define SYS_EXIT_RT_TGSIGQUEUEINFO 172 +#define SYS_ENTER_SIGALTSTACK 171 +#define SYS_EXIT_SIGALTSTACK 170 +#define SYS_ENTER_RT_SIGACTION 169 +#define SYS_EXIT_RT_SIGACTION 168 +#define SYS_ENTER_PAUSE 167 +#define SYS_EXIT_PAUSE 166 +#define SYS_ENTER_RT_SIGSUSPEND 165 +#define SYS_EXIT_RT_SIGSUSPEND 164 +#define SYS_ENTER_PTRACE 163 +#define SYS_EXIT_PTRACE 162 +#define SYS_ENTER_CAPGET 161 +#define SYS_EXIT_CAPGET 160 +#define SYS_ENTER_CAPSET 159 +#define SYS_EXIT_CAPSET 158 +#define SYS_ENTER_EXIT 150 +#define SYS_EXIT_EXIT 149 +#define SYS_ENTER_EXIT_GROUP 148 +#define SYS_EXIT_EXIT_GROUP 147 +#define SYS_ENTER_WAITID 146 +#define SYS_EXIT_WAITID 145 +#define SYS_ENTER_WAIT4 144 +#define SYS_EXIT_WAIT4 143 +#define SYS_ENTER_PERSONALITY 139 +#define SYS_EXIT_PERSONALITY 138 +#define SYS_ENTER_SET_TID_ADDRESS 134 +#define SYS_EXIT_SET_TID_ADDRESS 133 +#define SYS_ENTER_FORK 132 +#define SYS_EXIT_FORK 131 +#define SYS_ENTER_VFORK 130 +#define SYS_EXIT_VFORK 129 +#define SYS_ENTER_CLONE 128 +#define SYS_EXIT_CLONE 127 +#define SYS_ENTER_CLONE3 126 +#define SYS_EXIT_CLONE3 125 +#define SYS_ENTER_UNSHARE 124 +#define SYS_EXIT_UNSHARE 123 +#define SYS_ENTER_MAP_SHADOW_STACK 119 +#define SYS_EXIT_MAP_SHADOW_STACK 118 +#define SYS_ENTER_URETPROBE 117 +#define SYS_EXIT_URETPROBE 116 +#define SYS_ENTER_UPROBE 115 +#define SYS_EXIT_UPROBE 114 +#define SYS_ENTER_ARCH_PRCTL 102 +#define SYS_EXIT_ARCH_PRCTL 101 #define SYS_ENTER_MMAP 100 #define SYS_EXIT_MMAP 99 +#define SYS_ENTER_MODIFY_LDT 98 +#define SYS_EXIT_MODIFY_LDT 97 +#define SYS_ENTER_IOPERM 95 +#define SYS_EXIT_IOPERM 94 +#define SYS_ENTER_IOPL 93 +#define SYS_EXIT_IOPL 92 +#define SYS_ENTER_RT_SIGRETURN 57 +#define SYS_EXIT_RT_SIGRETURN 56 + +/// sys_enter_socket is a struct null_event +SEC("tracepoint/syscalls/sys_enter_socket") +int handle_sys_enter_socket(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SOCKET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_socket is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_socket") +int handle_sys_exit_socket(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SOCKET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_socketpair is a struct null_event +SEC("tracepoint/syscalls/sys_enter_socketpair") +int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SOCKETPAIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_socketpair is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_socketpair") +int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SOCKETPAIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_bind is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_bind") +int handle_sys_enter_bind(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_BIND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_bind is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_bind") +int handle_sys_exit_bind(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_BIND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_listen is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_listen") +int handle_sys_enter_listen(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_LISTEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_listen is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listen") +int handle_sys_exit_listen(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_accept4 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_accept4") +int handle_sys_enter_accept4(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_ACCEPT4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_accept4 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_accept4") +int handle_sys_exit_accept4(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ACCEPT4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_accept is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_accept") +int handle_sys_enter_accept(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_ACCEPT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_accept is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_accept") +int handle_sys_exit_accept(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ACCEPT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_connect is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_connect") +int handle_sys_enter_connect(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CONNECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_connect is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_connect") +int handle_sys_exit_connect(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CONNECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getsockname is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getsockname") +int handle_sys_enter_getsockname(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETSOCKNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getsockname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getsockname") +int handle_sys_exit_getsockname(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETSOCKNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getpeername is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getpeername") +int handle_sys_enter_getpeername(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETPEERNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getpeername is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpeername") +int handle_sys_exit_getpeername(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETPEERNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sendto is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sendto") +int handle_sys_enter_sendto(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SENDTO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sendto is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendto") +int handle_sys_exit_sendto(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SENDTO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_recvfrom is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_recvfrom") +int handle_sys_enter_recvfrom(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_RECVFROM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_recvfrom is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_recvfrom") +int handle_sys_exit_recvfrom(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RECVFROM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setsockopt is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_setsockopt") +int handle_sys_enter_setsockopt(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SETSOCKOPT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setsockopt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setsockopt") +int handle_sys_exit_setsockopt(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETSOCKOPT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getsockopt is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getsockopt") +int handle_sys_enter_getsockopt(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETSOCKOPT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getsockopt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getsockopt") +int handle_sys_exit_getsockopt(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETSOCKOPT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shutdown is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_shutdown") +int handle_sys_enter_shutdown(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SHUTDOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shutdown is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shutdown") +int handle_sys_exit_shutdown(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHUTDOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sendmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sendmsg") +int handle_sys_enter_sendmsg(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SENDMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sendmsg is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendmsg") +int handle_sys_exit_sendmsg(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SENDMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sendmmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sendmmsg") +int handle_sys_enter_sendmmsg(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SENDMMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sendmmsg is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendmmsg") +int handle_sys_exit_sendmmsg(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SENDMMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_recvmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_recvmsg") +int handle_sys_enter_recvmsg(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_RECVMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_recvmsg is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_recvmsg") +int handle_sys_exit_recvmsg(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RECVMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_recvmmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_recvmmsg") +int handle_sys_enter_recvmmsg(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_RECVMMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_recvmmsg is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_recvmmsg") +int handle_sys_exit_recvmmsg(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RECVMMSG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getrandom is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getrandom") +int handle_sys_enter_getrandom(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRANDOM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getrandom is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getrandom") +int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETRANDOM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} /// sys_enter_io_uring_register is a struct fd_event SEC("tracepoint/syscalls/sys_enter_io_uring_register") @@ -620,6 +1722,1326 @@ int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_ioprio_set is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ioprio_set") +int handle_sys_enter_ioprio_set(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IOPRIO_SET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ioprio_set is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioprio_set") +int handle_sys_exit_ioprio_set(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IOPRIO_SET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ioprio_get is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ioprio_get") +int handle_sys_enter_ioprio_get(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IOPRIO_GET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ioprio_get is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioprio_get") +int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IOPRIO_GET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_landlock_create_ruleset is a struct null_event +SEC("tracepoint/syscalls/sys_enter_landlock_create_ruleset") +int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LANDLOCK_CREATE_RULESET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_landlock_create_ruleset") +int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LANDLOCK_CREATE_RULESET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_landlock_add_rule is a struct null_event +SEC("tracepoint/syscalls/sys_enter_landlock_add_rule") +int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LANDLOCK_ADD_RULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_landlock_add_rule") +int handle_sys_exit_landlock_add_rule(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LANDLOCK_ADD_RULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_landlock_restrict_self is a struct null_event +SEC("tracepoint/syscalls/sys_enter_landlock_restrict_self") +int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LANDLOCK_RESTRICT_SELF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_landlock_restrict_self") +int handle_sys_exit_landlock_restrict_self(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LANDLOCK_RESTRICT_SELF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lsm_set_self_attr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_lsm_set_self_attr") +int handle_sys_enter_lsm_set_self_attr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LSM_SET_SELF_ATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lsm_set_self_attr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsm_set_self_attr") +int handle_sys_exit_lsm_set_self_attr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSM_SET_SELF_ATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lsm_get_self_attr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_lsm_get_self_attr") +int handle_sys_enter_lsm_get_self_attr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LSM_GET_SELF_ATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lsm_get_self_attr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsm_get_self_attr") +int handle_sys_exit_lsm_get_self_attr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSM_GET_SELF_ATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lsm_list_modules is a struct null_event +SEC("tracepoint/syscalls/sys_enter_lsm_list_modules") +int handle_sys_enter_lsm_list_modules(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LSM_LIST_MODULES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lsm_list_modules is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsm_list_modules") +int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSM_LIST_MODULES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_add_key is a struct null_event +SEC("tracepoint/syscalls/sys_enter_add_key") +int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ADD_KEY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_add_key is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_add_key") +int handle_sys_exit_add_key(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ADD_KEY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_request_key is a struct null_event +SEC("tracepoint/syscalls/sys_enter_request_key") +int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_REQUEST_KEY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_request_key is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_request_key") +int handle_sys_exit_request_key(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REQUEST_KEY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_keyctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_keyctl") +int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KEYCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_keyctl") +int handle_sys_exit_keyctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KEYCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_open is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_open") +int handle_sys_enter_mq_open(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_open") +int handle_sys_exit_mq_open(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_unlink is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_unlink") +int handle_sys_enter_mq_unlink(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_unlink is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_unlink") +int handle_sys_exit_mq_unlink(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_timedsend is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_timedsend") +int handle_sys_enter_mq_timedsend(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_TIMEDSEND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_timedsend is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_timedsend") +int handle_sys_exit_mq_timedsend(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_TIMEDSEND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_timedreceive is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_timedreceive") +int handle_sys_enter_mq_timedreceive(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_TIMEDRECEIVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_timedreceive is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_timedreceive") +int handle_sys_exit_mq_timedreceive(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_TIMEDRECEIVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_notify is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_notify") +int handle_sys_enter_mq_notify(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_NOTIFY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_notify is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_notify") +int handle_sys_exit_mq_notify(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_NOTIFY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_getsetattr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_getsetattr") +int handle_sys_enter_mq_getsetattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_GETSETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_getsetattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_getsetattr") +int handle_sys_exit_mq_getsetattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_GETSETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmget") +int handle_sys_enter_shmget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmget") +int handle_sys_exit_shmget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmctl") +int handle_sys_enter_shmctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmctl") +int handle_sys_exit_shmctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmat is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmat") +int handle_sys_enter_shmat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmat") +int handle_sys_exit_shmat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmdt is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmdt") +int handle_sys_enter_shmdt(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMDT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmdt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmdt") +int handle_sys_exit_shmdt(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMDT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semget") +int handle_sys_enter_semget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semget") +int handle_sys_exit_semget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semctl") +int handle_sys_enter_semctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semctl") +int handle_sys_exit_semctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semtimedop is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semtimedop") +int handle_sys_enter_semtimedop(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMTIMEDOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semtimedop is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semtimedop") +int handle_sys_exit_semtimedop(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMTIMEDOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semop is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semop") +int handle_sys_enter_semop(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semop is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semop") +int handle_sys_exit_semop(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgget") +int handle_sys_enter_msgget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgget") +int handle_sys_exit_msgget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgctl") +int handle_sys_enter_msgctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgctl") +int handle_sys_exit_msgctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgsnd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgsnd") +int handle_sys_enter_msgsnd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGSND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgsnd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgsnd") +int handle_sys_exit_msgsnd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGSND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgrcv is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgrcv") +int handle_sys_enter_msgrcv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGRCV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgrcv is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgrcv") +int handle_sys_exit_msgrcv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGRCV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_quotactl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_quotactl") +int handle_sys_enter_quotactl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_QUOTACTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_quotactl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_quotactl") +int handle_sys_exit_quotactl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_QUOTACTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_quotactl_fd is a struct fd_event SEC("tracepoint/syscalls/sys_enter_quotactl_fd") int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { @@ -1065,6 +3487,667 @@ int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_userfaultfd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_userfaultfd") +int handle_sys_enter_userfaultfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_USERFAULTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_userfaultfd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_userfaultfd") +int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_USERFAULTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_eventfd2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_eventfd2") +int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EVENTFD2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_eventfd2") +int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EVENTFD2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_eventfd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_eventfd") +int handle_sys_enter_eventfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EVENTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_eventfd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_eventfd") +int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EVENTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timerfd_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timerfd_create") +int handle_sys_enter_timerfd_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMERFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timerfd_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timerfd_create") +int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMERFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timerfd_settime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timerfd_settime") +int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMERFD_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timerfd_settime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timerfd_settime") +int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMERFD_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timerfd_gettime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timerfd_gettime") +int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMERFD_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timerfd_gettime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timerfd_gettime") +int handle_sys_exit_timerfd_gettime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMERFD_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_signalfd4 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_signalfd4") +int handle_sys_enter_signalfd4(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SIGNALFD4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_signalfd4 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_signalfd4") +int handle_sys_exit_signalfd4(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SIGNALFD4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_signalfd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_signalfd") +int handle_sys_enter_signalfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SIGNALFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_signalfd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_signalfd") +int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SIGNALFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_create1 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_create1") +int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_CREATE1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_create1") +int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_CREATE1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_create") +int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_create") +int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_ctl is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_epoll_ctl") +int handle_sys_enter_epoll_ctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_CTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_ctl") +int handle_sys_exit_epoll_ctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_CTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_wait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_wait") +int handle_sys_enter_epoll_wait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_wait") +int handle_sys_exit_epoll_wait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_pwait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_pwait") +int handle_sys_enter_epoll_pwait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_PWAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_pwait") +int handle_sys_exit_epoll_pwait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_PWAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_pwait2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_pwait2") +int handle_sys_enter_epoll_pwait2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_PWAIT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_pwait2") +int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_PWAIT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fanotify_init is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fanotify_init") +int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FANOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fanotify_init") +int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_fanotify_mark is a struct path_event SEC("tracepoint/syscalls/sys_enter_fanotify_mark") int handle_sys_enter_fanotify_mark(struct syscall_trace_enter *ctx) { @@ -1111,6 +4194,184 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_inotify_init1 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_inotify_init1") +int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_INIT1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_init1") +int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_INIT1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_init is a struct null_event +SEC("tracepoint/syscalls/sys_enter_inotify_init") +int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_init") +int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_add_watch is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_rm_watch is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch") +int handle_sys_enter_inotify_rm_watch(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch") +int handle_sys_exit_inotify_rm_watch(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_file_getattr is a struct path_event SEC("tracepoint/syscalls/sys_enter_file_getattr") int handle_sys_enter_file_getattr(struct syscall_trace_enter *ctx) { @@ -1203,6 +4464,50 @@ int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_fsopen is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fsopen") +int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FSOPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsopen") +int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSOPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_fspick is a struct path_event SEC("tracepoint/syscalls/sys_enter_fspick") int handle_sys_enter_fspick(struct syscall_trace_enter *ctx) { @@ -1385,6 +4690,50 @@ int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_ustat is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ustat") +int handle_sys_enter_ustat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_USTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ustat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ustat") +int handle_sys_exit_ustat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_USTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_getcwd is a struct null_event SEC("tracepoint/syscalls/sys_enter_getcwd") int handle_sys_enter_getcwd(struct syscall_trace_enter *ctx) { @@ -1521,6 +4870,94 @@ int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_utimes is a struct null_event +SEC("tracepoint/syscalls/sys_enter_utimes") +int handle_sys_enter_utimes(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UTIMES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_utimes is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_utimes") +int handle_sys_exit_utimes(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UTIMES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_utime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_utime") +int handle_sys_enter_utime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_utime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_utime") +int handle_sys_exit_utime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_sync is a struct null_event SEC("tracepoint/syscalls/sys_enter_sync") int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { @@ -1790,6 +5227,94 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_splice is a struct null_event +SEC("tracepoint/syscalls/sys_enter_splice") +int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SPLICE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_splice is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_splice") +int handle_sys_exit_splice(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SPLICE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_tee is a struct null_event +SEC("tracepoint/syscalls/sys_enter_tee") +int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TEE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_tee is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_tee") +int handle_sys_exit_tee(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TEE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_setxattrat is a struct path_event SEC("tracepoint/syscalls/sys_enter_setxattrat") int handle_sys_enter_setxattrat(struct syscall_trace_enter *ctx) { @@ -2522,6 +6047,50 @@ int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_umount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_umount") +int handle_sys_enter_umount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_umount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_umount") +int handle_sys_exit_umount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_open_tree is a struct open_event SEC("tracepoint/syscalls/sys_enter_open_tree") int handle_sys_enter_open_tree(struct syscall_trace_enter *ctx) { @@ -2570,6 +6139,182 @@ int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_mount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mount") +int handle_sys_enter_mount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mount") +int handle_sys_exit_mount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fsmount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fsmount") +int handle_sys_enter_fsmount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FSMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsmount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsmount") +int handle_sys_exit_fsmount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_move_mount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_move_mount") +int handle_sys_enter_move_mount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MOVE_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_move_mount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_move_mount") +int handle_sys_exit_move_mount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOVE_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pivot_root is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pivot_root") +int handle_sys_enter_pivot_root(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIVOT_ROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pivot_root") +int handle_sys_exit_pivot_root(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIVOT_ROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_mount_setattr is a struct path_event SEC("tracepoint/syscalls/sys_enter_mount_setattr") int handle_sys_enter_mount_setattr(struct syscall_trace_enter *ctx) { @@ -2664,6 +6409,138 @@ int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_statmount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_statmount") +int handle_sys_enter_statmount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_STATMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_statmount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_statmount") +int handle_sys_exit_statmount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_listmount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_listmount") +int handle_sys_enter_listmount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LISTMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_listmount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listmount") +int handle_sys_exit_listmount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sysfs is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sysfs") +int handle_sys_enter_sysfs(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYSFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sysfs is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sysfs") +int handle_sys_exit_sysfs(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYSFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_close_range is a struct fd_event SEC("tracepoint/syscalls/sys_enter_close_range") int handle_sys_enter_close_range(struct syscall_trace_enter *ctx) { @@ -2845,6 +6722,182 @@ int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_select is a struct null_event +SEC("tracepoint/syscalls/sys_enter_select") +int handle_sys_enter_select(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SELECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_select is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_select") +int handle_sys_exit_select(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SELECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pselect6 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pselect6") +int handle_sys_enter_pselect6(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PSELECT6; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pselect6 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pselect6") +int handle_sys_exit_pselect6(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PSELECT6; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_poll is a struct null_event +SEC("tracepoint/syscalls/sys_enter_poll") +int handle_sys_enter_poll(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_POLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_poll is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_poll") +int handle_sys_exit_poll(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_POLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ppoll is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ppoll") +int handle_sys_enter_ppoll(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PPOLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ppoll is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ppoll") +int handle_sys_exit_ppoll(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PPOLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_getdents is a struct fd_event SEC("tracepoint/syscalls/sys_enter_getdents") int handle_sys_enter_getdents(struct syscall_trace_enter *ctx) { @@ -3027,6 +7080,98 @@ int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_mknodat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_mknodat") +int handle_sys_enter_mknodat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mknodat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mknodat") +int handle_sys_exit_mknodat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mknod is a struct path_event +SEC("tracepoint/syscalls/sys_enter_mknod") +int handle_sys_enter_mknod(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mknod is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mknod") +int handle_sys_exit_mknod(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_mkdirat is a struct path_event SEC("tracepoint/syscalls/sys_enter_mkdirat") int handle_sys_enter_mkdirat(struct syscall_trace_enter *ctx) { @@ -3586,6 +7731,185 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_pipe2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pipe2") +int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIPE2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pipe2") +int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIPE2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pipe is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pipe") +int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIPE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pipe is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pipe") +int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIPE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_execve is a struct path_event +SEC("tracepoint/syscalls/sys_enter_execve") +int handle_sys_enter_execve(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_EXECVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_execve is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_execve") +int handle_sys_exit_execve(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXECVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_execveat is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_execveat") +int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_EXECVEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_execveat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_execveat") +int handle_sys_exit_execveat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXECVEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_newstat is a struct path_event SEC("tracepoint/syscalls/sys_enter_newstat") int handle_sys_enter_newstat(struct syscall_trace_enter *ctx) { @@ -4402,6 +8726,50 @@ int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_sendfile64 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sendfile64") +int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SENDFILE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sendfile64 is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendfile64") +int handle_sys_exit_sendfile64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SENDFILE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_copy_file_range is a struct fd_event SEC("tracepoint/syscalls/sys_enter_copy_file_range") int handle_sys_enter_copy_file_range(struct syscall_trace_enter *ctx) { @@ -5459,6 +9827,710 @@ int handle_sys_exit_close(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_vhangup is a struct null_event +SEC("tracepoint/syscalls/sys_enter_vhangup") +int handle_sys_enter_vhangup(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_VHANGUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_vhangup is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_vhangup") +int handle_sys_exit_vhangup(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_VHANGUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_memfd_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_memfd_create") +int handle_sys_enter_memfd_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MEMFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_memfd_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_memfd_create") +int handle_sys_exit_memfd_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MEMFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_memfd_secret is a struct null_event +SEC("tracepoint/syscalls/sys_enter_memfd_secret") +int handle_sys_enter_memfd_secret(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MEMFD_SECRET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_memfd_secret is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_memfd_secret") +int handle_sys_exit_memfd_secret(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MEMFD_SECRET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_move_pages is a struct null_event +SEC("tracepoint/syscalls/sys_enter_move_pages") +int handle_sys_enter_move_pages(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MOVE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_move_pages is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_move_pages") +int handle_sys_exit_move_pages(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOVE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_mempolicy_home_node is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_mempolicy_home_node") +int handle_sys_enter_set_mempolicy_home_node(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_MEMPOLICY_HOME_NODE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_mempolicy_home_node is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_mempolicy_home_node") +int handle_sys_exit_set_mempolicy_home_node(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_MEMPOLICY_HOME_NODE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mbind is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mbind") +int handle_sys_enter_mbind(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MBIND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mbind is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mbind") +int handle_sys_exit_mbind(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MBIND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_mempolicy is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_mempolicy") +int handle_sys_enter_set_mempolicy(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_mempolicy is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_mempolicy") +int handle_sys_exit_set_mempolicy(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_migrate_pages is a struct null_event +SEC("tracepoint/syscalls/sys_enter_migrate_pages") +int handle_sys_enter_migrate_pages(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MIGRATE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_migrate_pages is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_migrate_pages") +int handle_sys_exit_migrate_pages(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MIGRATE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_get_mempolicy is a struct null_event +SEC("tracepoint/syscalls/sys_enter_get_mempolicy") +int handle_sys_enter_get_mempolicy(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_get_mempolicy is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_get_mempolicy") +int handle_sys_exit_get_mempolicy(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_swapoff is a struct null_event +SEC("tracepoint/syscalls/sys_enter_swapoff") +int handle_sys_enter_swapoff(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SWAPOFF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_swapoff is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_swapoff") +int handle_sys_exit_swapoff(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SWAPOFF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_swapon is a struct null_event +SEC("tracepoint/syscalls/sys_enter_swapon") +int handle_sys_enter_swapon(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SWAPON; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_swapon is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_swapon") +int handle_sys_exit_swapon(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SWAPON; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_madvise is a struct null_event +SEC("tracepoint/syscalls/sys_enter_madvise") +int handle_sys_enter_madvise(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_madvise is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_madvise") +int handle_sys_exit_madvise(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_madvise is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_madvise") +int handle_sys_enter_process_madvise(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_madvise is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_madvise") +int handle_sys_exit_process_madvise(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mseal is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mseal") +int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSEAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mseal is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mseal") +int handle_sys_exit_mseal(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSEAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_vm_readv is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_vm_readv") +int handle_sys_enter_process_vm_readv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_VM_READV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_vm_readv is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_vm_readv") +int handle_sys_exit_process_vm_readv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_VM_READV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_vm_writev is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_vm_writev") +int handle_sys_enter_process_vm_writev(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_VM_WRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_vm_writev is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_vm_writev") +int handle_sys_exit_process_vm_writev(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_VM_WRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_msync is a struct null_event SEC("tracepoint/syscalls/sys_enter_msync") int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { @@ -5503,6 +10575,622 @@ int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_mremap is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mremap") +int handle_sys_enter_mremap(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MREMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mremap is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mremap") +int handle_sys_exit_mremap(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MREMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mprotect is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mprotect") +int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mprotect is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mprotect") +int handle_sys_exit_mprotect(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pkey_mprotect is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pkey_mprotect") +int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PKEY_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pkey_mprotect is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pkey_mprotect") +int handle_sys_exit_pkey_mprotect(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PKEY_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pkey_alloc is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pkey_alloc") +int handle_sys_enter_pkey_alloc(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PKEY_ALLOC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pkey_alloc") +int handle_sys_exit_pkey_alloc(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PKEY_ALLOC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pkey_free is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pkey_free") +int handle_sys_enter_pkey_free(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PKEY_FREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pkey_free") +int handle_sys_exit_pkey_free(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PKEY_FREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_brk is a struct null_event +SEC("tracepoint/syscalls/sys_enter_brk") +int handle_sys_enter_brk(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_BRK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_brk is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_brk") +int handle_sys_exit_brk(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_BRK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_munmap is a struct null_event +SEC("tracepoint/syscalls/sys_enter_munmap") +int handle_sys_enter_munmap(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MUNMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_munmap is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_munmap") +int handle_sys_exit_munmap(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MUNMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_remap_file_pages is a struct null_event +SEC("tracepoint/syscalls/sys_enter_remap_file_pages") +int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_REMAP_FILE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_remap_file_pages is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_remap_file_pages") +int handle_sys_exit_remap_file_pages(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMAP_FILE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mlock is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mlock") +int handle_sys_enter_mlock(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mlock is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mlock") +int handle_sys_exit_mlock(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mlock2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mlock2") +int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MLOCK2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mlock2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mlock2") +int handle_sys_exit_mlock2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MLOCK2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_munlock is a struct null_event +SEC("tracepoint/syscalls/sys_enter_munlock") +int handle_sys_enter_munlock(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MUNLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_munlock is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_munlock") +int handle_sys_exit_munlock(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MUNLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mlockall is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mlockall") +int handle_sys_enter_mlockall(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mlockall is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mlockall") +int handle_sys_exit_mlockall(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_munlockall is a struct null_event +SEC("tracepoint/syscalls/sys_enter_munlockall") +int handle_sys_enter_munlockall(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MUNLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_munlockall is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_munlockall") +int handle_sys_exit_munlockall(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MUNLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mincore is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mincore") +int handle_sys_enter_mincore(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MINCORE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mincore is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mincore") +int handle_sys_exit_mincore(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MINCORE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_readahead is a struct fd_event SEC("tracepoint/syscalls/sys_enter_readahead") int handle_sys_enter_readahead(struct syscall_trace_enter *ctx) { @@ -5593,6 +11281,50 @@ int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_process_mrelease is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_mrelease") +int handle_sys_enter_process_mrelease(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_MRELEASE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_mrelease is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_mrelease") +int handle_sys_exit_process_mrelease(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_MRELEASE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_cachestat is a struct fd_event SEC("tracepoint/syscalls/sys_enter_cachestat") int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx) { @@ -5638,6 +11370,1546 @@ int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_rseq is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rseq") +int handle_sys_enter_rseq(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RSEQ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rseq is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rseq") +int handle_sys_exit_rseq(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RSEQ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_perf_event_open is a struct null_event +SEC("tracepoint/syscalls/sys_enter_perf_event_open") +int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PERF_EVENT_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_perf_event_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_perf_event_open") +int handle_sys_exit_perf_event_open(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PERF_EVENT_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_bpf is a struct null_event +SEC("tracepoint/syscalls/sys_enter_bpf") +int handle_sys_enter_bpf(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_BPF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_bpf is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_bpf") +int handle_sys_exit_bpf(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_BPF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_seccomp is a struct null_event +SEC("tracepoint/syscalls/sys_enter_seccomp") +int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SECCOMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_seccomp is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_seccomp") +int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SECCOMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kexec_file_load is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kexec_file_load") +int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KEXEC_FILE_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_kexec_file_load is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kexec_file_load") +int handle_sys_exit_kexec_file_load(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KEXEC_FILE_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kexec_load is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kexec_load") +int handle_sys_enter_kexec_load(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KEXEC_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kexec_load") +int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KEXEC_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_acct is a struct null_event +SEC("tracepoint/syscalls/sys_enter_acct") +int handle_sys_enter_acct(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ACCT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_acct is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_acct") +int handle_sys_exit_acct(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ACCT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_robust_list is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_robust_list") +int handle_sys_enter_set_robust_list(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_robust_list is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_robust_list") +int handle_sys_exit_set_robust_list(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_get_robust_list is a struct null_event +SEC("tracepoint/syscalls/sys_enter_get_robust_list") +int handle_sys_enter_get_robust_list(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_get_robust_list is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_get_robust_list") +int handle_sys_exit_get_robust_list(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex") +int handle_sys_enter_futex(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex") +int handle_sys_exit_futex(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_waitv is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_waitv") +int handle_sys_enter_futex_waitv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_WAITV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_waitv is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_waitv") +int handle_sys_exit_futex_waitv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_WAITV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_wake is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_wake") +int handle_sys_enter_futex_wake(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_WAKE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_wake is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_wake") +int handle_sys_exit_futex_wake(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_WAKE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_wait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_wait") +int handle_sys_enter_futex_wait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_wait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_wait") +int handle_sys_exit_futex_wait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_requeue is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_requeue") +int handle_sys_enter_futex_requeue(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_REQUEUE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_requeue is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_requeue") +int handle_sys_exit_futex_requeue(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_REQUEUE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getitimer is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getitimer") +int handle_sys_enter_getitimer(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getitimer is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getitimer") +int handle_sys_exit_getitimer(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_alarm is a struct null_event +SEC("tracepoint/syscalls/sys_enter_alarm") +int handle_sys_enter_alarm(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ALARM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_alarm is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_alarm") +int handle_sys_exit_alarm(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ALARM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setitimer is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setitimer") +int handle_sys_enter_setitimer(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setitimer is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setitimer") +int handle_sys_exit_setitimer(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_create") +int handle_sys_enter_timer_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_create") +int handle_sys_exit_timer_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_gettime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_gettime") +int handle_sys_enter_timer_gettime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_gettime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_gettime") +int handle_sys_exit_timer_gettime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_getoverrun is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_getoverrun") +int handle_sys_enter_timer_getoverrun(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_GETOVERRUN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_getoverrun is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_getoverrun") +int handle_sys_exit_timer_getoverrun(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_GETOVERRUN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_settime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_settime") +int handle_sys_enter_timer_settime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_settime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_settime") +int handle_sys_exit_timer_settime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_delete is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_delete") +int handle_sys_enter_timer_delete(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_DELETE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_delete is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_delete") +int handle_sys_exit_timer_delete(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_DELETE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_settime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_settime") +int handle_sys_enter_clock_settime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_settime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_settime") +int handle_sys_exit_clock_settime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_gettime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_gettime") +int handle_sys_enter_clock_gettime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_gettime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_gettime") +int handle_sys_exit_clock_gettime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_adjtime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_adjtime") +int handle_sys_enter_clock_adjtime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_ADJTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_adjtime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_adjtime") +int handle_sys_exit_clock_adjtime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_ADJTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_getres is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_getres") +int handle_sys_enter_clock_getres(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_GETRES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_getres is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_getres") +int handle_sys_exit_clock_getres(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_GETRES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_nanosleep is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_nanosleep") +int handle_sys_enter_clock_nanosleep(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_nanosleep is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_nanosleep") +int handle_sys_exit_clock_nanosleep(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_nanosleep is a struct null_event +SEC("tracepoint/syscalls/sys_enter_nanosleep") +int handle_sys_enter_nanosleep(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_nanosleep is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_nanosleep") +int handle_sys_exit_nanosleep(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_time is a struct null_event +SEC("tracepoint/syscalls/sys_enter_time") +int handle_sys_enter_time(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_time is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_time") +int handle_sys_exit_time(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_gettimeofday is a struct null_event +SEC("tracepoint/syscalls/sys_enter_gettimeofday") +int handle_sys_enter_gettimeofday(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_gettimeofday") +int handle_sys_exit_gettimeofday(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_settimeofday is a struct null_event +SEC("tracepoint/syscalls/sys_enter_settimeofday") +int handle_sys_enter_settimeofday(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_settimeofday is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_settimeofday") +int handle_sys_exit_settimeofday(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_adjtimex is a struct null_event +SEC("tracepoint/syscalls/sys_enter_adjtimex") +int handle_sys_enter_adjtimex(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ADJTIMEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_adjtimex is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_adjtimex") +int handle_sys_exit_adjtimex(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ADJTIMEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kcmp is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kcmp") +int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KCMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_kcmp is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kcmp") +int handle_sys_exit_kcmp(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KCMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_delete_module is a struct null_event +SEC("tracepoint/syscalls/sys_enter_delete_module") +int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_DELETE_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_delete_module") +int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_DELETE_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_init_module is a struct null_event +SEC("tracepoint/syscalls/sys_enter_init_module") +int handle_sys_enter_init_module(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_INIT_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_init_module is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_init_module") +int handle_sys_exit_init_module(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INIT_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_finit_module is a struct fd_event SEC("tracepoint/syscalls/sys_enter_finit_module") int handle_sys_enter_finit_module(struct syscall_trace_enter *ctx) { @@ -5727,6 +12999,843 @@ int handle_sys_exit_syslog(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_membarrier is a struct null_event +SEC("tracepoint/syscalls/sys_enter_membarrier") +int handle_sys_enter_membarrier(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MEMBARRIER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_membarrier is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_membarrier") +int handle_sys_exit_membarrier(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MEMBARRIER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setscheduler is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setscheduler") +int handle_sys_enter_sched_setscheduler(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setscheduler is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setscheduler") +int handle_sys_exit_sched_setscheduler(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setparam is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setparam") +int handle_sys_enter_sched_setparam(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setparam is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setparam") +int handle_sys_exit_sched_setparam(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setattr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setattr") +int handle_sys_enter_sched_setattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setattr") +int handle_sys_exit_sched_setattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getscheduler is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getscheduler") +int handle_sys_enter_sched_getscheduler(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getscheduler is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getscheduler") +int handle_sys_exit_sched_getscheduler(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getparam is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getparam") +int handle_sys_enter_sched_getparam(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getparam is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getparam") +int handle_sys_exit_sched_getparam(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getattr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getattr") +int handle_sys_enter_sched_getattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getattr") +int handle_sys_exit_sched_getattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setaffinity is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setaffinity") +int handle_sys_enter_sched_setaffinity(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setaffinity is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setaffinity") +int handle_sys_exit_sched_setaffinity(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getaffinity is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getaffinity") +int handle_sys_enter_sched_getaffinity(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getaffinity is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getaffinity") +int handle_sys_exit_sched_getaffinity(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_yield is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_yield") +int handle_sys_enter_sched_yield(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_YIELD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_yield is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_yield") +int handle_sys_exit_sched_yield(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_YIELD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_get_priority_max is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_get_priority_max") +int handle_sys_enter_sched_get_priority_max(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GET_PRIORITY_MAX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_get_priority_max is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_get_priority_max") +int handle_sys_exit_sched_get_priority_max(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GET_PRIORITY_MAX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_get_priority_min is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_get_priority_min") +int handle_sys_enter_sched_get_priority_min(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GET_PRIORITY_MIN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_get_priority_min is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_get_priority_min") +int handle_sys_exit_sched_get_priority_min(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GET_PRIORITY_MIN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_rr_get_interval is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_rr_get_interval") +int handle_sys_enter_sched_rr_get_interval(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_RR_GET_INTERVAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_rr_get_interval is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_rr_get_interval") +int handle_sys_exit_sched_rr_get_interval(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_RR_GET_INTERVAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getgroups is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getgroups") +int handle_sys_enter_getgroups(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETGROUPS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getgroups is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getgroups") +int handle_sys_exit_getgroups(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETGROUPS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setgroups is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setgroups") +int handle_sys_enter_setgroups(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETGROUPS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setgroups is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setgroups") +int handle_sys_exit_setgroups(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETGROUPS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_reboot is a struct null_event +SEC("tracepoint/syscalls/sys_enter_reboot") +int handle_sys_enter_reboot(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_REBOOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_reboot is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_reboot") +int handle_sys_exit_reboot(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REBOOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_listns is a struct null_event +SEC("tracepoint/syscalls/sys_enter_listns") +int handle_sys_enter_listns(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LISTNS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_listns is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listns") +int handle_sys_exit_listns(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTNS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setns is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_setns") +int handle_sys_enter_setns(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SETNS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setns is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setns") +int handle_sys_exit_setns(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETNS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pidfd_open is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pidfd_open") +int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIDFD_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pidfd_open") +int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIDFD_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_pidfd_getfd is a struct fd_event SEC("tracepoint/syscalls/sys_enter_pidfd_getfd") int handle_sys_enter_pidfd_getfd(struct syscall_trace_enter *ctx) { @@ -5772,6 +13881,2998 @@ int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_setpriority is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setpriority") +int handle_sys_enter_setpriority(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETPRIORITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setpriority is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setpriority") +int handle_sys_exit_setpriority(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETPRIORITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getpriority is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpriority") +int handle_sys_enter_getpriority(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPRIORITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getpriority is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpriority") +int handle_sys_exit_getpriority(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETPRIORITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setregid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setregid") +int handle_sys_enter_setregid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETREGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setregid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setregid") +int handle_sys_exit_setregid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETREGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setgid") +int handle_sys_enter_setgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setgid") +int handle_sys_exit_setgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setreuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setreuid") +int handle_sys_enter_setreuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETREUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setreuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setreuid") +int handle_sys_exit_setreuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETREUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setuid") +int handle_sys_enter_setuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setuid") +int handle_sys_exit_setuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setresuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setresuid") +int handle_sys_enter_setresuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETRESUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setresuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setresuid") +int handle_sys_exit_setresuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETRESUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getresuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getresuid") +int handle_sys_enter_getresuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRESUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getresuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getresuid") +int handle_sys_exit_getresuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETRESUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setresgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setresgid") +int handle_sys_enter_setresgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETRESGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setresgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setresgid") +int handle_sys_exit_setresgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETRESGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getresgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getresgid") +int handle_sys_enter_getresgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRESGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getresgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getresgid") +int handle_sys_exit_getresgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETRESGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setfsuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setfsuid") +int handle_sys_enter_setfsuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETFSUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setfsuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setfsuid") +int handle_sys_exit_setfsuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETFSUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setfsgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setfsgid") +int handle_sys_enter_setfsgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETFSGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setfsgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setfsgid") +int handle_sys_exit_setfsgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETFSGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getpid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpid") +int handle_sys_enter_getpid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getpid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpid") +int handle_sys_exit_getpid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETPID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_gettid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_gettid") +int handle_sys_enter_gettid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETTID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_gettid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_gettid") +int handle_sys_exit_gettid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETTID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getppid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getppid") +int handle_sys_enter_getppid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPPID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getppid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getppid") +int handle_sys_exit_getppid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETPPID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getuid") +int handle_sys_enter_getuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getuid") +int handle_sys_exit_getuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_geteuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_geteuid") +int handle_sys_enter_geteuid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETEUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_geteuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_geteuid") +int handle_sys_exit_geteuid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETEUID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getgid") +int handle_sys_enter_getgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getgid") +int handle_sys_exit_getgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getegid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getegid") +int handle_sys_enter_getegid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETEGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getegid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getegid") +int handle_sys_exit_getegid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETEGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_times is a struct null_event +SEC("tracepoint/syscalls/sys_enter_times") +int handle_sys_enter_times(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_times is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_times") +int handle_sys_exit_times(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setpgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setpgid") +int handle_sys_enter_setpgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETPGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setpgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setpgid") +int handle_sys_exit_setpgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETPGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getpgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpgid") +int handle_sys_enter_getpgid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getpgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpgid") +int handle_sys_exit_getpgid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETPGID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getpgrp is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpgrp") +int handle_sys_enter_getpgrp(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPGRP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getpgrp is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpgrp") +int handle_sys_exit_getpgrp(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETPGRP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getsid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getsid") +int handle_sys_enter_getsid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETSID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getsid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getsid") +int handle_sys_exit_getsid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETSID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setsid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setsid") +int handle_sys_enter_setsid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETSID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setsid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setsid") +int handle_sys_exit_setsid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETSID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_newuname is a struct null_event +SEC("tracepoint/syscalls/sys_enter_newuname") +int handle_sys_enter_newuname(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_NEWUNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_newuname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_newuname") +int handle_sys_exit_newuname(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWUNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sethostname is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sethostname") +int handle_sys_enter_sethostname(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETHOSTNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sethostname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sethostname") +int handle_sys_exit_sethostname(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETHOSTNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setdomainname is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setdomainname") +int handle_sys_enter_setdomainname(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETDOMAINNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setdomainname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setdomainname") +int handle_sys_exit_setdomainname(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETDOMAINNAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getrlimit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getrlimit") +int handle_sys_enter_getrlimit(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRLIMIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getrlimit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getrlimit") +int handle_sys_exit_getrlimit(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETRLIMIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_prlimit64 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_prlimit64") +int handle_sys_enter_prlimit64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PRLIMIT64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_prlimit64 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_prlimit64") +int handle_sys_exit_prlimit64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PRLIMIT64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setrlimit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setrlimit") +int handle_sys_enter_setrlimit(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETRLIMIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setrlimit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setrlimit") +int handle_sys_exit_setrlimit(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETRLIMIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getrusage is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getrusage") +int handle_sys_enter_getrusage(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRUSAGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getrusage is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getrusage") +int handle_sys_exit_getrusage(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETRUSAGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_umask is a struct null_event +SEC("tracepoint/syscalls/sys_enter_umask") +int handle_sys_enter_umask(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UMASK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_umask is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_umask") +int handle_sys_exit_umask(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UMASK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_prctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_prctl") +int handle_sys_enter_prctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PRCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_prctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_prctl") +int handle_sys_exit_prctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PRCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getcpu is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getcpu") +int handle_sys_enter_getcpu(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETCPU; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getcpu is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getcpu") +int handle_sys_exit_getcpu(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETCPU; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sysinfo is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sysinfo") +int handle_sys_enter_sysinfo(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYSINFO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sysinfo is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sysinfo") +int handle_sys_exit_sysinfo(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYSINFO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_restart_syscall is a struct null_event +SEC("tracepoint/syscalls/sys_enter_restart_syscall") +int handle_sys_enter_restart_syscall(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RESTART_SYSCALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_restart_syscall is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_restart_syscall") +int handle_sys_exit_restart_syscall(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RESTART_SYSCALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigprocmask is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigprocmask") +int handle_sys_enter_rt_sigprocmask(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGPROCMASK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigprocmask is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigprocmask") +int handle_sys_exit_rt_sigprocmask(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGPROCMASK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigpending is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigpending") +int handle_sys_enter_rt_sigpending(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGPENDING; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigpending is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigpending") +int handle_sys_exit_rt_sigpending(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGPENDING; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigtimedwait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigtimedwait") +int handle_sys_enter_rt_sigtimedwait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGTIMEDWAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigtimedwait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigtimedwait") +int handle_sys_exit_rt_sigtimedwait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGTIMEDWAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kill is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kill") +int handle_sys_enter_kill(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KILL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_kill is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kill") +int handle_sys_exit_kill(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KILL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pidfd_send_signal is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pidfd_send_signal") +int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIDFD_SEND_SIGNAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pidfd_send_signal") +int handle_sys_exit_pidfd_send_signal(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIDFD_SEND_SIGNAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_tgkill is a struct null_event +SEC("tracepoint/syscalls/sys_enter_tgkill") +int handle_sys_enter_tgkill(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TGKILL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_tgkill is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_tgkill") +int handle_sys_exit_tgkill(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TGKILL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_tkill is a struct null_event +SEC("tracepoint/syscalls/sys_enter_tkill") +int handle_sys_enter_tkill(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TKILL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_tkill is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_tkill") +int handle_sys_exit_tkill(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TKILL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigqueueinfo is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigqueueinfo") +int handle_sys_enter_rt_sigqueueinfo(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGQUEUEINFO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigqueueinfo is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigqueueinfo") +int handle_sys_exit_rt_sigqueueinfo(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGQUEUEINFO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_tgsigqueueinfo is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_tgsigqueueinfo") +int handle_sys_enter_rt_tgsigqueueinfo(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_TGSIGQUEUEINFO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_tgsigqueueinfo is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_tgsigqueueinfo") +int handle_sys_exit_rt_tgsigqueueinfo(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_TGSIGQUEUEINFO; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sigaltstack is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sigaltstack") +int handle_sys_enter_sigaltstack(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SIGALTSTACK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sigaltstack is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sigaltstack") +int handle_sys_exit_sigaltstack(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SIGALTSTACK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigaction is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigaction") +int handle_sys_enter_rt_sigaction(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGACTION; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigaction is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigaction") +int handle_sys_exit_rt_sigaction(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGACTION; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pause is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pause") +int handle_sys_enter_pause(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PAUSE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pause is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pause") +int handle_sys_exit_pause(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PAUSE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigsuspend is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigsuspend") +int handle_sys_enter_rt_sigsuspend(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGSUSPEND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigsuspend is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigsuspend") +int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGSUSPEND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ptrace is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ptrace") +int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PTRACE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ptrace is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ptrace") +int handle_sys_exit_ptrace(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PTRACE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_capget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_capget") +int handle_sys_enter_capget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CAPGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_capget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_capget") +int handle_sys_exit_capget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CAPGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_capset is a struct null_event +SEC("tracepoint/syscalls/sys_enter_capset") +int handle_sys_enter_capset(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CAPSET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_capset is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_capset") +int handle_sys_exit_capset(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CAPSET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_exit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_exit") +int handle_sys_enter_exit(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EXIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_exit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_exit") +int handle_sys_exit_exit(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_exit_group is a struct null_event +SEC("tracepoint/syscalls/sys_enter_exit_group") +int handle_sys_enter_exit_group(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EXIT_GROUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_exit_group is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_exit_group") +int handle_sys_exit_exit_group(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXIT_GROUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_waitid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_waitid") +int handle_sys_enter_waitid(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_WAITID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_waitid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_waitid") +int handle_sys_exit_waitid(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_WAITID; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_wait4 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_wait4") +int handle_sys_enter_wait4(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_WAIT4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_wait4 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_wait4") +int handle_sys_exit_wait4(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_WAIT4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_personality is a struct null_event +SEC("tracepoint/syscalls/sys_enter_personality") +int handle_sys_enter_personality(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PERSONALITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_personality is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_personality") +int handle_sys_exit_personality(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PERSONALITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_tid_address is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_tid_address") +int handle_sys_enter_set_tid_address(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_TID_ADDRESS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_tid_address is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_tid_address") +int handle_sys_exit_set_tid_address(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_TID_ADDRESS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fork is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fork") +int handle_sys_enter_fork(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FORK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fork is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fork") +int handle_sys_exit_fork(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FORK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_vfork is a struct null_event +SEC("tracepoint/syscalls/sys_enter_vfork") +int handle_sys_enter_vfork(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_VFORK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_vfork is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_vfork") +int handle_sys_exit_vfork(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_VFORK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clone is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clone") +int handle_sys_enter_clone(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLONE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clone is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clone") +int handle_sys_exit_clone(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLONE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clone3 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clone3") +int handle_sys_enter_clone3(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLONE3; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clone3 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clone3") +int handle_sys_exit_clone3(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLONE3; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_unshare is a struct null_event +SEC("tracepoint/syscalls/sys_enter_unshare") +int handle_sys_enter_unshare(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UNSHARE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_unshare is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_unshare") +int handle_sys_exit_unshare(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNSHARE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_map_shadow_stack is a struct null_event +SEC("tracepoint/syscalls/sys_enter_map_shadow_stack") +int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MAP_SHADOW_STACK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_map_shadow_stack is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_map_shadow_stack") +int handle_sys_exit_map_shadow_stack(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MAP_SHADOW_STACK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_uretprobe is a struct null_event +SEC("tracepoint/syscalls/sys_enter_uretprobe") +int handle_sys_enter_uretprobe(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_URETPROBE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_uretprobe is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_uretprobe") +int handle_sys_exit_uretprobe(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_URETPROBE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_uprobe is a struct null_event +SEC("tracepoint/syscalls/sys_enter_uprobe") +int handle_sys_enter_uprobe(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UPROBE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_uprobe is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_uprobe") +int handle_sys_exit_uprobe(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UPROBE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_arch_prctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_arch_prctl") +int handle_sys_enter_arch_prctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ARCH_PRCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_arch_prctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_arch_prctl") +int handle_sys_exit_arch_prctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ARCH_PRCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + /// sys_enter_mmap is a struct fd_event SEC("tracepoint/syscalls/sys_enter_mmap") int handle_sys_enter_mmap(struct syscall_trace_enter *ctx) { @@ -5817,3 +16918,179 @@ int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { return 0; } +/// sys_enter_modify_ldt is a struct null_event +SEC("tracepoint/syscalls/sys_enter_modify_ldt") +int handle_sys_enter_modify_ldt(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MODIFY_LDT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_modify_ldt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_modify_ldt") +int handle_sys_exit_modify_ldt(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MODIFY_LDT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ioperm is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ioperm") +int handle_sys_enter_ioperm(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IOPERM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ioperm is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioperm") +int handle_sys_exit_ioperm(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IOPERM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_iopl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_iopl") +int handle_sys_enter_iopl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IOPL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_iopl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_iopl") +int handle_sys_exit_iopl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IOPL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rt_sigreturn is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigreturn") +int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGRETURN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rt_sigreturn is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigreturn") +int handle_sys_exit_rt_sigreturn(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RT_SIGRETURN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 0d439b4..2cc1e52 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -1,270 +1,54 @@ -Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related -Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related -Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related -Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related -Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related -Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related -Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related -Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related -Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related -Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related -Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related -Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related -Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related -Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related -Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related -Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related -Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related -Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related -Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related -Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related -Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related -Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related -Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related -Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related -Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related -Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related -Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related -Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related -Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related -Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related -Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related -Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related -Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related -Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related -Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related -Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related -Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related -Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related -Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related -Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related -Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related -Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related -Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related -Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related -Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related -Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related -Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related -Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related -Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related -Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related -Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related -Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related -Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related -Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related -Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related -Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related -Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related -Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related -Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related -Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related -Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related -Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related -Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related -Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related -Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related -Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related -Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related -Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related -Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related -Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related -Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related -Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related -Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related -Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related -Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related -Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related -Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related -Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related -Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related -Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related -Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related -Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related -Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related -Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related -Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related -Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related -Ignoring sys_enter_listns sys_exit_listns as possibly not file I/O related -Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related -Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related -Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related -Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related -Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related -Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related -Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related -Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related -Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related -Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related -Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related -Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related -Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related -Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related -Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related -Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related -Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related -Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related -Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related -Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related -Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related -Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related -Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related -Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related -Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related -Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related -Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related -Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related -Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related -Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related -Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related -Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related -Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related -Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related -Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related -Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related -Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related -Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related -Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related -Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related -Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related -Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related -Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related -Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related -Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related -Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related -Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related -Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related -Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related -Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related -Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related -Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related -Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related -Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related -Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related -Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related -Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related -Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related -Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related -Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related -Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related -Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related -Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related -Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related -Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related -Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related -Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related -Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related -Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related -Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related -Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related -Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related -Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related -Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related -Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related -Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related -Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related -Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related -Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related -Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related -Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related -Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related -Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related -Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related -Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related -Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related -Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related -Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related -Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related -Ignoring sys_enter_select sys_exit_select as possibly not file I/O related -Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related -Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related -Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related -Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related -Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related -Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related -Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related -Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related -Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related -Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related -Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related -Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related -Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related -Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related -Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related -Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related -Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related -Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related -Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related -Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related -Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related -Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related -Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related -Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related -Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related -Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related -Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related -Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related -Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related -Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related -Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related -Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related -Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related -Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related -Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related -Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related -Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related -Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related -Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related -Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related -Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related -Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related -Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related -Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related -Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related -Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related -Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related -Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related -Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related -Ignoring sys_enter_time sys_exit_time as possibly not file I/O related -Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related -Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related -Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related -Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related -Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related -Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related -Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related -Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related -Ignoring sys_enter_times sys_exit_times as possibly not file I/O related -Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related -Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related -Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related -Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related -Ignoring sys_enter_uprobe sys_exit_uprobe as possibly not file I/O related -Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related -Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related -Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related -Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related -Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related -Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related -Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related -Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related -Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related +sys_enter_accept is a struct fd_event +sys_enter_accept4 is a struct fd_event sys_enter_access is a struct path_event +sys_enter_acct is a struct null_event +sys_enter_add_key is a struct null_event +sys_enter_adjtimex is a struct null_event +sys_enter_alarm is a struct null_event +sys_enter_arch_prctl is a struct null_event +sys_enter_bind is a struct fd_event +sys_enter_bpf is a struct null_event +sys_enter_brk is a struct null_event sys_enter_cachestat is a struct fd_event +sys_enter_capget is a struct null_event +sys_enter_capset is a struct null_event sys_enter_chdir is a struct path_event sys_enter_chmod is a struct path_event sys_enter_chown is a struct path_event sys_enter_chroot is a struct path_event +sys_enter_clock_adjtime is a struct null_event +sys_enter_clock_getres is a struct null_event +sys_enter_clock_gettime is a struct null_event +sys_enter_clock_nanosleep is a struct null_event +sys_enter_clock_settime is a struct null_event +sys_enter_clone is a struct null_event +sys_enter_clone3 is a struct null_event sys_enter_close is a struct fd_event sys_enter_close_range is a struct fd_event +sys_enter_connect is a struct fd_event sys_enter_copy_file_range is a struct fd_event sys_enter_creat is a struct path_event +sys_enter_delete_module is a struct null_event sys_enter_dup is a struct fd_event sys_enter_dup2 is a struct fd_event sys_enter_dup3 is a struct dup3_event +sys_enter_epoll_create is a struct null_event +sys_enter_epoll_create1 is a struct null_event +sys_enter_epoll_ctl is a struct fd_event +sys_enter_epoll_pwait is a struct null_event +sys_enter_epoll_pwait2 is a struct null_event +sys_enter_epoll_wait is a struct null_event +sys_enter_eventfd is a struct null_event +sys_enter_eventfd2 is a struct null_event +sys_enter_execve is a struct path_event +sys_enter_execveat is a struct fd_event +sys_enter_exit is a struct null_event +sys_enter_exit_group is a struct null_event sys_enter_faccessat is a struct path_event sys_enter_faccessat2 is a struct path_event sys_enter_fadvise64 is a struct fd_event sys_enter_fallocate is a struct fd_event +sys_enter_fanotify_init is a struct null_event sys_enter_fanotify_mark is a struct path_event sys_enter_fchdir is a struct fd_event sys_enter_fchmod is a struct fd_event @@ -280,19 +64,57 @@ sys_enter_file_setattr is a struct path_event sys_enter_finit_module is a struct fd_event sys_enter_flistxattr is a struct fd_event sys_enter_flock is a struct fd_event +sys_enter_fork is a struct null_event sys_enter_fremovexattr is a struct fd_event sys_enter_fsconfig is a struct fd_event sys_enter_fsetxattr is a struct fd_event +sys_enter_fsmount is a struct null_event +sys_enter_fsopen is a struct null_event sys_enter_fspick is a struct path_event sys_enter_fstatfs is a struct fd_event sys_enter_fsync is a struct fd_event sys_enter_ftruncate is a struct fd_event +sys_enter_futex is a struct null_event +sys_enter_futex_requeue is a struct null_event +sys_enter_futex_wait is a struct null_event +sys_enter_futex_waitv is a struct null_event +sys_enter_futex_wake is a struct null_event sys_enter_futimesat is a struct path_event +sys_enter_get_mempolicy is a struct null_event +sys_enter_get_robust_list is a struct null_event +sys_enter_getcpu is a struct null_event sys_enter_getcwd is a struct null_event sys_enter_getdents is a struct fd_event sys_enter_getdents64 is a struct fd_event +sys_enter_getegid is a struct null_event +sys_enter_geteuid is a struct null_event +sys_enter_getgid is a struct null_event +sys_enter_getgroups is a struct null_event +sys_enter_getitimer is a struct null_event +sys_enter_getpeername is a struct fd_event +sys_enter_getpgid is a struct null_event +sys_enter_getpgrp is a struct null_event +sys_enter_getpid is a struct null_event +sys_enter_getppid is a struct null_event +sys_enter_getpriority is a struct null_event +sys_enter_getrandom is a struct null_event +sys_enter_getresgid is a struct null_event +sys_enter_getresuid is a struct null_event +sys_enter_getrlimit is a struct null_event +sys_enter_getrusage is a struct null_event +sys_enter_getsid is a struct null_event +sys_enter_getsockname is a struct fd_event +sys_enter_getsockopt is a struct fd_event +sys_enter_gettid is a struct null_event +sys_enter_gettimeofday is a struct null_event +sys_enter_getuid is a struct null_event sys_enter_getxattr is a struct path_event sys_enter_getxattrat is a struct path_event +sys_enter_init_module is a struct null_event +sys_enter_inotify_add_watch is a struct fd_event +sys_enter_inotify_init is a struct null_event +sys_enter_inotify_init1 is a struct null_event +sys_enter_inotify_rm_watch is a struct fd_event sys_enter_io_cancel is a struct null_event sys_enter_io_destroy is a struct null_event sys_enter_io_getevents is a struct null_event @@ -303,85 +125,297 @@ sys_enter_io_uring_enter is a struct fd_event sys_enter_io_uring_register is a struct fd_event sys_enter_io_uring_setup is a struct null_event sys_enter_ioctl is a struct fd_event +sys_enter_ioperm is a struct null_event +sys_enter_iopl is a struct null_event +sys_enter_ioprio_get is a struct null_event +sys_enter_ioprio_set is a struct null_event +sys_enter_kcmp is a struct null_event +sys_enter_kexec_file_load is a struct null_event +sys_enter_kexec_load is a struct null_event +sys_enter_keyctl is a struct null_event +sys_enter_kill is a struct null_event +sys_enter_landlock_add_rule is a struct null_event +sys_enter_landlock_create_ruleset is a struct null_event +sys_enter_landlock_restrict_self is a struct null_event sys_enter_lchown is a struct path_event sys_enter_lgetxattr is a struct path_event sys_enter_link is a struct name_event sys_enter_linkat is a struct name_event +sys_enter_listen is a struct fd_event +sys_enter_listmount is a struct null_event +sys_enter_listns is a struct null_event sys_enter_listxattr is a struct path_event sys_enter_listxattrat is a struct path_event sys_enter_llistxattr is a struct path_event sys_enter_lremovexattr is a struct path_event sys_enter_lseek is a struct fd_event sys_enter_lsetxattr is a struct path_event +sys_enter_lsm_get_self_attr is a struct null_event +sys_enter_lsm_list_modules is a struct null_event +sys_enter_lsm_set_self_attr is a struct null_event +sys_enter_madvise is a struct null_event +sys_enter_map_shadow_stack is a struct null_event +sys_enter_mbind is a struct null_event +sys_enter_membarrier is a struct null_event +sys_enter_memfd_create is a struct null_event +sys_enter_memfd_secret is a struct null_event +sys_enter_migrate_pages is a struct null_event +sys_enter_mincore is a struct null_event sys_enter_mkdir is a struct path_event sys_enter_mkdirat is a struct path_event +sys_enter_mknod is a struct path_event +sys_enter_mknodat is a struct path_event +sys_enter_mlock is a struct null_event +sys_enter_mlock2 is a struct null_event +sys_enter_mlockall is a struct null_event sys_enter_mmap is a struct fd_event +sys_enter_modify_ldt is a struct null_event +sys_enter_mount is a struct null_event sys_enter_mount_setattr is a struct path_event +sys_enter_move_mount is a struct null_event +sys_enter_move_pages is a struct null_event +sys_enter_mprotect is a struct null_event +sys_enter_mq_getsetattr is a struct null_event +sys_enter_mq_notify is a struct null_event +sys_enter_mq_open is a struct null_event +sys_enter_mq_timedreceive is a struct null_event +sys_enter_mq_timedsend is a struct null_event +sys_enter_mq_unlink is a struct null_event +sys_enter_mremap is a struct null_event +sys_enter_mseal is a struct null_event +sys_enter_msgctl is a struct null_event +sys_enter_msgget is a struct null_event +sys_enter_msgrcv is a struct null_event +sys_enter_msgsnd is a struct null_event sys_enter_msync is a struct null_event +sys_enter_munlock is a struct null_event +sys_enter_munlockall is a struct null_event +sys_enter_munmap is a struct null_event sys_enter_name_to_handle_at is a struct path_event +sys_enter_nanosleep is a struct null_event sys_enter_newfstat is a struct fd_event sys_enter_newfstatat is a struct path_event sys_enter_newlstat is a struct path_event sys_enter_newstat is a struct path_event +sys_enter_newuname is a struct null_event sys_enter_open is a struct open_event sys_enter_open_by_handle_at is a struct open_by_handle_at_event sys_enter_open_tree is a struct open_event sys_enter_open_tree_attr is a struct open_event sys_enter_openat is a struct open_event sys_enter_openat2 is a struct open_event +sys_enter_pause is a struct null_event +sys_enter_perf_event_open is a struct null_event +sys_enter_personality is a struct null_event sys_enter_pidfd_getfd is a struct fd_event +sys_enter_pidfd_open is a struct null_event +sys_enter_pidfd_send_signal is a struct null_event +sys_enter_pipe is a struct null_event +sys_enter_pipe2 is a struct null_event +sys_enter_pivot_root is a struct null_event +sys_enter_pkey_alloc is a struct null_event +sys_enter_pkey_free is a struct null_event +sys_enter_pkey_mprotect is a struct null_event +sys_enter_poll is a struct null_event +sys_enter_ppoll is a struct null_event +sys_enter_prctl is a struct null_event sys_enter_pread64 is a struct fd_event sys_enter_preadv is a struct fd_event sys_enter_preadv2 is a struct fd_event +sys_enter_prlimit64 is a struct null_event +sys_enter_process_madvise is a struct null_event +sys_enter_process_mrelease is a struct null_event +sys_enter_process_vm_readv is a struct null_event +sys_enter_process_vm_writev is a struct null_event +sys_enter_pselect6 is a struct null_event +sys_enter_ptrace is a struct null_event sys_enter_pwrite64 is a struct fd_event sys_enter_pwritev is a struct fd_event sys_enter_pwritev2 is a struct fd_event +sys_enter_quotactl is a struct null_event sys_enter_quotactl_fd is a struct fd_event sys_enter_read is a struct fd_event sys_enter_readahead is a struct fd_event sys_enter_readlink is a struct path_event sys_enter_readlinkat is a struct path_event sys_enter_readv is a struct fd_event +sys_enter_reboot is a struct null_event +sys_enter_recvfrom is a struct fd_event +sys_enter_recvmmsg is a struct fd_event +sys_enter_recvmsg is a struct fd_event +sys_enter_remap_file_pages is a struct null_event sys_enter_removexattr is a struct path_event sys_enter_removexattrat is a struct path_event sys_enter_rename is a struct name_event sys_enter_renameat is a struct name_event sys_enter_renameat2 is a struct name_event +sys_enter_request_key is a struct null_event +sys_enter_restart_syscall is a struct null_event sys_enter_rmdir is a struct path_event +sys_enter_rseq is a struct null_event +sys_enter_rt_sigaction is a struct null_event +sys_enter_rt_sigpending is a struct null_event +sys_enter_rt_sigprocmask is a struct null_event +sys_enter_rt_sigqueueinfo is a struct null_event +sys_enter_rt_sigreturn is a struct null_event +sys_enter_rt_sigsuspend is a struct null_event +sys_enter_rt_sigtimedwait is a struct null_event +sys_enter_rt_tgsigqueueinfo is a struct null_event +sys_enter_sched_get_priority_max is a struct null_event +sys_enter_sched_get_priority_min is a struct null_event +sys_enter_sched_getaffinity is a struct null_event +sys_enter_sched_getattr is a struct null_event +sys_enter_sched_getparam is a struct null_event +sys_enter_sched_getscheduler is a struct null_event +sys_enter_sched_rr_get_interval is a struct null_event +sys_enter_sched_setaffinity is a struct null_event +sys_enter_sched_setattr is a struct null_event +sys_enter_sched_setparam is a struct null_event +sys_enter_sched_setscheduler is a struct null_event +sys_enter_sched_yield is a struct null_event +sys_enter_seccomp is a struct null_event +sys_enter_select is a struct null_event +sys_enter_semctl is a struct null_event +sys_enter_semget is a struct null_event +sys_enter_semop is a struct null_event +sys_enter_semtimedop is a struct null_event +sys_enter_sendfile64 is a struct null_event +sys_enter_sendmmsg is a struct fd_event +sys_enter_sendmsg is a struct fd_event +sys_enter_sendto is a struct fd_event +sys_enter_set_mempolicy is a struct null_event +sys_enter_set_mempolicy_home_node is a struct null_event +sys_enter_set_robust_list is a struct null_event +sys_enter_set_tid_address is a struct null_event +sys_enter_setdomainname is a struct null_event +sys_enter_setfsgid is a struct null_event +sys_enter_setfsuid is a struct null_event +sys_enter_setgid is a struct null_event +sys_enter_setgroups is a struct null_event +sys_enter_sethostname is a struct null_event +sys_enter_setitimer is a struct null_event +sys_enter_setns is a struct fd_event +sys_enter_setpgid is a struct null_event +sys_enter_setpriority is a struct null_event +sys_enter_setregid is a struct null_event +sys_enter_setresgid is a struct null_event +sys_enter_setresuid is a struct null_event +sys_enter_setreuid is a struct null_event +sys_enter_setrlimit is a struct null_event +sys_enter_setsid is a struct null_event +sys_enter_setsockopt is a struct fd_event +sys_enter_settimeofday is a struct null_event +sys_enter_setuid is a struct null_event sys_enter_setxattr is a struct path_event sys_enter_setxattrat is a struct path_event +sys_enter_shmat is a struct null_event +sys_enter_shmctl is a struct null_event +sys_enter_shmdt is a struct null_event +sys_enter_shmget is a struct null_event +sys_enter_shutdown is a struct fd_event +sys_enter_sigaltstack is a struct null_event +sys_enter_signalfd is a struct null_event +sys_enter_signalfd4 is a struct null_event +sys_enter_socket is a struct null_event +sys_enter_socketpair is a struct null_event +sys_enter_splice is a struct null_event sys_enter_statfs is a struct path_event +sys_enter_statmount is a struct null_event sys_enter_statx is a struct path_event +sys_enter_swapoff is a struct null_event +sys_enter_swapon is a struct null_event sys_enter_symlink is a struct name_event sys_enter_symlinkat is a struct name_event sys_enter_sync is a struct null_event sys_enter_sync_file_range is a struct fd_event sys_enter_syncfs is a struct fd_event +sys_enter_sysfs is a struct null_event +sys_enter_sysinfo is a struct null_event sys_enter_syslog is a struct null_event +sys_enter_tee is a struct null_event +sys_enter_tgkill is a struct null_event +sys_enter_time is a struct null_event +sys_enter_timer_create is a struct null_event +sys_enter_timer_delete is a struct null_event +sys_enter_timer_getoverrun is a struct null_event +sys_enter_timer_gettime is a struct null_event +sys_enter_timer_settime is a struct null_event +sys_enter_timerfd_create is a struct null_event +sys_enter_timerfd_gettime is a struct null_event +sys_enter_timerfd_settime is a struct null_event +sys_enter_times is a struct null_event +sys_enter_tkill is a struct null_event sys_enter_truncate is a struct path_event +sys_enter_umask is a struct null_event +sys_enter_umount is a struct null_event sys_enter_unlink is a struct path_event sys_enter_unlinkat is a struct path_event +sys_enter_unshare is a struct null_event +sys_enter_uprobe is a struct null_event +sys_enter_uretprobe is a struct null_event +sys_enter_userfaultfd is a struct null_event +sys_enter_ustat is a struct null_event +sys_enter_utime is a struct null_event sys_enter_utimensat is a struct path_event +sys_enter_utimes is a struct null_event +sys_enter_vfork is a struct null_event +sys_enter_vhangup is a struct null_event sys_enter_vmsplice is a struct fd_event +sys_enter_wait4 is a struct null_event +sys_enter_waitid is a struct null_event sys_enter_write is a struct fd_event sys_enter_writev is a struct fd_event +sys_exit_accept is a struct ret_event (UNCLASSIFIED) +sys_exit_accept4 is a struct ret_event (UNCLASSIFIED) sys_exit_access is a struct ret_event (UNCLASSIFIED) +sys_exit_acct is a struct ret_event (UNCLASSIFIED) +sys_exit_add_key is a struct ret_event (UNCLASSIFIED) +sys_exit_adjtimex is a struct ret_event (UNCLASSIFIED) +sys_exit_alarm is a struct ret_event (UNCLASSIFIED) +sys_exit_arch_prctl is a struct ret_event (UNCLASSIFIED) +sys_exit_bind is a struct ret_event (UNCLASSIFIED) +sys_exit_bpf is a struct ret_event (UNCLASSIFIED) +sys_exit_brk is a struct ret_event (UNCLASSIFIED) sys_exit_cachestat is a struct ret_event (UNCLASSIFIED) +sys_exit_capget is a struct ret_event (UNCLASSIFIED) +sys_exit_capset is a struct ret_event (UNCLASSIFIED) sys_exit_chdir is a struct ret_event (UNCLASSIFIED) sys_exit_chmod is a struct ret_event (UNCLASSIFIED) sys_exit_chown is a struct ret_event (UNCLASSIFIED) sys_exit_chroot is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_adjtime is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_getres is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_gettime is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_nanosleep is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_settime is a struct ret_event (UNCLASSIFIED) +sys_exit_clone is a struct ret_event (UNCLASSIFIED) +sys_exit_clone3 is a struct ret_event (UNCLASSIFIED) sys_exit_close is a struct ret_event (UNCLASSIFIED) sys_exit_close_range is a struct ret_event (UNCLASSIFIED) +sys_exit_connect is a struct ret_event (UNCLASSIFIED) sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) sys_exit_creat is a struct ret_event (UNCLASSIFIED) +sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) sys_exit_dup is a struct ret_event (UNCLASSIFIED) sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED) +sys_exit_eventfd is a struct ret_event (UNCLASSIFIED) +sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED) +sys_exit_execve is a struct ret_event (UNCLASSIFIED) +sys_exit_execveat is a struct ret_event (UNCLASSIFIED) +sys_exit_exit is a struct ret_event (UNCLASSIFIED) +sys_exit_exit_group is a struct ret_event (UNCLASSIFIED) sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) +sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) @@ -397,19 +431,57 @@ sys_exit_file_setattr is a struct ret_event (UNCLASSIFIED) sys_exit_finit_module is a struct ret_event (UNCLASSIFIED) sys_exit_flistxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_flock is a struct ret_event (UNCLASSIFIED) +sys_exit_fork is a struct ret_event (UNCLASSIFIED) sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) +sys_exit_fsmount is a struct ret_event (UNCLASSIFIED) +sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) sys_exit_fspick is a struct ret_event (UNCLASSIFIED) sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) sys_exit_fsync is a struct ret_event (UNCLASSIFIED) sys_exit_ftruncate is a struct ret_event (UNCLASSIFIED) +sys_exit_futex is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_requeue is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_wait is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_waitv is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_wake is a struct ret_event (UNCLASSIFIED) sys_exit_futimesat is a struct ret_event (UNCLASSIFIED) +sys_exit_get_mempolicy is a struct ret_event (UNCLASSIFIED) +sys_exit_get_robust_list is a struct ret_event (UNCLASSIFIED) +sys_exit_getcpu is a struct ret_event (UNCLASSIFIED) sys_exit_getcwd is a struct ret_event (UNCLASSIFIED) sys_exit_getdents is a struct ret_event (READ_CLASSIFIED) sys_exit_getdents64 is a struct ret_event (READ_CLASSIFIED) +sys_exit_getegid is a struct ret_event (UNCLASSIFIED) +sys_exit_geteuid is a struct ret_event (UNCLASSIFIED) +sys_exit_getgid is a struct ret_event (UNCLASSIFIED) +sys_exit_getgroups is a struct ret_event (UNCLASSIFIED) +sys_exit_getitimer is a struct ret_event (UNCLASSIFIED) +sys_exit_getpeername is a struct ret_event (UNCLASSIFIED) +sys_exit_getpgid is a struct ret_event (UNCLASSIFIED) +sys_exit_getpgrp is a struct ret_event (UNCLASSIFIED) +sys_exit_getpid is a struct ret_event (UNCLASSIFIED) +sys_exit_getppid is a struct ret_event (UNCLASSIFIED) +sys_exit_getpriority is a struct ret_event (UNCLASSIFIED) +sys_exit_getrandom is a struct ret_event (UNCLASSIFIED) +sys_exit_getresgid is a struct ret_event (UNCLASSIFIED) +sys_exit_getresuid is a struct ret_event (UNCLASSIFIED) +sys_exit_getrlimit is a struct ret_event (UNCLASSIFIED) +sys_exit_getrusage is a struct ret_event (UNCLASSIFIED) +sys_exit_getsid is a struct ret_event (UNCLASSIFIED) +sys_exit_getsockname is a struct ret_event (UNCLASSIFIED) +sys_exit_getsockopt is a struct ret_event (UNCLASSIFIED) +sys_exit_gettid is a struct ret_event (UNCLASSIFIED) +sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) +sys_exit_getuid is a struct ret_event (UNCLASSIFIED) sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) +sys_exit_init_module is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) sys_exit_io_getevents is a struct ret_event (UNCLASSIFIED) @@ -420,65 +492,243 @@ sys_exit_io_uring_enter is a struct ret_event (UNCLASSIFIED) sys_exit_io_uring_register is a struct ret_event (UNCLASSIFIED) sys_exit_io_uring_setup is a struct ret_event (UNCLASSIFIED) sys_exit_ioctl is a struct ret_event (UNCLASSIFIED) +sys_exit_ioperm is a struct ret_event (UNCLASSIFIED) +sys_exit_iopl is a struct ret_event (UNCLASSIFIED) +sys_exit_ioprio_get is a struct ret_event (UNCLASSIFIED) +sys_exit_ioprio_set is a struct ret_event (UNCLASSIFIED) +sys_exit_kcmp is a struct ret_event (UNCLASSIFIED) +sys_exit_kexec_file_load is a struct ret_event (UNCLASSIFIED) +sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) +sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) +sys_exit_kill is a struct ret_event (UNCLASSIFIED) +sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) +sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) +sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) sys_exit_lchown is a struct ret_event (UNCLASSIFIED) sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_link is a struct ret_event (UNCLASSIFIED) sys_exit_linkat is a struct ret_event (UNCLASSIFIED) +sys_exit_listen is a struct ret_event (UNCLASSIFIED) +sys_exit_listmount is a struct ret_event (UNCLASSIFIED) +sys_exit_listns is a struct ret_event (UNCLASSIFIED) sys_exit_listxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_listxattrat is a struct ret_event (UNCLASSIFIED) sys_exit_llistxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_lremovexattr is a struct ret_event (UNCLASSIFIED) sys_exit_lseek is a struct ret_event (UNCLASSIFIED) sys_exit_lsetxattr is a struct ret_event (UNCLASSIFIED) +sys_exit_lsm_get_self_attr is a struct ret_event (UNCLASSIFIED) +sys_exit_lsm_list_modules is a struct ret_event (UNCLASSIFIED) +sys_exit_lsm_set_self_attr is a struct ret_event (UNCLASSIFIED) +sys_exit_madvise is a struct ret_event (UNCLASSIFIED) +sys_exit_map_shadow_stack is a struct ret_event (UNCLASSIFIED) +sys_exit_mbind is a struct ret_event (UNCLASSIFIED) +sys_exit_membarrier is a struct ret_event (UNCLASSIFIED) +sys_exit_memfd_create is a struct ret_event (UNCLASSIFIED) +sys_exit_memfd_secret is a struct ret_event (UNCLASSIFIED) +sys_exit_migrate_pages is a struct ret_event (UNCLASSIFIED) +sys_exit_mincore is a struct ret_event (UNCLASSIFIED) sys_exit_mkdir is a struct ret_event (UNCLASSIFIED) sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED) +sys_exit_mknod is a struct ret_event (UNCLASSIFIED) +sys_exit_mknodat is a struct ret_event (UNCLASSIFIED) +sys_exit_mlock is a struct ret_event (UNCLASSIFIED) +sys_exit_mlock2 is a struct ret_event (UNCLASSIFIED) +sys_exit_mlockall is a struct ret_event (UNCLASSIFIED) sys_exit_mmap is a struct ret_event (UNCLASSIFIED) +sys_exit_modify_ldt is a struct ret_event (UNCLASSIFIED) +sys_exit_mount is a struct ret_event (UNCLASSIFIED) sys_exit_mount_setattr is a struct ret_event (UNCLASSIFIED) +sys_exit_move_mount is a struct ret_event (UNCLASSIFIED) +sys_exit_move_pages is a struct ret_event (UNCLASSIFIED) +sys_exit_mprotect is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_getsetattr is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_notify is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_open is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_timedreceive is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_timedsend is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_unlink is a struct ret_event (UNCLASSIFIED) +sys_exit_mremap is a struct ret_event (UNCLASSIFIED) +sys_exit_mseal is a struct ret_event (UNCLASSIFIED) +sys_exit_msgctl is a struct ret_event (UNCLASSIFIED) +sys_exit_msgget is a struct ret_event (UNCLASSIFIED) +sys_exit_msgrcv is a struct ret_event (UNCLASSIFIED) +sys_exit_msgsnd is a struct ret_event (UNCLASSIFIED) sys_exit_msync is a struct ret_event (UNCLASSIFIED) +sys_exit_munlock is a struct ret_event (UNCLASSIFIED) +sys_exit_munlockall is a struct ret_event (UNCLASSIFIED) +sys_exit_munmap is a struct ret_event (UNCLASSIFIED) sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED) +sys_exit_nanosleep is a struct ret_event (UNCLASSIFIED) sys_exit_newfstat is a struct ret_event (UNCLASSIFIED) sys_exit_newfstatat is a struct ret_event (UNCLASSIFIED) sys_exit_newlstat is a struct ret_event (UNCLASSIFIED) sys_exit_newstat is a struct ret_event (UNCLASSIFIED) +sys_exit_newuname is a struct ret_event (UNCLASSIFIED) sys_exit_open is a struct ret_event (UNCLASSIFIED) sys_exit_open_by_handle_at is a struct ret_event (UNCLASSIFIED) sys_exit_open_tree is a struct ret_event (UNCLASSIFIED) sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED) sys_exit_openat is a struct ret_event (UNCLASSIFIED) sys_exit_openat2 is a struct ret_event (UNCLASSIFIED) +sys_exit_pause is a struct ret_event (UNCLASSIFIED) +sys_exit_perf_event_open is a struct ret_event (UNCLASSIFIED) +sys_exit_personality is a struct ret_event (UNCLASSIFIED) sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED) +sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) +sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED) +sys_exit_pipe is a struct ret_event (UNCLASSIFIED) +sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED) +sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED) +sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED) +sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED) +sys_exit_pkey_mprotect is a struct ret_event (UNCLASSIFIED) +sys_exit_poll is a struct ret_event (UNCLASSIFIED) +sys_exit_ppoll is a struct ret_event (UNCLASSIFIED) +sys_exit_prctl is a struct ret_event (UNCLASSIFIED) sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED) sys_exit_preadv is a struct ret_event (READ_CLASSIFIED) sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED) +sys_exit_prlimit64 is a struct ret_event (UNCLASSIFIED) +sys_exit_process_madvise is a struct ret_event (UNCLASSIFIED) +sys_exit_process_mrelease is a struct ret_event (UNCLASSIFIED) +sys_exit_process_vm_readv is a struct ret_event (READ_CLASSIFIED) +sys_exit_process_vm_writev is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_pselect6 is a struct ret_event (UNCLASSIFIED) +sys_exit_ptrace is a struct ret_event (UNCLASSIFIED) sys_exit_pwrite64 is a struct ret_event (WRITE_CLASSIFIED) sys_exit_pwritev is a struct ret_event (WRITE_CLASSIFIED) sys_exit_pwritev2 is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_quotactl is a struct ret_event (UNCLASSIFIED) sys_exit_quotactl_fd is a struct ret_event (UNCLASSIFIED) sys_exit_read is a struct ret_event (READ_CLASSIFIED) sys_exit_readahead is a struct ret_event (UNCLASSIFIED) sys_exit_readlink is a struct ret_event (READ_CLASSIFIED) sys_exit_readlinkat is a struct ret_event (READ_CLASSIFIED) sys_exit_readv is a struct ret_event (READ_CLASSIFIED) +sys_exit_reboot is a struct ret_event (UNCLASSIFIED) +sys_exit_recvfrom is a struct ret_event (READ_CLASSIFIED) +sys_exit_recvmmsg is a struct ret_event (READ_CLASSIFIED) +sys_exit_recvmsg is a struct ret_event (READ_CLASSIFIED) +sys_exit_remap_file_pages is a struct ret_event (UNCLASSIFIED) sys_exit_removexattr is a struct ret_event (UNCLASSIFIED) sys_exit_removexattrat is a struct ret_event (UNCLASSIFIED) sys_exit_rename is a struct ret_event (UNCLASSIFIED) sys_exit_renameat is a struct ret_event (UNCLASSIFIED) sys_exit_renameat2 is a struct ret_event (UNCLASSIFIED) +sys_exit_request_key is a struct ret_event (UNCLASSIFIED) +sys_exit_restart_syscall is a struct ret_event (UNCLASSIFIED) sys_exit_rmdir is a struct ret_event (UNCLASSIFIED) +sys_exit_rseq is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigaction is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigpending is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigprocmask is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigqueueinfo is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigreturn is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigsuspend is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigtimedwait is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_tgsigqueueinfo is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_get_priority_max is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_get_priority_min is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getaffinity is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getattr is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getparam is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getscheduler is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_rr_get_interval is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setaffinity is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setattr is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setparam is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setscheduler is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_yield is a struct ret_event (UNCLASSIFIED) +sys_exit_seccomp is a struct ret_event (UNCLASSIFIED) +sys_exit_select is a struct ret_event (UNCLASSIFIED) +sys_exit_semctl is a struct ret_event (UNCLASSIFIED) +sys_exit_semget is a struct ret_event (UNCLASSIFIED) +sys_exit_semop is a struct ret_event (UNCLASSIFIED) +sys_exit_semtimedop is a struct ret_event (UNCLASSIFIED) +sys_exit_sendfile64 is a struct ret_event (TRANSFER_CLASSIFIED) +sys_exit_sendmmsg is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_sendmsg is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_sendto is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_set_mempolicy is a struct ret_event (UNCLASSIFIED) +sys_exit_set_mempolicy_home_node is a struct ret_event (UNCLASSIFIED) +sys_exit_set_robust_list is a struct ret_event (UNCLASSIFIED) +sys_exit_set_tid_address is a struct ret_event (UNCLASSIFIED) +sys_exit_setdomainname is a struct ret_event (UNCLASSIFIED) +sys_exit_setfsgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setfsuid is a struct ret_event (UNCLASSIFIED) +sys_exit_setgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setgroups is a struct ret_event (UNCLASSIFIED) +sys_exit_sethostname is a struct ret_event (UNCLASSIFIED) +sys_exit_setitimer is a struct ret_event (UNCLASSIFIED) +sys_exit_setns is a struct ret_event (UNCLASSIFIED) +sys_exit_setpgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setpriority is a struct ret_event (UNCLASSIFIED) +sys_exit_setregid is a struct ret_event (UNCLASSIFIED) +sys_exit_setresgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setresuid is a struct ret_event (UNCLASSIFIED) +sys_exit_setreuid is a struct ret_event (UNCLASSIFIED) +sys_exit_setrlimit is a struct ret_event (UNCLASSIFIED) +sys_exit_setsid is a struct ret_event (UNCLASSIFIED) +sys_exit_setsockopt is a struct ret_event (UNCLASSIFIED) +sys_exit_settimeofday is a struct ret_event (UNCLASSIFIED) +sys_exit_setuid is a struct ret_event (UNCLASSIFIED) sys_exit_setxattr is a struct ret_event (UNCLASSIFIED) sys_exit_setxattrat is a struct ret_event (UNCLASSIFIED) +sys_exit_shmat is a struct ret_event (UNCLASSIFIED) +sys_exit_shmctl is a struct ret_event (UNCLASSIFIED) +sys_exit_shmdt is a struct ret_event (UNCLASSIFIED) +sys_exit_shmget is a struct ret_event (UNCLASSIFIED) +sys_exit_shutdown is a struct ret_event (UNCLASSIFIED) +sys_exit_sigaltstack is a struct ret_event (UNCLASSIFIED) +sys_exit_signalfd is a struct ret_event (UNCLASSIFIED) +sys_exit_signalfd4 is a struct ret_event (UNCLASSIFIED) +sys_exit_socket is a struct ret_event (UNCLASSIFIED) +sys_exit_socketpair is a struct ret_event (UNCLASSIFIED) +sys_exit_splice is a struct ret_event (TRANSFER_CLASSIFIED) sys_exit_statfs is a struct ret_event (UNCLASSIFIED) +sys_exit_statmount is a struct ret_event (UNCLASSIFIED) sys_exit_statx is a struct ret_event (UNCLASSIFIED) +sys_exit_swapoff is a struct ret_event (UNCLASSIFIED) +sys_exit_swapon is a struct ret_event (UNCLASSIFIED) sys_exit_symlink is a struct ret_event (UNCLASSIFIED) sys_exit_symlinkat is a struct ret_event (UNCLASSIFIED) sys_exit_sync is a struct ret_event (UNCLASSIFIED) sys_exit_sync_file_range is a struct ret_event (UNCLASSIFIED) sys_exit_syncfs is a struct ret_event (UNCLASSIFIED) +sys_exit_sysfs is a struct ret_event (UNCLASSIFIED) +sys_exit_sysinfo is a struct ret_event (UNCLASSIFIED) sys_exit_syslog is a struct ret_event (READ_CLASSIFIED) +sys_exit_tee is a struct ret_event (TRANSFER_CLASSIFIED) +sys_exit_tgkill is a struct ret_event (UNCLASSIFIED) +sys_exit_time is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_create is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_delete is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_getoverrun is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_gettime is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_settime is a struct ret_event (UNCLASSIFIED) +sys_exit_timerfd_create is a struct ret_event (UNCLASSIFIED) +sys_exit_timerfd_gettime is a struct ret_event (UNCLASSIFIED) +sys_exit_timerfd_settime is a struct ret_event (UNCLASSIFIED) +sys_exit_times is a struct ret_event (UNCLASSIFIED) +sys_exit_tkill is a struct ret_event (UNCLASSIFIED) sys_exit_truncate is a struct ret_event (UNCLASSIFIED) +sys_exit_umask is a struct ret_event (UNCLASSIFIED) +sys_exit_umount is a struct ret_event (UNCLASSIFIED) sys_exit_unlink is a struct ret_event (UNCLASSIFIED) sys_exit_unlinkat is a struct ret_event (UNCLASSIFIED) +sys_exit_unshare is a struct ret_event (UNCLASSIFIED) +sys_exit_uprobe is a struct ret_event (UNCLASSIFIED) +sys_exit_uretprobe is a struct ret_event (UNCLASSIFIED) +sys_exit_userfaultfd is a struct ret_event (UNCLASSIFIED) +sys_exit_ustat is a struct ret_event (UNCLASSIFIED) +sys_exit_utime is a struct ret_event (UNCLASSIFIED) sys_exit_utimensat is a struct ret_event (UNCLASSIFIED) +sys_exit_utimes is a struct ret_event (UNCLASSIFIED) +sys_exit_vfork is a struct ret_event (UNCLASSIFIED) +sys_exit_vhangup is a struct ret_event (UNCLASSIFIED) sys_exit_vmsplice is a struct ret_event (TRANSFER_CLASSIFIED) +sys_exit_wait4 is a struct ret_event (UNCLASSIFIED) +sys_exit_waitid is a struct ret_event (UNCLASSIFIED) sys_exit_write is a struct ret_event (WRITE_CLASSIFIED) sys_exit_writev is a struct ret_event (WRITE_CLASSIFIED) |