| author | Paul Buetow <paul@buetow.org> | 2024-03-09 18:18:41 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-03-09 23:48:02 +0200 |
| commit | 60defe5b1312b0cdcaaa62659ec851971b3c018d (patch) | |
| tree | 7fa215b3e7e03e62f45e0834bbf5bd8bea75828e /internal/c | |
| parent | 478a1eb094a7d9e050cef60f80d9a8af1835dfcf (diff) | |
Also auto-generate open syscalls.
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated/tracepoints.c | 2118 | ||||
| -rw-r--r-- | internal/c/generated/tracepoints.raku | 203 | ||||
| -rw-r--r-- | internal/c/ioriotng.bpf.c | 3 | ||||
| -rw-r--r-- | internal/c/tracepoints/open.c | 71 | ||||
| -rw-r--r-- | internal/c/types.h | 1 |
5 files changed, 1669 insertions, 727 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c
index 8ba2028..e1cb7d6 100644
--- a/internal/c/generated/tracepoints.c
+++ b/internal/c/generated/tracepoints.c
@@ -1,114 +1,177 @@ // Code generated - don't change manually! -#define SYS_EXIT_CACHESTAT 527 -#define SYS_ENTER_CACHESTAT 528 -#define SYS_EXIT_CLOSE_RANGE 700 -#define SYS_ENTER_CLOSE_RANGE 701 -#define SYS_EXIT_CLOSE 702 -#define SYS_ENTER_CLOSE 703 -#define SYS_EXIT_CREAT 704 -#define SYS_ENTER_CREAT 705 -#define SYS_EXIT_FCHOWN 712 -#define SYS_ENTER_FCHOWN 713 -#define SYS_EXIT_FCHMOD 726 -#define SYS_ENTER_FCHMOD 727 -#define SYS_EXIT_FCHDIR 730 -#define SYS_ENTER_FCHDIR 731 -#define SYS_EXIT_FTRUNCATE 742 -#define SYS_ENTER_FTRUNCATE 743 -#define SYS_EXIT_COPY_FILE_RANGE 746 -#define SYS_ENTER_COPY_FILE_RANGE 747 -#define SYS_EXIT_PWRITE64 762 -#define SYS_ENTER_PWRITE64 763 -#define SYS_EXIT_PREAD64 764 -#define SYS_ENTER_PREAD64 765 -#define SYS_EXIT_WRITE 766 -#define SYS_ENTER_WRITE 767 -#define SYS_EXIT_READ 768 -#define SYS_ENTER_READ 769 -#define SYS_EXIT_LSEEK 770 -#define SYS_ENTER_LSEEK 771 -#define SYS_EXIT_READLINKAT 776 -#define SYS_ENTER_READLINKAT 777 -#define SYS_EXIT_NEWFSTAT 778 -#define SYS_ENTER_NEWFSTAT 779 -#define SYS_EXIT_RENAME 794 -#define SYS_ENTER_RENAME 795 -#define SYS_EXIT_RENAMEAT 796 -#define SYS_ENTER_RENAMEAT 797 -#define SYS_EXIT_RENAMEAT2 798 -#define SYS_ENTER_RENAMEAT2 799 -#define SYS_EXIT_LINK 800 -#define SYS_ENTER_LINK 801 -#define SYS_EXIT_LINKAT 802 -#define SYS_ENTER_LINKAT 803 -#define SYS_EXIT_SYMLINK 804 -#define SYS_ENTER_SYMLINK 805 -#define SYS_EXIT_SYMLINKAT 806 -#define SYS_ENTER_SYMLINKAT 807 -#define SYS_EXIT_UNLINK 808 -#define SYS_ENTER_UNLINK 809 -#define SYS_EXIT_UNLINKAT 810 -#define SYS_ENTER_UNLINKAT 811 -#define SYS_EXIT_RMDIR 812 -#define SYS_ENTER_RMDIR 813 -#define SYS_EXIT_MKDIR 814 -#define SYS_ENTER_MKDIR 815 -#define SYS_EXIT_MKDIRAT 816 -#define SYS_ENTER_MKDIRAT 817 -#define SYS_EXIT_FCNTL 822 -#define SYS_ENTER_FCNTL 823 -#define SYS_EXIT_IOCTL 824 -#define SYS_ENTER_IOCTL 825 -#define SYS_EXIT_GETDENTS64 826 -#define SYS_ENTER_GETDENTS64 827 -#define SYS_EXIT_GETDENTS 828 -#define 
SYS_ENTER_GETDENTS 829 -#define SYS_EXIT_LREMOVEXATTR 862 -#define SYS_ENTER_LREMOVEXATTR 863 -#define SYS_EXIT_REMOVEXATTR 864 -#define SYS_ENTER_REMOVEXATTR 865 -#define SYS_EXIT_LLISTXATTR 868 -#define SYS_ENTER_LLISTXATTR 869 -#define SYS_EXIT_LISTXATTR 870 -#define SYS_ENTER_LISTXATTR 871 -#define SYS_EXIT_LGETXATTR 874 -#define SYS_ENTER_LGETXATTR 875 -#define SYS_EXIT_GETXATTR 876 -#define SYS_ENTER_GETXATTR 877 -#define SYS_EXIT_LSETXATTR 880 -#define SYS_ENTER_LSETXATTR 881 -#define SYS_EXIT_SETXATTR 882 -#define SYS_ENTER_SETXATTR 883 -#define SYS_EXIT_SYNC_FILE_RANGE 922 -#define SYS_ENTER_SYNC_FILE_RANGE 923 -#define SYS_EXIT_FDATASYNC 924 -#define SYS_ENTER_FDATASYNC 925 -#define SYS_EXIT_FSYNC 926 -#define SYS_ENTER_FSYNC 927 -#define SYS_EXIT_FSTATFS 944 -#define SYS_ENTER_FSTATFS 945 -#define SYS_EXIT_STATFS 946 -#define SYS_ENTER_STATFS 947 -#define SYS_EXIT_INOTIFY_RM_WATCH 954 -#define SYS_ENTER_INOTIFY_RM_WATCH 955 -#define SYS_EXIT_INOTIFY_ADD_WATCH 956 -#define SYS_ENTER_INOTIFY_ADD_WATCH 957 -#define SYS_EXIT_FANOTIFY_MARK 962 -#define SYS_ENTER_FANOTIFY_MARK 963 -#define SYS_EXIT_FLOCK 1020 -#define SYS_ENTER_FLOCK 1021 -#define SYS_EXIT_QUOTACTL_FD 1051 -#define SYS_ENTER_QUOTACTL_FD 1052 -#define SYS_EXIT_MQ_UNLINK 1321 -#define SYS_ENTER_MQ_UNLINK 1322 -#define SYS_EXIT_IO_URING_REGISTER 1377 -#define SYS_ENTER_IO_URING_REGISTER 1378 -#define SYS_EXIT_IO_URING_ENTER 1381 #define SYS_ENTER_IO_URING_ENTER 1382 +#define SYS_EXIT_IO_URING_ENTER 1381 +#define SYS_ENTER_IO_URING_REGISTER 1378 +#define SYS_EXIT_IO_URING_REGISTER 1377 +#define SYS_ENTER_QUOTACTL_FD 1052 +#define SYS_EXIT_QUOTACTL_FD 1051 +#define SYS_ENTER_FLOCK 1021 +#define SYS_EXIT_FLOCK 1020 +#define SYS_ENTER_FANOTIFY_MARK 963 +#define SYS_EXIT_FANOTIFY_MARK 962 +#define SYS_ENTER_INOTIFY_ADD_WATCH 957 +#define SYS_EXIT_INOTIFY_ADD_WATCH 956 +#define SYS_ENTER_STATFS 947 +#define SYS_EXIT_STATFS 946 +#define SYS_ENTER_FSTATFS 945 +#define SYS_EXIT_FSTATFS 944 +#define 
SYS_ENTER_UTIMENSAT 939 +#define SYS_EXIT_UTIMENSAT 938 +#define SYS_ENTER_FUTIMESAT 937 +#define SYS_EXIT_FUTIMESAT 936 +#define SYS_ENTER_FSYNC 927 +#define SYS_EXIT_FSYNC 926 +#define SYS_ENTER_FDATASYNC 925 +#define SYS_EXIT_FDATASYNC 924 +#define SYS_ENTER_SETXATTR 883 +#define SYS_EXIT_SETXATTR 882 +#define SYS_ENTER_LSETXATTR 881 +#define SYS_EXIT_LSETXATTR 880 +#define SYS_ENTER_GETXATTR 877 +#define SYS_EXIT_GETXATTR 876 +#define SYS_ENTER_LGETXATTR 875 +#define SYS_EXIT_LGETXATTR 874 +#define SYS_ENTER_LISTXATTR 871 +#define SYS_EXIT_LISTXATTR 870 +#define SYS_ENTER_LLISTXATTR 869 +#define SYS_EXIT_LLISTXATTR 868 +#define SYS_ENTER_REMOVEXATTR 865 +#define SYS_EXIT_REMOVEXATTR 864 +#define SYS_ENTER_LREMOVEXATTR 863 +#define SYS_EXIT_LREMOVEXATTR 862 +#define SYS_ENTER_OPEN_TREE 857 +#define SYS_EXIT_OPEN_TREE 856 +#define SYS_ENTER_GETDENTS 829 +#define SYS_EXIT_GETDENTS 828 +#define SYS_ENTER_GETDENTS64 827 +#define SYS_EXIT_GETDENTS64 826 +#define SYS_ENTER_IOCTL 825 +#define SYS_EXIT_IOCTL 824 +#define SYS_ENTER_FCNTL 823 +#define SYS_EXIT_FCNTL 822 +#define SYS_ENTER_MKNODAT 821 +#define SYS_EXIT_MKNODAT 820 +#define SYS_ENTER_MKNOD 819 +#define SYS_EXIT_MKNOD 818 +#define SYS_ENTER_MKDIRAT 817 +#define SYS_EXIT_MKDIRAT 816 +#define SYS_ENTER_MKDIR 815 +#define SYS_EXIT_MKDIR 814 +#define SYS_ENTER_RMDIR 813 +#define SYS_EXIT_RMDIR 812 +#define SYS_ENTER_UNLINKAT 811 +#define SYS_EXIT_UNLINKAT 810 +#define SYS_ENTER_UNLINK 809 +#define SYS_EXIT_UNLINK 808 +#define SYS_ENTER_SYMLINKAT 807 +#define SYS_EXIT_SYMLINKAT 806 +#define SYS_ENTER_SYMLINK 805 +#define SYS_EXIT_SYMLINK 804 +#define SYS_ENTER_LINKAT 803 +#define SYS_EXIT_LINKAT 802 +#define SYS_ENTER_LINK 801 +#define SYS_EXIT_LINK 800 +#define SYS_ENTER_RENAMEAT2 799 +#define SYS_EXIT_RENAMEAT2 798 +#define SYS_ENTER_RENAMEAT 797 +#define SYS_EXIT_RENAMEAT 796 +#define SYS_ENTER_RENAME 795 +#define SYS_EXIT_RENAME 794 +#define SYS_ENTER_EXECVE 789 +#define SYS_EXIT_EXECVE 788 +#define 
SYS_ENTER_EXECVEAT 787 +#define SYS_EXIT_EXECVEAT 786 +#define SYS_ENTER_NEWSTAT 785 +#define SYS_EXIT_NEWSTAT 784 +#define SYS_ENTER_NEWLSTAT 783 +#define SYS_EXIT_NEWLSTAT 782 +#define SYS_ENTER_NEWFSTATAT 781 +#define SYS_EXIT_NEWFSTATAT 780 +#define SYS_ENTER_NEWFSTAT 779 +#define SYS_EXIT_NEWFSTAT 778 +#define SYS_ENTER_READLINKAT 777 +#define SYS_EXIT_READLINKAT 776 +#define SYS_ENTER_STATX 773 +#define SYS_EXIT_STATX 772 +#define SYS_ENTER_LSEEK 771 +#define SYS_EXIT_LSEEK 770 +#define SYS_ENTER_READ 769 +#define SYS_EXIT_READ 768 +#define SYS_ENTER_WRITE 767 +#define SYS_EXIT_WRITE 766 +#define SYS_ENTER_PREAD64 765 +#define SYS_EXIT_PREAD64 764 +#define SYS_ENTER_PWRITE64 763 +#define SYS_EXIT_PWRITE64 762 +#define SYS_ENTER_FTRUNCATE 743 +#define SYS_EXIT_FTRUNCATE 742 +#define SYS_ENTER_FACCESSAT 739 +#define SYS_EXIT_FACCESSAT 738 +#define SYS_ENTER_FACCESSAT2 737 +#define SYS_EXIT_FACCESSAT2 736 +#define SYS_ENTER_ACCESS 735 +#define SYS_EXIT_ACCESS 734 +#define SYS_ENTER_CHDIR 733 +#define SYS_EXIT_CHDIR 732 +#define SYS_ENTER_FCHDIR 731 +#define SYS_EXIT_FCHDIR 730 +#define SYS_ENTER_CHROOT 729 +#define SYS_EXIT_CHROOT 728 +#define SYS_ENTER_FCHMOD 727 +#define SYS_EXIT_FCHMOD 726 +#define SYS_ENTER_FCHMODAT2 725 +#define SYS_EXIT_FCHMODAT2 724 +#define SYS_ENTER_FCHMODAT 723 +#define SYS_EXIT_FCHMODAT 722 +#define SYS_ENTER_CHMOD 721 +#define SYS_EXIT_CHMOD 720 +#define SYS_ENTER_FCHOWNAT 719 +#define SYS_EXIT_FCHOWNAT 718 +#define SYS_ENTER_CHOWN 717 +#define SYS_EXIT_CHOWN 716 +#define SYS_ENTER_LCHOWN 715 +#define SYS_EXIT_LCHOWN 714 +#define SYS_ENTER_FCHOWN 713 +#define SYS_EXIT_FCHOWN 712 +#define SYS_ENTER_OPEN 711 +#define SYS_EXIT_OPEN 710 +#define SYS_ENTER_OPENAT 709 +#define SYS_EXIT_OPENAT 708 +#define SYS_ENTER_OPENAT2 707 +#define SYS_EXIT_OPENAT2 706 +#define SYS_ENTER_CREAT 705 +#define SYS_EXIT_CREAT 704 +#define SYS_ENTER_CLOSE 703 +#define SYS_EXIT_CLOSE 702 +#define SYS_ENTER_CLOSE_RANGE 701 +#define SYS_EXIT_CLOSE_RANGE 700 
+#define SYS_ENTER_CACHESTAT 528 +#define SYS_EXIT_CACHESTAT 527 -SEC("tracepoint/syscalls/sys_exit_cachestat") -int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_enter_io_uring_enter") +int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_io_uring_enter") +int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -118,18 +181,18 @@ int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CACHESTAT; + ev->trace_id = SYS_EXIT_IO_URING_ENTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_cachestat") -int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_io_uring_register") +int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -139,7 +202,7 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CACHESTAT; + ev->trace_id = SYS_ENTER_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -149,8 +212,8 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_close_range") -int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_io_uring_register") +int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -160,18 +223,18 @@ int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->trace_id = SYS_EXIT_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_close_range") -int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_quotactl_fd") +int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -181,7 +244,7 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE_RANGE; + ev->trace_id = SYS_ENTER_QUOTACTL_FD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -191,8 +254,8 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_close") -int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_quotactl_fd") +int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -202,18 +265,18 @@ int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE; + ev->trace_id = SYS_EXIT_QUOTACTL_FD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_close") -int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_flock") +int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -223,7 +286,7 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE; + ev->trace_id = SYS_ENTER_FLOCK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -233,8 +296,8 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_creat") -int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_flock") +int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -244,18 +307,18 @@ int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CREAT; + ev->trace_id = SYS_EXIT_FLOCK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_creat") -int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -265,7 +328,93 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CREAT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + 
ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -276,8 +425,8 @@ int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fchown") -int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_statfs") +int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -287,18 +436,18 @@ int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWN; + ev->trace_id = SYS_EXIT_STATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchown") -int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fstatfs") +int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -308,7 +457,7 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHOWN; + ev->trace_id = SYS_ENTER_FSTATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -318,8 +467,8 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fchmod") -int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fstatfs") +int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -329,39 +478,41 @@ int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMOD; + ev->trace_id = SYS_EXIT_FSTATFS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchmod") -int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_utimensat") +int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHMOD; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fchdir") -int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_utimensat") +int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -371,18 +522,62 @@ int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHDIR; + ev->trace_id = SYS_EXIT_UTIMENSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fchdir") -int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_futimesat") +int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_futimesat") +int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fsync") +int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -392,7 +587,7 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHDIR; + ev->trace_id = SYS_ENTER_FSYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -402,8 +597,8 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_ftruncate") -int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fsync") +int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -413,18 +608,18 @@ int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FTRUNCATE; + ev->trace_id = SYS_EXIT_FSYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_ftruncate") -int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fdatasync") +int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -434,7 +629,7 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FTRUNCATE; + ev->trace_id = SYS_ENTER_FDATASYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -444,8 +639,8 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_copy_file_range") -int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fdatasync") +int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -455,39 +650,40 @@ int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_COPY_FILE_RANGE; + ev->trace_id = SYS_EXIT_FDATASYNC; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_copy_file_range") -int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_COPY_FILE_RANGE; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_pwrite64") -int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_setxattr") +int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -497,39 +693,40 @@ int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITE64; + ev->trace_id = SYS_EXIT_SETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_pwrite64") -int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITE64; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_pread64") -int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -539,18 +736,320 @@ int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREAD64; + ev->trace_id = SYS_EXIT_LSETXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_pread64") -int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + 
ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct 
trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_open_tree") +int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + 
bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_open_tree") +int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getdents") +int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -560,7 +1059,7 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PREAD64; + ev->trace_id = SYS_ENTER_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -570,8 +1069,8 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_write") -int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents") +int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -581,18 +1080,18 @@ int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_WRITE; + ev->trace_id = SYS_EXIT_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_write") -int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getdents64") +int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -602,7 +1101,7 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_WRITE; + ev->trace_id = SYS_ENTER_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -612,8 +1111,8 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_read") -int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents64") +int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -623,18 +1122,18 @@ int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READ; + ev->trace_id = SYS_EXIT_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_read") -int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_ioctl") +int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -644,7 +1143,7 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READ; + ev->trace_id = SYS_ENTER_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -654,8 +1153,8 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_lseek") -int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -665,18 +1164,18 @@ int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSEEK; + ev->trace_id = SYS_EXIT_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lseek") -int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -686,7 +1185,7 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_LSEEK; + ev->trace_id = SYS_ENTER_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -696,8 +1195,8 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_readlinkat") -int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -707,18 +1206,106 @@ int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READLINKAT; + ev->trace_id = SYS_EXIT_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_readlinkat") -int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mknodat") +int handle_sys_enter_mknodat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknodat") +int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mknod") +int handle_sys_enter_mknod(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknod") +int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -728,7 +1315,7 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_READLINKAT; + ev->trace_id = SYS_ENTER_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -739,8 +1326,8 @@ int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_newfstat") -int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -750,39 +1337,40 @@ int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->trace_id = SYS_EXIT_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_newfstat") -int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_rename") -int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -792,18 +1380,147 @@ int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAME; + ev->trace_id = SYS_EXIT_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_rename") -int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, 
&tid)) return 0; @@ -813,20 +1530,20 @@ int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAME; + ev->trace_id = SYS_ENTER_SYMLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_renameat") -int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -836,18 +1553,18 @@ int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT; + ev->trace_id = SYS_EXIT_SYMLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_renameat") -int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -857,20 +1574,20 @@ int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT; + ev->trace_id = SYS_ENTER_SYMLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_renameat2") -int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -880,18 +1597,18 @@ int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT2; + ev->trace_id = SYS_EXIT_SYMLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_renameat2") -int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -901,7 +1618,7 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT2; + ev->trace_id = SYS_ENTER_LINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -913,8 +1630,8 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_link") -int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_linkat") +int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -924,11 +1641,11 @@ int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINK; + ev->trace_id = SYS_EXIT_LINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; @@ -957,8 +1674,8 @@ int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_linkat") -int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -968,18 +1685,18 @@ int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINKAT; + ev->trace_id = SYS_EXIT_LINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_linkat") -int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -989,7 +1706,7 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINKAT; + ev->trace_id = SYS_ENTER_RENAMEAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1001,8 +1718,8 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_symlink") -int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1012,18 +1729,18 @@ int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINK; + ev->trace_id = SYS_EXIT_RENAMEAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_symlink") -int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1033,20 +1750,20 @@ int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINK; + ev->trace_id = SYS_ENTER_RENAMEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_symlinkat") -int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1056,18 +1773,18 @@ int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINKAT; + ev->trace_id = SYS_EXIT_RENAMEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_symlinkat") -int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1077,20 +1794,20 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINKAT; + ev->trace_id = SYS_ENTER_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_unlink") -int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1100,40 +1817,41 @@ int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINK; + ev->trace_id = SYS_EXIT_RENAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_unlink") -int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execve") +int handle_sys_enter_execve(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_unlinkat") -int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_execve") +int handle_sys_exit_execve(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1143,40 +1861,41 @@ int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINKAT; + ev->trace_id = SYS_EXIT_EXECVE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_unlinkat") -int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_execveat") +int handle_sys_enter_execveat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINKAT; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_rmdir") -int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_execveat") +int handle_sys_exit_execveat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1186,40 +1905,41 @@ int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RMDIR; + ev->trace_id = SYS_EXIT_EXECVEAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_rmdir") -int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newstat") +int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_RMDIR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mkdir") -int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_newstat") +int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1229,40 +1949,41 @@ int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIR; + ev->trace_id = SYS_EXIT_NEWSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mkdir") -int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newlstat") +int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mkdirat") -int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_newlstat") +int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1272,18 +1993,104 @@ int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIRAT; + ev->trace_id = SYS_EXIT_NEWLSTAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mkdirat") -int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_newfstatat") +int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newfstatat") +int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_newfstat") +int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newfstat") +int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_readlinkat") +int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1293,7 +2100,7 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIRAT; + ev->trace_id = SYS_ENTER_READLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1304,8 +2111,8 @@ int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fcntl") -int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_readlinkat") +int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1315,39 +2122,41 @@ int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCNTL; + ev->trace_id = SYS_EXIT_READLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fcntl") -int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_statx") +int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCNTL; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_ioctl") -int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_statx") +int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1357,18 +2166,18 @@ int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IOCTL; + ev->trace_id = SYS_EXIT_STATX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_ioctl") -int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lseek") +int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1378,7 +2187,7 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IOCTL; + ev->trace_id = SYS_ENTER_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1388,8 +2197,8 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_getdents64") -int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lseek") +int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1399,18 +2208,18 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS64; + ev->trace_id = SYS_EXIT_LSEEK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_getdents64") -int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_read") +int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1420,7 +2229,7 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS64; + ev->trace_id = SYS_ENTER_READ; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1430,8 +2239,8 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_getdents") -int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_read") +int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1441,18 +2250,18 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS; + ev->trace_id = SYS_EXIT_READ; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_getdents") -int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_write") +int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1462,7 +2271,7 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS; + ev->trace_id = SYS_ENTER_WRITE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1472,8 +2281,8 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_lremovexattr") -int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_write") +int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1483,40 +2292,39 @@ int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->trace_id = SYS_EXIT_WRITE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lremovexattr") -int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_pread64") +int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PREAD64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_removexattr") -int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_pread64") +int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1526,40 +2334,39 @@ int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->trace_id = SYS_EXIT_PREAD64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_removexattr") -int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_pwrite64") +int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PWRITE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_llistxattr") -int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_pwrite64") +int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1569,40 +2376,39 @@ int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->trace_id = SYS_EXIT_PWRITE64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_llistxattr") -int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_ftruncate") +int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FTRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_listxattr") -int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ftruncate") +int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1612,40 +2418,41 @@ int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LISTXATTR; + ev->trace_id = SYS_EXIT_FTRUNCATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_listxattr") -int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_faccessat") +int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LISTXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_lgetxattr") -int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_faccessat") +int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1655,40 +2462,41 @@ int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LGETXATTR; + ev->trace_id = SYS_EXIT_FACCESSAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lgetxattr") -int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_faccessat2") +int handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LGETXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_getxattr") -int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_faccessat2") +int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1698,40 +2506,41 @@ int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETXATTR; + ev->trace_id = SYS_EXIT_FACCESSAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_getxattr") -int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_access") +int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_GETXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_ACCESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_lsetxattr") -int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_access") +int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1741,40 +2550,41 @@ int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSETXATTR; + ev->trace_id = SYS_EXIT_ACCESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_lsetxattr") -int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chdir") +int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LSETXATTR; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_setxattr") -int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chdir") +int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1784,40 +2594,39 @@ int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SETXATTR; + ev->trace_id = SYS_EXIT_CHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_setxattr") -int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchdir") +int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_SETXATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_sync_file_range") -int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchdir") +int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1827,39 +2636,41 @@ int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE; + ev->trace_id = SYS_EXIT_FCHDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_sync_file_range") -int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chroot") +int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fdatasync") -int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chroot") +int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1869,18 +2680,18 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FDATASYNC; + ev->trace_id = SYS_EXIT_CHROOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fdatasync") -int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchmod") +int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1890,7 +2701,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FDATASYNC; + ev->trace_id = SYS_ENTER_FCHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1900,8 +2711,8 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fsync") -int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchmod") +int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1911,39 +2722,41 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSYNC; + ev->trace_id = SYS_EXIT_FCHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fsync") -int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchmodat2") +int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSYNC; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fstatfs") -int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchmodat2") +int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1953,39 +2766,41 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSTATFS; + ev->trace_id = SYS_EXIT_FCHMODAT2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fstatfs") -int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchmodat") +int handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSTATFS; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_statfs") -int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchmodat") +int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1995,40 +2810,41 @@ int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_STATFS; + ev->trace_id = SYS_EXIT_FCHMODAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_statfs") -int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chmod") +int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_STATFS; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch") -int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chmod") +int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2038,39 +2854,41 @@ int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH; + ev->trace_id = SYS_EXIT_CHMOD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch") -int handle_sys_enter_inotify_rm_watch(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchownat") +int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHOWNAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") -int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchownat") +int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2080,40 +2898,41 @@ int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->trace_id = SYS_EXIT_FCHOWNAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") -int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_chown") +int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fanotify_mark") -int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_chown") +int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2123,40 +2942,41 @@ int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->trace_id = SYS_EXIT_CHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_fanotify_mark") -int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lchown") +int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_flock") -int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lchown") +int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2166,18 +2986,18 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLOCK; + ev->trace_id = SYS_EXIT_LCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_flock") -int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fchown") +int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2187,7 +3007,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLOCK; + ev->trace_id = SYS_ENTER_FCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -2197,8 +3017,8 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_quotactl_fd") -int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fchown") +int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2208,39 +3028,41 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->trace_id = SYS_EXIT_FCHOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_quotactl_fd") -int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_open") +int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_mq_unlink") -int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_open") +int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2250,39 +3072,41 @@ int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MQ_UNLINK; + ev->trace_id = SYS_EXIT_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_mq_unlink") -int handle_sys_enter_mq_unlink(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_MQ_UNLINK; + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_io_uring_register") -int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
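Review bot: handle_sys_exit_open now submits a `ret_event` tagged `EXIT_RET_EVENT`, whereas the removed tracepoints/open.c handler submitted an `fd_event` tagged `EXIT_FD_EVENT` with the returned descriptor in `ev->fd`; the same change applies to handle_sys_exit_openat in the next hunk. Any user-space decoder that keyed on `SYS_EXIT_OPEN`/`SYS_EXIT_OPENAT` to expect an fd_event will now misread the payload, and since that side is outside this diffstat it is worth confirming it was updated in the same commit. A one-line comment on the generated exit handlers, or in the generator's `RetTracepoint`, noting that the open family now reports the descriptor via `ret` rather than `fd` would make the format change visible. The body of handle_sys_exit_open begins in the previous hunk.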
@@ -2292,18 +3116,105 @@ int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_REGISTER; + ev->trace_id = SYS_EXIT_OPENAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_io_uring_register") -int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat2") +int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_openat2") +int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + 
+ ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_close") +int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2313,7 +3224,7 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_REGISTER; + ev->trace_id = SYS_ENTER_CLOSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -2323,8 +3234,8 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_io_uring_enter") -int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_close") +int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2334,18 +3245,18 @@ int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_ENTER; + ev->trace_id = SYS_EXIT_CLOSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->ret = ctx->ret; + ev->ret = ctx->ret; bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_enter_io_uring_enter") -int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_close_range") +int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2355,7 +3266,7 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->trace_id = SYS_ENTER_CLOSE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -2365,4 +3276,67 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_close_range") +int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_cachestat") +int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_cachestat") +int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku index de801a7..e43b436 100644 --- a/internal/c/generated/tracepoints.raku +++ b/internal/c/generated/tracepoints.raku @@ -1,7 +1,6 @@ #!/usr/bin/env raku use v6.d; -#use Grammar::Debugger; grammar SysTraceFormat { rule TOP { <whole-format-section>* } 
@@ -32,6 +31,104 @@ class Field { has Bool $.signed is rw; } +role TracepointTemplate { + method template(%vals) returns Str { + my \is-enter = %vals<name>.split('_')[1] eq 'enter'; + my \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' + !! 'trace_event_raw_sys_exit'; + my Str @parts; + + @parts.push: qq:to/END/; + SEC("tracepoint/syscalls/{%vals<name>}") + int handle_{%vals<name>.lc}(struct {ctx-struct} *ctx) \{ + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct {%vals<event-struct>} *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct {%vals<event-struct>}), 0); + if (!ev) + return 0; + + ev->event_type = {(is-enter ?? 'ENTER_' !! 'EXIT_') ~ %vals<event-struct>.uc}; + ev->trace_id = {%vals<name>.uc}; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + END + + @parts.push: %vals<extra> if %vals<extra>:exists; + + @parts.push: qq:to/END/; + + bpf_ringbuf_submit(ev, 0); + return 0; + \} + END + + @parts.join(''); + } +} + +class FdTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Str $extra = qq:to/END/; + ev->fd = (__s32)ctx->args[0]; + END + self.template: %vals.append( ( event-struct => 'fd_event', :$extra ).hash ); + } +} + +class NameTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Int \oldname-field-number = %vals<format>.field-number('oldname'); + my Int \newname-field-number = %vals<format>.field-number('newname'); + my Str $extra = qq:to/END/; + __builtin_memset(\&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-field-number}]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-field-number}]); + END + self.template: %vals.append( ( event-struct => 'name_event', :$extra ).hash ); + } +} + +class OpenTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns 
Str { + my Int \field-number = %vals<format>.field-number('filename'); + my Str $extra = qq:to/END/; + __builtin_memset(\&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[{field-number}]); + bpf_get_current_comm(\&ev->comm, sizeof(ev->comm)); + END + self.template: %vals.append( ( event-struct => 'open_event', :$extra ).hash ); + } +} + +class PathnameTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Int \field-number = %vals<format>.field-number('pathname'); + my Str $extra = qq:to/END/; + __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{field-number}]); + END + self.template: %vals.append( ( event-struct => 'path_event', :$extra ).hash ); + } +} + +class RetTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + my Str $extra = q:to/END/; + ev->ret = ctx->ret; + END + self.template: %vals.append( ( event-struct => 'ret_event', :$extra ).hash ); + } +} + +class NullTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals) returns Str { + self.template: %vals.append( ( event-struct => 'null_event' ).hash ); + } +} + class Format { # Fields not accessible from raw tracepoints. has Field @!internal-fields; @@ -43,14 +140,7 @@ class Format { has Str $.name is rw; has Int $.id is rw; - # file descriptor passed to syscalls. - has Bool $.has-fd is rw = False; - # Tracepoint has oldname/newname - has Bool $.has-name is rw = False; - # Tracepoint has pathname - has Bool $.has-path is rw = False; - # Syscall returns with a long value (e.g. bytes read/written) - has Bool $.has-long-ret is rw = False; + has $.format-impl; method push(Field \field) { # External fields start from this field name. 
@@ -64,85 +154,36 @@ class Format { } if (field.name eq 'fd' && field.type eq 'unsigned int') { - $!has-fd = True; + $!format-impl = FdTracepoint.new; } elsif (field.name eq 'newname' && field.type eq 'const char *') { - $!has-name = True; + $!format-impl = NameTracepoint.new; + } elsif (field.name eq 'filename' && field.type eq 'const char *') { + $!format-impl = OpenTracepoint.new; } elsif (field.name eq 'pathname' && field.type eq 'const char *') { - $!has-path = True; + $!format-impl = PathnameTracepoint.new; } elsif (field.name eq 'ret' && field.type eq 'long') { - $.has-long-ret = True; + $!format-impl = RetTracepoint.new; } } - method !field-number(Str \field-name) { - @!external-fields.first(*.name eq field-name, :k) - 1; - } + method generate-c-constant returns Str { "#define {$!name.uc} {$!id}" } + method generate-bpf-c-tracepoint returns Str { $!format-impl.generate-bpf-c-tracepoint: (format => self, :$!name).hash } - method generate-constant returns Str { - "#define {$!name.uc} {$!id}"; - } - - method generate-probe returns Str { - my \is-enter = $!name.split('_')[1] eq 'enter'; - my \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' - !! 
'trace_event_raw_sys_exit'; - my \event-struct = do if $!has-fd { 'fd_event' } - elsif $!has-long-ret { 'ret_event' } - elsif $!has-name { 'name_event' } - elsif $!has-path { 'path_event' } - else { 'null_event' }; - my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' } - elsif $!has-long-ret { 'ev->ret = ctx->ret;' } - elsif $!has-name { - my Int \oldname-index = self!field-number('oldname'); - my Int \newname-index = self!field-number('newname'); - qq:to/END/.trim-trailing; - __builtin_memset(\&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-index}]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-index}]); - END - } elsif $!has-path { - my Int \pathname-index = self!field-number('pathname'); - qq:to/END/.trim-trailing; - __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]); - END - } - else { '' }; - qq:to/END/; - SEC("tracepoint/syscalls/{$!name}") - int handle_{$!name.lc}(struct {ctx-struct} *ctx) \{ - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct {event-struct} *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct {event-struct}), 0); - if (!ev) - return 0; - - ev->event_type = {(is-enter ?? 'ENTER_' !! 
'EXIT_') ~ event-struct.uc}; - ev->trace_id = {$!name.uc}; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_ns() / 1000; - {extra-data} - - bpf_ringbuf_submit(ev, 0); - return 0; - \} - END - } + method field-number(Str \field-name) { @!external-fields.first(*.name eq field-name, :k) - 1 } + method can-generate returns Bool { so $!format-impl.^can('generate-bpf-c-tracepoint') } + method enter-reject returns Bool { $!format-impl !~~ any(FdTracepoint, NameTracepoint, OpenTracepoint, PathnameTracepoint) } } class SysTraceFormatActions { - has Format @!formats; + has Hash %!formats; has Format $!current-format = Format.new; has Field $!current-field = Field.new; - method TOP($/) { make @!formats } + method TOP($/) { make %!formats } method whole-format-section($/) { - push @!formats: $!current-format; + my ($, \enter-exit, \what) = $!current-format.name.split('_', 3); + %!formats{what}{enter-exit} = $!current-format; $!current-format = Format.new; } 
@@ -161,18 +202,18 @@ class SysTraceFormatActions { method field-signed($/) { $!current-field.signed = +$/<cbool> == 0 ?? False !! True } } -my Format @formats = gather for SysTraceFormat - .parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made - # For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open - .classify(*.name.split('_').tail).values - .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) || $_.grep(*.has-path) }) -> @_ { .take for @_ } +my Format @formats = gather for + SysTraceFormat.parse($*IN.slurp, actions => SysTraceFormatActions.new).made.values -> %syscall { + next if !all(%syscall.values.map(*.can-generate)) or %syscall<enter>.enter-reject; + .take for %syscall.values; +} -@formats .= sort(*.id); +@formats .= sort({ $^b.id cmp $^a.id }); say qq:to/END/; // Code generated - don't change manually! -{@formats.map(*.generate-constant).join("\n")} +{@formats.map(*.generate-c-constant).join("\n")} -{@formats.map(*.generate-probe).join("\n")} +{@formats.map(*.generate-bpf-c-tracepoint).join("\n")} END diff --git a/internal/c/ioriotng.bpf.c b/internal/c/ioriotng.bpf.c index 896309e..7c41551 100644 --- a/internal/c/ioriotng.bpf.c +++ b/internal/c/ioriotng.bpf.c @@ -16,8 +16,5 @@ // Auto-generated tracepoints. #include "generated/tracepoints.c" -// Tracepoints with custom handling. -#include "tracepoints/open.c" - char LICENSE[] SEC("license") = "Dual BSD/GPL"; diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c deleted file mode 100644 index b4e8757..0000000 --- a/internal/c/tracepoints/open.c +++ /dev/null 
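Review bot: `next if !all(%syscall.values.map(*.can-generate)) or %syscall<enter>.enter-reject;` dereferences `%syscall<enter>` unconditionally, so if the parsed format ever lists an exit tracepoint without its enter counterpart, or a name that does not split into sys/enter-or-exit/what, the generator dies on a method call against an undefined value instead of skipping that syscall as the old `classify` pipeline appears to have tolerated. A guard such as `next unless %syscall<enter>:exists and %syscall<exit>:exists;` before that line keeps the script total. The sort also flips from `sort(*.id)` to descending `sort({ $^b.id cmp $^a.id })`; if that is intentional, a short comment saying why would help, since the order of the generated `#define` block is the only visible effect.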
@@ -1,71 +0,0 @@ -//+build ignore - -#define SYS_EXIT_OPEN 1 -#define SYS_ENTER_OPEN 2 -#define SYS_EXIT_OPENAT 3 -#define SYS_ENTER_OPENAT 4 - -static __always_inline int _handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx, __u32 trace_id) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = trace_id; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_ns() / 1000; - - // Reset memory, as structure is re-used (ringbuffer) - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - bpf_ringbuf_submit(ev, 0); - - return 0; -} - -static __always_inline int _handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx, __u32 trace_id) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_FD_EVENT; - ev->trace_id = trace_id; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_openat") -int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { - return _handle_sys_enter_open(ctx, SYS_ENTER_OPENAT); -} - -SEC("tracepoint/syscalls/sys_exit_openat") -int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { - return _handle_sys_exit_open(ctx, SYS_EXIT_OPENAT); -} - -SEC("tracepoint/syscalls/sys_enter_open") -int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { - return _handle_sys_enter_open(ctx, SYS_ENTER_OPEN); -} - -SEC("tracepoint/syscalls/sys_exit_open") -int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { - 
return _handle_sys_exit_open(ctx, SYS_EXIT_OPEN); -} diff --git a/internal/c/types.h b/internal/c/types.h index b2cb1fa..9dc4208 100644 --- a/internal/c/types.h +++ b/internal/c/types.h @@ -22,6 +22,7 @@ struct open_event { __u32 pid; __u32 tid; __u32 time; + __s32 flags; char filename[MAX_FILENAME_LENGTH]; char comm[MAX_PROGNAME_LENGTH]; }; |
