| author | Paul Buetow <paul@buetow.org> | 2026-06-04 09:58:32 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-06-04 09:58:32 +0300 |
| commit | 6ac9fa4e62c6aa37a57835c390f69fe17e04a8d0 (patch) | |
| tree | 88c9b35e5dd2517b7503d1d7436eb169c626c02e /internal/c | |
| parent | 9a22816887b492ea0192ac096514568c7df80b01 (diff) | |
fix(classify): capture timerfd_gettime/settime + splice/tee fd, not KindNull
Root cause: the generic field matcher classifyByField only maps an arg
literally named "fd" to KindFd. Several syscalls operate on an EXISTING
fd whose tracepoint arg0 is named something else, so they fell through
to KindNull -> null_event, capturing NO descriptor and dropping the fd
they act on:
- timerfd_gettime / timerfd_settime: arg0 is "int ufd" (the timerfd)
- splice: arg0 is "int fd_in" (source fd of an in-kernel transfer)
- tee: arg0 is "int fdin" (source fd of an in-kernel transfer)
Fix: add explicit KindFd overrides for these four sys_enter_* keys to
nameOnlyKindsTable so the enter handler captures arg0, mirroring the
established epoll_wait(epfd) / mq_*(mqdes) / sendfile64(out_fd) /
copy_file_range(fd_in) precedent. splice/tee were surfaced by a systemic
sweep of tracepoint formats for fd-typed arg0 named other than "fd" that
currently classify to null; they are TransferClassified siblings of
sendfile64/copy_file_range and clearly fd-operating. The *at() family
(dfd arg0) is intentionally untouched: it is path-classified, and
timerfd_create remains the KindEventfd fd CREATOR.
Regenerated artifacts (mage generate): the four enter handlers now emit
fd_event capturing ctx->args[0] instead of null_event; exit handlers stay
UNCLASSIFIED. Updated the generated kind maps, the golden result.txt, the
classify_test expectations, and docs/syscall-tracing-plan.md (moved the
four from kind "null" to kind "fd"; families IPC/Network unchanged).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 28 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 8 |
2 files changed, 20 insertions, 16 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 4ec7b86..f2f3d46 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -4169,7 +4169,7 @@ int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) {
 return 0;
 }
-/// sys_enter_timerfd_settime is a struct null_event (kind=null)
+/// sys_enter_timerfd_settime is a struct fd_event (kind=fd)
 SEC("tracepoint/syscalls/sys_enter_timerfd_settime")
 int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) {
 __u32 pid, tid;
@@ -4179,15 +4179,16 @@ int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) {
 if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_SETTIME)) return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev) return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_FD_EVENT;
 ev->trace_id = SYS_ENTER_TIMERFD_SETTIME;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
 bpf_ringbuf_submit(ev, 0);
 return 0;
@@ -4219,7 +4220,7 @@ int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) {
 return 0;
 }
-/// sys_enter_timerfd_gettime is a struct null_event (kind=null)
+/// sys_enter_timerfd_gettime is a struct fd_event (kind=fd)
 SEC("tracepoint/syscalls/sys_enter_timerfd_gettime")
 int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) {
 __u32 pid, tid;
@@ -4229,15 +4230,16 @@ int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) {
 if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_GETTIME)) return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev) return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_FD_EVENT;
 ev->trace_id = SYS_ENTER_TIMERFD_GETTIME;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
 bpf_ringbuf_submit(ev, 0);
 return 0;
@@ -6039,7 +6041,7 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) {
 return 0;
 }
-/// sys_enter_splice is a struct null_event (kind=null)
+/// sys_enter_splice is a struct fd_event (kind=fd)
 SEC("tracepoint/syscalls/sys_enter_splice")
 int handle_sys_enter_splice(struct syscall_trace_enter *ctx) {
 __u32 pid, tid;
@@ -6049,15 +6051,16 @@ int handle_sys_enter_splice(struct syscall_trace_enter *ctx) {
 if (!ior_on_syscall_enter(tid, SYS_ENTER_SPLICE)) return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev) return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_FD_EVENT;
 ev->trace_id = SYS_ENTER_SPLICE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
 bpf_ringbuf_submit(ev, 0);
 return 0;
@@ -6089,7 +6092,7 @@ int handle_sys_exit_splice(struct syscall_trace_exit *ctx) {
 return 0;
 }
-/// sys_enter_tee is a struct null_event (kind=null)
+/// sys_enter_tee is a struct fd_event (kind=fd)
 SEC("tracepoint/syscalls/sys_enter_tee")
 int handle_sys_enter_tee(struct syscall_trace_enter *ctx) {
 __u32 pid, tid;
@@ -6099,15 +6102,16 @@ int handle_sys_enter_tee(struct syscall_trace_enter *ctx) {
 if (!ior_on_syscall_enter(tid, SYS_ENTER_TEE)) return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
 if (!ev) return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_FD_EVENT;
 ev->trace_id = SYS_ENTER_TEE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
 bpf_ringbuf_submit(ev, 0);
 return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 3804441..3ec20dd 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -318,7 +318,7 @@ sys_enter_signalfd is a struct eventfd_event (kind=eventfd)
 sys_enter_signalfd4 is a struct eventfd_event (kind=eventfd)
 sys_enter_socket is a struct socket_event (kind=socket)
 sys_enter_socketpair is a struct socketpair_event (kind=socketpair)
-sys_enter_splice is a struct null_event (kind=null)
+sys_enter_splice is a struct fd_event (kind=fd)
 sys_enter_statfs is a struct path_event (kind=pathname)
 sys_enter_statmount is a struct null_event (kind=null)
 sys_enter_statx is a struct path_event (kind=pathname)
@@ -332,7 +332,7 @@ sys_enter_syncfs is a struct fd_event (kind=fd)
 sys_enter_sysfs is a struct null_event (kind=null)
 sys_enter_sysinfo is a struct null_event (kind=null)
 sys_enter_syslog is a struct null_event (kind=null)
-sys_enter_tee is a struct null_event (kind=null)
+sys_enter_tee is a struct fd_event (kind=fd)
 sys_enter_tgkill is a struct null_event (kind=null)
 sys_enter_time is a struct null_event (kind=null)
 sys_enter_timer_create is a struct null_event (kind=timer-obj)
@@ -341,8 +341,8 @@ sys_enter_timer_getoverrun is a struct null_event (kind=timer-obj)
 sys_enter_timer_gettime is a struct null_event (kind=timer-obj)
 sys_enter_timer_settime is a struct null_event (kind=timer-obj)
 sys_enter_timerfd_create is a struct eventfd_event (kind=eventfd)
-sys_enter_timerfd_gettime is a struct null_event (kind=null)
-sys_enter_timerfd_settime is a struct null_event (kind=null)
+sys_enter_timerfd_gettime is a struct fd_event (kind=fd)
+sys_enter_timerfd_settime is a struct fd_event (kind=fd)
 sys_enter_times is a struct null_event (kind=null)
 sys_enter_tkill is a struct null_event (kind=null)
 sys_enter_truncate is a struct path_event (kind=pathname)
