authorPaul Buetow <paul@buetow.org>2026-05-19 16:15:18 +0300
committerPaul Buetow <paul@buetow.org>2026-05-19 16:15:18 +0300
commit843def4f5c23db050cccfae57a9acb5899c110f4 (patch)
treed90d94c39ff59c7df7278f29f5402c58c391daec /internal/c
parent061fb2b2380752eed06a78d10567da172ea8e27c (diff)
x6: add pipe/eventfd fd-from-air syscall support
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/generated_tracepoints.c126
-rw-r--r--internal/c/generated_tracepoints_result.txt16
-rw-r--r--internal/c/maps.h19
-rw-r--r--internal/c/types.h26
4 files changed, 151 insertions, 36 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 0f83f35..c14c61e 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -3571,89 +3571,109 @@ int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_eventfd2 is a struct null_event
+/// sys_enter_eventfd2 is a struct eventfd_event
SEC("tracepoint/syscalls/sys_enter_eventfd2")
int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_EVENTFD_EVENT;
ev->trace_id = SYS_ENTER_EVENTFD2;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 flags = (__s32)ctx->args[1];
+ bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+ ev->flags = flags;
+ ev->ret = -1;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED)
+/// sys_exit_eventfd2 is a struct eventfd_event
SEC("tracepoint/syscalls/sys_exit_eventfd2")
int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_EVENTFD_EVENT;
ev->trace_id = SYS_EXIT_EVENTFD2;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 flags = 0;
+ __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+ if (pending) {
+ flags = *pending;
+ bpf_map_delete_elem(&eventfd_flags_map, &tid);
+ }
+ ev->flags = flags;
ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_enter_eventfd is a struct null_event
+/// sys_enter_eventfd is a struct eventfd_event
SEC("tracepoint/syscalls/sys_enter_eventfd")
int handle_sys_enter_eventfd(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_EVENTFD_EVENT;
ev->trace_id = SYS_ENTER_EVENTFD;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 flags = 0;
+ bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);
+ ev->flags = flags;
+ ev->ret = -1;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_exit_eventfd is a struct ret_event (UNCLASSIFIED)
+/// sys_exit_eventfd is a struct eventfd_event
SEC("tracepoint/syscalls/sys_exit_eventfd")
int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_EVENTFD_EVENT;
ev->trace_id = SYS_EXIT_EVENTFD;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 flags = 0;
+ __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid);
+ if (pending) {
+ flags = *pending;
+ bpf_map_delete_elem(&eventfd_flags_map, &tid);
+ }
+ ev->flags = flags;
ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
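Review bot: The pending-flags map is only touched after `bpf_ringbuf_reserve` succeeds, so ring-buffer pressure desynchronises it: a failed reserve in `handle_sys_enter_eventfd2` stores nothing, and a failed reserve in `handle_sys_exit_eventfd2` skips `bpf_map_delete_elem`, leaving a stale entry for that tid that a later exit can report as its own flags. Moving `bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY);` in the enter handlers, and the lookup/delete block in the exit handlers, above the reserve keeps the map consistent whether or not an event is emitted. The return value of `bpf_map_update_elem` is also ignored, so once the 8192-entry map is full the exit side silently reports `flags = 0`. The four pipe handlers in the next hunk use the same ordering with `pipe_ctx_map`. The file name suggests generator output, so the fix probably belongs in the generator template; `handle_sys_exit_eventfd` closes outside this hunk.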
@@ -7771,89 +7791,139 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_pipe2 is a struct null_event
+/// sys_enter_pipe2 is a struct pipe_event
SEC("tracepoint/syscalls/sys_enter_pipe2")
int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_PIPE_EVENT;
ev->trace_id = SYS_ENTER_PIPE2;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ struct pipe_ctx pending;
+ pending.upipefd = ctx->args[0];
+ pending.flags = (__s32)ctx->args[1];
+ bpf_map_update_elem(&pipe_ctx_map, &tid, &pending, BPF_ANY);
+ ev->flags = pending.flags;
+ ev->fd0 = -1;
+ ev->fd1 = -1;
+ ev->ret = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED)
+/// sys_exit_pipe2 is a struct pipe_event
SEC("tracepoint/syscalls/sys_exit_pipe2")
int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_PIPE_EVENT;
ev->trace_id = SYS_EXIT_PIPE2;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 flags = 0;
+ __s32 fd0 = -1;
+ __s32 fd1 = -1;
+ struct pipe_ctx *pending = bpf_map_lookup_elem(&pipe_ctx_map, &tid);
+ if (pending) {
+ flags = pending->flags;
+ if (ctx->ret == 0 && pending->upipefd != 0) {
+ int pipefd[2];
+ if (bpf_probe_read_user(&pipefd, sizeof(pipefd), (void *)pending->upipefd) == 0) {
+ fd0 = (__s32)pipefd[0];
+ fd1 = (__s32)pipefd[1];
+ }
+ }
+ bpf_map_delete_elem(&pipe_ctx_map, &tid);
+ }
+ ev->flags = flags;
+ ev->fd0 = fd0;
+ ev->fd1 = fd1;
ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_enter_pipe is a struct null_event
+/// sys_enter_pipe is a struct pipe_event
SEC("tracepoint/syscalls/sys_enter_pipe")
int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_PIPE_EVENT;
ev->trace_id = SYS_ENTER_PIPE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ struct pipe_ctx pending;
+ pending.upipefd = ctx->args[0];
+ pending.flags = 0;
+ bpf_map_update_elem(&pipe_ctx_map, &tid, &pending, BPF_ANY);
+ ev->flags = pending.flags;
+ ev->fd0 = -1;
+ ev->fd1 = -1;
+ ev->ret = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_exit_pipe is a struct ret_event (UNCLASSIFIED)
+/// sys_exit_pipe is a struct pipe_event
SEC("tracepoint/syscalls/sys_exit_pipe")
int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_PIPE_EVENT;
ev->trace_id = SYS_EXIT_PIPE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 flags = 0;
+ __s32 fd0 = -1;
+ __s32 fd1 = -1;
+ struct pipe_ctx *pending = bpf_map_lookup_elem(&pipe_ctx_map, &tid);
+ if (pending) {
+ flags = pending->flags;
+ if (ctx->ret == 0 && pending->upipefd != 0) {
+ int pipefd[2];
+ if (bpf_probe_read_user(&pipefd, sizeof(pipefd), (void *)pending->upipefd) == 0) {
+ fd0 = (__s32)pipefd[0];
+ fd1 = (__s32)pipefd[1];
+ }
+ }
+ bpf_map_delete_elem(&pipe_ctx_map, &tid);
+ }
+ ev->flags = flags;
+ ev->fd0 = fd0;
+ ev->fd1 = fd1;
ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
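Review bot: `fd0`/`fd1` in `handle_sys_exit_pipe2` and `handle_sys_exit_pipe` come from `bpf_probe_read_user` on the caller's array after the syscall has returned, so they record what user memory held at the tracepoint, not what the kernel handed out. Another thread sharing the address space can overwrite the array in that window, so consumers that use these events for auditing should treat the descriptors as best-effort. This deserves a comment above the read, e.g. `/* fds are read back from user memory after return: best-effort, may be changed by another thread; -1 with ret == 0 means the read failed */`. The enter handlers also set `ev->ret = 0`, which reads as success, while the eventfd enter handlers use `ev->ret = -1` as the "not yet known" value; using one sentinel for both would avoid misreading enter records. `handle_sys_exit_pipe` closes outside this hunk.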
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index a2ad3ca..8f2564c 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -38,8 +38,8 @@ sys_enter_epoll_ctl is a struct fd_event
sys_enter_epoll_pwait is a struct null_event
sys_enter_epoll_pwait2 is a struct null_event
sys_enter_epoll_wait is a struct null_event
-sys_enter_eventfd is a struct null_event
-sys_enter_eventfd2 is a struct null_event
+sys_enter_eventfd is a struct eventfd_event
+sys_enter_eventfd2 is a struct eventfd_event
sys_enter_execve is a struct path_event
sys_enter_execveat is a struct fd_event
sys_enter_exit is a struct null_event
@@ -210,8 +210,8 @@ sys_enter_personality is a struct null_event
sys_enter_pidfd_getfd is a struct fd_event
sys_enter_pidfd_open is a struct null_event
sys_enter_pidfd_send_signal is a struct null_event
-sys_enter_pipe is a struct null_event
-sys_enter_pipe2 is a struct null_event
+sys_enter_pipe is a struct pipe_event
+sys_enter_pipe2 is a struct pipe_event
sys_enter_pivot_root is a struct null_event
sys_enter_pkey_alloc is a struct null_event
sys_enter_pkey_free is a struct null_event
@@ -405,8 +405,8 @@ sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED)
sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED)
sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED)
sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED)
-sys_exit_eventfd is a struct ret_event (UNCLASSIFIED)
-sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED)
+sys_exit_eventfd is a struct eventfd_event
+sys_exit_eventfd2 is a struct eventfd_event
sys_exit_execve is a struct ret_event (UNCLASSIFIED)
sys_exit_execveat is a struct ret_event (UNCLASSIFIED)
sys_exit_exit is a struct ret_event (UNCLASSIFIED)
@@ -577,8 +577,8 @@ sys_exit_personality is a struct ret_event (UNCLASSIFIED)
sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED)
sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED)
sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED)
-sys_exit_pipe is a struct ret_event (UNCLASSIFIED)
-sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED)
+sys_exit_pipe is a struct pipe_event
+sys_exit_pipe2 is a struct pipe_event
sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED)
sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED)
sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED)
diff --git a/internal/c/maps.h b/internal/c/maps.h
index 1624ff8..665e4ff 100644
--- a/internal/c/maps.h
+++ b/internal/c/maps.h
@@ -12,9 +12,28 @@ struct socketpair_ctx {
__s32 protocol;
};
+struct pipe_ctx {
+ __u64 upipefd;
+ __s32 flags;
+};
+
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 8192);
__type(key, __u32);
__type(value, struct socketpair_ctx);
} socketpair_ctx_map SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, __u32);
+ __type(value, struct pipe_ctx);
+} pipe_ctx_map SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, __u32);
+ __type(value, __s32);
+} eventfd_flags_map SEC(".maps");
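Review bot: `struct pipe_ctx` has four bytes of implicit tail padding after `flags` (an 8-byte `__u64` followed by a 4-byte `__s32`), and the pipe enter handlers in generated_tracepoints.c declare `struct pipe_ctx pending;` without an initialiser and assign only the two fields before passing it to `bpf_map_update_elem`. Those padding bytes are therefore copied into `pipe_ctx_map` uninitialised, and verifiers on some kernel versions may refuse a partially initialised stack value as a helper argument. Making the padding explicit with `__u32 pad;` after `flags` and declaring the local as `struct pipe_ctx pending = {0};` removes both concerns. A short comment on `pipe_ctx_map` and `eventfd_flags_map` stating that the key is the thread id and that entries live from sys_enter to sys_exit would also help the next reader.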
diff --git a/internal/c/types.h b/internal/c/types.h
index 6365e3f..3e06040 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -27,6 +27,10 @@
#define EXIT_SOCKETPAIR_EVENT 22
#define ENTER_ACCEPT_EVENT 23
#define EXIT_ACCEPT_EVENT 24
+#define ENTER_PIPE_EVENT 25
+#define EXIT_PIPE_EVENT 26
+#define ENTER_EVENTFD_EVENT 27
+#define EXIT_EVENTFD_EVENT 28
#define UNCLASSIFIED 0
#define READ_CLASSIFIED 1
@@ -155,3 +159,25 @@ struct accept_event {
__s32 fd;
__s64 ret;
};
+
+struct pipe_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 flags;
+ __s32 fd0;
+ __s32 fd1;
+ __s64 ret;
+};
+
+struct eventfd_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 flags;
+ __s64 ret;
+};
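Review bot: Both new structs contain an implicit 4-byte hole in front of `__s64 ret`: in `pipe_event` after `fd1` (offset 36) and in `eventfd_event` after `flags` (offset 28), assuming natural 8-byte alignment. The handlers never write those bytes and, as far as I know, `bpf_ringbuf_reserve` does not clear the record, so leftover ring-buffer contents are passed to user space, and the user-space decoder (not visible here) has to mirror the hole exactly. Adding an explicit `__u32 pad;` before `ret` and setting `ev->pad = 0;` in the handlers makes the layout self-describing and the record fully initialised. A one-line comment per struct noting that `fd0`/`fd1` are `-1` when unknown, and which `ret` value enter events carry, would document the contract for consumers.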