diff options
| author | Paul Buetow <paul@buetow.org> | 2026-05-20 11:38:19 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-05-20 11:38:19 +0300 |
| commit | 9310b54d439d4a1a8d4d337987aa63884df0af76 (patch) | |
| tree | c6fb38085891a04ce81672f977af316a2e96b2fd /internal/c | |
| parent | 5fd613562e2aa2ab3aac3349f44db88330046c1c (diff) | |
feat: add syscall aggregate sampling infrastructure (task 17)
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/filter.c | 99 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints.c | 2202 | ||||
| -rw-r--r-- | internal/c/maps.h | 36 |
3 files changed, 2336 insertions, 1 deletions
diff --git a/internal/c/filter.c b/internal/c/filter.c index 55632e4..88c4fa0 100644 --- a/internal/c/filter.c +++ b/internal/c/filter.c @@ -2,6 +2,104 @@ #define ACCEPT 0 #define FILTER 1 +#define IOR_HISTOGRAM_BUCKETS 8 + +static __always_inline __u32 ior_histogram_bucket_index(__u64 duration_ns) { + if (duration_ns < 1000) + return 0; + if (duration_ns < 10000) + return 1; + if (duration_ns < 100000) + return 2; + if (duration_ns < 1000000) + return 3; + if (duration_ns < 10000000) + return 4; + if (duration_ns < 100000000) + return 5; + if (duration_ns < 1000000000) + return 6; + return 7; +} + +static __always_inline void ior_update_syscall_aggregate(__u32 enter_trace_id, __u64 duration_ns, __s64 ret) { + __u32 bucket_idx; + struct syscall_aggregate *existing; + struct syscall_aggregate fresh = {}; + + existing = bpf_map_lookup_elem(&syscall_aggregate_map, &enter_trace_id); + bucket_idx = ior_histogram_bucket_index(duration_ns); + if (bucket_idx >= IOR_HISTOGRAM_BUCKETS) + bucket_idx = IOR_HISTOGRAM_BUCKETS - 1; + + if (existing) { + existing->count += 1; + existing->total_duration_ns += duration_ns; + if (ret < 0) + existing->errors += 1; + if (existing->count == 1 || duration_ns < existing->min_duration_ns) + existing->min_duration_ns = duration_ns; + if (duration_ns > existing->max_duration_ns) + existing->max_duration_ns = duration_ns; + existing->duration_histogram[bucket_idx] += 1; + return; + } + + fresh.count = 1; + fresh.total_duration_ns = duration_ns; + fresh.min_duration_ns = duration_ns; + fresh.max_duration_ns = duration_ns; + if (ret < 0) + fresh.errors = 1; + fresh.duration_histogram[bucket_idx] = 1; + bpf_map_update_elem(&syscall_aggregate_map, &enter_trace_id, &fresh, BPF_ANY); +} + +static __always_inline int ior_should_emit_trace(__u32 enter_trace_id) { + __u32 default_rate = 1; + __u32 *configured = bpf_map_lookup_elem(&syscall_sampling_rate_map, &enter_trace_id); + __u32 rate = configured ? *configured : default_rate; + + // A zero rate means aggregate-only mode for this syscall. + if (rate == 0) + return 0; + if (rate == 1) + return 1; + return (bpf_get_prandom_u32() % rate) == 0; +} + +static __always_inline int ior_on_syscall_enter(__u32 tid, __u32 enter_trace_id) { + struct syscall_enter_state state = {}; + + state.start_ns = bpf_ktime_get_boot_ns(); + state.enter_trace_id = enter_trace_id; + state.emit_event = ior_should_emit_trace(enter_trace_id) ? 1 : 0; + bpf_map_update_elem(&syscall_enter_state_map, &tid, &state, BPF_ANY); + return state.emit_event != 0; +} + +static __always_inline int ior_on_syscall_exit(__u32 tid, __u32 exit_trace_id, __s64 ret) { + __u64 now; + __u64 duration = 0; + __u8 emit_event = 1; + struct syscall_enter_state *state; + + state = bpf_map_lookup_elem(&syscall_enter_state_map, &tid); + if (!state) + return 1; + + now = bpf_ktime_get_boot_ns(); + if (now >= state->start_ns) + duration = now - state->start_ns; + + // A tracepoint pair uses enter_id == exit_id + 1 in this codebase. + if (state->enter_trace_id == exit_trace_id + 1) + ior_update_syscall_aggregate(state->enter_trace_id, duration, ret); + + emit_event = state->emit_event; + bpf_map_delete_elem(&syscall_enter_state_map, &tid); + return emit_event != 0; +} static __always_inline int filter(__u32 *pid, __u32 *tid) { u64 pid_tgid = bpf_get_current_pid_tgid(); @@ -21,4 +119,3 @@ static __always_inline int filter(__u32 *pid, __u32 *tid) { return FILTER; } - diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index ad11b06..68aa8a7 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -743,6 +743,9 @@ int handle_sys_enter_socket(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SOCKET)) + return 0; + struct socket_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socket_event), 0); if (!ev) return 0; @@ -767,6 +770,9 @@ int handle_sys_exit_socket(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SOCKET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -790,6 +796,9 @@ int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SOCKETPAIR)) + return 0; + struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0); if (!ev) return 0; @@ -823,6 +832,9 @@ int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SOCKETPAIR, ctx->ret)) + return 0; + struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0); if (!ev) return 0; @@ -869,6 +881,9 @@ int handle_sys_enter_bind(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_BIND)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -891,6 +906,9 @@ int handle_sys_exit_bind(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_BIND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -914,6 +932,9 @@ int handle_sys_enter_listen(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTEN)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -936,6 +957,9 @@ int handle_sys_exit_listen(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -959,6 +983,9 @@ int handle_sys_enter_accept4(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCEPT4)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -982,6 +1009,9 @@ int handle_sys_exit_accept4(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCEPT4, ctx->ret)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -1005,6 +1035,9 @@ int handle_sys_enter_accept(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCEPT)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -1028,6 +1061,9 @@ int handle_sys_exit_accept(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCEPT, ctx->ret)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -1051,6 +1087,9 @@ int handle_sys_enter_connect(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CONNECT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1073,6 +1112,9 @@ int handle_sys_exit_connect(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CONNECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1096,6 +1138,9 @@ int handle_sys_enter_getsockname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSOCKNAME)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1118,6 +1163,9 @@ int handle_sys_exit_getsockname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETSOCKNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1141,6 +1189,9 @@ int handle_sys_enter_getpeername(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPEERNAME)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1163,6 +1214,9 @@ int handle_sys_exit_getpeername(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPEERNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1186,6 +1240,9 @@ int handle_sys_enter_sendto(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDTO)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1208,6 +1265,9 @@ int handle_sys_exit_sendto(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDTO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1231,6 +1291,9 @@ int handle_sys_enter_recvfrom(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RECVFROM)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1253,6 +1316,9 @@ int handle_sys_exit_recvfrom(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RECVFROM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1276,6 +1342,9 @@ int handle_sys_enter_setsockopt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETSOCKOPT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1298,6 +1367,9 @@ int handle_sys_exit_setsockopt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETSOCKOPT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1321,6 +1393,9 @@ int handle_sys_enter_getsockopt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSOCKOPT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1343,6 +1418,9 @@ int handle_sys_exit_getsockopt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETSOCKOPT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1366,6 +1444,9 @@ int handle_sys_enter_shutdown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHUTDOWN)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1388,6 +1469,9 @@ int handle_sys_exit_shutdown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHUTDOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1411,6 +1495,9 @@ int handle_sys_enter_sendmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1433,6 +1520,9 @@ int handle_sys_exit_sendmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1456,6 +1546,9 @@ int handle_sys_enter_sendmmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDMMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1478,6 +1571,9 @@ int handle_sys_exit_sendmmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDMMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1501,6 +1597,9 @@ int handle_sys_enter_recvmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RECVMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1523,6 +1622,9 @@ int handle_sys_exit_recvmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RECVMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1546,6 +1648,9 @@ int handle_sys_enter_recvmmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RECVMMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1568,6 +1673,9 @@ int handle_sys_exit_recvmmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RECVMMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1591,6 +1699,9 @@ int handle_sys_enter_getrandom(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRANDOM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1612,6 +1723,9 @@ int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRANDOM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1635,6 +1749,9 @@ int handle_sys_enter_io_uring_register(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_REGISTER)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1657,6 +1774,9 @@ int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_URING_REGISTER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1680,6 +1800,9 @@ int handle_sys_enter_io_uring_enter(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_ENTER)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1702,6 +1825,9 @@ int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_URING_ENTER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1725,6 +1851,9 @@ int handle_sys_enter_io_uring_setup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_SETUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1746,6 +1875,9 @@ int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_URING_SETUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1769,6 +1901,9 @@ int handle_sys_enter_ioprio_set(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPRIO_SET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1790,6 +1925,9 @@ int handle_sys_exit_ioprio_set(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPRIO_SET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1813,6 +1951,9 @@ int handle_sys_enter_ioprio_get(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPRIO_GET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1834,6 +1975,9 @@ int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPRIO_GET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1857,6 +2001,9 @@ int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_CREATE_RULESET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1878,6 +2025,9 @@ int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_CREATE_RULESET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1901,6 +2051,9 @@ int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_ADD_RULE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1922,6 +2075,9 @@ int handle_sys_exit_landlock_add_rule(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_ADD_RULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1945,6 +2101,9 @@ int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_RESTRICT_SELF)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1966,6 +2125,9 @@ int handle_sys_exit_landlock_restrict_self(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_RESTRICT_SELF, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1989,6 +2151,9 @@ int handle_sys_enter_lsm_set_self_attr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_SET_SELF_ATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2010,6 +2175,9 @@ int handle_sys_exit_lsm_set_self_attr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSM_SET_SELF_ATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2033,6 +2201,9 @@ int handle_sys_enter_lsm_get_self_attr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_GET_SELF_ATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2054,6 +2225,9 @@ int handle_sys_exit_lsm_get_self_attr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSM_GET_SELF_ATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2077,6 +2251,9 @@ int handle_sys_enter_lsm_list_modules(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_LIST_MODULES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2098,6 +2275,9 @@ int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSM_LIST_MODULES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2121,6 +2301,9 @@ int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ADD_KEY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2142,6 +2325,9 @@ int handle_sys_exit_add_key(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ADD_KEY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2165,6 +2351,9 @@ int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REQUEST_KEY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2186,6 +2375,9 @@ int handle_sys_exit_request_key(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REQUEST_KEY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2209,6 +2401,9 @@ int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KEYCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2230,6 +2425,9 @@ int handle_sys_exit_keyctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KEYCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2253,6 +2451,9 @@ int handle_sys_enter_mq_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_OPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2274,6 +2475,9 @@ int handle_sys_exit_mq_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2297,6 +2501,9 @@ int handle_sys_enter_mq_unlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_UNLINK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2318,6 +2525,9 @@ int handle_sys_exit_mq_unlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_UNLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2341,6 +2551,9 @@ int handle_sys_enter_mq_timedsend(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_TIMEDSEND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2362,6 +2575,9 @@ int handle_sys_exit_mq_timedsend(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_TIMEDSEND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2385,6 +2601,9 @@ int handle_sys_enter_mq_timedreceive(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_TIMEDRECEIVE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2406,6 +2625,9 @@ int handle_sys_exit_mq_timedreceive(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_TIMEDRECEIVE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2429,6 +2651,9 @@ int handle_sys_enter_mq_notify(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_NOTIFY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2450,6 +2675,9 @@ int handle_sys_exit_mq_notify(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_NOTIFY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2473,6 +2701,9 @@ int handle_sys_enter_mq_getsetattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_GETSETATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2494,6 +2725,9 @@ int handle_sys_exit_mq_getsetattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_GETSETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2517,6 +2751,9 @@ int handle_sys_enter_shmget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2538,6 +2775,9 @@ int handle_sys_exit_shmget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2561,6 +2801,9 @@ int handle_sys_enter_shmctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2582,6 +2825,9 @@ int handle_sys_exit_shmctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2605,6 +2851,9 @@ int handle_sys_enter_shmat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMAT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2626,6 +2875,9 @@ int handle_sys_exit_shmat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2649,6 +2901,9 @@ int handle_sys_enter_shmdt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMDT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2670,6 +2925,9 @@ int handle_sys_exit_shmdt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMDT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2693,6 +2951,9 @@ int handle_sys_enter_semget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2714,6 +2975,9 @@ int handle_sys_exit_semget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2737,6 +3001,9 @@ int handle_sys_enter_semctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2758,6 +3025,9 @@ int handle_sys_exit_semctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2781,6 +3051,9 @@ int handle_sys_enter_semtimedop(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMTIMEDOP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2802,6 +3075,9 @@ int handle_sys_exit_semtimedop(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMTIMEDOP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2825,6 +3101,9 @@ int handle_sys_enter_semop(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMOP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2846,6 +3125,9 @@ int handle_sys_exit_semop(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMOP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2869,6 +3151,9 @@ int handle_sys_enter_msgget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2890,6 +3175,9 @@ int handle_sys_exit_msgget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2913,6 +3201,9 @@ int handle_sys_enter_msgctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2934,6 +3225,9 @@ int handle_sys_exit_msgctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2957,6 +3251,9 @@ int handle_sys_enter_msgsnd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGSND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2978,6 +3275,9 @@ int handle_sys_exit_msgsnd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGSND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3001,6 +3301,9 @@ int handle_sys_enter_msgrcv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGRCV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3022,6 +3325,9 @@ int handle_sys_exit_msgrcv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGRCV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3045,6 +3351,9 @@ int handle_sys_enter_quotactl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_QUOTACTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3066,6 +3375,9 @@ int handle_sys_exit_quotactl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_QUOTACTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3089,6 +3401,9 @@ int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_QUOTACTL_FD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -3111,6 +3426,9 @@ int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_QUOTACTL_FD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3134,6 +3452,9 @@ int handle_sys_enter_name_to_handle_at(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NAME_TO_HANDLE_AT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -3157,6 +3478,9 @@ int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NAME_TO_HANDLE_AT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3180,6 +3504,9 @@ int handle_sys_enter_open_by_handle_at(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_BY_HANDLE_AT)) + return 0; + struct open_by_handle_at_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_by_handle_at_event), 0); if (!ev) return 0; @@ -3202,6 +3529,9 @@ int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN_BY_HANDLE_AT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3225,6 +3555,9 @@ int handle_sys_enter_flock(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FLOCK)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -3247,6 +3580,9 @@ int handle_sys_exit_flock(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FLOCK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3270,6 +3606,9 @@ int handle_sys_enter_io_setup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_SETUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3291,6 +3630,9 @@ int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_SETUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3314,6 +3656,9 @@ int handle_sys_enter_io_destroy(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_DESTROY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3335,6 +3680,9 @@ int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_DESTROY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3358,6 +3706,9 @@ int handle_sys_enter_io_submit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_SUBMIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3379,6 +3730,9 @@ int handle_sys_exit_io_submit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_SUBMIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3402,6 +3756,9 @@ int handle_sys_enter_io_cancel(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_CANCEL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3423,6 +3780,9 @@ int handle_sys_exit_io_cancel(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_CANCEL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3446,6 +3806,9 @@ int handle_sys_enter_io_getevents(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_GETEVENTS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3467,6 +3830,9 @@ int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_GETEVENTS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3490,6 +3856,9 @@ int handle_sys_enter_io_pgetevents(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_PGETEVENTS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3511,6 +3880,9 @@ int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_PGETEVENTS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3534,6 +3906,9 @@ int handle_sys_enter_userfaultfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_USERFAULTFD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3555,6 +3930,9 @@ int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_USERFAULTFD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3578,6 +3956,9 @@ int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EVENTFD2)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3603,6 +3984,9 @@ int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EVENTFD2, ctx->ret)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3632,6 +4016,9 @@ int handle_sys_enter_eventfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EVENTFD)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3657,6 +4044,9 @@ int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EVENTFD, ctx->ret)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3686,6 +4076,9 @@ int handle_sys_enter_timerfd_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3707,6 +4100,9 @@ int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMERFD_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3730,6 +4126,9 @@ int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_SETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3751,6 +4150,9 @@ int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMERFD_SETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3774,6 +4176,9 @@ int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_GETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3795,6 +4200,9 @@ int handle_sys_exit_timerfd_gettime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMERFD_GETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3818,6 +4226,9 @@ int handle_sys_enter_signalfd4(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGNALFD4)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3839,6 +4250,9 @@ int handle_sys_exit_signalfd4(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SIGNALFD4, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3862,6 +4276,9 @@ int handle_sys_enter_signalfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGNALFD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3883,6 +4300,9 @@ int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SIGNALFD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3906,6 +4326,9 @@ int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE1)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3927,6 +4350,9 @@ int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE1, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3950,6 +4376,9 @@ int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3971,6 +4400,9 @@ int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3994,6 +4426,9 @@ int handle_sys_enter_epoll_ctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CTL)) + return 0; + struct epoll_ctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct epoll_ctl_event), 0); if (!ev) return 0; @@ -4025,6 +4460,9 @@ int handle_sys_exit_epoll_ctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4048,6 +4486,9 @@ int handle_sys_enter_epoll_wait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_WAIT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4070,6 +4511,9 @@ int handle_sys_exit_epoll_wait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_WAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4093,6 +4537,9 @@ int handle_sys_enter_epoll_pwait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_PWAIT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4115,6 +4562,9 @@ int handle_sys_exit_epoll_pwait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_PWAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4138,6 +4588,9 @@ int handle_sys_enter_epoll_pwait2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_PWAIT2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4160,6 +4613,9 @@ int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_PWAIT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4183,6 +4639,9 @@ int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_INIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4204,6 +4663,9 @@ int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FANOTIFY_INIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4227,6 +4689,9 @@ int handle_sys_enter_fanotify_mark(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_MARK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4250,6 +4715,9 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FANOTIFY_MARK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4273,6 +4741,9 @@ int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT1)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4294,6 +4765,9 @@ int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT1, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4317,6 +4791,9 @@ int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4338,6 +4815,9 @@ int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4361,6 +4841,9 @@ int handle_sys_enter_inotify_add_watch(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_ADD_WATCH)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4383,6 +4866,9 @@ int handle_sys_exit_inotify_add_watch(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_ADD_WATCH, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4406,6 +4892,9 @@ int handle_sys_enter_inotify_rm_watch(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_RM_WATCH)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4428,6 +4917,9 @@ int handle_sys_exit_inotify_rm_watch(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_RM_WATCH, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4451,6 +4943,9 @@ int handle_sys_enter_file_getattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FILE_GETATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4474,6 +4969,9 @@ int handle_sys_exit_file_getattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FILE_GETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4497,6 +4995,9 @@ int handle_sys_enter_file_setattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FILE_SETATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4520,6 +5021,9 @@ int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FILE_SETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4543,6 +5047,9 @@ int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSOPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4564,6 +5071,9 @@ int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSOPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4587,6 +5097,9 @@ int handle_sys_enter_fspick(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSPICK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4610,6 +5123,9 @@ int handle_sys_exit_fspick(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSPICK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4633,6 +5149,9 @@ int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSCONFIG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4655,6 +5174,9 @@ int handle_sys_exit_fsconfig(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSCONFIG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4678,6 +5200,9 @@ int handle_sys_enter_statfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_STATFS)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4701,6 +5226,9 @@ int handle_sys_exit_statfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_STATFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4724,6 +5252,9 @@ int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSTATFS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4746,6 +5277,9 @@ int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSTATFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4769,6 +5303,9 @@ int handle_sys_enter_ustat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_USTAT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4790,6 +5327,9 @@ int handle_sys_exit_ustat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_USTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4813,6 +5353,9 @@ int handle_sys_enter_getcwd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETCWD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4834,6 +5377,9 @@ int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETCWD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4857,6 +5403,9 @@ int handle_sys_enter_utimensat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIMENSAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4880,6 +5429,9 @@ int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UTIMENSAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4903,6 +5455,9 @@ int handle_sys_enter_futimesat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTIMESAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4926,6 +5481,9 @@ int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTIMESAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4949,6 +5507,9 @@ int handle_sys_enter_utimes(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIMES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4970,6 +5531,9 @@ int handle_sys_exit_utimes(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UTIMES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4993,6 +5557,9 @@ int handle_sys_enter_utime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5014,6 +5581,9 @@ int handle_sys_exit_utime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5037,6 +5607,9 @@ int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNC)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5058,6 +5631,9 @@ int handle_sys_exit_sync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5081,6 +5657,9 @@ int handle_sys_enter_syncfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNCFS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5103,6 +5682,9 @@ int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYNCFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5126,6 +5708,9 @@ int handle_sys_enter_fsync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSYNC)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5148,6 +5733,9 @@ int handle_sys_exit_fsync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5171,6 +5759,9 @@ int handle_sys_enter_fdatasync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FDATASYNC)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5193,6 +5784,9 @@ int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FDATASYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5216,6 +5810,9 @@ int handle_sys_enter_sync_file_range(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNC_FILE_RANGE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5238,6 +5835,9 @@ int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYNC_FILE_RANGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5261,6 +5861,9 @@ int handle_sys_enter_vmsplice(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_VMSPLICE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5283,6 +5886,9 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_VMSPLICE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5306,6 +5912,9 @@ int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SPLICE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5327,6 +5936,9 @@ int handle_sys_exit_splice(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SPLICE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5350,6 +5962,9 @@ int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TEE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5371,6 +5986,9 @@ int handle_sys_exit_tee(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TEE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5394,6 +6012,9 @@ int handle_sys_enter_setxattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5417,6 +6038,9 @@ int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5440,6 +6064,9 @@ int handle_sys_enter_setxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5463,6 +6090,9 @@ int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5486,6 +6116,9 @@ int handle_sys_enter_lsetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5509,6 +6142,9 @@ int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5532,6 +6168,9 @@ int handle_sys_enter_fsetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSETXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5554,6 +6193,9 @@ int handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5577,6 +6219,9 @@ int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5600,6 +6245,9 @@ int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5623,6 +6271,9 @@ int handle_sys_enter_getxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5646,6 +6297,9 @@ int handle_sys_exit_getxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5669,6 +6323,9 @@ int handle_sys_enter_lgetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LGETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5692,6 +6349,9 @@ int handle_sys_exit_lgetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LGETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5715,6 +6375,9 @@ int handle_sys_enter_fgetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FGETXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5737,6 +6400,9 @@ int handle_sys_exit_fgetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FGETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5760,6 +6426,9 @@ int handle_sys_enter_listxattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5783,6 +6452,9 @@ int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5806,6 +6478,9 @@ int handle_sys_enter_listxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5829,6 +6504,9 @@ int handle_sys_exit_listxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5852,6 +6530,9 @@ int handle_sys_enter_llistxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LLISTXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5875,6 +6556,9 @@ int handle_sys_exit_llistxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LLISTXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5898,6 +6582,9 @@ int handle_sys_enter_flistxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FLISTXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5920,6 +6607,9 @@ int handle_sys_exit_flistxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FLISTXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5943,6 +6633,9 @@ int handle_sys_enter_removexattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REMOVEXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5966,6 +6659,9 @@ int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REMOVEXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5989,6 +6685,9 @@ int handle_sys_enter_removexattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REMOVEXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -6012,6 +6711,9 @@ int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REMOVEXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6035,6 +6737,9 @@ int handle_sys_enter_lremovexattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LREMOVEXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -6058,6 +6763,9 @@ int handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LREMOVEXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6081,6 +6789,9 @@ int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FREMOVEXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6103,6 +6814,9 @@ int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FREMOVEXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6126,6 +6840,9 @@ int handle_sys_enter_umount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6147,6 +6864,9 @@ int handle_sys_exit_umount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6170,6 +6890,9 @@ int handle_sys_enter_open_tree(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_TREE)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -6195,6 +6918,9 @@ int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN_TREE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6218,6 +6944,9 @@ int handle_sys_enter_mount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6239,6 +6968,9 @@ int handle_sys_exit_mount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6262,6 +6994,9 @@ int handle_sys_enter_fsmount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6283,6 +7018,9 @@ int handle_sys_exit_fsmount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6306,6 +7044,9 @@ int handle_sys_enter_move_mount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOVE_MOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6327,6 +7068,9 @@ int handle_sys_exit_move_mount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOVE_MOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6350,6 +7094,9 @@ int handle_sys_enter_pivot_root(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIVOT_ROOT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6371,6 +7118,9 @@ int handle_sys_exit_pivot_root(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIVOT_ROOT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6394,6 +7144,9 @@ int handle_sys_enter_mount_setattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOUNT_SETATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -6417,6 +7170,9 @@ int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOUNT_SETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6440,6 +7196,9 @@ int handle_sys_enter_open_tree_attr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_TREE_ATTR)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -6465,6 +7224,9 @@ int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN_TREE_ATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6488,6 +7250,9 @@ int handle_sys_enter_statmount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_STATMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6509,6 +7274,9 @@ int handle_sys_exit_statmount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_STATMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6532,6 +7300,9 @@ int handle_sys_enter_listmount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6553,6 +7324,9 @@ int handle_sys_exit_listmount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6576,6 +7350,9 @@ int handle_sys_enter_sysfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSFS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6597,6 +7374,9 @@ int handle_sys_exit_sysfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYSFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6620,6 +7400,9 @@ int handle_sys_enter_close_range(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOSE_RANGE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6642,6 +7425,9 @@ int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOSE_RANGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6665,6 +7451,9 @@ int handle_sys_enter_dup3(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP3)) + return 0; + struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0); if (!ev) return 0; @@ -6688,6 +7477,9 @@ int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DUP3, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6711,6 +7503,9 @@ int handle_sys_enter_dup2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6733,6 +7528,9 @@ int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DUP2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6756,6 +7554,9 @@ int handle_sys_enter_dup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6778,6 +7579,9 @@ int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6801,6 +7605,9 @@ int handle_sys_enter_select(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SELECT)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6833,6 +7640,9 @@ int handle_sys_exit_select(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SELECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6856,6 +7666,9 @@ int handle_sys_enter_pselect6(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PSELECT6)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6888,6 +7701,9 @@ int handle_sys_exit_pselect6(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PSELECT6, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6911,6 +7727,9 @@ int handle_sys_enter_poll(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_POLL)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6938,6 +7757,9 @@ int handle_sys_exit_poll(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_POLL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6961,6 +7783,9 @@ int handle_sys_enter_ppoll(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PPOLL)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6993,6 +7818,9 @@ int handle_sys_exit_ppoll(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PPOLL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7016,6 +7844,9 @@ int handle_sys_enter_getdents(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETDENTS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -7038,6 +7869,9 @@ int handle_sys_exit_getdents(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETDENTS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7061,6 +7895,9 @@ int handle_sys_enter_getdents64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETDENTS64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -7083,6 +7920,9 @@ int handle_sys_exit_getdents64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETDENTS64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7106,6 +7946,9 @@ int handle_sys_enter_ioctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOCTL)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -7128,6 +7971,9 @@ int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7151,6 +7997,9 @@ int handle_sys_enter_fcntl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCNTL)) + return 0; + struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0); if (!ev) return 0; @@ -7175,6 +8024,9 @@ int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCNTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7198,6 +8050,9 @@ int handle_sys_enter_mknodat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKNODAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7221,6 +8076,9 @@ int handle_sys_exit_mknodat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKNODAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7244,6 +8102,9 @@ int handle_sys_enter_mknod(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKNOD)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7267,6 +8128,9 @@ int handle_sys_exit_mknod(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKNOD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7290,6 +8154,9 @@ int handle_sys_enter_mkdirat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKDIRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7313,6 +8180,9 @@ int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKDIRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7336,6 +8206,9 @@ int handle_sys_enter_mkdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKDIR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7359,6 +8232,9 @@ int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7382,6 +8258,9 @@ int handle_sys_enter_rmdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RMDIR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7405,6 +8284,9 @@ int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RMDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7428,6 +8310,9 @@ int handle_sys_enter_unlinkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UNLINKAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7451,6 +8336,9 @@ int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UNLINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7474,6 +8362,9 @@ int handle_sys_enter_unlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UNLINK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7497,6 +8388,9 @@ int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UNLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7520,6 +8414,9 @@ int handle_sys_enter_symlinkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYMLINKAT)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7544,6 +8441,9 @@ int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYMLINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7567,6 +8467,9 @@ int handle_sys_enter_symlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYMLINK)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7591,6 +8494,9 @@ int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYMLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7614,6 +8520,9 @@ int handle_sys_enter_linkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LINKAT)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7638,6 +8547,9 @@ int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7661,6 +8573,9 @@ int handle_sys_enter_link(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LINK)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7685,6 +8600,9 @@ int handle_sys_exit_link(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7708,6 +8626,9 @@ int handle_sys_enter_renameat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAMEAT2)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7732,6 +8653,9 @@ int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RENAMEAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7755,6 +8679,9 @@ int handle_sys_enter_renameat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAMEAT)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7779,6 +8706,9 @@ int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RENAMEAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7802,6 +8732,9 @@ int handle_sys_enter_rename(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAME)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7826,6 +8759,9 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RENAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7849,6 +8785,9 @@ int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIPE2)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7878,6 +8817,9 @@ int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIPE2, ctx->ret)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7918,6 +8860,9 @@ int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIPE)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7947,6 +8892,9 @@ int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIPE, ctx->ret)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7987,6 +8935,9 @@ int handle_sys_enter_execve(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVE)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8010,6 +8961,9 @@ int handle_sys_exit_execve(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXECVE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8033,6 +8987,9 @@ int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVEAT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8055,6 +9012,9 @@ int handle_sys_exit_execveat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXECVEAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8078,6 +9038,9 @@ int handle_sys_enter_newstat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWSTAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8101,6 +9064,9 @@ int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWSTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8124,6 +9090,9 @@ int handle_sys_enter_newlstat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWLSTAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8147,6 +9116,9 @@ int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWLSTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8170,6 +9142,9 @@ int handle_sys_enter_newfstatat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWFSTATAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8193,6 +9168,9 @@ int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWFSTATAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8216,6 +9194,9 @@ int handle_sys_enter_newfstat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWFSTAT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8238,6 +9219,9 @@ int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWFSTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8261,6 +9245,9 @@ int handle_sys_enter_readlinkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READLINKAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8284,6 +9271,9 @@ int handle_sys_exit_readlinkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READLINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8307,6 +9297,9 @@ int handle_sys_enter_readlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READLINK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8330,6 +9323,9 @@ int handle_sys_exit_readlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8353,6 +9349,9 @@ int handle_sys_enter_statx(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_STATX)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8376,6 +9375,9 @@ int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_STATX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8399,6 +9401,9 @@ int handle_sys_enter_lseek(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSEEK)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8421,6 +9426,9 @@ int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSEEK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8444,6 +9452,9 @@ int handle_sys_enter_read(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READ)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8466,6 +9477,9 @@ int handle_sys_exit_read(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READ, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8489,6 +9503,9 @@ int handle_sys_enter_write(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WRITE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8511,6 +9528,9 @@ int handle_sys_exit_write(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WRITE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8534,6 +9554,9 @@ int handle_sys_enter_pread64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PREAD64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8556,6 +9579,9 @@ int handle_sys_exit_pread64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PREAD64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8579,6 +9605,9 @@ int handle_sys_enter_pwrite64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PWRITE64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8601,6 +9630,9 @@ int handle_sys_exit_pwrite64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PWRITE64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8624,6 +9656,9 @@ int handle_sys_enter_readv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8646,6 +9681,9 @@ int handle_sys_exit_readv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8669,6 +9707,9 @@ int handle_sys_enter_writev(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WRITEV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8691,6 +9732,9 @@ int handle_sys_exit_writev(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WRITEV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8714,6 +9758,9 @@ int handle_sys_enter_preadv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PREADV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8736,6 +9783,9 @@ int handle_sys_exit_preadv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PREADV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8759,6 +9809,9 @@ int handle_sys_enter_preadv2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PREADV2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8781,6 +9834,9 @@ int handle_sys_exit_preadv2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PREADV2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8804,6 +9860,9 @@ int handle_sys_enter_pwritev(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PWRITEV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8826,6 +9885,9 @@ int handle_sys_exit_pwritev(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PWRITEV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8849,6 +9911,9 @@ int handle_sys_enter_pwritev2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PWRITEV2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8871,6 +9936,9 @@ int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PWRITEV2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8894,6 +9962,9 @@ int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDFILE64)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -8915,6 +9986,9 @@ int handle_sys_exit_sendfile64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDFILE64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8938,6 +10012,9 @@ int handle_sys_enter_copy_file_range(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_COPY_FILE_RANGE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8960,6 +10037,9 @@ int handle_sys_exit_copy_file_range(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_COPY_FILE_RANGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8983,6 +10063,9 @@ int handle_sys_enter_truncate(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TRUNCATE)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9006,6 +10089,9 @@ int handle_sys_exit_truncate(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TRUNCATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9029,6 +10115,9 @@ int handle_sys_enter_ftruncate(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FTRUNCATE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9051,6 +10140,9 @@ int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FTRUNCATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9074,6 +10166,9 @@ int handle_sys_enter_fallocate(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FALLOCATE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9096,6 +10191,9 @@ int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FALLOCATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9119,6 +10217,9 @@ int handle_sys_enter_faccessat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FACCESSAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9142,6 +10243,9 @@ int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FACCESSAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9165,6 +10269,9 @@ int handle_sys_enter_faccessat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FACCESSAT2)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9188,6 +10295,9 @@ int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FACCESSAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9211,6 +10321,9 @@ int handle_sys_enter_access(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCESS)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9234,6 +10347,9 @@ int handle_sys_exit_access(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCESS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9257,6 +10373,9 @@ int handle_sys_enter_chdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHDIR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9280,6 +10399,9 @@ int handle_sys_exit_chdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9303,6 +10425,9 @@ int handle_sys_enter_fchdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHDIR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9325,6 +10450,9 @@ int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9348,6 +10476,9 @@ int handle_sys_enter_chroot(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHROOT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9371,6 +10502,9 @@ int handle_sys_exit_chroot(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHROOT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9394,6 +10528,9 @@ int handle_sys_enter_fchmod(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHMOD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9416,6 +10553,9 @@ int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHMOD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9439,6 +10579,9 @@ int handle_sys_enter_fchmodat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHMODAT2)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9462,6 +10605,9 @@ int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHMODAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9485,6 +10631,9 @@ int handle_sys_enter_fchmodat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHMODAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9508,6 +10657,9 @@ int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHMODAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9531,6 +10683,9 @@ int handle_sys_enter_chmod(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHMOD)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9554,6 +10709,9 @@ int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHMOD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9577,6 +10735,9 @@ int handle_sys_enter_fchownat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHOWNAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9600,6 +10761,9 @@ int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHOWNAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9623,6 +10787,9 @@ int handle_sys_enter_chown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHOWN)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9646,6 +10813,9 @@ int handle_sys_exit_chown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9669,6 +10839,9 @@ int handle_sys_enter_lchown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LCHOWN)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9692,6 +10865,9 @@ int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LCHOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9715,6 +10891,9 @@ int handle_sys_enter_fchown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHOWN)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9737,6 +10916,9 @@ int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9760,6 +10942,9 @@ int handle_sys_enter_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -9785,6 +10970,9 @@ int handle_sys_exit_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9808,6 +10996,9 @@ int handle_sys_enter_openat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPENAT)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -9833,6 +11024,9 @@ int handle_sys_exit_openat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPENAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9856,6 +11050,9 @@ int handle_sys_enter_openat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPENAT2)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -9881,6 +11078,9 @@ int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPENAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9904,6 +11104,9 @@ int handle_sys_enter_creat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CREAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9927,6 +11130,9 @@ int handle_sys_exit_creat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CREAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9950,6 +11156,9 @@ int handle_sys_enter_close(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOSE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9972,6 +11181,9 @@ int handle_sys_exit_close(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOSE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9995,6 +11207,9 @@ int handle_sys_enter_vhangup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_VHANGUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10016,6 +11231,9 @@ int handle_sys_exit_vhangup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_VHANGUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10039,6 +11257,9 @@ int handle_sys_enter_memfd_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMFD_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10060,6 +11281,9 @@ int handle_sys_exit_memfd_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MEMFD_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10083,6 +11307,9 @@ int handle_sys_enter_memfd_secret(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMFD_SECRET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10104,6 +11331,9 @@ int handle_sys_exit_memfd_secret(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MEMFD_SECRET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10127,6 +11357,9 @@ int handle_sys_enter_move_pages(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOVE_PAGES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10148,6 +11381,9 @@ int handle_sys_exit_move_pages(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOVE_PAGES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10171,6 +11407,9 @@ int handle_sys_enter_set_mempolicy_home_node(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_MEMPOLICY_HOME_NODE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10192,6 +11431,9 @@ int handle_sys_exit_set_mempolicy_home_node(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_MEMPOLICY_HOME_NODE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10215,6 +11457,9 @@ int handle_sys_enter_mbind(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MBIND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10236,6 +11481,9 @@ int handle_sys_exit_mbind(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MBIND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10259,6 +11507,9 @@ int handle_sys_enter_set_mempolicy(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_MEMPOLICY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10280,6 +11531,9 @@ int handle_sys_exit_set_mempolicy(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_MEMPOLICY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10303,6 +11557,9 @@ int handle_sys_enter_migrate_pages(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MIGRATE_PAGES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10324,6 +11581,9 @@ int handle_sys_exit_migrate_pages(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MIGRATE_PAGES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10347,6 +11607,9 @@ int handle_sys_enter_get_mempolicy(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GET_MEMPOLICY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10368,6 +11631,9 @@ int handle_sys_exit_get_mempolicy(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GET_MEMPOLICY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10391,6 +11657,9 @@ int handle_sys_enter_swapoff(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SWAPOFF)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10412,6 +11681,9 @@ int handle_sys_exit_swapoff(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SWAPOFF, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10435,6 +11707,9 @@ int handle_sys_enter_swapon(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SWAPON)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10456,6 +11731,9 @@ int handle_sys_exit_swapon(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SWAPON, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10479,6 +11757,9 @@ int handle_sys_enter_madvise(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MADVISE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10500,6 +11781,9 @@ int handle_sys_exit_madvise(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MADVISE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10523,6 +11807,9 @@ int handle_sys_enter_process_madvise(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_MADVISE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10544,6 +11831,9 @@ int handle_sys_exit_process_madvise(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_MADVISE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10567,6 +11857,9 @@ int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSEAL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10588,6 +11881,9 @@ int handle_sys_exit_mseal(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSEAL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10611,6 +11907,9 @@ int handle_sys_enter_process_vm_readv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_VM_READV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10632,6 +11931,9 @@ int handle_sys_exit_process_vm_readv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_VM_READV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10655,6 +11957,9 @@ int handle_sys_enter_process_vm_writev(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_VM_WRITEV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10676,6 +11981,9 @@ int handle_sys_exit_process_vm_writev(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_VM_WRITEV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10699,6 +12007,9 @@ int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSYNC)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10720,6 +12031,9 @@ int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10743,6 +12057,9 @@ int handle_sys_enter_mremap(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MREMAP)) + return 0; + struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; @@ -10768,6 +12085,9 @@ int handle_sys_exit_mremap(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MREMAP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10791,6 +12111,9 @@ int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MPROTECT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10812,6 +12135,9 @@ int handle_sys_exit_mprotect(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MPROTECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10835,6 +12161,9 @@ int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_MPROTECT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10856,6 +12185,9 @@ int handle_sys_exit_pkey_mprotect(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PKEY_MPROTECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10879,6 +12211,9 @@ int handle_sys_enter_pkey_alloc(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_ALLOC)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10900,6 +12235,9 @@ int handle_sys_exit_pkey_alloc(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PKEY_ALLOC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10923,6 +12261,9 @@ int handle_sys_enter_pkey_free(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_FREE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10944,6 +12285,9 @@ int handle_sys_exit_pkey_free(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PKEY_FREE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10967,6 +12311,9 @@ int handle_sys_enter_brk(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_BRK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10988,6 +12335,9 @@ int handle_sys_exit_brk(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_BRK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11011,6 +12361,9 @@ int handle_sys_enter_munmap(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNMAP)) + return 0; + struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; @@ -11036,6 +12389,9 @@ int handle_sys_exit_munmap(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MUNMAP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11059,6 +12415,9 @@ int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REMAP_FILE_PAGES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11080,6 +12439,9 @@ int handle_sys_exit_remap_file_pages(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REMAP_FILE_PAGES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11103,6 +12465,9 @@ int handle_sys_enter_mlock(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11124,6 +12489,9 @@ int handle_sys_exit_mlock(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MLOCK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11147,6 +12515,9 @@ int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCK2)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11168,6 +12539,9 @@ int handle_sys_exit_mlock2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MLOCK2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11191,6 +12565,9 @@ int handle_sys_enter_munlock(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11212,6 +12589,9 @@ int handle_sys_exit_munlock(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MUNLOCK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11235,6 +12615,9 @@ int handle_sys_enter_mlockall(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCKALL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11256,6 +12639,9 @@ int handle_sys_exit_mlockall(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MLOCKALL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11279,6 +12665,9 @@ int handle_sys_enter_munlockall(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCKALL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11300,6 +12689,9 @@ int handle_sys_exit_munlockall(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MUNLOCKALL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11323,6 +12715,9 @@ int handle_sys_enter_mincore(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MINCORE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11344,6 +12739,9 @@ int handle_sys_exit_mincore(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MINCORE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11367,6 +12765,9 @@ int handle_sys_enter_readahead(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READAHEAD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -11389,6 +12790,9 @@ int handle_sys_exit_readahead(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READAHEAD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11412,6 +12816,9 @@ int handle_sys_enter_fadvise64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FADVISE64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -11434,6 +12841,9 @@ int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FADVISE64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11457,6 +12867,9 @@ int handle_sys_enter_process_mrelease(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_MRELEASE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11478,6 +12891,9 @@ int handle_sys_exit_process_mrelease(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_MRELEASE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11501,6 +12917,9 @@ int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CACHESTAT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -11523,6 +12942,9 @@ int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CACHESTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11546,6 +12968,9 @@ int handle_sys_enter_rseq(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RSEQ)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11567,6 +12992,9 @@ int handle_sys_exit_rseq(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RSEQ, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11590,6 +13018,9 @@ int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PERF_EVENT_OPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11611,6 +13042,9 @@ int handle_sys_exit_perf_event_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PERF_EVENT_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11634,6 +13068,9 @@ int handle_sys_enter_bpf(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_BPF)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11655,6 +13092,9 @@ int handle_sys_exit_bpf(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_BPF, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11678,6 +13118,9 @@ int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SECCOMP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11699,6 +13142,9 @@ int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SECCOMP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11722,6 +13168,9 @@ int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_FILE_LOAD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11743,6 +13192,9 @@ int handle_sys_exit_kexec_file_load(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KEXEC_FILE_LOAD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11766,6 +13218,9 @@ int handle_sys_enter_kexec_load(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_LOAD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11787,6 +13242,9 @@ int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KEXEC_LOAD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11810,6 +13268,9 @@ int handle_sys_enter_acct(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11831,6 +13292,9 @@ int handle_sys_exit_acct(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11854,6 +13318,9 @@ int handle_sys_enter_set_robust_list(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_ROBUST_LIST)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11875,6 +13342,9 @@ int handle_sys_exit_set_robust_list(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_ROBUST_LIST, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11898,6 +13368,9 @@ int handle_sys_enter_get_robust_list(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GET_ROBUST_LIST)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11919,6 +13392,9 @@ int handle_sys_exit_get_robust_list(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GET_ROBUST_LIST, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11942,6 +13418,9 @@ int handle_sys_enter_futex(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11963,6 +13442,9 @@ int handle_sys_exit_futex(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11986,6 +13468,9 @@ int handle_sys_enter_futex_waitv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAITV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12007,6 +13492,9 @@ int handle_sys_exit_futex_waitv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_WAITV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12030,6 +13518,9 @@ int handle_sys_enter_futex_wake(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAKE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12051,6 +13542,9 @@ int handle_sys_exit_futex_wake(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_WAKE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12074,6 +13568,9 @@ int handle_sys_enter_futex_wait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12095,6 +13592,9 @@ int handle_sys_exit_futex_wait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_WAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12118,6 +13618,9 @@ int handle_sys_enter_futex_requeue(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_REQUEUE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12139,6 +13642,9 @@ int handle_sys_exit_futex_requeue(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_REQUEUE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12162,6 +13668,9 @@ int handle_sys_enter_getitimer(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETITIMER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12183,6 +13692,9 @@ int handle_sys_exit_getitimer(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETITIMER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12206,6 +13718,9 @@ int handle_sys_enter_alarm(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ALARM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12227,6 +13742,9 @@ int handle_sys_exit_alarm(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ALARM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12250,6 +13768,9 @@ int handle_sys_enter_setitimer(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETITIMER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12271,6 +13792,9 @@ int handle_sys_exit_setitimer(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETITIMER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12294,6 +13818,9 @@ int handle_sys_enter_timer_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12315,6 +13842,9 @@ int handle_sys_exit_timer_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12338,6 +13868,9 @@ int handle_sys_enter_timer_gettime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_GETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12359,6 +13892,9 @@ int handle_sys_exit_timer_gettime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_GETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12382,6 +13918,9 @@ int handle_sys_enter_timer_getoverrun(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_GETOVERRUN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12403,6 +13942,9 @@ int handle_sys_exit_timer_getoverrun(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_GETOVERRUN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12426,6 +13968,9 @@ int handle_sys_enter_timer_settime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_SETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12447,6 +13992,9 @@ int handle_sys_exit_timer_settime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_SETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12470,6 +14018,9 @@ int handle_sys_enter_timer_delete(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_DELETE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12491,6 +14042,9 @@ int handle_sys_exit_timer_delete(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_DELETE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12514,6 +14068,9 @@ int handle_sys_enter_clock_settime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_SETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12535,6 +14092,9 @@ int handle_sys_exit_clock_settime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_SETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12558,6 +14118,9 @@ int handle_sys_enter_clock_gettime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_GETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12579,6 +14142,9 @@ int handle_sys_exit_clock_gettime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_GETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12602,6 +14168,9 @@ int handle_sys_enter_clock_adjtime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_ADJTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12623,6 +14192,9 @@ int handle_sys_exit_clock_adjtime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_ADJTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12646,6 +14218,9 @@ int handle_sys_enter_clock_getres(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_GETRES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12667,6 +14242,9 @@ int handle_sys_exit_clock_getres(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_GETRES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12690,6 +14268,9 @@ int handle_sys_enter_clock_nanosleep(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_NANOSLEEP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12711,6 +14292,9 @@ int handle_sys_exit_clock_nanosleep(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_NANOSLEEP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12734,6 +14318,9 @@ int handle_sys_enter_nanosleep(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NANOSLEEP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12755,6 +14342,9 @@ int handle_sys_exit_nanosleep(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NANOSLEEP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12778,6 +14368,9 @@ int handle_sys_enter_time(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12799,6 +14392,9 @@ int handle_sys_exit_time(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12822,6 +14418,9 @@ int handle_sys_enter_gettimeofday(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETTIMEOFDAY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12843,6 +14442,9 @@ int handle_sys_exit_gettimeofday(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETTIMEOFDAY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12866,6 +14468,9 @@ int handle_sys_enter_settimeofday(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETTIMEOFDAY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12887,6 +14492,9 @@ int handle_sys_exit_settimeofday(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETTIMEOFDAY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12910,6 +14518,9 @@ int handle_sys_enter_adjtimex(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ADJTIMEX)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12931,6 +14542,9 @@ int handle_sys_exit_adjtimex(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ADJTIMEX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12954,6 +14568,9 @@ int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KCMP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12975,6 +14592,9 @@ int handle_sys_exit_kcmp(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KCMP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12998,6 +14618,9 @@ int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DELETE_MODULE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13019,6 +14642,9 @@ int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DELETE_MODULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13042,6 +14668,9 @@ int handle_sys_enter_init_module(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INIT_MODULE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13063,6 +14692,9 @@ int handle_sys_exit_init_module(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INIT_MODULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13086,6 +14718,9 @@ int handle_sys_enter_finit_module(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FINIT_MODULE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -13108,6 +14743,9 @@ int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FINIT_MODULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13131,6 +14769,9 @@ int handle_sys_enter_syslog(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSLOG)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13152,6 +14793,9 @@ int handle_sys_exit_syslog(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYSLOG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13175,6 +14819,9 @@ int handle_sys_enter_membarrier(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMBARRIER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13196,6 +14843,9 @@ int handle_sys_exit_membarrier(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MEMBARRIER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13219,6 +14869,9 @@ int handle_sys_enter_sched_setscheduler(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETSCHEDULER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13240,6 +14893,9 @@ int handle_sys_exit_sched_setscheduler(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETSCHEDULER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13263,6 +14919,9 @@ int handle_sys_enter_sched_setparam(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETPARAM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13284,6 +14943,9 @@ int handle_sys_exit_sched_setparam(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETPARAM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13307,6 +14969,9 @@ int handle_sys_enter_sched_setattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13328,6 +14993,9 @@ int handle_sys_exit_sched_setattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13351,6 +15019,9 @@ int handle_sys_enter_sched_getscheduler(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETSCHEDULER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13372,6 +15043,9 @@ int handle_sys_exit_sched_getscheduler(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETSCHEDULER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13395,6 +15069,9 @@ int handle_sys_enter_sched_getparam(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETPARAM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13416,6 +15093,9 @@ int handle_sys_exit_sched_getparam(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETPARAM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13439,6 +15119,9 @@ int handle_sys_enter_sched_getattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13460,6 +15143,9 @@ int handle_sys_exit_sched_getattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13483,6 +15169,9 @@ int handle_sys_enter_sched_setaffinity(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETAFFINITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13504,6 +15193,9 @@ int handle_sys_exit_sched_setaffinity(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETAFFINITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13527,6 +15219,9 @@ int handle_sys_enter_sched_getaffinity(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETAFFINITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13548,6 +15243,9 @@ int handle_sys_exit_sched_getaffinity(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETAFFINITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13571,6 +15269,9 @@ int handle_sys_enter_sched_yield(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_YIELD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13592,6 +15293,9 @@ int handle_sys_exit_sched_yield(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_YIELD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13615,6 +15319,9 @@ int handle_sys_enter_sched_get_priority_max(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GET_PRIORITY_MAX)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13636,6 +15343,9 @@ int handle_sys_exit_sched_get_priority_max(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GET_PRIORITY_MAX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13659,6 +15369,9 @@ int handle_sys_enter_sched_get_priority_min(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GET_PRIORITY_MIN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13680,6 +15393,9 @@ int handle_sys_exit_sched_get_priority_min(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GET_PRIORITY_MIN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13703,6 +15419,9 @@ int handle_sys_enter_sched_rr_get_interval(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_RR_GET_INTERVAL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13724,6 +15443,9 @@ int handle_sys_exit_sched_rr_get_interval(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_RR_GET_INTERVAL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13747,6 +15469,9 @@ int handle_sys_enter_getgroups(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETGROUPS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13768,6 +15493,9 @@ int handle_sys_exit_getgroups(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETGROUPS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13791,6 +15519,9 @@ int handle_sys_enter_setgroups(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETGROUPS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13812,6 +15543,9 @@ int handle_sys_exit_setgroups(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETGROUPS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13835,6 +15569,9 @@ int handle_sys_enter_reboot(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REBOOT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13856,6 +15593,9 @@ int handle_sys_exit_reboot(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REBOOT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13879,6 +15619,9 @@ int handle_sys_enter_listns(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTNS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13900,6 +15643,9 @@ int handle_sys_exit_listns(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTNS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13923,6 +15669,9 @@ int handle_sys_enter_setns(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETNS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -13945,6 +15694,9 @@ int handle_sys_exit_setns(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETNS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13968,6 +15720,9 @@ int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_OPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13989,6 +15744,9 @@ int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14012,6 +15770,9 @@ int handle_sys_enter_pidfd_getfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_GETFD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -14034,6 +15795,9 @@ int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_GETFD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14057,6 +15821,9 @@ int handle_sys_enter_setpriority(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETPRIORITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14078,6 +15845,9 @@ int handle_sys_exit_setpriority(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETPRIORITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14101,6 +15871,9 @@ int handle_sys_enter_getpriority(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPRIORITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14122,6 +15895,9 @@ int handle_sys_exit_getpriority(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPRIORITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14145,6 +15921,9 @@ int handle_sys_enter_setregid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETREGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14166,6 +15945,9 @@ int handle_sys_exit_setregid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETREGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14189,6 +15971,9 @@ int handle_sys_enter_setgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14210,6 +15995,9 @@ int handle_sys_exit_setgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14233,6 +16021,9 @@ int handle_sys_enter_setreuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETREUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14254,6 +16045,9 @@ int handle_sys_exit_setreuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETREUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14277,6 +16071,9 @@ int handle_sys_enter_setuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14298,6 +16095,9 @@ int handle_sys_exit_setuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14321,6 +16121,9 @@ int handle_sys_enter_setresuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRESUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14342,6 +16145,9 @@ int handle_sys_exit_setresuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETRESUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14365,6 +16171,9 @@ int handle_sys_enter_getresuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRESUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14386,6 +16195,9 @@ int handle_sys_exit_getresuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRESUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14409,6 +16221,9 @@ int handle_sys_enter_setresgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRESGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14430,6 +16245,9 @@ int handle_sys_exit_setresgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETRESGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14453,6 +16271,9 @@ int handle_sys_enter_getresgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRESGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14474,6 +16295,9 @@ int handle_sys_exit_getresgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRESGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14497,6 +16321,9 @@ int handle_sys_enter_setfsuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETFSUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14518,6 +16345,9 @@ int handle_sys_exit_setfsuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETFSUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14541,6 +16371,9 @@ int handle_sys_enter_setfsgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETFSGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14562,6 +16395,9 @@ int handle_sys_exit_setfsgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETFSGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14585,6 +16421,9 @@ int handle_sys_enter_getpid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14606,6 +16445,9 @@ int handle_sys_exit_getpid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14629,6 +16471,9 @@ int handle_sys_enter_gettid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETTID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14650,6 +16495,9 @@ int handle_sys_exit_gettid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETTID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14673,6 +16521,9 @@ int handle_sys_enter_getppid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPPID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14694,6 +16545,9 @@ int handle_sys_exit_getppid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPPID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14717,6 +16571,9 @@ int handle_sys_enter_getuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14738,6 +16595,9 @@ int handle_sys_exit_getuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14761,6 +16621,9 @@ int handle_sys_enter_geteuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETEUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14782,6 +16645,9 @@ int handle_sys_exit_geteuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETEUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14805,6 +16671,9 @@ int handle_sys_enter_getgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14826,6 +16695,9 @@ int handle_sys_exit_getgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14849,6 +16721,9 @@ int handle_sys_enter_getegid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETEGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14870,6 +16745,9 @@ int handle_sys_exit_getegid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETEGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14893,6 +16771,9 @@ int handle_sys_enter_times(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14914,6 +16795,9 @@ int handle_sys_exit_times(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14937,6 +16821,9 @@ int handle_sys_enter_setpgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETPGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14958,6 +16845,9 @@ int handle_sys_exit_setpgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETPGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14981,6 +16871,9 @@ int handle_sys_enter_getpgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15002,6 +16895,9 @@ int handle_sys_exit_getpgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15025,6 +16921,9 @@ int handle_sys_enter_getpgrp(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPGRP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15046,6 +16945,9 @@ int handle_sys_exit_getpgrp(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPGRP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15069,6 +16971,9 @@ int handle_sys_enter_getsid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15090,6 +16995,9 @@ int handle_sys_exit_getsid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETSID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15113,6 +17021,9 @@ int handle_sys_enter_setsid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETSID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15134,6 +17045,9 @@ int handle_sys_exit_setsid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETSID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15157,6 +17071,9 @@ int handle_sys_enter_newuname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWUNAME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15178,6 +17095,9 @@ int handle_sys_exit_newuname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWUNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15201,6 +17121,9 @@ int handle_sys_enter_sethostname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETHOSTNAME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15222,6 +17145,9 @@ int handle_sys_exit_sethostname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETHOSTNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15245,6 +17171,9 @@ int handle_sys_enter_setdomainname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETDOMAINNAME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15266,6 +17195,9 @@ int handle_sys_exit_setdomainname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETDOMAINNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15289,6 +17221,9 @@ int handle_sys_enter_getrlimit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRLIMIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15310,6 +17245,9 @@ int handle_sys_exit_getrlimit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRLIMIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15333,6 +17271,9 @@ int handle_sys_enter_prlimit64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PRLIMIT64)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15354,6 +17295,9 @@ int handle_sys_exit_prlimit64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PRLIMIT64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15377,6 +17321,9 @@ int handle_sys_enter_setrlimit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRLIMIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15398,6 +17345,9 @@ int handle_sys_exit_setrlimit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETRLIMIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15421,6 +17371,9 @@ int handle_sys_enter_getrusage(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRUSAGE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15442,6 +17395,9 @@ int handle_sys_exit_getrusage(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRUSAGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15465,6 +17421,9 @@ int handle_sys_enter_umask(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UMASK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15486,6 +17445,9 @@ int handle_sys_exit_umask(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UMASK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15509,6 +17471,9 @@ int handle_sys_enter_prctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PRCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15530,6 +17495,9 @@ int handle_sys_exit_prctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PRCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15553,6 +17521,9 @@ int handle_sys_enter_getcpu(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETCPU)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15574,6 +17545,9 @@ int handle_sys_exit_getcpu(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETCPU, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15597,6 +17571,9 @@ int handle_sys_enter_sysinfo(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSINFO)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15618,6 +17595,9 @@ int handle_sys_exit_sysinfo(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYSINFO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15641,6 +17621,9 @@ int handle_sys_enter_restart_syscall(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RESTART_SYSCALL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15662,6 +17645,9 @@ int handle_sys_exit_restart_syscall(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RESTART_SYSCALL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15685,6 +17671,9 @@ int handle_sys_enter_rt_sigprocmask(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGPROCMASK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15706,6 +17695,9 @@ int handle_sys_exit_rt_sigprocmask(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGPROCMASK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15729,6 +17721,9 @@ int handle_sys_enter_rt_sigpending(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGPENDING)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15750,6 +17745,9 @@ int handle_sys_exit_rt_sigpending(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGPENDING, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15773,6 +17771,9 @@ int handle_sys_enter_rt_sigtimedwait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGTIMEDWAIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15794,6 +17795,9 @@ int handle_sys_exit_rt_sigtimedwait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGTIMEDWAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15817,6 +17821,9 @@ int handle_sys_enter_kill(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KILL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15838,6 +17845,9 @@ int handle_sys_exit_kill(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KILL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15861,6 +17871,9 @@ int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_SEND_SIGNAL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15882,6 +17895,9 @@ int handle_sys_exit_pidfd_send_signal(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_SEND_SIGNAL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15905,6 +17921,9 @@ int handle_sys_enter_tgkill(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TGKILL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15926,6 +17945,9 @@ int handle_sys_exit_tgkill(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TGKILL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15949,6 +17971,9 @@ int handle_sys_enter_tkill(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TKILL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15970,6 +17995,9 @@ int handle_sys_exit_tkill(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TKILL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15993,6 +18021,9 @@ int handle_sys_enter_rt_sigqueueinfo(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGQUEUEINFO)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16014,6 +18045,9 @@ int handle_sys_exit_rt_sigqueueinfo(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGQUEUEINFO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16037,6 +18071,9 @@ int handle_sys_enter_rt_tgsigqueueinfo(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_TGSIGQUEUEINFO)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16058,6 +18095,9 @@ int handle_sys_exit_rt_tgsigqueueinfo(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_TGSIGQUEUEINFO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16081,6 +18121,9 @@ int handle_sys_enter_sigaltstack(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGALTSTACK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16102,6 +18145,9 @@ int handle_sys_exit_sigaltstack(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SIGALTSTACK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16125,6 +18171,9 @@ int handle_sys_enter_rt_sigaction(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGACTION)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16146,6 +18195,9 @@ int handle_sys_exit_rt_sigaction(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGACTION, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16169,6 +18221,9 @@ int handle_sys_enter_pause(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PAUSE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16190,6 +18245,9 @@ int handle_sys_exit_pause(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PAUSE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16213,6 +18271,9 @@ int handle_sys_enter_rt_sigsuspend(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGSUSPEND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16234,6 +18295,9 @@ int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGSUSPEND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16257,6 +18321,9 @@ int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PTRACE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16278,6 +18345,9 @@ int handle_sys_exit_ptrace(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PTRACE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16301,6 +18371,9 @@ int handle_sys_enter_capget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CAPGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16322,6 +18395,9 @@ int handle_sys_exit_capget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CAPGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16345,6 +18421,9 @@ int handle_sys_enter_capset(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CAPSET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16366,6 +18445,9 @@ int handle_sys_exit_capset(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CAPSET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16389,6 +18471,9 @@ int handle_sys_enter_exit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16410,6 +18495,9 @@ int handle_sys_exit_exit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16433,6 +18521,9 @@ int handle_sys_enter_exit_group(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXIT_GROUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16454,6 +18545,9 @@ int handle_sys_exit_exit_group(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXIT_GROUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16477,6 +18571,9 @@ int handle_sys_enter_waitid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WAITID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16498,6 +18595,9 @@ int handle_sys_exit_waitid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WAITID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16521,6 +18621,9 @@ int handle_sys_enter_wait4(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WAIT4)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16542,6 +18645,9 @@ int handle_sys_exit_wait4(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WAIT4, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16565,6 +18671,9 @@ int handle_sys_enter_personality(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PERSONALITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16586,6 +18695,9 @@ int handle_sys_exit_personality(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PERSONALITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16609,6 +18721,9 @@ int handle_sys_enter_set_tid_address(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_TID_ADDRESS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16630,6 +18745,9 @@ int handle_sys_exit_set_tid_address(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_TID_ADDRESS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16653,6 +18771,9 @@ int handle_sys_enter_fork(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FORK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16674,6 +18795,9 @@ int handle_sys_exit_fork(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FORK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16697,6 +18821,9 @@ int handle_sys_enter_vfork(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_VFORK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16718,6 +18845,9 @@ int handle_sys_exit_vfork(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_VFORK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16741,6 +18871,9 @@ int handle_sys_enter_clone(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLONE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16762,6 +18895,9 @@ int handle_sys_exit_clone(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLONE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16785,6 +18921,9 @@ int handle_sys_enter_clone3(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLONE3)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16806,6 +18945,9 @@ int handle_sys_exit_clone3(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLONE3, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16829,6 +18971,9 @@ int handle_sys_enter_unshare(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UNSHARE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16850,6 +18995,9 @@ int handle_sys_exit_unshare(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UNSHARE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16873,6 +19021,9 @@ int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MAP_SHADOW_STACK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16894,6 +19045,9 @@ int handle_sys_exit_map_shadow_stack(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MAP_SHADOW_STACK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16917,6 +19071,9 @@ int handle_sys_enter_uretprobe(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_URETPROBE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16938,6 +19095,9 @@ int handle_sys_exit_uretprobe(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_URETPROBE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16961,6 +19121,9 @@ int handle_sys_enter_uprobe(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UPROBE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16982,6 +19145,9 @@ int handle_sys_exit_uprobe(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UPROBE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17005,6 +19171,9 @@ int handle_sys_enter_arch_prctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ARCH_PRCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17026,6 +19195,9 @@ int handle_sys_exit_arch_prctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ARCH_PRCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17049,6 +19221,9 @@ int handle_sys_enter_mmap(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MMAP)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -17071,6 +19246,9 @@ int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MMAP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17094,6 +19272,9 @@ int handle_sys_enter_modify_ldt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MODIFY_LDT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17115,6 +19296,9 @@ int handle_sys_exit_modify_ldt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MODIFY_LDT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17138,6 +19322,9 @@ int handle_sys_enter_ioperm(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPERM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17159,6 +19346,9 @@ int handle_sys_exit_ioperm(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPERM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17182,6 +19372,9 @@ int handle_sys_enter_iopl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17203,6 +19396,9 @@ int handle_sys_exit_iopl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17226,6 +19422,9 @@ int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGRETURN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17247,6 +19446,9 @@ int handle_sys_exit_rt_sigreturn(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGRETURN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; diff --git a/internal/c/maps.h b/internal/c/maps.h index 665e4ff..79a1367 100644 --- a/internal/c/maps.h +++ b/internal/c/maps.h @@ -5,6 +5,21 @@ struct { __uint(max_entries, 1 << 24); } event_map SEC(".maps"); +struct syscall_enter_state { + __u64 start_ns; + __u32 enter_trace_id; + __u8 emit_event; +}; + +struct syscall_aggregate { + __u64 count; + __u64 errors; + __u64 total_duration_ns; + __u64 min_duration_ns; + __u64 max_duration_ns; + __u64 duration_histogram[8]; +}; + struct socketpair_ctx { __u64 usockvec; __s32 family; @@ -37,3 +52,24 @@ struct { __type(key, __u32); __type(value, __s32); } eventfd_flags_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 32768); + __type(key, __u32); + __type(value, struct syscall_enter_state); +} syscall_enter_state_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 4096); + __type(key, __u32); + __type(value, struct syscall_aggregate); +} syscall_aggregate_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 4096); + __type(key, __u32); + __type(value, __u32); +} syscall_sampling_rate_map SEC(".maps"); |