authorPaul Buetow <paul@buetow.org>2026-05-19 10:32:32 +0300
committerPaul Buetow <paul@buetow.org>2026-05-19 10:32:32 +0300
commit9cc2c7b3c4c7a1f1837a4a5260f11ccea5814c83 (patch)
tree423ab8233039f23bee0d4fbcb98a0b0a68841476 /internal/c
parent127516b4bf63dc922df222825a9a6a1d7eacc214 (diff)
u6: fix socketpair exit fd capture and socket filtering
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/generated_tracepoints.c53
-rw-r--r--internal/c/generated_tracepoints_result.txt2
-rw-r--r--internal/c/maps.h14
-rw-r--r--internal/c/types.h1
4 files changed, 55 insertions, 15 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 0974d77..03cf2b4 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -799,39 +799,64 @@ int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx) {
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
- int sv[2];
- __builtin_memset(&sv, 0xff, sizeof(sv));
- if (ctx->args[3] != 0) {
- bpf_probe_read_user(&sv, sizeof(sv), (void *)ctx->args[3]);
- }
- ev->family = (__s32)ctx->args[0];
- ev->type = (__s32)ctx->args[1];
- ev->protocol = (__s32)ctx->args[2];
- ev->sv0 = (__s32)sv[0];
- ev->sv1 = (__s32)sv[1];
+ struct socketpair_ctx pending;
+ pending.usockvec = ctx->args[3];
+ pending.family = (__s32)ctx->args[0];
+ pending.type = (__s32)ctx->args[1];
+ pending.protocol = (__s32)ctx->args[2];
+ bpf_map_update_elem(&socketpair_ctx_map, &tid, &pending, BPF_ANY);
+ ev->family = pending.family;
+ ev->type = pending.type;
+ ev->protocol = pending.protocol;
+ ev->sv0 = -1;
+ ev->sv1 = -1;
+ ev->ret = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_exit_socketpair is a struct ret_event (UNCLASSIFIED)
+/// sys_exit_socketpair is a struct socketpair_event
SEC("tracepoint/syscalls/sys_exit_socketpair")
int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_SOCKETPAIR_EVENT;
ev->trace_id = SYS_EXIT_SOCKETPAIR;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __s32 family = -1;
+ __s32 type = -1;
+ __s32 protocol = -1;
+ __s32 sv0 = -1;
+ __s32 sv1 = -1;
+ struct socketpair_ctx *pending = bpf_map_lookup_elem(&socketpair_ctx_map, &tid);
+ if (pending) {
+ family = pending->family;
+ type = pending->type;
+ protocol = pending->protocol;
+ if (ctx->ret == 0 && pending->usockvec != 0) {
+ int sv[2];
+ if (bpf_probe_read_user(&sv, sizeof(sv), (void *)pending->usockvec) == 0) {
+ sv0 = (__s32)sv[0];
+ sv1 = (__s32)sv[1];
+ }
+ }
+ bpf_map_delete_elem(&socketpair_ctx_map, &tid);
+ }
+ ev->family = family;
+ ev->type = type;
+ ev->protocol = protocol;
+ ev->sv0 = sv0;
+ ev->sv1 = sv1;
ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
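Review bot: In handle_sys_exit_socketpair the pending entry is looked up and deleted only after `bpf_ringbuf_reserve` succeeds, so the `if (!ev) return 0;` path leaves the entry for that tid in `socketpair_ctx_map`. Such an entry stays until the same tid calls socketpair again, and the return value of `bpf_map_update_elem` in the enter handler is not checked, so once leaked entries fill the map, new threads would silently report `-1` for every field. A stale entry could also be paired with a later exit whose enter never stored anything, which would attach an old family and user pointer to an unrelated call. Consuming the entry into a local copy before reserving the event removes both cases; `BPF_MAP_TYPE_LRU_HASH` would additionally bound the damage from threads that die inside the syscall. Both handlers extend outside this hunk, and since the file name suggests generated code, the change presumably belongs in the generator.

```c
int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx) {
    // … unchanged: pid/tid declaration and filter() check …
    /* Consume the pending entry first so no early return can strand it. */
    struct socketpair_ctx saved;
    int have_ctx = 0;
    struct socketpair_ctx *pending = bpf_map_lookup_elem(&socketpair_ctx_map, &tid);
    if (pending) {
        saved = *pending;
        have_ctx = 1;
        bpf_map_delete_elem(&socketpair_ctx_map, &tid);
    }
    struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0);
    if (!ev)
        return 0;
    // … unchanged: event header fields and the -1 defaults …
    if (have_ctx) {
        family = saved.family;
        type = saved.type;
        protocol = saved.protocol;
        if (ctx->ret == 0 && saved.usockvec != 0) {
            // … unchanged: bpf_probe_read_user of sv[2], now from saved.usockvec …
        }
    }
    // … unchanged: copy into ev, bpf_ringbuf_submit …
```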
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 2d6e54c..560e24b 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -684,7 +684,7 @@ sys_exit_sigaltstack is a struct ret_event (UNCLASSIFIED)
sys_exit_signalfd is a struct ret_event (UNCLASSIFIED)
sys_exit_signalfd4 is a struct ret_event (UNCLASSIFIED)
sys_exit_socket is a struct ret_event (UNCLASSIFIED)
-sys_exit_socketpair is a struct ret_event (UNCLASSIFIED)
+sys_exit_socketpair is a struct socketpair_event
sys_exit_splice is a struct ret_event (TRANSFER_CLASSIFIED)
sys_exit_statfs is a struct ret_event (UNCLASSIFIED)
sys_exit_statmount is a struct ret_event (UNCLASSIFIED)
diff --git a/internal/c/maps.h b/internal/c/maps.h
index 7ec871c..1624ff8 100644
--- a/internal/c/maps.h
+++ b/internal/c/maps.h
@@ -4,3 +4,17 @@ struct {
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, 1 << 24);
} event_map SEC(".maps");
+
+struct socketpair_ctx {
+ __u64 usockvec;
+ __s32 family;
+ __s32 type;
+ __s32 protocol;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, __u32);
+ __type(value, struct socketpair_ctx);
+} socketpair_ctx_map SEC(".maps");
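Review bot: `struct socketpair_ctx` has 20 bytes of fields behind a `__u64`, so the compiler will normally add 4 bytes of tail padding, and the enter handler in generated_tracepoints.c fills an uninitialised stack variable field by field before passing it to `bpf_map_update_elem`. The padding bytes are therefore uninitialised stack when the helper reads the full value. Depending on kernel version and privileges, the verifier may reject that read as an invalid indirect read from stack; where it is accepted, leftover stack bytes are copied into the map. Making the padding explicit with `__u32 pad;` after `protocol` and zeroing the variable first with `__builtin_memset(&pending, 0, sizeof(pending));` avoids both outcomes.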
diff --git a/internal/c/types.h b/internal/c/types.h
index ddb2dca..29f18e1 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -141,4 +141,5 @@ struct socketpair_event {
__s32 protocol;
__s32 sv0;
__s32 sv1;
+ __s64 ret;
};