| author | Paul Buetow <paul@buetow.org> | 2024-03-02 14:05:20 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-03-02 14:05:20 +0200 |
| commit | b941cec01a9dfb29903b9e55369073df5c283a52 (patch) | |
| tree | 31aca998741d8c8b8275dd3528fff46a65cdaf21 /internal/c | |
| parent | f4e736903d6a7d2b8e025c8a6f7ef63ff3ec3e3a (diff) | |
C generation for syscalls with oldname and newname args
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated/tracepoints.c | 382 | ||||
| -rw-r--r-- | internal/c/generated/tracepoints.raku | 27 | ||||
| -rw-r--r-- | internal/c/types.h | 12 |
3 files changed, 384 insertions, 37 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c index e7e8317..e824de3 100644 --- a/internal/c/generated/tracepoints.c +++ b/internal/c/generated/tracepoints.c @@ -28,6 +28,20 @@ #define SYS_ENTER_LSEEK 763 #define SYS_EXIT_NEWFSTAT 770 #define SYS_ENTER_NEWFSTAT 771 +#define SYS_EXIT_RENAME 786 +#define SYS_ENTER_RENAME 787 +#define SYS_EXIT_RENAMEAT 788 +#define SYS_ENTER_RENAMEAT 789 +#define SYS_EXIT_RENAMEAT2 790 +#define SYS_ENTER_RENAMEAT2 791 +#define SYS_EXIT_LINK 792 +#define SYS_ENTER_LINK 793 +#define SYS_EXIT_LINKAT 794 +#define SYS_ENTER_LINKAT 795 +#define SYS_EXIT_SYMLINK 796 +#define SYS_ENTER_SYMLINK 797 +#define SYS_EXIT_SYMLINKAT 798 +#define SYS_ENTER_SYMLINKAT 799 #define SYS_EXIT_FCNTL 814 #define SYS_ENTER_FCNTL 815 #define SYS_EXIT_IOCTL 816 @@ -89,7 +103,7 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -131,7 +145,7 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -173,7 +187,7 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -215,7 +229,7 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -257,7 +271,7 @@ int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -299,7 +313,7 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -341,7 +355,7 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -374,16 +388,16 @@ int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) { if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; + ev->event_type = ENTER_NULL_EVENT; ev->syscall_id = SYS_ENTER_COPY_FILE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + bpf_ringbuf_submit(ev, 0); return 0; @@ -425,7 +439,7 @@ int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -467,7 +481,7 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -509,7 +523,7 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -551,7 +565,7 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -593,7 +607,7 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -635,7 +649,315 @@ int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + 
return 0; +} + +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 
0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_link") +int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_linkat") +int handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 
0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->syscall_id = SYS_EXIT_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->syscall_id = SYS_ENTER_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; @@ -677,7 +999,7 @@ int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -719,7 +1041,7 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -761,7 +1083,7 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -803,7 +1125,7 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -836,16 +1158,16 @@ int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) { if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; + ev->event_type = ENTER_NULL_EVENT; ev->syscall_id = SYS_ENTER_SYNC_FILE_RANGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + bpf_ringbuf_submit(ev, 0); return 0; @@ -887,7 +1209,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -929,7 +1251,7 @@ int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -971,7 +1293,7 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -1013,7 +1335,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -1055,7 +1377,7 @@ int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -1097,7 +1419,7 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -1139,7 +1461,7 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (int)ctx->args[0]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku index 4613d54..ef79ed6 100644 --- a/internal/c/generated/tracepoints.raku +++ b/internal/c/generated/tracepoints.raku @@ -38,6 +38,8 @@ class Format { has Field @.fields is rw; # file descriptor passed to syscalls. has Bool $.has-fd is rw = False; + # Has tracepoint has got oldname and name + has Bool $.has-name is rw = False; # Syscall returns with a long value (e.g. bytes read/written) has Bool $.has-long-ret is rw = False; @@ -45,6 +47,8 @@ class Format { push @!fields: $field; if ($field.name eq 'fd' && $field.type eq 'unsigned int') { $!has-fd = True; + } elsif ($field.name eq 'newname' && $field.type eq 'const char *') { + $!has-name = True; } elsif ($field.name eq 'ret' && $field.type eq 'long') { $.has-long-ret = True; } 
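Review bot: The comment added above `has Bool $.has-name` in tracepoints.raku (hunk -38,6) reads `# Has tracepoint has got oldname and name`, which is garbled and does not say what sets the flag. The following hunk sets it only when a field named `newname` of type `const char *` is seen, so a comment such as `# Tracepoint carries oldname/newname path arguments (set when a 'const char *' newname field is seen)` would match the code. The Format class continues outside the hunk.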
@@ -56,11 +60,22 @@ class Format { method generate-probe returns Str { my \is-enter = $!name.split('_')[1] eq 'enter'; - my \is-exit = !is-enter; my \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' !! 'trace_event_raw_sys_exit'; - my \event-struct = is-enter ?? 'fd_event' - !! ($!has-long-ret ?? 'ret_event' !! 'null_event'); + my \event-struct = do if $!has-fd { 'fd_event' } + elsif $!has-long-ret { 'ret_event' } + elsif $!has-name { 'name_event' } + else { 'null_event' }; + my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' } + elsif $!has-long-ret { 'ev->ret = ctx->ret;' } + elsif $!has-name { + q:to/END/.trim-trailing; + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + END + } + else { '' }; qq:to/END/; SEC("tracepoint/syscalls/{$!name}") int handle_{$!name.lc}(struct {ctx-struct} *ctx) \{ @@ -77,8 +92,7 @@ class Format { ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - {is-enter ?? 'ev->fd = (int)ctx->args[0];' - !! ($!has-long-ret ?? 'ev->ret = ctx->ret;' !! '') } + {extra-data} bpf_ringbuf_submit(ev, 0); return 0; @@ -118,8 +132,7 @@ my Format @formats = gather for SysTraceFormat .parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made # For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open .classify(*.name.split('_').tail).values - # Check whether one of them (enter or exit) has an fd. - .grep(*.grep(*.has-fd).elems > 0) -> @_ { .take for @_ } + .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) }) -> @_ { .take for @_ } @formats .= sort(*.id); diff --git a/internal/c/types.h b/internal/c/types.h index 7a1ff12..57f39f0 100644 --- a/internal/c/types.h +++ b/internal/c/types.h 
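Review bot: In generate-probe in tracepoints.raku (hunk -56,11), the `$!has-name` branch of `extra-data` hard-codes `ctx->args[0]` and `ctx->args[1]` as the two path pointers, which is only right for rename, link and symlink. renameat, renameat2 and linkat take (olddfd, oldname, newdfd, newname), so their paths are in args[1] and args[3], and symlinkat takes (oldname, newdfd, newname), so its newname is args[2]. The generated handlers for those four therefore pass a directory fd to `bpf_probe_read_user_str` and record a shifted or empty path, and because the helper's return value is ignored the event is still submitted, which silently corrupts any file-activity auditing built on these events. The index should come from the position of the `oldname` and `newname` fields in the parsed format, for example `(const char*)ctx->args[{$oldname-idx}]` (variable name illustrative), and a failed read should be flagged or the event discarded. generate-probe's body continues outside the hunk.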
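Review bot: The rewritten filter in the last tracepoints.raku hunk (-118,8) drops the old explanatory comment and leaves `.grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) })` undocumented; a line such as `# Keep every group in which at least one tracepoint has an fd or an oldname/newname pair.` would restore it. The groups come from the context line `.classify(*.name.split('_').tail)`, which keys only on the last word of the tracepoint name, so unrelated syscalls sharing a suffix are presumably kept together. That looks like why copy_file_range and sync_file_range still get handlers in the generated file, now emitting a bare `null_event`. If that is not intended, grouping by the full syscall name would avoid emitting events that carry neither an fd nor a path.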
@@ -11,6 +11,8 @@ #define EXIT_FD_EVENT 6 #define ENTER_RET_EVENT 7 #define EXIT_RET_EVENT 8 +#define ENTER_NAME_EVENT 9 +#define EXIT_NAME_EVENT 10 struct open_enter_event { __u32 event_type; @@ -47,3 +49,13 @@ struct ret_event { __s64 ret; __u32 time; }; + +struct name_event { + __u32 event_type; + __u32 syscall_id; + __u32 pid; + __u32 tid; + __u32 time; + char oldname[MAX_FILENAME_LENGTH]; + char newname[MAX_FILENAME_LENGTH]; +}; |
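Review bot: `struct name_event` in types.h (hunk -47,3) carries an undocumented layout dependency. Every generated handler clears both buffers with a single `__builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname))`, which covers exactly the two arrays only while `newname` directly follows `oldname`. A comment on the struct such as `/* newname must directly follow oldname: handlers clear both with one memset */` would guard against a later reorder writing over other members or past the reserved ring-buffer record; alternatively the generator could clear each array separately. `EXIT_NAME_EVENT` from the hunk above is not used by any handler visible in this commit, since the exit probes emit `EXIT_RET_EVENT`.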
