summaryrefslogtreecommitdiff
path: root/internal/c
diff options
context:
space:
mode:
authorPaul Buetow <paul@buetow.org>2026-05-31 19:04:44 +0300
committerPaul Buetow <paul@buetow.org>2026-05-31 19:04:44 +0300
commitc3177bd82c16429c1bb246d19af76012479f0c01 (patch)
treef71fc68ce009295690a723b49881eed74bae0c48 /internal/c
parentc6a89452bd6872a380d4ce0dc9ec35ea0c66ef9e (diff)
getxattrat: READ-classify return for xattr-get family consistency
getxattrat(2) (Linux 6.13+) returns the xattr value size in bytes, exactly like getxattr/lgetxattr/fgetxattr, but its exit was classified UNCLASSIFIED, so its read bytes were dropped from I/O totals. Classify it as ReadClassified and regenerate the BPF handler (ret_type now READ_CLASSIFIED). Path extraction (args[1], after the dirfd) and the name-not-captured-as-path behaviour were already correct. Update the docs ReadClassified list and the retclassify expectation, and add the first xattr integration coverage: an ioworkload scenario that sets then getxattrat-reads a user xattr on tmpfs, plus a test that asserts enter_getxattrat captures the file path (not the xattr name) and accounts the returned value size as read bytes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/generated_tracepoints.c4
-rw-r--r--internal/c/generated_tracepoints_result.txt2
2 files changed, 3 insertions, 3 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 5c72813..8c76e7a 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -6372,7 +6372,7 @@ int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx) {
return 0;
}
-/// sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_getxattrat is a struct ret_event (READ_CLASSIFIED) (kind=ret)
SEC("tracepoint/syscalls/sys_exit_getxattrat")
int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
@@ -6392,7 +6392,7 @@ int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) {
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
+ ev->ret_type = READ_CLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 971f92c..0842bda 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -474,7 +474,7 @@ sys_exit_gettid is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_getuid is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
-sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_getxattrat is a struct ret_event (READ_CLASSIFIED) (kind=ret)
sys_exit_init_module is a struct null_event (kind=module)
sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_inotify_init is a struct eventfd_event (kind=eventfd)
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-16 10:17:55 +0000