authorPaul Buetow <paul@buetow.org>2026-02-21 13:59:39 +0200
committerPaul Buetow <paul@buetow.org>2026-02-21 13:59:39 +0200
commitb5792f8e23d1599dcce49bc83e5d128abee484f3 (patch)
treeef07039e4e05b23a6b41adf6b663abd0109a436b /internal/c
parent114f0cb9e6e5487fccaafb7d7065b611c8c14402 (diff)
Enable name_to_handle_at and io_uring fd attribution
Amp-Thread-ID: https://ampcode.com/threads/T-019c7fec-eec9-706a-8338-3ce674802680 Co-authored-by: Amp <amp@ampcode.com>
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/generated_tracepoints.c63
-rw-r--r--internal/c/generated_tracepoints_result.txt7
2 files changed, 60 insertions, 10 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 941e271..562a5b9 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -125,7 +125,6 @@
/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related
/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related
/// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related
-/// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related
/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related
/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
@@ -263,6 +262,8 @@
#define SYS_EXIT_IO_URING_SETUP 1493
#define SYS_ENTER_QUOTACTL_FD 1151
#define SYS_EXIT_QUOTACTL_FD 1150
+#define SYS_ENTER_NAME_TO_HANDLE_AT 1135
+#define SYS_EXIT_NAME_TO_HANDLE_AT 1134
#define SYS_ENTER_OPEN_BY_HANDLE_AT 1133
#define SYS_EXIT_OPEN_BY_HANDLE_AT 1132
#define SYS_ENTER_FLOCK 1119
@@ -480,22 +481,23 @@
#define SYS_ENTER_MMAP 100
#define SYS_EXIT_MMAP 99
-/// sys_enter_io_uring_register is a struct null_event
+/// sys_enter_io_uring_register is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_io_uring_register")
int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_FD_EVENT;
ev->trace_id = SYS_ENTER_IO_URING_REGISTER;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
bpf_ringbuf_submit(ev, 0);
return 0;
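Review bot: The value stored by `ev->fd = (__s32)ctx->args[0];` is not always a file descriptor of the calling process. When the caller uses a registered ring (IORING_ENTER_REGISTERED_RING in the io_uring_enter flags, or IORING_REGISTER_USE_REGISTERED_RING set in the io_uring_register opcode), args[0] is an index into the registered-ring table, so a consumer that resolves the fd to a path could attribute the event to an unrelated file. The same applies to handle_sys_enter_io_uring_enter in the next hunk. Even in the plain case the fd names the io_uring instance rather than the files the submitted operations touch, which deserves a comment such as `/* fd is the ring fd (or a registered-ring index), not the I/O target */`. This file is generated, so the change belongs in the generator, and the function body continues past the end of the hunk.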
@@ -524,22 +526,23 @@ int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) {
return 0;
}
-/// sys_enter_io_uring_enter is a struct null_event
+/// sys_enter_io_uring_enter is a struct fd_event
SEC("tracepoint/syscalls/sys_enter_io_uring_enter")
int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) {
__u32 pid, tid;
if (filter(&pid, &tid))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_FD_EVENT;
ev->trace_id = SYS_ENTER_IO_URING_ENTER;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->fd = (__s32)ctx->args[0];
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -657,6 +660,52 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) {
return 0;
}
+/// sys_enter_name_to_handle_at is a struct path_event
+SEC("tracepoint/syscalls/sys_enter_name_to_handle_at")
+int handle_sys_enter_name_to_handle_at(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_NAME_TO_HANDLE_AT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+/// sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED)
+SEC("tracepoint/syscalls/sys_exit_name_to_handle_at")
+int handle_sys_exit_name_to_handle_at(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_NAME_TO_HANDLE_AT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_boot_ns();
+ ev->ret = ctx->ret;
+ ev->ret_type = UNCLASSIFIED;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
/// sys_enter_open_by_handle_at is a struct open_by_handle_at_event
SEC("tracepoint/syscalls/sys_enter_open_by_handle_at")
int handle_sys_enter_open_by_handle_at(struct trace_event_raw_sys_enter *ctx) {
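Review bot: handle_sys_enter_name_to_handle_at records only `ctx->args[1]`, but name_to_handle_at resolves that pathname relative to the dirfd in args[0] and, with AT_EMPTY_PATH in the flags argument, operates on dirfd itself with an empty pathname. Such calls reach userspace as a path_event carrying a relative or empty string and nothing that identifies the file; whether path_event has room for a dirfd is not visible here, so this may need a different event struct in the generator. The return value of bpf_probe_read_user_str is also ignored, so a faulting user pointer produces the same empty pathname as a legitimate AT_EMPTY_PATH call. Prefer recording the failure in the event if the struct allows it, or otherwise release the reservation with `bpf_ringbuf_discard(ev, 0);` when the helper returns a negative value. The `__builtin_memset` before the read should stay, since reserved ring-buffer memory is not zeroed and the tail of the buffer would otherwise carry stale bytes to userspace.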
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index fb3867c..fc722c1 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -123,7 +123,6 @@ Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related
Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related
Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related
Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related
-Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related
Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related
Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related
Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related
@@ -301,8 +300,8 @@ sys_enter_io_getevents is a struct null_event
sys_enter_io_pgetevents is a struct null_event
sys_enter_io_setup is a struct null_event
sys_enter_io_submit is a struct null_event
-sys_enter_io_uring_enter is a struct null_event
-sys_enter_io_uring_register is a struct null_event
+sys_enter_io_uring_enter is a struct fd_event
+sys_enter_io_uring_register is a struct fd_event
sys_enter_io_uring_setup is a struct null_event
sys_enter_ioctl is a struct fd_event
sys_enter_lchown is a struct path_event
@@ -319,6 +318,7 @@ sys_enter_mkdir is a struct path_event
sys_enter_mkdirat is a struct path_event
sys_enter_mmap is a struct fd_event
sys_enter_mount_setattr is a struct path_event
+sys_enter_name_to_handle_at is a struct path_event
sys_enter_newfstat is a struct fd_event
sys_enter_newfstatat is a struct path_event
sys_enter_newlstat is a struct path_event
@@ -431,6 +431,7 @@ sys_exit_mkdir is a struct ret_event (UNCLASSIFIED)
sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED)
sys_exit_mmap is a struct ret_event (UNCLASSIFIED)
sys_exit_mount_setattr is a struct ret_event (UNCLASSIFIED)
+sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED)
sys_exit_newfstat is a struct ret_event (UNCLASSIFIED)
sys_exit_newfstatat is a struct ret_event (UNCLASSIFIED)
sys_exit_newlstat is a struct ret_event (UNCLASSIFIED)