| author | Paul Buetow <paul@buetow.org> | 2024-03-08 08:46:00 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-03-08 08:46:00 +0200 |
| commit | 0b94a7cced7d4bb9a44c9e9e827c4e3b09e5e8dc (patch) | |
| tree | 3401f36473884d72f88de53339def3e314cf7c1b /internal | |
| parent | b215bafceeecbe97de19fb3111dc080196224ab9 (diff) | |
as per https://codeberg.org/snonux/ioriotng/issues/19
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/c/generated/tracepoints.c | 898 | ||||
| -rw-r--r-- | internal/c/generated/tracepoints.raku | 15 | ||||
| -rw-r--r-- | internal/c/types.h | 11 | ||||
| -rw-r--r-- | internal/eventloop.go | 5 | ||||
| -rw-r--r-- | internal/file.go | 13 | ||||
| -rw-r--r-- | internal/generated/tracepoints/tracepoints.go | 40 | ||||
| -rw-r--r-- | internal/generated/types/types.go | 252 |
7 files changed, 1232 insertions, 2 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c index 89c473a..8ba2028 100644 --- a/internal/c/generated/tracepoints.c +++ b/internal/c/generated/tracepoints.c @@ -6,6 +6,8 @@ #define SYS_ENTER_CLOSE_RANGE 701 #define SYS_EXIT_CLOSE 702 #define SYS_ENTER_CLOSE 703 +#define SYS_EXIT_CREAT 704 +#define SYS_ENTER_CREAT 705 #define SYS_EXIT_FCHOWN 712 #define SYS_ENTER_FCHOWN 713 #define SYS_EXIT_FCHMOD 726 @@ -26,6 +28,8 @@ #define SYS_ENTER_READ 769 #define SYS_EXIT_LSEEK 770 #define SYS_ENTER_LSEEK 771 +#define SYS_EXIT_READLINKAT 776 +#define SYS_ENTER_READLINKAT 777 #define SYS_EXIT_NEWFSTAT 778 #define SYS_ENTER_NEWFSTAT 779 #define SYS_EXIT_RENAME 794 @@ -42,6 +46,16 @@ #define SYS_ENTER_SYMLINK 805 #define SYS_EXIT_SYMLINKAT 806 #define SYS_ENTER_SYMLINKAT 807 +#define SYS_EXIT_UNLINK 808 +#define SYS_ENTER_UNLINK 809 +#define SYS_EXIT_UNLINKAT 810 +#define SYS_ENTER_UNLINKAT 811 +#define SYS_EXIT_RMDIR 812 +#define SYS_ENTER_RMDIR 813 +#define SYS_EXIT_MKDIR 814 +#define SYS_ENTER_MKDIR 815 +#define SYS_EXIT_MKDIRAT 816 +#define SYS_ENTER_MKDIRAT 817 #define SYS_EXIT_FCNTL 822 #define SYS_ENTER_FCNTL 823 #define SYS_EXIT_IOCTL 824 @@ -50,6 +64,22 @@ #define SYS_ENTER_GETDENTS64 827 #define SYS_EXIT_GETDENTS 828 #define SYS_ENTER_GETDENTS 829 +#define SYS_EXIT_LREMOVEXATTR 862 +#define SYS_ENTER_LREMOVEXATTR 863 +#define SYS_EXIT_REMOVEXATTR 864 +#define SYS_ENTER_REMOVEXATTR 865 +#define SYS_EXIT_LLISTXATTR 868 +#define SYS_ENTER_LLISTXATTR 869 +#define SYS_EXIT_LISTXATTR 870 +#define SYS_ENTER_LISTXATTR 871 +#define SYS_EXIT_LGETXATTR 874 +#define SYS_ENTER_LGETXATTR 875 +#define SYS_EXIT_GETXATTR 876 +#define SYS_ENTER_GETXATTR 877 +#define SYS_EXIT_LSETXATTR 880 +#define SYS_ENTER_LSETXATTR 881 +#define SYS_EXIT_SETXATTR 882 +#define SYS_ENTER_SETXATTR 883 #define SYS_EXIT_SYNC_FILE_RANGE 922 #define SYS_ENTER_SYNC_FILE_RANGE 923 #define SYS_EXIT_FDATASYNC 924 
@@ -58,10 +88,20 @@ #define SYS_ENTER_FSYNC 927 #define SYS_EXIT_FSTATFS 944 #define SYS_ENTER_FSTATFS 945 +#define SYS_EXIT_STATFS 946 +#define SYS_ENTER_STATFS 947 +#define SYS_EXIT_INOTIFY_RM_WATCH 954 +#define SYS_ENTER_INOTIFY_RM_WATCH 955 +#define SYS_EXIT_INOTIFY_ADD_WATCH 956 +#define SYS_ENTER_INOTIFY_ADD_WATCH 957 +#define SYS_EXIT_FANOTIFY_MARK 962 +#define SYS_ENTER_FANOTIFY_MARK 963 #define SYS_EXIT_FLOCK 1020 #define SYS_ENTER_FLOCK 1021 #define SYS_EXIT_QUOTACTL_FD 1051 #define SYS_ENTER_QUOTACTL_FD 1052 +#define SYS_EXIT_MQ_UNLINK 1321 +#define SYS_ENTER_MQ_UNLINK 1322 #define SYS_EXIT_IO_URING_REGISTER 1377 #define SYS_ENTER_IO_URING_REGISTER 1378 #define SYS_EXIT_IO_URING_ENTER 1381 
@@ -193,6 +233,49 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_fchown") int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -613,6 +696,49 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_readlinkat") +int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_readlinkat") +int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_newfstat") int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -963,6 +1089,221 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + 
if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKDIRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_fcntl") int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -1131,6 +1472,350 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 
pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, 
sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_setxattr") +int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_sync_file_range") int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -1299,6 +1984,177 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_statfs") +int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch") +int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch") +int handle_sys_enter_inotify_rm_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_flock") int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -1383,6 +2239,48 @@ int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_mq_unlink") +int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mq_unlink") +int handle_sys_enter_mq_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_io_uring_register") int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku index ad95559..de801a7 100644 --- a/internal/c/generated/tracepoints.raku +++ b/internal/c/generated/tracepoints.raku @@ -45,8 +45,10 @@ class Format { # file descriptor passed to syscalls. has Bool $.has-fd is rw = False; - # Has tracepoint has got oldname and name + # Tracepoint has oldname/newname has Bool $.has-name is rw = False; + # Tracepoint has pathname + has Bool $.has-path is rw = False; # Syscall returns with a long value (e.g. bytes read/written) has Bool $.has-long-ret is rw = False; 
@@ -65,6 +67,8 @@ class Format { $!has-fd = True; } elsif (field.name eq 'newname' && field.type eq 'const char *') { $!has-name = True; + } elsif (field.name eq 'pathname' && field.type eq 'const char *') { + $!has-path = True; } elsif (field.name eq 'ret' && field.type eq 'long') { $.has-long-ret = True; } @@ -85,6 +89,7 @@ class Format { my \event-struct = do if $!has-fd { 'fd_event' } elsif $!has-long-ret { 'ret_event' } elsif $!has-name { 'name_event' } + elsif $!has-path { 'path_event' } else { 'null_event' }; my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' } elsif $!has-long-ret { 'ev->ret = ctx->ret;' } @@ -96,6 +101,12 @@ class Format { bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-index}]); bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-index}]); END + } elsif $!has-path { + my Int \pathname-index = self!field-number('pathname'); + qq:to/END/.trim-trailing; + __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]); + END } else { '' }; qq:to/END/; @@ -154,7 +165,7 @@ my Format @formats = gather for SysTraceFormat .parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made # For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open .classify(*.name.split('_').tail).values - .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) }) -> @_ { .take for @_ } + .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) || $_.grep(*.has-path) }) -> @_ { .take for @_ } @formats .= sort(*.id); diff --git a/internal/c/types.h b/internal/c/types.h index 017e1fb..b2cb1fa 100644 --- a/internal/c/types.h +++ b/internal/c/types.h @@ -13,6 +13,8 @@ #define EXIT_RET_EVENT 8 #define ENTER_NAME_EVENT 9 #define EXIT_NAME_EVENT 10 +#define ENTER_PATH_EVENT 11 +#define EXIT_PATH_EVENT 12 struct open_event { __u32 event_type; 
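Review bot: The new `has-path` branch of the template (hunk `@@ -96,6 +101,12 @@`) discards the return value of `bpf_probe_read_user_str`, so a failed read is submitted as an all-zero `pathname` that a consumer cannot tell apart from an empty string, and a path longer than `sizeof(ev->pathname)` is cut off without any marker. The string is also copied from user memory at syscall entry, so it records what the buffer held at that moment, which is not necessarily what the kernel later resolved. I would state this next to the branch, e.g. `# pathname is a user-memory snapshot taken at sys_enter: empty if the read fails, truncated at MAX_FILENAME_LENGTH`. The enclosing method starts and ends outside the hunk.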
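Review bot: The filter in hunk `@@ -154,7 +165,7 @@` keeps a whole group as soon as one member has `has-path`, but the groups are keyed on `*.name.split('_').tail`, which is only the last underscore-separated token of the tracepoint name. That appears to be why this commit also generates handlers for `mq_unlink` (grouped with `unlink`) and `inotify_rm_watch` (grouped with `inotify_add_watch`), both of which fall through to `null_event` and record no argument. If the intent is the enter/exit pairing described in the comment above the pipeline, keying on the name with its `sys_enter_`/`sys_exit_` prefix removed would pair exactly those two, e.g. `.classify(*.name.subst(/^ 'sys_' [enter|exit] '_'/, ''))`. This should be checked against the fd-based groups that are generated today before changing it.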
@@ -59,3 +61,12 @@ struct name_event { char oldname[MAX_FILENAME_LENGTH]; char newname[MAX_FILENAME_LENGTH]; }; + +struct path_event { + __u32 event_type; + __u32 trace_id; + __u32 pid; + __u32 tid; + __u32 time; + char pathname[MAX_FILENAME_LENGTH]; +}; diff --git a/internal/eventloop.go b/internal/eventloop.go index 2ebd01c..d3f91b8 100644 --- a/internal/eventloop.go +++ b/internal/eventloop.go @@ -72,6 +72,11 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent { } ev.comm, _ = comms[ev.enterEv.GetTid()] + case *PathEvent: + nameEvent := ev.enterEv.(*PathEvent) + ev.file = pathnameFile{string(nameEvent.Pathname[:])} + ev.comm, _ = comms[ev.enterEv.GetTid()] + case *FdEvent: fd := ev.enterEv.(*FdEvent).Fd if file_, ok := files[fd]; ok { diff --git a/internal/file.go b/internal/file.go index 81fe43d..72fe57e 100644 --- a/internal/file.go +++ b/internal/file.go @@ -43,3 +43,16 @@ func (f oldnameNewnameFile) String() string { return sb.String() } + +type pathnameFile struct { + pathname string +} + +func (f pathnameFile) String() string { + var sb strings.Builder + + sb.WriteString("pathname:") + sb.WriteString(f.pathname) + + return sb.String() +} diff --git a/internal/generated/tracepoints/tracepoints.go b/internal/generated/tracepoints/tracepoints.go index 22eed77..7495274 100644 --- a/internal/generated/tracepoints/tracepoints.go +++ b/internal/generated/tracepoints/tracepoints.go @@ -8,6 +8,8 @@ var List = []string{ "sys_enter_close_range", "sys_exit_close", "sys_enter_close", + "sys_exit_creat", + "sys_enter_creat", "sys_exit_fchown", "sys_enter_fchown", "sys_exit_fchmod", @@ -28,6 +30,8 @@ var List = []string{ "sys_enter_read", "sys_exit_lseek", "sys_enter_lseek", + "sys_exit_readlinkat", + "sys_enter_readlinkat", "sys_exit_newfstat", "sys_enter_newfstat", "sys_exit_rename", 
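Review bot: `path_event.time` is declared `__u32`, while every new handler assigns `bpf_ktime_get_ns() / 1000` to it, so the microsecond timestamp is truncated to 32 bits and wraps about every 71 minutes. Enter/exit deltas still come out right with unsigned arithmetic, but ordering or correlating events over a longer trace does not; if that matters, `__u64 time;` avoids it, though the other event structs are not visible in this hunk and may share the same layout. The struct also carries no directory fd, so events from `unlinkat`, `mkdirat` and `readlinkat` hold a possibly relative `pathname` with nothing to resolve it against. A short comment on the struct stating both limits would help anyone reading the trace output.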
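Review bot: `string(nameEvent.Pathname[:])` in the new `*PathEvent` case converts the whole fixed-size array, so the pathname keeps the NUL padding that the BPF side writes with `__builtin_memset`, and, unless something downstream trims it, every `pathname:` record carries trailing zero bytes. Cutting at the first NUL fixes it: `b := pathEv.Pathname[:]; if i := bytes.IndexByte(b, 0); i >= 0 { b = b[:i] }` followed by `ev.file = pathnameFile{string(b)}`; this needs the `bytes` import, which is outside the hunk. The local is also named `nameEvent` although it holds a `*PathEvent`. The `events` function starts and ends outside the hunk.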
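Review bot: `pathnameFile.String()` writes the pathname verbatim, and that value is copied from the traced process's memory, so it can contain newlines or other control characters. If the output is consumed line by line, a crafted file name could split or imitate a record; quoting the value with `sb.WriteString(strconv.Quote(f.pathname))` keeps one event on one line. That needs the `strconv` import, and the existing `oldnameNewnameFile` formatter would want the same treatment for consistency.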
@@ -44,6 +48,16 @@ var List = []string{ "sys_enter_symlink", "sys_exit_symlinkat", "sys_enter_symlinkat", + "sys_exit_unlink", + "sys_enter_unlink", + "sys_exit_unlinkat", + "sys_enter_unlinkat", + "sys_exit_rmdir", + "sys_enter_rmdir", + "sys_exit_mkdir", + "sys_enter_mkdir", + "sys_exit_mkdirat", + "sys_enter_mkdirat", "sys_exit_fcntl", "sys_enter_fcntl", "sys_exit_ioctl", @@ -52,6 +66,22 @@ var List = []string{ "sys_enter_getdents64", "sys_exit_getdents", "sys_enter_getdents", + "sys_exit_lremovexattr", + "sys_enter_lremovexattr", + "sys_exit_removexattr", + "sys_enter_removexattr", + "sys_exit_llistxattr", + "sys_enter_llistxattr", + "sys_exit_listxattr", + "sys_enter_listxattr", + "sys_exit_lgetxattr", + "sys_enter_lgetxattr", + "sys_exit_getxattr", + "sys_enter_getxattr", + "sys_exit_lsetxattr", + "sys_enter_lsetxattr", + "sys_exit_setxattr", + "sys_enter_setxattr", "sys_exit_sync_file_range", "sys_enter_sync_file_range", "sys_exit_fdatasync", @@ -60,10 +90,20 @@ var List = []string{ "sys_enter_fsync", "sys_exit_fstatfs", "sys_enter_fstatfs", + "sys_exit_statfs", + "sys_enter_statfs", + "sys_exit_inotify_rm_watch", + "sys_enter_inotify_rm_watch", + "sys_exit_inotify_add_watch", + "sys_enter_inotify_add_watch", + "sys_exit_fanotify_mark", + "sys_enter_fanotify_mark", "sys_exit_flock", "sys_enter_flock", "sys_exit_quotactl_fd", "sys_enter_quotactl_fd", + "sys_exit_mq_unlink", + "sys_enter_mq_unlink", "sys_exit_io_uring_register", "sys_enter_io_uring_register", "sys_exit_io_uring_enter", diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go index 8925056..5830dd3 100644 --- a/internal/generated/types/types.go +++ b/internal/generated/types/types.go @@ -25,6 +25,10 @@ func (s TraceId) String() string { return "exit_close" case SYS_ENTER_CLOSE: return "enter_close" + case SYS_EXIT_CREAT: + return "exit_creat" + case SYS_ENTER_CREAT: + return "enter_creat" case SYS_EXIT_FCHOWN: return "exit_fchown" case SYS_ENTER_FCHOWN: 
@@ -65,6 +69,10 @@ func (s TraceId) String() string { return "exit_lseek" case SYS_ENTER_LSEEK: return "enter_lseek" + case SYS_EXIT_READLINKAT: + return "exit_readlinkat" + case SYS_ENTER_READLINKAT: + return "enter_readlinkat" case SYS_EXIT_NEWFSTAT: return "exit_newfstat" case SYS_ENTER_NEWFSTAT: @@ -97,6 +105,26 @@ func (s TraceId) String() string { return "exit_symlinkat" case SYS_ENTER_SYMLINKAT: return "enter_symlinkat" + case SYS_EXIT_UNLINK: + return "exit_unlink" + case SYS_ENTER_UNLINK: + return "enter_unlink" + case SYS_EXIT_UNLINKAT: + return "exit_unlinkat" + case SYS_ENTER_UNLINKAT: + return "enter_unlinkat" + case SYS_EXIT_RMDIR: + return "exit_rmdir" + case SYS_ENTER_RMDIR: + return "enter_rmdir" + case SYS_EXIT_MKDIR: + return "exit_mkdir" + case SYS_ENTER_MKDIR: + return "enter_mkdir" + case SYS_EXIT_MKDIRAT: + return "exit_mkdirat" + case SYS_ENTER_MKDIRAT: + return "enter_mkdirat" case SYS_EXIT_FCNTL: return "exit_fcntl" case SYS_ENTER_FCNTL: 
@@ -113,6 +141,38 @@ func (s TraceId) String() string { return "exit_getdents" case SYS_ENTER_GETDENTS: return "enter_getdents" + case SYS_EXIT_LREMOVEXATTR: + return "exit_lremovexattr" + case SYS_ENTER_LREMOVEXATTR: + return "enter_lremovexattr" + case SYS_EXIT_REMOVEXATTR: + return "exit_removexattr" + case SYS_ENTER_REMOVEXATTR: + return "enter_removexattr" + case SYS_EXIT_LLISTXATTR: + return "exit_llistxattr" + case SYS_ENTER_LLISTXATTR: + return "enter_llistxattr" + case SYS_EXIT_LISTXATTR: + return "exit_listxattr" + case SYS_ENTER_LISTXATTR: + return "enter_listxattr" + case SYS_EXIT_LGETXATTR: + return "exit_lgetxattr" + case SYS_ENTER_LGETXATTR: + return "enter_lgetxattr" + case SYS_EXIT_GETXATTR: + return "exit_getxattr" + case SYS_ENTER_GETXATTR: + return "enter_getxattr" + case SYS_EXIT_LSETXATTR: + return "exit_lsetxattr" + case SYS_ENTER_LSETXATTR: + return "enter_lsetxattr" + case SYS_EXIT_SETXATTR: + return "exit_setxattr" + case SYS_ENTER_SETXATTR: + return "enter_setxattr" case SYS_EXIT_SYNC_FILE_RANGE: return "exit_sync_file_range" case SYS_ENTER_SYNC_FILE_RANGE: @@ -129,6 +189,22 @@ func (s TraceId) String() string { return "exit_fstatfs" case SYS_ENTER_FSTATFS: return "enter_fstatfs" + case SYS_EXIT_STATFS: + return "exit_statfs" + case SYS_ENTER_STATFS: + return "enter_statfs" + case SYS_EXIT_INOTIFY_RM_WATCH: + return "exit_inotify_rm_watch" + case SYS_ENTER_INOTIFY_RM_WATCH: + return "enter_inotify_rm_watch" + case SYS_EXIT_INOTIFY_ADD_WATCH: + return "exit_inotify_add_watch" + case SYS_ENTER_INOTIFY_ADD_WATCH: + return "enter_inotify_add_watch" + case SYS_EXIT_FANOTIFY_MARK: + return "exit_fanotify_mark" + case SYS_ENTER_FANOTIFY_MARK: + return "enter_fanotify_mark" case SYS_EXIT_FLOCK: return "exit_flock" case SYS_ENTER_FLOCK: 
@@ -137,6 +213,10 @@ func (s TraceId) String() string { return "exit_quotactl_fd" case SYS_ENTER_QUOTACTL_FD: return "enter_quotactl_fd" + case SYS_EXIT_MQ_UNLINK: + return "exit_mq_unlink" + case SYS_ENTER_MQ_UNLINK: + return "enter_mq_unlink" case SYS_EXIT_IO_URING_REGISTER: return "exit_io_uring_register" case SYS_ENTER_IO_URING_REGISTER: @@ -172,6 +252,10 @@ func (s TraceId) Name() string { return "close" case SYS_ENTER_CLOSE: return "close" + case SYS_EXIT_CREAT: + return "creat" + case SYS_ENTER_CREAT: + return "creat" case SYS_EXIT_FCHOWN: return "fchown" case SYS_ENTER_FCHOWN: @@ -212,6 +296,10 @@ func (s TraceId) Name() string { return "lseek" case SYS_ENTER_LSEEK: return "lseek" + case SYS_EXIT_READLINKAT: + return "readlinkat" + case SYS_ENTER_READLINKAT: + return "readlinkat" case SYS_EXIT_NEWFSTAT: return "newfstat" case SYS_ENTER_NEWFSTAT: @@ -244,6 +332,26 @@ func (s TraceId) Name() string { return "symlinkat" case SYS_ENTER_SYMLINKAT: return "symlinkat" + case SYS_EXIT_UNLINK: + return "unlink" + case SYS_ENTER_UNLINK: + return "unlink" + case SYS_EXIT_UNLINKAT: + return "unlinkat" + case SYS_ENTER_UNLINKAT: + return "unlinkat" + case SYS_EXIT_RMDIR: + return "rmdir" + case SYS_ENTER_RMDIR: + return "rmdir" + case SYS_EXIT_MKDIR: + return "mkdir" + case SYS_ENTER_MKDIR: + return "mkdir" + case SYS_EXIT_MKDIRAT: + return "mkdirat" + case SYS_ENTER_MKDIRAT: + return "mkdirat" case SYS_EXIT_FCNTL: return "fcntl" case SYS_ENTER_FCNTL: 
@@ -260,6 +368,38 @@ func (s TraceId) Name() string { return "getdents" case SYS_ENTER_GETDENTS: return "getdents" + case SYS_EXIT_LREMOVEXATTR: + return "lremovexattr" + case SYS_ENTER_LREMOVEXATTR: + return "lremovexattr" + case SYS_EXIT_REMOVEXATTR: + return "removexattr" + case SYS_ENTER_REMOVEXATTR: + return "removexattr" + case SYS_EXIT_LLISTXATTR: + return "llistxattr" + case SYS_ENTER_LLISTXATTR: + return "llistxattr" + case SYS_EXIT_LISTXATTR: + return "listxattr" + case SYS_ENTER_LISTXATTR: + return "listxattr" + case SYS_EXIT_LGETXATTR: + return "lgetxattr" + case SYS_ENTER_LGETXATTR: + return "lgetxattr" + case SYS_EXIT_GETXATTR: + return "getxattr" + case SYS_ENTER_GETXATTR: + return "getxattr" + case SYS_EXIT_LSETXATTR: + return "lsetxattr" + case SYS_ENTER_LSETXATTR: + return "lsetxattr" + case SYS_EXIT_SETXATTR: + return "setxattr" + case SYS_ENTER_SETXATTR: + return "setxattr" case SYS_EXIT_SYNC_FILE_RANGE: return "sync_file_range" case SYS_ENTER_SYNC_FILE_RANGE: @@ -276,6 +416,22 @@ func (s TraceId) Name() string { return "fstatfs" case SYS_ENTER_FSTATFS: return "fstatfs" + case SYS_EXIT_STATFS: + return "statfs" + case SYS_ENTER_STATFS: + return "statfs" + case SYS_EXIT_INOTIFY_RM_WATCH: + return "inotify_rm_watch" + case SYS_ENTER_INOTIFY_RM_WATCH: + return "inotify_rm_watch" + case SYS_EXIT_INOTIFY_ADD_WATCH: + return "inotify_add_watch" + case SYS_ENTER_INOTIFY_ADD_WATCH: + return "inotify_add_watch" + case SYS_EXIT_FANOTIFY_MARK: + return "fanotify_mark" + case SYS_ENTER_FANOTIFY_MARK: + return "fanotify_mark" case SYS_EXIT_FLOCK: return "flock" case SYS_ENTER_FLOCK: @@ -284,6 +440,10 @@ func (s TraceId) Name() string { return "quotactl_fd" case SYS_ENTER_QUOTACTL_FD: return "quotactl_fd" + case SYS_EXIT_MQ_UNLINK: + return "mq_unlink" + case SYS_ENTER_MQ_UNLINK: + return "mq_unlink" case SYS_EXIT_IO_URING_REGISTER: return "io_uring_register" case SYS_ENTER_IO_URING_REGISTER: 
@@ -317,6 +477,8 @@ const ENTER_RET_EVENT = 7 const EXIT_RET_EVENT = 8 const ENTER_NAME_EVENT = 9 const EXIT_NAME_EVENT = 10 +const ENTER_PATH_EVENT = 11 +const EXIT_PATH_EVENT = 12 type OpenEvent struct { EventType EventType @@ -569,12 +731,64 @@ func (n *NameEvent) Recycle() { poolOfNameEvents.Put(n) } +type PathEvent struct { + EventType EventType + TraceId TraceId + Pid uint32 + Tid uint32 + Time uint32 + Pathname [MAX_FILENAME_LENGTH]byte +} + +func (p PathEvent) String() string { + return fmt.Sprintf("EventType:%v TraceId:%v Pid:%v Tid:%v Time:%v Pathname:%v", p.EventType, p.TraceId, p.Pid, p.Tid, p.Time, string(p.Pathname[:])) +} + +func (p *PathEvent) GetEventType() EventType { + return p.EventType +} + +func (p *PathEvent) GetTraceId() TraceId { + return p.TraceId +} + +func (p *PathEvent) GetPid() uint32 { + return p.Pid +} + +func (p *PathEvent) GetTid() uint32 { + return p.Tid +} + +func (p *PathEvent) GetTime() uint32 { + return p.Time +} + +var poolOfPathEvents = sync.Pool{ + New: func() interface{} { return &PathEvent{} }, +} + +func NewPathEvent(raw []byte) *PathEvent { + p := poolOfPathEvents.Get().(*PathEvent) + if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, p); err != nil { + fmt.Println(p, raw, len(raw), err) + panic(raw) + } + return p +} + +func (p *PathEvent) Recycle() { + poolOfPathEvents.Put(p) +} + const SYS_EXIT_CACHESTAT TraceId = 527 const SYS_ENTER_CACHESTAT TraceId = 528 const SYS_EXIT_CLOSE_RANGE TraceId = 700 const SYS_ENTER_CLOSE_RANGE TraceId = 701 const SYS_EXIT_CLOSE TraceId = 702 const SYS_ENTER_CLOSE TraceId = 703 +const SYS_EXIT_CREAT TraceId = 704 +const SYS_ENTER_CREAT TraceId = 705 const SYS_EXIT_FCHOWN TraceId = 712 const SYS_ENTER_FCHOWN TraceId = 713 const SYS_EXIT_FCHMOD TraceId = 726 
@@ -595,6 +809,8 @@ const SYS_EXIT_READ TraceId = 768 const SYS_ENTER_READ TraceId = 769 const SYS_EXIT_LSEEK TraceId = 770 const SYS_ENTER_LSEEK TraceId = 771 +const SYS_EXIT_READLINKAT TraceId = 776 +const SYS_ENTER_READLINKAT TraceId = 777 const SYS_EXIT_NEWFSTAT TraceId = 778 const SYS_ENTER_NEWFSTAT TraceId = 779 const SYS_EXIT_RENAME TraceId = 794 @@ -611,6 +827,16 @@ const SYS_EXIT_SYMLINK TraceId = 804 const SYS_ENTER_SYMLINK TraceId = 805 const SYS_EXIT_SYMLINKAT TraceId = 806 const SYS_ENTER_SYMLINKAT TraceId = 807 +const SYS_EXIT_UNLINK TraceId = 808 +const SYS_ENTER_UNLINK TraceId = 809 +const SYS_EXIT_UNLINKAT TraceId = 810 +const SYS_ENTER_UNLINKAT TraceId = 811 +const SYS_EXIT_RMDIR TraceId = 812 +const SYS_ENTER_RMDIR TraceId = 813 +const SYS_EXIT_MKDIR TraceId = 814 +const SYS_ENTER_MKDIR TraceId = 815 +const SYS_EXIT_MKDIRAT TraceId = 816 +const SYS_ENTER_MKDIRAT TraceId = 817 const SYS_EXIT_FCNTL TraceId = 822 const SYS_ENTER_FCNTL TraceId = 823 const SYS_EXIT_IOCTL TraceId = 824 @@ -619,6 +845,22 @@ const SYS_EXIT_GETDENTS64 TraceId = 826 const SYS_ENTER_GETDENTS64 TraceId = 827 const SYS_EXIT_GETDENTS TraceId = 828 const SYS_ENTER_GETDENTS TraceId = 829 +const SYS_EXIT_LREMOVEXATTR TraceId = 862 +const SYS_ENTER_LREMOVEXATTR TraceId = 863 +const SYS_EXIT_REMOVEXATTR TraceId = 864 +const SYS_ENTER_REMOVEXATTR TraceId = 865 +const SYS_EXIT_LLISTXATTR TraceId = 868 +const SYS_ENTER_LLISTXATTR TraceId = 869 +const SYS_EXIT_LISTXATTR TraceId = 870 +const SYS_ENTER_LISTXATTR TraceId = 871 +const SYS_EXIT_LGETXATTR TraceId = 874 +const SYS_ENTER_LGETXATTR TraceId = 875 +const SYS_EXIT_GETXATTR TraceId = 876 +const SYS_ENTER_GETXATTR TraceId = 877 +const SYS_EXIT_LSETXATTR TraceId = 880 +const SYS_ENTER_LSETXATTR TraceId = 881 +const SYS_EXIT_SETXATTR TraceId = 882 +const SYS_ENTER_SETXATTR TraceId = 883 const SYS_EXIT_SYNC_FILE_RANGE TraceId = 922 const SYS_ENTER_SYNC_FILE_RANGE TraceId = 923 const SYS_EXIT_FDATASYNC TraceId = 924 
@@ -627,10 +869,20 @@ const SYS_EXIT_FSYNC TraceId = 926 const SYS_ENTER_FSYNC TraceId = 927 const SYS_EXIT_FSTATFS TraceId = 944 const SYS_ENTER_FSTATFS TraceId = 945 +const SYS_EXIT_STATFS TraceId = 946 +const SYS_ENTER_STATFS TraceId = 947 +const SYS_EXIT_INOTIFY_RM_WATCH TraceId = 954 +const SYS_ENTER_INOTIFY_RM_WATCH TraceId = 955 +const SYS_EXIT_INOTIFY_ADD_WATCH TraceId = 956 +const SYS_ENTER_INOTIFY_ADD_WATCH TraceId = 957 +const SYS_EXIT_FANOTIFY_MARK TraceId = 962 +const SYS_ENTER_FANOTIFY_MARK TraceId = 963 const SYS_EXIT_FLOCK TraceId = 1020 const SYS_ENTER_FLOCK TraceId = 1021 const SYS_EXIT_QUOTACTL_FD TraceId = 1051 const SYS_ENTER_QUOTACTL_FD TraceId = 1052 +const SYS_EXIT_MQ_UNLINK TraceId = 1321 +const SYS_ENTER_MQ_UNLINK TraceId = 1322 const SYS_EXIT_IO_URING_REGISTER TraceId = 1377 const SYS_ENTER_IO_URING_REGISTER TraceId = 1378 const SYS_EXIT_IO_URING_ENTER TraceId = 1381 |
