authorPaul Buetow <paul@buetow.org>2026-05-21 17:43:18 +0300
committerPaul Buetow <paul@buetow.org>2026-05-21 17:43:18 +0300
commit11394edddbb8f02208edb18e06ae40b6912742f4 (patch)
tree6008d4ae3551a24d8f412d4710dad78c6d650fd7 /internal
parent8b38c88cc86adb9240473523c59d9b4a83f5437d (diff)
e7 classify acct pathname and misc null syscalls
Diffstat (limited to 'internal')
-rw-r--r--internal/c/generated_tracepoints.c8
-rw-r--r--internal/c/generated_tracepoints_result.txt2
-rw-r--r--internal/generate/classify.go42
-rw-r--r--internal/generate/classify_test.go55
-rw-r--r--internal/tracepoints/generated_tracepoints.go2
5 files changed, 104 insertions, 5 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 78f29c7..f1602e5 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -13488,7 +13488,7 @@ int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_acct is a struct null_event (kind=null)
+/// sys_enter_acct is a struct path_event (kind=pathname)
SEC("tracepoint/syscalls/sys_enter_acct")
int handle_sys_enter_acct(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -13498,15 +13498,17 @@ int handle_sys_enter_acct(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCT))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_PATH_EVENT;
ev->trace_id = SYS_ENTER_ACCT;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
bpf_ringbuf_submit(ev, 0);
return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 43b33d5..5c13a75 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -1,7 +1,7 @@
sys_enter_accept is a struct accept_event (kind=accept)
sys_enter_accept4 is a struct accept_event (kind=accept)
sys_enter_access is a struct path_event (kind=pathname)
-sys_enter_acct is a struct null_event (kind=null)
+sys_enter_acct is a struct path_event (kind=pathname)
sys_enter_add_key is a struct keyctl_event (kind=keyctl)
sys_enter_adjtimex is a struct null_event (kind=null)
sys_enter_alarm is a struct null_event (kind=null)
diff --git a/internal/generate/classify.go b/internal/generate/classify.go
index e2b71f4..4ab63ad 100644
--- a/internal/generate/classify.go
+++ b/internal/generate/classify.go
@@ -480,6 +480,44 @@ func classifyNameOnly(name string) (ClassificationResult, bool) {
return ClassificationResult{Kind: KindNull}, true
case "sys_enter_kexec_load":
return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_sysinfo":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_sysfs":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_ustat":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_newuname":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_sethostname":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_setdomainname":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_capget":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_capset":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_personality":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_reboot":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_restart_syscall":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_vhangup":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_arch_prctl":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_ioperm":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_iopl":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_modify_ldt":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_lsm_get_self_attr":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_lsm_set_self_attr":
+ return ClassificationResult{Kind: KindNull}, true
+ case "sys_enter_lsm_list_modules":
+ return ClassificationResult{Kind: KindNull}, true
}
if strings.HasPrefix(name, "sys_enter_io_") {
return ClassificationResult{Kind: KindNull}, true
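Review bot: The nineteen arms added to classifyNameOnly are identical, so they would read better as one multi-value case, `case "sys_enter_sysinfo", "sys_enter_sysfs", …, "sys_enter_lsm_list_modules":`, followed by a single `return ClassificationResult{Kind: KindNull}, true`. The list also mixes read-only queries (sysinfo, newuname, capget) with privileged state changes (capset, reboot, sethostname, setdomainname, ioperm, iopl, lsm_set_self_attr). Judging by the null_event handler lines visible elsewhere in this commit, KindNull appears to record only the trace id, pid, tid and time, so the arguments of those calls are not captured. If that is the intent, a comment above the case such as `// No path or fd argument of interest to the tracer; arguments are intentionally not recorded.` would make it a stated decision. The function starts before and continues after this hunk.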
@@ -519,6 +557,10 @@ func classifyNameAndField(name, fieldType, fieldName string) (ClassificationResu
if isCStringPtrType(fieldType) && fieldName == "name" {
return ClassificationResult{Kind: KindPathname, PathnameField: "name"}, true
}
+ case "sys_enter_acct":
+ if isCStringPtrType(fieldType) && fieldName == "name" {
+ return ClassificationResult{Kind: KindPathname, PathnameField: "name"}, true
+ }
case "sys_enter_pivot_root":
if isCStringPtrType(fieldType) && fieldName == "new_root" {
return ClassificationResult{Kind: KindPathname, PathnameField: "new_root"}, true
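Review bot: The new `sys_enter_acct` arm says nothing about acct(2) being called with a NULL filename, which is the documented way to switch process accounting off. The handler generated from this classification (internal/c/generated_tracepoints.c in this commit) zeroes `ev->pathname` and ignores the return value of `bpf_probe_read_user_str`, so a NULL or unreadable pointer yields a path_event with an empty pathname. That looks safe, but it is worth documenting here, e.g. `// acct(NULL) disables accounting; the event then carries an empty pathname.`, so consumers do not treat the empty string as a real path. The arm's body is also the same as the one directly above it, so the two labels could probably share one case; that case's label is outside the hunk.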
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 323db06..b35f1b1 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -867,6 +867,61 @@ func TestClassifyA7NameOnlyKinds(t *testing.T) {
}
}
+func TestClassifyE7NullNameOnlyKinds(t *testing.T) {
+ tests := []string{
+ "sys_enter_sysinfo",
+ "sys_enter_sysfs",
+ "sys_enter_ustat",
+ "sys_enter_newuname",
+ "sys_enter_sethostname",
+ "sys_enter_setdomainname",
+ "sys_enter_capget",
+ "sys_enter_capset",
+ "sys_enter_personality",
+ "sys_enter_reboot",
+ "sys_enter_restart_syscall",
+ "sys_enter_vhangup",
+ "sys_enter_arch_prctl",
+ "sys_enter_ioperm",
+ "sys_enter_iopl",
+ "sys_enter_modify_ldt",
+ "sys_enter_lsm_get_self_attr",
+ "sys_enter_lsm_set_self_attr",
+ "sys_enter_lsm_list_modules",
+ }
+
+ for _, name := range tests {
+ t.Run(name, func(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: name,
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "arg0"},
+ },
+ })
+ if r.Kind != KindNull {
+ t.Fatalf("%s: got kind %d, want KindNull", name, r.Kind)
+ }
+ })
+ }
+}
+
+func TestClassifyAcctPathname(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: "sys_enter_acct",
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "const char *", Name: "name"},
+ },
+ })
+ if r.Kind != KindPathname {
+ t.Fatalf("acct: got kind %d, want KindPathname", r.Kind)
+ }
+ if r.PathnameField != "name" {
+ t.Fatalf("acct: PathnameField=%q, want name", r.PathnameField)
+ }
+}
+
func TestClassifyMount(t *testing.T) {
r := classifyFromData(t, FormatMount)
if r.Kind != KindPathname {
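Review bot: TestClassifyAcctPathname pins only the matching shape (a `const char *` field called `name`); nothing covers what ClassifyFormat returns for sys_enter_acct when the guard in classifyNameAndField fails, for example a field named `name` with type `long`. A second case asserting the expected fallback kind would catch a silent reclassification if the tracepoint format or the guard changes. In TestClassifyE7NullNameOnlyKinds the `%s: ` prefix in `t.Fatalf` repeats the subtest name that `t.Run(name, …)` already prints, so `t.Fatalf("got kind %d, want KindNull", r.Kind)` is enough. TestClassifyMount at the end of the hunk is context and continues outside it.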
diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go
index a144a08..b90bcdf 100644
--- a/internal/tracepoints/generated_tracepoints.go
+++ b/internal/tracepoints/generated_tracepoints.go
@@ -1112,7 +1112,7 @@ var syscallKinds = map[string]string{
"accept": "accept",
"accept4": "accept",
"access": "pathname",
- "acct": "null",
+ "acct": "pathname",
"add_key": "keyctl",
"adjtimex": "null",
"alarm": "null",