authorPaul Buetow <paul@buetow.org>2024-02-22 22:58:21 +0200
committerPaul Buetow <paul@buetow.org>2024-02-22 22:58:21 +0200
commit1621b01ae9a47ab27c5b83237d37595695d32cbb (patch)
tree4a8d83794441da8fa573e8a15f43e7bc8a44e886 /internal
parentc1b4bee6c93265139974b1e5cf065d3f82a7154b (diff)
filter sets pid and tid
Diffstat (limited to 'internal')
-rw-r--r--internal/c/filter.c15
-rw-r--r--internal/c/tracepoints/close.c12
-rw-r--r--internal/c/tracepoints/open.c12
-rw-r--r--internal/c/tracepoints/write.c12
-rw-r--r--internal/c/types.h14
-rw-r--r--internal/eventloop.go12
-rw-r--r--internal/generated/types/types.go33
7 files changed, 61 insertions, 49 deletions
diff --git a/internal/c/filter.c b/internal/c/filter.c
index 93497c7..f30611a 100644
--- a/internal/c/filter.c
+++ b/internal/c/filter.c
@@ -1,13 +1,20 @@
//+build ignore
-static __always_inline int filter() {
- if ((bpf_get_current_pid_tgid() >> 32) == PID_FILTER)
- return 0;
+#define ACCEPT 0
+#define FILTER 1
+
+static __always_inline int filter(__u32 *pid, __u32 *tid) {
+ u64 pid_tgid = bpf_get_current_pid_tgid();
+ *pid = pid_tgid >> 32;
+ *tid = pid_tgid & 0xFFFFFFFF;
+
+ if (*pid == PID_FILTER)
+ return ACCEPT;
/*
if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) == UID_FILTER)
return 0;
*/
- return 1;
+ return FILTER;
}
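Review bot: The return contract of the new `filter(__u32 *pid, __u32 *tid)` reads backwards from its name, because `ACCEPT` is 0 and every caller treats a non-zero result as "drop this event", so the definition needs a header comment such as `/* Always writes the calling task's pid (tgid) and tid; returns ACCEPT (0) when the task matches PID_FILTER and should be traced, FILTER (1) when the event is to be skipped. */`. The new local is declared `u64` while the out-parameters use the `__u32` kernel spelling; `__u64 pid_tgid = bpf_get_current_pid_tgid();` keeps the file on one typedef family (assuming both spellings come from the included headers, which are outside the hunk). The commented-out UID check kept at the end of the hunk refers to `UID_FILTER`, yet this same commit deletes `struct flags { __u32 uid_filter; }` from types.h and `Flags` from types.go, so the dead block should either be removed or carry a note saying what is meant to replace it.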
diff --git a/internal/c/tracepoints/close.c b/internal/c/tracepoints/close.c
index 5e9504b..199a6fa 100644
--- a/internal/c/tracepoints/close.c
+++ b/internal/c/tracepoints/close.c
@@ -2,7 +2,8 @@
SEC("tracepoint/syscalls/sys_enter_close")
int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
return 0;
struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
@@ -10,7 +11,8 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
return 0;
ev->op_id = CLOSE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->pid = pid;
+ ev->tid = tid;
ev->time = bpf_ktime_get_ns();
ev->fd = (int)ctx->args[0];
@@ -20,7 +22,8 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
SEC("tracepoint/syscalls/sys_exit_close")
int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
return 0;
struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
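Review bot: The new `__u32 pid, tid;` locals in `handle_exit_close` (and in the other seven handlers of close.c, open.c and write.c) are never assigned in the handler itself and are only valid because `filter()` writes both before any of its returns; a one-line comment at the declaration, `/* filled in by filter() on every path */`, would make that dependency visible to a reader who does not have filter.c open. While touching this line, note that `handle_exit_close` takes `struct trace_event_raw_sys_enter *ctx` for a `sys_exit_close` tracepoint, whereas the open.c hunk types its exit handler as `struct trace_event_raw_sys_exit *ctx`; this is pre-existing context here and in `handle_exit_write`, but the two files should agree. The handler bodies continue past the end of the hunk.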
@@ -28,7 +31,8 @@ int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
return 0;
ev->op_id = CLOSE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->pid = pid;
+ ev->tid = tid;
ev->time = bpf_ktime_get_ns();
bpf_ringbuf_submit(ev, 0);
diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c
index f3b3a21..24f94b8 100644
--- a/internal/c/tracepoints/open.c
+++ b/internal/c/tracepoints/open.c
@@ -1,7 +1,8 @@
//+build ignore
static __always_inline int _handle_enter_open(struct trace_event_raw_sys_enter *ctx, __u32 op_id) {
- if (filter())
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
return 0;
struct open_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_enter_event), 0);
@@ -9,7 +10,8 @@ static __always_inline int _handle_enter_open(struct trace_event_raw_sys_enter *
return 0;
ev->op_id = op_id;
- ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->pid = pid;
+ ev->tid = tid;
ev->time = bpf_ktime_get_ns();
// Reset memory, as structure is re-used (ringbuffer)
@@ -22,7 +24,8 @@ static __always_inline int _handle_enter_open(struct trace_event_raw_sys_enter *
}
static __always_inline int _handle_exit_open(struct trace_event_raw_sys_exit *ctx, __u32 op_id) {
- if (filter())
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
return 0;
struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
@@ -30,7 +33,8 @@ static __always_inline int _handle_exit_open(struct trace_event_raw_sys_exit *ct
return 0;
ev->op_id = op_id;
- ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->pid = pid;
+ ev->tid = tid;
ev->time = bpf_ktime_get_ns();
ev->fd = ctx->ret;
diff --git a/internal/c/tracepoints/write.c b/internal/c/tracepoints/write.c
index 262cb48..7caff5d 100644
--- a/internal/c/tracepoints/write.c
+++ b/internal/c/tracepoints/write.c
@@ -2,7 +2,8 @@
SEC("tracepoint/syscalls/sys_enter_write")
int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
return 0;
struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
@@ -10,7 +11,8 @@ int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
return 0;
ev->op_id = WRITE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->pid = pid;
+ ev->tid = tid;
ev->time = bpf_ktime_get_ns();
ev->fd = (int)ctx->args[0];
@@ -20,7 +22,8 @@ int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
SEC("tracepoint/syscalls/sys_exit_write")
int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
return 0;
struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
@@ -28,7 +31,8 @@ int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
return 0;
ev->op_id = WRITE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->pid = pid;
+ ev->tid = tid;
ev->time = bpf_ktime_get_ns();
bpf_ringbuf_submit(ev, 0);
diff --git a/internal/c/types.h b/internal/c/types.h
index e1d5e29..509610e 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -18,26 +18,24 @@
struct null_event {
__u32 op_id;
- __u32 pid_tgid;
+ __u32 pid;
+ __u32 tid;
__u64 time;
};
struct fd_event {
__u32 op_id;
- __u32 pid_tgid;
+ __u32 pid;
+ __u32 tid;
__u64 time;
__s32 fd;
};
struct open_enter_event {
__u32 op_id;
- __u32 pid_tgid;
+ __u32 pid;
+ __u32 tid;
__u64 time;
char filename[MAX_FILENAME_LENGTH];
char comm[MAX_PROGNAME_LENGTH];
};
-
-struct flags {
- __u32 uid_filter;
-};
-
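Review bot: The new `__u32 pid; __u32 tid;` pair changes the field offsets that the Go decoders in internal/generated/types/types.go rely on, and the agreement is now implicit: `time` is `__u64`, so after three 4-byte fields the compiler inserts four padding bytes before it in all three structs, and the Go struct declarations must arrive at the same layout independently. Add a comment on each struct, e.g. `/* layout is mirrored by Go in internal/generated/types/types.go; padding precedes time */`, or better a `_Static_assert` on the size of each event struct (with the expected value derived from the target ABI) so that a future field change fails at BPF build time instead of silently misdecoding in userspace. The padding bytes are not written by any handler shown in this commit, so whatever the reused ringbuf slot previously held is delivered to userspace in them; the open.c hunk carries a comment about resetting its reused structure, but close.c and write.c show no equivalent, and this is worth making uniform.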
diff --git a/internal/eventloop.go b/internal/eventloop.go
index 26d7a17..d5ac4a9 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -22,13 +22,13 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
fallthrough
case OPEN_ENTER_OP_ID:
ev := NewOpenEnterEvent(raw)
- enterOpen[ev.PidTgid] = ev
+ enterOpen[ev.Pid] = ev
case OPENAT_EXIT_OP_ID:
fallthrough
case OPEN_EXIT_OP_ID:
ev := NewFdEvent(raw)
- enterEv, ok := enterOpen[ev.PidTgid]
+ enterEv, ok := enterOpen[ev.Pid]
if !ok {
fmt.Println("Dropping", ev)
ev.Recycle()
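Review bot: Keying the map by the thread-group id at `enterOpen[ev.Pid] = ev` loses the per-thread pairing the old key effectively provided, because the previous `__u32 pid_tgid` field truncated `bpf_get_current_pid_tgid()` to its low 32 bits, which the new filter.c itself decomposes as the tid. In a multithreaded traced process, two threads calling open() concurrently now overwrite each other's enter event, the exit is matched against the wrong enter, the printed duration is wrong, and the overwritten enter event is never recycled to its pool. The enter and exit of one syscall always happen on the same thread, so the tid (or a pid/tid pair) is the right key: `enterOpen[ev.Tid] = ev`, `enterEv, ok := enterOpen[ev.Tid]`, `delete(enterOpen, ev.Tid)`. The same applies to `enterFd[ev.Pid]` and its lookup and delete in the later hunks of this file. eventLoop begins before and ends after these hunks, so the map declarations and their key type are not visible here.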
@@ -37,7 +37,7 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
duration := float64(ev.Time-enterEv.Time) / float64(1_000_000)
fmt.Println(duration, "ms", enterEv, ev)
- delete(enterOpen, ev.PidTgid)
+ delete(enterOpen, ev.Pid)
ev.Recycle()
enterEv.Recycle()
@@ -47,7 +47,7 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
fallthrough
case WRITEV_ENTER_OP_ID:
ev := NewFdEvent(raw)
- enterFd[ev.PidTgid] = ev
+ enterFd[ev.Pid] = ev
case CLOSE_EXIT_OP_ID:
fallthrough
@@ -55,7 +55,7 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
fallthrough
case WRITEV_EXIT_OP_ID:
ev := NewNullEvent(raw)
- enterEv, ok := enterFd[ev.PidTgid]
+ enterEv, ok := enterFd[ev.Pid]
if !ok {
fmt.Println("Dropping", ev)
ev.Recycle()
@@ -64,7 +64,7 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
duration := float64(ev.Time-enterEv.Time) / float64(1_000_000)
fmt.Println(duration, "ms", enterEv, ev)
- delete(enterFd, ev.PidTgid)
+ delete(enterFd, ev.Pid)
ev.Recycle()
enterEv.Recycle()
diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go
index 1e51ebe..329e07a 100644
--- a/internal/generated/types/types.go
+++ b/internal/generated/types/types.go
@@ -51,13 +51,14 @@ const WRITEV_ENTER_OP_ID OpId = 9
const WRITEV_EXIT_OP_ID OpId = 10
type NullEvent struct {
- OpId OpId
- PidTgid uint32
- Time uint64
+ OpId OpId
+ Pid uint32
+ Tid uint32
+ Time uint64
}
func (n NullEvent) String() string {
- return fmt.Sprintf("OpId:%v PidTgid:%v Time:%v", n.OpId, n.PidTgid, n.Time)
+ return fmt.Sprintf("OpId:%v Pid:%v Tid:%v Time:%v", n.OpId, n.Pid, n.Tid, n.Time)
}
var poolOfNullEvents = sync.Pool{
@@ -78,14 +79,15 @@ func (n *NullEvent) Recycle() {
}
type FdEvent struct {
- OpId OpId
- PidTgid uint32
- Time uint64
- Fd int32
+ OpId OpId
+ Pid uint32
+ Tid uint32
+ Time uint64
+ Fd int32
}
func (f FdEvent) String() string {
- return fmt.Sprintf("OpId:%v PidTgid:%v Time:%v Fd:%v", f.OpId, f.PidTgid, f.Time, f.Fd)
+ return fmt.Sprintf("OpId:%v Pid:%v Tid:%v Time:%v Fd:%v", f.OpId, f.Pid, f.Tid, f.Time, f.Fd)
}
var poolOfFdEvents = sync.Pool{
@@ -107,14 +109,15 @@ func (f *FdEvent) Recycle() {
type OpenEnterEvent struct {
OpId OpId
- PidTgid uint32
+ Pid uint32
+ Tid uint32
Time uint64
Filename [MAX_FILENAME_LENGTH]byte
Comm [MAX_PROGNAME_LENGTH]byte
}
func (o OpenEnterEvent) String() string {
- return fmt.Sprintf("OpId:%v PidTgid:%v Time:%v Filename:%v Comm:%v", o.OpId, o.PidTgid, o.Time, string(o.Filename[:]), string(o.Comm[:]))
+ return fmt.Sprintf("OpId:%v Pid:%v Tid:%v Time:%v Filename:%v Comm:%v", o.OpId, o.Pid, o.Tid, o.Time, string(o.Filename[:]), string(o.Comm[:]))
}
var poolOfOpenEnterEvents = sync.Pool{
@@ -133,11 +136,3 @@ func NewOpenEnterEvent(raw []byte) *OpenEnterEvent {
func (o *OpenEnterEvent) Recycle() {
poolOfOpenEnterEvents.Put(o)
}
-
-type Flags struct {
- UidFilter uint32
-}
-
-func (f Flags) String() string {
- return fmt.Sprintf("UidFilter:%v", f.UidFilter)
-}