diff options
| author | Paul Buetow <paul@buetow.org> | 2026-06-03 07:46:40 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-06-03 07:46:40 +0300 |
| commit | 96de9ef687b027b46478ab064e2b8106c9a07498 (patch) | |
| tree | 9c0e356f5088b06723fe5e2cac128630656aedf8 /internal | |
| parent | bf433c995a6991607a8583bb613a404ce9bb1d6d (diff) | |
fix(classify): assign file_getattr to FamilyFS, not Misc
file_getattr(2) (Linux 6.13+) retrieves a file's extended attributes
(struct file_attr) given a dirfd + pathname + attr buffer + size +
at_flags. It is a path-based filesystem operation, the counterpart of
statx and the FS_IOC_FSGETXATTR ioctl, so it belongs in FamilyFS.
It was falling through to FamilyMisc because the fsNameMarkers substring
list keys on "stat"/"xattr"/"chmod"/"chown" — "getattr" matches none of
them — and the syscall is absent from the fsSyscalls set, the same
Misc-fall-through defect previously fixed for alarm/fanotify_init/
fanotify_mark. Add an explicit "file_getattr": FamilyFS entry to the
syscallFamilies map, regenerate the Go tracepoint map, and update the
docs/syscall-tracing-plan.md family listing to match.
KIND stays KindPathname (pathname@args[1], data-driven from the live
tracepoint) and the return is 0/-1, hence UNCLASSIFIED (not a byte
count) — both already correct, only the family was wrong.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/generate/family.go | 14 | ||||
| -rw-r--r-- | internal/tracepoints/generated_tracepoints.go | 2 |
2 files changed, 15 insertions, 1 deletions
diff --git a/internal/generate/family.go b/internal/generate/family.go index 8f4752c..6a63dbb 100644 --- a/internal/generate/family.go +++ b/internal/generate/family.go @@ -245,6 +245,20 @@ var syscallFamilies = map[string]SyscallFamily{ "lsm_set_self_attr": FamilySecurity, "perf_event_open": FamilySecurity, "ptrace": FamilySecurity, "request_key": FamilySecurity, "seccomp": FamilySecurity, + + // file_getattr(2) (Linux 6.13+) is the path-based counterpart of statx + // and the FS_IOC_FSGETXATTR ioctl: it retrieves a file's extended + // attributes (struct file_attr) given dirfd@args[0] + pathname@args[1] + // + attr-buffer + size + at_flags. It is squarely a filesystem + // operation and belongs in FamilyFS alongside its statx/getxattr + // siblings. It must be listed explicitly because the fsNameMarkers list + // keys on "stat"/"xattr"/"chmod"/"chown" substrings — "getattr" matches + // none of them — and it is absent from the fsSyscalls set, so without + // this entry it would fall through to FamilyMisc (the same + // alarm/fanotify-style misclassification). KIND is data-driven from the + // live tracepoint (pathname@args[1] -> KindPathname) and the return is + // 0/-1, hence UNCLASSIFIED (not a byte count). + "file_getattr": FamilyFS, } // ClassifySyscallFamily returns the high-level syscall family for a tracepoint. diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go index 6b5ef6e..85fde5d 100644 --- a/internal/tracepoints/generated_tracepoints.go +++ b/internal/tracepoints/generated_tracepoints.go @@ -797,7 +797,7 @@ var syscallFamilies = map[string]string{ "fcntl": "FS", "fdatasync": "FS", "fgetxattr": "FS", - "file_getattr": "Misc", + "file_getattr": "FS", "file_setattr": "Misc", "finit_module": "Security", "flistxattr": "FS", |