authorPaul Buetow <paul@buetow.org>2024-02-27 20:39:16 +0200
committerPaul Buetow <paul@buetow.org>2024-02-28 00:15:12 +0200
commitd44c509284eaf0db2b1f7d14ede3687ff06c4853 (patch)
treef675f3f1578dbf8a3342fdb67f79ac3b216ed5dd /internal
parent139d2dca45306071a30562a94b69ac20ada515c8 (diff)
introduce event type for better deserializing
Diffstat (limited to 'internal')
-rw-r--r--internal/c/generated/tracepoints.c52
-rw-r--r--internal/c/generated/tracepoints.raku2
-rw-r--r--internal/c/tracepoints/open.c2
-rw-r--r--internal/c/types.h31
-rw-r--r--internal/eventloop.go102
-rw-r--r--internal/generated/nqc.raku2
-rw-r--r--internal/generated/types/types.go79
7 files changed, 151 insertions, 119 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c
index eb0ccd2..e7e8317 100644
--- a/internal/c/generated/tracepoints.c
+++ b/internal/c/generated/tracepoints.c
@@ -63,6 +63,7 @@ int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_CACHESTAT;
ev->pid = pid;
ev->tid = tid;
@@ -83,6 +84,7 @@ int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_CACHESTAT;
ev->pid = pid;
ev->tid = tid;
@@ -103,6 +105,7 @@ int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_CLOSE_RANGE;
ev->pid = pid;
ev->tid = tid;
@@ -123,6 +126,7 @@ int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_CLOSE_RANGE;
ev->pid = pid;
ev->tid = tid;
@@ -143,6 +147,7 @@ int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_CLOSE;
ev->pid = pid;
ev->tid = tid;
@@ -163,6 +168,7 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_CLOSE;
ev->pid = pid;
ev->tid = tid;
@@ -183,6 +189,7 @@ int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FCHOWN;
ev->pid = pid;
ev->tid = tid;
@@ -203,6 +210,7 @@ int handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FCHOWN;
ev->pid = pid;
ev->tid = tid;
@@ -223,6 +231,7 @@ int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FCHMOD;
ev->pid = pid;
ev->tid = tid;
@@ -243,6 +252,7 @@ int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FCHMOD;
ev->pid = pid;
ev->tid = tid;
@@ -263,6 +273,7 @@ int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FCHDIR;
ev->pid = pid;
ev->tid = tid;
@@ -283,6 +294,7 @@ int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FCHDIR;
ev->pid = pid;
ev->tid = tid;
@@ -303,6 +315,7 @@ int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FTRUNCATE;
ev->pid = pid;
ev->tid = tid;
@@ -323,6 +336,7 @@ int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FTRUNCATE;
ev->pid = pid;
ev->tid = tid;
@@ -343,6 +357,7 @@ int handle_sys_exit_copy_file_range(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_COPY_FILE_RANGE;
ev->pid = pid;
ev->tid = tid;
@@ -363,6 +378,7 @@ int handle_sys_enter_copy_file_range(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_COPY_FILE_RANGE;
ev->pid = pid;
ev->tid = tid;
@@ -383,6 +399,7 @@ int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_PWRITE64;
ev->pid = pid;
ev->tid = tid;
@@ -403,6 +420,7 @@ int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_PWRITE64;
ev->pid = pid;
ev->tid = tid;
@@ -423,6 +441,7 @@ int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_PREAD64;
ev->pid = pid;
ev->tid = tid;
@@ -443,6 +462,7 @@ int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_PREAD64;
ev->pid = pid;
ev->tid = tid;
@@ -463,6 +483,7 @@ int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_WRITE;
ev->pid = pid;
ev->tid = tid;
@@ -483,6 +504,7 @@ int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_WRITE;
ev->pid = pid;
ev->tid = tid;
@@ -503,6 +525,7 @@ int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_READ;
ev->pid = pid;
ev->tid = tid;
@@ -523,6 +546,7 @@ int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_READ;
ev->pid = pid;
ev->tid = tid;
@@ -543,6 +567,7 @@ int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_LSEEK;
ev->pid = pid;
ev->tid = tid;
@@ -563,6 +588,7 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_LSEEK;
ev->pid = pid;
ev->tid = tid;
@@ -583,6 +609,7 @@ int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_NEWFSTAT;
ev->pid = pid;
ev->tid = tid;
@@ -603,6 +630,7 @@ int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_NEWFSTAT;
ev->pid = pid;
ev->tid = tid;
@@ -623,6 +651,7 @@ int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FCNTL;
ev->pid = pid;
ev->tid = tid;
@@ -643,6 +672,7 @@ int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FCNTL;
ev->pid = pid;
ev->tid = tid;
@@ -663,6 +693,7 @@ int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_IOCTL;
ev->pid = pid;
ev->tid = tid;
@@ -683,6 +714,7 @@ int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_IOCTL;
ev->pid = pid;
ev->tid = tid;
@@ -703,6 +735,7 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_GETDENTS64;
ev->pid = pid;
ev->tid = tid;
@@ -723,6 +756,7 @@ int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_GETDENTS64;
ev->pid = pid;
ev->tid = tid;
@@ -743,6 +777,7 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_GETDENTS;
ev->pid = pid;
ev->tid = tid;
@@ -763,6 +798,7 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_GETDENTS;
ev->pid = pid;
ev->tid = tid;
@@ -783,6 +819,7 @@ int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_SYNC_FILE_RANGE;
ev->pid = pid;
ev->tid = tid;
@@ -803,6 +840,7 @@ int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_SYNC_FILE_RANGE;
ev->pid = pid;
ev->tid = tid;
@@ -823,6 +861,7 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FDATASYNC;
ev->pid = pid;
ev->tid = tid;
@@ -843,6 +882,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FDATASYNC;
ev->pid = pid;
ev->tid = tid;
@@ -863,6 +903,7 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FSYNC;
ev->pid = pid;
ev->tid = tid;
@@ -883,6 +924,7 @@ int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FSYNC;
ev->pid = pid;
ev->tid = tid;
@@ -903,6 +945,7 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FSTATFS;
ev->pid = pid;
ev->tid = tid;
@@ -923,6 +966,7 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FSTATFS;
ev->pid = pid;
ev->tid = tid;
@@ -943,6 +987,7 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_FLOCK;
ev->pid = pid;
ev->tid = tid;
@@ -963,6 +1008,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_FLOCK;
ev->pid = pid;
ev->tid = tid;
@@ -983,6 +1029,7 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_QUOTACTL_FD;
ev->pid = pid;
ev->tid = tid;
@@ -1003,6 +1050,7 @@ int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_QUOTACTL_FD;
ev->pid = pid;
ev->tid = tid;
@@ -1023,6 +1071,7 @@ int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_IO_URING_REGISTER;
ev->pid = pid;
ev->tid = tid;
@@ -1043,6 +1092,7 @@ int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_IO_URING_REGISTER;
ev->pid = pid;
ev->tid = tid;
@@ -1063,6 +1113,7 @@ int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) {
if (!ev)
return 0;
+ ev->event_type = EXIT_RET_EVENT;
ev->syscall_id = SYS_EXIT_IO_URING_ENTER;
ev->pid = pid;
ev->tid = tid;
@@ -1083,6 +1134,7 @@ int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) {
if (!ev)
return 0;
+ ev->event_type = ENTER_FD_EVENT;
ev->syscall_id = SYS_ENTER_IO_URING_ENTER;
ev->pid = pid;
ev->tid = tid;
diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku
index 1de8a0e..4613d54 100644
--- a/internal/c/generated/tracepoints.raku
+++ b/internal/c/generated/tracepoints.raku
@@ -61,7 +61,6 @@ class Format {
!! 'trace_event_raw_sys_exit';
my \event-struct = is-enter ?? 'fd_event'
!! ($!has-long-ret ?? 'ret_event' !! 'null_event');
-
qq:to/END/;
SEC("tracepoint/syscalls/{$!name}")
int handle_{$!name.lc}(struct {ctx-struct} *ctx) \{
@@ -73,6 +72,7 @@ class Format {
if (!ev)
return 0;
+ ev->event_type = {(is-enter ?? 'ENTER_' !! 'EXIT_') ~ event-struct.uc};
ev->syscall_id = {$!name.uc};
ev->pid = pid;
ev->tid = tid;
diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c
index 7582299..4289f1c 100644
--- a/internal/c/tracepoints/open.c
+++ b/internal/c/tracepoints/open.c
@@ -14,6 +14,7 @@ static __always_inline int _handle_sys_enter_open(struct trace_event_raw_sys_ent
if (!ev)
return 0;
+ ev->event_type = ENTER_OPEN_EVENT;
ev->syscall_id = syscall_id;
ev->pid = pid;
ev->tid = tid;
@@ -37,6 +38,7 @@ static __always_inline int _handle_sys_exit_open(struct trace_event_raw_sys_exit
if (!ev)
return 0;
+ ev->event_type = EXIT_FD_EVENT;
ev->syscall_id = syscall_id;
ev->pid = pid;
ev->tid = tid;
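Review bot: The added `ev->event_type = EXIT_FD_EVENT;` in `_handle_sys_exit_open` tags open-exit records with the generic fd type, yet this commit also defines `EXIT_OPEN_EVENT` in types.h and gives it its own case in eventloop.go; none of the hunks shown ever assigns that constant. Both cases decode through `NewFdEvent`, so decoding is unaffected, but a later consumer that keys on `EXIT_OPEN_EVENT` would silently miss every open exit. Either assign `ev->event_type = EXIT_OPEN_EVENT;` here, or drop the unused constant and add a comment such as `/* open exit reuses the fd_event layout, hence EXIT_FD_EVENT */`. The function body continues outside the hunk.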
diff --git a/internal/c/types.h b/internal/c/types.h
index db6f318..081883c 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -3,7 +3,27 @@
#define MAX_FILENAME_LENGTH 256
#define MAX_PROGNAME_LENGTH 16
+#define ENTER_OPEN_EVENT 1
+#define EXIT_OPEN_EVENT 2
+#define ENTER_NULL_EVENT 3
+#define EXIT_NULL_EVENT 4
+#define ENTER_FD_EVENT 5
+#define EXIT_FD_EVENT 6
+#define ENTER_RET_EVENT 7
+#define EXIT_RET_EVENT 8
+
+struct open_enter_event {
+ __u32 event_type;
+ __u32 syscall_id;
+ __u32 pid;
+ __u32 tid;
+ __u32 time;
+ char filename[MAX_FILENAME_LENGTH];
+ char comm[MAX_PROGNAME_LENGTH];
+};
+
struct null_event {
+ __u32 event_type;
__u32 syscall_id;
__u32 pid;
__u32 tid;
@@ -11,6 +31,7 @@ struct null_event {
};
struct fd_event {
+ __u32 event_type;
__u32 syscall_id;
__u32 pid;
__u32 tid;
@@ -19,18 +40,10 @@ struct fd_event {
};
struct ret_event {
+ __u32 event_type;
__u32 syscall_id;
__u32 pid;
__u32 tid;
__u32 time;
__u64 ret;
};
-
-struct open_enter_event {
- __u32 syscall_id;
- __u32 pid;
- __u32 tid;
- __u32 time;
- char filename[MAX_FILENAME_LENGTH];
- char comm[MAX_PROGNAME_LENGTH];
-};
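Review bot: Adding `event_type` to `struct ret_event` puts five `__u32` members (20 bytes) ahead of `__u64 ret`, so unless the struct is packed somewhere outside this hunk, the compiler inserts 4 bytes of padding and `ret` moves to offset 24. The Go `RetEvent` is presumably filled by `binary.Read` in the same way as `NewOpenEnterEvent`, and `binary.Read` reads fields back to back with no alignment padding; if `RetEvent` mirrors this member order, its `Ret` would be read from offset 20 and combine the padding with half of the real value. The handler lines shown do not write that padding either, so whatever the reserved ring-buffer slot held before would be passed to user space. Making the gap explicit addresses both, for example `__u32 pad;` before `__u64 ret;` (set to 0 in the handler), or moving `ret` ahead of the 32-bit members.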
diff --git a/internal/eventloop.go b/internal/eventloop.go
index 5fb8c5c..d22ea62 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -31,87 +31,37 @@ func binaryCompare(ev *OpenEnterEvent, raw []byte) {
fmt.Println("raw ", raw)
}
-func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
- enterOpen := make(map[uint32]*OpenEnterEvent)
- enterFd := make(map[uint32]*FdEvent)
+type Event interface {
+ String() string
+ GetTid() uint32
+}
- openFdMap := make(map[int32]openFile)
+func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
+ type Event interface {
+ String() string
+ }
for raw := range ch {
- switch SyscallId(raw[0]) {
- case SYS_ENTER_OPENAT:
- fallthrough
- case SYS_ENTER_OPEN:
- ev := NewOpenEnterEvent(raw)
- enterOpen[ev.Tid] = ev
-
- case SYS_EXIT_OPENAT:
- fallthrough
- case SYS_EXIT_OPEN:
- ev := NewFdEvent(raw)
- enterEv, ok := enterOpen[ev.Tid]
- if !ok {
- ev.Recycle()
- continue
- }
- file := openFile{
- fd: ev.Fd,
- path: string(enterEv.Filename[:]),
- }
- openFdMap[ev.Fd] = file
- duration := ev.Time - enterEv.Time
- fmt.Println(duration, "μs", "closed", file)
-
- delete(enterOpen, ev.Tid)
- ev.Recycle()
- enterEv.Recycle()
-
- case SYS_ENTER_CLOSE:
- fallthrough
- case SYS_ENTER_WRITE:
- ev := NewFdEvent(raw)
- if _, ok := openFdMap[ev.Fd]; !ok {
- // File open not traced (todo: read from procfs?)
- ev.Recycle()
- continue
- }
- enterFd[ev.Tid] = ev
-
- case SYS_EXIT_CLOSE:
- ev := NewNullEvent(raw)
- enterEv, ok := enterFd[ev.Tid]
- if !ok {
- ev.Recycle()
- continue
- }
- duration := ev.Time - enterEv.Time
- file, _ := openFdMap[enterEv.Fd]
- fmt.Println(duration, "μs", "closed", file)
-
- delete(openFdMap, enterEv.Fd)
- delete(enterFd, ev.Tid)
- ev.Recycle()
- enterEv.Recycle()
-
- case SYS_EXIT_WRITE:
- ev := NewRetEvent(raw)
- enterEv, ok := enterFd[ev.Tid]
- if !ok {
- ev.Recycle()
- continue
- }
- duration := ev.Time - enterEv.Time
- if file, ok := openFdMap[enterEv.Fd]; ok {
- fmt.Println(duration, "μs", "retval", ev.Ret, file)
- }
-
- delete(enterFd, ev.Tid)
- ev.Recycle()
- enterEv.Recycle()
-
+ var ev Event
+ switch EventType(raw[0]) {
+ case ENTER_OPEN_EVENT:
+ ev = NewOpenEnterEvent(raw)
+ case EXIT_OPEN_EVENT:
+ ev = NewFdEvent(raw)
+ case ENTER_FD_EVENT:
+ ev = NewFdEvent(raw)
+ case EXIT_FD_EVENT:
+ ev = NewFdEvent(raw)
+ case ENTER_NULL_EVENT:
+ ev = NewNullEvent(raw)
+ case EXIT_NULL_EVENT:
+ ev = NewNullEvent(raw)
+ case EXIT_RET_EVENT:
+ ev = NewRetEvent(raw)
default:
- panic(fmt.Sprintf("UNKNOWN Ringbuf data received len:%d raw:%v", len(raw), raw))
+ panic("Unknown event type")
}
+ fmt.Println(ev)
}
fmt.Println("Good bye")
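Review bot: `EventType(raw[0])` indexes the ring-buffer record without a length check, so an empty record panics with an index error. Any unlisted type, including `ENTER_RET_EVENT`, which types.h defines but this switch omits, stops the whole tracer through `panic("Unknown event type")`, and that message drops the `len(raw)`/`raw` detail the old one carried. For a tool that is meant to keep observing, consider guarding with `if len(raw) < 4 { continue }` and logging then skipping unknown types instead of panicking. Separately, the `Event` interface declared inside `eventLoop` shadows the package-level one added just above it, so the package-level `GetTid()` requirement is never used; one of the two declarations should go. `eventLoop` ends outside this hunk.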
diff --git a/internal/generated/nqc.raku b/internal/generated/nqc.raku
index e237b3f..a975df6 100644
--- a/internal/generated/nqc.raku
+++ b/internal/generated/nqc.raku
@@ -53,6 +53,7 @@ class NQCToGoActions {
method !constant-go-string-method returns Str {
qq:to/END/;
+ type EventType uint32
type SyscallId uint32
func (s SyscallId) String() string \{
@@ -121,6 +122,7 @@ class NQCToGoActions {
method member($/) {
my Str $type = $<identifier>.made eq 'SyscallId' ?? 'SyscallId' !! $<type>.made;
+ $type = 'EventType' if $<identifier>.made eq 'EventType';
make $<identifier>.made ~ ' ' ~ ($<arraysize> // '') ~ $type;
}
diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go
index 9483285..e3f89db 100644
--- a/internal/generated/types/types.go
+++ b/internal/generated/types/types.go
@@ -8,6 +8,7 @@ import (
"sync"
)
+type EventType uint32
type SyscallId uint32
func (s SyscallId) String() string {
@@ -131,8 +132,48 @@ func (s SyscallId) String() string {
const MAX_FILENAME_LENGTH = 256
const MAX_PROGNAME_LENGTH = 16
+const ENTER_OPEN_EVENT = 1
+const EXIT_OPEN_EVENT = 2
+const ENTER_NULL_EVENT = 3
+const EXIT_NULL_EVENT = 4
+const ENTER_FD_EVENT = 5
+const EXIT_FD_EVENT = 6
+const ENTER_RET_EVENT = 7
+const EXIT_RET_EVENT = 8
+
+type OpenEnterEvent struct {
+ EventType EventType
+ SyscallId SyscallId
+ Pid uint32
+ Tid uint32
+ Time uint32
+ Filename [MAX_FILENAME_LENGTH]byte
+ Comm [MAX_PROGNAME_LENGTH]byte
+}
+
+func (o OpenEnterEvent) String() string {
+ return fmt.Sprintf("EventType:%v SyscallId:%v Pid:%v Tid:%v Time:%v Filename:%v Comm:%v", o.EventType, o.SyscallId, o.Pid, o.Tid, o.Time, string(o.Filename[:]), string(o.Comm[:]))
+}
+
+var poolOfOpenEnterEvents = sync.Pool{
+ New: func() interface{} { return &OpenEnterEvent{} },
+}
+
+func NewOpenEnterEvent(raw []byte) *OpenEnterEvent {
+ o := poolOfOpenEnterEvents.Get().(*OpenEnterEvent)
+ if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, o); err != nil {
+ fmt.Println(o, raw, len(raw), err)
+ panic(raw)
+ }
+ return o
+}
+
+func (o *OpenEnterEvent) Recycle() {
+ poolOfOpenEnterEvents.Put(o)
+}
type NullEvent struct {
+ EventType EventType
SyscallId SyscallId
Pid uint32
Tid uint32
@@ -140,7 +181,7 @@ type NullEvent struct {
}
func (n NullEvent) String() string {
- return fmt.Sprintf("SyscallId:%v Pid:%v Tid:%v Time:%v", n.SyscallId, n.Pid, n.Tid, n.Time)
+ return fmt.Sprintf("EventType:%v SyscallId:%v Pid:%v Tid:%v Time:%v", n.EventType, n.SyscallId, n.Pid, n.Tid, n.Time)
}
var poolOfNullEvents = sync.Pool{
@@ -161,6 +202,7 @@ func (n *NullEvent) Recycle() {
}
type FdEvent struct {
+ EventType EventType
SyscallId SyscallId
Pid uint32
Tid uint32
@@ -169,7 +211,7 @@ type FdEvent struct {
}
func (f FdEvent) String() string {
- return fmt.Sprintf("SyscallId:%v Pid:%v Tid:%v Time:%v Fd:%v", f.SyscallId, f.Pid, f.Tid, f.Time, f.Fd)
+ return fmt.Sprintf("EventType:%v SyscallId:%v Pid:%v Tid:%v Time:%v Fd:%v", f.EventType, f.SyscallId, f.Pid, f.Tid, f.Time, f.Fd)
}
var poolOfFdEvents = sync.Pool{
@@ -190,6 +232,7 @@ func (f *FdEvent) Recycle() {
}
type RetEvent struct {
+ EventType EventType
SyscallId SyscallId
Pid uint32
Tid uint32
@@ -198,7 +241,7 @@ type RetEvent struct {
}
func (r RetEvent) String() string {
- return fmt.Sprintf("SyscallId:%v Pid:%v Tid:%v Time:%v Ret:%v", r.SyscallId, r.Pid, r.Tid, r.Time, r.Ret)
+ return fmt.Sprintf("EventType:%v SyscallId:%v Pid:%v Tid:%v Time:%v Ret:%v", r.EventType, r.SyscallId, r.Pid, r.Tid, r.Time, r.Ret)
}
var poolOfRetEvents = sync.Pool{
@@ -218,36 +261,6 @@ func (r *RetEvent) Recycle() {
poolOfRetEvents.Put(r)
}
-type OpenEnterEvent struct {
- SyscallId SyscallId
- Pid uint32
- Tid uint32
- Time uint32
- Filename [MAX_FILENAME_LENGTH]byte
- Comm [MAX_PROGNAME_LENGTH]byte
-}
-
-func (o OpenEnterEvent) String() string {
- return fmt.Sprintf("SyscallId:%v Pid:%v Tid:%v Time:%v Filename:%v Comm:%v", o.SyscallId, o.Pid, o.Tid, o.Time, string(o.Filename[:]), string(o.Comm[:]))
-}
-
-var poolOfOpenEnterEvents = sync.Pool{
- New: func() interface{} { return &OpenEnterEvent{} },
-}
-
-func NewOpenEnterEvent(raw []byte) *OpenEnterEvent {
- o := poolOfOpenEnterEvents.Get().(*OpenEnterEvent)
- if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, o); err != nil {
- fmt.Println(o, raw, len(raw), err)
- panic(raw)
- }
- return o
-}
-
-func (o *OpenEnterEvent) Recycle() {
- poolOfOpenEnterEvents.Put(o)
-}
-
const SYS_EXIT_CACHESTAT SyscallId = 520
const SYS_ENTER_CACHESTAT SyscallId = 521
const SYS_EXIT_CLOSE_RANGE SyscallId = 692