-rw-r--r--internal/c/generated_tracepoints.c30
-rw-r--r--internal/c/generated_tracepoints_result.txt12
-rw-r--r--internal/generate/classify.go18
-rw-r--r--internal/generate/classify_test.go32
-rw-r--r--internal/generate/codegen_test.go6
-rw-r--r--internal/generate/kindregistry.go2
-rw-r--r--internal/tracepoints/dimension_selector_test.go15
-rw-r--r--internal/tracepoints/generated_tracepoints.go6
8 files changed, 93 insertions, 28 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 9f2f283..78f29c7 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -13339,7 +13339,7 @@ int handle_sys_exit_bpf(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_seccomp is a struct null_event (kind=null)
+/// sys_enter_seccomp is a struct null_event (kind=seccomp)
SEC("tracepoint/syscalls/sys_enter_seccomp")
int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -13363,7 +13363,7 @@ int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx) {
return 0;
}
-/// sys_exit_seccomp is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_seccomp is a struct null_event (kind=seccomp)
SEC("tracepoint/syscalls/sys_exit_seccomp")
int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
@@ -13373,17 +13373,15 @@ int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) {
if (!ior_on_syscall_exit(tid, SYS_EXIT_SECCOMP, ctx->ret))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_NULL_EVENT;
ev->trace_id = SYS_EXIT_SECCOMP;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -14863,7 +14861,7 @@ int handle_sys_exit_kcmp(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_delete_module is a struct null_event (kind=null)
+/// sys_enter_delete_module is a struct null_event (kind=module)
SEC("tracepoint/syscalls/sys_enter_delete_module")
int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -14887,7 +14885,7 @@ int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx) {
return 0;
}
-/// sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_delete_module is a struct null_event (kind=module)
SEC("tracepoint/syscalls/sys_exit_delete_module")
int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
@@ -14897,23 +14895,21 @@ int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx) {
if (!ior_on_syscall_exit(tid, SYS_EXIT_DELETE_MODULE, ctx->ret))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_NULL_EVENT;
ev->trace_id = SYS_EXIT_DELETE_MODULE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
}
-/// sys_enter_init_module is a struct null_event (kind=null)
+/// sys_enter_init_module is a struct null_event (kind=module)
SEC("tracepoint/syscalls/sys_enter_init_module")
int handle_sys_enter_init_module(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -14937,7 +14933,7 @@ int handle_sys_enter_init_module(struct syscall_trace_enter *ctx) {
return 0;
}
-/// sys_exit_init_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
+/// sys_exit_init_module is a struct null_event (kind=module)
SEC("tracepoint/syscalls/sys_exit_init_module")
int handle_sys_exit_init_module(struct syscall_trace_exit *ctx) {
__u32 pid, tid;
@@ -14947,17 +14943,15 @@ int handle_sys_exit_init_module(struct syscall_trace_exit *ctx) {
if (!ior_on_syscall_exit(tid, SYS_EXIT_INIT_MODULE, ctx->ret))
return 0;
- struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
if (!ev)
return 0;
- ev->event_type = EXIT_RET_EVENT;
+ ev->event_type = EXIT_NULL_EVENT;
ev->trace_id = SYS_EXIT_INIT_MODULE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
- ev->ret = ctx->ret;
- ev->ret_type = UNCLASSIFIED;
bpf_ringbuf_submit(ev, 0);
return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index ed07ec6..43b33d5 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -28,7 +28,7 @@ sys_enter_close_range is a struct fd_event (kind=fd)
sys_enter_connect is a struct fd_event (kind=fd)
sys_enter_copy_file_range is a struct fd_event (kind=fd)
sys_enter_creat is a struct path_event (kind=pathname)
-sys_enter_delete_module is a struct null_event (kind=null)
+sys_enter_delete_module is a struct null_event (kind=module)
sys_enter_dup is a struct fd_event (kind=fd)
sys_enter_dup2 is a struct fd_event (kind=fd)
sys_enter_dup3 is a struct dup3_event (kind=dup3)
@@ -110,7 +110,7 @@ sys_enter_gettimeofday is a struct null_event (kind=null)
sys_enter_getuid is a struct null_event (kind=null)
sys_enter_getxattr is a struct path_event (kind=pathname)
sys_enter_getxattrat is a struct path_event (kind=pathname)
-sys_enter_init_module is a struct null_event (kind=null)
+sys_enter_init_module is a struct null_event (kind=module)
sys_enter_inotify_add_watch is a struct fd_event (kind=fd)
sys_enter_inotify_init is a struct eventfd_event (kind=eventfd)
sys_enter_inotify_init1 is a struct eventfd_event (kind=eventfd)
@@ -273,7 +273,7 @@ sys_enter_sched_setattr is a struct null_event (kind=null)
sys_enter_sched_setparam is a struct null_event (kind=null)
sys_enter_sched_setscheduler is a struct null_event (kind=null)
sys_enter_sched_yield is a struct null_event (kind=null)
-sys_enter_seccomp is a struct null_event (kind=null)
+sys_enter_seccomp is a struct null_event (kind=seccomp)
sys_enter_select is a struct poll_event (kind=poll)
sys_enter_semctl is a struct null_event (kind=null)
sys_enter_semget is a struct null_event (kind=null)
@@ -395,7 +395,7 @@ sys_exit_close_range is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_connect is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) (kind=ret)
sys_exit_creat is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_delete_module is a struct null_event (kind=module)
sys_exit_dup is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) (kind=ret)
@@ -477,7 +477,7 @@ sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_getuid is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret)
sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_init_module is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_init_module is a struct null_event (kind=module)
sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_inotify_init is a struct eventfd_event (kind=eventfd)
sys_exit_inotify_init1 is a struct eventfd_event (kind=eventfd)
@@ -640,7 +640,7 @@ sys_exit_sched_setattr is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_sched_setparam is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_sched_setscheduler is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_sched_yield is a struct ret_event (UNCLASSIFIED) (kind=ret)
-sys_exit_seccomp is a struct ret_event (UNCLASSIFIED) (kind=ret)
+sys_exit_seccomp is a struct null_event (kind=seccomp)
sys_exit_select is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_semctl is a struct ret_event (UNCLASSIFIED) (kind=ret)
sys_exit_semget is a struct ret_event (UNCLASSIFIED) (kind=ret)
diff --git a/internal/generate/classify.go b/internal/generate/classify.go
index 0bfac0c..fdffdeb 100644
--- a/internal/generate/classify.go
+++ b/internal/generate/classify.go
@@ -31,6 +31,8 @@ const (
KindKeyctl
KindPtrace
KindPerfOpen
+ KindSeccomp
+ KindModule
)
func (k TracepointKind) MetadataName() string {
@@ -85,6 +87,10 @@ func (k TracepointKind) MetadataName() string {
return "ptrace"
case KindPerfOpen:
return "perf-open"
+ case KindSeccomp:
+ return "seccomp"
+ case KindModule:
+ return "module"
default:
return "none"
}
@@ -314,6 +320,18 @@ func classifyNameOnly(name string) (ClassificationResult, bool) {
return ClassificationResult{Kind: KindPtrace}, true
case "sys_enter_perf_event_open":
return ClassificationResult{Kind: KindPerfOpen}, true
+ case "sys_enter_seccomp":
+ return ClassificationResult{Kind: KindSeccomp}, true
+ case "sys_exit_seccomp":
+ return ClassificationResult{Kind: KindSeccomp}, true
+ case "sys_enter_init_module":
+ return ClassificationResult{Kind: KindModule}, true
+ case "sys_exit_init_module":
+ return ClassificationResult{Kind: KindModule}, true
+ case "sys_enter_delete_module":
+ return ClassificationResult{Kind: KindModule}, true
+ case "sys_exit_delete_module":
+ return ClassificationResult{Kind: KindModule}, true
case "sys_enter_pidfd_send_signal":
return ClassificationResult{Kind: KindFd}, true
case "sys_enter_kexec_file_load":
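Review bot: The three `sys_exit_*` cases added here take the exit tracepoints of seccomp, init_module and delete_module off `ret_event`, and the regenerated handlers in internal/c/generated_tracepoints.c in this commit drop `ev->ret = ctx->ret;`, so the emitted exit record no longer says whether the call succeeded. For these syscalls that is the field a monitoring consumer needs most: a refused module load and a successful one now produce the same `EXIT_NULL_EVENT`. `ctx->ret` is still handed to `ior_on_syscall_exit`, so the value may be retained elsewhere, but nothing visible here shows it reaching the ring buffer. If the pair test does not need the exit side to share the kind, keeping only the `sys_enter_*` cases would leave exit as a `ret_event`; otherwise these kinds want a struct that carries `ret`. classifyNameOnly starts and ends outside this hunk.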
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 590b0bb..85a7863 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -721,6 +721,35 @@ func TestClassifyI7NameOnlyKinds(t *testing.T) {
}
}
+func TestClassify67NameOnlyKinds(t *testing.T) {
+ tests := []struct {
+ name string
+ want TracepointKind
+ }{
+ {"sys_enter_seccomp", KindSeccomp},
+ {"sys_exit_seccomp", KindSeccomp},
+ {"sys_enter_init_module", KindModule},
+ {"sys_exit_init_module", KindModule},
+ {"sys_enter_delete_module", KindModule},
+ {"sys_exit_delete_module", KindModule},
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: tt.name,
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "arg0"},
+ },
+ })
+ if r.Kind != tt.want {
+ t.Fatalf("%s: got kind %d, want %d", tt.name, r.Kind, tt.want)
+ }
+ })
+ }
+}
+
func TestClassifyMount(t *testing.T) {
r := classifyFromData(t, FormatMount)
if r.Kind != KindPathname {
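Review bot: The failure message in TestClassify67NameOnlyKinds prints kinds with `%d`, which gives bare iota values that a reader has to count out of the const block and that change meaning if a constant is ever inserted mid-block. `t.Fatalf("got kind %q, want %q", r.Kind.MetadataName(), tt.want.MetadataName())` reads directly and drops the `tt.name` argument, which `t.Run` already reports. The `67` in the test name is also opaque; a one-line comment saying what it refers to would help.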
@@ -919,6 +948,9 @@ func TestClassifySyscallPairAccepted(t *testing.T) {
{"request_key", syntheticEnter("request_key", 9204), syntheticExit("request_key", 9203), KindKeyctl},
{"ptrace", syntheticEnter("ptrace", 9206), syntheticExit("ptrace", 9205), KindPtrace},
{"perf_event_open", syntheticEnter("perf_event_open", 9208), syntheticExit("perf_event_open", 9207), KindPerfOpen},
+ {"seccomp", syntheticEnter("seccomp", 9368), syntheticExit("seccomp", 9367), KindSeccomp},
+ {"init_module", syntheticEnter("init_module", 9370), syntheticExit("init_module", 9369), KindModule},
+ {"delete_module", syntheticEnter("delete_module", 9372), syntheticExit("delete_module", 9371), KindModule},
{"mount", FormatMount, FormatExitMount, KindPathname},
{"umount", FormatUmount, FormatExitUmount, KindPathname},
{"move_mount", FormatMoveMount, FormatExitMoveMount, KindTwoFd},
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index 4faed24..2b9f9e2 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -582,6 +582,8 @@ func TestGenerateAllEventTypes(t *testing.T) {
{KindKeyctl, "ENTER_KEYCTL_EVENT", "EXIT_KEYCTL_EVENT"},
{KindPtrace, "ENTER_PTRACE_EVENT", "EXIT_PTRACE_EVENT"},
{KindPerfOpen, "ENTER_PERF_OPEN_EVENT", "EXIT_PERF_OPEN_EVENT"},
+ {KindSeccomp, "ENTER_NULL_EVENT", "EXIT_NULL_EVENT"},
+ {KindModule, "ENTER_NULL_EVENT", "EXIT_NULL_EVENT"},
}
for _, tt := range tests {
@@ -624,6 +626,8 @@ func TestEventStructNames(t *testing.T) {
{KindKeyctl, "keyctl_event"},
{KindPtrace, "ptrace_event"},
{KindPerfOpen, "perf_open_event"},
+ {KindSeccomp, "null_event"},
+ {KindModule, "null_event"},
}
for _, tt := range tests {
@@ -642,7 +646,7 @@ func TestEnterReject(t *testing.T) {
t.Error("KindNone should be enter-rejected")
}
- accepted := []TracepointKind{KindFd, KindOpen, KindMqOpen, KindExec, KindPathname, KindName, KindFcntl, KindNull, KindDup3, KindOpenByHandleAt, KindSocket, KindSocketpair, KindAccept, KindPipe, KindEventfd, KindPidfd, KindEpollCtl, KindTwoFd, KindPoll, KindMem, KindSleep, KindKeyctl, KindPtrace, KindPerfOpen}
+ accepted := []TracepointKind{KindFd, KindOpen, KindMqOpen, KindExec, KindPathname, KindName, KindFcntl, KindNull, KindDup3, KindOpenByHandleAt, KindSocket, KindSocketpair, KindAccept, KindPipe, KindEventfd, KindPidfd, KindEpollCtl, KindTwoFd, KindPoll, KindMem, KindSleep, KindKeyctl, KindPtrace, KindPerfOpen, KindSeccomp, KindModule}
for _, k := range accepted {
if isEnterRejected(k) {
t.Errorf("kind %d should NOT be enter-rejected", k)
diff --git a/internal/generate/kindregistry.go b/internal/generate/kindregistry.go
index 9387e19..0ce4d2b 100644
--- a/internal/generate/kindregistry.go
+++ b/internal/generate/kindregistry.go
@@ -41,6 +41,8 @@ var kindRegistry = map[TracepointKind]kindMeta{
KindKeyctl: {structName: "keyctl_event", enterAccepted: true},
KindPtrace: {structName: "ptrace_event", enterAccepted: true},
KindPerfOpen: {structName: "perf_open_event", enterAccepted: true},
+ KindSeccomp: {structName: "null_event", enterAccepted: true},
+ KindModule: {structName: "null_event", enterAccepted: true},
// KindNone is intentionally absent: it represents "unclassified" and is
// never enter-accepted. lookupKind returns the zero kindMeta (enterAccepted=false)
// for any unregistered kind, so KindNone is implicitly rejected.
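Review bot: Both new entries reuse `null_event`, so as far as the generated handlers in this commit show, the seccomp and module kinds capture no syscall arguments and differ from `KindNull` only in the label used for selection. That is worth stating next to the entries, since the neighbouring kinds each name a struct of their own. A comment such as `// seccomp/module: payload-free; the kind is a selector label only, no operation or flags are captured` would stop a reader from assuming the event records which seccomp operation was requested or which module was affected.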
diff --git a/internal/tracepoints/dimension_selector_test.go b/internal/tracepoints/dimension_selector_test.go
index 388ec12..2ca65c6 100644
--- a/internal/tracepoints/dimension_selector_test.go
+++ b/internal/tracepoints/dimension_selector_test.go
@@ -93,6 +93,21 @@ func TestParseSelectorWithDimensionsMemKindIncludesMlock(t *testing.T) {
}
}
+func TestParseSelectorWithDimensionsSeccompKindOnly(t *testing.T) {
+ sel, err := ParseSelectorWithDimensions("", "", DimensionSelectorConfig{
+ TraceKinds: "seccomp",
+ })
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if !sel.ShouldAttach("sys_enter_seccomp") {
+ t.Fatal("expected seccomp to be attached for seccomp kind")
+ }
+ if sel.ShouldAttach("sys_enter_openat") {
+ t.Fatal("expected openat to be excluded when only seccomp kind is enabled")
+ }
+}
+
func TestParseSelectorWithDimensionsSyscallOnly(t *testing.T) {
sel, err := ParseSelectorWithDimensions("", "", DimensionSelectorConfig{
TraceSyscalls: "openat",
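Review bot: Only the `seccomp` kind gets a selector test; nothing here exercises `TraceKinds: "module"`. A sibling test should assert `sel.ShouldAttach("sys_enter_init_module")` and `sel.ShouldAttach("sys_enter_delete_module")`, and state explicitly what is expected for `sys_enter_finit_module`. That tracepoint is not among the name-only cases added to classify.go in this commit, so if it is still classified by its fd argument, a module-only selection would leave fd-based module loads unattached.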
diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go
index b4fb1b0..a144a08 100644
--- a/internal/tracepoints/generated_tracepoints.go
+++ b/internal/tracepoints/generated_tracepoints.go
@@ -1139,7 +1139,7 @@ var syscallKinds = map[string]string{
"connect": "fd",
"copy_file_range": "fd",
"creat": "pathname",
- "delete_module": "null",
+ "delete_module": "module",
"dup": "fd",
"dup2": "fd",
"dup3": "dup3",
@@ -1221,7 +1221,7 @@ var syscallKinds = map[string]string{
"getuid": "null",
"getxattr": "pathname",
"getxattrat": "pathname",
- "init_module": "null",
+ "init_module": "module",
"inotify_add_watch": "fd",
"inotify_init": "eventfd",
"inotify_init1": "eventfd",
@@ -1384,7 +1384,7 @@ var syscallKinds = map[string]string{
"sched_setparam": "null",
"sched_setscheduler": "null",
"sched_yield": "null",
- "seccomp": "null",
+ "seccomp": "seccomp",
"select": "poll",
"semctl": "null",
"semget": "null",