Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 61 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 10 | ||||
| -rw-r--r-- | internal/c/types.h | 44 |
3 files changed, 95 insertions, 20 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index d14f5ef..b7fa686 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -2294,7 +2294,7 @@ int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_add_key is a struct null_event +/// sys_enter_add_key is a struct keyctl_event SEC("tracepoint/syscalls/sys_enter_add_key") int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -2304,15 +2304,18 @@ int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_ADD_KEY)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_KEYCTL_EVENT; ev->trace_id = SYS_ENTER_ADD_KEY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->option = -1; + ev->key_serial = (__s32)ctx->args[4]; + ev->value = (__u64)ctx->args[3]; bpf_ringbuf_submit(ev, 0); return 0; @@ -2344,7 +2347,7 @@ int handle_sys_exit_add_key(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_request_key is a struct null_event +/// sys_enter_request_key is a struct keyctl_event SEC("tracepoint/syscalls/sys_enter_request_key") int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
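Review bot: `ev->option = -1;` in handle_sys_enter_add_key is an unnamed sentinel the userspace decoder has to know by value, and the request_key handler uses -2 the same way; give both a name in types.h, `#define KEYCTL_OPTION_ADD_KEY (-1)` and `#define KEYCTL_OPTION_REQUEST_KEY (-2)`, and use them here so a real keyctl option number (all of which are non-negative, as far as I know) can never be confused with a synthetic one. Leaving the payload pointer in args[2] unread is the right call, since key material must not be copied into the ring buffer, and a one-line comment saying so, `// args[2] is the key payload; deliberately not copied`, stops someone "completing" the event later. With only the keyring id (args[4]) and plen (args[3]) recorded, the key type string in args[0] — the main discriminator between user, logon and asymmetric keys for detection purposes — is lost; if it is needed, a bounded `bpf_probe_read_user_str` into a fixed-size field is the place. The file name suggests generator output, so the same change probably belongs in the generator template rather than only here.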
@@ -2354,15 +2357,18 @@ int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_REQUEST_KEY)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_KEYCTL_EVENT; ev->trace_id = SYS_ENTER_REQUEST_KEY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->option = -2; + ev->key_serial = (__s32)ctx->args[3]; + ev->value = 0; bpf_ringbuf_submit(ev, 0); return 0; @@ -2394,7 +2400,7 @@ int handle_sys_exit_request_key(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_keyctl is a struct null_event +/// sys_enter_keyctl is a struct keyctl_event SEC("tracepoint/syscalls/sys_enter_keyctl") int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -2404,15 +2410,18 @@ int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_KEYCTL)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_KEYCTL_EVENT; ev->trace_id = SYS_ENTER_KEYCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->option = (__s32)ctx->args[0]; + ev->key_serial = (__s32)ctx->args[1]; + ev->value = (__u64)ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; @@ -13050,7 +13059,7 @@ int handle_sys_exit_rseq(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_perf_event_open is a struct null_event +/// sys_enter_perf_event_open is a struct perf_open_event SEC("tracepoint/syscalls/sys_enter_perf_event_open") int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
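Review bot: In handle_sys_enter_keyctl `ev->value = (__u64)ctx->args[2];` stores a field whose meaning depends entirely on args[0] — per keyctl(2), as I recall it, a user buffer pointer for KEYCTL_READ, a payload pointer for KEYCTL_UPDATE/INSTANTIATE, a permission mask for KEYCTL_SETPERM — while the add_key handler puts plen in the same slot and request_key stores 0; the decoder must dispatch on option/trace_id before interpreting it, so say so at the assignment, `// meaning of value depends on option (pointer, mask or length); decoder switches on option`. Do not dereference args[2] here for the payload-carrying options, for the same reason the add_key handler leaves its payload alone. `ev->option = -2;` in handle_sys_enter_request_key is a second unnamed sentinel alongside add_key's -1 and deserves a shared named constant in types.h.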
@@ -13060,15 +13069,34 @@ int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_PERF_EVENT_OPEN)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct perf_open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct perf_open_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_PERF_OPEN_EVENT; ev->trace_id = SYS_ENTER_PERF_EVENT_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->attr_type = 0; + ev->attr_size = 0; + ev->config = 0; + if (ctx->args[0] != 0) { + struct __ior_perf_event_attr { + __u32 type; + __u32 size; + __u64 config; + } attr = {}; + if (bpf_probe_read_user(&attr, sizeof(attr), (void *)ctx->args[0]) == 0) { + ev->attr_type = attr.type; + ev->attr_size = attr.size; + ev->config = attr.config; + } + } + ev->target_pid = (__s32)ctx->args[1]; + ev->cpu = (__s32)ctx->args[2]; + ev->group_fd = (__s32)ctx->args[3]; + ev->flags = (__u32)ctx->args[4]; bpf_ringbuf_submit(ev, 0); return 0; @@ -18373,7 +18401,7 @@ int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_ptrace is a struct null_event +/// sys_enter_ptrace is a struct ptrace_event SEC("tracepoint/syscalls/sys_enter_ptrace") int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
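Review bot: When `bpf_probe_read_user` fails in handle_sys_enter_perf_event_open the event goes out with attr_type/attr_size/config all 0, which is indistinguishable from a genuine attr of type PERF_TYPE_HARDWARE (0), config PERF_COUNT_HW_CPU_CYCLES (0) and the legacy size 0 the kernel accepts; record the failure instead, `} else { ev->attr_size = (__u32)-1; }` (the kernel rejects attr sizes above a page, so that value cannot be real), and the same sentinel when args[0] is NULL, so the consumer can tell "unreadable attr" from "CPU cycles counter". This read also happens before the kernel's own copy_from_user, so a racing thread can rewrite the attr in between (TOCTOU); the recorded type/config are what the caller presented at entry, not necessarily what the kernel acted on — worth a comment above `if (ctx->args[0] != 0) {`, with the exit handler's return value as the only authoritative signal. The local tag `__ior_perf_event_attr` sits in the reserved double-underscore namespace; `ior_perf_event_attr` avoids that.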
@@ -18383,15 +18411,18 @@ int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_PTRACE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct ptrace_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ptrace_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_PTRACE_EVENT; ev->trace_id = SYS_ENTER_PTRACE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->request = (__s64)ctx->args[0]; + ev->target_pid = (__s32)ctx->args[1]; + ev->data = (__u64)ctx->args[3]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 892cb1a..0d516db 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -2,7 +2,7 @@ sys_enter_accept is a struct accept_event sys_enter_accept4 is a struct accept_event sys_enter_access is a struct path_event sys_enter_acct is a struct null_event -sys_enter_add_key is a struct null_event +sys_enter_add_key is a struct keyctl_event sys_enter_adjtimex is a struct null_event sys_enter_alarm is a struct null_event sys_enter_arch_prctl is a struct null_event @@ -132,7 +132,7 @@ sys_enter_ioprio_set is a struct null_event sys_enter_kcmp is a struct null_event sys_enter_kexec_file_load is a struct null_event sys_enter_kexec_load is a struct null_event -sys_enter_keyctl is a struct null_event +sys_enter_keyctl is a struct keyctl_event sys_enter_kill is a struct null_event sys_enter_landlock_add_rule is a struct null_event sys_enter_landlock_create_ruleset is a struct null_event 
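Review bot: handle_sys_enter_ptrace records request, pid and `data` (args[3]) but drops `addr` (args[2]), and for the requests a detector cares most about — PTRACE_POKETEXT/POKEDATA, where addr is where the write lands, and PTRACE_PEEK*, where it is what was read — addr is the half that says what was touched; struct ptrace_event already carries an explicit 4-byte `_pad` before `data`, so appending `__u64 addr;` to the struct and adding `ev->addr = (__u64)ctx->args[2];` here costs 8 bytes and keeps alignment. For PTRACE_TRACEME the pid, addr and data arguments are ignored by the kernel, so the decoder should not treat `target_pid` as a real target for request 0; a short comment on the `ev->target_pid = (__s32)ctx->args[1];` line would save the decoder author a trip to ptrace(2).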
@@ -205,7 +205,7 @@ sys_enter_open_tree_attr is a struct open_event sys_enter_openat is a struct open_event sys_enter_openat2 is a struct open_event sys_enter_pause is a struct null_event -sys_enter_perf_event_open is a struct null_event +sys_enter_perf_event_open is a struct perf_open_event sys_enter_personality is a struct null_event sys_enter_pidfd_getfd is a struct fd_event sys_enter_pidfd_open is a struct null_event @@ -228,7 +228,7 @@ sys_enter_process_mrelease is a struct null_event sys_enter_process_vm_readv is a struct null_event sys_enter_process_vm_writev is a struct null_event sys_enter_pselect6 is a struct poll_event -sys_enter_ptrace is a struct null_event +sys_enter_ptrace is a struct ptrace_event sys_enter_pwrite64 is a struct fd_event sys_enter_pwritev is a struct fd_event sys_enter_pwritev2 is a struct fd_event @@ -249,7 +249,7 @@ sys_enter_removexattrat is a struct path_event sys_enter_rename is a struct name_event sys_enter_renameat is a struct name_event sys_enter_renameat2 is a struct name_event -sys_enter_request_key is a struct null_event +sys_enter_request_key is a struct keyctl_event sys_enter_restart_syscall is a struct null_event sys_enter_rmdir is a struct path_event sys_enter_rseq is a struct null_event diff --git a/internal/c/types.h b/internal/c/types.h index 6b4785e..6fde3a1 100644 --- a/internal/c/types.h +++ b/internal/c/types.h @@ -41,6 +41,12 @@ #define EXIT_SLEEP_EVENT 36 #define ENTER_TWO_FD_EVENT 37 #define EXIT_TWO_FD_EVENT 38 +#define ENTER_KEYCTL_EVENT 39 +#define EXIT_KEYCTL_EVENT 40 +#define ENTER_PTRACE_EVENT 41 +#define EXIT_PTRACE_EVENT 42 +#define ENTER_PERF_OPEN_EVENT 43 +#define EXIT_PERF_OPEN_EVENT 44 #define UNCLASSIFIED 0 #define READ_CLASSIFIED 1 
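Review bot: `EXIT_KEYCTL_EVENT`, `EXIT_PTRACE_EVENT` and `EXIT_PERF_OPEN_EVENT` (40, 42, 44) are defined in types.h but nothing in this diff emits them — the sys_exit handlers for add_key, request_key, keyctl, perf_event_open and ptrace appear only as unchanged context, so presumably they still produce the previous exit event type. Either wire the exit handlers to the new constants, with a matching exit struct carrying the return value (which is what makes the entry fields trustworthy: a perf_event_open or ptrace that fails with -EPERM is a very different signal from one that succeeds), or leave the numbers out until they are used, so a decoder switching on event_type does not grow dead cases; if they stay, `// 40/42/44 reserved for exit events; not yet emitted` is the minimum. The exit handler bodies are outside this diff, so I cannot confirm what they emit today.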
@@ -245,3 +251,41 @@ struct two_fd_event {
 __s32 fd_b;
 __u64 extra;
 };
+
+struct keyctl_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 option;
+ __s32 key_serial;
+ __u64 value;
+};
+
+struct ptrace_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s64 request;
+ __s32 target_pid;
+ __s32 _pad;
+ __u64 data;
+};
+
+struct perf_open_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __u32 attr_type;
+ __u32 attr_size;
+ __u64 config;
+ __s32 target_pid;
+ __s32 cpu;
+ __s32 group_fd;
+ __u32 flags;
+};
|
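Review bot: These three structs cross the ring buffer into a separate decoder, so their exact size and layout are the contract; pin them with `_Static_assert(sizeof(struct keyctl_event) == 40, "keyctl_event layout");` and likewise 48 for ptrace_event and 56 for perf_open_event (what the current field lists give under natural alignment), so a later field addition that changes padding fails at compile time rather than at decode time. `keyctl_event.option` doubles as a syscall discriminator — the enter handlers store -1 for add_key, -2 for request_key and the real keyctl option otherwise — and `value` changes meaning with it (plen for add_key, 0 for request_key, a pointer, mask or length for keyctl); that belongs in a comment on the struct, since the decoder cannot learn it from the header. `ptrace_event._pad` is explicit padding before the 8-byte `data`, which is good; if ptrace's `addr` argument is ever wanted, a `__u64 addr;` after `data` keeps the layout aligned.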
