Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 126 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 16 | ||||
| -rw-r--r-- | internal/c/maps.h | 19 | ||||
| -rw-r--r-- | internal/c/types.h | 26 |
4 files changed, 151 insertions, 36 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 0f83f35..c14c61e 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c 
@@ -3571,89 +3571,109 @@ int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_eventfd2 is a struct null_event +/// sys_enter_eventfd2 is a struct eventfd_event SEC("tracepoint/syscalls/sys_enter_eventfd2") int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_EVENTFD2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[1]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED) +/// sys_exit_eventfd2 is a struct eventfd_event SEC("tracepoint/syscalls/sys_exit_eventfd2") int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_EVENTFD2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_eventfd is a struct null_event +/// sys_enter_eventfd is a struct eventfd_event SEC("tracepoint/syscalls/sys_enter_eventfd") int 
handle_sys_enter_eventfd(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_EVENTFD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_eventfd is a struct ret_event (UNCLASSIFIED) +/// sys_exit_eventfd is a struct eventfd_event SEC("tracepoint/syscalls/sys_exit_eventfd") int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_EVENTFD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -7771,89 +7791,139 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_pipe2 is a struct null_event +/// sys_enter_pipe2 is a struct pipe_event SEC("tracepoint/syscalls/sys_enter_pipe2") int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_PIPE_EVENT; ev->trace_id = SYS_ENTER_PIPE2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + struct pipe_ctx pending; + pending.upipefd = ctx->args[0]; + pending.flags = (__s32)ctx->args[1]; + bpf_map_update_elem(&pipe_ctx_map, &tid, &pending, BPF_ANY); + ev->flags = pending.flags; + ev->fd0 = -1; + ev->fd1 = -1; + ev->ret = 0; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED) +/// sys_exit_pipe2 is a struct pipe_event SEC("tracepoint/syscalls/sys_exit_pipe2") int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_PIPE_EVENT; ev->trace_id = SYS_EXIT_PIPE2; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 fd0 = -1; + __s32 fd1 = -1; + struct pipe_ctx *pending = bpf_map_lookup_elem(&pipe_ctx_map, &tid); + if (pending) { + flags = pending->flags; + if (ctx->ret == 0 && pending->upipefd != 0) { + int pipefd[2]; + if (bpf_probe_read_user(&pipefd, sizeof(pipefd), (void *)pending->upipefd) == 0) { + fd0 = (__s32)pipefd[0]; + fd1 = (__s32)pipefd[1]; + } + } + 
bpf_map_delete_elem(&pipe_ctx_map, &tid); + } + ev->flags = flags; + ev->fd0 = fd0; + ev->fd1 = fd1; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_pipe is a struct null_event +/// sys_enter_pipe is a struct pipe_event SEC("tracepoint/syscalls/sys_enter_pipe") int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_PIPE_EVENT; ev->trace_id = SYS_ENTER_PIPE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + struct pipe_ctx pending; + pending.upipefd = ctx->args[0]; + pending.flags = 0; + bpf_map_update_elem(&pipe_ctx_map, &tid, &pending, BPF_ANY); + ev->flags = pending.flags; + ev->fd0 = -1; + ev->fd1 = -1; + ev->ret = 0; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pipe is a struct ret_event (UNCLASSIFIED) +/// sys_exit_pipe is a struct pipe_event SEC("tracepoint/syscalls/sys_exit_pipe") int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_PIPE_EVENT; ev->trace_id = SYS_EXIT_PIPE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 fd0 = -1; + __s32 fd1 = -1; + struct pipe_ctx *pending = bpf_map_lookup_elem(&pipe_ctx_map, &tid); + if (pending) { + flags = pending->flags; + if (ctx->ret == 0 && pending->upipefd != 0) { + int pipefd[2]; + if (bpf_probe_read_user(&pipefd, sizeof(pipefd), (void *)pending->upipefd) == 0) { + fd0 = 
(__s32)pipefd[0]; + fd1 = (__s32)pipefd[1]; + } + } + bpf_map_delete_elem(&pipe_ctx_map, &tid); + } + ev->flags = flags; + ev->fd0 = fd0; + ev->fd1 = fd1; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index a2ad3ca..8f2564c 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -38,8 +38,8 @@ sys_enter_epoll_ctl is a struct fd_event sys_enter_epoll_pwait is a struct null_event sys_enter_epoll_pwait2 is a struct null_event sys_enter_epoll_wait is a struct null_event -sys_enter_eventfd is a struct null_event -sys_enter_eventfd2 is a struct null_event +sys_enter_eventfd is a struct eventfd_event +sys_enter_eventfd2 is a struct eventfd_event sys_enter_execve is a struct path_event sys_enter_execveat is a struct fd_event sys_enter_exit is a struct null_event @@ -210,8 +210,8 @@ sys_enter_personality is a struct null_event sys_enter_pidfd_getfd is a struct fd_event sys_enter_pidfd_open is a struct null_event sys_enter_pidfd_send_signal is a struct null_event -sys_enter_pipe is a struct null_event -sys_enter_pipe2 is a struct null_event +sys_enter_pipe is a struct pipe_event +sys_enter_pipe2 is a struct pipe_event sys_enter_pivot_root is a struct null_event sys_enter_pkey_alloc is a struct null_event sys_enter_pkey_free is a struct null_event 
@@ -405,8 +405,8 @@ sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED) -sys_exit_eventfd is a struct ret_event (UNCLASSIFIED) -sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED) +sys_exit_eventfd is a struct eventfd_event +sys_exit_eventfd2 is a struct eventfd_event sys_exit_execve is a struct ret_event (UNCLASSIFIED) sys_exit_execveat is a struct ret_event (UNCLASSIFIED) sys_exit_exit is a struct ret_event (UNCLASSIFIED) @@ -577,8 +577,8 @@ sys_exit_personality is a struct ret_event (UNCLASSIFIED) sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED) sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED) -sys_exit_pipe is a struct ret_event (UNCLASSIFIED) -sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED) +sys_exit_pipe is a struct pipe_event +sys_exit_pipe2 is a struct pipe_event sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED) sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED) sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED) diff --git a/internal/c/maps.h b/internal/c/maps.h index 1624ff8..665e4ff 100644 --- a/internal/c/maps.h +++ b/internal/c/maps.h @@ -12,9 +12,28 @@ struct socketpair_ctx { __s32 protocol; }; +struct pipe_ctx { + __u64 upipefd; + __s32 flags; +}; + struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 8192); __type(key, __u32); __type(value, struct socketpair_ctx); } socketpair_ctx_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 8192); + __type(key, __u32); + __type(value, struct pipe_ctx); +} pipe_ctx_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 8192); + __type(key, __u32); + __type(value, __s32); +} eventfd_flags_map SEC(".maps"); 
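Review bot: Entries in `pipe_ctx_map` and `eventfd_flags_map` are removed only on the exit path after a successful `bpf_ringbuf_reserve`, so they can outlive the call that created them. In the exit handlers in generated_tracepoints.c, `if (!ev) return 0;` runs before `bpf_map_lookup_elem`/`bpf_map_delete_elem`, and a thread that dies between enter and exit never reaches the delete at all. The enter handlers likewise return before `bpf_map_update_elem` when the reserve fails, and the update's return value is not checked. A leftover `pipe_ctx` can therefore be matched to a later call on the same tid, and the exit event would then report flags and fds read through a stale `upipefd`. Consider doing the lookup and delete before the reserve in the generator template, and declaring both maps with `__uint(type, BPF_MAP_TYPE_LRU_HASH);` so orphaned entries cannot fill the 8192 slots.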
diff --git a/internal/c/types.h b/internal/c/types.h index 6365e3f..3e06040 100644 --- a/internal/c/types.h +++ b/internal/c/types.h @@ -27,6 +27,10 @@ #define EXIT_SOCKETPAIR_EVENT 22 #define ENTER_ACCEPT_EVENT 23 #define EXIT_ACCEPT_EVENT 24 +#define ENTER_PIPE_EVENT 25 +#define EXIT_PIPE_EVENT 26 +#define ENTER_EVENTFD_EVENT 27 +#define EXIT_EVENTFD_EVENT 28 #define UNCLASSIFIED 0 #define READ_CLASSIFIED 1 @@ -155,3 +159,25 @@ struct accept_event { __s32 fd; __s64 ret; }; + +struct pipe_event { + __u32 event_type; + __u32 trace_id; + __u64 time; + __u32 pid; + __u32 tid; + __s32 flags; + __s32 fd0; + __s32 fd1; + __s64 ret; +}; + +struct eventfd_event { + __u32 event_type; + __u32 trace_id; + __u64 time; + __u32 pid; + __u32 tid; + __s32 flags; + __s64 ret; +}; |
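Review bot: Both new event structs have four bytes of implicit padding before `__s64 ret;` (after `fd1` in `pipe_event`, after `flags` in `eventfd_event`), assuming the usual 8-byte alignment of `__s64`. The handlers fill the record field by field in memory returned by `bpf_ringbuf_reserve`, so those bytes are never written. Whatever that ring-buffer slot held before is handed to the userspace reader, and the reader's decoder has to know to skip the gap. An explicit `__u32 pad;` before `ret`, set to 0 in the handlers, would make the layout visible and the record fully initialised. `struct pipe_ctx` in maps.h has the same shape (four trailing bytes after `flags`) and is built on the stack without an initialiser, so `__builtin_memset(&pending, 0, sizeof(pending));` before the field assignments would be worth adding there too.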
