Diffstat (limited to 'internal')
-rw-r--r--internal/c/generated/tracepoints.c898
-rw-r--r--internal/c/generated/tracepoints.raku15
-rw-r--r--internal/c/types.h11
-rw-r--r--internal/eventloop.go5
-rw-r--r--internal/file.go13
-rw-r--r--internal/generated/tracepoints/tracepoints.go40
-rw-r--r--internal/generated/types/types.go252
7 files changed, 1232 insertions, 2 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c
index 89c473a..8ba2028 100644
--- a/internal/c/generated/tracepoints.c
+++ b/internal/c/generated/tracepoints.c
@@ -6,6 +6,8 @@
#define SYS_ENTER_CLOSE_RANGE 701
#define SYS_EXIT_CLOSE 702
#define SYS_ENTER_CLOSE 703
+#define SYS_EXIT_CREAT 704
+#define SYS_ENTER_CREAT 705
#define SYS_EXIT_FCHOWN 712
#define SYS_ENTER_FCHOWN 713
#define SYS_EXIT_FCHMOD 726
@@ -26,6 +28,8 @@
#define SYS_ENTER_READ 769
#define SYS_EXIT_LSEEK 770
#define SYS_ENTER_LSEEK 771
+#define SYS_EXIT_READLINKAT 776
+#define SYS_ENTER_READLINKAT 777
#define SYS_EXIT_NEWFSTAT 778
#define SYS_ENTER_NEWFSTAT 779
#define SYS_EXIT_RENAME 794
@@ -42,6 +46,16 @@
#define SYS_ENTER_SYMLINK 805
#define SYS_EXIT_SYMLINKAT 806
#define SYS_ENTER_SYMLINKAT 807
+#define SYS_EXIT_UNLINK 808
+#define SYS_ENTER_UNLINK 809
+#define SYS_EXIT_UNLINKAT 810
+#define SYS_ENTER_UNLINKAT 811
+#define SYS_EXIT_RMDIR 812
+#define SYS_ENTER_RMDIR 813
+#define SYS_EXIT_MKDIR 814
+#define SYS_ENTER_MKDIR 815
+#define SYS_EXIT_MKDIRAT 816
+#define SYS_ENTER_MKDIRAT 817
#define SYS_EXIT_FCNTL 822
#define SYS_ENTER_FCNTL 823
#define SYS_EXIT_IOCTL 824
@@ -50,6 +64,22 @@
#define SYS_ENTER_GETDENTS64 827
#define SYS_EXIT_GETDENTS 828
#define SYS_ENTER_GETDENTS 829
+#define SYS_EXIT_LREMOVEXATTR 862
+#define SYS_ENTER_LREMOVEXATTR 863
+#define SYS_EXIT_REMOVEXATTR 864
+#define SYS_ENTER_REMOVEXATTR 865
+#define SYS_EXIT_LLISTXATTR 868
+#define SYS_ENTER_LLISTXATTR 869
+#define SYS_EXIT_LISTXATTR 870
+#define SYS_ENTER_LISTXATTR 871
+#define SYS_EXIT_LGETXATTR 874
+#define SYS_ENTER_LGETXATTR 875
+#define SYS_EXIT_GETXATTR 876
+#define SYS_ENTER_GETXATTR 877
+#define SYS_EXIT_LSETXATTR 880
+#define SYS_ENTER_LSETXATTR 881
+#define SYS_EXIT_SETXATTR 882
+#define SYS_ENTER_SETXATTR 883
#define SYS_EXIT_SYNC_FILE_RANGE 922
#define SYS_ENTER_SYNC_FILE_RANGE 923
#define SYS_EXIT_FDATASYNC 924
@@ -58,10 +88,20 @@
#define SYS_ENTER_FSYNC 927
#define SYS_EXIT_FSTATFS 944
#define SYS_ENTER_FSTATFS 945
+#define SYS_EXIT_STATFS 946
+#define SYS_ENTER_STATFS 947
+#define SYS_EXIT_INOTIFY_RM_WATCH 954
+#define SYS_ENTER_INOTIFY_RM_WATCH 955
+#define SYS_EXIT_INOTIFY_ADD_WATCH 956
+#define SYS_ENTER_INOTIFY_ADD_WATCH 957
+#define SYS_EXIT_FANOTIFY_MARK 962
+#define SYS_ENTER_FANOTIFY_MARK 963
#define SYS_EXIT_FLOCK 1020
#define SYS_ENTER_FLOCK 1021
#define SYS_EXIT_QUOTACTL_FD 1051
#define SYS_ENTER_QUOTACTL_FD 1052
+#define SYS_EXIT_MQ_UNLINK 1321
+#define SYS_ENTER_MQ_UNLINK 1322
#define SYS_EXIT_IO_URING_REGISTER 1377
#define SYS_ENTER_IO_URING_REGISTER 1378
#define SYS_EXIT_IO_URING_ENTER 1381
@@ -193,6 +233,49 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) {
return 0;
}
+SEC("tracepoint/syscalls/sys_exit_creat")
+int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_CREAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_creat")
+int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_CREAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
SEC("tracepoint/syscalls/sys_exit_fchown")
int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
@@ -613,6 +696,49 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) {
return 0;
}
+SEC("tracepoint/syscalls/sys_exit_readlinkat")
+int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_READLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_readlinkat")
+int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_READLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
SEC("tracepoint/syscalls/sys_exit_newfstat")
int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
@@ -963,6 +1089,221 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) {
return 0;
}
+SEC("tracepoint/syscalls/sys_exit_unlink")
+int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_UNLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_UNLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_unlinkat")
+int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_UNLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_UNLINKAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_rmdir")
+int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_RMDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_rmdir")
+int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_RMDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_mkdir")
+int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MKDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_mkdir")
+int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_MKDIR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_mkdirat")
+int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MKDIRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_mkdirat")
+int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_MKDIRAT;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
SEC("tracepoint/syscalls/sys_exit_fcntl")
int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
@@ -1131,6 +1472,350 @@ int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) {
return 0;
}
+SEC("tracepoint/syscalls/sys_exit_lremovexattr")
+int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LREMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_lremovexattr")
+int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LREMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_removexattr")
+int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_REMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_removexattr")
+int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_REMOVEXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_llistxattr")
+int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LLISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_llistxattr")
+int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LLISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_listxattr")
+int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_listxattr")
+int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LISTXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_lgetxattr")
+int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LGETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_lgetxattr")
+int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LGETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_getxattr")
+int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_GETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_getxattr")
+int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_GETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_lsetxattr")
+int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_LSETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_lsetxattr")
+int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_LSETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_setxattr")
+int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_SETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_setxattr")
+int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_SETXATTR;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
SEC("tracepoint/syscalls/sys_exit_sync_file_range")
int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
@@ -1299,6 +1984,177 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) {
return 0;
}
+SEC("tracepoint/syscalls/sys_exit_statfs")
+int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_STATFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_statfs")
+int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_STATFS;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch")
+int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch")
+int handle_sys_enter_inotify_rm_watch(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_inotify_add_watch")
+int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_inotify_add_watch")
+int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_fanotify_mark")
+int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_FANOTIFY_MARK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_fanotify_mark")
+int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_PATH_EVENT;
+ ev->trace_id = SYS_ENTER_FANOTIFY_MARK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]);
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
SEC("tracepoint/syscalls/sys_exit_flock")
int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
@@ -1383,6 +2239,48 @@ int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) {
return 0;
}
+SEC("tracepoint/syscalls/sys_exit_mq_unlink")
+int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = EXIT_RET_EVENT;
+ ev->trace_id = SYS_EXIT_MQ_UNLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+ ev->ret = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_mq_unlink")
+int handle_sys_enter_mq_unlink(struct trace_event_raw_sys_enter *ctx) {
+ __u32 pid, tid;
+ if (filter(&pid, &tid))
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->event_type = ENTER_NULL_EVENT;
+ ev->trace_id = SYS_ENTER_MQ_UNLINK;
+ ev->pid = pid;
+ ev->tid = tid;
+ ev->time = bpf_ktime_get_ns() / 1000;
+
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
SEC("tracepoint/syscalls/sys_exit_io_uring_register")
int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) {
__u32 pid, tid;
diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku
index ad95559..de801a7 100644
--- a/internal/c/generated/tracepoints.raku
+++ b/internal/c/generated/tracepoints.raku
@@ -45,8 +45,10 @@ class Format {
# file descriptor passed to syscalls.
has Bool $.has-fd is rw = False;
- # Has tracepoint has got oldname and name
+ # Tracepoint has oldname/newname
has Bool $.has-name is rw = False;
+ # Tracepoint has pathname
+ has Bool $.has-path is rw = False;
# Syscall returns with a long value (e.g. bytes read/written)
has Bool $.has-long-ret is rw = False;
@@ -65,6 +67,8 @@ class Format {
$!has-fd = True;
} elsif (field.name eq 'newname' && field.type eq 'const char *') {
$!has-name = True;
+ } elsif (field.name eq 'pathname' && field.type eq 'const char *') {
+ $!has-path = True;
} elsif (field.name eq 'ret' && field.type eq 'long') {
$.has-long-ret = True;
}
@@ -85,6 +89,7 @@ class Format {
my \event-struct = do if $!has-fd { 'fd_event' }
elsif $!has-long-ret { 'ret_event' }
elsif $!has-name { 'name_event' }
+ elsif $!has-path { 'path_event' }
else { 'null_event' };
my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' }
elsif $!has-long-ret { 'ev->ret = ctx->ret;' }
@@ -96,6 +101,12 @@ class Format {
bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-index}]);
bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-index}]);
END
+ } elsif $!has-path {
+ my Int \pathname-index = self!field-number('pathname');
+ qq:to/END/.trim-trailing;
+ __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname));
+ bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]);
+ END
}
else { '' };
qq:to/END/;
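Review bot: The `bpf_probe_read_user_str` call emitted by the `$!has-path` branch discards its return value, so a faulted read still submits an event whose `pathname` is all zeroes, and a path longer than `sizeof(ev->pathname)` is cut without any marker. For a tool that audits file activity both cases should be distinguishable from a genuine path: capture the result, e.g. `long n = bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]);`, and flag the event or call `bpf_ringbuf_discard(ev, 0)` when `n < 0`. A comment above the heredoc should also record two limits of this capture. The string is read from user memory at syscall entry, so another thread can change it before the kernel makes its own copy, and for the `*at` variants in the generated output (unlinkat, mkdirat, readlinkat) the directory fd that a relative path resolves against is not stored. The enclosing method starts and ends outside this hunk.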
@@ -154,7 +165,7 @@ my Format @formats = gather for SysTraceFormat
.parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made
# For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open
.classify(*.name.split('_').tail).values
- .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) }) -> @_ { .take for @_ }
+ .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) || $_.grep(*.has-path) }) -> @_ { .take for @_ }
@formats .= sort(*.id);
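Review bot: Adding `|| $_.grep(*.has-path)` to this group filter also pulls in tracepoints that carry no pathname, because the groups are keyed only on the last `_`-separated token of the tracepoint name. The generated output in this commit shows the effect: `sys_enter_mq_unlink` and `sys_enter_inotify_rm_watch` are emitted as `null_event` handlers, apparently because they share the `unlink` and `watch` keys with path-bearing syscalls. If that is unintended, key the groups on the name with its `sys_enter_`/`sys_exit_` prefix removed instead of `.tail`. If it is intended, a comment above the `.classify` line should say so.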
diff --git a/internal/c/types.h b/internal/c/types.h
index 017e1fb..b2cb1fa 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -13,6 +13,8 @@
#define EXIT_RET_EVENT 8
#define ENTER_NAME_EVENT 9
#define EXIT_NAME_EVENT 10
+#define ENTER_PATH_EVENT 11
+#define EXIT_PATH_EVENT 12
struct open_event {
__u32 event_type;
@@ -59,3 +61,12 @@ struct name_event {
char oldname[MAX_FILENAME_LENGTH];
char newname[MAX_FILENAME_LENGTH];
};
+
+struct path_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u32 pid;
+ __u32 tid;
+ __u32 time;
+ char pathname[MAX_FILENAME_LENGTH];
+};
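Review bot: `__u32 time` in `struct path_event` is too narrow for what the generated handlers store in it: `ev->time = bpf_ktime_get_ns() / 1000` is microseconds since boot, and 2^32 microseconds is about 71.6 minutes, so the field wraps repeatedly on any long-running host. Event ordering and enter/exit durations become unreliable across a wrap, which matters when the trace is read as a timeline. Consider `__u64 time;`, positioned so the struct stays naturally aligned, with the matching change in the Go decoder. The other event structs are outside this hunk and presumably share the field. Separately, `EXIT_PATH_EVENT` from the previous hunk is not used by any handler visible in this commit, since the exit handlers all set `EXIT_RET_EVENT`.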
diff --git a/internal/eventloop.go b/internal/eventloop.go
index 2ebd01c..d3f91b8 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -72,6 +72,11 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
}
ev.comm, _ = comms[ev.enterEv.GetTid()]
+ case *PathEvent:
+ nameEvent := ev.enterEv.(*PathEvent)
+ ev.file = pathnameFile{string(nameEvent.Pathname[:])}
+ ev.comm, _ = comms[ev.enterEv.GetTid()]
+
case *FdEvent:
fd := ev.enterEv.(*FdEvent).Fd
if file_, ok := files[fd]; ok {
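Review bot: `string(nameEvent.Pathname[:])` converts the whole fixed-size buffer, so the resulting string keeps every NUL byte that follows the path (the BPF side zero-fills `pathname` before the read). Unless trimming happens somewhere outside this hunk, any later comparison, filter or print on `pathnameFile` sees the padding as part of the path. Cut at the first NUL before converting, e.g. `p := nameEvent.Pathname[:]; if i := bytes.IndexByte(p, 0); i >= 0 { p = p[:i] }`, which assumes `Pathname` is a byte array and needs the `bytes` import. The local would also read better as `pathEvent`, since it holds a `*PathEvent`.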
diff --git a/internal/file.go b/internal/file.go
index 81fe43d..72fe57e 100644
--- a/internal/file.go
+++ b/internal/file.go
@@ -43,3 +43,16 @@ func (f oldnameNewnameFile) String() string {
return sb.String()
}
+
+type pathnameFile struct {
+ pathname string
+}
+
+func (f pathnameFile) String() string {
+ var sb strings.Builder
+
+ sb.WriteString("pathname:")
+ sb.WriteString(f.pathname)
+
+ return sb.String()
+}
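Review bot: `sb.WriteString(f.pathname)` in `pathnameFile.String` emits the path bytes verbatim, and that string is chosen by the process being traced. A path containing newlines or terminal escape sequences can therefore forge or garble lines wherever this value is logged or printed. Quoting it, `sb.WriteString(strconv.Quote(f.pathname))`, keeps one event on one line at the cost of a changed output format, and needs the `strconv` import. `oldnameNewnameFile.String`, which ends just above this hunk, may deserve the same treatment.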
diff --git a/internal/generated/tracepoints/tracepoints.go b/internal/generated/tracepoints/tracepoints.go
index 22eed77..7495274 100644
--- a/internal/generated/tracepoints/tracepoints.go
+++ b/internal/generated/tracepoints/tracepoints.go
@@ -8,6 +8,8 @@ var List = []string{
"sys_enter_close_range",
"sys_exit_close",
"sys_enter_close",
+ "sys_exit_creat",
+ "sys_enter_creat",
"sys_exit_fchown",
"sys_enter_fchown",
"sys_exit_fchmod",
@@ -28,6 +30,8 @@ var List = []string{
"sys_enter_read",
"sys_exit_lseek",
"sys_enter_lseek",
+ "sys_exit_readlinkat",
+ "sys_enter_readlinkat",
"sys_exit_newfstat",
"sys_enter_newfstat",
"sys_exit_rename",
@@ -44,6 +48,16 @@ var List = []string{
"sys_enter_symlink",
"sys_exit_symlinkat",
"sys_enter_symlinkat",
+ "sys_exit_unlink",
+ "sys_enter_unlink",
+ "sys_exit_unlinkat",
+ "sys_enter_unlinkat",
+ "sys_exit_rmdir",
+ "sys_enter_rmdir",
+ "sys_exit_mkdir",
+ "sys_enter_mkdir",
+ "sys_exit_mkdirat",
+ "sys_enter_mkdirat",
"sys_exit_fcntl",
"sys_enter_fcntl",
"sys_exit_ioctl",
@@ -52,6 +66,22 @@ var List = []string{
"sys_enter_getdents64",
"sys_exit_getdents",
"sys_enter_getdents",
+ "sys_exit_lremovexattr",
+ "sys_enter_lremovexattr",
+ "sys_exit_removexattr",
+ "sys_enter_removexattr",
+ "sys_exit_llistxattr",
+ "sys_enter_llistxattr",
+ "sys_exit_listxattr",
+ "sys_enter_listxattr",
+ "sys_exit_lgetxattr",
+ "sys_enter_lgetxattr",
+ "sys_exit_getxattr",
+ "sys_enter_getxattr",
+ "sys_exit_lsetxattr",
+ "sys_enter_lsetxattr",
+ "sys_exit_setxattr",
+ "sys_enter_setxattr",
"sys_exit_sync_file_range",
"sys_enter_sync_file_range",
"sys_exit_fdatasync",
@@ -60,10 +90,20 @@ var List = []string{
"sys_enter_fsync",
"sys_exit_fstatfs",
"sys_enter_fstatfs",
+ "sys_exit_statfs",
+ "sys_enter_statfs",
+ "sys_exit_inotify_rm_watch",
+ "sys_enter_inotify_rm_watch",
+ "sys_exit_inotify_add_watch",
+ "sys_enter_inotify_add_watch",
+ "sys_exit_fanotify_mark",
+ "sys_enter_fanotify_mark",
"sys_exit_flock",
"sys_enter_flock",
"sys_exit_quotactl_fd",
"sys_enter_quotactl_fd",
+ "sys_exit_mq_unlink",
+ "sys_enter_mq_unlink",
"sys_exit_io_uring_register",
"sys_enter_io_uring_register",
"sys_exit_io_uring_enter",
diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go
index 8925056..5830dd3 100644
--- a/internal/generated/types/types.go
+++ b/internal/generated/types/types.go
@@ -25,6 +25,10 @@ func (s TraceId) String() string {
return "exit_close"
case SYS_ENTER_CLOSE:
return "enter_close"
+ case SYS_EXIT_CREAT:
+ return "exit_creat"
+ case SYS_ENTER_CREAT:
+ return "enter_creat"
case SYS_EXIT_FCHOWN:
return "exit_fchown"
case SYS_ENTER_FCHOWN:
@@ -65,6 +69,10 @@ func (s TraceId) String() string {
return "exit_lseek"
case SYS_ENTER_LSEEK:
return "enter_lseek"
+ case SYS_EXIT_READLINKAT:
+ return "exit_readlinkat"
+ case SYS_ENTER_READLINKAT:
+ return "enter_readlinkat"
case SYS_EXIT_NEWFSTAT:
return "exit_newfstat"
case SYS_ENTER_NEWFSTAT:
@@ -97,6 +105,26 @@ func (s TraceId) String() string {
return "exit_symlinkat"
case SYS_ENTER_SYMLINKAT:
return "enter_symlinkat"
+ case SYS_EXIT_UNLINK:
+ return "exit_unlink"
+ case SYS_ENTER_UNLINK:
+ return "enter_unlink"
+ case SYS_EXIT_UNLINKAT:
+ return "exit_unlinkat"
+ case SYS_ENTER_UNLINKAT:
+ return "enter_unlinkat"
+ case SYS_EXIT_RMDIR:
+ return "exit_rmdir"
+ case SYS_ENTER_RMDIR:
+ return "enter_rmdir"
+ case SYS_EXIT_MKDIR:
+ return "exit_mkdir"
+ case SYS_ENTER_MKDIR:
+ return "enter_mkdir"
+ case SYS_EXIT_MKDIRAT:
+ return "exit_mkdirat"
+ case SYS_ENTER_MKDIRAT:
+ return "enter_mkdirat"
case SYS_EXIT_FCNTL:
return "exit_fcntl"
case SYS_ENTER_FCNTL:
@@ -113,6 +141,38 @@ func (s TraceId) String() string {
return "exit_getdents"
case SYS_ENTER_GETDENTS:
return "enter_getdents"
+ case SYS_EXIT_LREMOVEXATTR:
+ return "exit_lremovexattr"
+ case SYS_ENTER_LREMOVEXATTR:
+ return "enter_lremovexattr"
+ case SYS_EXIT_REMOVEXATTR:
+ return "exit_removexattr"
+ case SYS_ENTER_REMOVEXATTR:
+ return "enter_removexattr"
+ case SYS_EXIT_LLISTXATTR:
+ return "exit_llistxattr"
+ case SYS_ENTER_LLISTXATTR:
+ return "enter_llistxattr"
+ case SYS_EXIT_LISTXATTR:
+ return "exit_listxattr"
+ case SYS_ENTER_LISTXATTR:
+ return "enter_listxattr"
+ case SYS_EXIT_LGETXATTR:
+ return "exit_lgetxattr"
+ case SYS_ENTER_LGETXATTR:
+ return "enter_lgetxattr"
+ case SYS_EXIT_GETXATTR:
+ return "exit_getxattr"
+ case SYS_ENTER_GETXATTR:
+ return "enter_getxattr"
+ case SYS_EXIT_LSETXATTR:
+ return "exit_lsetxattr"
+ case SYS_ENTER_LSETXATTR:
+ return "enter_lsetxattr"
+ case SYS_EXIT_SETXATTR:
+ return "exit_setxattr"
+ case SYS_ENTER_SETXATTR:
+ return "enter_setxattr"
case SYS_EXIT_SYNC_FILE_RANGE:
return "exit_sync_file_range"
case SYS_ENTER_SYNC_FILE_RANGE:
@@ -129,6 +189,22 @@ func (s TraceId) String() string {
return "exit_fstatfs"
case SYS_ENTER_FSTATFS:
return "enter_fstatfs"
+ case SYS_EXIT_STATFS:
+ return "exit_statfs"
+ case SYS_ENTER_STATFS:
+ return "enter_statfs"
+ case SYS_EXIT_INOTIFY_RM_WATCH:
+ return "exit_inotify_rm_watch"
+ case SYS_ENTER_INOTIFY_RM_WATCH:
+ return "enter_inotify_rm_watch"
+ case SYS_EXIT_INOTIFY_ADD_WATCH:
+ return "exit_inotify_add_watch"
+ case SYS_ENTER_INOTIFY_ADD_WATCH:
+ return "enter_inotify_add_watch"
+ case SYS_EXIT_FANOTIFY_MARK:
+ return "exit_fanotify_mark"
+ case SYS_ENTER_FANOTIFY_MARK:
+ return "enter_fanotify_mark"
case SYS_EXIT_FLOCK:
return "exit_flock"
case SYS_ENTER_FLOCK:
@@ -137,6 +213,10 @@ func (s TraceId) String() string {
return "exit_quotactl_fd"
case SYS_ENTER_QUOTACTL_FD:
return "enter_quotactl_fd"
+ case SYS_EXIT_MQ_UNLINK:
+ return "exit_mq_unlink"
+ case SYS_ENTER_MQ_UNLINK:
+ return "enter_mq_unlink"
case SYS_EXIT_IO_URING_REGISTER:
return "exit_io_uring_register"
case SYS_ENTER_IO_URING_REGISTER:
@@ -172,6 +252,10 @@ func (s TraceId) Name() string {
return "close"
case SYS_ENTER_CLOSE:
return "close"
+ case SYS_EXIT_CREAT:
+ return "creat"
+ case SYS_ENTER_CREAT:
+ return "creat"
case SYS_EXIT_FCHOWN:
return "fchown"
case SYS_ENTER_FCHOWN:
@@ -212,6 +296,10 @@ func (s TraceId) Name() string {
return "lseek"
case SYS_ENTER_LSEEK:
return "lseek"
+ case SYS_EXIT_READLINKAT:
+ return "readlinkat"
+ case SYS_ENTER_READLINKAT:
+ return "readlinkat"
case SYS_EXIT_NEWFSTAT:
return "newfstat"
case SYS_ENTER_NEWFSTAT:
@@ -244,6 +332,26 @@ func (s TraceId) Name() string {
return "symlinkat"
case SYS_ENTER_SYMLINKAT:
return "symlinkat"
+ case SYS_EXIT_UNLINK:
+ return "unlink"
+ case SYS_ENTER_UNLINK:
+ return "unlink"
+ case SYS_EXIT_UNLINKAT:
+ return "unlinkat"
+ case SYS_ENTER_UNLINKAT:
+ return "unlinkat"
+ case SYS_EXIT_RMDIR:
+ return "rmdir"
+ case SYS_ENTER_RMDIR:
+ return "rmdir"
+ case SYS_EXIT_MKDIR:
+ return "mkdir"
+ case SYS_ENTER_MKDIR:
+ return "mkdir"
+ case SYS_EXIT_MKDIRAT:
+ return "mkdirat"
+ case SYS_ENTER_MKDIRAT:
+ return "mkdirat"
case SYS_EXIT_FCNTL:
return "fcntl"
case SYS_ENTER_FCNTL:
@@ -260,6 +368,38 @@ func (s TraceId) Name() string {
return "getdents"
case SYS_ENTER_GETDENTS:
return "getdents"
+ case SYS_EXIT_LREMOVEXATTR:
+ return "lremovexattr"
+ case SYS_ENTER_LREMOVEXATTR:
+ return "lremovexattr"
+ case SYS_EXIT_REMOVEXATTR:
+ return "removexattr"
+ case SYS_ENTER_REMOVEXATTR:
+ return "removexattr"
+ case SYS_EXIT_LLISTXATTR:
+ return "llistxattr"
+ case SYS_ENTER_LLISTXATTR:
+ return "llistxattr"
+ case SYS_EXIT_LISTXATTR:
+ return "listxattr"
+ case SYS_ENTER_LISTXATTR:
+ return "listxattr"
+ case SYS_EXIT_LGETXATTR:
+ return "lgetxattr"
+ case SYS_ENTER_LGETXATTR:
+ return "lgetxattr"
+ case SYS_EXIT_GETXATTR:
+ return "getxattr"
+ case SYS_ENTER_GETXATTR:
+ return "getxattr"
+ case SYS_EXIT_LSETXATTR:
+ return "lsetxattr"
+ case SYS_ENTER_LSETXATTR:
+ return "lsetxattr"
+ case SYS_EXIT_SETXATTR:
+ return "setxattr"
+ case SYS_ENTER_SETXATTR:
+ return "setxattr"
case SYS_EXIT_SYNC_FILE_RANGE:
return "sync_file_range"
case SYS_ENTER_SYNC_FILE_RANGE:
@@ -276,6 +416,22 @@ func (s TraceId) Name() string {
return "fstatfs"
case SYS_ENTER_FSTATFS:
return "fstatfs"
+ case SYS_EXIT_STATFS:
+ return "statfs"
+ case SYS_ENTER_STATFS:
+ return "statfs"
+ case SYS_EXIT_INOTIFY_RM_WATCH:
+ return "inotify_rm_watch"
+ case SYS_ENTER_INOTIFY_RM_WATCH:
+ return "inotify_rm_watch"
+ case SYS_EXIT_INOTIFY_ADD_WATCH:
+ return "inotify_add_watch"
+ case SYS_ENTER_INOTIFY_ADD_WATCH:
+ return "inotify_add_watch"
+ case SYS_EXIT_FANOTIFY_MARK:
+ return "fanotify_mark"
+ case SYS_ENTER_FANOTIFY_MARK:
+ return "fanotify_mark"
case SYS_EXIT_FLOCK:
return "flock"
case SYS_ENTER_FLOCK:
@@ -284,6 +440,10 @@ func (s TraceId) Name() string {
return "quotactl_fd"
case SYS_ENTER_QUOTACTL_FD:
return "quotactl_fd"
+ case SYS_EXIT_MQ_UNLINK:
+ return "mq_unlink"
+ case SYS_ENTER_MQ_UNLINK:
+ return "mq_unlink"
case SYS_EXIT_IO_URING_REGISTER:
return "io_uring_register"
case SYS_ENTER_IO_URING_REGISTER:
@@ -317,6 +477,8 @@ const ENTER_RET_EVENT = 7
const EXIT_RET_EVENT = 8
const ENTER_NAME_EVENT = 9
const EXIT_NAME_EVENT = 10
+const ENTER_PATH_EVENT = 11
+const EXIT_PATH_EVENT = 12
type OpenEvent struct {
EventType EventType
@@ -569,12 +731,64 @@ func (n *NameEvent) Recycle() {
poolOfNameEvents.Put(n)
}
+type PathEvent struct {
+ EventType EventType
+ TraceId TraceId
+ Pid uint32
+ Tid uint32
+ Time uint32
+ Pathname [MAX_FILENAME_LENGTH]byte
+}
+
+func (p PathEvent) String() string {
+ return fmt.Sprintf("EventType:%v TraceId:%v Pid:%v Tid:%v Time:%v Pathname:%v", p.EventType, p.TraceId, p.Pid, p.Tid, p.Time, string(p.Pathname[:]))
+}
+
+func (p *PathEvent) GetEventType() EventType {
+ return p.EventType
+}
+
+func (p *PathEvent) GetTraceId() TraceId {
+ return p.TraceId
+}
+
+func (p *PathEvent) GetPid() uint32 {
+ return p.Pid
+}
+
+func (p *PathEvent) GetTid() uint32 {
+ return p.Tid
+}
+
+func (p *PathEvent) GetTime() uint32 {
+ return p.Time
+}
+
+var poolOfPathEvents = sync.Pool{
+ New: func() interface{} { return &PathEvent{} },
+}
+
+func NewPathEvent(raw []byte) *PathEvent {
+ p := poolOfPathEvents.Get().(*PathEvent)
+ if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, p); err != nil {
+ fmt.Println(p, raw, len(raw), err)
+ panic(raw)
+ }
+ return p
+}
+
+func (p *PathEvent) Recycle() {
+ poolOfPathEvents.Put(p)
+}
+
const SYS_EXIT_CACHESTAT TraceId = 527
const SYS_ENTER_CACHESTAT TraceId = 528
const SYS_EXIT_CLOSE_RANGE TraceId = 700
const SYS_ENTER_CLOSE_RANGE TraceId = 701
const SYS_EXIT_CLOSE TraceId = 702
const SYS_ENTER_CLOSE TraceId = 703
+const SYS_EXIT_CREAT TraceId = 704
+const SYS_ENTER_CREAT TraceId = 705
const SYS_EXIT_FCHOWN TraceId = 712
const SYS_ENTER_FCHOWN TraceId = 713
const SYS_EXIT_FCHMOD TraceId = 726
@@ -595,6 +809,8 @@ const SYS_EXIT_READ TraceId = 768
const SYS_ENTER_READ TraceId = 769
const SYS_EXIT_LSEEK TraceId = 770
const SYS_ENTER_LSEEK TraceId = 771
+const SYS_EXIT_READLINKAT TraceId = 776
+const SYS_ENTER_READLINKAT TraceId = 777
const SYS_EXIT_NEWFSTAT TraceId = 778
const SYS_ENTER_NEWFSTAT TraceId = 779
const SYS_EXIT_RENAME TraceId = 794
@@ -611,6 +827,16 @@ const SYS_EXIT_SYMLINK TraceId = 804
const SYS_ENTER_SYMLINK TraceId = 805
const SYS_EXIT_SYMLINKAT TraceId = 806
const SYS_ENTER_SYMLINKAT TraceId = 807
+const SYS_EXIT_UNLINK TraceId = 808
+const SYS_ENTER_UNLINK TraceId = 809
+const SYS_EXIT_UNLINKAT TraceId = 810
+const SYS_ENTER_UNLINKAT TraceId = 811
+const SYS_EXIT_RMDIR TraceId = 812
+const SYS_ENTER_RMDIR TraceId = 813
+const SYS_EXIT_MKDIR TraceId = 814
+const SYS_ENTER_MKDIR TraceId = 815
+const SYS_EXIT_MKDIRAT TraceId = 816
+const SYS_ENTER_MKDIRAT TraceId = 817
const SYS_EXIT_FCNTL TraceId = 822
const SYS_ENTER_FCNTL TraceId = 823
const SYS_EXIT_IOCTL TraceId = 824
@@ -619,6 +845,22 @@ const SYS_EXIT_GETDENTS64 TraceId = 826
const SYS_ENTER_GETDENTS64 TraceId = 827
const SYS_EXIT_GETDENTS TraceId = 828
const SYS_ENTER_GETDENTS TraceId = 829
+const SYS_EXIT_LREMOVEXATTR TraceId = 862
+const SYS_ENTER_LREMOVEXATTR TraceId = 863
+const SYS_EXIT_REMOVEXATTR TraceId = 864
+const SYS_ENTER_REMOVEXATTR TraceId = 865
+const SYS_EXIT_LLISTXATTR TraceId = 868
+const SYS_ENTER_LLISTXATTR TraceId = 869
+const SYS_EXIT_LISTXATTR TraceId = 870
+const SYS_ENTER_LISTXATTR TraceId = 871
+const SYS_EXIT_LGETXATTR TraceId = 874
+const SYS_ENTER_LGETXATTR TraceId = 875
+const SYS_EXIT_GETXATTR TraceId = 876
+const SYS_ENTER_GETXATTR TraceId = 877
+const SYS_EXIT_LSETXATTR TraceId = 880
+const SYS_ENTER_LSETXATTR TraceId = 881
+const SYS_EXIT_SETXATTR TraceId = 882
+const SYS_ENTER_SETXATTR TraceId = 883
const SYS_EXIT_SYNC_FILE_RANGE TraceId = 922
const SYS_ENTER_SYNC_FILE_RANGE TraceId = 923
const SYS_EXIT_FDATASYNC TraceId = 924
@@ -627,10 +869,20 @@ const SYS_EXIT_FSYNC TraceId = 926
const SYS_ENTER_FSYNC TraceId = 927
const SYS_EXIT_FSTATFS TraceId = 944
const SYS_ENTER_FSTATFS TraceId = 945
+const SYS_EXIT_STATFS TraceId = 946
+const SYS_ENTER_STATFS TraceId = 947
+const SYS_EXIT_INOTIFY_RM_WATCH TraceId = 954
+const SYS_ENTER_INOTIFY_RM_WATCH TraceId = 955
+const SYS_EXIT_INOTIFY_ADD_WATCH TraceId = 956
+const SYS_ENTER_INOTIFY_ADD_WATCH TraceId = 957
+const SYS_EXIT_FANOTIFY_MARK TraceId = 962
+const SYS_ENTER_FANOTIFY_MARK TraceId = 963
const SYS_EXIT_FLOCK TraceId = 1020
const SYS_ENTER_FLOCK TraceId = 1021
const SYS_EXIT_QUOTACTL_FD TraceId = 1051
const SYS_ENTER_QUOTACTL_FD TraceId = 1052
+const SYS_EXIT_MQ_UNLINK TraceId = 1321
+const SYS_ENTER_MQ_UNLINK TraceId = 1322
const SYS_EXIT_IO_URING_REGISTER TraceId = 1377
const SYS_ENTER_IO_URING_REGISTER TraceId = 1378
const SYS_EXIT_IO_URING_ENTER TraceId = 1381