Diffstat (limited to 'internal')
-rw-r--r--internal/c/generated_tracepoints.c40
-rw-r--r--internal/c/generated_tracepoints_result.txt8
-rw-r--r--internal/generate/bpfhandler.go8
-rw-r--r--internal/generate/classify.go8
-rw-r--r--internal/generate/classify_test.go24
-rw-r--r--internal/generate/codegen_test.go36
-rw-r--r--internal/tracepoints/dimension_selector_test.go3
-rw-r--r--internal/tracepoints/generated_tracepoints.go8
8 files changed, 115 insertions, 20 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 4385d16..8e66d2a 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -11935,7 +11935,7 @@ int handle_sys_exit_swapon(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_madvise is a struct null_event (kind=null)
+/// sys_enter_madvise is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_madvise")
int handle_sys_enter_madvise(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -11945,15 +11945,19 @@ int handle_sys_enter_madvise(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MADVISE))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MADVISE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12293,7 +12297,7 @@ int handle_sys_exit_mremap(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_mprotect is a struct null_event (kind=null)
+/// sys_enter_mprotect is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_mprotect")
int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12303,15 +12307,19 @@ int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_MPROTECT))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_MPROTECT;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = 0;
+ ev->flags = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12343,7 +12351,7 @@ int handle_sys_exit_mprotect(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_pkey_mprotect is a struct null_event (kind=null)
+/// sys_enter_pkey_mprotect is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_pkey_mprotect")
int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12353,15 +12361,19 @@ int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_MPROTECT))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_PKEY_MPROTECT;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = (__u64)ctx->args[1];
+ ev->length2 = (__u64)ctx->args[3];
+ ev->flags = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -12493,7 +12505,7 @@ int handle_sys_exit_pkey_free(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_brk is a struct null_event (kind=null)
+/// sys_enter_brk is a struct mem_event (kind=mem)
SEC("tracepoint/syscalls/sys_enter_brk")
int handle_sys_enter_brk(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -12503,15 +12515,19 @@ int handle_sys_enter_brk(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_BRK))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_MEM_EVENT;
ev->trace_id = SYS_ENTER_BRK;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->addr = (__u64)ctx->args[0];
+ ev->length = 0;
+ ev->length2 = 0;
+ ev->flags = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 1db0ddf..4a1f137 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -8,7 +8,7 @@ sys_enter_alarm is a struct null_event (kind=null)
sys_enter_arch_prctl is a struct null_event (kind=null)
sys_enter_bind is a struct fd_event (kind=fd)
sys_enter_bpf is a struct null_event (kind=bpf)
-sys_enter_brk is a struct null_event (kind=null)
+sys_enter_brk is a struct mem_event (kind=mem)
sys_enter_cachestat is a struct fd_event (kind=fd)
sys_enter_capget is a struct null_event (kind=null)
sys_enter_capset is a struct null_event (kind=null)
@@ -153,7 +153,7 @@ sys_enter_lsetxattr is a struct path_event (kind=pathname)
sys_enter_lsm_get_self_attr is a struct null_event (kind=null)
sys_enter_lsm_list_modules is a struct null_event (kind=null)
sys_enter_lsm_set_self_attr is a struct null_event (kind=null)
-sys_enter_madvise is a struct null_event (kind=null)
+sys_enter_madvise is a struct mem_event (kind=mem)
sys_enter_map_shadow_stack is a struct mem_event (kind=mem)
sys_enter_mbind is a struct null_event (kind=null)
sys_enter_membarrier is a struct null_event (kind=null)
@@ -174,7 +174,7 @@ sys_enter_mount is a struct path_event (kind=pathname)
sys_enter_mount_setattr is a struct path_event (kind=pathname)
sys_enter_move_mount is a struct two_fd_event (kind=two-fd)
sys_enter_move_pages is a struct null_event (kind=null)
-sys_enter_mprotect is a struct null_event (kind=null)
+sys_enter_mprotect is a struct mem_event (kind=mem)
sys_enter_mq_getsetattr is a struct fd_event (kind=fd)
sys_enter_mq_notify is a struct fd_event (kind=fd)
sys_enter_mq_open is a struct open_event (kind=mq-open)
@@ -215,7 +215,7 @@ sys_enter_pipe2 is a struct pipe_event (kind=pipe)
sys_enter_pivot_root is a struct path_event (kind=pathname)
sys_enter_pkey_alloc is a struct null_event (kind=null)
sys_enter_pkey_free is a struct null_event (kind=null)
-sys_enter_pkey_mprotect is a struct null_event (kind=null)
+sys_enter_pkey_mprotect is a struct mem_event (kind=mem)
sys_enter_poll is a struct poll_event (kind=poll)
sys_enter_ppoll is a struct poll_event (kind=poll)
sys_enter_prctl is a struct null_event (kind=null)
diff --git a/internal/generate/bpfhandler.go b/internal/generate/bpfhandler.go
index 7dba8d7..cd2321b 100644
--- a/internal/generate/bpfhandler.go
+++ b/internal/generate/bpfhandler.go
@@ -328,6 +328,14 @@ func generateExtraPoll(name string) string {
func generateExtraMem(name string) string {
switch name {
+ case "sys_enter_mprotect":
+ return " ev->addr = (__u64)ctx->args[0];\n ev->length = (__u64)ctx->args[1];\n ev->length2 = 0;\n ev->flags = (__u64)ctx->args[2];\n"
+ case "sys_enter_madvise":
+ return " ev->addr = (__u64)ctx->args[0];\n ev->length = (__u64)ctx->args[1];\n ev->length2 = 0;\n ev->flags = (__u64)ctx->args[2];\n"
+ case "sys_enter_pkey_mprotect":
+ return " ev->addr = (__u64)ctx->args[0];\n ev->length = (__u64)ctx->args[1];\n ev->length2 = (__u64)ctx->args[3];\n ev->flags = (__u64)ctx->args[2];\n"
+ case "sys_enter_brk":
+ return " ev->addr = (__u64)ctx->args[0];\n ev->length = 0;\n ev->length2 = 0;\n ev->flags = 0;\n"
case "sys_enter_munmap":
return " ev->addr = (__u64)ctx->args[0];\n ev->length = (__u64)ctx->args[1];\n ev->length2 = 0;\n ev->flags = 0;\n"
case "sys_enter_mremap":
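Review bot: In the `sys_enter_pkey_mprotect` arm the protection key (`args[3]`) is stored in `ev->length2`, and in the `sys_enter_madvise` arm the advice value (`args[2]`) is stored in `ev->flags`, so a consumer that reads those fields by name will misinterpret them. For mprotect and pkey_mprotect, `flags` carries the requested protection bits, which is the value a detection rule for writable-to-executable changes would key on, so the mapping deserves to be written down. I would add a comment above the new cases such as `// mem_event field reuse: mprotect/pkey_mprotect flags=prot, pkey_mprotect length2=pkey, madvise flags=advice, brk addr=requested break`. The mprotect and madvise arms also return the same string and could share one arm, `case "sys_enter_mprotect", "sys_enter_madvise":`. generateExtraMem continues past the end of this hunk.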
diff --git a/internal/generate/classify.go b/internal/generate/classify.go
index ff1bf72..191b41e 100644
--- a/internal/generate/classify.go
+++ b/internal/generate/classify.go
@@ -300,6 +300,14 @@ func classifyNameOnly(name string) (ClassificationResult, bool) {
return ClassificationResult{Kind: KindPoll}, true
case "sys_enter_pselect6":
return ClassificationResult{Kind: KindPoll}, true
+ case "sys_enter_mprotect":
+ return ClassificationResult{Kind: KindMem}, true
+ case "sys_enter_madvise":
+ return ClassificationResult{Kind: KindMem}, true
+ case "sys_enter_pkey_mprotect":
+ return ClassificationResult{Kind: KindMem}, true
+ case "sys_enter_brk":
+ return ClassificationResult{Kind: KindMem}, true
case "sys_enter_munmap":
return ClassificationResult{Kind: KindMem}, true
case "sys_enter_mremap":
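Review bot: The four names added to `classifyNameOnly` here must also appear in `generateExtraMem` in bpfhandler.go, and nothing visible ties the two switch statements together. If a name is classified as `KindMem` but has no matching arm there, the generated handler would presumably submit a `struct mem_event` whose `addr`, `length`, `length2` and `flags` were never written. Because `bpf_ringbuf_reserve` does not zero the record, stale ring-buffer bytes would then reach userspace. A generator test that walks every `KindMem` name and requires all four assignments in the output would catch that drift; alternatively, emit zeroing defaults in the fallback arm. The default arm of `generateExtraMem` and the rest of `classifyNameOnly` are outside the hunks shown.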
diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go
index 8e77cd4..bbf33d6 100644
--- a/internal/generate/classify_test.go
+++ b/internal/generate/classify_test.go
@@ -721,6 +721,30 @@ func TestClassifyI7NameOnlyKinds(t *testing.T) {
}
}
+func TestClassifyH7NameOnlyKinds(t *testing.T) {
+ tests := []string{
+ "sys_enter_mprotect",
+ "sys_enter_madvise",
+ "sys_enter_pkey_mprotect",
+ "sys_enter_brk",
+ }
+
+ for _, name := range tests {
+ t.Run(name, func(t *testing.T) {
+ r := ClassifyFormat(&Format{
+ Name: name,
+ ExternalFields: []Field{
+ {Type: "long", Name: "__syscall_nr"},
+ {Type: "long", Name: "arg0"},
+ },
+ })
+ if r.Kind != KindMem {
+ t.Fatalf("%s: got kind %d, want KindMem", name, r.Kind)
+ }
+ })
+ }
+}
+
func TestClassify67NameOnlyKinds(t *testing.T) {
tests := []struct {
name string
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index d61e0c9..7614ab1 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -236,6 +236,42 @@ func TestGenerateMemHandlerRemapFilePages(t *testing.T) {
requireContains(t, output, "ev->flags = (__u64)ctx->args[4];")
}
+func TestGenerateMemHandlerMprotect(t *testing.T) {
+ output := GenerateTracepointsC(mustParseAll(t, syntheticPair("mprotect")))
+
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_mprotect")`)
+ requireContains(t, output, "struct mem_event *ev")
+ requireContains(t, output, "ev->event_type = ENTER_MEM_EVENT;")
+ requireContains(t, output, "ev->addr = (__u64)ctx->args[0];")
+ requireContains(t, output, "ev->length = (__u64)ctx->args[1];")
+ requireContains(t, output, "ev->length2 = 0;")
+ requireContains(t, output, "ev->flags = (__u64)ctx->args[2];")
+}
+
+func TestGenerateMemHandlerPkeyMprotect(t *testing.T) {
+ output := GenerateTracepointsC(mustParseAll(t, syntheticPair("pkey_mprotect")))
+
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_pkey_mprotect")`)
+ requireContains(t, output, "struct mem_event *ev")
+ requireContains(t, output, "ev->event_type = ENTER_MEM_EVENT;")
+ requireContains(t, output, "ev->addr = (__u64)ctx->args[0];")
+ requireContains(t, output, "ev->length = (__u64)ctx->args[1];")
+ requireContains(t, output, "ev->length2 = (__u64)ctx->args[3];")
+ requireContains(t, output, "ev->flags = (__u64)ctx->args[2];")
+}
+
+func TestGenerateMemHandlerBrk(t *testing.T) {
+ output := GenerateTracepointsC(mustParseAll(t, syntheticPair("brk")))
+
+ requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_brk")`)
+ requireContains(t, output, "struct mem_event *ev")
+ requireContains(t, output, "ev->event_type = ENTER_MEM_EVENT;")
+ requireContains(t, output, "ev->addr = (__u64)ctx->args[0];")
+ requireContains(t, output, "ev->length = 0;")
+ requireContains(t, output, "ev->length2 = 0;")
+ requireContains(t, output, "ev->flags = 0;")
+}
+
func TestGenerateDup3Handler(t *testing.T) {
output := generateFromPair(t, FormatDup3, FormatExitDup3)
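Review bot: `sys_enter_madvise` gets a new arm in `generateExtraMem` in this commit but no generator test here; only mprotect, pkey_mprotect and brk are covered. A `TestGenerateMemHandlerMadvise` built on `syntheticPair("madvise")` with the same assertions as the mprotect test would close that gap. Since `requireContains` appears to match anywhere in the output, these tests also cannot tell whether an assignment such as `ev->length2 = 0;` landed in the enter handler rather than elsewhere in the generated text. What `syntheticPair` produces is not visible here, so asserting on the handler's own slice of the output would be stricter.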
diff --git a/internal/tracepoints/dimension_selector_test.go b/internal/tracepoints/dimension_selector_test.go
index 81a49e5..a8b432a 100644
--- a/internal/tracepoints/dimension_selector_test.go
+++ b/internal/tracepoints/dimension_selector_test.go
@@ -88,6 +88,9 @@ func TestParseSelectorWithDimensionsMemKindIncludesMlock(t *testing.T) {
if !sel.ShouldAttach("sys_enter_mlock") {
t.Fatal("expected mlock to be attached for mem kind")
}
+ if !sel.ShouldAttach("sys_enter_mprotect") {
+ t.Fatal("expected mprotect to be attached for mem kind")
+ }
if sel.ShouldAttach("sys_enter_nanosleep") {
t.Fatal("expected nanosleep to be excluded when only mem kind is enabled")
}
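Review bot: Only `sys_enter_mprotect` is asserted in the added lines, although the commit moves madvise, pkey_mprotect and brk to the mem kind as well. Adding the same check for the other three, e.g. `if !sel.ShouldAttach("sys_enter_pkey_mprotect") { t.Fatal("expected pkey_mprotect to be attached for mem kind") }`, keeps the selector test in step with `syscallKinds`. The test function starts before this hunk, so how `sel` is built is not visible.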
diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go
index 146b068..5b98b95 100644
--- a/internal/tracepoints/generated_tracepoints.go
+++ b/internal/tracepoints/generated_tracepoints.go
@@ -1119,7 +1119,7 @@ var syscallKinds = map[string]string{
"arch_prctl": "null",
"bind": "fd",
"bpf": "bpf",
- "brk": "null",
+ "brk": "mem",
"cachestat": "fd",
"capget": "null",
"capset": "null",
@@ -1264,7 +1264,7 @@ var syscallKinds = map[string]string{
"lsm_get_self_attr": "null",
"lsm_list_modules": "null",
"lsm_set_self_attr": "null",
- "madvise": "null",
+ "madvise": "mem",
"map_shadow_stack": "mem",
"mbind": "null",
"membarrier": "null",
@@ -1285,7 +1285,7 @@ var syscallKinds = map[string]string{
"mount_setattr": "pathname",
"move_mount": "two-fd",
"move_pages": "null",
- "mprotect": "null",
+ "mprotect": "mem",
"mq_getsetattr": "fd",
"mq_notify": "fd",
"mq_open": "mq-open",
@@ -1326,7 +1326,7 @@ var syscallKinds = map[string]string{
"pivot_root": "pathname",
"pkey_alloc": "null",
"pkey_free": "null",
- "pkey_mprotect": "null",
+ "pkey_mprotect": "mem",
"poll": "poll",
"ppoll": "poll",
"prctl": "null",