Diffstat (limited to 'internal')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 28 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 8 | ||||
| -rw-r--r-- | internal/generate/classify.go | 21 | ||||
| -rw-r--r-- | internal/generate/classify_test.go | 4 | ||||
| -rw-r--r-- | internal/tracepoints/generated_tracepoints.go | 8 |
5 files changed, 47 insertions, 22 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 4ec7b86..f2f3d46 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -4169,7 +4169,7 @@ int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_timerfd_settime is a struct null_event (kind=null) +/// sys_enter_timerfd_settime is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_timerfd_settime") int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -4179,15 +4179,16 @@ int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_SETTIME)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_TIMERFD_SETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -4219,7 +4220,7 @@ int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_timerfd_gettime is a struct null_event (kind=null) +/// sys_enter_timerfd_gettime is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_timerfd_gettime") int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -4229,15 +4230,16 @@ int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_GETTIME)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_TIMERFD_GETTIME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -6039,7 +6041,7 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_splice is a struct null_event (kind=null) +/// sys_enter_splice is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_splice") int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -6049,15 +6051,16 @@ int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_SPLICE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_SPLICE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -6089,7 +6092,7 @@ int handle_sys_exit_splice(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_tee is a struct null_event (kind=null) +/// sys_enter_tee is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_tee") int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -6099,15 +6102,16 @@ int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_TEE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_TEE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 3804441..3ec20dd 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -318,7 +318,7 @@ sys_enter_signalfd is a struct eventfd_event (kind=eventfd) sys_enter_signalfd4 is a struct eventfd_event (kind=eventfd) sys_enter_socket is a struct socket_event (kind=socket) sys_enter_socketpair is a struct socketpair_event (kind=socketpair) -sys_enter_splice is a struct null_event (kind=null) +sys_enter_splice is a struct fd_event (kind=fd) sys_enter_statfs is a struct path_event (kind=pathname) sys_enter_statmount is a struct null_event (kind=null) sys_enter_statx is a struct path_event (kind=pathname) @@ -332,7 +332,7 @@ sys_enter_syncfs is a struct fd_event (kind=fd) sys_enter_sysfs is a struct null_event (kind=null) sys_enter_sysinfo is a struct null_event (kind=null) sys_enter_syslog is a struct null_event (kind=null) -sys_enter_tee is a struct null_event (kind=null) +sys_enter_tee is a struct fd_event (kind=fd) sys_enter_tgkill is a struct null_event (kind=null) sys_enter_time is a struct null_event (kind=null) sys_enter_timer_create is a struct null_event (kind=timer-obj) 
@@ -341,8 +341,8 @@ sys_enter_timer_getoverrun is a struct null_event (kind=timer-obj) sys_enter_timer_gettime is a struct null_event (kind=timer-obj) sys_enter_timer_settime is a struct null_event (kind=timer-obj) sys_enter_timerfd_create is a struct eventfd_event (kind=eventfd) -sys_enter_timerfd_gettime is a struct null_event (kind=null) -sys_enter_timerfd_settime is a struct null_event (kind=null) +sys_enter_timerfd_gettime is a struct fd_event (kind=fd) +sys_enter_timerfd_settime is a struct fd_event (kind=fd) sys_enter_times is a struct null_event (kind=null) sys_enter_tkill is a struct null_event (kind=null) sys_enter_truncate is a struct path_event (kind=pathname) diff --git a/internal/generate/classify.go b/internal/generate/classify.go index 3ba0c00..efc9917 100644 --- a/internal/generate/classify.go +++ b/internal/generate/classify.go @@ -202,6 +202,16 @@ var nameOnlyKindsTable = map[string]TracepointKind{ "sys_exit_signalfd4": KindEventfd, "sys_enter_timerfd_create": KindEventfd, "sys_exit_timerfd_create": KindEventfd, + // timerfd_settime/timerfd_gettime operate on an EXISTING timerfd whose + // tracepoint arg0 is named "ufd" (int), not literally "fd". The generic + // field matcher (classifyByField) only maps fieldName=="fd" -> KindFd, so + // without these overrides they fall through to KindNull and capture NO + // descriptor — dropping the timerfd they act on. Classify them KindFd so + // the enter handler captures the timerfd at args[0], mirroring the + // epoll_wait(epfd) and mq_*(mqdes) precedent. timerfd_create above is the + // fd CREATOR (KindEventfd) and is intentionally left unchanged. + "sys_enter_timerfd_settime": KindFd, + "sys_enter_timerfd_gettime": KindFd, "sys_enter_epoll_create": KindEventfd, "sys_exit_epoll_create": KindEventfd, 
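Review bot: The two `sys_enter_timerfd_*` overrides work around the matcher instead of fixing it: going by the added comment, classifyByField maps only a field literally named "fd", so any tracepoint whose descriptor argument has another name must be listed by hand or it silently degrades to KindNull and records no descriptor. For a tracer that coverage gap is invisible at runtime. classifyByField is not in this hunk, so this is inferred from the comment, but consider either accepting the known aliases there or having the generator report KindNull tracepoints whose first argument is an int with `fd` in its name. The comment block could also shrink to the rationale, e.g. `// arg0 is "ufd", not "fd": classifyByField would leave these KindNull, so pin KindFd (args[0] is the timerfd).` The nameOnlyKindsTable literal starts and ends outside the hunk.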
@@ -257,6 +267,17 @@ var nameOnlyKindsTable = map[string]TracepointKind{ // the single-fd KindFd convention used for copy_file_range and the // read/write/sendto/recvfrom families. "sys_enter_sendfile64": KindFd, + // splice(fd_in, off_in, fd_out, off_out, len, flags) and + // tee(fdin, fdout, len, flags) are in-kernel transfers between two + // EXISTING file descriptors (TransferClassified, see retClassifications), + // exactly like copy_file_range/sendfile64. Their arg0 is the source fd + // named "fd_in"/"fdin" — not literally "fd" — so the generic field matcher + // (classifyByField) leaves them at KindNull, capturing NO descriptor and + // dropping the fds they operate on. Classify them KindFd to capture the + // source fd at args[0], matching the single-fd KindFd convention already + // used for copy_file_range and sendfile64. + "sys_enter_splice": KindFd, + "sys_enter_tee": KindFd, "sys_enter_statmount": KindNull, "sys_enter_listmount": KindNull, "sys_enter_listns": KindNull, diff --git a/internal/generate/classify_test.go b/internal/generate/classify_test.go index 4993293..7d68e40 100644 --- a/internal/generate/classify_test.go +++ b/internal/generate/classify_test.go @@ -304,8 +304,8 @@ func TestClassifyPhaseAByteSyscallPairsAccepted(t *testing.T) { {"sendto", "struct fd_event", "WRITE_CLASSIFIED"}, {"sendmsg", "struct fd_event", "WRITE_CLASSIFIED"}, {"sendfile64", "struct fd_event", "TRANSFER_CLASSIFIED"}, - {"splice", "struct null_event", "TRANSFER_CLASSIFIED"}, - {"tee", "struct null_event", "TRANSFER_CLASSIFIED"}, + {"splice", "struct fd_event", "TRANSFER_CLASSIFIED"}, + {"tee", "struct fd_event", "TRANSFER_CLASSIFIED"}, {"process_vm_readv", "struct null_event", "READ_CLASSIFIED"}, {"process_vm_writev", "struct null_event", "WRITE_CLASSIFIED"}, } diff --git a/internal/tracepoints/generated_tracepoints.go b/internal/tracepoints/generated_tracepoints.go index 58bc617..ed379d4 100644 --- a/internal/tracepoints/generated_tracepoints.go 
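Review bot: Classifying `sys_enter_splice` and `sys_enter_tee` as KindFd records only the source descriptor at args[0]; going by the signatures quoted in the added comment, the destination (`fd_out`, args[2] for splice; `fdout`, args[1] for tee) is still not captured, so a trace cannot show where the transferred data went. The comment's phrase "dropping the fds they operate on" reads as if both descriptors were now covered. I would state the limit next to the entries, e.g. `// NOTE: only the source fd (args[0]) is recorded; the destination fd is not captured.`, and track a two-descriptor event kind separately if consumers need the destination. nameOnlyKindsTable continues outside the hunk.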
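Review bot: Only the splice and tee rows change in this table, so nothing visible in this commit asserts the new KindFd classification of timerfd_settime and timerfd_gettime apart from the regenerated result file. This table covers the byte-transfer pairs, so those two do not belong in it. A small case in whichever test covers the nameOnlyKindsTable overrides would pin it, checking that `sys_enter_timerfd_settime` and `sys_enter_timerfd_gettime` resolve to `struct fd_event`. The test function starts and ends outside the hunk, and such a case may already exist elsewhere in the file.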
+++ b/internal/tracepoints/generated_tracepoints.go @@ -1426,7 +1426,7 @@ var syscallKinds = map[string]string{ "signalfd4": "eventfd", "socket": "socket", "socketpair": "socketpair", - "splice": "null", + "splice": "fd", "statfs": "pathname", "statmount": "null", "statx": "pathname", @@ -1440,7 +1440,7 @@ var syscallKinds = map[string]string{ "sysfs": "null", "sysinfo": "null", "syslog": "null", - "tee": "null", + "tee": "fd", "tgkill": "null", "time": "null", "timer_create": "timer-obj", @@ -1449,8 +1449,8 @@ var syscallKinds = map[string]string{ "timer_gettime": "timer-obj", "timer_settime": "timer-obj", "timerfd_create": "eventfd", - "timerfd_gettime": "null", - "timerfd_settime": "null", + "timerfd_gettime": "fd", + "timerfd_settime": "fd", "times": "null", "tkill": "null", "truncate": "pathname", |
