Diffstat (limited to 'maps.bpf.h')
-rw-r--r--maps.bpf.h53
1 files changed, 20 insertions, 33 deletions
diff --git a/maps.bpf.h b/maps.bpf.h
index 9d795a8..e6307ba 100644
--- a/maps.bpf.h
+++ b/maps.bpf.h
@@ -8,6 +8,7 @@ struct flags {
__u32 uid_filter;
};
+// To pass command line flags from userspace to BPF kernel space.
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__type(key, u32);
@@ -15,47 +16,33 @@ struct {
__uint(max_entries, 1 << 24);
} flags_map SEC(".maps");
-struct open_event {
- __s32 fd;
+#define OPENAT_ENTER_OP_ID 1
+#define OPENAT_EXIT_OP_ID 2
+#define CLOSE_ENTER_OP_ID 1
+#define CLOSE_EXIT_OP_ID 2
+
+struct openat_enter_event {
+ __u32 op_id;
__u32 tid;
- __u64 enter_time;
- __u64 exit_time;
+ __u64 time;
char filename[MAX_FILENAME_LENGTH];
char comm[MAX_PROGNAME_LENGTH];
};
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} open_event_map SEC(".maps");
-
-// Map to temporarily store the filename from sys_enter_openat
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(struct open_event));
- __uint(max_entries, TEMP_MAP_SIZES);
-} open_event_temp_map SEC(".maps");
-
struct fd_event {
- __s32 fd;
- __s32 op_id;
+ __u32 op_id;
__u32 tid;
- __u64 enter_time;
- __u64 exit_time;
+ __u64 time;
+ __s32 fd;
};
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} fd_event_map SEC(".maps");
+struct null_event {
+ __u32 op_id;
+ __u32 tid;
+ __u64 time;
+};
-// Map to temporarily store info from the enter tracepoinut for the exit one
struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(struct fd_event));
- __uint(max_entries, TEMP_MAP_SIZES);
-} fd_event_temp_map SEC(".maps");
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 1 << 24);
+} event_map SEC(".maps");
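Review bot: `CLOSE_ENTER_OP_ID` and `CLOSE_EXIT_OP_ID` are defined with the same values (1 and 2) as `OPENAT_ENTER_OP_ID` and `OPENAT_EXIT_OP_ID`, while the per-type perf arrays are replaced by the single `event_map` ring buffer and `op_id` becomes the leading field of all three event structs. If the userspace reader dispatches on `op_id` alone (the consumer is not visible in this hunk), it cannot tell a 16-byte `null_event` or an `fd_event` from an `openat_enter_event`, and could read `filename`/`comm` past the end of a shorter record. Give the close ids distinct values, e.g. `#define CLOSE_ENTER_OP_ID 3` and `#define CLOSE_EXIT_OP_ID 4`, and have the reader compare the record size reported by the ring buffer with the struct it selects before casting. Since the temp hash maps are gone, enter/exit pairing presumably moves to userspace keyed by `tid`, so the reader should also tolerate an exit with no matching enter when the ring buffer is full and a record is dropped.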