| Age | Commit message (Collapse) | Author |
|---|
|
Audit of mknod(2) found the tracing implementation already correct:
sys_enter_mknod captures the real pathname from args[0] (no dirfd),
while the sibling sys_enter_mknodat captures it from args[1] (after
dirfd). Both are FamilyFS path_events; both exits are ret_event
UNCLASSIFIED (int 0/-1). No code or doc changes were needed.
Add lock-in tests guarding this behavior against regressions:
- TestGenerateMknodMknodatHandlers asserts the generated BPF C reads
the path from args[0] for mknod and args[1] for mknodat.
- FormatMknodat/FormatExitMknodat testdata mirroring the real
tracepoint layout (dfd pushes filename to args[1]).
- mknodat rows added to the classify kind (KindPathname) and family
(FamilyFS) test tables, matching the existing mknod coverage.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of dup2(2) found the tracing implementation already correct and
consistent with its dup/dup3 siblings: dup2 is KindFd (a plain fd_event),
the enter handler captures ev->fd from args[0] (oldfd) per the KindFd
convention, it is in the FS family, and its exit returns the new fd
(newfd/-1) as a plain UNCLASSIFIED ret_event (never a byte-count
transfer). Unlike dup3 it carries no flags and clears O_CLOEXEC on the
duplicate, which the eventloop registerDup path already honors.
No discrepancies were found, so add a lock-in test (matching prior
audits) that asserts the generated BPF C for dup2 captures fd from
args[0] (not args[1]/newfd), emits an fd_event (not a dup3_event), wires
no flags, and classifies the exit UNCLASSIFIED. Adds FormatExitDup2
testdata to drive the exit handler assertions.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of access(2) found the tracing implementation already correct:
FS family, KindPathname capturing the real path, and an UNCLASSIFIED
int 0/-1 ret_event on exit. access(2) captures its path from args[0]
(no dirfd), while siblings faccessat(2)/faccessat2(2) capture from
args[1] (dfd precedes the path). mage generate produces no diff and the
docs/integration coverage already match.
Add unit lock-in tests mirroring prior syscall audits:
- FormatAccess/FormatFaccessat tracepoint fixtures (real kernel formats).
- classify tests asserting both classify as KindPathname/"filename".
- family_test cluster asserting access/faccessat/faccessat2 stay FamilyFS.
- codegen test proving access reads ctx->args[0] while faccessat reads
ctx->args[1], guarding against a wrong-arg or dropped-path regression.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of bare sync(2) per man 2 sync: void sync(void) takes no args and
returns no value. Confirmed it is correctly classified KindNull in
FamilyFS, its ret is UNCLASSIFIED, and — unlike noreturn exit/exit_group —
its exit handler IS emitted because sync does return (void != noreturn).
Docs and generated maps already match; no code or doc changes needed.
Add lock-in tests:
- TestGenerateSyncHandler: enter null_event with no arg capture (sync has
no args at all), live exit handler emitted, ret recorded UNCLASSIFIED.
- TestClassifyRetSyncUnclassified: meaningless void ret stays UNCLASSIFIED.
- TestSyncIsNotNoreturn: guards sync from the noreturn suppression list.
- Add sync (FamilyFS) to the family/exit-handler table test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of wait4(2): pid_t wait4(pid_t pid, int *wstatus, int options,
struct rusage *rusage) waits for a child process to change state and
optionally retrieves its resource usage. None of the arguments is an fd
or a filesystem path: args[0] (pid) is a process/group selector -- a pid,
NOT a file descriptor; args[1] (wstatus) and args[3] (rusage) are
userspace output pointers; args[2] (options) is an int flag set. The
return value is a pid_t (child pid, 0 for WNOHANG, or -1) -- never a byte
count. The existing classification (KindProc -> null_event, FamilyProcess,
ret UNCLASSIFIED) and the generated null_event enter handler (captures no
args) are correct, matching siblings waitid/clone/fork/vfork, and
docs/syscall-tracing-plan.md plus the drift tests are in sync.
Add a dedicated lock-in test, modeled on the clone3 audit, that asserts
the wait* siblings classify as KindProc, the family is Process, the
generated enter handler emits a null_event capturing none of the args
(so the pid at args[0] is never misclassified as an fd), and the
pid/0/-1 return stays UNCLASSIFIED rather than a byte-count transfer.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of remap_file_pages(2): int remap_file_pages(void *addr,
size_t size, int prot, size_t pgoff, int flags). The implementation
was already correct (KindMem, FamilyMemory, addr=args[0],
length=args[1], length2=pgoff=args[3], flags=args[4]), but the
lock-in test was thinner than its madvise/mincore/munlock siblings.
Strengthen TestGenerateMemHandlerRemapFilePages to:
- negative-assert flags is never read from args[2] (prot, always 0)
or args[0] (addr), guarding the prot/flags index hazard
- verify the exit handler captures the int 0/-1 status generically as
UNCLASSIFIED, like every other KindMem exit
- document the wiring and the prot-vs-flags pitfall in the comment
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of munlock(2): int munlock(const void addr[.size], size_t size).
Verified the existing implementation is correct and consistent with its
mlock/mlock2 siblings:
- KindMem (classify.go) with addr=args[0], length=args[1]
- length2=0 and flags=0 (munlock has no flags, unlike mlock2's
MLOCK_ONFAULT at args[2]; distinct from munlockall which is KindNull)
- FamilyMemory (family.go)
- exit UNCLASSIFIED (returns int 0/-1, not a byte count)
- docs/syscall-tracing-plan.md already lists munlock under Memory + mem
No code or doc changes were needed; mage generate produces no diff.
Added a dedicated TestGenerateMemHandlerMunlock lock-in test mirroring
the madvise/mincore guards, asserting the correct arg mapping and the
absence of any flags/length2 wiring so a future copy of the mlock2
handler cannot silently surface a nonexistent args[2] as flags.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the ppoll syscall confirmed the tracing implementation is
correct: ppoll(struct pollfd *fds, nfds_t nfds,
const struct timespec *tmo_p, const sigset_t *sigmask) is classified as
KindPoll (poll_event, sibling of poll/select/pselect6) in FamilyPolling,
with an UNCLASSIFIED ret_event exit. The enter handler captures nfds from
args[1] and the timeout from the args[2] timespec, and correctly never
reads args[0] (a pointer to an ARRAY of pollfd structs) as a file
descriptor.
Add a dedicated codegen lock-in test mirroring the poll/pselect6 tests,
including negative assertions that args[0] is not captured as an fd and
that no byte-transfer field is emitted (the return value is a ready-count
>=0 or -1, not a byte count). Introduce a requireNotContains helper for
these negative checks.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of rt_tgsigqueueinfo(2): int rt_tgsigqueueinfo(pid_t tgid, pid_t
tid, int sig, siginfo_t *info) queues a signal plus data to a thread in
a thread group. Args are pids (tgid/tid), a signal number, and a
userspace siginfo_t pointer -- no fds or filesystem paths. The existing
classification (KindNull, FamilySignals, ret UNCLASSIFIED) and the
generated null_event enter handler (captures no args) are correct, and
docs/syscall-tracing-plan.md plus the drift tests are in sync.
Add dedicated lock-in tests, modeled on the rt_sigpending audit, that
assert the generated handler emits a null_event capturing none of the
args (so tgid/tid are never misclassified as fds) and that the int
0/-1 return stays UNCLASSIFIED rather than a byte-count transfer.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of clone3(2): long clone3(struct clone_args *cl_args, size_t size).
Neither arg is an fd or filesystem path (cl_args is a userspace control
block, size is its byte length), and the return value is a pid_t (child
PID in the parent, 0 in the child, -1 on error) — not a byte count.
clone3 was already correctly classified as KindProc in FamilyProcess with
an UNCLASSIFIED exit, identical to its clone/fork/vfork siblings; the
generated BPF handlers emit a null_event on enter (no arg capture) and a
ret_event tagged UNCLASSIFIED on exit. No code, classification, or doc
changes were needed.
Add TestGenerateClone3Handler to pin this down against future drift:
the name-only table maps all four siblings to KindProc even when fed the
real (struct clone_args *, size_t) args, the family is Process, the ret
is UNCLASSIFIED, the enter handler captures no ctx->args[], and the exit
handler reports ret_type=UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sigaltstack(2) confirmed the existing tracing is correct:
both args are userspace stack_t pointers (new + old alternate signal
stack), neither an fd nor a path, and it returns 0/-1. It is already
classified KindNull in FamilySignals across classify.go, family.go,
docs/syscall-tracing-plan.md, and the generated C/Go artifacts, matching
the rt_sig*/kill/pause sibling group. No discrepancies were found.
Add lock-in tests mirroring the prior rt_sigpending audit:
- TestGenerateSigaltstackHandler asserts the enter handler emits a
null_event capturing no args and the exit handler reports ctx->ret
as UNCLASSIFIED.
- TestClassifyRetSigaltstackUnclassified asserts the 0/-1 status is
never tagged as a byte count.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of init_module (man 2 init_module) confirmed the implementation is
correct: init_module(void *module_image, unsigned long len, const char
*param_values) is classified KindModule (null_event), capturing neither
an fd nor a path — param_values is a module-parameter string, not a
filesystem path. finit_module(int fd, ...) is classified KindFd via
field-based matching and captures fd = args[0]. Both syscalls live in the
Security family and match docs/syscall-tracing-plan.md.
No explicit finit_module test or init_module-vs-finit_module distinction
test existed, so add lock-in coverage:
- testdata.go: real-layout Format constants for (f)init_module enter/exit.
- classify_test.go: assert init_module=KindModule with no PathnameField
and finit_module=KindFd.
- codegen_test.go: assert generated BPF C for init_module captures no fd
and no filename/path, while finit_module captures fd = args[0].
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sysinfo(2): int sysinfo(struct sysinfo *info) returns overall
system statistics into a single userspace output pointer (not an fd or
path) and returns 0/-1. The existing classification was already correct
(KindNull, FamilyMisc, UNCLASSIFIED return) and docs/generated artifacts
are consistent; no behavior change was needed.
Add dedicated lock-in regression tests mirroring the rt_sigpending audit:
- TestGenerateSysinfoHandler: enter emits a null_event and captures no
args; exit emits a ret_event with ctx->ret tagged UNCLASSIFIED.
- TestClassifyRetSysinfoUnclassified: the 0/-1 status is never a byte
count.
- family_test.go: assert sysinfo/newuname/sysfs stay in FamilyMisc, with
a note that ustat is FamilyFS (matched by the 'stat' name marker) and
is intentionally not grouped here.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of rt_sigpending(2) confirmed the existing classification is correct
and added lock-in coverage:
- KindNull: int rt_sigpending(sigset_t *set, size_t sigsetsize). args[0] is
a userspace output pointer to a sigset_t (a signal mask, not a traced I/O
resource) and args[1] is the byte size; neither is an fd or path. The enter
handler emits a null_event and must not capture either arg. Added
TestGenerateRtSigpendingHandler with a negative assertion guarding against
any ctx->args[] capture in the enter handler.
- Exit ret_type=UNCLASSIFIED: rt_sigpending returns 0/-1, a status code, not
a byte count, so it must never be tagged READ/WRITE/TRANSFER. Added an exit
handler assertion plus TestClassifyRetRtSigpendingUnclassified.
- FamilySignals: shares the family with the whole rt_sig* group plus
kill/pause/sigaltstack/tkill/tgkill. Added lock-in family cases asserting
every rt_sig* sibling alongside rt_sigpending in TestClassifySyscallFamily.
No classification/codegen/doc changes were required; mage generate produces
no diff. Full ./internal/... passes (only the known pre-existing flake
TestCleanupLeakedWorkloadTempDirCaughtByAssertion fails, unrelated).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of process_madvise(2) confirmed the existing classification is correct
and added lock-in coverage:
- KindFd with fd=args[0]: the first arg is a pidfd (a PID file descriptor
selecting the target process), not an address, so it must NOT be treated
like madvise(2) (KindMem, addr=args[0]). Extended the enter-handler test
with a negative assertion guarding against the KindMem addr wiring.
- Exit ret_type=UNCLASSIFIED: process_madvise returns the number of bytes
advised, but that is advisory accounting, not real I/O data movement, so it
stays UNCLASSIFIED like madvise(2). Added an exit-handler assertion plus
TestClassifyRetProcessMadviseUnclassified.
- FamilyMemory: shares the family with madvise/process_mrelease/process_vm_*
siblings rather than FamilyIPC (pidfd_* lifecycle). Added family lock-in
cases in family_test.go.
No classification/codegen changes were required; mage generate produces no
diff. Full ./internal/... passes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of sched_get_priority_min(2): the syscall takes a single int policy
scheduling-policy enum (not an fd or path) and returns the minimum static
priority for that policy, or -1 on error. ior classifies it as KindNull in
FamilySched, consistent with every sibling sched_* syscall and the man page.
Add TestGenerateSchedGetPriorityMinHandler (covering the identical sibling
sched_get_priority_max too) to lock in that the enter handler emits a
null_event without capturing the int policy arg, that the family is
FamilySched, and that a live exit handler emitting EXIT_RET_EVENT is
generated since this syscall returns (unlike the noreturn exit syscalls).
No classification change was required, so generated artifacts are unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of mincore(2) confirmed the existing tracing is correct: KindMem +
FamilyMemory, with addr=args[0], length=args[1], and both flags and length2
held at zero. args[2] is the userspace 'vec' output pointer, not a flags
value, so it is correctly NOT wired into ev->flags.
Add TestGenerateMemHandlerMincore to lock in this wiring and explicitly guard
against the historical mistake of mapping args[2] onto ev->flags the way
flags-bearing siblings (madvise/mlock2/mseal) do.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of madvise(2) (int madvise(void *addr, size_t length, int advice))
confirmed the existing classification and BPF wiring are correct: KindMem /
FamilyMemory, addr=args[0], length=args[1], advice (flags-like) at args[2],
length2=0, and the int return captured generically as UNCLASSIFIED. This is
correctly distinct from process_madvise(2) (KindFd, pidfd at args[0]).
Unlike its KindMem siblings (mprotect, mlock2, brk, map_shadow_stack), madvise
lacked a dedicated handler-field lock-in test. Add TestGenerateMemHandlerMadvise
with positive field assertions plus negative guards: advice must come from
args[2] (not args[0]/addr), length2 must stay zero (no second region), and the
exit must return ctx->ret as UNCLASSIFIED.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audit of the x86 CET map_shadow_stack syscall (Linux 6.6+,
void *map_shadow_stack(unsigned long addr, unsigned long size,
unsigned int flags)) confirmed the existing tracing is correct:
KindMem / FamilyMemory classification, memFieldSpec wires
addr=args[0], length=args[1] (size), flags=args[2], length2=0, and
the return (mapped address or -errno) is captured generically as
ev->ret like every other KindMem exit. Docs and classify tests
already match.
The only gap was the lack of a codegen lock-in test for the BPF
handler field wiring, which mlock2/remap_file_pages/mprotect/brk all
have. Add TestGenerateMemHandlerMapShadowStack to guard against
future drift.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
exit and exit_group never return to userspace, so their sys_exit
tracepoints can never fire. The generator previously emitted matching
EXIT_RET_EVENT handlers anyway, producing dead code in the generated BPF
program. classifySyscall now skips exit-handler emission for noreturn
syscalls via isNoreturnSyscall, and the regenerated artifacts drop the
sys_exit_exit / sys_exit_exit_group handlers (enter handlers are kept).
Tests updated to match the new reality:
- TestGenerateExitNoreturnHandlers asserts no exit handler is emitted.
- TestClassifySyscallPairEmitsAllFamilies exempts noreturn syscalls from
the exit-handler-required assertion while staying strict for all others.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
exit(2) and exit_group(2) take a single int status arg and never return.
ior classifies both as KindNull (FamilyProcess): the enter handler emits a
null_event without capturing the status arg, and the kernel-exposed
sys_exit_{exit,exit_group} EXIT_RET_EVENT handlers are emitted but never
fire at runtime. Audit confirmed the implementation already matches the
man page; this adds a lock-in test documenting the noreturn behavior.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
Audited epoll_create/epoll_create1 against man 2 epoll_create.
Implementation already correct: both classify as KindEventfd (fd-creating),
epoll_create(size) hardcodes flags=0 (no flags arg), epoll_create1(flags)
reads ctx->args[0], and exit captures the returned fd via ev->ret.
Add FormatEpollCreate1/FormatExitEpollCreate1 fixtures and
TestGenerateEpollCreate1HandlerUsesArg0Flags as the positive counterpart to
the existing TestGenerateEpollCreateHandlerUsesZeroFlags negative test,
asserting the enter handler captures args[0] as flags rather than 0.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
epoll_create(size) was recording size (args[0]) as flags — hardcode to
0 since the syscall has no flags argument. pidfd_open(pid, flags) was
recording pid (args[0]) as flags — use args[1] instead.
Add test fixtures and codegen tests that verify the correct argument
indexes and reject the old wrong ones. Regenerate generated_tracepoints.c.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
Generated exit handlers now pass the explicit enter trace ID
(SYS_ENTER_X) to ior_on_syscall_exit instead of relying on the
implicit enter_id == exit_id + 1 arithmetic invariant. filter.c
compares directly against the passed enter ID.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
