From 3ebafeb4dec7c5029cc42e0f9ea38f84691b5453 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 16 Mar 2025 21:56:01 +0200 Subject: refactor --- Makefile | 10 +- internal/c/Makefile | 13 + internal/c/generate_tracepoints.raku | 221 ++ internal/c/generated/Makefile | 14 - internal/c/generated/tracepoints.c | 3627 --------------------------------- internal/c/generated/tracepoints.raku | 221 -- internal/c/generated_tracepoints.c | 3627 +++++++++++++++++++++++++++++++++ internal/c/ior.bpf.c | 2 +- internal/generated/Makefile | 6 +- internal/generated/types/types.go | 1 - 10 files changed, 3870 insertions(+), 3872 deletions(-) create mode 100644 internal/c/generate_tracepoints.raku delete mode 100644 internal/c/generated/Makefile delete mode 100644 internal/c/generated/tracepoints.c delete mode 100644 internal/c/generated/tracepoints.raku create mode 100644 internal/c/generated_tracepoints.c diff --git a/Makefile b/Makefile index 7a272ec..ac5f00a 100644 --- a/Makefile +++ b/Makefile @@ -13,12 +13,12 @@ bpfbuild: make -C ./internal/c redo cp -v ./internal/c/ior.bpf.o . -gen: generated -generate: generated +gen: generate +generate: generate -.PHONY: generated -generated: - make -C ./internal/c/generated +.PHONY: generate +generate: + make -C ./internal/c generate make -C ./internal/generated .PHONY: gobuild diff --git a/internal/c/Makefile b/internal/c/Makefile index 81f2e4b..c2dddb5 100644 --- a/internal/c/Makefile +++ b/internal/c/Makefile @@ -19,3 +19,16 @@ vmlinux.h: clean: find . -name \*.o -delete find . -name vmlinux.h -delete + +.PHONY: generate +generate: generate_tracepoints + +.PHONY: generate_tracepoints +generate_tracepoints: + sudo sh -c 'cat /sys/kernel/tracing/events/syscalls/sys_{enter,exit}_*/format' \ + | raku generate_tracepoints.raku > ./generated_tracepoints.c + +.PHONY: generate_tracepoints_stdout +generate_tracepoints_stdout: + sudo sh -c 'cat /sys/kernel/tracing/events/syscalls/sys_{enter,exit}_*/format' \ + | raku generate_tracepoints.raku 
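Review bot: The new alias line `generate: generate` in the top-level Makefile makes the target depend on itself, so make will report a circular dependency and drop it. The line became redundant once the real target was renamed from `generated` to `generate`. Keep `gen: generate`, delete the self-referencing line, and leave the `.PHONY: generate` rule below it as the only definition.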
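Review bot: The `generate_tracepoints` recipe in internal/c/Makefile redirects straight into `./generated_tracepoints.c`, so the file is truncated before anything has run, and a failing `sudo`/`cat` stage is not reflected in the pipeline's exit status. A denied sudo prompt or an unreadable tracefs can therefore leave an empty or partial source file that the BPF build picks up later. Writing to a temporary name and renaming on success narrows that window, e.g. `... | raku generate_tracepoints.raku > generated_tracepoints.c.tmp && mv generated_tracepoints.c.tmp generated_tracepoints.c`. The pattern `sys_{enter,exit}_*` also relies on brace expansion, which a POSIX `sh` such as dash does not perform; `sys_enter_*/format sys_exit_*/format` is the portable spelling and applies to `generate_tracepoints_stdout` as well.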
diff --git a/internal/c/generate_tracepoints.raku b/internal/c/generate_tracepoints.raku new file mode 100644 index 0000000..b942703 --- /dev/null +++ b/internal/c/generate_tracepoints.raku 
@@ -0,0 +1,221 @@ +#!/usr/bin/env raku + +use v6.d; + +# Grammar to parse /sys/kernel/tracing/events/syscalls/sys_{enter,exit}_*/format' +grammar SysTraceFormat { + rule TOP { * } + rule whole-format-section { } + rule name { 'name:' } + rule id { 'ID:' } + rule format { 'format:' * } + + rule field { 'field:' } + rule field-elements { } + rule field-declaration { + ';' } + + token field-type { <-[ \t]> } + token field-offset { 'offset:' ';' } + token field-size { 'size:' ';' } + token field-signed { 'signed:' ';' } + + token identifier { <[a..zA..Z0..9_]>+ } + token number { \d+ } + token cbool { '0' | '1' } + token print-fmt { 'print fmt' <-[\n]>+ "\n" } +} + +class Field { + has Str $.type is rw; + has Str $.name is rw; + has Int $.offset is rw; + has Int $.size is rw; + has Bool $.signed is rw; +} + +role TracepointTemplate { + method template(%vals --> Str) { + my Bool \is-enter = %vals.split('_')[1] eq 'enter'; + my Str \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' !! 'trace_event_raw_sys_exit'; + my Str @parts; + + @parts.push: qq:to/BPF_C_CODE/; + SEC("tracepoint/syscalls/{%vals}") + int handle_{%vals.lc}(struct {ctx-struct} *ctx) \{ + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct {%vals} *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct {%vals}), 0); + if (!ev) + return 0; + + ev->event_type = {(is-enter ?? 'ENTER_' !! 
'EXIT_') ~ %vals.uc}; + ev->trace_id = {%vals.uc}; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + BPF_C_CODE + + @parts.push: %vals if %vals:exists; + + @parts.push: qq:to/BPF_C_CODE/; + + bpf_ringbuf_submit(ev, 0); + return 0; + \} + BPF_C_CODE + + [~] @parts; + } +} + +class FdTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals --> Str) { + my Str $extra = qq:to/BPF_C_CODE/; + ev->fd = (__s32)ctx->args[0]; + BPF_C_CODE + self.template: %vals.append( ( event-struct => 'fd_event', :$extra ).hash ); + } +} + +class NameTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals --> Str) { + my Int \oldname-field-number = %vals.field-number('oldname'); + my Int \newname-field-number = %vals.field-number('newname'); + my Str $extra = qq:to/BPF_C_CODE/; + __builtin_memset(\&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-field-number}]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-field-number}]); + BPF_C_CODE + self.template: %vals.append( ( event-struct => 'name_event', :$extra ).hash ); + } +} + +class OpenTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals --> Str) { + my Int \field-number = %vals.field-number('filename'); + my Str $extra = qq:to/BPF_C_CODE/; + __builtin_memset(\&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[{field-number}]); + bpf_get_current_comm(\&ev->comm, sizeof(ev->comm)); + BPF_C_CODE + self.template: %vals.append( ( event-struct => 'open_event', :$extra ).hash ); + } +} + +class PathnameTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals --> Str) { + my Int \field-number = %vals.field-number('pathname'); + my Str $extra = qq:to/BPF_C_CODE/; + __builtin_memset(\&(ev->pathname), 0, 
sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{field-number}]); + BPF_C_CODE + self.template: %vals.append( ( event-struct => 'path_event', :$extra ).hash ); + } +} + +class RetTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals --> Str) { + my Str $extra = q:to/BPF_C_CODE/; + ev->ret = ctx->ret; + BPF_C_CODE + self.template: %vals.append( ( event-struct => 'ret_event', :$extra ).hash ); + } +} + +class NullTracepoint does TracepointTemplate { + method generate-bpf-c-tracepoint(%vals --> Str) { + self.template: %vals.append( ( event-struct => 'null_event' ).hash ); + } +} + +class Format { + has Field @!internal-fields; # Fields not accessible from raw tracepoints. + has Field @!external-fields; # Fields accessible from raw tracepoints. + has Bool $!is-external = False; # Track internal/external field sections. + has Str $.name is rw; + has Int $.id is rw; + has $.format-impl; + + method push(Field \field) { + $!is-external = True if field.name eq '__syscall_nr'; + + if $!is-external { + push @!external-fields: field; + } else { + push @!internal-fields: field; + return; + } + + self.set-format-impl(field.name, field.type); + } + + multi method set-format-impl('fd', 'unsigned int') { $!format-impl = FdTracepoint.new } + multi method set-format-impl('newname', 'const char *') { $!format-impl = NameTracepoint.new } + multi method set-format-impl('filename', 'const char *') { $!format-impl = OpenTracepoint.new } + multi method set-format-impl('pathname', 'const char *') { $!format-impl = PathnameTracepoint.new } + multi method set-format-impl('ret', 'long') { $!format-impl = RetTracepoint.new } + multi method set-format-impl($, $) { } + + method generate-c-constant returns Str { "#define {$!name.uc} {$!id}" } + method generate-bpf-c-tracepoint returns Str { $!format-impl.generate-bpf-c-tracepoint: (format => self, :$!name).hash } + + method field-number(Str \field-name) { 
@!external-fields.first(*.name eq field-name, :k) - 1 } + method can-generate returns Bool { so $!format-impl.^can('generate-bpf-c-tracepoint') } + method enter-reject returns Bool { $!format-impl !~~ any(FdTracepoint, NameTracepoint, OpenTracepoint, PathnameTracepoint) } +} + +class SysTraceFormatActions { + has Hash %!formats; + has Format $!current-format = Format.new; + has Field $!current-field = Field.new; + + method TOP($/) { make %!formats } + + method whole-format-section($/) { + my ($, \enter-exit, \what) = $!current-format.name.split('_', 3); + %!formats{what}{enter-exit} = $!current-format; + $!current-format = Format.new; + } + + method name($/) { $!current-format.name = ~$/ } + method id($/) { $!current-format.id = +$/ } + + method field-declaration($/) { + $!current-field.name = ~$/; + $!current-field.type = $/.join('').trim-trailing; + $!current-format.push($!current-field); + $!current-field = Field.new; + } + + method field-offset($/) { $!current-field.offset = +$/ } + method field-size($/) { $!current-field.size = +$/ } + method field-signed($/) { $!current-field.signed = +$/ == 0 ?? False !! True } +} + +say qq:to/BPF_C_CODE/; +// Code generated - don't change manually! +BPF_C_CODE + +my Format @formats = gather for + SysTraceFormat.parse($*IN.slurp, actions => SysTraceFormatActions.new).made.values -> %syscall { + + if !all(%syscall.values.map(*.can-generate)) { + say "// Ignoring {%syscall.values.map(*.name).sort} as possibly not file I/O related"; + next; + } elsif %syscall.enter-reject { + say "// Ignoring {%syscall.values.map(*.name).sort} as enter-rejected"; + next; + } + .take for %syscall.values; +} + +@formats .= sort({ $^b.id cmp $^a.id }); + +say qq:to/BPF_C_CODE/; + +{@formats.map(*.generate-c-constant).join("\n")} + +{@formats.map(*.generate-bpf-c-tracepoint).join("\n")} +BPF_C_CODE diff --git a/internal/c/generated/Makefile b/internal/c/generated/Makefile deleted file mode 100644 index 2d93b0c..0000000 
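Review bot: The C emitted by `NameTracepoint` and `OpenTracepoint` clears two fields with one call, `sizeof(ev->oldname) + sizeof(ev->newname)` starting at `ev->oldname` (and likewise `filename` plus `comm`). That is only correct if the second field directly follows the first with no padding, in structs that are defined outside this diff. If the layout changes, the memset either runs past the intended fields or leaves bytes of the ring-buffer record unset before `bpf_ringbuf_submit` hands them to user space. One clear per field, as `PathnameTracepoint` already does with `sizeof(ev->pathname)`, removes the assumption: `__builtin_memset(ev->oldname, 0, sizeof(ev->oldname));` and the same for `newname`. Separately, `field-number` subtracts 1 from the result of `first(..., :k)` without checking for a miss, so a format lacking the requested field would presumably emit `ctx->args[-1]` instead of stopping the generator; a `die` on a missing field would be safer.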
--- a/internal/c/generated/Makefile +++ /dev/null @@ -1,14 +0,0 @@ -all: generate - -generate: tracepoints - -.PHONY: tracepoints -tracepoints: - sudo sh -c 'cat /sys/kernel/tracing/events/syscalls/sys_{enter,exit}_*/format' \ - | raku tracepoints.raku > ./tracepoints.c - -.PHONY: tracepoints_stdout -tracepoints_stdout: - sudo sh -c 'cat /sys/kernel/tracing/events/syscalls/sys_{enter,exit}_*/format' \ - | raku tracepoints.raku - diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c deleted file mode 100644 index dc62679..0000000 --- a/internal/c/generated/tracepoints.c +++ /dev/null 
@@ -1,3627 +0,0 @@ -// Code generated - don't change manually! - -// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related -// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related -// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related -// Ignoring sys_enter_sync sys_exit_sync as possibly not file I/O related -// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related -// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related -// Ignoring sys_enter_fsconfig sys_exit_fsconfig as possibly not file I/O related -// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related -// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related -// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related -// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related -// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related -// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related -// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related -// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related -// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related -// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related -// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related -// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related -// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related -// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related -// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related -// Ignoring 
sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related -// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related -// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related -// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related -// Ignoring sys_enter_io_setup sys_exit_io_setup as possibly not file I/O related -// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related -// Ignoring sys_enter_dup sys_exit_dup as possibly not file I/O related -// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related -// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related -// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related -// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related -// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related -// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related -// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related -// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related -// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related -// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related -// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related -// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related -// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related -// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related -// Ignoring sys_enter_flistxattr sys_exit_flistxattr as possibly not file I/O related -// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related -// Ignoring sys_enter_vmsplice sys_exit_vmsplice as possibly not file I/O 
related -// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related -// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related -// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related -// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related -// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related -// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related -// Ignoring sys_enter_fsetxattr sys_exit_fsetxattr as possibly not file I/O related -// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related -// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related -// Ignoring sys_enter_io_submit sys_exit_io_submit as possibly not file I/O related -// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related -// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related -// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related -// Ignoring sys_enter_mmap sys_exit_mmap as possibly not file I/O related -// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related -// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related -// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related -// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related -// Ignoring sys_enter_pwritev sys_exit_pwritev as possibly not file I/O related -// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related -// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related -// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related -// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related -// Ignoring 
sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related -// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related -// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related -// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related -// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related -// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related -// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related -// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related -// Ignoring sys_enter_readlink sys_exit_readlink as possibly not file I/O related -// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related -// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related -// Ignoring sys_enter_dup3 sys_exit_dup3 as possibly not file I/O related -// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related -// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related -// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related -// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related -// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related -// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related -// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related -// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related -// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related -// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related -// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related -// 
Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related -// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related -// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related -// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related -// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related -// Ignoring sys_enter_preadv sys_exit_preadv as possibly not file I/O related -// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related -// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related -// Ignoring sys_enter_io_destroy sys_exit_io_destroy as possibly not file I/O related -// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related -// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related -// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related -// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related -// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related -// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related -// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related -// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related -// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related -// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related -// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related -// Ignoring sys_enter_finit_module sys_exit_finit_module as possibly not file I/O related -// Ignoring sys_enter_io_uring_setup sys_exit_io_uring_setup as possibly not file I/O related -// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related -// Ignoring 
sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related -// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related -// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related -// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related -// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related -// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related -// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related -// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related -// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related -// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related -// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related -// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related -// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related -// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related -// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related -// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related -// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related -// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related -// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related -// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related -// Ignoring sys_enter_io_getevents sys_exit_io_getevents as possibly not file I/O related -// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related -// Ignoring sys_enter_preadv2 sys_exit_preadv2 as possibly not file I/O related -// Ignoring 
sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related -// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related -// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related -// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related -// Ignoring sys_enter_syslog sys_exit_syslog as possibly not file I/O related -// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related -// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related -// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related -// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related -// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related -// Ignoring sys_enter_readv sys_exit_readv as possibly not file I/O related -// Ignoring sys_enter_fremovexattr sys_exit_fremovexattr as possibly not file I/O related -// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related -// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related -// Ignoring sys_enter_dup2 sys_exit_dup2 as possibly not file I/O related -// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related -// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related -// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related -// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related -// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related -// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related -// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related -// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related -// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly 
not file I/O related -// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related -// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related -// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related -// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related -// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related -// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related -// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related -// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related -// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related -// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related -// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related -// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related -// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related -// Ignoring sys_enter_io_cancel sys_exit_io_cancel as possibly not file I/O related -// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related -// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related -// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related -// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related -// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related -// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related -// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related -// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related -// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related -// Ignoring 
sys_enter_kill sys_exit_kill as possibly not file I/O related -// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related -// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related -// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related -// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related -// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related -// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related -// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related -// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related -// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related -// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related -// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related -// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related -// Ignoring sys_enter_writev sys_exit_writev as possibly not file I/O related -// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related -// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related -// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related -// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related -// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related -// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related -// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related -// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related -// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related -// Ignoring sys_enter_fgetxattr 
sys_exit_fgetxattr as possibly not file I/O related -// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related -// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related -// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related -// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related -// Ignoring sys_enter_fspick sys_exit_fspick as possibly not file I/O related -// Ignoring sys_enter_sync_file_range sys_exit_sync_file_range as possibly not file I/O related -// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related -// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related -// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related -// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related -// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related -// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related -// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related -// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related -// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related -// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related -// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related -// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related -// Ignoring sys_enter_readahead sys_exit_readahead as possibly not file I/O related -// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related -// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related -// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related -// Ignoring sys_enter_getgroups 
sys_exit_getgroups as possibly not file I/O related -// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related -// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related -// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related -// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related -// Ignoring sys_enter_fadvise64 sys_exit_fadvise64 as possibly not file I/O related -// Ignoring sys_enter_pwritev2 sys_exit_pwritev2 as possibly not file I/O related -// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related -// Ignoring sys_enter_mount_setattr sys_exit_mount_setattr as possibly not file I/O related -// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related -// Ignoring sys_enter_syncfs sys_exit_syncfs as possibly not file I/O related -// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related -// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related -// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related -// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related -// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related -// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related -// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related -// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related -// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related -// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related -// Ignoring sys_enter_fallocate sys_exit_fallocate as possibly not file I/O related -// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related -// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not 
file I/O related -// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related -// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related -// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related -// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related -// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related -// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related -// Ignoring sys_enter_truncate sys_exit_truncate as possibly not file I/O related -// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related -// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related -// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related -// Ignoring sys_enter_io_pgetevents sys_exit_io_pgetevents as possibly not file I/O related -// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related -// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related -// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related -// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related -// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related -// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related -// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related -// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related -// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related -// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related -// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related -// Ignoring sys_enter_init_module 
sys_exit_init_module as possibly not file I/O related -// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related -// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related -// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related -// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related -// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related -// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related - -#define SYS_ENTER_IO_URING_REGISTER 1485 -#define SYS_EXIT_IO_URING_REGISTER 1484 -#define SYS_ENTER_IO_URING_ENTER 1466 -#define SYS_EXIT_IO_URING_ENTER 1465 -#define SYS_ENTER_QUOTACTL_FD 1127 -#define SYS_EXIT_QUOTACTL_FD 1126 -#define SYS_ENTER_FLOCK 1096 -#define SYS_EXIT_FLOCK 1095 -#define SYS_ENTER_FANOTIFY_MARK 1038 -#define SYS_EXIT_FANOTIFY_MARK 1037 -#define SYS_ENTER_INOTIFY_ADD_WATCH 1032 -#define SYS_EXIT_INOTIFY_ADD_WATCH 1031 -#define SYS_ENTER_STATFS 1022 -#define SYS_EXIT_STATFS 1021 -#define SYS_ENTER_FSTATFS 1020 -#define SYS_EXIT_FSTATFS 1019 -#define SYS_ENTER_UTIMENSAT 1014 -#define SYS_EXIT_UTIMENSAT 1013 -#define SYS_ENTER_FUTIMESAT 1012 -#define SYS_EXIT_FUTIMESAT 1011 -#define SYS_ENTER_FSYNC 1002 -#define SYS_EXIT_FSYNC 1001 -#define SYS_ENTER_FDATASYNC 1000 -#define SYS_EXIT_FDATASYNC 999 -#define SYS_ENTER_SETXATTR 958 -#define SYS_EXIT_SETXATTR 957 -#define SYS_ENTER_LSETXATTR 956 -#define SYS_EXIT_LSETXATTR 955 -#define SYS_ENTER_GETXATTR 952 -#define SYS_EXIT_GETXATTR 951 -#define SYS_ENTER_LGETXATTR 950 -#define SYS_EXIT_LGETXATTR 949 -#define SYS_ENTER_LISTXATTR 946 -#define SYS_EXIT_LISTXATTR 945 -#define SYS_ENTER_LLISTXATTR 944 -#define SYS_EXIT_LLISTXATTR 943 -#define SYS_ENTER_REMOVEXATTR 940 -#define SYS_EXIT_REMOVEXATTR 939 -#define SYS_ENTER_LREMOVEXATTR 938 -#define SYS_EXIT_LREMOVEXATTR 937 -#define SYS_ENTER_OPEN_TREE 932 -#define SYS_EXIT_OPEN_TREE 931 -#define 
SYS_ENTER_GETDENTS 900 -#define SYS_EXIT_GETDENTS 899 -#define SYS_ENTER_GETDENTS64 898 -#define SYS_EXIT_GETDENTS64 897 -#define SYS_ENTER_IOCTL 896 -#define SYS_EXIT_IOCTL 895 -#define SYS_ENTER_FCNTL 894 -#define SYS_EXIT_FCNTL 893 -#define SYS_ENTER_MKNODAT 892 -#define SYS_EXIT_MKNODAT 891 -#define SYS_ENTER_MKNOD 890 -#define SYS_EXIT_MKNOD 889 -#define SYS_ENTER_MKDIRAT 888 -#define SYS_EXIT_MKDIRAT 887 -#define SYS_ENTER_MKDIR 886 -#define SYS_EXIT_MKDIR 885 -#define SYS_ENTER_RMDIR 884 -#define SYS_EXIT_RMDIR 883 -#define SYS_ENTER_UNLINKAT 882 -#define SYS_EXIT_UNLINKAT 881 -#define SYS_ENTER_UNLINK 880 -#define SYS_EXIT_UNLINK 879 -#define SYS_ENTER_SYMLINKAT 878 -#define SYS_EXIT_SYMLINKAT 877 -#define SYS_ENTER_SYMLINK 876 -#define SYS_EXIT_SYMLINK 875 -#define SYS_ENTER_LINKAT 874 -#define SYS_EXIT_LINKAT 873 -#define SYS_ENTER_LINK 872 -#define SYS_EXIT_LINK 871 -#define SYS_ENTER_RENAMEAT2 870 -#define SYS_EXIT_RENAMEAT2 869 -#define SYS_ENTER_RENAMEAT 868 -#define SYS_EXIT_RENAMEAT 867 -#define SYS_ENTER_RENAME 866 -#define SYS_EXIT_RENAME 865 -#define SYS_ENTER_EXECVE 860 -#define SYS_EXIT_EXECVE 859 -#define SYS_ENTER_EXECVEAT 858 -#define SYS_EXIT_EXECVEAT 857 -#define SYS_ENTER_NEWSTAT 856 -#define SYS_EXIT_NEWSTAT 855 -#define SYS_ENTER_NEWLSTAT 854 -#define SYS_EXIT_NEWLSTAT 853 -#define SYS_ENTER_NEWFSTATAT 852 -#define SYS_EXIT_NEWFSTATAT 851 -#define SYS_ENTER_NEWFSTAT 850 -#define SYS_EXIT_NEWFSTAT 849 -#define SYS_ENTER_READLINKAT 848 -#define SYS_EXIT_READLINKAT 847 -#define SYS_ENTER_STATX 844 -#define SYS_EXIT_STATX 843 -#define SYS_ENTER_LSEEK 842 -#define SYS_EXIT_LSEEK 841 -#define SYS_ENTER_READ 840 -#define SYS_EXIT_READ 839 -#define SYS_ENTER_WRITE 838 -#define SYS_EXIT_WRITE 837 -#define SYS_ENTER_PREAD64 836 -#define SYS_EXIT_PREAD64 835 -#define SYS_ENTER_PWRITE64 834 -#define SYS_EXIT_PWRITE64 833 -#define SYS_ENTER_FTRUNCATE 814 -#define SYS_EXIT_FTRUNCATE 813 -#define SYS_ENTER_FACCESSAT 810 -#define SYS_EXIT_FACCESSAT 809 
-#define SYS_ENTER_FACCESSAT2 808 -#define SYS_EXIT_FACCESSAT2 807 -#define SYS_ENTER_ACCESS 806 -#define SYS_EXIT_ACCESS 805 -#define SYS_ENTER_CHDIR 804 -#define SYS_EXIT_CHDIR 803 -#define SYS_ENTER_FCHDIR 802 -#define SYS_EXIT_FCHDIR 801 -#define SYS_ENTER_CHROOT 800 -#define SYS_EXIT_CHROOT 799 -#define SYS_ENTER_FCHMOD 798 -#define SYS_EXIT_FCHMOD 797 -#define SYS_ENTER_FCHMODAT2 796 -#define SYS_EXIT_FCHMODAT2 795 -#define SYS_ENTER_FCHMODAT 794 -#define SYS_EXIT_FCHMODAT 793 -#define SYS_ENTER_CHMOD 792 -#define SYS_EXIT_CHMOD 791 -#define SYS_ENTER_FCHOWNAT 790 -#define SYS_EXIT_FCHOWNAT 789 -#define SYS_ENTER_CHOWN 788 -#define SYS_EXIT_CHOWN 787 -#define SYS_ENTER_LCHOWN 786 -#define SYS_EXIT_LCHOWN 785 -#define SYS_ENTER_FCHOWN 784 -#define SYS_EXIT_FCHOWN 783 -#define SYS_ENTER_OPEN 782 -#define SYS_EXIT_OPEN 781 -#define SYS_ENTER_OPENAT 780 -#define SYS_EXIT_OPENAT 779 -#define SYS_ENTER_OPENAT2 778 -#define SYS_EXIT_OPENAT2 777 -#define SYS_ENTER_CREAT 776 -#define SYS_EXIT_CREAT 775 -#define SYS_ENTER_CLOSE 774 -#define SYS_EXIT_CLOSE 773 -#define SYS_ENTER_CLOSE_RANGE 772 -#define SYS_EXIT_CLOSE_RANGE 771 -#define SYS_ENTER_CACHESTAT 592 -#define SYS_EXIT_CACHESTAT 591 - -SEC("tracepoint/syscalls/sys_enter_io_uring_register") -int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_REGISTER; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_io_uring_register") -int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_REGISTER; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_io_uring_enter") -int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_ENTER; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_io_uring_enter") -int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_ENTER; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_quotactl_fd") -int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_QUOTACTL_FD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_quotactl_fd") -int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if 
(filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_QUOTACTL_FD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_flock") -int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLOCK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_flock") -int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLOCK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fanotify_mark") -int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FANOTIFY_MARK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} 
- -SEC("tracepoint/syscalls/sys_exit_fanotify_mark") -int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FANOTIFY_MARK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") -int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") -int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_statfs") -int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - 
ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_STATFS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_statfs") -int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_STATFS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fstatfs") -int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSTATFS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fstatfs") -int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSTATFS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_utimensat") -int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - 
return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_UTIMENSAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_utimensat") -int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UTIMENSAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_futimesat") -int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_FUTIMESAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_futimesat") -int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FUTIMESAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fsync") -int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSYNC; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fsync") -int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSYNC; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fdatasync") -int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FDATASYNC; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fdatasync") -int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FDATASYNC; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_setxattr") -int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_SETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_setxattr") -int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_lsetxattr") -int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LSETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - 
bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_lsetxattr") -int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_getxattr") -int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_GETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_getxattr") -int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_lgetxattr") -int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = 
ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LGETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_lgetxattr") -int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LGETXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_listxattr") -int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LISTXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_listxattr") -int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LISTXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - 
-SEC("tracepoint/syscalls/sys_enter_llistxattr") -int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LLISTXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_llistxattr") -int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LLISTXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_removexattr") -int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_REMOVEXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_removexattr") -int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_REMOVEXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_lremovexattr") -int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LREMOVEXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_lremovexattr") -int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LREMOVEXATTR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_open_tree") -int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPEN_TREE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - 
bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_open_tree") -int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPEN_TREE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_getdents") -int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_getdents") -int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_getdents64") -int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - 
ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS64; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_getdents64") -int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS64; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_ioctl") -int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IOCTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_ioctl") -int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IOCTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fcntl") -int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; 
- - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCNTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fcntl") -int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCNTL; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_mknodat") -int handle_sys_enter_mknodat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_MKNODAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_mknodat") -int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKNODAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_mknod") -int handle_sys_enter_mknod(struct 
trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_MKNOD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_mknod") -int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKNOD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_mkdirat") -int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIRAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_mkdirat") -int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if 
(!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIRAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_mkdir") -int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_mkdir") -int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_rmdir") -int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_RMDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - 
-SEC("tracepoint/syscalls/sys_exit_rmdir") -int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RMDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_unlinkat") -int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_unlinkat") -int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_unlink") -int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINK; - ev->pid = pid; - 
ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_unlink") -int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_symlinkat") -int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_symlinkat") -int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - 
-SEC("tracepoint/syscalls/sys_enter_symlink") -int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_symlink") -int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_linkat") -int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_linkat") -int 
handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_link") -int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_link") -int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_renameat2") -int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = 
SYS_ENTER_RENAMEAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_renameat2") -int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_renameat") -int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_renameat") -int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT; - ev->pid = pid; - 
ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_rename") -int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAME; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_rename") -int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAME; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_execve") -int handle_sys_enter_execve(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_EXECVE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - 
bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_execve") -int handle_sys_exit_execve(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_EXECVE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_execveat") -int handle_sys_enter_execveat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_EXECVEAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_execveat") -int handle_sys_exit_execveat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_EXECVEAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_newstat") -int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 
0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_NEWSTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_newstat") -int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWSTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_newlstat") -int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_NEWLSTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_newlstat") -int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWLSTAT; - 
ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_newfstatat") -int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTATAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_newfstatat") -int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTATAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_newfstat") -int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_newfstat") -int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; 
- if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_readlinkat") -int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_READLINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_readlinkat") -int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READLINKAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_statx") -int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_STATX; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + 
sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_statx") -int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_STATX; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_lseek") -int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_LSEEK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_lseek") -int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSEEK; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_read") -int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = 
ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READ; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_read") -int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READ; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_write") -int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_WRITE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_write") -int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_WRITE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_pread64") -int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; 
- ev->trace_id = SYS_ENTER_PREAD64; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_pread64") -int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREAD64; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_pwrite64") -int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITE64; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_pwrite64") -int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITE64; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_ftruncate") -int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type 
= ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FTRUNCATE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_ftruncate") -int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FTRUNCATE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_faccessat") -int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_FACCESSAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_faccessat") -int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FACCESSAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_faccessat2") -int 
handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_FACCESSAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_faccessat2") -int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FACCESSAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_access") -int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_ACCESS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_access") -int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if 
(filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_ACCESS; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_chdir") -int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_CHDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_chdir") -int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fchdir") -int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; 
- - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fchdir") -int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHDIR; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_chroot") -int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_CHROOT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_chroot") -int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHROOT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fchmod") -int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if 
(!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHMOD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fchmod") -int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMOD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fchmodat2") -int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_FCHMODAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fchmodat2") -int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMODAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fchmodat") -int 
handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_FCHMODAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fchmodat") -int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMODAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_chmod") -int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_CHMOD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_chmod") -int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) 
- return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHMOD; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fchownat") -int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_FCHOWNAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fchownat") -int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWNAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_chown") -int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_CHOWN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - 
__builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_chown") -int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHOWN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_lchown") -int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_LCHOWN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_lchown") -int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LCHOWN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_fchown") -int 
handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHOWN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_fchown") -int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_open") -int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPEN; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_open") -int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPEN; - ev->pid = 
pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_openat") -int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPENAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_openat") -int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPENAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_openat2") -int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPENAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - - 
bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_openat2") -int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPENAT2; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_creat") -int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CREAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_creat") -int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CREAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_close") -int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = 
SYS_ENTER_CLOSE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_close") -int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_close_range") -int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE_RANGE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_close_range") -int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE_RANGE; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_cachestat") -int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); - if (!ev) - return 0; - - ev->event_type = 
ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CACHESTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - -SEC("tracepoint/syscalls/sys_exit_cachestat") -int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { - __u32 pid, tid; - if (filter(&pid, &tid)) - return 0; - - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); - if (!ev) - return 0; - - ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CACHESTAT; - ev->pid = pid; - ev->tid = tid; - ev->time = bpf_ktime_get_boot_ns(); - ev->ret = ctx->ret; - - bpf_ringbuf_submit(ev, 0); - return 0; -} - - diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku deleted file mode 100644 index b942703..0000000 --- a/internal/c/generated/tracepoints.raku +++ /dev/null 
@@ -1,221 +0,0 @@
-#!/usr/bin/env raku
-
-use v6.d;
-
-# Grammar to parse /sys/kernel/tracing/events/syscalls/sys_{enter,exit}_*/format'
-grammar SysTraceFormat {
- rule TOP { * }
- rule whole-format-section { }
- rule name { 'name:' }
- rule id { 'ID:' }
- rule format { 'format:' * }
-
- rule field { 'field:' }
- rule field-elements { }
- rule field-declaration { + ';' }
-
- token field-type { <-[ \t]> }
- token field-offset { 'offset:' ';' }
- token field-size { 'size:' ';' }
- token field-signed { 'signed:' ';' }
-
- token identifier { <[a..zA..Z0..9_]>+ }
- token number { \d+ }
- token cbool { '0' | '1' }
- token print-fmt { 'print fmt' <-[\n]>+ "\n" }
-}
-
-class Field {
- has Str $.type is rw;
- has Str $.name is rw;
- has Int $.offset is rw;
- has Int $.size is rw;
- has Bool $.signed is rw;
-}
-
-role TracepointTemplate {
- method template(%vals --> Str) {
- my Bool \is-enter = %vals.split('_')[1] eq 'enter';
- my Str \ctx-struct = is-enter ?? 'trace_event_raw_sys_enter' !! 'trace_event_raw_sys_exit';
- my Str @parts;
-
- @parts.push: qq:to/BPF_C_CODE/;
- SEC("tracepoint/syscalls/{%vals}")
- int handle_{%vals.lc}(struct {ctx-struct} *ctx) \{
- __u32 pid, tid;
- if (filter(&pid, &tid))
- return 0;
-
- struct {%vals} *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct {%vals}), 0);
- if (!ev)
- return 0;
-
- ev->event_type = {(is-enter ?? 'ENTER_' !! 'EXIT_') ~ %vals.uc};
- ev->trace_id = {%vals.uc};
- ev->pid = pid;
- ev->tid = tid;
- ev->time = bpf_ktime_get_boot_ns();
- BPF_C_CODE
-
- @parts.push: %vals if %vals:exists;
-
- @parts.push: qq:to/BPF_C_CODE/;
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
- \}
- BPF_C_CODE
-
- [~] @parts;
- }
-}
-
-class FdTracepoint does TracepointTemplate {
- method generate-bpf-c-tracepoint(%vals --> Str) {
- my Str $extra = qq:to/BPF_C_CODE/;
- ev->fd = (__s32)ctx->args[0];
- BPF_C_CODE
- self.template: %vals.append( ( event-struct => 'fd_event', :$extra ).hash );
- }
-}
-
-class NameTracepoint does TracepointTemplate {
- method generate-bpf-c-tracepoint(%vals --> Str) {
- my Int \oldname-field-number = %vals.field-number('oldname');
- my Int \newname-field-number = %vals.field-number('newname');
- my Str $extra = qq:to/BPF_C_CODE/;
- __builtin_memset(\&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-field-number}]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-field-number}]);
- BPF_C_CODE
- self.template: %vals.append( ( event-struct => 'name_event', :$extra ).hash );
- }
-}
-
-class OpenTracepoint does TracepointTemplate {
- method generate-bpf-c-tracepoint(%vals --> Str) {
- my Int \field-number = %vals.field-number('filename');
- my Str $extra = qq:to/BPF_C_CODE/;
- __builtin_memset(\&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[{field-number}]);
- bpf_get_current_comm(\&ev->comm, sizeof(ev->comm));
- BPF_C_CODE
- self.template: %vals.append( ( event-struct => 'open_event', :$extra ).hash );
- }
-}
-
-class PathnameTracepoint does TracepointTemplate {
- method generate-bpf-c-tracepoint(%vals --> Str) {
- my Int \field-number = %vals.field-number('pathname');
- my Str $extra = qq:to/BPF_C_CODE/;
- __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{field-number}]);
- BPF_C_CODE
- self.template: %vals.append( ( event-struct => 'path_event', :$extra ).hash );
- }
-}
-
-class RetTracepoint does TracepointTemplate {
- method generate-bpf-c-tracepoint(%vals --> Str) {
- my Str $extra = q:to/BPF_C_CODE/;
- ev->ret = ctx->ret;
- BPF_C_CODE
- self.template: %vals.append( ( event-struct => 'ret_event', :$extra ).hash );
- }
-}
-
-class NullTracepoint does TracepointTemplate {
- method generate-bpf-c-tracepoint(%vals --> Str) {
- self.template: %vals.append( ( event-struct => 'null_event' ).hash );
- }
-}
-
-class Format {
- has Field @!internal-fields; # Fields not accessible from raw tracepoints.
- has Field @!external-fields; # Fields accessible from raw tracepoints.
- has Bool $!is-external = False; # Track internal/external field sections.
- has Str $.name is rw;
- has Int $.id is rw;
- has $.format-impl;
-
- method push(Field \field) {
- $!is-external = True if field.name eq '__syscall_nr';
-
- if $!is-external {
- push @!external-fields: field;
- } else {
- push @!internal-fields: field;
- return;
- }
-
- self.set-format-impl(field.name, field.type);
- }
-
- multi method set-format-impl('fd', 'unsigned int') { $!format-impl = FdTracepoint.new }
- multi method set-format-impl('newname', 'const char *') { $!format-impl = NameTracepoint.new }
- multi method set-format-impl('filename', 'const char *') { $!format-impl = OpenTracepoint.new }
- multi method set-format-impl('pathname', 'const char *') { $!format-impl = PathnameTracepoint.new }
- multi method set-format-impl('ret', 'long') { $!format-impl = RetTracepoint.new }
- multi method set-format-impl($, $) { }
-
- method generate-c-constant returns Str { "#define {$!name.uc} {$!id}" }
- method generate-bpf-c-tracepoint returns Str { $!format-impl.generate-bpf-c-tracepoint: (format => self, :$!name).hash }
-
- method field-number(Str \field-name) { @!external-fields.first(*.name eq field-name, :k) - 1 }
- method can-generate returns Bool { so $!format-impl.^can('generate-bpf-c-tracepoint') }
- method enter-reject returns Bool { $!format-impl !~~ any(FdTracepoint, NameTracepoint, OpenTracepoint, PathnameTracepoint) }
-}
-
-class SysTraceFormatActions {
- has Hash %!formats;
- has Format $!current-format = Format.new;
- has Field $!current-field = Field.new;
-
- method TOP($/) { make %!formats }
-
- method whole-format-section($/) {
- my ($, \enter-exit, \what) = $!current-format.name.split('_', 3);
- %!formats{what}{enter-exit} = $!current-format;
- $!current-format = Format.new;
- }
-
- method name($/) { $!current-format.name = ~$/ }
- method id($/) { $!current-format.id = +$/ }
-
- method field-declaration($/) {
- $!current-field.name = ~$/;
- $!current-field.type = $/.join('').trim-trailing;
- $!current-format.push($!current-field);
- $!current-field = Field.new;
- }
-
- method field-offset($/) { $!current-field.offset = +$/ }
- method field-size($/) { $!current-field.size = +$/ }
- method field-signed($/) { $!current-field.signed = +$/ == 0 ?? False !! True }
-}
-
-say qq:to/BPF_C_CODE/;
-// Code generated - don't change manually!
-BPF_C_CODE
-
-my Format @formats = gather for
- SysTraceFormat.parse($*IN.slurp, actions => SysTraceFormatActions.new).made.values -> %syscall {
-
- if !all(%syscall.values.map(*.can-generate)) {
- say "// Ignoring {%syscall.values.map(*.name).sort} as possibly not file I/O related";
- next;
- } elsif %syscall.enter-reject {
- say "// Ignoring {%syscall.values.map(*.name).sort} as enter-rejected";
- next;
- }
- .take for %syscall.values;
-}
-
-@formats .= sort({ $^b.id cmp $^a.id });
-
-say qq:to/BPF_C_CODE/;
-
-{@formats.map(*.generate-c-constant).join("\n")}
-
-{@formats.map(*.generate-bpf-c-tracepoint).join("\n")}
-BPF_C_CODE
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
new file mode 100644
index 0000000..c626170
--- /dev/null
+++ b/internal/c/generated_tracepoints.c 
@@ -0,0 +1,3627 @@ +// Code generated - don't change manually! + +// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related +// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related +// Ignoring sys_enter_pwritev2 sys_exit_pwritev2 as possibly not file I/O related +// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related +// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related +// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related +// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related +// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related +// Ignoring sys_enter_fadvise64 sys_exit_fadvise64 as possibly not file I/O related +// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related +// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related +// Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related +// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related +// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related +// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related +// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related +// Ignoring sys_enter_dup3 sys_exit_dup3 as possibly not file I/O related +// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related +// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related +// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related +// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related +// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related +// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O 
related +// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related +// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related +// Ignoring sys_enter_io_setup sys_exit_io_setup as possibly not file I/O related +// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related +// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related +// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related +// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related +// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related +// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related +// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related +// Ignoring sys_enter_fspick sys_exit_fspick as possibly not file I/O related +// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related +// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related +// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related +// Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related +// Ignoring sys_enter_fgetxattr sys_exit_fgetxattr as possibly not file I/O related +// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related +// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related +// Ignoring sys_enter_fsetxattr sys_exit_fsetxattr as possibly not file I/O related +// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related +// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related +// Ignoring sys_enter_preadv2 sys_exit_preadv2 as possibly not file I/O related +// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related +// Ignoring 
sys_enter_io_uring_setup sys_exit_io_uring_setup as possibly not file I/O related +// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related +// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related +// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related +// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related +// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related +// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related +// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related +// Ignoring sys_enter_dup sys_exit_dup as possibly not file I/O related +// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related +// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related +// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related +// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related +// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related +// Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related +// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related +// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related +// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related +// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related +// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related +// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related +// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related +// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related +// Ignoring sys_enter_sched_yield 
sys_exit_sched_yield as possibly not file I/O related +// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related +// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related +// Ignoring sys_enter_copy_file_range sys_exit_copy_file_range as possibly not file I/O related +// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related +// Ignoring sys_enter_name_to_handle_at sys_exit_name_to_handle_at as possibly not file I/O related +// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related +// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related +// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related +// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related +// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related +// Ignoring sys_enter_io_getevents sys_exit_io_getevents as possibly not file I/O related +// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related +// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related +// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related +// Ignoring sys_enter_io_submit sys_exit_io_submit as possibly not file I/O related +// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related +// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related +// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related +// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related +// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related +// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related +// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related +// Ignoring sys_enter_futex_wake 
sys_exit_futex_wake as possibly not file I/O related +// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related +// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related +// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related +// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related +// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related +// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related +// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related +// Ignoring sys_enter_pwritev sys_exit_pwritev as possibly not file I/O related +// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related +// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related +// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related +// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related +// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related +// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related +// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related +// Ignoring sys_enter_mmap sys_exit_mmap as possibly not file I/O related +// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related +// Ignoring sys_enter_syncfs sys_exit_syncfs as possibly not file I/O related +// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related +// Ignoring sys_enter_truncate sys_exit_truncate as possibly not file I/O related +// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related +// Ignoring sys_enter_fsconfig sys_exit_fsconfig as possibly not file I/O related +// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O 
related +// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related +// Ignoring sys_enter_readlink sys_exit_readlink as possibly not file I/O related +// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related +// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related +// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related +// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related +// Ignoring sys_enter_finit_module sys_exit_finit_module as possibly not file I/O related +// Ignoring sys_enter_io_destroy sys_exit_io_destroy as possibly not file I/O related +// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related +// Ignoring sys_enter_sync_file_range sys_exit_sync_file_range as possibly not file I/O related +// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related +// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related +// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related +// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related +// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related +// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related +// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related +// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related +// Ignoring sys_enter_getcwd sys_exit_getcwd as possibly not file I/O related +// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related +// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related +// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related +// Ignoring sys_enter_getcpu sys_exit_getcpu as 
possibly not file I/O related +// Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related +// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related +// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related +// Ignoring sys_enter_mount_setattr sys_exit_mount_setattr as possibly not file I/O related +// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related +// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related +// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related +// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related +// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related +// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related +// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related +// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related +// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related +// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related +// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related +// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related +// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related +// Ignoring sys_enter_sync sys_exit_sync as possibly not file I/O related +// Ignoring sys_enter_io_cancel sys_exit_io_cancel as possibly not file I/O related +// Ignoring sys_enter_vmsplice sys_exit_vmsplice as possibly not file I/O related +// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related +// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related +// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related +// Ignoring 
sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related +// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related +// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related +// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related +// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related +// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related +// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related +// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related +// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related +// Ignoring sys_enter_syslog sys_exit_syslog as possibly not file I/O related +// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related +// Ignoring sys_enter_open_by_handle_at sys_exit_open_by_handle_at as possibly not file I/O related +// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related +// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related +// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related +// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related +// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related +// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related +// Ignoring sys_enter_fremovexattr sys_exit_fremovexattr as possibly not file I/O related +// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related +// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related +// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related +// Ignoring sys_enter_timer_create 
sys_exit_timer_create as possibly not file I/O related +// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related +// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related +// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related +// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related +// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related +// Ignoring sys_enter_preadv sys_exit_preadv as possibly not file I/O related +// Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related +// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related +// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related +// Ignoring sys_enter_readv sys_exit_readv as possibly not file I/O related +// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related +// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related +// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related +// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related +// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related +// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related +// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related +// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related +// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related +// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related +// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related +// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related +// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly 
not file I/O related +// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related +// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related +// Ignoring sys_enter_pidfd_getfd sys_exit_pidfd_getfd as possibly not file I/O related +// Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related +// Ignoring sys_enter_writev sys_exit_writev as possibly not file I/O related +// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related +// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related +// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related +// Ignoring sys_enter_io_pgetevents sys_exit_io_pgetevents as possibly not file I/O related +// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related +// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related +// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related +// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related +// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related +// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related +// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related +// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related +// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related +// Ignoring sys_enter_readahead sys_exit_readahead as possibly not file I/O related +// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related +// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related +// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related +// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related +// Ignoring sys_enter_tee 
sys_exit_tee as possibly not file I/O related +// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related +// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related +// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related +// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related +// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related +// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related +// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related +// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related +// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related +// Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related +// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related +// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related +// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related +// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related +// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related +// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related +// Ignoring sys_enter_flistxattr sys_exit_flistxattr as possibly not file I/O related +// Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related +// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related +// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related +// Ignoring sys_enter_msync sys_exit_msync as possibly not file I/O related +// Ignoring sys_enter_dup2 sys_exit_dup2 as possibly not file I/O related +// Ignoring sys_enter_sysfs sys_exit_sysfs as 
possibly not file I/O related +// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related +// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related +// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related +// Ignoring sys_enter_fallocate sys_exit_fallocate as possibly not file I/O related +// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related +// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related +// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related +// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related +// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related +// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related +// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related +// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related +// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related +// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related +// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related +// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related +// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related +// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related +// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related +// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related +// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related +// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related +// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as 
possibly not file I/O related +// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related +// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related +// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related +// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related +// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related +// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related + +#define SYS_ENTER_IO_URING_REGISTER 1485 +#define SYS_EXIT_IO_URING_REGISTER 1484 +#define SYS_ENTER_IO_URING_ENTER 1466 +#define SYS_EXIT_IO_URING_ENTER 1465 +#define SYS_ENTER_QUOTACTL_FD 1127 +#define SYS_EXIT_QUOTACTL_FD 1126 +#define SYS_ENTER_FLOCK 1096 +#define SYS_EXIT_FLOCK 1095 +#define SYS_ENTER_FANOTIFY_MARK 1038 +#define SYS_EXIT_FANOTIFY_MARK 1037 +#define SYS_ENTER_INOTIFY_ADD_WATCH 1032 +#define SYS_EXIT_INOTIFY_ADD_WATCH 1031 +#define SYS_ENTER_STATFS 1022 +#define SYS_EXIT_STATFS 1021 +#define SYS_ENTER_FSTATFS 1020 +#define SYS_EXIT_FSTATFS 1019 +#define SYS_ENTER_UTIMENSAT 1014 +#define SYS_EXIT_UTIMENSAT 1013 +#define SYS_ENTER_FUTIMESAT 1012 +#define SYS_EXIT_FUTIMESAT 1011 +#define SYS_ENTER_FSYNC 1002 +#define SYS_EXIT_FSYNC 1001 +#define SYS_ENTER_FDATASYNC 1000 +#define SYS_EXIT_FDATASYNC 999 +#define SYS_ENTER_SETXATTR 958 +#define SYS_EXIT_SETXATTR 957 +#define SYS_ENTER_LSETXATTR 956 +#define SYS_EXIT_LSETXATTR 955 +#define SYS_ENTER_GETXATTR 952 +#define SYS_EXIT_GETXATTR 951 +#define SYS_ENTER_LGETXATTR 950 +#define SYS_EXIT_LGETXATTR 949 +#define SYS_ENTER_LISTXATTR 946 +#define SYS_EXIT_LISTXATTR 945 +#define SYS_ENTER_LLISTXATTR 944 +#define SYS_EXIT_LLISTXATTR 943 +#define SYS_ENTER_REMOVEXATTR 940 +#define SYS_EXIT_REMOVEXATTR 939 +#define SYS_ENTER_LREMOVEXATTR 938 +#define SYS_EXIT_LREMOVEXATTR 937 +#define SYS_ENTER_OPEN_TREE 932 +#define SYS_EXIT_OPEN_TREE 931 +#define SYS_ENTER_GETDENTS 900 
+#define SYS_EXIT_GETDENTS 899 +#define SYS_ENTER_GETDENTS64 898 +#define SYS_EXIT_GETDENTS64 897 +#define SYS_ENTER_IOCTL 896 +#define SYS_EXIT_IOCTL 895 +#define SYS_ENTER_FCNTL 894 +#define SYS_EXIT_FCNTL 893 +#define SYS_ENTER_MKNODAT 892 +#define SYS_EXIT_MKNODAT 891 +#define SYS_ENTER_MKNOD 890 +#define SYS_EXIT_MKNOD 889 +#define SYS_ENTER_MKDIRAT 888 +#define SYS_EXIT_MKDIRAT 887 +#define SYS_ENTER_MKDIR 886 +#define SYS_EXIT_MKDIR 885 +#define SYS_ENTER_RMDIR 884 +#define SYS_EXIT_RMDIR 883 +#define SYS_ENTER_UNLINKAT 882 +#define SYS_EXIT_UNLINKAT 881 +#define SYS_ENTER_UNLINK 880 +#define SYS_EXIT_UNLINK 879 +#define SYS_ENTER_SYMLINKAT 878 +#define SYS_EXIT_SYMLINKAT 877 +#define SYS_ENTER_SYMLINK 876 +#define SYS_EXIT_SYMLINK 875 +#define SYS_ENTER_LINKAT 874 +#define SYS_EXIT_LINKAT 873 +#define SYS_ENTER_LINK 872 +#define SYS_EXIT_LINK 871 +#define SYS_ENTER_RENAMEAT2 870 +#define SYS_EXIT_RENAMEAT2 869 +#define SYS_ENTER_RENAMEAT 868 +#define SYS_EXIT_RENAMEAT 867 +#define SYS_ENTER_RENAME 866 +#define SYS_EXIT_RENAME 865 +#define SYS_ENTER_EXECVE 860 +#define SYS_EXIT_EXECVE 859 +#define SYS_ENTER_EXECVEAT 858 +#define SYS_EXIT_EXECVEAT 857 +#define SYS_ENTER_NEWSTAT 856 +#define SYS_EXIT_NEWSTAT 855 +#define SYS_ENTER_NEWLSTAT 854 +#define SYS_EXIT_NEWLSTAT 853 +#define SYS_ENTER_NEWFSTATAT 852 +#define SYS_EXIT_NEWFSTATAT 851 +#define SYS_ENTER_NEWFSTAT 850 +#define SYS_EXIT_NEWFSTAT 849 +#define SYS_ENTER_READLINKAT 848 +#define SYS_EXIT_READLINKAT 847 +#define SYS_ENTER_STATX 844 +#define SYS_EXIT_STATX 843 +#define SYS_ENTER_LSEEK 842 +#define SYS_EXIT_LSEEK 841 +#define SYS_ENTER_READ 840 +#define SYS_EXIT_READ 839 +#define SYS_ENTER_WRITE 838 +#define SYS_EXIT_WRITE 837 +#define SYS_ENTER_PREAD64 836 +#define SYS_EXIT_PREAD64 835 +#define SYS_ENTER_PWRITE64 834 +#define SYS_EXIT_PWRITE64 833 +#define SYS_ENTER_FTRUNCATE 814 +#define SYS_EXIT_FTRUNCATE 813 +#define SYS_ENTER_FACCESSAT 810 +#define SYS_EXIT_FACCESSAT 809 +#define 
SYS_ENTER_FACCESSAT2 808 +#define SYS_EXIT_FACCESSAT2 807 +#define SYS_ENTER_ACCESS 806 +#define SYS_EXIT_ACCESS 805 +#define SYS_ENTER_CHDIR 804 +#define SYS_EXIT_CHDIR 803 +#define SYS_ENTER_FCHDIR 802 +#define SYS_EXIT_FCHDIR 801 +#define SYS_ENTER_CHROOT 800 +#define SYS_EXIT_CHROOT 799 +#define SYS_ENTER_FCHMOD 798 +#define SYS_EXIT_FCHMOD 797 +#define SYS_ENTER_FCHMODAT2 796 +#define SYS_EXIT_FCHMODAT2 795 +#define SYS_ENTER_FCHMODAT 794 +#define SYS_EXIT_FCHMODAT 793 +#define SYS_ENTER_CHMOD 792 +#define SYS_EXIT_CHMOD 791 +#define SYS_ENTER_FCHOWNAT 790 +#define SYS_EXIT_FCHOWNAT 789 +#define SYS_ENTER_CHOWN 788 +#define SYS_EXIT_CHOWN 787 +#define SYS_ENTER_LCHOWN 786 +#define SYS_EXIT_LCHOWN 785 +#define SYS_ENTER_FCHOWN 784 +#define SYS_EXIT_FCHOWN 783 +#define SYS_ENTER_OPEN 782 +#define SYS_EXIT_OPEN 781 +#define SYS_ENTER_OPENAT 780 +#define SYS_EXIT_OPENAT 779 +#define SYS_ENTER_OPENAT2 778 +#define SYS_EXIT_OPENAT2 777 +#define SYS_ENTER_CREAT 776 +#define SYS_EXIT_CREAT 775 +#define SYS_ENTER_CLOSE 774 +#define SYS_EXIT_CLOSE 773 +#define SYS_ENTER_CLOSE_RANGE 772 +#define SYS_EXIT_CLOSE_RANGE 771 +#define SYS_ENTER_CACHESTAT 592 +#define SYS_EXIT_CACHESTAT 591 + +SEC("tracepoint/syscalls/sys_enter_io_uring_register") +int handle_sys_enter_io_uring_register(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_REGISTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_io_uring_register") +int handle_sys_exit_io_uring_register(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_URING_REGISTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_io_uring_enter") +int handle_sys_enter_io_uring_enter(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_io_uring_enter") +int handle_sys_exit_io_uring_enter(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_URING_ENTER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_quotactl_fd") +int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_quotactl_fd") +int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + 
return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_flock") +int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_flock") +int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + 
ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_statfs") +int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fstatfs") +int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSTATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fstatfs") +int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSTATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_utimensat") +int handle_sys_enter_utimensat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + 
return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_UTIMENSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_utimensat") +int handle_sys_exit_utimensat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UTIMENSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_futimesat") +int handle_sys_enter_futimesat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_futimesat") +int handle_sys_exit_futimesat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fsync") +int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fsync") +int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fdatasync") +int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FDATASYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fdatasync") +int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FDATASYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_setxattr") +int handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + 
bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_open_tree") +int handle_sys_enter_open_tree(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + 
bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_open_tree") +int handle_sys_exit_open_tree(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getdents") +int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETDENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getdents") +int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETDENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getdents64") +int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + 
ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETDENTS64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getdents64") +int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETDENTS64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_ioctl") +int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IOCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IOCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; 
+ + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCNTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCNTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mknodat") +int handle_sys_enter_mknodat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknodat") +int handle_sys_exit_mknodat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mknod") +int handle_sys_enter_mknod(struct 
trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mknod") +int handle_sys_exit_mknod(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if 
(!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKDIRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; + ev->pid = pid; + 
ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_linkat") +int 
handle_sys_exit_linkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_link") +int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = 
SYS_ENTER_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RENAMEAT; + ev->pid = pid; + 
ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_execve") +int handle_sys_enter_execve(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + 
bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_execve") +int handle_sys_exit_execve(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXECVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_execveat") +int handle_sys_enter_execveat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_EXECVEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_execveat") +int handle_sys_exit_execveat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXECVEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_newstat") +int handle_sys_enter_newstat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 
0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newstat") +int handle_sys_exit_newstat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_newlstat") +int handle_sys_enter_newlstat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWLSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newlstat") +int handle_sys_exit_newlstat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWLSTAT; + 
ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_newfstatat") +int handle_sys_enter_newfstatat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newfstatat") +int handle_sys_exit_newfstatat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_newfstat") +int handle_sys_enter_newfstat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_newfstat") +int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; 
+ if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_readlinkat") +int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_readlinkat") +int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statx") +int handle_sys_enter_statx(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_STATX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + 
sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_statx") +int handle_sys_exit_statx(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lseek") +int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_LSEEK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lseek") +int handle_sys_exit_lseek(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSEEK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_read") +int handle_sys_enter_read(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_READ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_read") +int handle_sys_exit_read(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_write") +int handle_sys_enter_write(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_WRITE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_write") +int handle_sys_exit_write(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_WRITE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_pread64") +int handle_sys_enter_pread64(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; 
+ ev->trace_id = SYS_ENTER_PREAD64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_pread64") +int handle_sys_exit_pread64(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PREAD64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_pwrite64") +int handle_sys_enter_pwrite64(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PWRITE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_pwrite64") +int handle_sys_exit_pwrite64(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PWRITE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_ftruncate") +int handle_sys_enter_ftruncate(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type 
= ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FTRUNCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_ftruncate") +int handle_sys_exit_ftruncate(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FTRUNCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_faccessat") +int handle_sys_enter_faccessat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_faccessat") +int handle_sys_exit_faccessat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FACCESSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_faccessat2") +int 
handle_sys_enter_faccessat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_faccessat2") +int handle_sys_exit_faccessat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FACCESSAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_access") +int handle_sys_enter_access(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_ACCESS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_access") +int handle_sys_exit_access(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if 
(filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ACCESS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_chdir") +int handle_sys_enter_chdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_chdir") +int handle_sys_exit_chdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fchdir") +int handle_sys_enter_fchdir(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; 
+ + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fchdir") +int handle_sys_exit_fchdir(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_chroot") +int handle_sys_enter_chroot(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_chroot") +int handle_sys_exit_chroot(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fchmod") +int handle_sys_enter_fchmod(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if 
(!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fchmod") +int handle_sys_exit_fchmod(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fchmodat2") +int handle_sys_enter_fchmodat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fchmodat2") +int handle_sys_exit_fchmodat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHMODAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fchmodat") +int 
handle_sys_enter_fchmodat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fchmodat") +int handle_sys_exit_fchmodat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHMODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_chmod") +int handle_sys_enter_chmod(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_chmod") +int handle_sys_exit_chmod(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) 
+ return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fchownat") +int handle_sys_enter_fchownat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_FCHOWNAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fchownat") +int handle_sys_exit_fchownat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHOWNAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_chown") +int handle_sys_enter_chown(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_CHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + 
__builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_chown") +int handle_sys_exit_chown(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lchown") +int handle_sys_enter_lchown(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_LCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lchown") +int handle_sys_exit_lchown(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fchown") +int 
handle_sys_enter_fchown(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fchown") +int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_open") +int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_open") +int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN; + ev->pid = 
pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_openat2") +int handle_sys_enter_openat2(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + + 
bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_openat2") +int handle_sys_exit_openat2(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_close") +int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = 
SYS_ENTER_CLOSE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_close") +int handle_sys_exit_close(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_close_range") +int handle_sys_enter_close_range(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_close_range") +int handle_sys_exit_close_range(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_cachestat") +int handle_sys_enter_cachestat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_cachestat") +int handle_sys_exit_cachestat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + + diff --git a/internal/c/ior.bpf.c b/internal/c/ior.bpf.c index 7c41551..57a4ed6 100644 --- a/internal/c/ior.bpf.c +++ b/internal/c/ior.bpf.c @@ -15,6 +15,6 @@ #include "filter.c" // Auto-generated tracepoints. -#include "generated/tracepoints.c" +#include "generated_tracepoints.c" char LICENSE[] SEC("license") = "Dual BSD/GPL"; diff --git a/internal/generated/Makefile b/internal/generated/Makefile index 3d6bfd3..ffa3400 100644 --- a/internal/generated/Makefile +++ b/internal/generated/Makefile @@ -2,16 +2,16 @@ all: generate generate: tracepoints types -.PHONY: tracepoints +.PHONY: generate_tracepoints tracepoints: - cat ../c/*/*.c \ + cat ../c/generated_tracepoints.c \ | raku tracepoints.raku \ | goimports | gofmt \ > tracepoints/tracepoints.go .PHONY: types types: - ( cat ../c/types.h; grep -h '^#define' ../c/*/*.c ) \ + ( cat ../c/types.h; grep -h '^#define' ../c/generated_tracepoints.c ) \ | raku nqc.raku \ | goimports | gofmt \ > types/types.go diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go index 8587143..bc202ed 100644 --- a/internal/generated/types/types.go +++ b/internal/generated/types/types.go 
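Review bot: In the internal/generated/Makefile hunk the `.PHONY` line now names `generate_tracepoints`, but the rule directly below it is still `tracepoints:`, so that rule is no longer phony and no target called `generate_tracepoints` exists in this file. The recipe writes to `tracepoints/tracepoints.go`, so a `tracepoints` directory presumably sits next to the Makefile; make would then consider the prerequisite-less `tracepoints` target up to date and skip the recipe. That would leave a stale tracepoints.go that can drift from the handlers and trace ids in `../c/generated_tracepoints.c` without any build error. Keep the names in sync, either `.PHONY: tracepoints` as before, or rename the rule and the `generate: tracepoints types` prerequisite together.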
@@ -1,5 +1,4 @@ // Code generated - don't change manually! -// TODO: Rename all generate files to *_generated.go, and don't keep them in a generated directory anymore package types import ( -- cgit v1.2.3