From 0b94a7cced7d4bb9a44c9e9e827c4e3b09e5e8dc Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 8 Mar 2024 08:46:00 +0200 Subject: as per https://codeberg.org/snonux/ioriotng/issues/19 --- internal/c/generated/tracepoints.c | 1054 ++++++++++++++++++++++++++++++--- internal/c/generated/tracepoints.raku | 15 +- 2 files changed, 989 insertions(+), 80 deletions(-) (limited to 'internal/c/generated') diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c index 89c473a..8ba2028 100644 --- a/internal/c/generated/tracepoints.c +++ b/internal/c/generated/tracepoints.c @@ -6,6 +6,8 @@ #define SYS_ENTER_CLOSE_RANGE 701 #define SYS_EXIT_CLOSE 702 #define SYS_ENTER_CLOSE 703 +#define SYS_EXIT_CREAT 704 +#define SYS_ENTER_CREAT 705 #define SYS_EXIT_FCHOWN 712 #define SYS_ENTER_FCHOWN 713 #define SYS_EXIT_FCHMOD 726 @@ -26,6 +28,8 @@ #define SYS_ENTER_READ 769 #define SYS_EXIT_LSEEK 770 #define SYS_ENTER_LSEEK 771 +#define SYS_EXIT_READLINKAT 776 +#define SYS_ENTER_READLINKAT 777 #define SYS_EXIT_NEWFSTAT 778 #define SYS_ENTER_NEWFSTAT 779 #define SYS_EXIT_RENAME 794 @@ -42,6 +46,16 @@ #define SYS_ENTER_SYMLINK 805 #define SYS_EXIT_SYMLINKAT 806 #define SYS_ENTER_SYMLINKAT 807 +#define SYS_EXIT_UNLINK 808 +#define SYS_ENTER_UNLINK 809 +#define SYS_EXIT_UNLINKAT 810 +#define SYS_ENTER_UNLINKAT 811 +#define SYS_EXIT_RMDIR 812 +#define SYS_ENTER_RMDIR 813 +#define SYS_EXIT_MKDIR 814 +#define SYS_ENTER_MKDIR 815 +#define SYS_EXIT_MKDIRAT 816 +#define SYS_ENTER_MKDIRAT 817 #define SYS_EXIT_FCNTL 822 #define SYS_ENTER_FCNTL 823 #define SYS_EXIT_IOCTL 824 
@@ -50,6 +64,22 @@ #define SYS_ENTER_GETDENTS64 827 #define SYS_EXIT_GETDENTS 828 #define SYS_ENTER_GETDENTS 829 +#define SYS_EXIT_LREMOVEXATTR 862 +#define SYS_ENTER_LREMOVEXATTR 863 +#define SYS_EXIT_REMOVEXATTR 864 +#define SYS_ENTER_REMOVEXATTR 865 +#define SYS_EXIT_LLISTXATTR 868 +#define SYS_ENTER_LLISTXATTR 869 +#define SYS_EXIT_LISTXATTR 870 +#define SYS_ENTER_LISTXATTR 871 +#define SYS_EXIT_LGETXATTR 874 +#define SYS_ENTER_LGETXATTR 875 +#define SYS_EXIT_GETXATTR 876 +#define SYS_ENTER_GETXATTR 877 +#define SYS_EXIT_LSETXATTR 880 +#define SYS_ENTER_LSETXATTR 881 +#define SYS_EXIT_SETXATTR 882 +#define SYS_ENTER_SETXATTR 883 #define SYS_EXIT_SYNC_FILE_RANGE 922 #define SYS_ENTER_SYNC_FILE_RANGE 923 #define SYS_EXIT_FDATASYNC 924 @@ -58,10 +88,20 @@ #define SYS_ENTER_FSYNC 927 #define SYS_EXIT_FSTATFS 944 #define SYS_ENTER_FSTATFS 945 +#define SYS_EXIT_STATFS 946 +#define SYS_ENTER_STATFS 947 +#define SYS_EXIT_INOTIFY_RM_WATCH 954 +#define SYS_ENTER_INOTIFY_RM_WATCH 955 +#define SYS_EXIT_INOTIFY_ADD_WATCH 956 +#define SYS_ENTER_INOTIFY_ADD_WATCH 957 +#define SYS_EXIT_FANOTIFY_MARK 962 +#define SYS_ENTER_FANOTIFY_MARK 963 #define SYS_EXIT_FLOCK 1020 #define SYS_ENTER_FLOCK 1021 #define SYS_EXIT_QUOTACTL_FD 1051 #define SYS_ENTER_QUOTACTL_FD 1052 +#define SYS_EXIT_MQ_UNLINK 1321 +#define SYS_ENTER_MQ_UNLINK 1322 #define SYS_EXIT_IO_URING_REGISTER 1377 #define SYS_ENTER_IO_URING_REGISTER 1378 #define SYS_EXIT_IO_URING_ENTER 1381 
@@ -193,6 +233,49 @@ int handle_sys_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_fchown") int handle_sys_exit_fchown(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; 
@@ -613,6 +696,49 @@ int handle_sys_enter_lseek(struct trace_event_raw_sys_enter *ctx) { return 0; } +SEC("tracepoint/syscalls/sys_exit_readlinkat") +int handle_sys_exit_readlinkat(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_readlinkat") +int handle_sys_enter_readlinkat(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + SEC("tracepoint/syscalls/sys_exit_newfstat") int handle_sys_exit_newfstat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; @@ -963,8 +1089,8 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fcntl") -int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -974,7 +1100,7 @@ int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCNTL; + ev->trace_id = SYS_EXIT_UNLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -984,29 +1110,30 @@ int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_fcntl") -int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCNTL; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_ioctl") -int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1016,7 +1143,7 @@ int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IOCTL; + ev->trace_id = SYS_EXIT_UNLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -1026,29 +1153,30 @@ int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_ioctl") -int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IOCTL; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_getdents64") -int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1058,7 +1186,7 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS64; + ev->trace_id = SYS_EXIT_RMDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -1068,29 +1196,30 @@ int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_getdents64") -int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS64; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_getdents") -int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1100,7 +1229,7 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS; + ev->trace_id = SYS_EXIT_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -1110,29 +1239,30 @@ int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_getdents") -int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_sync_file_range") -int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1142,7 +1272,7 @@ int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE; + ev->trace_id = SYS_EXIT_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -1152,29 +1282,30 @@ int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_sync_file_range") -int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIRAT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_fdatasync") -int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1184,7 +1315,7 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FDATASYNC; + ev->trace_id = SYS_EXIT_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1194,8 +1325,8 @@ int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_fdatasync") -int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1205,7 +1336,7 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FDATASYNC; + ev->trace_id = SYS_ENTER_FCNTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1215,8 +1346,8 @@ int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fsync") -int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1226,7 +1357,7 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSYNC; + ev->trace_id = SYS_EXIT_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1236,8 +1367,8 @@ int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_fsync") -int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_ioctl") +int handle_sys_enter_ioctl(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1247,7 +1378,7 @@ int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSYNC; + ev->trace_id = SYS_ENTER_IOCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1257,8 +1388,8 @@ int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_fstatfs") -int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents64") +int handle_sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1268,7 +1399,7 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSTATFS; + ev->trace_id = SYS_EXIT_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1278,8 +1409,8 @@ int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_fstatfs") -int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getdents64") +int handle_sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1289,7 +1420,7 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSTATFS; + ev->trace_id = SYS_ENTER_GETDENTS64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1299,8 +1430,8 @@ int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_flock") -int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_getdents") +int handle_sys_exit_getdents(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1310,7 +1441,7 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLOCK; + ev->trace_id = SYS_EXIT_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1320,8 +1451,8 @@ int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_flock") -int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_getdents") +int handle_sys_enter_getdents(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1331,7 +1462,7 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLOCK; + ev->trace_id = SYS_ENTER_GETDENTS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; @@ -1341,8 +1472,8 @@ int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_exit_quotactl_fd") -int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct trace_event_raw_sys_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1352,7 +1483,7 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; 
@@ -1362,22 +1493,789 @@ int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { return 0; } -SEC("tracepoint/syscalls/sys_enter_quotactl_fd") -int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct trace_event_raw_sys_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; - ev->fd = (__s32)ctx->args[0]; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 
pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = 
SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_setxattr") +int 
handle_sys_exit_setxattr(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_sync_file_range") +int handle_sys_exit_sync_file_range(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_sync_file_range") +int handle_sys_enter_sync_file_range(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE; + 
ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fdatasync") +int handle_sys_exit_fdatasync(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FDATASYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fdatasync") +int handle_sys_enter_fdatasync(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FDATASYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fsync") +int handle_sys_exit_fsync(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fsync") +int handle_sys_enter_fsync(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSYNC; + ev->pid = 
pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fstatfs") +int handle_sys_exit_fstatfs(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSTATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fstatfs") +int handle_sys_enter_fstatfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSTATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_statfs") +int handle_sys_exit_statfs(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = 
SYS_ENTER_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch") +int handle_sys_exit_inotify_rm_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch") +int handle_sys_enter_inotify_rm_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct trace_event_raw_sys_enter *ctx) { + __u32 
pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_flock") +int handle_sys_exit_flock(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + 
ev->trace_id = SYS_EXIT_FLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_flock") +int handle_sys_enter_flock(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_quotactl_fd") +int handle_sys_exit_quotactl_fd(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_quotactl_fd") +int handle_sys_enter_quotactl_fd(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_mq_unlink") +int handle_sys_exit_mq_unlink(struct trace_event_raw_sys_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + 
+ ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + ev->ret = ctx->ret; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +SEC("tracepoint/syscalls/sys_enter_mq_unlink") +int handle_sys_enter_mq_unlink(struct trace_event_raw_sys_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_ns() / 1000; + bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku index ad95559..de801a7 100644 --- a/internal/c/generated/tracepoints.raku +++ b/internal/c/generated/tracepoints.raku @@ -45,8 +45,10 @@ class Format { # file descriptor passed to syscalls. has Bool $.has-fd is rw = False; - # Has tracepoint has got oldname and name + # Tracepoint has oldname/newname has Bool $.has-name is rw = False; + # Tracepoint has pathname + has Bool $.has-path is rw = False; # Syscall returns with a long value (e.g. bytes read/written) has Bool $.has-long-ret is rw = False; @@ -65,6 +67,8 @@ class Format { $!has-fd = True; } elsif (field.name eq 'newname' && field.type eq 'const char *') { $!has-name = True; + } elsif (field.name eq 'pathname' && field.type eq 'const char *') { + $!has-path = True; } elsif (field.name eq 'ret' && field.type eq 'long') { $.has-long-ret = True; } @@ -85,6 +89,7 @@ class Format { my \event-struct = do if $!has-fd { 'fd_event' } elsif $!has-long-ret { 'ret_event' } elsif $!has-name { 'name_event' } + elsif $!has-path { 'path_event' } else { 'null_event' }; my \extra-data = do if $!has-fd { 'ev->fd = (__s32)ctx->args[0];' } elsif $!has-long-ret { 'ev->ret = ctx->ret;' } 
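Review bot: Placing `elsif $!has-path { 'path_event' }` last in the `event-struct` chain means a tracepoint whose format sets both `has-fd` and `has-path` would be emitted as `fd_event`, with the pathname silently dropped. The flags do not look mutually exclusive, since the field checks in the previous hunk set each one independently. The same precedence is repeated in the `extra-data` chain that follows, so the two must be edited in step whenever a new event kind is added. I would document this above the chain with `# Precedence: fd > long-ret > name > path; extra-data below must use the same order`. The enclosing method starts and ends outside this hunk.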
@@ -96,6 +101,12 @@ class Format { bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[{oldname-index}]); bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[{newname-index}]); END + } elsif $!has-path { + my Int \pathname-index = self!field-number('pathname'); + qq:to/END/.trim-trailing; + __builtin_memset(\&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]); + END } else { '' }; qq:to/END/; @@ -154,7 +165,7 @@ my Format @formats = gather for SysTraceFormat .parse($*IN.slurp,:actions(SysTraceFormatActions.new)).made # For each enter there is an exit tracepoint. E.g. sys_enter_open and sys_exit_open .classify(*.name.split('_').tail).values - .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) }) -> @_ { .take for @_ } + .grep({ $_.grep(*.has-fd) || $_.grep(*.has-name) || $_.grep(*.has-path) }) -> @_ { .take for @_ } @formats .= sort(*.id); -- cgit v1.2.3
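Review bot: The new `has-path` branch discards the result of `bpf_probe_read_user_str`, so a failed read leaves the zeroed buffer and is submitted as an empty path, and an over-long path is cut at `sizeof(ev->pathname)` with nothing to mark it as truncated. The regenerated fanotify_mark handler reads `args[4]`, which callers may, as far as I know, pass as NULL, so the failure case is likely reachable in normal use. I would keep the result in the template, `long n = bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[{pathname-index}]);`, treat `n < 0` as a failed read and `n == sizeof(ev->pathname)` as possibly truncated, and either record that in the event or drop the reservation with `bpf_ringbuf_discard`. The template should also carry a comment that the string is copied from user memory at syscall entry, so it is the caller-supplied and unresolved path. The `oldname`/`newname` context lines above have the same unchecked pattern.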
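Review bot: Adding `|| $_.grep(*.has-path)` keeps every tracepoint in a matching group, and the groups come from the context line `.classify(*.name.split('_').tail)`, which keys only on the last underscore-separated word. That appears to be why the regenerated tracepoints.c now has `handle_sys_enter_mq_unlink` and `handle_sys_enter_inotify_rm_watch` as `null_event` handlers. They share the keys `unlink` and `watch` with path-carrying syscalls, and none of their own arguments are captured. If that is not intended, key on the full syscall name instead, for example `.classify(*.name.subst(/^ sys_ [enter|exit] _ /, ''))`, so that only a syscall's own enter/exit pair is grouped.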