From 519cd996b5a7fede23b8b23f3c101d10b26111de Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Mon, 18 May 2026 14:14:33 +0300
Subject: k6: emit tracepoints for all syscall families
---
internal/c/generated_tracepoints.c | 14943 ++++++++++++++++++++++----
internal/c/generated_tracepoints_result.txt | 750 +-
2 files changed, 13610 insertions(+), 2083 deletions(-)
(limited to 'internal/c')
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index 1633966..be6606d 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -1,516 +1,765 @@ // Code generated - don't change manually! -/// Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related -/// Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related -/// Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related -/// Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related -/// Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related -/// Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related -/// Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related -/// Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related -/// Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related -/// Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related -/// Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related -/// Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related -/// Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related -/// Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related -/// Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related -/// Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related -/// Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related -/// Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related -/// Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related -/// Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related -/// Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related -/// Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related -/// Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file 
I/O related -/// Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related -/// Ignoring sys_enter_epoll_pwait sys_exit_epoll_pwait as possibly not file I/O related -/// Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related -/// Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related -/// Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related -/// Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related -/// Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related -/// Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related -/// Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related -/// Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related -/// Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related -/// Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related -/// Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related -/// Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related -/// Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related -/// Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related -/// Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related -/// Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related -/// Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related -/// Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related -/// Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related -/// Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related -/// Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related -/// Ignoring 
sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related -/// Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related -/// Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O related -/// Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related -/// Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related -/// Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related -/// Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related -/// Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related -/// Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related -/// Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related -/// Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related -/// Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related -/// Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related -/// Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related -/// Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related -/// Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related -/// Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related -/// Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related -/// Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related -/// Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related -/// Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related -/// Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related -/// Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related -/// Ignoring sys_enter_inotify_init 
sys_exit_inotify_init as possibly not file I/O related -/// Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related -/// Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related -/// Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O related -/// Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related -/// Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related -/// Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related -/// Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related -/// Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related -/// Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related -/// Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related -/// Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related -/// Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related -/// Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related -/// Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related -/// Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related -/// Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related -/// Ignoring sys_enter_listns sys_exit_listns as possibly not file I/O related -/// Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related -/// Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related -/// Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related -/// Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related -/// Ignoring sys_enter_map_shadow_stack 
sys_exit_map_shadow_stack as possibly not file I/O related -/// Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related -/// Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related -/// Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related -/// Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related -/// Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related -/// Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related -/// Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related -/// Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related -/// Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related -/// Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related -/// Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related -/// Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related -/// Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related -/// Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related -/// Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related -/// Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related -/// Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related -/// Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related -/// Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related -/// Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related -/// Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related -/// Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related -/// Ignoring sys_enter_mremap sys_exit_mremap 
as possibly not file I/O related -/// Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related -/// Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related -/// Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related -/// Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related -/// Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related -/// Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O related -/// Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related -/// Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related -/// Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related -/// Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related -/// Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related -/// Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related -/// Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related -/// Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related -/// Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related -/// Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related -/// Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related -/// Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related -/// Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related -/// Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related -/// Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related -/// Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related -/// Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related -/// Ignoring 
sys_enter_prctl sys_exit_prctl as possibly not file I/O related -/// Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related -/// Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related -/// Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related -/// Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related -/// Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related -/// Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly not file I/O related -/// Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related -/// Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related -/// Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related -/// Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related -/// Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related -/// Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related -/// Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related -/// Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related -/// Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related -/// Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related -/// Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related -/// Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related -/// Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related -/// Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related -/// Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related -/// Ignoring 
sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related -/// Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related -/// Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related -/// Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related -/// Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related -/// Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related -/// Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related -/// Ignoring sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related -/// Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related -/// Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related -/// Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related -/// Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related -/// Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related -/// Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related -/// Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related -/// Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related -/// Ignoring sys_enter_select sys_exit_select as possibly not file I/O related -/// Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related -/// Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related -/// Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related -/// Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related -/// Ignoring 
sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related -/// Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related -/// Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related -/// Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related -/// Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related -/// Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related -/// Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related -/// Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related -/// Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not file I/O related -/// Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related -/// Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related -/// Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related -/// Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related -/// Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related -/// Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related -/// Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related -/// Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related -/// Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related -/// Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related -/// Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related -/// Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related -/// Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related -/// Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O 
related -/// Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related -/// Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related -/// Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related -/// Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related -/// Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related -/// Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related -/// Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related -/// Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related -/// Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related -/// Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related -/// Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not file I/O related -/// Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related -/// Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related -/// Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related -/// Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related -/// Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related -/// Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related -/// Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related -/// Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related -/// Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related -/// Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related -/// Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related -/// Ignoring sys_enter_time sys_exit_time as possibly not file I/O related -/// Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related -/// Ignoring 
sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related -/// Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related -/// Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related -/// Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related -/// Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related -/// Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related -/// Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related -/// Ignoring sys_enter_times sys_exit_times as possibly not file I/O related -/// Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related -/// Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related -/// Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related -/// Ignoring sys_enter_unshare sys_exit_unshare as possibly not file I/O related -/// Ignoring sys_enter_uprobe sys_exit_uprobe as possibly not file I/O related -/// Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related -/// Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related -/// Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related -/// Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related -/// Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related -/// Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related -/// Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related -/// Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related -/// Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related - -#define SYS_ENTER_IO_URING_REGISTER 1521 -#define SYS_EXIT_IO_URING_REGISTER 1520 -#define SYS_ENTER_IO_URING_ENTER 1502 -#define 
SYS_EXIT_IO_URING_ENTER 1501 -#define SYS_ENTER_IO_URING_SETUP 1500 -#define SYS_EXIT_IO_URING_SETUP 1499 -#define SYS_ENTER_QUOTACTL_FD 1155 -#define SYS_EXIT_QUOTACTL_FD 1154 -#define SYS_ENTER_NAME_TO_HANDLE_AT 1139 -#define SYS_EXIT_NAME_TO_HANDLE_AT 1138 -#define SYS_ENTER_OPEN_BY_HANDLE_AT 1137 -#define SYS_EXIT_OPEN_BY_HANDLE_AT 1136 -#define SYS_ENTER_FLOCK 1123 -#define SYS_EXIT_FLOCK 1122 -#define SYS_ENTER_IO_SETUP 1109 -#define SYS_EXIT_IO_SETUP 1108 -#define SYS_ENTER_IO_DESTROY 1107 -#define SYS_EXIT_IO_DESTROY 1106 -#define SYS_ENTER_IO_SUBMIT 1105 -#define SYS_EXIT_IO_SUBMIT 1104 -#define SYS_ENTER_IO_CANCEL 1103 -#define SYS_EXIT_IO_CANCEL 1102 -#define SYS_ENTER_IO_GETEVENTS 1101 -#define SYS_EXIT_IO_GETEVENTS 1100 -#define SYS_ENTER_IO_PGETEVENTS 1099 -#define SYS_EXIT_IO_PGETEVENTS 1098 -#define SYS_ENTER_FANOTIFY_MARK 1067 -#define SYS_EXIT_FANOTIFY_MARK 1066 -#define SYS_ENTER_FILE_GETATTR 1057 -#define SYS_EXIT_FILE_GETATTR 1056 -#define SYS_ENTER_FILE_SETATTR 1055 -#define SYS_EXIT_FILE_SETATTR 1054 -#define SYS_ENTER_FSPICK 1051 -#define SYS_EXIT_FSPICK 1050 -#define SYS_ENTER_FSCONFIG 1049 -#define SYS_EXIT_FSCONFIG 1048 -#define SYS_ENTER_STATFS 1047 -#define SYS_EXIT_STATFS 1046 -#define SYS_ENTER_FSTATFS 1045 -#define SYS_EXIT_FSTATFS 1044 -#define SYS_ENTER_GETCWD 1041 -#define SYS_EXIT_GETCWD 1040 -#define SYS_ENTER_UTIMENSAT 1039 -#define SYS_EXIT_UTIMENSAT 1038 -#define SYS_ENTER_FUTIMESAT 1037 -#define SYS_EXIT_FUTIMESAT 1036 -#define SYS_ENTER_SYNC 1031 -#define SYS_EXIT_SYNC 1030 -#define SYS_ENTER_SYNCFS 1029 -#define SYS_EXIT_SYNCFS 1028 -#define SYS_ENTER_FSYNC 1027 -#define SYS_EXIT_FSYNC 1026 -#define SYS_ENTER_FDATASYNC 1025 -#define SYS_EXIT_FDATASYNC 1024 -#define SYS_ENTER_SYNC_FILE_RANGE 1023 -#define SYS_EXIT_SYNC_FILE_RANGE 1022 -#define SYS_ENTER_VMSPLICE 1021 -#define SYS_EXIT_VMSPLICE 1020 -#define SYS_ENTER_SETXATTRAT 982 -#define SYS_EXIT_SETXATTRAT 981 -#define SYS_ENTER_SETXATTR 980 -#define SYS_EXIT_SETXATTR 
979 -#define SYS_ENTER_LSETXATTR 978 -#define SYS_EXIT_LSETXATTR 977 -#define SYS_ENTER_FSETXATTR 976 -#define SYS_EXIT_FSETXATTR 975 -#define SYS_ENTER_GETXATTRAT 974 -#define SYS_EXIT_GETXATTRAT 973 -#define SYS_ENTER_GETXATTR 972 -#define SYS_EXIT_GETXATTR 971 -#define SYS_ENTER_LGETXATTR 970 -#define SYS_EXIT_LGETXATTR 969 -#define SYS_ENTER_FGETXATTR 968 -#define SYS_EXIT_FGETXATTR 967 -#define SYS_ENTER_LISTXATTRAT 966 -#define SYS_EXIT_LISTXATTRAT 965 -#define SYS_ENTER_LISTXATTR 964 -#define SYS_EXIT_LISTXATTR 963 -#define SYS_ENTER_LLISTXATTR 962 -#define SYS_EXIT_LLISTXATTR 961 -#define SYS_ENTER_FLISTXATTR 960 -#define SYS_EXIT_FLISTXATTR 959 -#define SYS_ENTER_REMOVEXATTRAT 958 -#define SYS_EXIT_REMOVEXATTRAT 957 -#define SYS_ENTER_REMOVEXATTR 956 -#define SYS_EXIT_REMOVEXATTR 955 -#define SYS_ENTER_LREMOVEXATTR 954 -#define SYS_EXIT_LREMOVEXATTR 953 -#define SYS_ENTER_FREMOVEXATTR 952 -#define SYS_EXIT_FREMOVEXATTR 951 -#define SYS_ENTER_OPEN_TREE 948 -#define SYS_EXIT_OPEN_TREE 947 -#define SYS_ENTER_MOUNT_SETATTR 938 -#define SYS_EXIT_MOUNT_SETATTR 937 -#define SYS_ENTER_OPEN_TREE_ATTR 936 -#define SYS_EXIT_OPEN_TREE_ATTR 935 -#define SYS_ENTER_CLOSE_RANGE 928 -#define SYS_EXIT_CLOSE_RANGE 927 -#define SYS_ENTER_DUP3 926 -#define SYS_EXIT_DUP3 925 -#define SYS_ENTER_DUP2 924 -#define SYS_EXIT_DUP2 923 -#define SYS_ENTER_DUP 922 -#define SYS_EXIT_DUP 921 -#define SYS_ENTER_GETDENTS 908 -#define SYS_EXIT_GETDENTS 907 -#define SYS_ENTER_GETDENTS64 906 -#define SYS_EXIT_GETDENTS64 905 -#define SYS_ENTER_IOCTL 904 -#define SYS_EXIT_IOCTL 903 -#define SYS_ENTER_FCNTL 902 -#define SYS_EXIT_FCNTL 901 -#define SYS_ENTER_MKDIRAT 896 -#define SYS_EXIT_MKDIRAT 895 -#define SYS_ENTER_MKDIR 894 -#define SYS_EXIT_MKDIR 893 -#define SYS_ENTER_RMDIR 892 -#define SYS_EXIT_RMDIR 891 -#define SYS_ENTER_UNLINKAT 890 -#define SYS_EXIT_UNLINKAT 889 -#define SYS_ENTER_UNLINK 888 -#define SYS_EXIT_UNLINK 887 -#define SYS_ENTER_SYMLINKAT 886 -#define SYS_EXIT_SYMLINKAT 885 
-#define SYS_ENTER_SYMLINK 884 -#define SYS_EXIT_SYMLINK 883 -#define SYS_ENTER_LINKAT 882 -#define SYS_EXIT_LINKAT 881 -#define SYS_ENTER_LINK 880 -#define SYS_EXIT_LINK 879 -#define SYS_ENTER_RENAMEAT2 878 -#define SYS_EXIT_RENAMEAT2 877 -#define SYS_ENTER_RENAMEAT 876 -#define SYS_EXIT_RENAMEAT 875 -#define SYS_ENTER_RENAME 874 -#define SYS_EXIT_RENAME 873 -#define SYS_ENTER_NEWSTAT 864 -#define SYS_EXIT_NEWSTAT 863 -#define SYS_ENTER_NEWLSTAT 862 -#define SYS_EXIT_NEWLSTAT 861 -#define SYS_ENTER_NEWFSTATAT 860 -#define SYS_EXIT_NEWFSTATAT 859 -#define SYS_ENTER_NEWFSTAT 858 -#define SYS_EXIT_NEWFSTAT 857 -#define SYS_ENTER_READLINKAT 856 -#define SYS_EXIT_READLINKAT 855 -#define SYS_ENTER_READLINK 854 -#define SYS_EXIT_READLINK 853 -#define SYS_ENTER_STATX 852 -#define SYS_EXIT_STATX 851 -#define SYS_ENTER_LSEEK 850 -#define SYS_EXIT_LSEEK 849 -#define SYS_ENTER_READ 848 -#define SYS_EXIT_READ 847 -#define SYS_ENTER_WRITE 846 -#define SYS_EXIT_WRITE 845 -#define SYS_ENTER_PREAD64 844 -#define SYS_EXIT_PREAD64 843 -#define SYS_ENTER_PWRITE64 842 -#define SYS_EXIT_PWRITE64 841 -#define SYS_ENTER_READV 840 -#define SYS_EXIT_READV 839 -#define SYS_ENTER_WRITEV 838 -#define SYS_EXIT_WRITEV 837 -#define SYS_ENTER_PREADV 836 -#define SYS_EXIT_PREADV 835 -#define SYS_ENTER_PREADV2 834 -#define SYS_EXIT_PREADV2 833 -#define SYS_ENTER_PWRITEV 832 -#define SYS_EXIT_PWRITEV 831 -#define SYS_ENTER_PWRITEV2 830 -#define SYS_EXIT_PWRITEV2 829 -#define SYS_ENTER_COPY_FILE_RANGE 826 -#define SYS_EXIT_COPY_FILE_RANGE 825 -#define SYS_ENTER_TRUNCATE 824 -#define SYS_EXIT_TRUNCATE 823 -#define SYS_ENTER_FTRUNCATE 822 -#define SYS_EXIT_FTRUNCATE 821 -#define SYS_ENTER_FALLOCATE 820 -#define SYS_EXIT_FALLOCATE 819 -#define SYS_ENTER_FACCESSAT 818 -#define SYS_EXIT_FACCESSAT 817 -#define SYS_ENTER_FACCESSAT2 816 -#define SYS_EXIT_FACCESSAT2 815 -#define SYS_ENTER_ACCESS 814 -#define SYS_EXIT_ACCESS 813 -#define SYS_ENTER_CHDIR 812 -#define SYS_EXIT_CHDIR 811 -#define SYS_ENTER_FCHDIR 
810 -#define SYS_EXIT_FCHDIR 809 -#define SYS_ENTER_CHROOT 808 -#define SYS_EXIT_CHROOT 807 -#define SYS_ENTER_FCHMOD 806 -#define SYS_EXIT_FCHMOD 805 -#define SYS_ENTER_FCHMODAT2 804 -#define SYS_EXIT_FCHMODAT2 803 -#define SYS_ENTER_FCHMODAT 802 -#define SYS_EXIT_FCHMODAT 801 -#define SYS_ENTER_CHMOD 800 -#define SYS_EXIT_CHMOD 799 -#define SYS_ENTER_FCHOWNAT 798 -#define SYS_EXIT_FCHOWNAT 797 -#define SYS_ENTER_CHOWN 796 -#define SYS_EXIT_CHOWN 795 -#define SYS_ENTER_LCHOWN 794 -#define SYS_EXIT_LCHOWN 793 -#define SYS_ENTER_FCHOWN 792 -#define SYS_EXIT_FCHOWN 791 -#define SYS_ENTER_OPEN 790 -#define SYS_EXIT_OPEN 789 -#define SYS_ENTER_OPENAT 788 -#define SYS_EXIT_OPENAT 787 -#define SYS_ENTER_OPENAT2 786 -#define SYS_EXIT_OPENAT2 785 -#define SYS_ENTER_CREAT 784 -#define SYS_EXIT_CREAT 783 -#define SYS_ENTER_CLOSE 782 -#define SYS_EXIT_CLOSE 781 -#define SYS_ENTER_MSYNC 710 -#define SYS_EXIT_MSYNC 709 + +#define SYS_ENTER_SOCKET 1847 +#define SYS_EXIT_SOCKET 1846 +#define SYS_ENTER_SOCKETPAIR 1845 +#define SYS_EXIT_SOCKETPAIR 1844 +#define SYS_ENTER_BIND 1843 +#define SYS_EXIT_BIND 1842 +#define SYS_ENTER_LISTEN 1841 +#define SYS_EXIT_LISTEN 1840 +#define SYS_ENTER_ACCEPT4 1839 +#define SYS_EXIT_ACCEPT4 1838 +#define SYS_ENTER_ACCEPT 1837 +#define SYS_EXIT_ACCEPT 1836 +#define SYS_ENTER_CONNECT 1835 +#define SYS_EXIT_CONNECT 1834 +#define SYS_ENTER_GETSOCKNAME 1833 +#define SYS_EXIT_GETSOCKNAME 1832 +#define SYS_ENTER_GETPEERNAME 1831 +#define SYS_EXIT_GETPEERNAME 1830 +#define SYS_ENTER_SENDTO 1829 +#define SYS_EXIT_SENDTO 1828 +#define SYS_ENTER_RECVFROM 1827 +#define SYS_EXIT_RECVFROM 1826 +#define SYS_ENTER_SETSOCKOPT 1825 +#define SYS_EXIT_SETSOCKOPT 1824 +#define SYS_ENTER_GETSOCKOPT 1823 +#define SYS_EXIT_GETSOCKOPT 1822 +#define SYS_ENTER_SHUTDOWN 1821 +#define SYS_EXIT_SHUTDOWN 1820 +#define SYS_ENTER_SENDMSG 1819 +#define SYS_EXIT_SENDMSG 1818 +#define SYS_ENTER_SENDMMSG 1817 +#define SYS_EXIT_SENDMMSG 1816 +#define SYS_ENTER_RECVMSG 1815 +#define 
SYS_EXIT_RECVMSG 1814 +#define SYS_ENTER_RECVMMSG 1813 +#define SYS_EXIT_RECVMMSG 1812 +#define SYS_ENTER_GETRANDOM 1575 +#define SYS_EXIT_GETRANDOM 1574 +#define SYS_ENTER_IO_URING_REGISTER 1528 +#define SYS_EXIT_IO_URING_REGISTER 1527 +#define SYS_ENTER_IO_URING_ENTER 1509 +#define SYS_EXIT_IO_URING_ENTER 1508 +#define SYS_ENTER_IO_URING_SETUP 1507 +#define SYS_EXIT_IO_URING_SETUP 1506 +#define SYS_ENTER_IOPRIO_SET 1491 +#define SYS_EXIT_IOPRIO_SET 1490 +#define SYS_ENTER_IOPRIO_GET 1489 +#define SYS_EXIT_IOPRIO_GET 1488 +#define SYS_ENTER_LANDLOCK_CREATE_RULESET 1463 +#define SYS_EXIT_LANDLOCK_CREATE_RULESET 1462 +#define SYS_ENTER_LANDLOCK_ADD_RULE 1461 +#define SYS_EXIT_LANDLOCK_ADD_RULE 1460 +#define SYS_ENTER_LANDLOCK_RESTRICT_SELF 1459 +#define SYS_EXIT_LANDLOCK_RESTRICT_SELF 1458 +#define SYS_ENTER_LSM_SET_SELF_ATTR 1456 +#define SYS_EXIT_LSM_SET_SELF_ATTR 1455 +#define SYS_ENTER_LSM_GET_SELF_ATTR 1454 +#define SYS_EXIT_LSM_GET_SELF_ATTR 1453 +#define SYS_ENTER_LSM_LIST_MODULES 1452 +#define SYS_EXIT_LSM_LIST_MODULES 1451 +#define SYS_ENTER_ADD_KEY 1449 +#define SYS_EXIT_ADD_KEY 1448 +#define SYS_ENTER_REQUEST_KEY 1447 +#define SYS_EXIT_REQUEST_KEY 1446 +#define SYS_ENTER_KEYCTL 1445 +#define SYS_EXIT_KEYCTL 1444 +#define SYS_ENTER_MQ_OPEN 1443 +#define SYS_EXIT_MQ_OPEN 1442 +#define SYS_ENTER_MQ_UNLINK 1441 +#define SYS_EXIT_MQ_UNLINK 1440 +#define SYS_ENTER_MQ_TIMEDSEND 1439 +#define SYS_EXIT_MQ_TIMEDSEND 1438 +#define SYS_ENTER_MQ_TIMEDRECEIVE 1437 +#define SYS_EXIT_MQ_TIMEDRECEIVE 1436 +#define SYS_ENTER_MQ_NOTIFY 1435 +#define SYS_EXIT_MQ_NOTIFY 1434 +#define SYS_ENTER_MQ_GETSETATTR 1433 +#define SYS_EXIT_MQ_GETSETATTR 1432 +#define SYS_ENTER_SHMGET 1431 +#define SYS_EXIT_SHMGET 1430 +#define SYS_ENTER_SHMCTL 1429 +#define SYS_EXIT_SHMCTL 1428 +#define SYS_ENTER_SHMAT 1427 +#define SYS_EXIT_SHMAT 1426 +#define SYS_ENTER_SHMDT 1425 +#define SYS_EXIT_SHMDT 1424 +#define SYS_ENTER_SEMGET 1423 +#define SYS_EXIT_SEMGET 1422 +#define SYS_ENTER_SEMCTL 1421 
+#define SYS_EXIT_SEMCTL 1420 +#define SYS_ENTER_SEMTIMEDOP 1419 +#define SYS_EXIT_SEMTIMEDOP 1418 +#define SYS_ENTER_SEMOP 1417 +#define SYS_EXIT_SEMOP 1416 +#define SYS_ENTER_MSGGET 1415 +#define SYS_EXIT_MSGGET 1414 +#define SYS_ENTER_MSGCTL 1413 +#define SYS_EXIT_MSGCTL 1412 +#define SYS_ENTER_MSGSND 1411 +#define SYS_EXIT_MSGSND 1410 +#define SYS_ENTER_MSGRCV 1409 +#define SYS_EXIT_MSGRCV 1408 +#define SYS_ENTER_QUOTACTL 1164 +#define SYS_EXIT_QUOTACTL 1163 +#define SYS_ENTER_QUOTACTL_FD 1162 +#define SYS_EXIT_QUOTACTL_FD 1161 +#define SYS_ENTER_NAME_TO_HANDLE_AT 1146 +#define SYS_EXIT_NAME_TO_HANDLE_AT 1145 +#define SYS_ENTER_OPEN_BY_HANDLE_AT 1144 +#define SYS_EXIT_OPEN_BY_HANDLE_AT 1143 +#define SYS_ENTER_FLOCK 1130 +#define SYS_EXIT_FLOCK 1129 +#define SYS_ENTER_IO_SETUP 1111 +#define SYS_EXIT_IO_SETUP 1110 +#define SYS_ENTER_IO_DESTROY 1109 +#define SYS_EXIT_IO_DESTROY 1108 +#define SYS_ENTER_IO_SUBMIT 1107 +#define SYS_EXIT_IO_SUBMIT 1106 +#define SYS_ENTER_IO_CANCEL 1105 +#define SYS_EXIT_IO_CANCEL 1104 +#define SYS_ENTER_IO_GETEVENTS 1103 +#define SYS_EXIT_IO_GETEVENTS 1102 +#define SYS_ENTER_IO_PGETEVENTS 1101 +#define SYS_EXIT_IO_PGETEVENTS 1100 +#define SYS_ENTER_USERFAULTFD 1099 +#define SYS_EXIT_USERFAULTFD 1098 +#define SYS_ENTER_EVENTFD2 1097 +#define SYS_EXIT_EVENTFD2 1096 +#define SYS_ENTER_EVENTFD 1095 +#define SYS_EXIT_EVENTFD 1094 +#define SYS_ENTER_TIMERFD_CREATE 1093 +#define SYS_EXIT_TIMERFD_CREATE 1092 +#define SYS_ENTER_TIMERFD_SETTIME 1091 +#define SYS_EXIT_TIMERFD_SETTIME 1090 +#define SYS_ENTER_TIMERFD_GETTIME 1089 +#define SYS_EXIT_TIMERFD_GETTIME 1088 +#define SYS_ENTER_SIGNALFD4 1087 +#define SYS_EXIT_SIGNALFD4 1086 +#define SYS_ENTER_SIGNALFD 1085 +#define SYS_EXIT_SIGNALFD 1084 +#define SYS_ENTER_EPOLL_CREATE1 1083 +#define SYS_EXIT_EPOLL_CREATE1 1082 +#define SYS_ENTER_EPOLL_CREATE 1081 +#define SYS_EXIT_EPOLL_CREATE 1080 +#define SYS_ENTER_EPOLL_CTL 1079 +#define SYS_EXIT_EPOLL_CTL 1078 +#define SYS_ENTER_EPOLL_WAIT 1077 
+#define SYS_EXIT_EPOLL_WAIT 1076 +#define SYS_ENTER_EPOLL_PWAIT 1075 +#define SYS_EXIT_EPOLL_PWAIT 1074 +#define SYS_ENTER_EPOLL_PWAIT2 1073 +#define SYS_EXIT_EPOLL_PWAIT2 1072 +#define SYS_ENTER_FANOTIFY_INIT 1071 +#define SYS_EXIT_FANOTIFY_INIT 1070 +#define SYS_ENTER_FANOTIFY_MARK 1069 +#define SYS_EXIT_FANOTIFY_MARK 1068 +#define SYS_ENTER_INOTIFY_INIT1 1067 +#define SYS_EXIT_INOTIFY_INIT1 1066 +#define SYS_ENTER_INOTIFY_INIT 1065 +#define SYS_EXIT_INOTIFY_INIT 1064 +#define SYS_ENTER_INOTIFY_ADD_WATCH 1063 +#define SYS_EXIT_INOTIFY_ADD_WATCH 1062 +#define SYS_ENTER_INOTIFY_RM_WATCH 1061 +#define SYS_EXIT_INOTIFY_RM_WATCH 1060 +#define SYS_ENTER_FILE_GETATTR 1059 +#define SYS_EXIT_FILE_GETATTR 1058 +#define SYS_ENTER_FILE_SETATTR 1057 +#define SYS_EXIT_FILE_SETATTR 1056 +#define SYS_ENTER_FSOPEN 1055 +#define SYS_EXIT_FSOPEN 1054 +#define SYS_ENTER_FSPICK 1053 +#define SYS_EXIT_FSPICK 1052 +#define SYS_ENTER_FSCONFIG 1051 +#define SYS_EXIT_FSCONFIG 1050 +#define SYS_ENTER_STATFS 1049 +#define SYS_EXIT_STATFS 1048 +#define SYS_ENTER_FSTATFS 1047 +#define SYS_EXIT_FSTATFS 1046 +#define SYS_ENTER_USTAT 1045 +#define SYS_EXIT_USTAT 1044 +#define SYS_ENTER_GETCWD 1043 +#define SYS_EXIT_GETCWD 1042 +#define SYS_ENTER_UTIMENSAT 1041 +#define SYS_EXIT_UTIMENSAT 1040 +#define SYS_ENTER_FUTIMESAT 1039 +#define SYS_EXIT_FUTIMESAT 1038 +#define SYS_ENTER_UTIMES 1037 +#define SYS_EXIT_UTIMES 1036 +#define SYS_ENTER_UTIME 1035 +#define SYS_EXIT_UTIME 1034 +#define SYS_ENTER_SYNC 1033 +#define SYS_EXIT_SYNC 1032 +#define SYS_ENTER_SYNCFS 1031 +#define SYS_EXIT_SYNCFS 1030 +#define SYS_ENTER_FSYNC 1029 +#define SYS_EXIT_FSYNC 1028 +#define SYS_ENTER_FDATASYNC 1027 +#define SYS_EXIT_FDATASYNC 1026 +#define SYS_ENTER_SYNC_FILE_RANGE 1025 +#define SYS_EXIT_SYNC_FILE_RANGE 1024 +#define SYS_ENTER_VMSPLICE 1023 +#define SYS_EXIT_VMSPLICE 1022 +#define SYS_ENTER_SPLICE 1021 +#define SYS_EXIT_SPLICE 1020 +#define SYS_ENTER_TEE 1019 +#define SYS_EXIT_TEE 1018 +#define 
SYS_ENTER_SETXATTRAT 985 +#define SYS_EXIT_SETXATTRAT 984 +#define SYS_ENTER_SETXATTR 983 +#define SYS_EXIT_SETXATTR 982 +#define SYS_ENTER_LSETXATTR 981 +#define SYS_EXIT_LSETXATTR 980 +#define SYS_ENTER_FSETXATTR 979 +#define SYS_EXIT_FSETXATTR 978 +#define SYS_ENTER_GETXATTRAT 977 +#define SYS_EXIT_GETXATTRAT 976 +#define SYS_ENTER_GETXATTR 975 +#define SYS_EXIT_GETXATTR 974 +#define SYS_ENTER_LGETXATTR 973 +#define SYS_EXIT_LGETXATTR 972 +#define SYS_ENTER_FGETXATTR 971 +#define SYS_EXIT_FGETXATTR 970 +#define SYS_ENTER_LISTXATTRAT 969 +#define SYS_EXIT_LISTXATTRAT 968 +#define SYS_ENTER_LISTXATTR 967 +#define SYS_EXIT_LISTXATTR 966 +#define SYS_ENTER_LLISTXATTR 965 +#define SYS_EXIT_LLISTXATTR 964 +#define SYS_ENTER_FLISTXATTR 963 +#define SYS_EXIT_FLISTXATTR 962 +#define SYS_ENTER_REMOVEXATTRAT 961 +#define SYS_EXIT_REMOVEXATTRAT 960 +#define SYS_ENTER_REMOVEXATTR 959 +#define SYS_EXIT_REMOVEXATTR 958 +#define SYS_ENTER_LREMOVEXATTR 957 +#define SYS_EXIT_LREMOVEXATTR 956 +#define SYS_ENTER_FREMOVEXATTR 955 +#define SYS_EXIT_FREMOVEXATTR 954 +#define SYS_ENTER_UMOUNT 953 +#define SYS_EXIT_UMOUNT 952 +#define SYS_ENTER_OPEN_TREE 951 +#define SYS_EXIT_OPEN_TREE 950 +#define SYS_ENTER_MOUNT 949 +#define SYS_EXIT_MOUNT 948 +#define SYS_ENTER_FSMOUNT 947 +#define SYS_EXIT_FSMOUNT 946 +#define SYS_ENTER_MOVE_MOUNT 945 +#define SYS_EXIT_MOVE_MOUNT 944 +#define SYS_ENTER_PIVOT_ROOT 943 +#define SYS_EXIT_PIVOT_ROOT 942 +#define SYS_ENTER_MOUNT_SETATTR 941 +#define SYS_EXIT_MOUNT_SETATTR 940 +#define SYS_ENTER_OPEN_TREE_ATTR 939 +#define SYS_EXIT_OPEN_TREE_ATTR 938 +#define SYS_ENTER_STATMOUNT 937 +#define SYS_EXIT_STATMOUNT 936 +#define SYS_ENTER_LISTMOUNT 935 +#define SYS_EXIT_LISTMOUNT 934 +#define SYS_ENTER_SYSFS 933 +#define SYS_EXIT_SYSFS 932 +#define SYS_ENTER_CLOSE_RANGE 931 +#define SYS_EXIT_CLOSE_RANGE 930 +#define SYS_ENTER_DUP3 929 +#define SYS_EXIT_DUP3 928 +#define SYS_ENTER_DUP2 927 +#define SYS_EXIT_DUP2 926 +#define SYS_ENTER_DUP 925 +#define 
SYS_EXIT_DUP 924 +#define SYS_ENTER_SELECT 919 +#define SYS_EXIT_SELECT 918 +#define SYS_ENTER_PSELECT6 917 +#define SYS_EXIT_PSELECT6 916 +#define SYS_ENTER_POLL 915 +#define SYS_EXIT_POLL 914 +#define SYS_ENTER_PPOLL 913 +#define SYS_EXIT_PPOLL 912 +#define SYS_ENTER_GETDENTS 911 +#define SYS_EXIT_GETDENTS 910 +#define SYS_ENTER_GETDENTS64 909 +#define SYS_EXIT_GETDENTS64 908 +#define SYS_ENTER_IOCTL 907 +#define SYS_EXIT_IOCTL 906 +#define SYS_ENTER_FCNTL 905 +#define SYS_EXIT_FCNTL 904 +#define SYS_ENTER_MKNODAT 903 +#define SYS_EXIT_MKNODAT 902 +#define SYS_ENTER_MKNOD 901 +#define SYS_EXIT_MKNOD 900 +#define SYS_ENTER_MKDIRAT 899 +#define SYS_EXIT_MKDIRAT 898 +#define SYS_ENTER_MKDIR 897 +#define SYS_EXIT_MKDIR 896 +#define SYS_ENTER_RMDIR 895 +#define SYS_EXIT_RMDIR 894 +#define SYS_ENTER_UNLINKAT 893 +#define SYS_EXIT_UNLINKAT 892 +#define SYS_ENTER_UNLINK 891 +#define SYS_EXIT_UNLINK 890 +#define SYS_ENTER_SYMLINKAT 889 +#define SYS_EXIT_SYMLINKAT 888 +#define SYS_ENTER_SYMLINK 887 +#define SYS_EXIT_SYMLINK 886 +#define SYS_ENTER_LINKAT 885 +#define SYS_EXIT_LINKAT 884 +#define SYS_ENTER_LINK 883 +#define SYS_EXIT_LINK 882 +#define SYS_ENTER_RENAMEAT2 881 +#define SYS_EXIT_RENAMEAT2 880 +#define SYS_ENTER_RENAMEAT 879 +#define SYS_EXIT_RENAMEAT 878 +#define SYS_ENTER_RENAME 877 +#define SYS_EXIT_RENAME 876 +#define SYS_ENTER_PIPE2 875 +#define SYS_EXIT_PIPE2 874 +#define SYS_ENTER_PIPE 873 +#define SYS_EXIT_PIPE 872 +#define SYS_ENTER_EXECVE 871 +#define SYS_EXIT_EXECVE 870 +#define SYS_ENTER_EXECVEAT 869 +#define SYS_EXIT_EXECVEAT 868 +#define SYS_ENTER_NEWSTAT 867 +#define SYS_EXIT_NEWSTAT 866 +#define SYS_ENTER_NEWLSTAT 865 +#define SYS_EXIT_NEWLSTAT 864 +#define SYS_ENTER_NEWFSTATAT 863 +#define SYS_EXIT_NEWFSTATAT 862 +#define SYS_ENTER_NEWFSTAT 861 +#define SYS_EXIT_NEWFSTAT 860 +#define SYS_ENTER_READLINKAT 859 +#define SYS_EXIT_READLINKAT 858 +#define SYS_ENTER_READLINK 857 +#define SYS_EXIT_READLINK 856 +#define SYS_ENTER_STATX 855 +#define 
SYS_EXIT_STATX 854 +#define SYS_ENTER_LSEEK 853 +#define SYS_EXIT_LSEEK 852 +#define SYS_ENTER_READ 851 +#define SYS_EXIT_READ 850 +#define SYS_ENTER_WRITE 849 +#define SYS_EXIT_WRITE 848 +#define SYS_ENTER_PREAD64 847 +#define SYS_EXIT_PREAD64 846 +#define SYS_ENTER_PWRITE64 845 +#define SYS_EXIT_PWRITE64 844 +#define SYS_ENTER_READV 843 +#define SYS_EXIT_READV 842 +#define SYS_ENTER_WRITEV 841 +#define SYS_EXIT_WRITEV 840 +#define SYS_ENTER_PREADV 839 +#define SYS_EXIT_PREADV 838 +#define SYS_ENTER_PREADV2 837 +#define SYS_EXIT_PREADV2 836 +#define SYS_ENTER_PWRITEV 835 +#define SYS_EXIT_PWRITEV 834 +#define SYS_ENTER_PWRITEV2 833 +#define SYS_EXIT_PWRITEV2 832 +#define SYS_ENTER_SENDFILE64 831 +#define SYS_EXIT_SENDFILE64 830 +#define SYS_ENTER_COPY_FILE_RANGE 829 +#define SYS_EXIT_COPY_FILE_RANGE 828 +#define SYS_ENTER_TRUNCATE 827 +#define SYS_EXIT_TRUNCATE 826 +#define SYS_ENTER_FTRUNCATE 825 +#define SYS_EXIT_FTRUNCATE 824 +#define SYS_ENTER_FALLOCATE 823 +#define SYS_EXIT_FALLOCATE 822 +#define SYS_ENTER_FACCESSAT 821 +#define SYS_EXIT_FACCESSAT 820 +#define SYS_ENTER_FACCESSAT2 819 +#define SYS_EXIT_FACCESSAT2 818 +#define SYS_ENTER_ACCESS 817 +#define SYS_EXIT_ACCESS 816 +#define SYS_ENTER_CHDIR 815 +#define SYS_EXIT_CHDIR 814 +#define SYS_ENTER_FCHDIR 813 +#define SYS_EXIT_FCHDIR 812 +#define SYS_ENTER_CHROOT 811 +#define SYS_EXIT_CHROOT 810 +#define SYS_ENTER_FCHMOD 809 +#define SYS_EXIT_FCHMOD 808 +#define SYS_ENTER_FCHMODAT2 807 +#define SYS_EXIT_FCHMODAT2 806 +#define SYS_ENTER_FCHMODAT 805 +#define SYS_EXIT_FCHMODAT 804 +#define SYS_ENTER_CHMOD 803 +#define SYS_EXIT_CHMOD 802 +#define SYS_ENTER_FCHOWNAT 801 +#define SYS_EXIT_FCHOWNAT 800 +#define SYS_ENTER_CHOWN 799 +#define SYS_EXIT_CHOWN 798 +#define SYS_ENTER_LCHOWN 797 +#define SYS_EXIT_LCHOWN 796 +#define SYS_ENTER_FCHOWN 795 +#define SYS_EXIT_FCHOWN 794 +#define SYS_ENTER_OPEN 793 +#define SYS_EXIT_OPEN 792 +#define SYS_ENTER_OPENAT 791 +#define SYS_EXIT_OPENAT 790 +#define SYS_ENTER_OPENAT2 
789 +#define SYS_EXIT_OPENAT2 788 +#define SYS_ENTER_CREAT 787 +#define SYS_EXIT_CREAT 786 +#define SYS_ENTER_CLOSE 785 +#define SYS_EXIT_CLOSE 784 +#define SYS_ENTER_VHANGUP 783 +#define SYS_EXIT_VHANGUP 782 +#define SYS_ENTER_MEMFD_CREATE 781 +#define SYS_EXIT_MEMFD_CREATE 780 +#define SYS_ENTER_MEMFD_SECRET 774 +#define SYS_EXIT_MEMFD_SECRET 773 +#define SYS_ENTER_MOVE_PAGES 754 +#define SYS_EXIT_MOVE_PAGES 753 +#define SYS_ENTER_SET_MEMPOLICY_HOME_NODE 743 +#define SYS_EXIT_SET_MEMPOLICY_HOME_NODE 742 +#define SYS_ENTER_MBIND 741 +#define SYS_EXIT_MBIND 740 +#define SYS_ENTER_SET_MEMPOLICY 739 +#define SYS_EXIT_SET_MEMPOLICY 738 +#define SYS_ENTER_MIGRATE_PAGES 737 +#define SYS_EXIT_MIGRATE_PAGES 736 +#define SYS_ENTER_GET_MEMPOLICY 735 +#define SYS_EXIT_GET_MEMPOLICY 734 +#define SYS_ENTER_SWAPOFF 733 +#define SYS_EXIT_SWAPOFF 732 +#define SYS_ENTER_SWAPON 731 +#define SYS_EXIT_SWAPON 730 +#define SYS_ENTER_MADVISE 729 +#define SYS_EXIT_MADVISE 728 +#define SYS_ENTER_PROCESS_MADVISE 727 +#define SYS_EXIT_PROCESS_MADVISE 726 +#define SYS_ENTER_MSEAL 725 +#define SYS_EXIT_MSEAL 724 +#define SYS_ENTER_PROCESS_VM_READV 723 +#define SYS_EXIT_PROCESS_VM_READV 722 +#define SYS_ENTER_PROCESS_VM_WRITEV 721 +#define SYS_EXIT_PROCESS_VM_WRITEV 720 +#define SYS_ENTER_MSYNC 712 +#define SYS_EXIT_MSYNC 711 +#define SYS_ENTER_MREMAP 710 +#define SYS_EXIT_MREMAP 709 +#define SYS_ENTER_MPROTECT 708 +#define SYS_EXIT_MPROTECT 707 +#define SYS_ENTER_PKEY_MPROTECT 706 +#define SYS_EXIT_PKEY_MPROTECT 705 +#define SYS_ENTER_PKEY_ALLOC 704 +#define SYS_EXIT_PKEY_ALLOC 703 +#define SYS_ENTER_PKEY_FREE 702 +#define SYS_EXIT_PKEY_FREE 701 +#define SYS_ENTER_BRK 698 +#define SYS_EXIT_BRK 697 +#define SYS_ENTER_MUNMAP 696 +#define SYS_EXIT_MUNMAP 695 +#define SYS_ENTER_REMAP_FILE_PAGES 694 +#define SYS_EXIT_REMAP_FILE_PAGES 693 +#define SYS_ENTER_MLOCK 692 +#define SYS_EXIT_MLOCK 691 +#define SYS_ENTER_MLOCK2 690 +#define SYS_EXIT_MLOCK2 689 +#define SYS_ENTER_MUNLOCK 688 +#define 
SYS_EXIT_MUNLOCK 687 +#define SYS_ENTER_MLOCKALL 686 +#define SYS_EXIT_MLOCKALL 685 +#define SYS_ENTER_MUNLOCKALL 684 +#define SYS_EXIT_MUNLOCKALL 683 +#define SYS_ENTER_MINCORE 682 +#define SYS_EXIT_MINCORE 681 #define SYS_ENTER_READAHEAD 616 #define SYS_EXIT_READAHEAD 615 #define SYS_ENTER_FADVISE64 614 #define SYS_EXIT_FADVISE64 613 +#define SYS_ENTER_PROCESS_MRELEASE 604 +#define SYS_EXIT_PROCESS_MRELEASE 603 #define SYS_ENTER_CACHESTAT 595 #define SYS_EXIT_CACHESTAT 594 +#define SYS_ENTER_RSEQ 591 +#define SYS_EXIT_RSEQ 590 +#define SYS_ENTER_PERF_EVENT_OPEN 587 +#define SYS_EXIT_PERF_EVENT_OPEN 586 +#define SYS_ENTER_BPF 585 +#define SYS_EXIT_BPF 584 +#define SYS_ENTER_SECCOMP 526 +#define SYS_EXIT_SECCOMP 525 +#define SYS_ENTER_KEXEC_FILE_LOAD 508 +#define SYS_EXIT_KEXEC_FILE_LOAD 507 +#define SYS_ENTER_KEXEC_LOAD 506 +#define SYS_EXIT_KEXEC_LOAD 505 +#define SYS_ENTER_ACCT 504 +#define SYS_EXIT_ACCT 503 +#define SYS_ENTER_SET_ROBUST_LIST 499 +#define SYS_EXIT_SET_ROBUST_LIST 498 +#define SYS_ENTER_GET_ROBUST_LIST 497 +#define SYS_EXIT_GET_ROBUST_LIST 496 +#define SYS_ENTER_FUTEX 495 +#define SYS_EXIT_FUTEX 494 +#define SYS_ENTER_FUTEX_WAITV 493 +#define SYS_EXIT_FUTEX_WAITV 492 +#define SYS_ENTER_FUTEX_WAKE 491 +#define SYS_EXIT_FUTEX_WAKE 490 +#define SYS_ENTER_FUTEX_WAIT 489 +#define SYS_EXIT_FUTEX_WAIT 488 +#define SYS_ENTER_FUTEX_REQUEUE 487 +#define SYS_EXIT_FUTEX_REQUEUE 486 +#define SYS_ENTER_GETITIMER 471 +#define SYS_EXIT_GETITIMER 470 +#define SYS_ENTER_ALARM 469 +#define SYS_EXIT_ALARM 468 +#define SYS_ENTER_SETITIMER 467 +#define SYS_EXIT_SETITIMER 466 +#define SYS_ENTER_TIMER_CREATE 465 +#define SYS_EXIT_TIMER_CREATE 464 +#define SYS_ENTER_TIMER_GETTIME 463 +#define SYS_EXIT_TIMER_GETTIME 462 +#define SYS_ENTER_TIMER_GETOVERRUN 461 +#define SYS_EXIT_TIMER_GETOVERRUN 460 +#define SYS_ENTER_TIMER_SETTIME 459 +#define SYS_EXIT_TIMER_SETTIME 458 +#define SYS_ENTER_TIMER_DELETE 457 +#define SYS_EXIT_TIMER_DELETE 456 +#define SYS_ENTER_CLOCK_SETTIME 
455 +#define SYS_EXIT_CLOCK_SETTIME 454 +#define SYS_ENTER_CLOCK_GETTIME 453 +#define SYS_EXIT_CLOCK_GETTIME 452 +#define SYS_ENTER_CLOCK_ADJTIME 451 +#define SYS_EXIT_CLOCK_ADJTIME 450 +#define SYS_ENTER_CLOCK_GETRES 449 +#define SYS_EXIT_CLOCK_GETRES 448 +#define SYS_ENTER_CLOCK_NANOSLEEP 447 +#define SYS_EXIT_CLOCK_NANOSLEEP 446 +#define SYS_ENTER_NANOSLEEP 441 +#define SYS_EXIT_NANOSLEEP 440 +#define SYS_ENTER_TIME 425 +#define SYS_EXIT_TIME 424 +#define SYS_ENTER_GETTIMEOFDAY 423 +#define SYS_EXIT_GETTIMEOFDAY 422 +#define SYS_ENTER_SETTIMEOFDAY 421 +#define SYS_EXIT_SETTIMEOFDAY 420 +#define SYS_ENTER_ADJTIMEX 419 +#define SYS_EXIT_ADJTIMEX 418 +#define SYS_ENTER_KCMP 417 +#define SYS_EXIT_KCMP 416 +#define SYS_ENTER_DELETE_MODULE 410 +#define SYS_EXIT_DELETE_MODULE 409 +#define SYS_ENTER_INIT_MODULE 408 +#define SYS_EXIT_INIT_MODULE 407 #define SYS_ENTER_FINIT_MODULE 406 #define SYS_EXIT_FINIT_MODULE 405 #define SYS_ENTER_SYSLOG 350 #define SYS_EXIT_SYSLOG 349 +#define SYS_ENTER_MEMBARRIER 346 +#define SYS_EXIT_MEMBARRIER 345 +#define SYS_ENTER_SCHED_SETSCHEDULER 341 +#define SYS_EXIT_SCHED_SETSCHEDULER 340 +#define SYS_ENTER_SCHED_SETPARAM 339 +#define SYS_EXIT_SCHED_SETPARAM 338 +#define SYS_ENTER_SCHED_SETATTR 337 +#define SYS_EXIT_SCHED_SETATTR 336 +#define SYS_ENTER_SCHED_GETSCHEDULER 335 +#define SYS_EXIT_SCHED_GETSCHEDULER 334 +#define SYS_ENTER_SCHED_GETPARAM 333 +#define SYS_EXIT_SCHED_GETPARAM 332 +#define SYS_ENTER_SCHED_GETATTR 331 +#define SYS_EXIT_SCHED_GETATTR 330 +#define SYS_ENTER_SCHED_SETAFFINITY 329 +#define SYS_EXIT_SCHED_SETAFFINITY 328 +#define SYS_ENTER_SCHED_GETAFFINITY 327 +#define SYS_EXIT_SCHED_GETAFFINITY 326 +#define SYS_ENTER_SCHED_YIELD 325 +#define SYS_EXIT_SCHED_YIELD 324 +#define SYS_ENTER_SCHED_GET_PRIORITY_MAX 323 +#define SYS_EXIT_SCHED_GET_PRIORITY_MAX 322 +#define SYS_ENTER_SCHED_GET_PRIORITY_MIN 321 +#define SYS_EXIT_SCHED_GET_PRIORITY_MIN 320 +#define SYS_ENTER_SCHED_RR_GET_INTERVAL 319 +#define 
SYS_EXIT_SCHED_RR_GET_INTERVAL 318 +#define SYS_ENTER_GETGROUPS 286 +#define SYS_EXIT_GETGROUPS 285 +#define SYS_ENTER_SETGROUPS 284 +#define SYS_EXIT_SETGROUPS 283 +#define SYS_ENTER_REBOOT 282 +#define SYS_EXIT_REBOOT 281 +#define SYS_ENTER_LISTNS 277 +#define SYS_EXIT_LISTNS 276 +#define SYS_ENTER_SETNS 275 +#define SYS_EXIT_SETNS 274 +#define SYS_ENTER_PIDFD_OPEN 273 +#define SYS_EXIT_PIDFD_OPEN 272 #define SYS_ENTER_PIDFD_GETFD 271 #define SYS_EXIT_PIDFD_GETFD 270 +#define SYS_ENTER_SETPRIORITY 265 +#define SYS_EXIT_SETPRIORITY 264 +#define SYS_ENTER_GETPRIORITY 263 +#define SYS_EXIT_GETPRIORITY 262 +#define SYS_ENTER_SETREGID 261 +#define SYS_EXIT_SETREGID 260 +#define SYS_ENTER_SETGID 259 +#define SYS_EXIT_SETGID 258 +#define SYS_ENTER_SETREUID 257 +#define SYS_EXIT_SETREUID 256 +#define SYS_ENTER_SETUID 255 +#define SYS_EXIT_SETUID 254 +#define SYS_ENTER_SETRESUID 253 +#define SYS_EXIT_SETRESUID 252 +#define SYS_ENTER_GETRESUID 251 +#define SYS_EXIT_GETRESUID 250 +#define SYS_ENTER_SETRESGID 249 +#define SYS_EXIT_SETRESGID 248 +#define SYS_ENTER_GETRESGID 247 +#define SYS_EXIT_GETRESGID 246 +#define SYS_ENTER_SETFSUID 245 +#define SYS_EXIT_SETFSUID 244 +#define SYS_ENTER_SETFSGID 243 +#define SYS_EXIT_SETFSGID 242 +#define SYS_ENTER_GETPID 241 +#define SYS_EXIT_GETPID 240 +#define SYS_ENTER_GETTID 239 +#define SYS_EXIT_GETTID 238 +#define SYS_ENTER_GETPPID 237 +#define SYS_EXIT_GETPPID 236 +#define SYS_ENTER_GETUID 235 +#define SYS_EXIT_GETUID 234 +#define SYS_ENTER_GETEUID 233 +#define SYS_EXIT_GETEUID 232 +#define SYS_ENTER_GETGID 231 +#define SYS_EXIT_GETGID 230 +#define SYS_ENTER_GETEGID 229 +#define SYS_EXIT_GETEGID 228 +#define SYS_ENTER_TIMES 227 +#define SYS_EXIT_TIMES 226 +#define SYS_ENTER_SETPGID 225 +#define SYS_EXIT_SETPGID 224 +#define SYS_ENTER_GETPGID 223 +#define SYS_EXIT_GETPGID 222 +#define SYS_ENTER_GETPGRP 221 +#define SYS_EXIT_GETPGRP 220 +#define SYS_ENTER_GETSID 219 +#define SYS_EXIT_GETSID 218 +#define SYS_ENTER_SETSID 217 +#define 
SYS_EXIT_SETSID 216 +#define SYS_ENTER_NEWUNAME 215 +#define SYS_EXIT_NEWUNAME 214 +#define SYS_ENTER_SETHOSTNAME 213 +#define SYS_EXIT_SETHOSTNAME 212 +#define SYS_ENTER_SETDOMAINNAME 211 +#define SYS_EXIT_SETDOMAINNAME 210 +#define SYS_ENTER_GETRLIMIT 209 +#define SYS_EXIT_GETRLIMIT 208 +#define SYS_ENTER_PRLIMIT64 207 +#define SYS_EXIT_PRLIMIT64 206 +#define SYS_ENTER_SETRLIMIT 205 +#define SYS_EXIT_SETRLIMIT 204 +#define SYS_ENTER_GETRUSAGE 203 +#define SYS_EXIT_GETRUSAGE 202 +#define SYS_ENTER_UMASK 201 +#define SYS_EXIT_UMASK 200 +#define SYS_ENTER_PRCTL 199 +#define SYS_EXIT_PRCTL 198 +#define SYS_ENTER_GETCPU 197 +#define SYS_EXIT_GETCPU 196 +#define SYS_ENTER_SYSINFO 195 +#define SYS_EXIT_SYSINFO 194 +#define SYS_ENTER_RESTART_SYSCALL 191 +#define SYS_EXIT_RESTART_SYSCALL 190 +#define SYS_ENTER_RT_SIGPROCMASK 189 +#define SYS_EXIT_RT_SIGPROCMASK 188 +#define SYS_ENTER_RT_SIGPENDING 187 +#define SYS_EXIT_RT_SIGPENDING 186 +#define SYS_ENTER_RT_SIGTIMEDWAIT 185 +#define SYS_EXIT_RT_SIGTIMEDWAIT 184 +#define SYS_ENTER_KILL 183 +#define SYS_EXIT_KILL 182 +#define SYS_ENTER_PIDFD_SEND_SIGNAL 181 +#define SYS_EXIT_PIDFD_SEND_SIGNAL 180 +#define SYS_ENTER_TGKILL 179 +#define SYS_EXIT_TGKILL 178 +#define SYS_ENTER_TKILL 177 +#define SYS_EXIT_TKILL 176 +#define SYS_ENTER_RT_SIGQUEUEINFO 175 +#define SYS_EXIT_RT_SIGQUEUEINFO 174 +#define SYS_ENTER_RT_TGSIGQUEUEINFO 173 +#define SYS_EXIT_RT_TGSIGQUEUEINFO 172 +#define SYS_ENTER_SIGALTSTACK 171 +#define SYS_EXIT_SIGALTSTACK 170 +#define SYS_ENTER_RT_SIGACTION 169 +#define SYS_EXIT_RT_SIGACTION 168 +#define SYS_ENTER_PAUSE 167 +#define SYS_EXIT_PAUSE 166 +#define SYS_ENTER_RT_SIGSUSPEND 165 +#define SYS_EXIT_RT_SIGSUSPEND 164 +#define SYS_ENTER_PTRACE 163 +#define SYS_EXIT_PTRACE 162 +#define SYS_ENTER_CAPGET 161 +#define SYS_EXIT_CAPGET 160 +#define SYS_ENTER_CAPSET 159 +#define SYS_EXIT_CAPSET 158 +#define SYS_ENTER_EXIT 150 +#define SYS_EXIT_EXIT 149 +#define SYS_ENTER_EXIT_GROUP 148 +#define SYS_EXIT_EXIT_GROUP 147 
+#define SYS_ENTER_WAITID 146 +#define SYS_EXIT_WAITID 145 +#define SYS_ENTER_WAIT4 144 +#define SYS_EXIT_WAIT4 143 +#define SYS_ENTER_PERSONALITY 139 +#define SYS_EXIT_PERSONALITY 138 +#define SYS_ENTER_SET_TID_ADDRESS 134 +#define SYS_EXIT_SET_TID_ADDRESS 133 +#define SYS_ENTER_FORK 132 +#define SYS_EXIT_FORK 131 +#define SYS_ENTER_VFORK 130 +#define SYS_EXIT_VFORK 129 +#define SYS_ENTER_CLONE 128 +#define SYS_EXIT_CLONE 127 +#define SYS_ENTER_CLONE3 126 +#define SYS_EXIT_CLONE3 125 +#define SYS_ENTER_UNSHARE 124 +#define SYS_EXIT_UNSHARE 123 +#define SYS_ENTER_MAP_SHADOW_STACK 119 +#define SYS_EXIT_MAP_SHADOW_STACK 118 +#define SYS_ENTER_URETPROBE 117 +#define SYS_EXIT_URETPROBE 116 +#define SYS_ENTER_UPROBE 115 +#define SYS_EXIT_UPROBE 114 +#define SYS_ENTER_ARCH_PRCTL 102 +#define SYS_EXIT_ARCH_PRCTL 101 #define SYS_ENTER_MMAP 100 #define SYS_EXIT_MMAP 99 - -/// sys_enter_io_uring_register is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_io_uring_register") -int handle_sys_enter_io_uring_register(struct syscall_trace_enter *ctx) { +#define SYS_ENTER_MODIFY_LDT 98 +#define SYS_EXIT_MODIFY_LDT 97 +#define SYS_ENTER_IOPERM 95 +#define SYS_EXIT_IOPERM 94 +#define SYS_ENTER_IOPL 93 +#define SYS_EXIT_IOPL 92 +#define SYS_ENTER_RT_SIGRETURN 57 +#define SYS_EXIT_RT_SIGRETURN 56 + +/// sys_enter_socket is a struct null_event +SEC("tracepoint/syscalls/sys_enter_socket") +int handle_sys_enter_socket(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_REGISTER; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SOCKET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// 
sys_exit_io_uring_register is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_uring_register") -int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx) { +/// sys_exit_socket is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_socket") +int handle_sys_exit_socket(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -520,7 +769,7 @@ int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_REGISTER; + ev->trace_id = SYS_EXIT_SOCKET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -531,31 +780,30 @@ int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_io_uring_enter is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_io_uring_enter") -int handle_sys_enter_io_uring_enter(struct syscall_trace_enter *ctx) { +/// sys_enter_socketpair is a struct null_event +SEC("tracepoint/syscalls/sys_enter_socketpair") +int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_ENTER; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SOCKETPAIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_uring_enter is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_uring_enter") -int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx) { +/// sys_exit_socketpair is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_socketpair") +int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -565,7 +813,7 @@ int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_ENTER; + ev->trace_id = SYS_EXIT_SOCKETPAIR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -576,30 +824,31 @@ int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_io_uring_setup is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_uring_setup") -int handle_sys_enter_io_uring_setup(struct syscall_trace_enter *ctx) { +/// sys_enter_bind is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_bind") +int handle_sys_enter_bind(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_URING_SETUP; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_BIND; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_uring_setup is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_uring_setup") -int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { +/// sys_exit_bind is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_bind") +int handle_sys_exit_bind(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -609,7 +858,7 @@ int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_URING_SETUP; + ev->trace_id = SYS_EXIT_BIND; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -620,9 +869,9 @@ int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_quotactl_fd is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_quotactl_fd") -int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { +/// sys_enter_listen is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_listen") +int handle_sys_enter_listen(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -632,7 +881,7 @@ int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->trace_id = SYS_ENTER_LISTEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -642,9 +891,9 @@ int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_quotactl_fd is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_quotactl_fd") -int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx) { +/// sys_exit_listen is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listen") +int handle_sys_exit_listen(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -654,7 +903,7 @@ int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->trace_id = SYS_EXIT_LISTEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -665,32 +914,31 @@ int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_name_to_handle_at is a struct path_event -SEC("tracepoint/syscalls/sys_enter_name_to_handle_at") -int handle_sys_enter_name_to_handle_at(struct syscall_trace_enter *ctx) { +/// sys_enter_accept4 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_accept4") +int handle_sys_enter_accept4(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_NAME_TO_HANDLE_AT; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_ACCEPT4; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_name_to_handle_at") -int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx) { +/// sys_exit_accept4 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_accept4") +int handle_sys_exit_accept4(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -700,7 +948,7 @@ int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NAME_TO_HANDLE_AT; + ev->trace_id = SYS_EXIT_ACCEPT4; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -711,31 +959,31 @@ int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_open_by_handle_at is a struct open_by_handle_at_event -SEC("tracepoint/syscalls/sys_enter_open_by_handle_at") -int handle_sys_enter_open_by_handle_at(struct syscall_trace_enter *ctx) { +/// sys_enter_accept is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_accept") +int handle_sys_enter_accept(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_by_handle_at_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_by_handle_at_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_BY_HANDLE_AT_EVENT; - ev->trace_id = SYS_ENTER_OPEN_BY_HANDLE_AT; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_ACCEPT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->flags = (__s32)ctx->args[2]; + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_open_by_handle_at is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_open_by_handle_at") -int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx) { +/// sys_exit_accept is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_accept") +int handle_sys_exit_accept(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -745,7 +993,7 @@ int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPEN_BY_HANDLE_AT; + ev->trace_id = SYS_EXIT_ACCEPT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -756,9 +1004,9 @@ int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_flock is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_flock") -int handle_sys_enter_flock(struct syscall_trace_enter *ctx) { +/// sys_enter_connect is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_connect") +int handle_sys_enter_connect(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -768,7 +1016,7 @@ int handle_sys_enter_flock(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLOCK; + ev->trace_id = SYS_ENTER_CONNECT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -778,9 +1026,9 @@ int handle_sys_enter_flock(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_flock is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_flock") -int handle_sys_exit_flock(struct syscall_trace_exit *ctx) { +/// sys_exit_connect is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_connect") +int handle_sys_exit_connect(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -790,7 +1038,7 @@ int handle_sys_exit_flock(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLOCK; + ev->trace_id = SYS_EXIT_CONNECT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -801,30 +1049,31 @@ int handle_sys_exit_flock(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_io_setup is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_setup") -int handle_sys_enter_io_setup(struct syscall_trace_enter *ctx) { +/// sys_enter_getsockname is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getsockname") +int handle_sys_enter_getsockname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_SETUP; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETSOCKNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_setup is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_setup") -int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx) { +/// sys_exit_getsockname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getsockname") +int handle_sys_exit_getsockname(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -834,7 +1083,7 @@ int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_SETUP; + ev->trace_id = SYS_EXIT_GETSOCKNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -845,30 +1094,31 @@ int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_io_destroy is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_destroy") -int handle_sys_enter_io_destroy(struct syscall_trace_enter *ctx) { +/// sys_enter_getpeername is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getpeername") +int handle_sys_enter_getpeername(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_DESTROY; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETPEERNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_destroy") -int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx) { +/// sys_exit_getpeername is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpeername") +int handle_sys_exit_getpeername(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -878,7 +1128,7 @@ int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_DESTROY; + ev->trace_id = SYS_EXIT_GETPEERNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -889,30 +1139,31 @@ int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_io_submit is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_submit") -int handle_sys_enter_io_submit(struct syscall_trace_enter *ctx) { +/// sys_enter_sendto is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sendto") +int handle_sys_enter_sendto(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_SUBMIT; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SENDTO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_submit is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_submit") -int handle_sys_exit_io_submit(struct syscall_trace_exit *ctx) { +/// sys_exit_sendto is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendto") +int handle_sys_exit_sendto(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -922,41 +1173,42 @@ int handle_sys_exit_io_submit(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_SUBMIT; + ev->trace_id = SYS_EXIT_SENDTO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_io_cancel is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_cancel") -int handle_sys_enter_io_cancel(struct syscall_trace_enter *ctx) { +/// sys_enter_recvfrom is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_recvfrom") +int handle_sys_enter_recvfrom(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_CANCEL; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_RECVFROM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_cancel") -int handle_sys_exit_io_cancel(struct syscall_trace_exit *ctx) { +/// sys_exit_recvfrom is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_recvfrom") +int handle_sys_exit_recvfrom(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -966,41 +1218,42 @@ int handle_sys_exit_io_cancel(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_CANCEL; + ev->trace_id = SYS_EXIT_RECVFROM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_io_getevents is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_getevents") -int handle_sys_enter_io_getevents(struct syscall_trace_enter *ctx) { +/// sys_enter_setsockopt is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_setsockopt") +int handle_sys_enter_setsockopt(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_GETEVENTS; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SETSOCKOPT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_getevents is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_getevents") -int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx) { +/// sys_exit_setsockopt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setsockopt") +int handle_sys_exit_setsockopt(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1010,7 +1263,7 @@ int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_GETEVENTS; + ev->trace_id = SYS_EXIT_SETSOCKOPT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1021,30 +1274,31 @@ int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_io_pgetevents is a struct null_event -SEC("tracepoint/syscalls/sys_enter_io_pgetevents") -int handle_sys_enter_io_pgetevents(struct syscall_trace_enter *ctx) { +/// sys_enter_getsockopt is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getsockopt") +int handle_sys_enter_getsockopt(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_IO_PGETEVENTS; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETSOCKOPT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_io_pgetevents is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_io_pgetevents") -int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { +/// sys_exit_getsockopt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getsockopt") +int handle_sys_exit_getsockopt(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1054,7 +1308,7 @@ int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IO_PGETEVENTS; + ev->trace_id = SYS_EXIT_GETSOCKOPT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1065,32 +1319,31 @@ int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fanotify_mark is a struct path_event -SEC("tracepoint/syscalls/sys_enter_fanotify_mark") -int handle_sys_enter_fanotify_mark(struct syscall_trace_enter *ctx) { +/// sys_enter_shutdown is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_shutdown") +int handle_sys_enter_shutdown(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SHUTDOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fanotify_mark") -int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { +/// sys_exit_shutdown is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shutdown") +int handle_sys_exit_shutdown(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1100,7 +1353,7 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->trace_id = SYS_EXIT_SHUTDOWN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1111,32 +1364,31 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_file_getattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_file_getattr") -int handle_sys_enter_file_getattr(struct syscall_trace_enter *ctx) { +/// sys_enter_sendmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sendmsg") +int handle_sys_enter_sendmsg(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FILE_GETATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SENDMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_file_getattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_file_getattr") -int handle_sys_exit_file_getattr(struct syscall_trace_exit *ctx) { +/// sys_exit_sendmsg is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendmsg") +int handle_sys_exit_sendmsg(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1146,43 +1398,42 @@ int handle_sys_exit_file_getattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FILE_GETATTR; + ev->trace_id = SYS_EXIT_SENDMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_file_setattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_file_setattr") -int handle_sys_enter_file_setattr(struct syscall_trace_enter *ctx) { +/// sys_enter_sendmmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sendmmsg") +int handle_sys_enter_sendmmsg(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FILE_SETATTR; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SENDMMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_file_setattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_file_setattr") -int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { +/// sys_exit_sendmmsg is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendmmsg") +int handle_sys_exit_sendmmsg(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1192,43 +1443,42 @@ int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FILE_SETATTR; + ev->trace_id = SYS_EXIT_SENDMMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = WRITE_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_fspick is a struct path_event -SEC("tracepoint/syscalls/sys_enter_fspick") -int handle_sys_enter_fspick(struct syscall_trace_enter *ctx) { +/// sys_enter_recvmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_recvmsg") +int handle_sys_enter_recvmsg(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FSPICK; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_RECVMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fspick is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fspick") -int handle_sys_exit_fspick(struct syscall_trace_exit *ctx) { +/// sys_exit_recvmsg is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_recvmsg") +int handle_sys_exit_recvmsg(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1238,20 +1488,20 @@ int handle_sys_exit_fspick(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSPICK; + ev->trace_id = SYS_EXIT_RECVMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_fsconfig is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fsconfig") -int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx) { +/// sys_enter_recvmmsg is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_recvmmsg") +int handle_sys_enter_recvmmsg(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1261,7 +1511,7 @@ int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSCONFIG; + ev->trace_id = SYS_ENTER_RECVMMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -1271,9 +1521,9 @@ int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fsconfig") -int handle_sys_exit_fsconfig(struct syscall_trace_exit *ctx) { +/// sys_exit_recvmmsg is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_recvmmsg") +int handle_sys_exit_recvmmsg(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1283,43 +1533,41 @@ int handle_sys_exit_fsconfig(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSCONFIG; + ev->trace_id = SYS_EXIT_RECVMMSG; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; + ev->ret_type = READ_CLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_statfs is a struct path_event -SEC("tracepoint/syscalls/sys_enter_statfs") -int handle_sys_enter_statfs(struct syscall_trace_enter *ctx) { +/// sys_enter_getrandom is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getrandom") +int handle_sys_enter_getrandom(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_STATFS; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRANDOM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_statfs is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_statfs") -int handle_sys_exit_statfs(struct syscall_trace_exit *ctx) { +/// sys_exit_getrandom is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getrandom") +int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1329,7 +1577,7 @@ int handle_sys_exit_statfs(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_STATFS; + ev->trace_id = SYS_EXIT_GETRANDOM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -1340,9 +1588,9 @@ int handle_sys_exit_statfs(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fstatfs is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fstatfs") -int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx) { +/// sys_enter_io_uring_register is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_io_uring_register") +int handle_sys_enter_io_uring_register(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1352,7 +1600,7 @@ int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSTATFS; + ev->trace_id = SYS_ENTER_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -1362,9 +1610,9 @@ int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fstatfs") -int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { +/// sys_exit_io_uring_register is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_uring_register") +int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1374,7 +1622,7 @@ int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSTATFS; + ev->trace_id = SYS_EXIT_IO_URING_REGISTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1385,30 +1633,31 @@ int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_getcwd is a struct null_event -SEC("tracepoint/syscalls/sys_enter_getcwd") -int handle_sys_enter_getcwd(struct syscall_trace_enter *ctx) { +/// sys_enter_io_uring_enter is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_io_uring_enter") +int handle_sys_enter_io_uring_enter(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_GETCWD; + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_ENTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_getcwd is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_getcwd") -int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx) { +/// sys_exit_io_uring_enter is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_uring_enter") +int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1418,7 +1667,7 @@ int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETCWD; + ev->trace_id = SYS_EXIT_IO_URING_ENTER; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1429,32 +1678,30 @@ int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_utimensat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_utimensat") -int handle_sys_enter_utimensat(struct syscall_trace_enter *ctx) { +/// sys_enter_io_uring_setup is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_uring_setup") +int handle_sys_enter_io_uring_setup(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UTIMENSAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_URING_SETUP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_utimensat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_utimensat") -int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx) { +/// sys_exit_io_uring_setup is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_uring_setup") +int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1464,7 +1711,7 @@ int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UTIMENSAT; + ev->trace_id = SYS_EXIT_IO_URING_SETUP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1475,32 +1722,30 @@ int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_futimesat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_futimesat") -int handle_sys_enter_futimesat(struct syscall_trace_enter *ctx) { +/// sys_enter_ioprio_set is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ioprio_set") +int handle_sys_enter_ioprio_set(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FUTIMESAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IOPRIO_SET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_futimesat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_futimesat") -int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { +/// sys_exit_ioprio_set is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioprio_set") +int handle_sys_exit_ioprio_set(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1510,7 +1755,7 @@ int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FUTIMESAT; + ev->trace_id = SYS_EXIT_IOPRIO_SET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1521,9 +1766,9 @@ int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_sync is a struct null_event -SEC("tracepoint/syscalls/sys_enter_sync") -int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { +/// sys_enter_ioprio_get is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ioprio_get") +int handle_sys_enter_ioprio_get(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1533,7 +1778,7 @@ int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_SYNC; + ev->trace_id = SYS_ENTER_IOPRIO_GET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -1542,9 +1787,9 @@ int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_sync is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_sync") -int handle_sys_exit_sync(struct syscall_trace_exit *ctx) { +/// sys_exit_ioprio_get is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioprio_get") +int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1554,7 +1799,7 @@ int handle_sys_exit_sync(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYNC; + ev->trace_id = SYS_EXIT_IOPRIO_GET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1565,31 +1810,30 @@ int handle_sys_exit_sync(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_syncfs is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_syncfs") -int handle_sys_enter_syncfs(struct syscall_trace_enter *ctx) { +/// sys_enter_landlock_create_ruleset is a struct null_event +SEC("tracepoint/syscalls/sys_enter_landlock_create_ruleset") +int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_SYNCFS; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LANDLOCK_CREATE_RULESET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_syncfs is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_syncfs") -int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx) { +/// sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_landlock_create_ruleset") +int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1599,7 +1843,7 @@ int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYNCFS; + ev->trace_id = SYS_EXIT_LANDLOCK_CREATE_RULESET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1610,31 +1854,30 @@ int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fsync is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fsync") -int handle_sys_enter_fsync(struct syscall_trace_enter *ctx) { +/// sys_enter_landlock_add_rule is a struct null_event +SEC("tracepoint/syscalls/sys_enter_landlock_add_rule") +int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSYNC; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LANDLOCK_ADD_RULE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fsync is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fsync") -int handle_sys_exit_fsync(struct syscall_trace_exit *ctx) { +/// sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_landlock_add_rule") +int handle_sys_exit_landlock_add_rule(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1644,7 +1887,7 @@ int handle_sys_exit_fsync(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSYNC; + ev->trace_id = SYS_EXIT_LANDLOCK_ADD_RULE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1655,31 +1898,30 @@ int handle_sys_exit_fsync(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fdatasync is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fdatasync") -int handle_sys_enter_fdatasync(struct syscall_trace_enter *ctx) { +/// sys_enter_landlock_restrict_self is a struct null_event +SEC("tracepoint/syscalls/sys_enter_landlock_restrict_self") +int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FDATASYNC; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LANDLOCK_RESTRICT_SELF; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fdatasync is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fdatasync") -int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx) { +/// sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_landlock_restrict_self") +int handle_sys_exit_landlock_restrict_self(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1689,7 +1931,7 @@ int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FDATASYNC; + ev->trace_id = SYS_EXIT_LANDLOCK_RESTRICT_SELF; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1700,31 +1942,30 @@ int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_sync_file_range is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_sync_file_range") -int handle_sys_enter_sync_file_range(struct syscall_trace_enter *ctx) { +/// sys_enter_lsm_set_self_attr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_lsm_set_self_attr") +int handle_sys_enter_lsm_set_self_attr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LSM_SET_SELF_ATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_sync_file_range is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_sync_file_range") -int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx) { +/// sys_exit_lsm_set_self_attr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsm_set_self_attr") +int handle_sys_exit_lsm_set_self_attr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1734,7 +1975,7 @@ int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE; + ev->trace_id = SYS_EXIT_LSM_SET_SELF_ATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1745,31 +1986,30 @@ int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_vmsplice is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_vmsplice") -int handle_sys_enter_vmsplice(struct syscall_trace_enter *ctx) { +/// sys_enter_lsm_get_self_attr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_lsm_get_self_attr") +int handle_sys_enter_lsm_get_self_attr(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_VMSPLICE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LSM_GET_SELF_ATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_vmsplice is a struct ret_event (TRANSFER_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_vmsplice") -int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { +/// sys_exit_lsm_get_self_attr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsm_get_self_attr") +int handle_sys_exit_lsm_get_self_attr(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1779,43 +2019,41 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_VMSPLICE; + ev->trace_id = SYS_EXIT_LSM_GET_SELF_ATTR; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = TRANSFER_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_setxattrat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_setxattrat") -int handle_sys_enter_setxattrat(struct syscall_trace_enter *ctx) { +/// sys_enter_lsm_list_modules is a struct null_event +SEC("tracepoint/syscalls/sys_enter_lsm_list_modules") +int handle_sys_enter_lsm_list_modules(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_SETXATTRAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LSM_LIST_MODULES; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_setxattrat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_setxattrat") -int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx) { +/// sys_exit_lsm_list_modules is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsm_list_modules") +int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -1825,7 +2063,7 @@ int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SETXATTRAT; + ev->trace_id = SYS_EXIT_LSM_LIST_MODULES; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -1836,32 +2074,30 @@ int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_setxattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_setxattr") -int handle_sys_enter_setxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_add_key is a struct null_event +SEC("tracepoint/syscalls/sys_enter_add_key") +int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_SETXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ADD_KEY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_setxattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_setxattr") -int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_add_key is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_add_key") +int handle_sys_exit_add_key(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1871,7 +2107,7 @@ int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SETXATTR; + ev->trace_id = SYS_EXIT_ADD_KEY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1882,32 +2118,30 @@ int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_lsetxattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_lsetxattr") -int handle_sys_enter_lsetxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_request_key is a struct null_event +SEC("tracepoint/syscalls/sys_enter_request_key") +int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LSETXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_REQUEST_KEY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_lsetxattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_lsetxattr") -int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_request_key is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_request_key") +int handle_sys_exit_request_key(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1917,7 +2151,7 @@ int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSETXATTR; + ev->trace_id = SYS_EXIT_REQUEST_KEY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1928,31 +2162,30 @@ int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fsetxattr is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fsetxattr") -int handle_sys_enter_fsetxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_keyctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_keyctl") +int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FSETXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KEYCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fsetxattr") -int handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_keyctl") +int handle_sys_exit_keyctl(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -1962,7 +2195,7 @@ int handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FSETXATTR; + ev->trace_id = SYS_EXIT_KEYCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -1973,32 +2206,30 @@ int handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_getxattrat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_getxattrat") -int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx) { +/// sys_enter_mq_open is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_open") +int handle_sys_enter_mq_open(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_GETXATTRAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_getxattrat") -int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { +/// sys_exit_mq_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_open") +int handle_sys_exit_mq_open(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2008,7 +2239,7 @@ int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETXATTRAT; + ev->trace_id = SYS_EXIT_MQ_OPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2019,32 +2250,30 @@ int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_getxattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_getxattr") -int handle_sys_enter_getxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_mq_unlink is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_unlink") +int handle_sys_enter_mq_unlink(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_GETXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_UNLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_getxattr") -int handle_sys_exit_getxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_mq_unlink is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_unlink") +int handle_sys_exit_mq_unlink(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2054,43 +2283,41 @@ int handle_sys_exit_getxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETXATTR; + ev->trace_id = SYS_EXIT_MQ_UNLINK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_lgetxattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_lgetxattr") -int handle_sys_enter_lgetxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_mq_timedsend is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_timedsend") +int handle_sys_enter_mq_timedsend(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LGETXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_TIMEDSEND; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_lgetxattr") -int handle_sys_exit_lgetxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_mq_timedsend is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_timedsend") +int handle_sys_exit_mq_timedsend(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2100,42 +2327,11098 @@ int handle_sys_exit_lgetxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LGETXATTR; + ev->trace_id = SYS_EXIT_MQ_TIMEDSEND; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_fgetxattr is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fgetxattr") -int handle_sys_enter_fgetxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_mq_timedreceive is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_timedreceive") +int handle_sys_enter_mq_timedreceive(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_TIMEDRECEIVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_timedreceive is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_timedreceive") +int handle_sys_exit_mq_timedreceive(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_TIMEDRECEIVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_notify is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_notify") +int handle_sys_enter_mq_notify(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if 
(filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_NOTIFY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_notify is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_notify") +int handle_sys_exit_mq_notify(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_NOTIFY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mq_getsetattr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mq_getsetattr") +int handle_sys_enter_mq_getsetattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MQ_GETSETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mq_getsetattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mq_getsetattr") +int handle_sys_exit_mq_getsetattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MQ_GETSETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = 
ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmget") +int handle_sys_enter_shmget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmget") +int handle_sys_exit_shmget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmctl") +int handle_sys_enter_shmctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmctl") +int handle_sys_exit_shmctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmat is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmat") +int handle_sys_enter_shmat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmat") +int handle_sys_exit_shmat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_shmdt is a struct null_event +SEC("tracepoint/syscalls/sys_enter_shmdt") +int handle_sys_enter_shmdt(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SHMDT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_shmdt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_shmdt") +int 
handle_sys_exit_shmdt(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SHMDT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semget") +int handle_sys_enter_semget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semget") +int handle_sys_exit_semget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semctl") +int handle_sys_enter_semctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMCTL; + ev->pid = pid; + ev->tid = tid; + 
ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semctl") +int handle_sys_exit_semctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semtimedop is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semtimedop") +int handle_sys_enter_semtimedop(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMTIMEDOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semtimedop is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semtimedop") +int handle_sys_exit_semtimedop(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMTIMEDOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_semop is a struct null_event +SEC("tracepoint/syscalls/sys_enter_semop") +int handle_sys_enter_semop(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + 
struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SEMOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_semop is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_semop") +int handle_sys_exit_semop(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SEMOP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgget") +int handle_sys_enter_msgget(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgget") +int handle_sys_exit_msgget(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGGET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgctl is a 
struct null_event +SEC("tracepoint/syscalls/sys_enter_msgctl") +int handle_sys_enter_msgctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgctl") +int handle_sys_exit_msgctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgsnd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgsnd") +int handle_sys_enter_msgsnd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGSND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgsnd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgsnd") +int handle_sys_exit_msgsnd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGSND; + ev->pid = 
pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msgrcv is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msgrcv") +int handle_sys_enter_msgrcv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSGRCV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msgrcv is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msgrcv") +int handle_sys_exit_msgrcv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSGRCV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_quotactl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_quotactl") +int handle_sys_enter_quotactl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_QUOTACTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_quotactl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_quotactl") +int handle_sys_exit_quotactl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + 
return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_QUOTACTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_quotactl_fd is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_quotactl_fd") +int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_QUOTACTL_FD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_quotactl_fd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_quotactl_fd") +int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_QUOTACTL_FD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_name_to_handle_at is a struct path_event +SEC("tracepoint/syscalls/sys_enter_name_to_handle_at") +int handle_sys_enter_name_to_handle_at(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_NAME_TO_HANDLE_AT; + ev->pid = pid; + ev->tid = 
tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_name_to_handle_at") +int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NAME_TO_HANDLE_AT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_open_by_handle_at is a struct open_by_handle_at_event +SEC("tracepoint/syscalls/sys_enter_open_by_handle_at") +int handle_sys_enter_open_by_handle_at(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_by_handle_at_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_by_handle_at_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_BY_HANDLE_AT_EVENT; + ev->trace_id = SYS_ENTER_OPEN_BY_HANDLE_AT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->flags = (__s32)ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_open_by_handle_at is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_open_by_handle_at") +int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_BY_HANDLE_AT; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_flock is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_flock") +int handle_sys_enter_flock(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_flock is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_flock") +int handle_sys_exit_flock(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_io_setup is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_setup") +int handle_sys_enter_io_setup(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_SETUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_io_setup is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_setup") +int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct 
ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_SETUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_io_destroy is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_destroy") +int handle_sys_enter_io_destroy(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_DESTROY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_destroy") +int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_DESTROY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_io_submit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_submit") +int handle_sys_enter_io_submit(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_SUBMIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; 
+} + +/// sys_exit_io_submit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_submit") +int handle_sys_exit_io_submit(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_SUBMIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_io_cancel is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_cancel") +int handle_sys_enter_io_cancel(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_CANCEL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_cancel") +int handle_sys_exit_io_cancel(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_CANCEL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_io_getevents is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_getevents") +int handle_sys_enter_io_getevents(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_GETEVENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_io_getevents is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_getevents") +int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_GETEVENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_io_pgetevents is a struct null_event +SEC("tracepoint/syscalls/sys_enter_io_pgetevents") +int handle_sys_enter_io_pgetevents(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IO_PGETEVENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_io_pgetevents is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_io_pgetevents") +int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IO_PGETEVENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; 
+} + +/// sys_enter_userfaultfd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_userfaultfd") +int handle_sys_enter_userfaultfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_USERFAULTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_userfaultfd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_userfaultfd") +int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_USERFAULTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_eventfd2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_eventfd2") +int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EVENTFD2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_eventfd2") +int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 
0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EVENTFD2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_eventfd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_eventfd") +int handle_sys_enter_eventfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EVENTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_eventfd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_eventfd") +int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EVENTFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timerfd_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timerfd_create") +int handle_sys_enter_timerfd_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMERFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timerfd_create is a struct ret_event (UNCLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_timerfd_create") +int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMERFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timerfd_settime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timerfd_settime") +int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMERFD_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timerfd_settime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timerfd_settime") +int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMERFD_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timerfd_gettime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timerfd_gettime") +int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMERFD_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timerfd_gettime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timerfd_gettime") +int handle_sys_exit_timerfd_gettime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMERFD_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_signalfd4 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_signalfd4") +int handle_sys_enter_signalfd4(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SIGNALFD4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_signalfd4 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_signalfd4") +int handle_sys_exit_signalfd4(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SIGNALFD4; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 
0); + return 0; +} + +/// sys_enter_signalfd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_signalfd") +int handle_sys_enter_signalfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SIGNALFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_signalfd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_signalfd") +int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SIGNALFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_create1 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_create1") +int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_CREATE1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_create1") +int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_CREATE1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_create") +int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_create") +int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_ctl is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_epoll_ctl") +int handle_sys_enter_epoll_ctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_CTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// 
sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_ctl") +int handle_sys_exit_epoll_ctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_CTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_wait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_wait") +int handle_sys_enter_epoll_wait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_wait") +int handle_sys_exit_epoll_wait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_pwait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_pwait") +int handle_sys_enter_epoll_pwait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_PWAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_pwait") +int handle_sys_exit_epoll_pwait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_PWAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_epoll_pwait2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_epoll_pwait2") +int handle_sys_enter_epoll_pwait2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EPOLL_PWAIT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_epoll_pwait2") +int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EPOLL_PWAIT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// 
sys_enter_fanotify_init is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fanotify_init") +int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FANOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fanotify_init") +int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fanotify_mark is a struct path_event +SEC("tracepoint/syscalls/sys_enter_fanotify_mark") +int handle_sys_enter_fanotify_mark(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[4]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fanotify_mark") +int handle_sys_exit_fanotify_mark(struct 
syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FANOTIFY_MARK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_init1 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_inotify_init1") +int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_INIT1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_init1") +int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_INIT1; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_init is a struct null_event +SEC("tracepoint/syscalls/sys_enter_inotify_init") +int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = 
SYS_ENTER_INOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_init") +int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_INIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_add_watch is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_inotify_add_watch") +int handle_sys_enter_inotify_add_watch(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_add_watch") +int handle_sys_exit_inotify_add_watch(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_ADD_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_inotify_rm_watch is a struct 
fd_event +SEC("tracepoint/syscalls/sys_enter_inotify_rm_watch") +int handle_sys_enter_inotify_rm_watch(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_inotify_rm_watch") +int handle_sys_exit_inotify_rm_watch(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INOTIFY_RM_WATCH; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_file_getattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_file_getattr") +int handle_sys_enter_file_getattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FILE_GETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_file_getattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_file_getattr") +int handle_sys_exit_file_getattr(struct 
syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FILE_GETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_file_setattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_file_setattr") +int handle_sys_enter_file_setattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FILE_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_file_setattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_file_setattr") +int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FILE_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fsopen is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fsopen") +int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FSOPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsopen") +int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSOPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fspick is a struct path_event +SEC("tracepoint/syscalls/sys_enter_fspick") +int handle_sys_enter_fspick(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FSPICK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fspick is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fspick") +int handle_sys_exit_fspick(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSPICK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + 
ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fsconfig is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fsconfig") +int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSCONFIG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsconfig") +int handle_sys_exit_fsconfig(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSCONFIG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_statfs is a struct path_event +SEC("tracepoint/syscalls/sys_enter_statfs") +int handle_sys_enter_statfs(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_statfs is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_statfs") 
+int handle_sys_exit_statfs(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fstatfs is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fstatfs") +int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSTATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fstatfs") +int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSTATFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ustat is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ustat") +int handle_sys_enter_ustat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_USTAT; + 
ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ustat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ustat") +int handle_sys_exit_ustat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_USTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getcwd is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getcwd") +int handle_sys_enter_getcwd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETCWD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getcwd is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getcwd") +int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETCWD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_utimensat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_utimensat") +int handle_sys_enter_utimensat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 
0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UTIMENSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_utimensat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_utimensat") +int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UTIMENSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futimesat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_futimesat") +int handle_sys_enter_futimesat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futimesat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futimesat") +int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTIMESAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_utimes is a struct null_event +SEC("tracepoint/syscalls/sys_enter_utimes") +int handle_sys_enter_utimes(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UTIMES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_utimes is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_utimes") +int handle_sys_exit_utimes(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UTIMES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_utime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_utime") +int handle_sys_enter_utime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_utime is a struct ret_event (UNCLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_utime") +int handle_sys_exit_utime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sync is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sync") +int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sync is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sync") +int handle_sys_exit_sync(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_syncfs is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_syncfs") +int handle_sys_enter_syncfs(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SYNCFS; + ev->pid = pid; 
+ ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_syncfs is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_syncfs") +int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYNCFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fsync is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fsync") +int handle_sys_enter_fsync(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsync is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsync") +int handle_sys_exit_fsync(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fdatasync is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fdatasync") +int handle_sys_enter_fdatasync(struct syscall_trace_enter *ctx) { + __u32 pid, tid; 
+ if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FDATASYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fdatasync is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fdatasync") +int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FDATASYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sync_file_range is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_sync_file_range") +int handle_sys_enter_sync_file_range(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_SYNC_FILE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sync_file_range is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sync_file_range") +int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYNC_FILE_RANGE; + ev->pid = pid; + 
ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_vmsplice is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_vmsplice") +int handle_sys_enter_vmsplice(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_VMSPLICE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_vmsplice is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_vmsplice") +int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_VMSPLICE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_splice is a struct null_event +SEC("tracepoint/syscalls/sys_enter_splice") +int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SPLICE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_splice is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_splice") +int handle_sys_exit_splice(struct syscall_trace_exit *ctx) { + __u32 
pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SPLICE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_tee is a struct null_event +SEC("tracepoint/syscalls/sys_enter_tee") +int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TEE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_tee is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_tee") +int handle_sys_exit_tee(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TEE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setxattrat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_setxattrat") +int handle_sys_enter_setxattrat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + 
__builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setxattrat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setxattrat") +int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setxattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_setxattr") +int handle_sys_enter_setxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setxattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setxattr") +int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + 
bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lsetxattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_lsetxattr") +int handle_sys_enter_lsetxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lsetxattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lsetxattr") +int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fsetxattr is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fsetxattr") +int handle_sys_enter_fsetxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsetxattr") +int 
handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getxattrat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_getxattrat") +int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getxattrat") +int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getxattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_getxattr") +int handle_sys_enter_getxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getxattr") +int handle_sys_exit_getxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lgetxattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_lgetxattr") +int handle_sys_enter_lgetxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lgetxattr") +int handle_sys_exit_lgetxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fgetxattr is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fgetxattr") +int handle_sys_enter_fgetxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fgetxattr is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fgetxattr") +int handle_sys_exit_fgetxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FGETXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_listxattrat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_listxattrat") +int handle_sys_enter_listxattrat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + 
bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_listxattrat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listxattrat") +int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_listxattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_listxattr") +int handle_sys_enter_listxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_listxattr is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listxattr") +int handle_sys_exit_listxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + 
+/// sys_enter_llistxattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_llistxattr") +int handle_sys_enter_llistxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_llistxattr is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_llistxattr") +int handle_sys_exit_llistxattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_flistxattr is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_flistxattr") +int handle_sys_enter_flistxattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_flistxattr is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_flistxattr") +int handle_sys_exit_flistxattr(struct 
syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FLISTXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_removexattrat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_removexattrat") +int handle_sys_enter_removexattrat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_removexattrat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_removexattrat") +int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_removexattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_removexattr") +int handle_sys_enter_removexattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_removexattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_removexattr") +int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lremovexattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_lremovexattr") +int handle_sys_enter_lremovexattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lremovexattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lremovexattr") +int handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fremovexattr is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fremovexattr") +int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fremovexattr") +int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FREMOVEXATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_umount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_umount") +int handle_sys_enter_umount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 
0); + return 0; +} + +/// sys_exit_umount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_umount") +int handle_sys_exit_umount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_open_tree is a struct open_event +SEC("tracepoint/syscalls/sys_enter_open_tree") +int handle_sys_enter_open_tree(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + ev->flags = ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_open_tree is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_open_tree") +int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_TREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mount is a struct 
null_event +SEC("tracepoint/syscalls/sys_enter_mount") +int handle_sys_enter_mount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mount") +int handle_sys_exit_mount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fsmount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fsmount") +int handle_sys_enter_fsmount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FSMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fsmount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fsmount") +int handle_sys_exit_fsmount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FSMOUNT; + ev->pid = pid; 
+ ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_move_mount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_move_mount") +int handle_sys_enter_move_mount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MOVE_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_move_mount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_move_mount") +int handle_sys_exit_move_mount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOVE_MOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pivot_root is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pivot_root") +int handle_sys_enter_pivot_root(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIVOT_ROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pivot_root") +int handle_sys_exit_pivot_root(struct syscall_trace_exit *ctx) { + __u32 
pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIVOT_ROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mount_setattr is a struct path_event +SEC("tracepoint/syscalls/sys_enter_mount_setattr") +int handle_sys_enter_mount_setattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MOUNT_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mount_setattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mount_setattr") +int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOUNT_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_open_tree_attr is a struct open_event +SEC("tracepoint/syscalls/sys_enter_open_tree_attr") +int handle_sys_enter_open_tree_attr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN_TREE_ATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + ev->flags = ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_open_tree_attr") +int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN_TREE_ATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_statmount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_statmount") +int handle_sys_enter_statmount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_STATMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_statmount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_statmount") +int handle_sys_exit_statmount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_listmount is a struct null_event +SEC("tracepoint/syscalls/sys_enter_listmount") +int handle_sys_enter_listmount(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LISTMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_listmount is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listmount") +int handle_sys_exit_listmount(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LISTMOUNT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sysfs is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sysfs") +int handle_sys_enter_sysfs(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYSFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sysfs is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sysfs") +int 
handle_sys_exit_sysfs(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYSFS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_close_range is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_close_range") +int handle_sys_enter_close_range(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_close_range is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_close_range") +int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_dup3 is a struct dup3_event +SEC("tracepoint/syscalls/sys_enter_dup3") +int handle_sys_enter_dup3(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_DUP3_EVENT; + ev->trace_id = 
SYS_ENTER_DUP3; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + ev->flags = (__s32)ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_dup3") +int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_DUP3; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_dup2 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_dup2") +int handle_sys_enter_dup2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_DUP2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_dup2") +int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_DUP2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_dup is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_dup") +int handle_sys_enter_dup(struct 
syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_DUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_dup is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_dup") +int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_DUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_select is a struct null_event +SEC("tracepoint/syscalls/sys_enter_select") +int handle_sys_enter_select(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SELECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_select is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_select") +int handle_sys_exit_select(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SELECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + 
ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pselect6 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pselect6") +int handle_sys_enter_pselect6(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PSELECT6; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pselect6 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pselect6") +int handle_sys_exit_pselect6(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PSELECT6; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_poll is a struct null_event +SEC("tracepoint/syscalls/sys_enter_poll") +int handle_sys_enter_poll(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_POLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_poll is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_poll") +int handle_sys_exit_poll(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); 
+ if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_POLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ppoll is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ppoll") +int handle_sys_enter_ppoll(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PPOLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ppoll is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ppoll") +int handle_sys_exit_ppoll(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PPOLL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getdents is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getdents") +int handle_sys_enter_getdents(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETDENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getdents is a struct ret_event (READ_CLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_getdents") +int handle_sys_exit_getdents(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETDENTS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getdents64 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_getdents64") +int handle_sys_enter_getdents64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_GETDENTS64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getdents64 is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getdents64") +int handle_sys_exit_getdents64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETDENTS64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ioctl is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_ioctl") +int handle_sys_enter_ioctl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + 
+ ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_IOCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ioctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioctl") +int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_IOCTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fcntl is a struct fcntl_event +SEC("tracepoint/syscalls/sys_enter_fcntl") +int handle_sys_enter_fcntl(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FCNTL_EVENT; + ev->trace_id = SYS_ENTER_FCNTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = ctx->args[0]; + ev->cmd = ctx->args[1]; + ev->arg = ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fcntl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fcntl") +int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCNTL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mknodat is a struct 
path_event +SEC("tracepoint/syscalls/sys_enter_mknodat") +int handle_sys_enter_mknodat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mknodat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mknodat") +int handle_sys_exit_mknodat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mknod is a struct path_event +SEC("tracepoint/syscalls/sys_enter_mknod") +int handle_sys_enter_mknod(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mknod is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mknod") +int 
handle_sys_exit_mknod(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKNOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mkdirat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_mkdirat") +int handle_sys_enter_mkdirat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mkdirat") +int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKDIRAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mkdir is a struct path_event +SEC("tracepoint/syscalls/sys_enter_mkdir") +int handle_sys_enter_mkdir(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct 
path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_MKDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mkdir is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mkdir") +int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MKDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rmdir is a struct path_event +SEC("tracepoint/syscalls/sys_enter_rmdir") +int handle_sys_enter_rmdir(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rmdir is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rmdir") +int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = 
SYS_EXIT_RMDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_unlinkat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_unlinkat") +int handle_sys_enter_unlinkat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_unlinkat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_unlinkat") +int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_unlink is a struct path_event +SEC("tracepoint/syscalls/sys_enter_unlink") +int handle_sys_enter_unlink(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + 
bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_unlink is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_unlink") +int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_UNLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_symlinkat is a struct name_event +SEC("tracepoint/syscalls/sys_enter_symlinkat") +int handle_sys_enter_symlinkat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_symlinkat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_symlinkat") +int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYMLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + 
ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_symlink is a struct name_event +SEC("tracepoint/syscalls/sys_enter_symlink") +int handle_sys_enter_symlink(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_symlink is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_symlink") +int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYMLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_linkat is a struct name_event +SEC("tracepoint/syscalls/sys_enter_linkat") +int handle_sys_enter_linkat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + 
bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_linkat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_linkat") +int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_link is a struct name_event +SEC("tracepoint/syscalls/sys_enter_link") +int handle_sys_enter_link(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_link is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_link") +int handle_sys_exit_link(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LINK; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_renameat2 is a struct name_event +SEC("tracepoint/syscalls/sys_enter_renameat2") +int handle_sys_enter_renameat2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_renameat2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_renameat2") +int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RENAMEAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_renameat is a struct name_event +SEC("tracepoint/syscalls/sys_enter_renameat") +int handle_sys_enter_renameat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + 
__builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_renameat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_renameat") +int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RENAMEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rename is a struct name_event +SEC("tracepoint/syscalls/sys_enter_rename") +int handle_sys_enter_rename(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NAME_EVENT; + ev->trace_id = SYS_ENTER_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rename is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rename") +int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = 
EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RENAME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pipe2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pipe2") +int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIPE2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pipe2") +int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIPE2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pipe is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pipe") +int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIPE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pipe is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pipe") +int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if 
(filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIPE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_execve is a struct path_event +SEC("tracepoint/syscalls/sys_enter_execve") +int handle_sys_enter_execve(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_EXECVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_execve is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_execve") +int handle_sys_exit_execve(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXECVE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_execveat is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_execveat") +int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + 
ev->trace_id = SYS_ENTER_EXECVEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_execveat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_execveat") +int handle_sys_exit_execveat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_EXECVEAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_newstat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_newstat") +int handle_sys_enter_newstat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_NEWSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_newstat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_newstat") +int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 
0); + return 0; +} + +/// sys_enter_newlstat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_newlstat") +int handle_sys_enter_newlstat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_NEWLSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_newlstat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_newlstat") +int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWLSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_newfstatat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_newfstatat") +int handle_sys_enter_newfstatat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_newfstatat is a struct 
ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_newfstatat") +int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTATAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_newfstat is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_newfstat") +int handle_sys_enter_newfstat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_newfstat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_newfstat") +int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_readlinkat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_readlinkat") +int handle_sys_enter_readlinkat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 
0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_readlinkat is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_readlinkat") +int handle_sys_exit_readlinkat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READLINKAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_readlink is a struct path_event +SEC("tracepoint/syscalls/sys_enter_readlink") +int handle_sys_enter_readlink(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_READLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_readlink is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_readlink") +int handle_sys_exit_readlink(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READLINK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_statx is a struct path_event +SEC("tracepoint/syscalls/sys_enter_statx") +int handle_sys_enter_statx(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_STATX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_statx is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_statx") +int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_STATX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lseek is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_lseek") +int handle_sys_enter_lseek(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_LSEEK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + 
return 0; +} + +/// sys_exit_lseek is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lseek") +int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LSEEK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_read is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_read") +int handle_sys_enter_read(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_READ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_read is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_read") +int handle_sys_exit_read(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_write is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_write") +int handle_sys_enter_write(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + 
return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_WRITE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_write is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_write") +int handle_sys_exit_write(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_WRITE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pread64 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_pread64") +int handle_sys_enter_pread64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PREAD64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pread64") +int handle_sys_exit_pread64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PREAD64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pwrite64 is a struct fd_event 
+SEC("tracepoint/syscalls/sys_enter_pwrite64") +int handle_sys_enter_pwrite64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PWRITE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pwrite64 is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pwrite64") +int handle_sys_exit_pwrite64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PWRITE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_readv is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_readv") +int handle_sys_enter_readv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_READV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_readv is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_readv") +int handle_sys_exit_readv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = 
EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_writev is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_writev") +int handle_sys_enter_writev(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_WRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_writev is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_writev") +int handle_sys_exit_writev(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_WRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_preadv is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_preadv") +int handle_sys_enter_preadv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PREADV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_preadv is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_preadv") 
+int handle_sys_exit_preadv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PREADV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_preadv2 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_preadv2") +int handle_sys_enter_preadv2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PREADV2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_preadv2") +int handle_sys_exit_preadv2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PREADV2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pwritev is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_pwritev") +int handle_sys_enter_pwritev(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = 
SYS_ENTER_PWRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pwritev is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pwritev") +int handle_sys_exit_pwritev(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PWRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pwritev2 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_pwritev2") +int handle_sys_enter_pwritev2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PWRITEV2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pwritev2 is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pwritev2") +int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PWRITEV2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sendfile64 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sendfile64") 
+int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SENDFILE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sendfile64 is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sendfile64") +int handle_sys_exit_sendfile64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SENDFILE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_copy_file_range is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_copy_file_range") +int handle_sys_enter_copy_file_range(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_COPY_FILE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_copy_file_range") +int handle_sys_exit_copy_file_range(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_COPY_FILE_RANGE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = TRANSFER_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_truncate is a struct path_event +SEC("tracepoint/syscalls/sys_enter_truncate") +int handle_sys_enter_truncate(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_TRUNCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_truncate is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_truncate") +int handle_sys_exit_truncate(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TRUNCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_ftruncate is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_ftruncate") +int handle_sys_enter_ftruncate(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FTRUNCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = 
(__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_ftruncate is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ftruncate") +int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FTRUNCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fallocate is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fallocate") +int handle_sys_enter_fallocate(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FALLOCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fallocate") +int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FALLOCATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_faccessat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_faccessat") +int handle_sys_enter_faccessat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, 
&tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_faccessat") +int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FACCESSAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_faccessat2 is a struct path_event +SEC("tracepoint/syscalls/sys_enter_faccessat2") +int handle_sys_enter_faccessat2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FACCESSAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_faccessat2") +int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event 
*ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FACCESSAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_access is a struct path_event +SEC("tracepoint/syscalls/sys_enter_access") +int handle_sys_enter_access(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_ACCESS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_access is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_access") +int handle_sys_exit_access(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ACCESS; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_chdir is a struct path_event +SEC("tracepoint/syscalls/sys_enter_chdir") +int handle_sys_enter_chdir(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CHDIR; + ev->pid = pid; + ev->tid 
= tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_chdir is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_chdir") +int handle_sys_exit_chdir(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fchdir is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fchdir") +int handle_sys_enter_fchdir(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fchdir") +int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHDIR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_chroot is a struct path_event 
+SEC("tracepoint/syscalls/sys_enter_chroot") +int handle_sys_enter_chroot(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CHROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_chroot is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_chroot") +int handle_sys_exit_chroot(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHROOT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fchmod is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fchmod") +int handle_sys_enter_fchmod(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fchmod") +int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fchmodat2 is a struct path_event +SEC("tracepoint/syscalls/sys_enter_fchmodat2") +int handle_sys_enter_fchmodat2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fchmodat2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fchmodat2") +int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHMODAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fchmodat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_fchmodat") +int handle_sys_enter_fchmodat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FCHMODAT; 
+ ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fchmodat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fchmodat") +int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHMODAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_chmod is a struct path_event +SEC("tracepoint/syscalls/sys_enter_chmod") +int handle_sys_enter_chmod(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_chmod is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_chmod") +int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHMOD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = 
ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fchownat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_fchownat") +int handle_sys_enter_fchownat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_FCHOWNAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fchownat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fchownat") +int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHOWNAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_chown is a struct path_event +SEC("tracepoint/syscalls/sys_enter_chown") +int handle_sys_enter_chown(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; 
+} + +/// sys_exit_chown is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_chown") +int handle_sys_exit_chown(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_lchown is a struct path_event +SEC("tracepoint/syscalls/sys_enter_lchown") +int handle_sys_enter_lchown(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_LCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_lchown is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_lchown") +int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_LCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fchown is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fchown") +int handle_sys_enter_fchown(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if 
(filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fchown is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fchown") +int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FCHOWN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_open is a struct open_event +SEC("tracepoint/syscalls/sys_enter_open") +int handle_sys_enter_open(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + ev->flags = ctx->args[1]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_open") +int handle_sys_exit_open(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 
0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_openat is a struct open_event +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_sys_enter_openat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = SYS_ENTER_OPENAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + ev->flags = ctx->args[2]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_openat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_sys_exit_openat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_openat2 is a struct open_event +SEC("tracepoint/syscalls/sys_enter_openat2") +int handle_sys_enter_openat2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_OPEN_EVENT; + ev->trace_id = 
SYS_ENTER_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + ev->flags = -1; // Probably OK + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_openat2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_openat2") +int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_OPENAT2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_creat is a struct path_event +SEC("tracepoint/syscalls/sys_enter_creat") +int handle_sys_enter_creat(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_PATH_EVENT; + ev->trace_id = SYS_ENTER_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); + bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_creat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_creat") +int handle_sys_exit_creat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + 
ev->trace_id = SYS_EXIT_CREAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_close is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_close") +int handle_sys_enter_close(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CLOSE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_close is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_close") +int handle_sys_exit_close(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOSE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_vhangup is a struct null_event +SEC("tracepoint/syscalls/sys_enter_vhangup") +int handle_sys_enter_vhangup(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_VHANGUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_vhangup is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_vhangup") +int handle_sys_exit_vhangup(struct syscall_trace_exit 
*ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_VHANGUP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_memfd_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_memfd_create") +int handle_sys_enter_memfd_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MEMFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_memfd_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_memfd_create") +int handle_sys_exit_memfd_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MEMFD_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_memfd_secret is a struct null_event +SEC("tracepoint/syscalls/sys_enter_memfd_secret") +int handle_sys_enter_memfd_secret(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MEMFD_SECRET; + ev->pid = 
pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_memfd_secret is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_memfd_secret") +int handle_sys_exit_memfd_secret(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MEMFD_SECRET; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_move_pages is a struct null_event +SEC("tracepoint/syscalls/sys_enter_move_pages") +int handle_sys_enter_move_pages(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MOVE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_move_pages is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_move_pages") +int handle_sys_exit_move_pages(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MOVE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_mempolicy_home_node is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_mempolicy_home_node") +int 
handle_sys_enter_set_mempolicy_home_node(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_MEMPOLICY_HOME_NODE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_mempolicy_home_node is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_mempolicy_home_node") +int handle_sys_exit_set_mempolicy_home_node(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_MEMPOLICY_HOME_NODE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mbind is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mbind") +int handle_sys_enter_mbind(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MBIND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mbind is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mbind") +int handle_sys_exit_mbind(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = 
SYS_EXIT_MBIND; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_mempolicy is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_mempolicy") +int handle_sys_enter_set_mempolicy(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_mempolicy is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_mempolicy") +int handle_sys_exit_set_mempolicy(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_migrate_pages is a struct null_event +SEC("tracepoint/syscalls/sys_enter_migrate_pages") +int handle_sys_enter_migrate_pages(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MIGRATE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_migrate_pages is a struct ret_event (UNCLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_migrate_pages") +int handle_sys_exit_migrate_pages(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MIGRATE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_get_mempolicy is a struct null_event +SEC("tracepoint/syscalls/sys_enter_get_mempolicy") +int handle_sys_enter_get_mempolicy(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_get_mempolicy is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_get_mempolicy") +int handle_sys_exit_get_mempolicy(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GET_MEMPOLICY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_swapoff is a struct null_event +SEC("tracepoint/syscalls/sys_enter_swapoff") +int handle_sys_enter_swapoff(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if 
(!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SWAPOFF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_swapoff is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_swapoff") +int handle_sys_exit_swapoff(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SWAPOFF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_swapon is a struct null_event +SEC("tracepoint/syscalls/sys_enter_swapon") +int handle_sys_enter_swapon(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SWAPON; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_swapon is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_swapon") +int handle_sys_exit_swapon(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SWAPON; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_madvise is a struct null_event +SEC("tracepoint/syscalls/sys_enter_madvise") +int 
handle_sys_enter_madvise(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_madvise is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_madvise") +int handle_sys_exit_madvise(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_madvise is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_madvise") +int handle_sys_enter_process_madvise(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_MADVISE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_madvise is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_madvise") +int handle_sys_exit_process_madvise(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_MADVISE; + 
ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mseal is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mseal") +int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSEAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mseal is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mseal") +int handle_sys_exit_mseal(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSEAL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_vm_readv is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_vm_readv") +int handle_sys_enter_process_vm_readv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_VM_READV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_vm_readv is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_vm_readv") +int handle_sys_exit_process_vm_readv(struct 
syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_VM_READV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_vm_writev is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_vm_writev") +int handle_sys_enter_process_vm_writev(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_VM_WRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_vm_writev is a struct ret_event (WRITE_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_vm_writev") +int handle_sys_exit_process_vm_writev(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_VM_WRITEV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = WRITE_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_msync is a struct null_event +SEC("tracepoint/syscalls/sys_enter_msync") +int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = 
ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_msync is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_msync") +int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MSYNC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mremap is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mremap") +int handle_sys_enter_mremap(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MREMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mremap is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mremap") +int handle_sys_exit_mremap(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MREMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mprotect is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mprotect") +int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) { + 
__u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mprotect is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mprotect") +int handle_sys_exit_mprotect(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pkey_mprotect is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pkey_mprotect") +int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PKEY_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pkey_mprotect is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pkey_mprotect") +int handle_sys_exit_pkey_mprotect(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PKEY_MPROTECT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + 
ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pkey_alloc is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pkey_alloc") +int handle_sys_enter_pkey_alloc(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PKEY_ALLOC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pkey_alloc") +int handle_sys_exit_pkey_alloc(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PKEY_ALLOC; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pkey_free is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pkey_free") +int handle_sys_enter_pkey_free(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PKEY_FREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pkey_free") +int handle_sys_exit_pkey_free(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct 
ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PKEY_FREE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_brk is a struct null_event +SEC("tracepoint/syscalls/sys_enter_brk") +int handle_sys_enter_brk(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_BRK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_brk is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_brk") +int handle_sys_exit_brk(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_BRK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_munmap is a struct null_event +SEC("tracepoint/syscalls/sys_enter_munmap") +int handle_sys_enter_munmap(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MUNMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_munmap is a struct ret_event (UNCLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_munmap") +int handle_sys_exit_munmap(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MUNMAP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_remap_file_pages is a struct null_event +SEC("tracepoint/syscalls/sys_enter_remap_file_pages") +int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_REMAP_FILE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_remap_file_pages is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_remap_file_pages") +int handle_sys_exit_remap_file_pages(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_REMAP_FILE_PAGES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mlock is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mlock") +int handle_sys_enter_mlock(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if 
(!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mlock is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mlock") +int handle_sys_exit_mlock(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mlock2 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mlock2") +int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MLOCK2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mlock2 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mlock2") +int handle_sys_exit_mlock2(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MLOCK2; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_munlock is a struct null_event +SEC("tracepoint/syscalls/sys_enter_munlock") +int 
handle_sys_enter_munlock(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MUNLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_munlock is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_munlock") +int handle_sys_exit_munlock(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MUNLOCK; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mlockall is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mlockall") +int handle_sys_enter_mlockall(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mlockall is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mlockall") +int handle_sys_exit_mlockall(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = 
bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_munlockall is a struct null_event +SEC("tracepoint/syscalls/sys_enter_munlockall") +int handle_sys_enter_munlockall(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MUNLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_munlockall is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_munlockall") +int handle_sys_exit_munlockall(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MUNLOCKALL; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_mincore is a struct null_event +SEC("tracepoint/syscalls/sys_enter_mincore") +int handle_sys_enter_mincore(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MINCORE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_mincore is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mincore") +int handle_sys_exit_mincore(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + 
+ struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_MINCORE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_readahead is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_readahead") +int handle_sys_enter_readahead(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_READAHEAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_readahead is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_readahead") +int handle_sys_exit_readahead(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_READAHEAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_fadvise64 is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_fadvise64") +int handle_sys_enter_fadvise64(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_FADVISE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = 
(__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fadvise64") +int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FADVISE64; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_process_mrelease is a struct null_event +SEC("tracepoint/syscalls/sys_enter_process_mrelease") +int handle_sys_enter_process_mrelease(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PROCESS_MRELEASE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_process_mrelease is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_process_mrelease") +int handle_sys_exit_process_mrelease(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PROCESS_MRELEASE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_cachestat is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_cachestat") +int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx) { + __u32 
pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_cachestat is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_cachestat") +int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CACHESTAT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_rseq is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rseq") +int handle_sys_enter_rseq(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RSEQ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_rseq is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rseq") +int handle_sys_exit_rseq(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_RSEQ; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = 
UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_perf_event_open is a struct null_event +SEC("tracepoint/syscalls/sys_enter_perf_event_open") +int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PERF_EVENT_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_perf_event_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_perf_event_open") +int handle_sys_exit_perf_event_open(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PERF_EVENT_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_bpf is a struct null_event +SEC("tracepoint/syscalls/sys_enter_bpf") +int handle_sys_enter_bpf(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_BPF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_bpf is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_bpf") +int handle_sys_exit_bpf(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_BPF; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_seccomp is a struct null_event +SEC("tracepoint/syscalls/sys_enter_seccomp") +int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SECCOMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_seccomp is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_seccomp") +int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SECCOMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kexec_file_load is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kexec_file_load") +int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KEXEC_FILE_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// 
sys_exit_kexec_file_load is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kexec_file_load") +int handle_sys_exit_kexec_file_load(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KEXEC_FILE_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kexec_load is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kexec_load") +int handle_sys_enter_kexec_load(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KEXEC_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kexec_load") +int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KEXEC_LOAD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_acct is a struct null_event +SEC("tracepoint/syscalls/sys_enter_acct") +int handle_sys_enter_acct(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ACCT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_acct is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_acct") +int handle_sys_exit_acct(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ACCT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_set_robust_list is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_robust_list") +int handle_sys_enter_set_robust_list(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_set_robust_list is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_robust_list") +int handle_sys_exit_set_robust_list(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// 
sys_enter_get_robust_list is a struct null_event +SEC("tracepoint/syscalls/sys_enter_get_robust_list") +int handle_sys_enter_get_robust_list(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_get_robust_list is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_get_robust_list") +int handle_sys_exit_get_robust_list(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GET_ROBUST_LIST; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex") +int handle_sys_enter_futex(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex") +int handle_sys_exit_futex(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + 
return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_waitv is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_waitv") +int handle_sys_enter_futex_waitv(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_WAITV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_waitv is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_waitv") +int handle_sys_exit_futex_waitv(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_WAITV; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_wake is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_wake") +int handle_sys_enter_futex_wake(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_WAKE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_wake is a struct ret_event (UNCLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_futex_wake") +int handle_sys_exit_futex_wake(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_WAKE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_wait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_wait") +int handle_sys_enter_futex_wait(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_wait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_wait") +int handle_sys_exit_futex_wait(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_WAIT; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_futex_requeue is a struct null_event +SEC("tracepoint/syscalls/sys_enter_futex_requeue") +int handle_sys_enter_futex_requeue(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 
0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FUTEX_REQUEUE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_futex_requeue is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_futex_requeue") +int handle_sys_exit_futex_requeue(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FUTEX_REQUEUE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getitimer is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getitimer") +int handle_sys_enter_getitimer(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_getitimer is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getitimer") +int handle_sys_exit_getitimer(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_alarm is a struct null_event 
+SEC("tracepoint/syscalls/sys_enter_alarm") +int handle_sys_enter_alarm(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ALARM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_alarm is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_alarm") +int handle_sys_exit_alarm(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ALARM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setitimer is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setitimer") +int handle_sys_enter_setitimer(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETITIMER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setitimer is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setitimer") +int handle_sys_exit_setitimer(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETITIMER; + ev->pid = 
pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_create is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_create") +int handle_sys_enter_timer_create(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_create is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_create") +int handle_sys_exit_timer_create(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_CREATE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_gettime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_gettime") +int handle_sys_enter_timer_gettime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_gettime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_gettime") +int 
handle_sys_exit_timer_gettime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_getoverrun is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_getoverrun") +int handle_sys_enter_timer_getoverrun(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_GETOVERRUN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_getoverrun is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_getoverrun") +int handle_sys_exit_timer_getoverrun(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_GETOVERRUN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_settime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_settime") +int handle_sys_enter_timer_settime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 
0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_settime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_settime") +int handle_sys_exit_timer_settime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_timer_delete is a struct null_event +SEC("tracepoint/syscalls/sys_enter_timer_delete") +int handle_sys_enter_timer_delete(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMER_DELETE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_timer_delete is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_timer_delete") +int handle_sys_exit_timer_delete(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIMER_DELETE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_settime is a struct 
null_event +SEC("tracepoint/syscalls/sys_enter_clock_settime") +int handle_sys_enter_clock_settime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_settime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_settime") +int handle_sys_exit_clock_settime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_SETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_gettime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_gettime") +int handle_sys_enter_clock_gettime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_gettime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_gettime") +int handle_sys_exit_clock_gettime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + 
return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_GETTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_adjtime is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_adjtime") +int handle_sys_enter_clock_adjtime(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_ADJTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_adjtime is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_adjtime") +int handle_sys_exit_clock_adjtime(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_ADJTIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_getres is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_getres") +int handle_sys_enter_clock_getres(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_GETRES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_getres is a struct 
ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_getres") +int handle_sys_exit_clock_getres(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_GETRES; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_clock_nanosleep is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clock_nanosleep") +int handle_sys_enter_clock_nanosleep(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLOCK_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_clock_nanosleep is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clock_nanosleep") +int handle_sys_exit_clock_nanosleep(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_CLOCK_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_nanosleep is a struct null_event +SEC("tracepoint/syscalls/sys_enter_nanosleep") +int handle_sys_enter_nanosleep(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = 
bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_nanosleep is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_nanosleep") +int handle_sys_exit_nanosleep(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_NANOSLEEP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_time is a struct null_event +SEC("tracepoint/syscalls/sys_enter_time") +int handle_sys_enter_time(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_time is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_time") +int handle_sys_exit_time(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_TIME; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_gettimeofday is a struct null_event 
+SEC("tracepoint/syscalls/sys_enter_gettimeofday") +int handle_sys_enter_gettimeofday(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_gettimeofday") +int handle_sys_exit_gettimeofday(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_GETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_settimeofday is a struct null_event +SEC("tracepoint/syscalls/sys_enter_settimeofday") +int handle_sys_enter_settimeofday(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_settimeofday is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_settimeofday") +int handle_sys_exit_settimeofday(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + 
ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETTIMEOFDAY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_adjtimex is a struct null_event +SEC("tracepoint/syscalls/sys_enter_adjtimex") +int handle_sys_enter_adjtimex(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ADJTIMEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_adjtimex is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_adjtimex") +int handle_sys_exit_adjtimex(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_ADJTIMEX; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_kcmp is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kcmp") +int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KCMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_kcmp is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kcmp") +int handle_sys_exit_kcmp(struct 
syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_KCMP; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_delete_module is a struct null_event +SEC("tracepoint/syscalls/sys_enter_delete_module") +int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_DELETE_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_delete_module") +int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_DELETE_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_init_module is a struct null_event +SEC("tracepoint/syscalls/sys_enter_init_module") +int handle_sys_enter_init_module(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = 
SYS_ENTER_INIT_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_init_module is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_init_module") +int handle_sys_exit_init_module(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_INIT_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_finit_module is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_finit_module") +int handle_sys_enter_finit_module(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FGETXATTR; + ev->trace_id = SYS_ENTER_FINIT_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_finit_module is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_finit_module") +int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_FINIT_MODULE; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_syslog is a struct null_event 
+SEC("tracepoint/syscalls/sys_enter_syslog") +int handle_sys_enter_syslog(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYSLOG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_syslog is a struct ret_event (READ_CLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_syslog") +int handle_sys_exit_syslog(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SYSLOG; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = READ_CLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_membarrier is a struct null_event +SEC("tracepoint/syscalls/sys_enter_membarrier") +int handle_sys_enter_membarrier(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MEMBARRIER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_membarrier is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_membarrier") +int handle_sys_exit_membarrier(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = 
SYS_EXIT_MEMBARRIER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setscheduler is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setscheduler") +int handle_sys_enter_sched_setscheduler(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setscheduler is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setscheduler") +int handle_sys_exit_sched_setscheduler(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setparam is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setparam") +int handle_sys_enter_sched_setparam(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setparam is a struct ret_event (UNCLASSIFIED) 
+SEC("tracepoint/syscalls/sys_exit_sched_setparam") +int handle_sys_exit_sched_setparam(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setattr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setattr") +int handle_sys_enter_sched_setattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setattr") +int handle_sys_exit_sched_setattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getscheduler is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getscheduler") +int handle_sys_enter_sched_getscheduler(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, 
sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getscheduler is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getscheduler") +int handle_sys_exit_sched_getscheduler(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETSCHEDULER; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getparam is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getparam") +int handle_sys_enter_sched_getparam(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getparam is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getparam") +int handle_sys_exit_sched_getparam(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETPARAM; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + 
bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getattr is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getattr") +int handle_sys_enter_sched_getattr(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getattr is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getattr") +int handle_sys_exit_sched_getattr(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETATTR; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_setaffinity is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_setaffinity") +int handle_sys_enter_sched_setaffinity(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_SETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_setaffinity is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_setaffinity") +int handle_sys_exit_sched_setaffinity(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + 
return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_SETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_sched_getaffinity is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_getaffinity") +int handle_sys_enter_sched_getaffinity(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GETAFFINITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_getaffinity is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_getaffinity") +int handle_sys_exit_sched_getaffinity(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SCHED_GETAFFINITY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fgetxattr is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fgetxattr") -int handle_sys_exit_fgetxattr(struct syscall_trace_exit *ctx) { +/// sys_enter_sched_yield is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_yield") +int handle_sys_enter_sched_yield(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event 
*ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_YIELD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_sched_yield is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_yield") +int handle_sys_exit_sched_yield(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2145,43 +13428,41 @@ int handle_sys_exit_fgetxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FGETXATTR; + ev->trace_id = SYS_EXIT_SCHED_YIELD; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_listxattrat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_listxattrat") -int handle_sys_enter_listxattrat(struct syscall_trace_enter *ctx) { +/// sys_enter_sched_get_priority_max is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_get_priority_max") +int handle_sys_enter_sched_get_priority_max(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LISTXATTRAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GET_PRIORITY_MAX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_listxattrat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_listxattrat") -int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx) { +/// sys_exit_sched_get_priority_max is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_get_priority_max") +int handle_sys_exit_sched_get_priority_max(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2191,7 +13472,7 @@ int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LISTXATTRAT; + ev->trace_id = SYS_EXIT_SCHED_GET_PRIORITY_MAX; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -2202,32 +13483,30 @@ int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_listxattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_listxattr") -int handle_sys_enter_listxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_sched_get_priority_min is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_get_priority_min") +int handle_sys_enter_sched_get_priority_min(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LISTXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_GET_PRIORITY_MIN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_listxattr is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_listxattr") -int handle_sys_exit_listxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_sched_get_priority_min is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_get_priority_min") +int handle_sys_exit_sched_get_priority_min(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2237,43 +13516,41 @@ int handle_sys_exit_listxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LISTXATTR; + ev->trace_id = SYS_EXIT_SCHED_GET_PRIORITY_MIN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_llistxattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_llistxattr") -int handle_sys_enter_llistxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_sched_rr_get_interval is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sched_rr_get_interval") +int handle_sys_enter_sched_rr_get_interval(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LLISTXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SCHED_RR_GET_INTERVAL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_llistxattr is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_llistxattr") -int handle_sys_exit_llistxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_sched_rr_get_interval is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sched_rr_get_interval") +int handle_sys_exit_sched_rr_get_interval(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2283,42 +13560,41 @@ int handle_sys_exit_llistxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LLISTXATTR; + ev->trace_id = SYS_EXIT_SCHED_RR_GET_INTERVAL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_flistxattr is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_flistxattr") -int handle_sys_enter_flistxattr(struct syscall_trace_enter *ctx) { +/// sys_enter_getgroups is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getgroups") +int handle_sys_enter_getgroups(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FLISTXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETGROUPS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_flistxattr is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_flistxattr") -int handle_sys_exit_flistxattr(struct syscall_trace_exit *ctx) { +/// sys_exit_getgroups is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getgroups") +int handle_sys_exit_getgroups(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2328,43 +13604,41 @@ int handle_sys_exit_flistxattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FLISTXATTR; + ev->trace_id = SYS_EXIT_GETGROUPS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_removexattrat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_removexattrat") -int handle_sys_enter_removexattrat(struct syscall_trace_enter *ctx) { +/// sys_enter_setgroups is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setgroups") +int handle_sys_enter_setgroups(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_REMOVEXATTRAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETGROUPS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_removexattrat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_removexattrat") -int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx) { +/// sys_exit_setgroups is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setgroups") +int handle_sys_exit_setgroups(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2374,7 +13648,7 @@ int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_REMOVEXATTRAT; + ev->trace_id = SYS_EXIT_SETGROUPS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -2385,32 +13659,30 @@ int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_removexattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_removexattr") -int handle_sys_enter_removexattr(struct syscall_trace_enter *ctx) { +/// sys_enter_reboot is a struct null_event +SEC("tracepoint/syscalls/sys_enter_reboot") +int handle_sys_enter_reboot(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_REMOVEXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_REBOOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_removexattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_removexattr") -int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { +/// sys_exit_reboot is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_reboot") +int handle_sys_exit_reboot(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2420,7 +13692,7 @@ int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_REMOVEXATTR; + ev->trace_id = SYS_EXIT_REBOOT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -2431,32 +13703,30 @@ int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_lremovexattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_lremovexattr") -int handle_sys_enter_lremovexattr(struct syscall_trace_enter *ctx) { +/// sys_enter_listns is a struct null_event +SEC("tracepoint/syscalls/sys_enter_listns") +int handle_sys_enter_listns(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LREMOVEXATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_LISTNS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_lremovexattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_lremovexattr") -int handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { +/// sys_exit_listns is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_listns") +int handle_sys_exit_listns(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2466,7 +13736,7 @@ int handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LREMOVEXATTR; + ev->trace_id = SYS_EXIT_LISTNS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -2477,9 +13747,9 @@ int handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fremovexattr is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fremovexattr") -int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { +/// sys_enter_setns is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_setns") +int handle_sys_enter_setns(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2489,7 +13759,7 @@ int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FREMOVEXATTR; + ev->trace_id = SYS_ENTER_SETNS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -2499,9 +13769,9 @@ int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fremovexattr") -int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { +/// sys_exit_setns is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setns") +int handle_sys_exit_setns(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2511,7 +13781,7 @@ int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FREMOVEXATTR; + ev->trace_id = SYS_EXIT_SETNS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2522,34 +13792,163 @@ int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_open_tree is a struct open_event -SEC("tracepoint/syscalls/sys_enter_open_tree") -int handle_sys_enter_open_tree(struct syscall_trace_enter *ctx) { +/// sys_enter_pidfd_open is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pidfd_open") +int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIDFD_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pidfd_open") +int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIDFD_OPEN; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_pidfd_getfd is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_pidfd_getfd") +int handle_sys_enter_pidfd_getfd(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_FD_EVENT; + ev->trace_id = SYS_ENTER_PIDFD_GETFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_pidfd_getfd is a struct 
ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pidfd_getfd") +int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_PIDFD_GETFD; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_setpriority is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setpriority") +int handle_sys_enter_setpriority(struct syscall_trace_enter *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) + return 0; + + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETPRIORITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_exit_setpriority is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setpriority") +int handle_sys_exit_setpriority(struct syscall_trace_exit *ctx) { + __u32 pid, tid; + if (filter(&pid, &tid)) + return 0; + + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + if (!ev) + return 0; + + ev->event_type = EXIT_RET_EVENT; + ev->trace_id = SYS_EXIT_SETPRIORITY; + ev->pid = pid; + ev->tid = tid; + ev->time = bpf_ktime_get_boot_ns(); + ev->ret = ctx->ret; + ev->ret_type = UNCLASSIFIED; + + bpf_ringbuf_submit(ev, 0); + return 0; +} + +/// sys_enter_getpriority is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpriority") +int handle_sys_enter_getpriority(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); 
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPEN_TREE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPRIORITY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_open_tree is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_open_tree") -int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { +/// sys_exit_getpriority is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpriority") +int handle_sys_exit_getpriority(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2559,7 +13958,7 @@ int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPEN_TREE; + ev->trace_id = SYS_EXIT_GETPRIORITY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2570,32 +13969,30 @@ int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_mount_setattr is a struct path_event -SEC("tracepoint/syscalls/sys_enter_mount_setattr") -int handle_sys_enter_mount_setattr(struct syscall_trace_enter *ctx) { +/// sys_enter_setregid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setregid") +int handle_sys_enter_setregid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MOUNT_SETATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETREGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_mount_setattr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_mount_setattr") -int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { +/// sys_exit_setregid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setregid") +int handle_sys_exit_setregid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2605,7 +14002,7 @@ int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MOUNT_SETATTR; + ev->trace_id = SYS_EXIT_SETREGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2616,34 +14013,30 @@ int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_open_tree_attr is a struct open_event -SEC("tracepoint/syscalls/sys_enter_open_tree_attr") -int handle_sys_enter_open_tree_attr(struct syscall_trace_enter *ctx) { +/// sys_enter_setgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setgid") +int handle_sys_enter_setgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPEN_TREE_ATTR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_open_tree_attr") -int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { +/// sys_exit_setgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setgid") +int handle_sys_exit_setgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2653,7 +14046,7 @@ int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPEN_TREE_ATTR; + ev->trace_id = SYS_EXIT_SETGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2664,31 +14057,30 @@ int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_close_range is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_close_range") -int handle_sys_enter_close_range(struct syscall_trace_enter *ctx) { +/// sys_enter_setreuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setreuid") +int handle_sys_enter_setreuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE_RANGE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETREUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_close_range is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_close_range") -int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) { +/// sys_exit_setreuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setreuid") +int handle_sys_exit_setreuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2698,7 +14090,7 @@ int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE_RANGE; + ev->trace_id = SYS_EXIT_SETREUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2709,32 +14101,30 @@ int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_dup3 is a struct dup3_event -SEC("tracepoint/syscalls/sys_enter_dup3") -int handle_sys_enter_dup3(struct syscall_trace_enter *ctx) { +/// sys_enter_setuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setuid") +int handle_sys_enter_setuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_DUP3_EVENT; - ev->trace_id = SYS_ENTER_DUP3; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; - ev->flags = (__s32)ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_dup3") -int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) { +/// sys_exit_setuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setuid") +int handle_sys_exit_setuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2744,7 +14134,7 @@ int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_DUP3; + ev->trace_id = SYS_EXIT_SETUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2755,31 +14145,30 @@ int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_dup2 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_dup2") -int handle_sys_enter_dup2(struct syscall_trace_enter *ctx) { +/// sys_enter_setresuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setresuid") +int handle_sys_enter_setresuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_DUP2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETRESUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_dup2") -int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) { +/// sys_exit_setresuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setresuid") +int handle_sys_exit_setresuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2789,7 +14178,7 @@ int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_DUP2; + ev->trace_id = SYS_EXIT_SETRESUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2800,31 +14189,30 @@ int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_dup is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_dup") -int handle_sys_enter_dup(struct syscall_trace_enter *ctx) { +/// sys_enter_getresuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getresuid") +int handle_sys_enter_getresuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_DUP; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRESUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_dup is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_dup") -int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { +/// sys_exit_getresuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getresuid") +int handle_sys_exit_getresuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2834,7 +14222,7 @@ int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_DUP; + ev->trace_id = SYS_EXIT_GETRESUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2845,31 +14233,30 @@ int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_getdents is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_getdents") -int handle_sys_enter_getdents(struct syscall_trace_enter *ctx) { +/// sys_enter_setresgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setresgid") +int handle_sys_enter_setresgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETRESGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_getdents is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_getdents") -int handle_sys_exit_getdents(struct syscall_trace_exit *ctx) { +/// sys_exit_setresgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setresgid") +int handle_sys_exit_setresgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2879,42 +14266,41 @@ int handle_sys_exit_getdents(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS; + ev->trace_id = SYS_EXIT_SETRESGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_getdents64 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_getdents64") -int handle_sys_enter_getdents64(struct syscall_trace_enter *ctx) { +/// sys_enter_getresgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getresgid") +int handle_sys_enter_getresgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_GETDENTS64; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRESGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_getdents64 is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_getdents64") -int handle_sys_exit_getdents64(struct syscall_trace_exit *ctx) { +/// sys_exit_getresgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getresgid") +int handle_sys_exit_getresgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -2924,42 +14310,41 @@ int handle_sys_exit_getdents64(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_GETDENTS64; + ev->trace_id = SYS_EXIT_GETRESGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_ioctl is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_ioctl") -int handle_sys_enter_ioctl(struct syscall_trace_enter *ctx) { +/// sys_enter_setfsuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setfsuid") +int handle_sys_enter_setfsuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_IOCTL; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETFSUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_ioctl is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_ioctl") -int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) { +/// sys_exit_setfsuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setfsuid") +int handle_sys_exit_setfsuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -2969,7 +14354,7 @@ int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_IOCTL; + ev->trace_id = SYS_EXIT_SETFSUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -2980,33 +14365,30 @@ int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fcntl is a struct fcntl_event -SEC("tracepoint/syscalls/sys_enter_fcntl") -int handle_sys_enter_fcntl(struct syscall_trace_enter *ctx) { +/// sys_enter_setfsgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setfsgid") +int handle_sys_enter_setfsgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FCNTL_EVENT; - ev->trace_id = SYS_ENTER_FCNTL; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETFSGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = ctx->args[0]; - ev->cmd = ctx->args[1]; - ev->arg = ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fcntl is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fcntl") -int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { +/// sys_exit_setfsgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setfsgid") +int handle_sys_exit_setfsgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3016,7 +14398,7 @@ int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCNTL; + ev->trace_id = SYS_EXIT_SETFSGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3027,32 +14409,30 @@ int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_mkdirat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_mkdirat") -int handle_sys_enter_mkdirat(struct syscall_trace_enter *ctx) { +/// sys_enter_getpid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpid") +int handle_sys_enter_getpid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIRAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_mkdirat") -int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) { +/// sys_exit_getpid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpid") +int handle_sys_exit_getpid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3062,7 +14442,7 @@ int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIRAT; + ev->trace_id = SYS_EXIT_GETPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3073,32 +14453,30 @@ int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_mkdir is a struct path_event -SEC("tracepoint/syscalls/sys_enter_mkdir") -int handle_sys_enter_mkdir(struct syscall_trace_enter *ctx) { +/// sys_enter_gettid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_gettid") +int handle_sys_enter_gettid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_MKDIR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETTID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_mkdir is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_mkdir") -int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) { +/// sys_exit_gettid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_gettid") +int handle_sys_exit_gettid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3108,7 +14486,7 @@ int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MKDIR; + ev->trace_id = SYS_EXIT_GETTID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3119,32 +14497,30 @@ int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_rmdir is a struct path_event -SEC("tracepoint/syscalls/sys_enter_rmdir") -int handle_sys_enter_rmdir(struct syscall_trace_enter *ctx) { +/// sys_enter_getppid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getppid") +int handle_sys_enter_getppid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_RMDIR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_rmdir is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_rmdir") -int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) { +/// sys_exit_getppid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getppid") +int handle_sys_exit_getppid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3154,7 +14530,7 @@ int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RMDIR; + ev->trace_id = SYS_EXIT_GETPPID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3165,32 +14541,30 @@ int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_unlinkat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_unlinkat") -int handle_sys_enter_unlinkat(struct syscall_trace_enter *ctx) { +/// sys_enter_getuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getuid") +int handle_sys_enter_getuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINKAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_unlinkat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_unlinkat") -int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) { +/// sys_exit_getuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getuid") +int handle_sys_exit_getuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3200,7 +14574,7 @@ int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINKAT; + ev->trace_id = SYS_EXIT_GETUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3211,32 +14585,30 @@ int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_unlink is a struct path_event -SEC("tracepoint/syscalls/sys_enter_unlink") -int handle_sys_enter_unlink(struct syscall_trace_enter *ctx) { +/// sys_enter_geteuid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_geteuid") +int handle_sys_enter_geteuid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_UNLINK; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETEUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_unlink is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_unlink") -int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) { +/// sys_exit_geteuid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_geteuid") +int handle_sys_exit_geteuid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3246,7 +14618,7 @@ int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_UNLINK; + ev->trace_id = SYS_EXIT_GETEUID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3257,33 +14629,30 @@ int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_symlinkat is a struct name_event -SEC("tracepoint/syscalls/sys_enter_symlinkat") -int handle_sys_enter_symlinkat(struct syscall_trace_enter *ctx) { +/// sys_enter_getgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getgid") +int handle_sys_enter_getgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINKAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[2]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_symlinkat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_symlinkat") -int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) { +/// sys_exit_getgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getgid") +int handle_sys_exit_getgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3293,7 +14662,7 @@ int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINKAT; + ev->trace_id = SYS_EXIT_GETGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3304,33 +14673,30 @@ int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_symlink is a struct name_event -SEC("tracepoint/syscalls/sys_enter_symlink") -int handle_sys_enter_symlink(struct syscall_trace_enter *ctx) { +/// sys_enter_getegid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getegid") +int handle_sys_enter_getegid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_SYMLINK; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETEGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; -} - -/// sys_exit_symlink is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_symlink") -int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) { +} + +/// sys_exit_getegid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getegid") +int handle_sys_exit_getegid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3340,7 +14706,7 @@ int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYMLINK; + ev->trace_id = SYS_EXIT_GETEGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3351,33 +14717,30 @@ int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_linkat is a struct name_event -SEC("tracepoint/syscalls/sys_enter_linkat") -int handle_sys_enter_linkat(struct syscall_trace_enter *ctx) { +/// sys_enter_times is a struct null_event +SEC("tracepoint/syscalls/sys_enter_times") +int handle_sys_enter_times(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINKAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TIMES; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_linkat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_linkat") -int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) { +/// sys_exit_times is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_times") +int handle_sys_exit_times(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3387,7 +14750,7 @@ int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINKAT; + ev->trace_id = SYS_EXIT_TIMES; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3398,33 +14761,30 @@ int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_link is a struct name_event -SEC("tracepoint/syscalls/sys_enter_link") -int handle_sys_enter_link(struct syscall_trace_enter *ctx) { +/// sys_enter_setpgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setpgid") +int handle_sys_enter_setpgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_LINK; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_link is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_link") -int handle_sys_exit_link(struct syscall_trace_exit *ctx) { +/// sys_exit_setpgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setpgid") +int handle_sys_exit_setpgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3434,7 +14794,7 @@ int handle_sys_exit_link(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LINK; + ev->trace_id = SYS_EXIT_SETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3445,33 +14805,30 @@ int handle_sys_exit_link(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_renameat2 is a struct name_event -SEC("tracepoint/syscalls/sys_enter_renameat2") -int handle_sys_enter_renameat2(struct syscall_trace_enter *ctx) { +/// sys_enter_getpgid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpgid") +int handle_sys_enter_getpgid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_renameat2 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_renameat2") -int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) { +/// sys_exit_getpgid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpgid") +int handle_sys_exit_getpgid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3481,7 +14838,7 @@ int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT2; + ev->trace_id = SYS_EXIT_GETPGID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3492,33 +14849,30 @@ int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_renameat is a struct name_event -SEC("tracepoint/syscalls/sys_enter_renameat") -int handle_sys_enter_renameat(struct syscall_trace_enter *ctx) { +/// sys_enter_getpgrp is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getpgrp") +int handle_sys_enter_getpgrp(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAMEAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETPGRP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[1]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[3]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_renameat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_renameat") -int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) { +/// sys_exit_getpgrp is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getpgrp") +int handle_sys_exit_getpgrp(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3528,7 +14882,7 @@ int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAMEAT; + ev->trace_id = SYS_EXIT_GETPGRP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3539,33 +14893,30 @@ int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_rename is a struct name_event -SEC("tracepoint/syscalls/sys_enter_rename") -int handle_sys_enter_rename(struct syscall_trace_enter *ctx) { +/// sys_enter_getsid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getsid") +int handle_sys_enter_getsid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NAME_EVENT; - ev->trace_id = SYS_ENTER_RENAME; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_rename is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_rename") -int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { +/// sys_exit_getsid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getsid") +int handle_sys_exit_getsid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3575,7 +14926,7 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_RENAME; + ev->trace_id = SYS_EXIT_GETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3586,32 +14937,30 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_newstat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_newstat") -int handle_sys_enter_newstat(struct syscall_trace_enter *ctx) { +/// sys_enter_setsid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setsid") +int handle_sys_enter_setsid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_NEWSTAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_newstat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_newstat") -int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) { +/// sys_exit_setsid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setsid") +int handle_sys_exit_setsid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3621,7 +14970,7 @@ int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWSTAT; + ev->trace_id = SYS_EXIT_SETSID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3632,32 +14981,30 @@ int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_newlstat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_newlstat") -int handle_sys_enter_newlstat(struct syscall_trace_enter *ctx) { +/// sys_enter_newuname is a struct null_event +SEC("tracepoint/syscalls/sys_enter_newuname") +int handle_sys_enter_newuname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_NEWLSTAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_NEWUNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_newlstat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_newlstat") -int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) { +/// sys_exit_newuname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_newuname") +int handle_sys_exit_newuname(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3667,7 +15014,7 @@ int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWLSTAT; + ev->trace_id = SYS_EXIT_NEWUNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3678,32 +15025,30 @@ int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_newfstatat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_newfstatat") -int handle_sys_enter_newfstatat(struct syscall_trace_enter *ctx) { +/// sys_enter_sethostname is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sethostname") +int handle_sys_enter_sethostname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTATAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETHOSTNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_newfstatat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_newfstatat") -int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) { +/// sys_exit_sethostname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sethostname") +int handle_sys_exit_sethostname(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3713,7 +15058,7 @@ int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTATAT; + ev->trace_id = SYS_EXIT_SETHOSTNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3724,31 +15069,30 @@ int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_newfstat is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_newfstat") -int handle_sys_enter_newfstat(struct syscall_trace_enter *ctx) { +/// sys_enter_setdomainname is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setdomainname") +int handle_sys_enter_setdomainname(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_NEWFSTAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETDOMAINNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_newfstat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_newfstat") -int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) { +/// sys_exit_setdomainname is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setdomainname") +int handle_sys_exit_setdomainname(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3758,7 +15102,7 @@ int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_NEWFSTAT; + ev->trace_id = SYS_EXIT_SETDOMAINNAME; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3769,32 +15113,30 @@ int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_readlinkat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_readlinkat") -int handle_sys_enter_readlinkat(struct syscall_trace_enter *ctx) { +/// sys_enter_getrlimit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getrlimit") +int handle_sys_enter_getrlimit(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_READLINKAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRLIMIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_readlinkat is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_readlinkat") -int handle_sys_exit_readlinkat(struct syscall_trace_exit *ctx) { +/// sys_exit_getrlimit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getrlimit") +int handle_sys_exit_getrlimit(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -3804,43 +15146,41 @@ int handle_sys_exit_readlinkat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READLINKAT; + ev->trace_id = SYS_EXIT_GETRLIMIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_readlink is a struct path_event -SEC("tracepoint/syscalls/sys_enter_readlink") -int handle_sys_enter_readlink(struct syscall_trace_enter *ctx) { +/// sys_enter_prlimit64 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_prlimit64") +int handle_sys_enter_prlimit64(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_READLINK; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PRLIMIT64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_readlink is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_readlink") -int handle_sys_exit_readlink(struct syscall_trace_exit *ctx) { +/// sys_exit_prlimit64 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_prlimit64") +int handle_sys_exit_prlimit64(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -3850,43 +15190,41 @@ int handle_sys_exit_readlink(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READLINK; + ev->trace_id = SYS_EXIT_PRLIMIT64; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_statx is a struct path_event -SEC("tracepoint/syscalls/sys_enter_statx") -int handle_sys_enter_statx(struct syscall_trace_enter *ctx) { +/// sys_enter_setrlimit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_setrlimit") +int handle_sys_enter_setrlimit(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_STATX; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SETRLIMIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_statx is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_statx") -int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { +/// sys_exit_setrlimit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_setrlimit") +int handle_sys_exit_setrlimit(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3896,7 +15234,7 @@ int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_STATX; + ev->trace_id = SYS_EXIT_SETRLIMIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3907,31 +15245,30 @@ int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_lseek is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_lseek") -int handle_sys_enter_lseek(struct syscall_trace_enter *ctx) { +/// sys_enter_getrusage is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getrusage") +int handle_sys_enter_getrusage(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_LSEEK; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETRUSAGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_lseek is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_lseek") -int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { +/// sys_exit_getrusage is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getrusage") +int handle_sys_exit_getrusage(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -3941,7 +15278,7 @@ int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LSEEK; + ev->trace_id = SYS_EXIT_GETRUSAGE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -3952,31 +15289,30 @@ int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_read is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_read") -int handle_sys_enter_read(struct syscall_trace_enter *ctx) { +/// sys_enter_umask is a struct null_event +SEC("tracepoint/syscalls/sys_enter_umask") +int handle_sys_enter_umask(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READ; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UMASK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_read is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_read") -int handle_sys_exit_read(struct syscall_trace_exit *ctx) { +/// sys_exit_umask is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_umask") +int handle_sys_exit_umask(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -3986,42 +15322,41 @@ int handle_sys_exit_read(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READ; + ev->trace_id = SYS_EXIT_UMASK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_write is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_write") -int handle_sys_enter_write(struct syscall_trace_enter *ctx) { +/// sys_enter_prctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_prctl") +int handle_sys_enter_prctl(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_WRITE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PRCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_write is a struct ret_event (WRITE_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_write") -int handle_sys_exit_write(struct syscall_trace_exit *ctx) { +/// sys_exit_prctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_prctl") +int handle_sys_exit_prctl(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4031,42 +15366,41 @@ int handle_sys_exit_write(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_WRITE; + ev->trace_id = SYS_EXIT_PRCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = WRITE_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_pread64 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_pread64") -int handle_sys_enter_pread64(struct syscall_trace_enter *ctx) { +/// sys_enter_getcpu is a struct null_event +SEC("tracepoint/syscalls/sys_enter_getcpu") +int handle_sys_enter_getcpu(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PREAD64; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_GETCPU; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_pread64") -int handle_sys_exit_pread64(struct syscall_trace_exit *ctx) { +/// sys_exit_getcpu is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_getcpu") +int handle_sys_exit_getcpu(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4076,42 +15410,41 @@ int handle_sys_exit_pread64(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREAD64; + ev->trace_id = SYS_EXIT_GETCPU; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_pwrite64 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_pwrite64") -int handle_sys_enter_pwrite64(struct syscall_trace_enter *ctx) { +/// sys_enter_sysinfo is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sysinfo") +int handle_sys_enter_sysinfo(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITE64; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SYSINFO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pwrite64 is a struct ret_event (WRITE_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_pwrite64") -int handle_sys_exit_pwrite64(struct syscall_trace_exit *ctx) { +/// sys_exit_sysinfo is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sysinfo") +int handle_sys_exit_sysinfo(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4121,42 +15454,41 @@ int handle_sys_exit_pwrite64(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITE64; + ev->trace_id = SYS_EXIT_SYSINFO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = WRITE_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } - -/// sys_enter_readv is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_readv") -int handle_sys_enter_readv(struct syscall_trace_enter *ctx) { + +/// sys_enter_restart_syscall is a struct null_event +SEC("tracepoint/syscalls/sys_enter_restart_syscall") +int handle_sys_enter_restart_syscall(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READV; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RESTART_SYSCALL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_readv is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_readv") -int handle_sys_exit_readv(struct syscall_trace_exit *ctx) { +/// sys_exit_restart_syscall is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_restart_syscall") +int handle_sys_exit_restart_syscall(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4166,42 +15498,41 @@ int handle_sys_exit_readv(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READV; + ev->trace_id = SYS_EXIT_RESTART_SYSCALL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_writev is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_writev") -int handle_sys_enter_writev(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigprocmask is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigprocmask") +int handle_sys_enter_rt_sigprocmask(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_WRITEV; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGPROCMASK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_writev is a struct ret_event (WRITE_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_writev") -int handle_sys_exit_writev(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigprocmask is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigprocmask") +int handle_sys_exit_rt_sigprocmask(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4211,42 +15542,41 @@ int handle_sys_exit_writev(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_WRITEV; + ev->trace_id = SYS_EXIT_RT_SIGPROCMASK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = WRITE_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_preadv is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_preadv") -int handle_sys_enter_preadv(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigpending is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigpending") +int handle_sys_enter_rt_sigpending(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PREADV; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGPENDING; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_preadv is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_preadv") -int handle_sys_exit_preadv(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigpending is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigpending") +int handle_sys_exit_rt_sigpending(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4256,42 +15586,41 @@ int handle_sys_exit_preadv(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREADV; + ev->trace_id = SYS_EXIT_RT_SIGPENDING; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_preadv2 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_preadv2") -int handle_sys_enter_preadv2(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigtimedwait is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigtimedwait") +int handle_sys_enter_rt_sigtimedwait(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PREADV2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGTIMEDWAIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_preadv2") -int handle_sys_exit_preadv2(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigtimedwait is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigtimedwait") +int handle_sys_exit_rt_sigtimedwait(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4301,42 +15630,41 @@ int handle_sys_exit_preadv2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PREADV2; + ev->trace_id = SYS_EXIT_RT_SIGTIMEDWAIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_pwritev is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_pwritev") -int handle_sys_enter_pwritev(struct syscall_trace_enter *ctx) { +/// sys_enter_kill is a struct null_event +SEC("tracepoint/syscalls/sys_enter_kill") +int handle_sys_enter_kill(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITEV; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_KILL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pwritev is a struct ret_event (WRITE_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_pwritev") -int handle_sys_exit_pwritev(struct syscall_trace_exit *ctx) { +/// sys_exit_kill is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_kill") +int handle_sys_exit_kill(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4346,42 +15674,41 @@ int handle_sys_exit_pwritev(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITEV; + ev->trace_id = SYS_EXIT_KILL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = WRITE_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_pwritev2 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_pwritev2") -int handle_sys_enter_pwritev2(struct syscall_trace_enter *ctx) { +/// sys_enter_pidfd_send_signal is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pidfd_send_signal") +int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PWRITEV2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PIDFD_SEND_SIGNAL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pwritev2 is a struct ret_event (WRITE_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_pwritev2") -int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { +/// sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pidfd_send_signal") +int handle_sys_exit_pidfd_send_signal(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4391,42 +15718,41 @@ int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PWRITEV2; + ev->trace_id = SYS_EXIT_PIDFD_SEND_SIGNAL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = WRITE_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_copy_file_range is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_copy_file_range") -int handle_sys_enter_copy_file_range(struct syscall_trace_enter *ctx) { +/// sys_enter_tgkill is a struct null_event +SEC("tracepoint/syscalls/sys_enter_tgkill") +int handle_sys_enter_tgkill(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_COPY_FILE_RANGE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TGKILL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_copy_file_range") -int handle_sys_exit_copy_file_range(struct syscall_trace_exit *ctx) { +/// sys_exit_tgkill is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_tgkill") +int handle_sys_exit_tgkill(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4436,43 +15762,41 @@ int handle_sys_exit_copy_file_range(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_COPY_FILE_RANGE; + ev->trace_id = SYS_EXIT_TGKILL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = TRANSFER_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_truncate is a struct path_event -SEC("tracepoint/syscalls/sys_enter_truncate") -int handle_sys_enter_truncate(struct syscall_trace_enter *ctx) { +/// sys_enter_tkill is a struct null_event +SEC("tracepoint/syscalls/sys_enter_tkill") +int handle_sys_enter_tkill(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_TRUNCATE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_TKILL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_truncate is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_truncate") -int handle_sys_exit_truncate(struct syscall_trace_exit *ctx) { +/// sys_exit_tkill is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_tkill") +int handle_sys_exit_tkill(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -4482,7 +15806,7 @@ int handle_sys_exit_truncate(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_TRUNCATE; + ev->trace_id = SYS_EXIT_TKILL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -4493,31 +15817,30 @@ int handle_sys_exit_truncate(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_ftruncate is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_ftruncate") -int handle_sys_enter_ftruncate(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigqueueinfo is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigqueueinfo") +int handle_sys_enter_rt_sigqueueinfo(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FTRUNCATE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGQUEUEINFO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_ftruncate is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_ftruncate") -int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigqueueinfo is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigqueueinfo") +int handle_sys_exit_rt_sigqueueinfo(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4527,7 +15850,7 @@ int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FTRUNCATE; + ev->trace_id = SYS_EXIT_RT_SIGQUEUEINFO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4538,31 +15861,30 @@ int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fallocate is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fallocate") -int handle_sys_enter_fallocate(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_tgsigqueueinfo is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_tgsigqueueinfo") +int handle_sys_enter_rt_tgsigqueueinfo(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FALLOCATE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_TGSIGQUEUEINFO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fallocate") -int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_tgsigqueueinfo is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_tgsigqueueinfo") +int handle_sys_exit_rt_tgsigqueueinfo(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4572,7 +15894,7 @@ int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FALLOCATE; + ev->trace_id = SYS_EXIT_RT_TGSIGQUEUEINFO; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4583,32 +15905,30 @@ int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_faccessat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_faccessat") -int handle_sys_enter_faccessat(struct syscall_trace_enter *ctx) { +/// sys_enter_sigaltstack is a struct null_event +SEC("tracepoint/syscalls/sys_enter_sigaltstack") +int handle_sys_enter_sigaltstack(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FACCESSAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SIGALTSTACK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_faccessat") -int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx) { +/// sys_exit_sigaltstack is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_sigaltstack") +int handle_sys_exit_sigaltstack(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4618,7 +15938,7 @@ int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FACCESSAT; + ev->trace_id = SYS_EXIT_SIGALTSTACK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4629,32 +15949,30 @@ int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_faccessat2 is a struct path_event -SEC("tracepoint/syscalls/sys_enter_faccessat2") -int handle_sys_enter_faccessat2(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigaction is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigaction") +int handle_sys_enter_rt_sigaction(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FACCESSAT2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGACTION; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_faccessat2") -int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigaction is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigaction") +int handle_sys_exit_rt_sigaction(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4664,7 +15982,7 @@ int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FACCESSAT2; + ev->trace_id = SYS_EXIT_RT_SIGACTION; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4675,32 +15993,30 @@ int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_access is a struct path_event -SEC("tracepoint/syscalls/sys_enter_access") -int handle_sys_enter_access(struct syscall_trace_enter *ctx) { +/// sys_enter_pause is a struct null_event +SEC("tracepoint/syscalls/sys_enter_pause") +int handle_sys_enter_pause(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_ACCESS; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PAUSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_access is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_access") -int handle_sys_exit_access(struct syscall_trace_exit *ctx) { +/// sys_exit_pause is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_pause") +int handle_sys_exit_pause(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4710,7 +16026,7 @@ int handle_sys_exit_access(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_ACCESS; + ev->trace_id = SYS_EXIT_PAUSE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4721,32 +16037,30 @@ int handle_sys_exit_access(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_chdir is a struct path_event -SEC("tracepoint/syscalls/sys_enter_chdir") -int handle_sys_enter_chdir(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigsuspend is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigsuspend") +int handle_sys_enter_rt_sigsuspend(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CHDIR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGSUSPEND; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_chdir is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_chdir") -int handle_sys_exit_chdir(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigsuspend is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigsuspend") +int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4756,7 +16070,7 @@ int handle_sys_exit_chdir(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHDIR; + ev->trace_id = SYS_EXIT_RT_SIGSUSPEND; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4767,31 +16081,30 @@ int handle_sys_exit_chdir(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fchdir is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fchdir") -int handle_sys_enter_fchdir(struct syscall_trace_enter *ctx) { +/// sys_enter_ptrace is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ptrace") +int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHDIR; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PTRACE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fchdir") -int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx) { +/// sys_exit_ptrace is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ptrace") +int handle_sys_exit_ptrace(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4801,7 +16114,7 @@ int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHDIR; + ev->trace_id = SYS_EXIT_PTRACE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4812,32 +16125,30 @@ int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_chroot is a struct path_event -SEC("tracepoint/syscalls/sys_enter_chroot") -int handle_sys_enter_chroot(struct syscall_trace_enter *ctx) { +/// sys_enter_capget is a struct null_event +SEC("tracepoint/syscalls/sys_enter_capget") +int handle_sys_enter_capget(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CHROOT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CAPGET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_chroot is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_chroot") -int handle_sys_exit_chroot(struct syscall_trace_exit *ctx) { +/// sys_exit_capget is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_capget") +int handle_sys_exit_capget(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4847,7 +16158,7 @@ int handle_sys_exit_chroot(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHROOT; + ev->trace_id = SYS_EXIT_CAPGET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4858,31 +16169,30 @@ int handle_sys_exit_chroot(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fchmod is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fchmod") -int handle_sys_enter_fchmod(struct syscall_trace_enter *ctx) { +/// sys_enter_capset is a struct null_event +SEC("tracepoint/syscalls/sys_enter_capset") +int handle_sys_enter_capset(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHMOD; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CAPSET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fchmod") -int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx) { +/// sys_exit_capset is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_capset") +int handle_sys_exit_capset(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4892,7 +16202,7 @@ int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMOD; + ev->trace_id = SYS_EXIT_CAPSET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4903,32 +16213,30 @@ int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fchmodat2 is a struct path_event -SEC("tracepoint/syscalls/sys_enter_fchmodat2") -int handle_sys_enter_fchmodat2(struct syscall_trace_enter *ctx) { +/// sys_enter_exit is a struct null_event +SEC("tracepoint/syscalls/sys_enter_exit") +int handle_sys_enter_exit(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FCHMODAT2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EXIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fchmodat2 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fchmodat2") -int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx) { +/// sys_exit_exit is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_exit") +int handle_sys_exit_exit(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4938,7 +16246,7 @@ int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMODAT2; + ev->trace_id = SYS_EXIT_EXIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4949,32 +16257,30 @@ int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fchmodat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_fchmodat") -int handle_sys_enter_fchmodat(struct syscall_trace_enter *ctx) { +/// sys_enter_exit_group is a struct null_event +SEC("tracepoint/syscalls/sys_enter_exit_group") +int handle_sys_enter_exit_group(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FCHMODAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_EXIT_GROUP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fchmodat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fchmodat") -int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx) { +/// sys_exit_exit_group is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_exit_group") +int handle_sys_exit_exit_group(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -4984,7 +16290,7 @@ int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHMODAT; + ev->trace_id = SYS_EXIT_EXIT_GROUP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -4995,32 +16301,30 @@ int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_chmod is a struct path_event -SEC("tracepoint/syscalls/sys_enter_chmod") -int handle_sys_enter_chmod(struct syscall_trace_enter *ctx) { +/// sys_enter_waitid is a struct null_event +SEC("tracepoint/syscalls/sys_enter_waitid") +int handle_sys_enter_waitid(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CHMOD; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_WAITID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_chmod is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_chmod") -int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) { +/// sys_exit_waitid is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_waitid") +int handle_sys_exit_waitid(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5030,7 +16334,7 @@ int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHMOD; + ev->trace_id = SYS_EXIT_WAITID; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5041,32 +16345,30 @@ int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fchownat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_fchownat") -int handle_sys_enter_fchownat(struct syscall_trace_enter *ctx) { +/// sys_enter_wait4 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_wait4") +int handle_sys_enter_wait4(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_FCHOWNAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_WAIT4; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fchownat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fchownat") -int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) { +/// sys_exit_wait4 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_wait4") +int handle_sys_exit_wait4(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5076,7 +16378,7 @@ int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWNAT; + ev->trace_id = SYS_EXIT_WAIT4; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5087,32 +16389,30 @@ int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_chown is a struct path_event -SEC("tracepoint/syscalls/sys_enter_chown") -int handle_sys_enter_chown(struct syscall_trace_enter *ctx) { +/// sys_enter_personality is a struct null_event +SEC("tracepoint/syscalls/sys_enter_personality") +int handle_sys_enter_personality(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CHOWN; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_PERSONALITY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_chown is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_chown") -int handle_sys_exit_chown(struct syscall_trace_exit *ctx) { +/// sys_exit_personality is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_personality") +int handle_sys_exit_personality(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5122,7 +16422,7 @@ int handle_sys_exit_chown(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CHOWN; + ev->trace_id = SYS_EXIT_PERSONALITY; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5133,32 +16433,30 @@ int handle_sys_exit_chown(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_lchown is a struct path_event -SEC("tracepoint/syscalls/sys_enter_lchown") -int handle_sys_enter_lchown(struct syscall_trace_enter *ctx) { +/// sys_enter_set_tid_address is a struct null_event +SEC("tracepoint/syscalls/sys_enter_set_tid_address") +int handle_sys_enter_set_tid_address(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_LCHOWN; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_SET_TID_ADDRESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_lchown is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_lchown") -int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) { +/// sys_exit_set_tid_address is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_set_tid_address") +int handle_sys_exit_set_tid_address(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5168,7 +16466,7 @@ int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_LCHOWN; + ev->trace_id = SYS_EXIT_SET_TID_ADDRESS; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5179,31 +16477,30 @@ int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fchown is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fchown") -int handle_sys_enter_fchown(struct syscall_trace_enter *ctx) { +/// sys_enter_fork is a struct null_event +SEC("tracepoint/syscalls/sys_enter_fork") +int handle_sys_enter_fork(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FCHOWN; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_FORK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fchown is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fchown") -int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) { +/// sys_exit_fork is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_fork") +int handle_sys_exit_fork(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5213,7 +16510,7 @@ int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FCHOWN; + ev->trace_id = SYS_EXIT_FORK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5224,34 +16521,30 @@ int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_open is a struct open_event -SEC("tracepoint/syscalls/sys_enter_open") -int handle_sys_enter_open(struct syscall_trace_enter *ctx) { +/// sys_enter_vfork is a struct null_event +SEC("tracepoint/syscalls/sys_enter_vfork") +int handle_sys_enter_vfork(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPEN; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_VFORK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[1]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_open is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_open") -int handle_sys_exit_open(struct syscall_trace_exit *ctx) { +/// sys_exit_vfork is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_vfork") +int handle_sys_exit_vfork(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5261,7 +16554,7 @@ int handle_sys_exit_open(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPEN; + ev->trace_id = SYS_EXIT_VFORK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5272,34 +16565,30 @@ int handle_sys_exit_open(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_openat is a struct open_event -SEC("tracepoint/syscalls/sys_enter_openat") -int handle_sys_enter_openat(struct syscall_trace_enter *ctx) { +/// sys_enter_clone is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clone") +int handle_sys_enter_clone(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPENAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLONE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = ctx->args[2]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_openat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_openat") -int handle_sys_exit_openat(struct syscall_trace_exit *ctx) { +/// sys_exit_clone is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clone") +int handle_sys_exit_clone(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5309,7 +16598,7 @@ int handle_sys_exit_openat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPENAT; + ev->trace_id = SYS_EXIT_CLONE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5320,34 +16609,30 @@ int handle_sys_exit_openat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_openat2 is a struct open_event -SEC("tracepoint/syscalls/sys_enter_openat2") -int handle_sys_enter_openat2(struct syscall_trace_enter *ctx) { +/// sys_enter_clone3 is a struct null_event +SEC("tracepoint/syscalls/sys_enter_clone3") +int handle_sys_enter_clone3(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_OPEN_EVENT; - ev->trace_id = SYS_ENTER_OPENAT2; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_CLONE3; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm)); - bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); - bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); - ev->flags = -1; // Probably OK bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_openat2 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_openat2") -int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) { +/// sys_exit_clone3 is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_clone3") +int handle_sys_exit_clone3(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5357,7 +16642,7 @@ int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_OPENAT2; + ev->trace_id = SYS_EXIT_CLONE3; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5368,32 +16653,30 @@ int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_creat is a struct path_event -SEC("tracepoint/syscalls/sys_enter_creat") -int handle_sys_enter_creat(struct syscall_trace_enter *ctx) { +/// sys_enter_unshare is a struct null_event +SEC("tracepoint/syscalls/sys_enter_unshare") +int handle_sys_enter_unshare(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_PATH_EVENT; - ev->trace_id = SYS_ENTER_CREAT; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UNSHARE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname)); - bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]); bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_creat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_creat") -int handle_sys_exit_creat(struct syscall_trace_exit *ctx) { +/// sys_exit_unshare is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_unshare") +int handle_sys_exit_unshare(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5403,7 +16686,7 @@ int handle_sys_exit_creat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CREAT; + ev->trace_id = SYS_EXIT_UNSHARE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5414,31 +16697,30 @@ int handle_sys_exit_creat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_close is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_close") -int handle_sys_enter_close(struct syscall_trace_enter *ctx) { +/// sys_enter_map_shadow_stack is a struct null_event +SEC("tracepoint/syscalls/sys_enter_map_shadow_stack") +int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CLOSE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MAP_SHADOW_STACK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_close is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_close") -int handle_sys_exit_close(struct syscall_trace_exit *ctx) { +/// sys_exit_map_shadow_stack is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_map_shadow_stack") +int handle_sys_exit_map_shadow_stack(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5448,7 +16730,7 @@ int handle_sys_exit_close(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CLOSE; + ev->trace_id = SYS_EXIT_MAP_SHADOW_STACK; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5459,9 +16741,9 @@ int handle_sys_exit_close(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_msync is a struct null_event -SEC("tracepoint/syscalls/sys_enter_msync") -int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { +/// sys_enter_uretprobe is a struct null_event +SEC("tracepoint/syscalls/sys_enter_uretprobe") +int handle_sys_enter_uretprobe(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5471,7 +16753,7 @@ int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_MSYNC; + ev->trace_id = SYS_ENTER_URETPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -5480,9 +16762,9 @@ int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_msync is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_msync") -int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { +/// sys_exit_uretprobe is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_uretprobe") +int handle_sys_exit_uretprobe(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5492,7 +16774,7 @@ int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MSYNC; + ev->trace_id = SYS_EXIT_URETPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5503,31 +16785,30 @@ int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_readahead is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_readahead") -int handle_sys_enter_readahead(struct syscall_trace_enter *ctx) { +/// sys_enter_uprobe is a struct null_event +SEC("tracepoint/syscalls/sys_enter_uprobe") +int handle_sys_enter_uprobe(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_READAHEAD; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_UPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_readahead is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_readahead") -int handle_sys_exit_readahead(struct syscall_trace_exit *ctx) { +/// sys_exit_uprobe is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_uprobe") +int handle_sys_exit_uprobe(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5537,7 +16818,7 @@ int handle_sys_exit_readahead(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_READAHEAD; + ev->trace_id = SYS_EXIT_UPROBE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5548,31 +16829,30 @@ int handle_sys_exit_readahead(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fadvise64 is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_fadvise64") -int handle_sys_enter_fadvise64(struct syscall_trace_enter *ctx) { +/// sys_enter_arch_prctl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_arch_prctl") +int handle_sys_enter_arch_prctl(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FADVISE64; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_ARCH_PRCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_fadvise64") -int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { +/// sys_exit_arch_prctl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_arch_prctl") +int handle_sys_exit_arch_prctl(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5582,7 +16862,7 @@ int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FADVISE64; + ev->trace_id = SYS_EXIT_ARCH_PRCTL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5593,9 +16873,9 @@ int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_cachestat is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_cachestat") -int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx) { +/// sys_enter_mmap is a struct fd_event +SEC("tracepoint/syscalls/sys_enter_mmap") +int handle_sys_enter_mmap(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5605,19 +16885,19 @@ int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_CACHESTAT; + ev->trace_id = SYS_ENTER_MMAP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; + ev->fd = (__s32)ctx->args[4]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_cachestat is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_cachestat") -int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { +/// sys_exit_mmap is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_mmap") +int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5627,7 +16907,7 @@ int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_CACHESTAT; + ev->trace_id = SYS_EXIT_MMAP; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5638,31 +16918,30 @@ int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_finit_module is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_finit_module") -int handle_sys_enter_finit_module(struct syscall_trace_enter *ctx) { +/// sys_enter_modify_ldt is a struct null_event +SEC("tracepoint/syscalls/sys_enter_modify_ldt") +int handle_sys_enter_modify_ldt(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_FINIT_MODULE; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_MODIFY_LDT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_finit_module is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_finit_module") -int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx) { +/// sys_exit_modify_ldt is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_modify_ldt") +int handle_sys_exit_modify_ldt(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5672,7 +16951,7 @@ int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_FINIT_MODULE; + ev->trace_id = SYS_EXIT_MODIFY_LDT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5683,9 +16962,9 @@ int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_syslog is a struct null_event -SEC("tracepoint/syscalls/sys_enter_syslog") -int handle_sys_enter_syslog(struct syscall_trace_enter *ctx) { +/// sys_enter_ioperm is a struct null_event +SEC("tracepoint/syscalls/sys_enter_ioperm") +int handle_sys_enter_ioperm(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5695,7 +16974,7 @@ int handle_sys_enter_syslog(struct syscall_trace_enter *ctx) { return 0; ev->event_type = ENTER_NULL_EVENT; - ev->trace_id = SYS_ENTER_SYSLOG; + ev->trace_id = SYS_ENTER_IOPERM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); @@ -5704,9 +16983,9 @@ int handle_sys_enter_syslog(struct syscall_trace_enter *ctx) { return 0; } -/// sys_exit_syslog is a struct ret_event (READ_CLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_syslog") -int handle_sys_exit_syslog(struct syscall_trace_exit *ctx) { +/// sys_exit_ioperm is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_ioperm") +int handle_sys_exit_ioperm(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; 
@@ -5716,42 +16995,41 @@ int handle_sys_exit_syslog(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_SYSLOG; + ev->trace_id = SYS_EXIT_IOPERM; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); ev->ret = ctx->ret; - ev->ret_type = READ_CLASSIFIED; + ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_pidfd_getfd is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_pidfd_getfd") -int handle_sys_enter_pidfd_getfd(struct syscall_trace_enter *ctx) { +/// sys_enter_iopl is a struct null_event +SEC("tracepoint/syscalls/sys_enter_iopl") +int handle_sys_enter_iopl(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_PIDFD_GETFD; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_IOPL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_pidfd_getfd") -int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { +/// sys_exit_iopl is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_iopl") +int handle_sys_exit_iopl(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5761,7 +17039,7 @@ int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_PIDFD_GETFD; + ev->trace_id = SYS_EXIT_IOPL; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); 
@@ -5772,31 +17050,30 @@ int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_mmap is a struct fd_event -SEC("tracepoint/syscalls/sys_enter_mmap") -int handle_sys_enter_mmap(struct syscall_trace_enter *ctx) { +/// sys_enter_rt_sigreturn is a struct null_event +SEC("tracepoint/syscalls/sys_enter_rt_sigreturn") +int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; - struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; - ev->event_type = ENTER_FD_EVENT; - ev->trace_id = SYS_ENTER_MMAP; + ev->event_type = ENTER_NULL_EVENT; + ev->trace_id = SYS_ENTER_RT_SIGRETURN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); - ev->fd = (__s32)ctx->args[4]; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_mmap is a struct ret_event (UNCLASSIFIED) -SEC("tracepoint/syscalls/sys_exit_mmap") -int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { +/// sys_exit_rt_sigreturn is a struct ret_event (UNCLASSIFIED) +SEC("tracepoint/syscalls/sys_exit_rt_sigreturn") +int handle_sys_exit_rt_sigreturn(struct syscall_trace_exit *ctx) { __u32 pid, tid; if (filter(&pid, &tid)) return 0; @@ -5806,7 +17083,7 @@ int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { return 0; ev->event_type = EXIT_RET_EVENT; - ev->trace_id = SYS_EXIT_MMAP; + ev->trace_id = SYS_EXIT_RT_SIGRETURN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 0d439b4..2cc1e52 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt 
@@ -1,270 +1,54 @@ -Ignoring sys_enter_accept sys_exit_accept as possibly not file I/O related -Ignoring sys_enter_accept4 sys_exit_accept4 as possibly not file I/O related -Ignoring sys_enter_acct sys_exit_acct as possibly not file I/O related -Ignoring sys_enter_add_key sys_exit_add_key as possibly not file I/O related -Ignoring sys_enter_adjtimex sys_exit_adjtimex as possibly not file I/O related -Ignoring sys_enter_alarm sys_exit_alarm as possibly not file I/O related -Ignoring sys_enter_arch_prctl sys_exit_arch_prctl as possibly not file I/O related -Ignoring sys_enter_bind sys_exit_bind as possibly not file I/O related -Ignoring sys_enter_bpf sys_exit_bpf as possibly not file I/O related -Ignoring sys_enter_brk sys_exit_brk as possibly not file I/O related -Ignoring sys_enter_capget sys_exit_capget as possibly not file I/O related -Ignoring sys_enter_capset sys_exit_capset as possibly not file I/O related -Ignoring sys_enter_clock_adjtime sys_exit_clock_adjtime as possibly not file I/O related -Ignoring sys_enter_clock_getres sys_exit_clock_getres as possibly not file I/O related -Ignoring sys_enter_clock_gettime sys_exit_clock_gettime as possibly not file I/O related -Ignoring sys_enter_clock_nanosleep sys_exit_clock_nanosleep as possibly not file I/O related -Ignoring sys_enter_clock_settime sys_exit_clock_settime as possibly not file I/O related -Ignoring sys_enter_clone sys_exit_clone as possibly not file I/O related -Ignoring sys_enter_clone3 sys_exit_clone3 as possibly not file I/O related -Ignoring sys_enter_connect sys_exit_connect as possibly not file I/O related -Ignoring sys_enter_delete_module sys_exit_delete_module as possibly not file I/O related -Ignoring sys_enter_epoll_create sys_exit_epoll_create as possibly not file I/O related -Ignoring sys_enter_epoll_create1 sys_exit_epoll_create1 as possibly not file I/O related -Ignoring sys_enter_epoll_ctl sys_exit_epoll_ctl as possibly not file I/O related -Ignoring sys_enter_epoll_pwait 
sys_exit_epoll_pwait as possibly not file I/O related -Ignoring sys_enter_epoll_pwait2 sys_exit_epoll_pwait2 as possibly not file I/O related -Ignoring sys_enter_epoll_wait sys_exit_epoll_wait as possibly not file I/O related -Ignoring sys_enter_eventfd sys_exit_eventfd as possibly not file I/O related -Ignoring sys_enter_eventfd2 sys_exit_eventfd2 as possibly not file I/O related -Ignoring sys_enter_execve sys_exit_execve as possibly not file I/O related -Ignoring sys_enter_execveat sys_exit_execveat as possibly not file I/O related -Ignoring sys_enter_exit sys_exit_exit as possibly not file I/O related -Ignoring sys_enter_exit_group sys_exit_exit_group as possibly not file I/O related -Ignoring sys_enter_fanotify_init sys_exit_fanotify_init as possibly not file I/O related -Ignoring sys_enter_fork sys_exit_fork as possibly not file I/O related -Ignoring sys_enter_fsmount sys_exit_fsmount as possibly not file I/O related -Ignoring sys_enter_fsopen sys_exit_fsopen as possibly not file I/O related -Ignoring sys_enter_futex sys_exit_futex as possibly not file I/O related -Ignoring sys_enter_futex_requeue sys_exit_futex_requeue as possibly not file I/O related -Ignoring sys_enter_futex_wait sys_exit_futex_wait as possibly not file I/O related -Ignoring sys_enter_futex_waitv sys_exit_futex_waitv as possibly not file I/O related -Ignoring sys_enter_futex_wake sys_exit_futex_wake as possibly not file I/O related -Ignoring sys_enter_get_mempolicy sys_exit_get_mempolicy as possibly not file I/O related -Ignoring sys_enter_get_robust_list sys_exit_get_robust_list as possibly not file I/O related -Ignoring sys_enter_getcpu sys_exit_getcpu as possibly not file I/O related -Ignoring sys_enter_getegid sys_exit_getegid as possibly not file I/O related -Ignoring sys_enter_geteuid sys_exit_geteuid as possibly not file I/O related -Ignoring sys_enter_getgid sys_exit_getgid as possibly not file I/O related -Ignoring sys_enter_getgroups sys_exit_getgroups as possibly not file I/O 
related -Ignoring sys_enter_getitimer sys_exit_getitimer as possibly not file I/O related -Ignoring sys_enter_getpeername sys_exit_getpeername as possibly not file I/O related -Ignoring sys_enter_getpgid sys_exit_getpgid as possibly not file I/O related -Ignoring sys_enter_getpgrp sys_exit_getpgrp as possibly not file I/O related -Ignoring sys_enter_getpid sys_exit_getpid as possibly not file I/O related -Ignoring sys_enter_getppid sys_exit_getppid as possibly not file I/O related -Ignoring sys_enter_getpriority sys_exit_getpriority as possibly not file I/O related -Ignoring sys_enter_getrandom sys_exit_getrandom as possibly not file I/O related -Ignoring sys_enter_getresgid sys_exit_getresgid as possibly not file I/O related -Ignoring sys_enter_getresuid sys_exit_getresuid as possibly not file I/O related -Ignoring sys_enter_getrlimit sys_exit_getrlimit as possibly not file I/O related -Ignoring sys_enter_getrusage sys_exit_getrusage as possibly not file I/O related -Ignoring sys_enter_getsid sys_exit_getsid as possibly not file I/O related -Ignoring sys_enter_getsockname sys_exit_getsockname as possibly not file I/O related -Ignoring sys_enter_getsockopt sys_exit_getsockopt as possibly not file I/O related -Ignoring sys_enter_gettid sys_exit_gettid as possibly not file I/O related -Ignoring sys_enter_gettimeofday sys_exit_gettimeofday as possibly not file I/O related -Ignoring sys_enter_getuid sys_exit_getuid as possibly not file I/O related -Ignoring sys_enter_init_module sys_exit_init_module as possibly not file I/O related -Ignoring sys_enter_inotify_add_watch sys_exit_inotify_add_watch as possibly not file I/O related -Ignoring sys_enter_inotify_init sys_exit_inotify_init as possibly not file I/O related -Ignoring sys_enter_inotify_init1 sys_exit_inotify_init1 as possibly not file I/O related -Ignoring sys_enter_inotify_rm_watch sys_exit_inotify_rm_watch as possibly not file I/O related -Ignoring sys_enter_ioperm sys_exit_ioperm as possibly not file I/O 
related -Ignoring sys_enter_iopl sys_exit_iopl as possibly not file I/O related -Ignoring sys_enter_ioprio_get sys_exit_ioprio_get as possibly not file I/O related -Ignoring sys_enter_ioprio_set sys_exit_ioprio_set as possibly not file I/O related -Ignoring sys_enter_kcmp sys_exit_kcmp as possibly not file I/O related -Ignoring sys_enter_kexec_file_load sys_exit_kexec_file_load as possibly not file I/O related -Ignoring sys_enter_kexec_load sys_exit_kexec_load as possibly not file I/O related -Ignoring sys_enter_keyctl sys_exit_keyctl as possibly not file I/O related -Ignoring sys_enter_kill sys_exit_kill as possibly not file I/O related -Ignoring sys_enter_landlock_add_rule sys_exit_landlock_add_rule as possibly not file I/O related -Ignoring sys_enter_landlock_create_ruleset sys_exit_landlock_create_ruleset as possibly not file I/O related -Ignoring sys_enter_landlock_restrict_self sys_exit_landlock_restrict_self as possibly not file I/O related -Ignoring sys_enter_listen sys_exit_listen as possibly not file I/O related -Ignoring sys_enter_listmount sys_exit_listmount as possibly not file I/O related -Ignoring sys_enter_listns sys_exit_listns as possibly not file I/O related -Ignoring sys_enter_lsm_get_self_attr sys_exit_lsm_get_self_attr as possibly not file I/O related -Ignoring sys_enter_lsm_list_modules sys_exit_lsm_list_modules as possibly not file I/O related -Ignoring sys_enter_lsm_set_self_attr sys_exit_lsm_set_self_attr as possibly not file I/O related -Ignoring sys_enter_madvise sys_exit_madvise as possibly not file I/O related -Ignoring sys_enter_map_shadow_stack sys_exit_map_shadow_stack as possibly not file I/O related -Ignoring sys_enter_mbind sys_exit_mbind as possibly not file I/O related -Ignoring sys_enter_membarrier sys_exit_membarrier as possibly not file I/O related -Ignoring sys_enter_memfd_create sys_exit_memfd_create as possibly not file I/O related -Ignoring sys_enter_memfd_secret sys_exit_memfd_secret as possibly not file I/O related 
-Ignoring sys_enter_migrate_pages sys_exit_migrate_pages as possibly not file I/O related -Ignoring sys_enter_mincore sys_exit_mincore as possibly not file I/O related -Ignoring sys_enter_mknod sys_exit_mknod as possibly not file I/O related -Ignoring sys_enter_mknodat sys_exit_mknodat as possibly not file I/O related -Ignoring sys_enter_mlock sys_exit_mlock as possibly not file I/O related -Ignoring sys_enter_mlock2 sys_exit_mlock2 as possibly not file I/O related -Ignoring sys_enter_mlockall sys_exit_mlockall as possibly not file I/O related -Ignoring sys_enter_modify_ldt sys_exit_modify_ldt as possibly not file I/O related -Ignoring sys_enter_mount sys_exit_mount as possibly not file I/O related -Ignoring sys_enter_move_mount sys_exit_move_mount as possibly not file I/O related -Ignoring sys_enter_move_pages sys_exit_move_pages as possibly not file I/O related -Ignoring sys_enter_mprotect sys_exit_mprotect as possibly not file I/O related -Ignoring sys_enter_mq_getsetattr sys_exit_mq_getsetattr as possibly not file I/O related -Ignoring sys_enter_mq_notify sys_exit_mq_notify as possibly not file I/O related -Ignoring sys_enter_mq_open sys_exit_mq_open as possibly not file I/O related -Ignoring sys_enter_mq_timedreceive sys_exit_mq_timedreceive as possibly not file I/O related -Ignoring sys_enter_mq_timedsend sys_exit_mq_timedsend as possibly not file I/O related -Ignoring sys_enter_mq_unlink sys_exit_mq_unlink as possibly not file I/O related -Ignoring sys_enter_mremap sys_exit_mremap as possibly not file I/O related -Ignoring sys_enter_mseal sys_exit_mseal as possibly not file I/O related -Ignoring sys_enter_msgctl sys_exit_msgctl as possibly not file I/O related -Ignoring sys_enter_msgget sys_exit_msgget as possibly not file I/O related -Ignoring sys_enter_msgrcv sys_exit_msgrcv as possibly not file I/O related -Ignoring sys_enter_msgsnd sys_exit_msgsnd as possibly not file I/O related -Ignoring sys_enter_munlock sys_exit_munlock as possibly not file I/O 
related -Ignoring sys_enter_munlockall sys_exit_munlockall as possibly not file I/O related -Ignoring sys_enter_munmap sys_exit_munmap as possibly not file I/O related -Ignoring sys_enter_nanosleep sys_exit_nanosleep as possibly not file I/O related -Ignoring sys_enter_newuname sys_exit_newuname as possibly not file I/O related -Ignoring sys_enter_pause sys_exit_pause as possibly not file I/O related -Ignoring sys_enter_perf_event_open sys_exit_perf_event_open as possibly not file I/O related -Ignoring sys_enter_personality sys_exit_personality as possibly not file I/O related -Ignoring sys_enter_pidfd_open sys_exit_pidfd_open as possibly not file I/O related -Ignoring sys_enter_pidfd_send_signal sys_exit_pidfd_send_signal as possibly not file I/O related -Ignoring sys_enter_pipe sys_exit_pipe as possibly not file I/O related -Ignoring sys_enter_pipe2 sys_exit_pipe2 as possibly not file I/O related -Ignoring sys_enter_pivot_root sys_exit_pivot_root as possibly not file I/O related -Ignoring sys_enter_pkey_alloc sys_exit_pkey_alloc as possibly not file I/O related -Ignoring sys_enter_pkey_free sys_exit_pkey_free as possibly not file I/O related -Ignoring sys_enter_pkey_mprotect sys_exit_pkey_mprotect as possibly not file I/O related -Ignoring sys_enter_poll sys_exit_poll as possibly not file I/O related -Ignoring sys_enter_ppoll sys_exit_ppoll as possibly not file I/O related -Ignoring sys_enter_prctl sys_exit_prctl as possibly not file I/O related -Ignoring sys_enter_prlimit64 sys_exit_prlimit64 as possibly not file I/O related -Ignoring sys_enter_process_madvise sys_exit_process_madvise as possibly not file I/O related -Ignoring sys_enter_process_mrelease sys_exit_process_mrelease as possibly not file I/O related -Ignoring sys_enter_process_vm_readv sys_exit_process_vm_readv as possibly not file I/O related -Ignoring sys_enter_process_vm_writev sys_exit_process_vm_writev as possibly not file I/O related -Ignoring sys_enter_pselect6 sys_exit_pselect6 as possibly 
not file I/O related -Ignoring sys_enter_ptrace sys_exit_ptrace as possibly not file I/O related -Ignoring sys_enter_quotactl sys_exit_quotactl as possibly not file I/O related -Ignoring sys_enter_reboot sys_exit_reboot as possibly not file I/O related -Ignoring sys_enter_recvfrom sys_exit_recvfrom as possibly not file I/O related -Ignoring sys_enter_recvmmsg sys_exit_recvmmsg as possibly not file I/O related -Ignoring sys_enter_recvmsg sys_exit_recvmsg as possibly not file I/O related -Ignoring sys_enter_remap_file_pages sys_exit_remap_file_pages as possibly not file I/O related -Ignoring sys_enter_request_key sys_exit_request_key as possibly not file I/O related -Ignoring sys_enter_restart_syscall sys_exit_restart_syscall as possibly not file I/O related -Ignoring sys_enter_rseq sys_exit_rseq as possibly not file I/O related -Ignoring sys_enter_rt_sigaction sys_exit_rt_sigaction as possibly not file I/O related -Ignoring sys_enter_rt_sigpending sys_exit_rt_sigpending as possibly not file I/O related -Ignoring sys_enter_rt_sigprocmask sys_exit_rt_sigprocmask as possibly not file I/O related -Ignoring sys_enter_rt_sigqueueinfo sys_exit_rt_sigqueueinfo as possibly not file I/O related -Ignoring sys_enter_rt_sigreturn sys_exit_rt_sigreturn as possibly not file I/O related -Ignoring sys_enter_rt_sigsuspend sys_exit_rt_sigsuspend as possibly not file I/O related -Ignoring sys_enter_rt_sigtimedwait sys_exit_rt_sigtimedwait as possibly not file I/O related -Ignoring sys_enter_rt_tgsigqueueinfo sys_exit_rt_tgsigqueueinfo as possibly not file I/O related -Ignoring sys_enter_sched_get_priority_max sys_exit_sched_get_priority_max as possibly not file I/O related -Ignoring sys_enter_sched_get_priority_min sys_exit_sched_get_priority_min as possibly not file I/O related -Ignoring sys_enter_sched_getaffinity sys_exit_sched_getaffinity as possibly not file I/O related -Ignoring sys_enter_sched_getattr sys_exit_sched_getattr as possibly not file I/O related -Ignoring 
sys_enter_sched_getparam sys_exit_sched_getparam as possibly not file I/O related -Ignoring sys_enter_sched_getscheduler sys_exit_sched_getscheduler as possibly not file I/O related -Ignoring sys_enter_sched_rr_get_interval sys_exit_sched_rr_get_interval as possibly not file I/O related -Ignoring sys_enter_sched_setaffinity sys_exit_sched_setaffinity as possibly not file I/O related -Ignoring sys_enter_sched_setattr sys_exit_sched_setattr as possibly not file I/O related -Ignoring sys_enter_sched_setparam sys_exit_sched_setparam as possibly not file I/O related -Ignoring sys_enter_sched_setscheduler sys_exit_sched_setscheduler as possibly not file I/O related -Ignoring sys_enter_sched_yield sys_exit_sched_yield as possibly not file I/O related -Ignoring sys_enter_seccomp sys_exit_seccomp as possibly not file I/O related -Ignoring sys_enter_select sys_exit_select as possibly not file I/O related -Ignoring sys_enter_semctl sys_exit_semctl as possibly not file I/O related -Ignoring sys_enter_semget sys_exit_semget as possibly not file I/O related -Ignoring sys_enter_semop sys_exit_semop as possibly not file I/O related -Ignoring sys_enter_semtimedop sys_exit_semtimedop as possibly not file I/O related -Ignoring sys_enter_sendfile64 sys_exit_sendfile64 as possibly not file I/O related -Ignoring sys_enter_sendmmsg sys_exit_sendmmsg as possibly not file I/O related -Ignoring sys_enter_sendmsg sys_exit_sendmsg as possibly not file I/O related -Ignoring sys_enter_sendto sys_exit_sendto as possibly not file I/O related -Ignoring sys_enter_set_mempolicy sys_exit_set_mempolicy as possibly not file I/O related -Ignoring sys_enter_set_mempolicy_home_node sys_exit_set_mempolicy_home_node as possibly not file I/O related -Ignoring sys_enter_set_robust_list sys_exit_set_robust_list as possibly not file I/O related -Ignoring sys_enter_set_tid_address sys_exit_set_tid_address as possibly not file I/O related -Ignoring sys_enter_setdomainname sys_exit_setdomainname as possibly not 
file I/O related -Ignoring sys_enter_setfsgid sys_exit_setfsgid as possibly not file I/O related -Ignoring sys_enter_setfsuid sys_exit_setfsuid as possibly not file I/O related -Ignoring sys_enter_setgid sys_exit_setgid as possibly not file I/O related -Ignoring sys_enter_setgroups sys_exit_setgroups as possibly not file I/O related -Ignoring sys_enter_sethostname sys_exit_sethostname as possibly not file I/O related -Ignoring sys_enter_setitimer sys_exit_setitimer as possibly not file I/O related -Ignoring sys_enter_setns sys_exit_setns as possibly not file I/O related -Ignoring sys_enter_setpgid sys_exit_setpgid as possibly not file I/O related -Ignoring sys_enter_setpriority sys_exit_setpriority as possibly not file I/O related -Ignoring sys_enter_setregid sys_exit_setregid as possibly not file I/O related -Ignoring sys_enter_setresgid sys_exit_setresgid as possibly not file I/O related -Ignoring sys_enter_setresuid sys_exit_setresuid as possibly not file I/O related -Ignoring sys_enter_setreuid sys_exit_setreuid as possibly not file I/O related -Ignoring sys_enter_setrlimit sys_exit_setrlimit as possibly not file I/O related -Ignoring sys_enter_setsid sys_exit_setsid as possibly not file I/O related -Ignoring sys_enter_setsockopt sys_exit_setsockopt as possibly not file I/O related -Ignoring sys_enter_settimeofday sys_exit_settimeofday as possibly not file I/O related -Ignoring sys_enter_setuid sys_exit_setuid as possibly not file I/O related -Ignoring sys_enter_shmat sys_exit_shmat as possibly not file I/O related -Ignoring sys_enter_shmctl sys_exit_shmctl as possibly not file I/O related -Ignoring sys_enter_shmdt sys_exit_shmdt as possibly not file I/O related -Ignoring sys_enter_shmget sys_exit_shmget as possibly not file I/O related -Ignoring sys_enter_shutdown sys_exit_shutdown as possibly not file I/O related -Ignoring sys_enter_sigaltstack sys_exit_sigaltstack as possibly not file I/O related -Ignoring sys_enter_signalfd sys_exit_signalfd as possibly not 
file I/O related -Ignoring sys_enter_signalfd4 sys_exit_signalfd4 as possibly not file I/O related -Ignoring sys_enter_socket sys_exit_socket as possibly not file I/O related -Ignoring sys_enter_socketpair sys_exit_socketpair as possibly not file I/O related -Ignoring sys_enter_splice sys_exit_splice as possibly not file I/O related -Ignoring sys_enter_statmount sys_exit_statmount as possibly not file I/O related -Ignoring sys_enter_swapoff sys_exit_swapoff as possibly not file I/O related -Ignoring sys_enter_swapon sys_exit_swapon as possibly not file I/O related -Ignoring sys_enter_sysfs sys_exit_sysfs as possibly not file I/O related -Ignoring sys_enter_sysinfo sys_exit_sysinfo as possibly not file I/O related -Ignoring sys_enter_tee sys_exit_tee as possibly not file I/O related -Ignoring sys_enter_tgkill sys_exit_tgkill as possibly not file I/O related -Ignoring sys_enter_time sys_exit_time as possibly not file I/O related -Ignoring sys_enter_timer_create sys_exit_timer_create as possibly not file I/O related -Ignoring sys_enter_timer_delete sys_exit_timer_delete as possibly not file I/O related -Ignoring sys_enter_timer_getoverrun sys_exit_timer_getoverrun as possibly not file I/O related -Ignoring sys_enter_timer_gettime sys_exit_timer_gettime as possibly not file I/O related -Ignoring sys_enter_timer_settime sys_exit_timer_settime as possibly not file I/O related -Ignoring sys_enter_timerfd_create sys_exit_timerfd_create as possibly not file I/O related -Ignoring sys_enter_timerfd_gettime sys_exit_timerfd_gettime as possibly not file I/O related -Ignoring sys_enter_timerfd_settime sys_exit_timerfd_settime as possibly not file I/O related -Ignoring sys_enter_times sys_exit_times as possibly not file I/O related -Ignoring sys_enter_tkill sys_exit_tkill as possibly not file I/O related -Ignoring sys_enter_umask sys_exit_umask as possibly not file I/O related -Ignoring sys_enter_umount sys_exit_umount as possibly not file I/O related -Ignoring sys_enter_unshare 
sys_exit_unshare as possibly not file I/O related -Ignoring sys_enter_uprobe sys_exit_uprobe as possibly not file I/O related -Ignoring sys_enter_uretprobe sys_exit_uretprobe as possibly not file I/O related -Ignoring sys_enter_userfaultfd sys_exit_userfaultfd as possibly not file I/O related -Ignoring sys_enter_ustat sys_exit_ustat as possibly not file I/O related -Ignoring sys_enter_utime sys_exit_utime as possibly not file I/O related -Ignoring sys_enter_utimes sys_exit_utimes as possibly not file I/O related -Ignoring sys_enter_vfork sys_exit_vfork as possibly not file I/O related -Ignoring sys_enter_vhangup sys_exit_vhangup as possibly not file I/O related -Ignoring sys_enter_wait4 sys_exit_wait4 as possibly not file I/O related -Ignoring sys_enter_waitid sys_exit_waitid as possibly not file I/O related +sys_enter_accept is a struct fd_event +sys_enter_accept4 is a struct fd_event sys_enter_access is a struct path_event +sys_enter_acct is a struct null_event +sys_enter_add_key is a struct null_event +sys_enter_adjtimex is a struct null_event +sys_enter_alarm is a struct null_event +sys_enter_arch_prctl is a struct null_event +sys_enter_bind is a struct fd_event +sys_enter_bpf is a struct null_event +sys_enter_brk is a struct null_event sys_enter_cachestat is a struct fd_event +sys_enter_capget is a struct null_event +sys_enter_capset is a struct null_event sys_enter_chdir is a struct path_event sys_enter_chmod is a struct path_event sys_enter_chown is a struct path_event sys_enter_chroot is a struct path_event +sys_enter_clock_adjtime is a struct null_event +sys_enter_clock_getres is a struct null_event +sys_enter_clock_gettime is a struct null_event +sys_enter_clock_nanosleep is a struct null_event +sys_enter_clock_settime is a struct null_event +sys_enter_clone is a struct null_event +sys_enter_clone3 is a struct null_event sys_enter_close is a struct fd_event sys_enter_close_range is a struct fd_event +sys_enter_connect is a struct fd_event 
sys_enter_copy_file_range is a struct fd_event sys_enter_creat is a struct path_event +sys_enter_delete_module is a struct null_event sys_enter_dup is a struct fd_event sys_enter_dup2 is a struct fd_event sys_enter_dup3 is a struct dup3_event +sys_enter_epoll_create is a struct null_event +sys_enter_epoll_create1 is a struct null_event +sys_enter_epoll_ctl is a struct fd_event +sys_enter_epoll_pwait is a struct null_event +sys_enter_epoll_pwait2 is a struct null_event +sys_enter_epoll_wait is a struct null_event +sys_enter_eventfd is a struct null_event +sys_enter_eventfd2 is a struct null_event +sys_enter_execve is a struct path_event +sys_enter_execveat is a struct fd_event +sys_enter_exit is a struct null_event +sys_enter_exit_group is a struct null_event sys_enter_faccessat is a struct path_event sys_enter_faccessat2 is a struct path_event sys_enter_fadvise64 is a struct fd_event sys_enter_fallocate is a struct fd_event +sys_enter_fanotify_init is a struct null_event sys_enter_fanotify_mark is a struct path_event sys_enter_fchdir is a struct fd_event sys_enter_fchmod is a struct fd_event 
@@ -280,19 +64,57 @@ sys_enter_file_setattr is a struct path_event sys_enter_finit_module is a struct fd_event sys_enter_flistxattr is a struct fd_event sys_enter_flock is a struct fd_event +sys_enter_fork is a struct null_event sys_enter_fremovexattr is a struct fd_event sys_enter_fsconfig is a struct fd_event sys_enter_fsetxattr is a struct fd_event +sys_enter_fsmount is a struct null_event +sys_enter_fsopen is a struct null_event sys_enter_fspick is a struct path_event sys_enter_fstatfs is a struct fd_event sys_enter_fsync is a struct fd_event sys_enter_ftruncate is a struct fd_event +sys_enter_futex is a struct null_event +sys_enter_futex_requeue is a struct null_event +sys_enter_futex_wait is a struct null_event +sys_enter_futex_waitv is a struct null_event +sys_enter_futex_wake is a struct null_event sys_enter_futimesat is a struct path_event +sys_enter_get_mempolicy is a struct null_event +sys_enter_get_robust_list is a struct null_event +sys_enter_getcpu is a struct null_event sys_enter_getcwd is a struct null_event sys_enter_getdents is a struct fd_event sys_enter_getdents64 is a struct fd_event +sys_enter_getegid is a struct null_event +sys_enter_geteuid is a struct null_event +sys_enter_getgid is a struct null_event +sys_enter_getgroups is a struct null_event +sys_enter_getitimer is a struct null_event +sys_enter_getpeername is a struct fd_event +sys_enter_getpgid is a struct null_event +sys_enter_getpgrp is a struct null_event +sys_enter_getpid is a struct null_event +sys_enter_getppid is a struct null_event +sys_enter_getpriority is a struct null_event +sys_enter_getrandom is a struct null_event +sys_enter_getresgid is a struct null_event +sys_enter_getresuid is a struct null_event +sys_enter_getrlimit is a struct null_event +sys_enter_getrusage is a struct null_event +sys_enter_getsid is a struct null_event +sys_enter_getsockname is a struct fd_event +sys_enter_getsockopt is a struct fd_event +sys_enter_gettid is a struct null_event 
+sys_enter_gettimeofday is a struct null_event +sys_enter_getuid is a struct null_event sys_enter_getxattr is a struct path_event sys_enter_getxattrat is a struct path_event +sys_enter_init_module is a struct null_event +sys_enter_inotify_add_watch is a struct fd_event +sys_enter_inotify_init is a struct null_event +sys_enter_inotify_init1 is a struct null_event +sys_enter_inotify_rm_watch is a struct fd_event sys_enter_io_cancel is a struct null_event sys_enter_io_destroy is a struct null_event sys_enter_io_getevents is a struct null_event 
@@ -303,85 +125,297 @@ sys_enter_io_uring_enter is a struct fd_event sys_enter_io_uring_register is a struct fd_event sys_enter_io_uring_setup is a struct null_event sys_enter_ioctl is a struct fd_event +sys_enter_ioperm is a struct null_event +sys_enter_iopl is a struct null_event +sys_enter_ioprio_get is a struct null_event +sys_enter_ioprio_set is a struct null_event +sys_enter_kcmp is a struct null_event +sys_enter_kexec_file_load is a struct null_event +sys_enter_kexec_load is a struct null_event +sys_enter_keyctl is a struct null_event +sys_enter_kill is a struct null_event +sys_enter_landlock_add_rule is a struct null_event +sys_enter_landlock_create_ruleset is a struct null_event +sys_enter_landlock_restrict_self is a struct null_event sys_enter_lchown is a struct path_event sys_enter_lgetxattr is a struct path_event sys_enter_link is a struct name_event sys_enter_linkat is a struct name_event +sys_enter_listen is a struct fd_event +sys_enter_listmount is a struct null_event +sys_enter_listns is a struct null_event sys_enter_listxattr is a struct path_event sys_enter_listxattrat is a struct path_event sys_enter_llistxattr is a struct path_event sys_enter_lremovexattr is a struct path_event sys_enter_lseek is a struct fd_event sys_enter_lsetxattr is a struct path_event +sys_enter_lsm_get_self_attr is a struct null_event +sys_enter_lsm_list_modules is a struct null_event +sys_enter_lsm_set_self_attr is a struct null_event +sys_enter_madvise is a struct null_event +sys_enter_map_shadow_stack is a struct null_event +sys_enter_mbind is a struct null_event +sys_enter_membarrier is a struct null_event +sys_enter_memfd_create is a struct null_event +sys_enter_memfd_secret is a struct null_event +sys_enter_migrate_pages is a struct null_event +sys_enter_mincore is a struct null_event sys_enter_mkdir is a struct path_event sys_enter_mkdirat is a struct path_event +sys_enter_mknod is a struct path_event +sys_enter_mknodat is a struct path_event +sys_enter_mlock is a 
struct null_event +sys_enter_mlock2 is a struct null_event +sys_enter_mlockall is a struct null_event sys_enter_mmap is a struct fd_event +sys_enter_modify_ldt is a struct null_event +sys_enter_mount is a struct null_event sys_enter_mount_setattr is a struct path_event +sys_enter_move_mount is a struct null_event +sys_enter_move_pages is a struct null_event +sys_enter_mprotect is a struct null_event +sys_enter_mq_getsetattr is a struct null_event +sys_enter_mq_notify is a struct null_event +sys_enter_mq_open is a struct null_event +sys_enter_mq_timedreceive is a struct null_event +sys_enter_mq_timedsend is a struct null_event +sys_enter_mq_unlink is a struct null_event +sys_enter_mremap is a struct null_event +sys_enter_mseal is a struct null_event +sys_enter_msgctl is a struct null_event +sys_enter_msgget is a struct null_event +sys_enter_msgrcv is a struct null_event +sys_enter_msgsnd is a struct null_event sys_enter_msync is a struct null_event +sys_enter_munlock is a struct null_event +sys_enter_munlockall is a struct null_event +sys_enter_munmap is a struct null_event sys_enter_name_to_handle_at is a struct path_event +sys_enter_nanosleep is a struct null_event sys_enter_newfstat is a struct fd_event sys_enter_newfstatat is a struct path_event sys_enter_newlstat is a struct path_event sys_enter_newstat is a struct path_event +sys_enter_newuname is a struct null_event sys_enter_open is a struct open_event sys_enter_open_by_handle_at is a struct open_by_handle_at_event sys_enter_open_tree is a struct open_event sys_enter_open_tree_attr is a struct open_event sys_enter_openat is a struct open_event sys_enter_openat2 is a struct open_event +sys_enter_pause is a struct null_event +sys_enter_perf_event_open is a struct null_event +sys_enter_personality is a struct null_event sys_enter_pidfd_getfd is a struct fd_event +sys_enter_pidfd_open is a struct null_event +sys_enter_pidfd_send_signal is a struct null_event +sys_enter_pipe is a struct null_event 
+sys_enter_pipe2 is a struct null_event +sys_enter_pivot_root is a struct null_event +sys_enter_pkey_alloc is a struct null_event +sys_enter_pkey_free is a struct null_event +sys_enter_pkey_mprotect is a struct null_event +sys_enter_poll is a struct null_event +sys_enter_ppoll is a struct null_event +sys_enter_prctl is a struct null_event sys_enter_pread64 is a struct fd_event sys_enter_preadv is a struct fd_event sys_enter_preadv2 is a struct fd_event +sys_enter_prlimit64 is a struct null_event +sys_enter_process_madvise is a struct null_event +sys_enter_process_mrelease is a struct null_event +sys_enter_process_vm_readv is a struct null_event +sys_enter_process_vm_writev is a struct null_event +sys_enter_pselect6 is a struct null_event +sys_enter_ptrace is a struct null_event sys_enter_pwrite64 is a struct fd_event sys_enter_pwritev is a struct fd_event sys_enter_pwritev2 is a struct fd_event +sys_enter_quotactl is a struct null_event sys_enter_quotactl_fd is a struct fd_event sys_enter_read is a struct fd_event sys_enter_readahead is a struct fd_event sys_enter_readlink is a struct path_event sys_enter_readlinkat is a struct path_event sys_enter_readv is a struct fd_event +sys_enter_reboot is a struct null_event +sys_enter_recvfrom is a struct fd_event +sys_enter_recvmmsg is a struct fd_event +sys_enter_recvmsg is a struct fd_event +sys_enter_remap_file_pages is a struct null_event sys_enter_removexattr is a struct path_event sys_enter_removexattrat is a struct path_event sys_enter_rename is a struct name_event sys_enter_renameat is a struct name_event sys_enter_renameat2 is a struct name_event +sys_enter_request_key is a struct null_event +sys_enter_restart_syscall is a struct null_event sys_enter_rmdir is a struct path_event +sys_enter_rseq is a struct null_event +sys_enter_rt_sigaction is a struct null_event +sys_enter_rt_sigpending is a struct null_event +sys_enter_rt_sigprocmask is a struct null_event +sys_enter_rt_sigqueueinfo is a struct null_event 
+sys_enter_rt_sigreturn is a struct null_event +sys_enter_rt_sigsuspend is a struct null_event +sys_enter_rt_sigtimedwait is a struct null_event +sys_enter_rt_tgsigqueueinfo is a struct null_event +sys_enter_sched_get_priority_max is a struct null_event +sys_enter_sched_get_priority_min is a struct null_event +sys_enter_sched_getaffinity is a struct null_event +sys_enter_sched_getattr is a struct null_event +sys_enter_sched_getparam is a struct null_event +sys_enter_sched_getscheduler is a struct null_event +sys_enter_sched_rr_get_interval is a struct null_event +sys_enter_sched_setaffinity is a struct null_event +sys_enter_sched_setattr is a struct null_event +sys_enter_sched_setparam is a struct null_event +sys_enter_sched_setscheduler is a struct null_event +sys_enter_sched_yield is a struct null_event +sys_enter_seccomp is a struct null_event +sys_enter_select is a struct null_event +sys_enter_semctl is a struct null_event +sys_enter_semget is a struct null_event +sys_enter_semop is a struct null_event +sys_enter_semtimedop is a struct null_event +sys_enter_sendfile64 is a struct null_event +sys_enter_sendmmsg is a struct fd_event +sys_enter_sendmsg is a struct fd_event +sys_enter_sendto is a struct fd_event +sys_enter_set_mempolicy is a struct null_event +sys_enter_set_mempolicy_home_node is a struct null_event +sys_enter_set_robust_list is a struct null_event +sys_enter_set_tid_address is a struct null_event +sys_enter_setdomainname is a struct null_event +sys_enter_setfsgid is a struct null_event +sys_enter_setfsuid is a struct null_event +sys_enter_setgid is a struct null_event +sys_enter_setgroups is a struct null_event +sys_enter_sethostname is a struct null_event +sys_enter_setitimer is a struct null_event +sys_enter_setns is a struct fd_event +sys_enter_setpgid is a struct null_event +sys_enter_setpriority is a struct null_event +sys_enter_setregid is a struct null_event +sys_enter_setresgid is a struct null_event +sys_enter_setresuid is a struct 
null_event +sys_enter_setreuid is a struct null_event +sys_enter_setrlimit is a struct null_event +sys_enter_setsid is a struct null_event +sys_enter_setsockopt is a struct fd_event +sys_enter_settimeofday is a struct null_event +sys_enter_setuid is a struct null_event sys_enter_setxattr is a struct path_event sys_enter_setxattrat is a struct path_event +sys_enter_shmat is a struct null_event +sys_enter_shmctl is a struct null_event +sys_enter_shmdt is a struct null_event +sys_enter_shmget is a struct null_event +sys_enter_shutdown is a struct fd_event +sys_enter_sigaltstack is a struct null_event +sys_enter_signalfd is a struct null_event +sys_enter_signalfd4 is a struct null_event +sys_enter_socket is a struct null_event +sys_enter_socketpair is a struct null_event +sys_enter_splice is a struct null_event sys_enter_statfs is a struct path_event +sys_enter_statmount is a struct null_event sys_enter_statx is a struct path_event +sys_enter_swapoff is a struct null_event +sys_enter_swapon is a struct null_event sys_enter_symlink is a struct name_event sys_enter_symlinkat is a struct name_event sys_enter_sync is a struct null_event sys_enter_sync_file_range is a struct fd_event sys_enter_syncfs is a struct fd_event +sys_enter_sysfs is a struct null_event +sys_enter_sysinfo is a struct null_event sys_enter_syslog is a struct null_event +sys_enter_tee is a struct null_event +sys_enter_tgkill is a struct null_event +sys_enter_time is a struct null_event +sys_enter_timer_create is a struct null_event +sys_enter_timer_delete is a struct null_event +sys_enter_timer_getoverrun is a struct null_event +sys_enter_timer_gettime is a struct null_event +sys_enter_timer_settime is a struct null_event +sys_enter_timerfd_create is a struct null_event +sys_enter_timerfd_gettime is a struct null_event +sys_enter_timerfd_settime is a struct null_event +sys_enter_times is a struct null_event +sys_enter_tkill is a struct null_event sys_enter_truncate is a struct path_event 
+sys_enter_umask is a struct null_event +sys_enter_umount is a struct null_event sys_enter_unlink is a struct path_event sys_enter_unlinkat is a struct path_event +sys_enter_unshare is a struct null_event +sys_enter_uprobe is a struct null_event +sys_enter_uretprobe is a struct null_event +sys_enter_userfaultfd is a struct null_event +sys_enter_ustat is a struct null_event +sys_enter_utime is a struct null_event sys_enter_utimensat is a struct path_event +sys_enter_utimes is a struct null_event +sys_enter_vfork is a struct null_event +sys_enter_vhangup is a struct null_event sys_enter_vmsplice is a struct fd_event +sys_enter_wait4 is a struct null_event +sys_enter_waitid is a struct null_event sys_enter_write is a struct fd_event sys_enter_writev is a struct fd_event +sys_exit_accept is a struct ret_event (UNCLASSIFIED) +sys_exit_accept4 is a struct ret_event (UNCLASSIFIED) sys_exit_access is a struct ret_event (UNCLASSIFIED) +sys_exit_acct is a struct ret_event (UNCLASSIFIED) +sys_exit_add_key is a struct ret_event (UNCLASSIFIED) +sys_exit_adjtimex is a struct ret_event (UNCLASSIFIED) +sys_exit_alarm is a struct ret_event (UNCLASSIFIED) +sys_exit_arch_prctl is a struct ret_event (UNCLASSIFIED) +sys_exit_bind is a struct ret_event (UNCLASSIFIED) +sys_exit_bpf is a struct ret_event (UNCLASSIFIED) +sys_exit_brk is a struct ret_event (UNCLASSIFIED) sys_exit_cachestat is a struct ret_event (UNCLASSIFIED) +sys_exit_capget is a struct ret_event (UNCLASSIFIED) +sys_exit_capset is a struct ret_event (UNCLASSIFIED) sys_exit_chdir is a struct ret_event (UNCLASSIFIED) sys_exit_chmod is a struct ret_event (UNCLASSIFIED) sys_exit_chown is a struct ret_event (UNCLASSIFIED) sys_exit_chroot is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_adjtime is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_getres is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_gettime is a struct ret_event (UNCLASSIFIED) +sys_exit_clock_nanosleep is a struct ret_event (UNCLASSIFIED) 
+sys_exit_clock_settime is a struct ret_event (UNCLASSIFIED) +sys_exit_clone is a struct ret_event (UNCLASSIFIED) +sys_exit_clone3 is a struct ret_event (UNCLASSIFIED) sys_exit_close is a struct ret_event (UNCLASSIFIED) sys_exit_close_range is a struct ret_event (UNCLASSIFIED) +sys_exit_connect is a struct ret_event (UNCLASSIFIED) sys_exit_copy_file_range is a struct ret_event (TRANSFER_CLASSIFIED) sys_exit_creat is a struct ret_event (UNCLASSIFIED) +sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) sys_exit_dup is a struct ret_event (UNCLASSIFIED) sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) +sys_exit_epoll_wait is a struct ret_event (UNCLASSIFIED) +sys_exit_eventfd is a struct ret_event (UNCLASSIFIED) +sys_exit_eventfd2 is a struct ret_event (UNCLASSIFIED) +sys_exit_execve is a struct ret_event (UNCLASSIFIED) +sys_exit_execveat is a struct ret_event (UNCLASSIFIED) +sys_exit_exit is a struct ret_event (UNCLASSIFIED) +sys_exit_exit_group is a struct ret_event (UNCLASSIFIED) sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) +sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) 
@@ -397,19 +431,57 @@ sys_exit_file_setattr is a struct ret_event (UNCLASSIFIED) sys_exit_finit_module is a struct ret_event (UNCLASSIFIED) sys_exit_flistxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_flock is a struct ret_event (UNCLASSIFIED) +sys_exit_fork is a struct ret_event (UNCLASSIFIED) sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) +sys_exit_fsmount is a struct ret_event (UNCLASSIFIED) +sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) sys_exit_fspick is a struct ret_event (UNCLASSIFIED) sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) sys_exit_fsync is a struct ret_event (UNCLASSIFIED) sys_exit_ftruncate is a struct ret_event (UNCLASSIFIED) +sys_exit_futex is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_requeue is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_wait is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_waitv is a struct ret_event (UNCLASSIFIED) +sys_exit_futex_wake is a struct ret_event (UNCLASSIFIED) sys_exit_futimesat is a struct ret_event (UNCLASSIFIED) +sys_exit_get_mempolicy is a struct ret_event (UNCLASSIFIED) +sys_exit_get_robust_list is a struct ret_event (UNCLASSIFIED) +sys_exit_getcpu is a struct ret_event (UNCLASSIFIED) sys_exit_getcwd is a struct ret_event (UNCLASSIFIED) sys_exit_getdents is a struct ret_event (READ_CLASSIFIED) sys_exit_getdents64 is a struct ret_event (READ_CLASSIFIED) +sys_exit_getegid is a struct ret_event (UNCLASSIFIED) +sys_exit_geteuid is a struct ret_event (UNCLASSIFIED) +sys_exit_getgid is a struct ret_event (UNCLASSIFIED) +sys_exit_getgroups is a struct ret_event (UNCLASSIFIED) +sys_exit_getitimer is a struct ret_event (UNCLASSIFIED) +sys_exit_getpeername is a struct ret_event (UNCLASSIFIED) +sys_exit_getpgid is a struct ret_event (UNCLASSIFIED) +sys_exit_getpgrp is a struct ret_event (UNCLASSIFIED) +sys_exit_getpid is a struct ret_event (UNCLASSIFIED) 
+sys_exit_getppid is a struct ret_event (UNCLASSIFIED) +sys_exit_getpriority is a struct ret_event (UNCLASSIFIED) +sys_exit_getrandom is a struct ret_event (UNCLASSIFIED) +sys_exit_getresgid is a struct ret_event (UNCLASSIFIED) +sys_exit_getresuid is a struct ret_event (UNCLASSIFIED) +sys_exit_getrlimit is a struct ret_event (UNCLASSIFIED) +sys_exit_getrusage is a struct ret_event (UNCLASSIFIED) +sys_exit_getsid is a struct ret_event (UNCLASSIFIED) +sys_exit_getsockname is a struct ret_event (UNCLASSIFIED) +sys_exit_getsockopt is a struct ret_event (UNCLASSIFIED) +sys_exit_gettid is a struct ret_event (UNCLASSIFIED) +sys_exit_gettimeofday is a struct ret_event (UNCLASSIFIED) +sys_exit_getuid is a struct ret_event (UNCLASSIFIED) sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) +sys_exit_init_module is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) +sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) sys_exit_io_getevents is a struct ret_event (UNCLASSIFIED) 
@@ -420,65 +492,243 @@ sys_exit_io_uring_enter is a struct ret_event (UNCLASSIFIED) sys_exit_io_uring_register is a struct ret_event (UNCLASSIFIED) sys_exit_io_uring_setup is a struct ret_event (UNCLASSIFIED) sys_exit_ioctl is a struct ret_event (UNCLASSIFIED) +sys_exit_ioperm is a struct ret_event (UNCLASSIFIED) +sys_exit_iopl is a struct ret_event (UNCLASSIFIED) +sys_exit_ioprio_get is a struct ret_event (UNCLASSIFIED) +sys_exit_ioprio_set is a struct ret_event (UNCLASSIFIED) +sys_exit_kcmp is a struct ret_event (UNCLASSIFIED) +sys_exit_kexec_file_load is a struct ret_event (UNCLASSIFIED) +sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) +sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) +sys_exit_kill is a struct ret_event (UNCLASSIFIED) +sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) +sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) +sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) sys_exit_lchown is a struct ret_event (UNCLASSIFIED) sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_link is a struct ret_event (UNCLASSIFIED) sys_exit_linkat is a struct ret_event (UNCLASSIFIED) +sys_exit_listen is a struct ret_event (UNCLASSIFIED) +sys_exit_listmount is a struct ret_event (UNCLASSIFIED) +sys_exit_listns is a struct ret_event (UNCLASSIFIED) sys_exit_listxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_listxattrat is a struct ret_event (UNCLASSIFIED) sys_exit_llistxattr is a struct ret_event (READ_CLASSIFIED) sys_exit_lremovexattr is a struct ret_event (UNCLASSIFIED) sys_exit_lseek is a struct ret_event (UNCLASSIFIED) sys_exit_lsetxattr is a struct ret_event (UNCLASSIFIED) +sys_exit_lsm_get_self_attr is a struct ret_event (UNCLASSIFIED) +sys_exit_lsm_list_modules is a struct ret_event (UNCLASSIFIED) +sys_exit_lsm_set_self_attr is a struct ret_event (UNCLASSIFIED) +sys_exit_madvise is a struct ret_event (UNCLASSIFIED) +sys_exit_map_shadow_stack is a struct ret_event 
(UNCLASSIFIED) +sys_exit_mbind is a struct ret_event (UNCLASSIFIED) +sys_exit_membarrier is a struct ret_event (UNCLASSIFIED) +sys_exit_memfd_create is a struct ret_event (UNCLASSIFIED) +sys_exit_memfd_secret is a struct ret_event (UNCLASSIFIED) +sys_exit_migrate_pages is a struct ret_event (UNCLASSIFIED) +sys_exit_mincore is a struct ret_event (UNCLASSIFIED) sys_exit_mkdir is a struct ret_event (UNCLASSIFIED) sys_exit_mkdirat is a struct ret_event (UNCLASSIFIED) +sys_exit_mknod is a struct ret_event (UNCLASSIFIED) +sys_exit_mknodat is a struct ret_event (UNCLASSIFIED) +sys_exit_mlock is a struct ret_event (UNCLASSIFIED) +sys_exit_mlock2 is a struct ret_event (UNCLASSIFIED) +sys_exit_mlockall is a struct ret_event (UNCLASSIFIED) sys_exit_mmap is a struct ret_event (UNCLASSIFIED) +sys_exit_modify_ldt is a struct ret_event (UNCLASSIFIED) +sys_exit_mount is a struct ret_event (UNCLASSIFIED) sys_exit_mount_setattr is a struct ret_event (UNCLASSIFIED) +sys_exit_move_mount is a struct ret_event (UNCLASSIFIED) +sys_exit_move_pages is a struct ret_event (UNCLASSIFIED) +sys_exit_mprotect is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_getsetattr is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_notify is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_open is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_timedreceive is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_timedsend is a struct ret_event (UNCLASSIFIED) +sys_exit_mq_unlink is a struct ret_event (UNCLASSIFIED) +sys_exit_mremap is a struct ret_event (UNCLASSIFIED) +sys_exit_mseal is a struct ret_event (UNCLASSIFIED) +sys_exit_msgctl is a struct ret_event (UNCLASSIFIED) +sys_exit_msgget is a struct ret_event (UNCLASSIFIED) +sys_exit_msgrcv is a struct ret_event (UNCLASSIFIED) +sys_exit_msgsnd is a struct ret_event (UNCLASSIFIED) sys_exit_msync is a struct ret_event (UNCLASSIFIED) +sys_exit_munlock is a struct ret_event (UNCLASSIFIED) +sys_exit_munlockall is a struct ret_event (UNCLASSIFIED) +sys_exit_munmap is a 
struct ret_event (UNCLASSIFIED) sys_exit_name_to_handle_at is a struct ret_event (UNCLASSIFIED) +sys_exit_nanosleep is a struct ret_event (UNCLASSIFIED) sys_exit_newfstat is a struct ret_event (UNCLASSIFIED) sys_exit_newfstatat is a struct ret_event (UNCLASSIFIED) sys_exit_newlstat is a struct ret_event (UNCLASSIFIED) sys_exit_newstat is a struct ret_event (UNCLASSIFIED) +sys_exit_newuname is a struct ret_event (UNCLASSIFIED) sys_exit_open is a struct ret_event (UNCLASSIFIED) sys_exit_open_by_handle_at is a struct ret_event (UNCLASSIFIED) sys_exit_open_tree is a struct ret_event (UNCLASSIFIED) sys_exit_open_tree_attr is a struct ret_event (UNCLASSIFIED) sys_exit_openat is a struct ret_event (UNCLASSIFIED) sys_exit_openat2 is a struct ret_event (UNCLASSIFIED) +sys_exit_pause is a struct ret_event (UNCLASSIFIED) +sys_exit_perf_event_open is a struct ret_event (UNCLASSIFIED) +sys_exit_personality is a struct ret_event (UNCLASSIFIED) sys_exit_pidfd_getfd is a struct ret_event (UNCLASSIFIED) +sys_exit_pidfd_open is a struct ret_event (UNCLASSIFIED) +sys_exit_pidfd_send_signal is a struct ret_event (UNCLASSIFIED) +sys_exit_pipe is a struct ret_event (UNCLASSIFIED) +sys_exit_pipe2 is a struct ret_event (UNCLASSIFIED) +sys_exit_pivot_root is a struct ret_event (UNCLASSIFIED) +sys_exit_pkey_alloc is a struct ret_event (UNCLASSIFIED) +sys_exit_pkey_free is a struct ret_event (UNCLASSIFIED) +sys_exit_pkey_mprotect is a struct ret_event (UNCLASSIFIED) +sys_exit_poll is a struct ret_event (UNCLASSIFIED) +sys_exit_ppoll is a struct ret_event (UNCLASSIFIED) +sys_exit_prctl is a struct ret_event (UNCLASSIFIED) sys_exit_pread64 is a struct ret_event (READ_CLASSIFIED) sys_exit_preadv is a struct ret_event (READ_CLASSIFIED) sys_exit_preadv2 is a struct ret_event (READ_CLASSIFIED) +sys_exit_prlimit64 is a struct ret_event (UNCLASSIFIED) +sys_exit_process_madvise is a struct ret_event (UNCLASSIFIED) +sys_exit_process_mrelease is a struct ret_event (UNCLASSIFIED) 
+sys_exit_process_vm_readv is a struct ret_event (READ_CLASSIFIED) +sys_exit_process_vm_writev is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_pselect6 is a struct ret_event (UNCLASSIFIED) +sys_exit_ptrace is a struct ret_event (UNCLASSIFIED) sys_exit_pwrite64 is a struct ret_event (WRITE_CLASSIFIED) sys_exit_pwritev is a struct ret_event (WRITE_CLASSIFIED) sys_exit_pwritev2 is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_quotactl is a struct ret_event (UNCLASSIFIED) sys_exit_quotactl_fd is a struct ret_event (UNCLASSIFIED) sys_exit_read is a struct ret_event (READ_CLASSIFIED) sys_exit_readahead is a struct ret_event (UNCLASSIFIED) sys_exit_readlink is a struct ret_event (READ_CLASSIFIED) sys_exit_readlinkat is a struct ret_event (READ_CLASSIFIED) sys_exit_readv is a struct ret_event (READ_CLASSIFIED) +sys_exit_reboot is a struct ret_event (UNCLASSIFIED) +sys_exit_recvfrom is a struct ret_event (READ_CLASSIFIED) +sys_exit_recvmmsg is a struct ret_event (READ_CLASSIFIED) +sys_exit_recvmsg is a struct ret_event (READ_CLASSIFIED) +sys_exit_remap_file_pages is a struct ret_event (UNCLASSIFIED) sys_exit_removexattr is a struct ret_event (UNCLASSIFIED) sys_exit_removexattrat is a struct ret_event (UNCLASSIFIED) sys_exit_rename is a struct ret_event (UNCLASSIFIED) sys_exit_renameat is a struct ret_event (UNCLASSIFIED) sys_exit_renameat2 is a struct ret_event (UNCLASSIFIED) +sys_exit_request_key is a struct ret_event (UNCLASSIFIED) +sys_exit_restart_syscall is a struct ret_event (UNCLASSIFIED) sys_exit_rmdir is a struct ret_event (UNCLASSIFIED) +sys_exit_rseq is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigaction is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigpending is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigprocmask is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigqueueinfo is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigreturn is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_sigsuspend is a struct ret_event (UNCLASSIFIED) 
+sys_exit_rt_sigtimedwait is a struct ret_event (UNCLASSIFIED) +sys_exit_rt_tgsigqueueinfo is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_get_priority_max is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_get_priority_min is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getaffinity is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getattr is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getparam is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_getscheduler is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_rr_get_interval is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setaffinity is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setattr is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setparam is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_setscheduler is a struct ret_event (UNCLASSIFIED) +sys_exit_sched_yield is a struct ret_event (UNCLASSIFIED) +sys_exit_seccomp is a struct ret_event (UNCLASSIFIED) +sys_exit_select is a struct ret_event (UNCLASSIFIED) +sys_exit_semctl is a struct ret_event (UNCLASSIFIED) +sys_exit_semget is a struct ret_event (UNCLASSIFIED) +sys_exit_semop is a struct ret_event (UNCLASSIFIED) +sys_exit_semtimedop is a struct ret_event (UNCLASSIFIED) +sys_exit_sendfile64 is a struct ret_event (TRANSFER_CLASSIFIED) +sys_exit_sendmmsg is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_sendmsg is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_sendto is a struct ret_event (WRITE_CLASSIFIED) +sys_exit_set_mempolicy is a struct ret_event (UNCLASSIFIED) +sys_exit_set_mempolicy_home_node is a struct ret_event (UNCLASSIFIED) +sys_exit_set_robust_list is a struct ret_event (UNCLASSIFIED) +sys_exit_set_tid_address is a struct ret_event (UNCLASSIFIED) +sys_exit_setdomainname is a struct ret_event (UNCLASSIFIED) +sys_exit_setfsgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setfsuid is a struct ret_event (UNCLASSIFIED) +sys_exit_setgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setgroups is a struct 
ret_event (UNCLASSIFIED) +sys_exit_sethostname is a struct ret_event (UNCLASSIFIED) +sys_exit_setitimer is a struct ret_event (UNCLASSIFIED) +sys_exit_setns is a struct ret_event (UNCLASSIFIED) +sys_exit_setpgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setpriority is a struct ret_event (UNCLASSIFIED) +sys_exit_setregid is a struct ret_event (UNCLASSIFIED) +sys_exit_setresgid is a struct ret_event (UNCLASSIFIED) +sys_exit_setresuid is a struct ret_event (UNCLASSIFIED) +sys_exit_setreuid is a struct ret_event (UNCLASSIFIED) +sys_exit_setrlimit is a struct ret_event (UNCLASSIFIED) +sys_exit_setsid is a struct ret_event (UNCLASSIFIED) +sys_exit_setsockopt is a struct ret_event (UNCLASSIFIED) +sys_exit_settimeofday is a struct ret_event (UNCLASSIFIED) +sys_exit_setuid is a struct ret_event (UNCLASSIFIED) sys_exit_setxattr is a struct ret_event (UNCLASSIFIED) sys_exit_setxattrat is a struct ret_event (UNCLASSIFIED) +sys_exit_shmat is a struct ret_event (UNCLASSIFIED) +sys_exit_shmctl is a struct ret_event (UNCLASSIFIED) +sys_exit_shmdt is a struct ret_event (UNCLASSIFIED) +sys_exit_shmget is a struct ret_event (UNCLASSIFIED) +sys_exit_shutdown is a struct ret_event (UNCLASSIFIED) +sys_exit_sigaltstack is a struct ret_event (UNCLASSIFIED) +sys_exit_signalfd is a struct ret_event (UNCLASSIFIED) +sys_exit_signalfd4 is a struct ret_event (UNCLASSIFIED) +sys_exit_socket is a struct ret_event (UNCLASSIFIED) +sys_exit_socketpair is a struct ret_event (UNCLASSIFIED) +sys_exit_splice is a struct ret_event (TRANSFER_CLASSIFIED) sys_exit_statfs is a struct ret_event (UNCLASSIFIED) +sys_exit_statmount is a struct ret_event (UNCLASSIFIED) sys_exit_statx is a struct ret_event (UNCLASSIFIED) +sys_exit_swapoff is a struct ret_event (UNCLASSIFIED) +sys_exit_swapon is a struct ret_event (UNCLASSIFIED) sys_exit_symlink is a struct ret_event (UNCLASSIFIED) sys_exit_symlinkat is a struct ret_event (UNCLASSIFIED) sys_exit_sync is a struct ret_event (UNCLASSIFIED) 
sys_exit_sync_file_range is a struct ret_event (UNCLASSIFIED) sys_exit_syncfs is a struct ret_event (UNCLASSIFIED) +sys_exit_sysfs is a struct ret_event (UNCLASSIFIED) +sys_exit_sysinfo is a struct ret_event (UNCLASSIFIED) sys_exit_syslog is a struct ret_event (READ_CLASSIFIED) +sys_exit_tee is a struct ret_event (TRANSFER_CLASSIFIED) +sys_exit_tgkill is a struct ret_event (UNCLASSIFIED) +sys_exit_time is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_create is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_delete is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_getoverrun is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_gettime is a struct ret_event (UNCLASSIFIED) +sys_exit_timer_settime is a struct ret_event (UNCLASSIFIED) +sys_exit_timerfd_create is a struct ret_event (UNCLASSIFIED) +sys_exit_timerfd_gettime is a struct ret_event (UNCLASSIFIED) +sys_exit_timerfd_settime is a struct ret_event (UNCLASSIFIED) +sys_exit_times is a struct ret_event (UNCLASSIFIED) +sys_exit_tkill is a struct ret_event (UNCLASSIFIED) sys_exit_truncate is a struct ret_event (UNCLASSIFIED) +sys_exit_umask is a struct ret_event (UNCLASSIFIED) +sys_exit_umount is a struct ret_event (UNCLASSIFIED) sys_exit_unlink is a struct ret_event (UNCLASSIFIED) sys_exit_unlinkat is a struct ret_event (UNCLASSIFIED) +sys_exit_unshare is a struct ret_event (UNCLASSIFIED) +sys_exit_uprobe is a struct ret_event (UNCLASSIFIED) +sys_exit_uretprobe is a struct ret_event (UNCLASSIFIED) +sys_exit_userfaultfd is a struct ret_event (UNCLASSIFIED) +sys_exit_ustat is a struct ret_event (UNCLASSIFIED) +sys_exit_utime is a struct ret_event (UNCLASSIFIED) sys_exit_utimensat is a struct ret_event (UNCLASSIFIED) +sys_exit_utimes is a struct ret_event (UNCLASSIFIED) +sys_exit_vfork is a struct ret_event (UNCLASSIFIED) +sys_exit_vhangup is a struct ret_event (UNCLASSIFIED) sys_exit_vmsplice is a struct ret_event (TRANSFER_CLASSIFIED) +sys_exit_wait4 is a struct ret_event (UNCLASSIFIED) +sys_exit_waitid is a 
struct ret_event (UNCLASSIFIED) sys_exit_write is a struct ret_event (WRITE_CLASSIFIED) sys_exit_writev is a struct ret_event (WRITE_CLASSIFIED) -- cgit v1.2.3