From 8bd5f17ae2cd662b21fcd45a849c4b701a3aa40f Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Thu, 21 May 2026 11:45:09 +0300 Subject: g7 classify fd-from-air eventfd users --- internal/c/generated_tracepoints.c | 168 ++++++++++++++++++++-------- internal/c/generated_tracepoints_result.txt | 28 ++--- 2 files changed, 133 insertions(+), 63 deletions(-) (limited to 'internal/c') diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index b2fff2e..d85508c 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -1994,7 +1994,7 @@ int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_landlock_create_ruleset is a struct null_event (kind=null) +/// sys_enter_landlock_create_ruleset is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_landlock_create_ruleset") int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -2004,21 +2004,25 @@ int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_CREATE_RULESET)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_LANDLOCK_CREATE_RULESET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[2]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_landlock_create_ruleset is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_landlock_create_ruleset") int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { __u32 pid, tid; @@ -2028,17 +2032,23 @@ int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_CREATE_RULESET, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_LANDLOCK_CREATE_RULESET; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; 
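Review bot: In handle_sys_exit_landlock_create_ruleset the pending entry in `eventfd_flags_map` is looked up and deleted only after `bpf_ringbuf_reserve` succeeds, so an exit that returns early on `if (!ev) return 0;` leaves that tid's entry behind. The enter handlers also write the map only after their own reserve succeeds, so a later call on the same tid whose enter event was dropped could be reported with the flags of an earlier, unrelated syscall; this is inferred from the visible ordering, as the map definition is not part of this diff. Moving the `bpf_map_lookup_elem` / `bpf_map_delete_elem` pair ahead of the reserve would consume the entry on every exit that reaches this point. The same ordering appears in the exit handlers for epoll_create1, epoll_create, fanotify_init, inotify_init1, inotify_init and fsopen, and since this file is generated the change belongs in the generator template. The handler's opening lines sit outside this hunk.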
@@ -4380,7 +4390,7 @@ int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_epoll_create1 is a struct null_event (kind=null) +/// sys_enter_epoll_create1 is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_epoll_create1") int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -4390,21 +4400,25 @@ int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE1)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_EPOLL_CREATE1; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[0]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_epoll_create1 is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_epoll_create1") int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) { __u32 pid, tid; 
@@ -4414,23 +4428,29 @@ int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE1, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_EPOLL_CREATE1; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_epoll_create is a struct null_event (kind=null) +/// sys_enter_epoll_create is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_epoll_create") int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -4440,21 +4460,25 @@ int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_EPOLL_CREATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[0]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_epoll_create is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_epoll_create") int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) { __u32 pid, tid; @@ -4464,17 +4488,23 @@ int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_EPOLL_CREATE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; 
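Review bot: `__s32 flags = (__s32)ctx->args[0];` in handle_sys_enter_epoll_create stores the syscall's `size` argument as flags, because epoll_create(2) takes only a size hint and has no flags parameter. Anything that decodes `ev->flags` for this trace id would then read an arbitrary size value as flag bits, and the exit handler copies the same value out of `eventfd_flags_map`. The inotify_init enter handler in this commit already uses `__s32 flags = 0;` for a syscall without flags, and the generator should emit the same for epoll_create. The handler's opening lines sit outside this hunk.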
@@ -4693,7 +4723,7 @@ int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fanotify_init is a struct null_event (kind=null) +/// sys_enter_fanotify_init is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_fanotify_init") int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -4703,21 +4733,25 @@ int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_INIT)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_FANOTIFY_INIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[0]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_fanotify_init is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_fanotify_init") int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) { __u32 pid, tid; 
@@ -4727,17 +4761,23 @@ int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_FANOTIFY_INIT, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_FANOTIFY_INIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; @@ -4795,7 +4835,7 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_inotify_init1 is a struct null_event (kind=null) +/// sys_enter_inotify_init1 is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_inotify_init1") int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -4805,21 +4845,25 @@ int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT1)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_INOTIFY_INIT1; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[0]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_inotify_init1 is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_inotify_init1") int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) { __u32 pid, tid; 
@@ -4829,23 +4873,29 @@ int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT1, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_INOTIFY_INIT1; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_enter_inotify_init is a struct null_event (kind=null) +/// sys_enter_inotify_init is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_inotify_init") int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) { __u32 pid, tid; 
@@ -4855,21 +4905,25 @@ int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_INOTIFY_INIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_inotify_init is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_inotify_init") int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) { __u32 pid, tid; @@ -4879,17 +4933,23 @@ int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_INOTIFY_INIT; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; 
@@ -5101,7 +5161,7 @@ int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_fsopen is a struct null_event (kind=null) +/// sys_enter_fsopen is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_enter_fsopen") int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -5111,21 +5171,25 @@ int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_FSOPEN)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_EVENTFD_EVENT; ev->trace_id = SYS_ENTER_FSOPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = (__s32)ctx->args[1]; + bpf_map_update_elem(&eventfd_flags_map, &tid, &flags, BPF_ANY); + ev->flags = flags; + ev->ret = -1; bpf_ringbuf_submit(ev, 0); return 0; } -/// sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) (kind=ret) +/// sys_exit_fsopen is a struct eventfd_event (kind=eventfd) SEC("tracepoint/syscalls/sys_exit_fsopen") int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) { __u32 pid, tid; 
@@ -5135,17 +5199,23 @@ int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) { if (!ior_on_syscall_exit(tid, SYS_EXIT_FSOPEN, ctx->ret)) return 0; - struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; - ev->event_type = EXIT_RET_EVENT; + ev->event_type = EXIT_EVENTFD_EVENT; ev->trace_id = SYS_EXIT_FSOPEN; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + __s32 flags = 0; + __s32 *pending = bpf_map_lookup_elem(&eventfd_flags_map, &tid); + if (pending) { + flags = *pending; + bpf_map_delete_elem(&eventfd_flags_map, &tid); + } + ev->flags = flags; ev->ret = ctx->ret; - ev->ret_type = UNCLASSIFIED; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index bca5fcf..85dc95f 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -32,8 +32,8 @@ sys_enter_delete_module is a struct null_event (kind=null) sys_enter_dup is a struct fd_event (kind=fd) sys_enter_dup2 is a struct fd_event (kind=fd) sys_enter_dup3 is a struct dup3_event (kind=dup3) -sys_enter_epoll_create is a struct null_event (kind=null) -sys_enter_epoll_create1 is a struct null_event (kind=null) +sys_enter_epoll_create is a struct eventfd_event (kind=eventfd) +sys_enter_epoll_create1 is a struct eventfd_event (kind=eventfd) sys_enter_epoll_ctl is a struct epoll_ctl_event (kind=epoll-ctl) sys_enter_epoll_pwait is a struct fd_event (kind=fd) sys_enter_epoll_pwait2 is a struct fd_event (kind=fd) 
@@ -48,7 +48,7 @@ sys_enter_faccessat is a struct path_event (kind=pathname) sys_enter_faccessat2 is a struct path_event (kind=pathname) sys_enter_fadvise64 is a struct fd_event (kind=fd) sys_enter_fallocate is a struct fd_event (kind=fd) -sys_enter_fanotify_init is a struct null_event (kind=null) +sys_enter_fanotify_init is a struct eventfd_event (kind=eventfd) sys_enter_fanotify_mark is a struct path_event (kind=pathname) sys_enter_fchdir is a struct fd_event (kind=fd) sys_enter_fchmod is a struct fd_event (kind=fd) @@ -69,7 +69,7 @@ sys_enter_fremovexattr is a struct fd_event (kind=fd) sys_enter_fsconfig is a struct fd_event (kind=fd) sys_enter_fsetxattr is a struct fd_event (kind=fd) sys_enter_fsmount is a struct eventfd_event (kind=eventfd) -sys_enter_fsopen is a struct null_event (kind=null) +sys_enter_fsopen is a struct eventfd_event (kind=eventfd) sys_enter_fspick is a struct path_event (kind=pathname) sys_enter_fstatfs is a struct fd_event (kind=fd) sys_enter_fsync is a struct fd_event (kind=fd) @@ -112,8 +112,8 @@ sys_enter_getxattr is a struct path_event (kind=pathname) sys_enter_getxattrat is a struct path_event (kind=pathname) sys_enter_init_module is a struct null_event (kind=null) sys_enter_inotify_add_watch is a struct fd_event (kind=fd) -sys_enter_inotify_init is a struct null_event (kind=null) -sys_enter_inotify_init1 is a struct null_event (kind=null) +sys_enter_inotify_init is a struct eventfd_event (kind=eventfd) +sys_enter_inotify_init1 is a struct eventfd_event (kind=eventfd) sys_enter_inotify_rm_watch is a struct fd_event (kind=fd) sys_enter_io_cancel is a struct null_event (kind=null) sys_enter_io_destroy is a struct null_event (kind=null) 
@@ -135,7 +135,7 @@ sys_enter_kexec_load is a struct null_event (kind=null) sys_enter_keyctl is a struct keyctl_event (kind=keyctl) sys_enter_kill is a struct null_event (kind=null) sys_enter_landlock_add_rule is a struct null_event (kind=null) -sys_enter_landlock_create_ruleset is a struct null_event (kind=null) +sys_enter_landlock_create_ruleset is a struct eventfd_event (kind=eventfd) sys_enter_landlock_restrict_self is a struct null_event (kind=null) sys_enter_lchown is a struct path_event (kind=pathname) sys_enter_lgetxattr is a struct path_event (kind=pathname) @@ -399,8 +399,8 @@ sys_exit_delete_module is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_dup is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_dup2 is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_dup3 is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_epoll_create is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_epoll_create1 is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_epoll_create is a struct eventfd_event (kind=eventfd) +sys_exit_epoll_create1 is a struct eventfd_event (kind=eventfd) sys_exit_epoll_ctl is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_epoll_pwait is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_epoll_pwait2 is a struct ret_event (UNCLASSIFIED) (kind=ret) @@ -415,7 +415,7 @@ sys_exit_faccessat is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_faccessat2 is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fadvise64 is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fallocate is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_fanotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_fanotify_init is a struct eventfd_event (kind=eventfd) sys_exit_fanotify_mark is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fchdir is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fchmod is a struct ret_event (UNCLASSIFIED) (kind=ret) 
@@ -436,7 +436,7 @@ sys_exit_fremovexattr is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fsconfig is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fsetxattr is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fsmount is a struct eventfd_event (kind=eventfd) -sys_exit_fsopen is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_fsopen is a struct eventfd_event (kind=eventfd) sys_exit_fspick is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fstatfs is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_fsync is a struct ret_event (UNCLASSIFIED) (kind=ret) @@ -479,8 +479,8 @@ sys_exit_getxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret) sys_exit_getxattrat is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_init_module is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_inotify_add_watch is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_inotify_init is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_inotify_init1 is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_inotify_init is a struct eventfd_event (kind=eventfd) +sys_exit_inotify_init1 is a struct eventfd_event (kind=eventfd) sys_exit_inotify_rm_watch is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_io_cancel is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_io_destroy is a struct ret_event (UNCLASSIFIED) (kind=ret) 
@@ -502,7 +502,7 @@ sys_exit_kexec_load is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_keyctl is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_kill is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_landlock_add_rule is a struct ret_event (UNCLASSIFIED) (kind=ret) -sys_exit_landlock_create_ruleset is a struct ret_event (UNCLASSIFIED) (kind=ret) +sys_exit_landlock_create_ruleset is a struct eventfd_event (kind=eventfd) sys_exit_landlock_restrict_self is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_lchown is a struct ret_event (UNCLASSIFIED) (kind=ret) sys_exit_lgetxattr is a struct ret_event (READ_CLASSIFIED) (kind=ret) -- cgit v1.2.3