From d29bdc79feb118dcbc27a4aa4a0bd14216b1664e Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Thu, 21 May 2026 18:02:16 +0300 Subject: o7 classify landlock add-rule and restrict-self as fd --- internal/c/generated_tracepoints.c | 14 ++++++++------ internal/c/generated_tracepoints_result.txt | 4 ++-- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'internal/c') diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index 06e486c..4a5bd60 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -2054,7 +2054,7 @@ int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_landlock_add_rule is a struct null_event (kind=null) +/// sys_enter_landlock_add_rule is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_landlock_add_rule") int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -2064,15 +2064,16 @@ int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_ADD_RULE)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_LANDLOCK_ADD_RULE; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; @@ -2104,7 +2105,7 @@ int handle_sys_exit_landlock_add_rule(struct syscall_trace_exit *ctx) { return 0; } -/// sys_enter_landlock_restrict_self is a struct null_event (kind=null) +/// sys_enter_landlock_restrict_self is a struct fd_event (kind=fd) SEC("tracepoint/syscalls/sys_enter_landlock_restrict_self") int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx) { __u32 pid, tid; @@ -2114,15 +2115,16 @@ int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx) { if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_RESTRICT_SELF)) return 0; - struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; - ev->event_type = ENTER_NULL_EVENT; + ev->event_type = ENTER_FD_EVENT; ev->trace_id = SYS_ENTER_LANDLOCK_RESTRICT_SELF; ev->pid = pid; ev->tid = tid; ev->time = bpf_ktime_get_boot_ns(); + ev->fd = (__s32)ctx->args[0]; bpf_ringbuf_submit(ev, 0); return 0; diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt index 96caaaa..4d44867 100644 --- a/internal/c/generated_tracepoints_result.txt +++ b/internal/c/generated_tracepoints_result.txt @@ -134,9 +134,9 @@ sys_enter_kexec_file_load is a struct fd_event (kind=fd) sys_enter_kexec_load is a struct null_event (kind=null) sys_enter_keyctl is a struct keyctl_event (kind=keyctl) sys_enter_kill is a struct null_event (kind=null) -sys_enter_landlock_add_rule is a struct null_event (kind=null) +sys_enter_landlock_add_rule is a struct fd_event (kind=fd) sys_enter_landlock_create_ruleset is a struct eventfd_event (kind=eventfd) -sys_enter_landlock_restrict_self is a struct null_event (kind=null) +sys_enter_landlock_restrict_self is a struct fd_event (kind=fd) sys_enter_lchown is a struct path_event (kind=pathname) sys_enter_lgetxattr is a struct path_event (kind=pathname) sys_enter_link is a struct name_event (kind=name) -- cgit v1.2.3