From 6ca4d5ddacaff05d8bd82a5e9a6dfbb39ac111c9 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Wed, 20 May 2026 22:43:32 +0300
Subject: feat: add keyctl ptrace perf_event_open tracing (task 77)
---
 internal/eventloop_runtime.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
(limited to 'internal/eventloop_runtime.go')
diff --git a/internal/eventloop_runtime.go b/internal/eventloop_runtime.go
index 9a818e3..334fa63 100644
--- a/internal/eventloop_runtime.go
+++ b/internal/eventloop_runtime.go
@@ -250,6 +250,7 @@ func (e *eventLoop) initRawHandlers() {
 e.registerTwoFdHandlers()
 e.registerMemoryHandlers()
 e.registerSleepHandlers()
+ e.registerSecurityHandlers()
 }

 // registerOpenHandlers wires enter/exit handlers for open-family events.
@@ -482,6 +483,30 @@ func (e *eventLoop) registerSleepHandlers() {
 }
 }

+func (e *eventLoop) registerSecurityHandlers() {
+ e.rawHandlers[types.ENTER_KEYCTL_EVENT] = func(raw []byte, _ chan<- *event.Pair) {
+ keyctlEv, ok := decodeRawEvent(e, types.ENTER_KEYCTL_EVENT, raw, types.NewKeyctlEventFast)
+ if !ok {
+ return
+ }
+ e.tracepointEntered(keyctlEv)
+ }
+ e.rawHandlers[types.ENTER_PTRACE_EVENT] = func(raw []byte, _ chan<- *event.Pair) {
+ ptraceEv, ok := decodeRawEvent(e, types.ENTER_PTRACE_EVENT, raw, types.NewPtraceEventFast)
+ if !ok {
+ return
+ }
+ e.tracepointEntered(ptraceEv)
+ }
+ e.rawHandlers[types.ENTER_PERF_OPEN_EVENT] = func(raw []byte, _ chan<- *event.Pair) {
+ perfOpenEv, ok := decodeRawEvent(e, types.ENTER_PERF_OPEN_EVENT, raw, types.NewPerfOpenEventFast)
+ if !ok {
+ return
+ }
+ e.tracepointEntered(perfOpenEv)
+ }
+}
+
 func decodeRawEvent[T any](e *eventLoop, eventType types.EventType, raw []byte, decode func([]byte) *T) (*T, bool) {
 decoded := decode(raw)
 if decoded == nil {
--
cgit v1.2.3
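Review bot: `registerSecurityHandlers` in the second hunk has no doc comment, while the neighbouring `registerOpenHandlers` documents that it wires enter/exit handlers, and the new function registers only the `ENTER_*` side of keyctl, ptrace and perf_event_open. For these three calls the outcome is what a reader of the trace needs, because a denied request and a granted one look the same at entry. The comment should therefore say where the matching exit is recorded, which this hunk does not show. Something like `// registerSecurityHandlers wires enter handlers for keyctl, ptrace and perf_event_open events; the exit side is paired in <exit handler, confirm>.` would do. If no exit handler picks these up, the events presumably stay pending after `tracepointEntered`, which is worth confirming before relying on this output for auditing.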