From 9310b54d439d4a1a8d4d337987aa63884df0af76 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Wed, 20 May 2026 11:38:19 +0300 Subject: feat: add syscall aggregate sampling infrastructure (task 17) --- internal/c/filter.c | 99 +- internal/c/generated_tracepoints.c | 2202 +++++++++++++++++++++++++++ internal/c/maps.h | 36 + internal/eventloop.go | 32 +- internal/eventloop_aggregate_test.go | 76 + internal/eventloop_runtime.go | 35 + internal/flags/flags.go | 59 +- internal/flags/sampling.go | 88 ++ internal/flags/sampling_test.go | 78 + internal/generate/bpfhandler.go | 12 +- internal/ior.go | 15 + internal/ior_bpfsetup.go | 4 + internal/statsengine/aggregate.go | 46 + internal/statsengine/aggregate_test.go | 57 + internal/statsengine/family.go | 24 + internal/statsengine/histogram.go | 10 + internal/statsengine/syscall.go | 23 + internal/syscall_aggregate_consumer.go | 129 ++ internal/syscall_aggregate_consumer_test.go | 53 + internal/types/family.go | 13 + internal/types/traceid_lookup.go | 46 + 21 files changed, 3113 insertions(+), 24 deletions(-) create mode 100644 internal/eventloop_aggregate_test.go create mode 100644 internal/flags/sampling.go create mode 100644 internal/flags/sampling_test.go create mode 100644 internal/statsengine/aggregate.go create mode 100644 internal/statsengine/aggregate_test.go create mode 100644 internal/syscall_aggregate_consumer.go create mode 100644 internal/syscall_aggregate_consumer_test.go create mode 100644 internal/types/traceid_lookup.go (limited to 'internal') diff --git a/internal/c/filter.c b/internal/c/filter.c index 55632e4..88c4fa0 100644 --- a/internal/c/filter.c +++ b/internal/c/filter.c @@ -2,6 +2,104 @@ #define ACCEPT 0 #define FILTER 1 +#define IOR_HISTOGRAM_BUCKETS 8 + +static __always_inline __u32 ior_histogram_bucket_index(__u64 duration_ns) { + if (duration_ns < 1000) + return 0; + if (duration_ns < 10000) + return 1; + if (duration_ns < 100000) + return 2; + if (duration_ns < 1000000) + return 3; + if (duration_ns < 10000000) + return 4; + if (duration_ns < 100000000) + return 5; + if (duration_ns < 1000000000) + return 6; + return 7; +} + +static __always_inline void ior_update_syscall_aggregate(__u32 enter_trace_id, __u64 duration_ns, __s64 ret) { + __u32 bucket_idx; + struct syscall_aggregate *existing; + struct syscall_aggregate fresh = {}; + + existing = bpf_map_lookup_elem(&syscall_aggregate_map, &enter_trace_id); + bucket_idx = ior_histogram_bucket_index(duration_ns); + if (bucket_idx >= IOR_HISTOGRAM_BUCKETS) + bucket_idx = IOR_HISTOGRAM_BUCKETS - 1; + + if (existing) { + existing->count += 1; + existing->total_duration_ns += duration_ns; + if (ret < 0) + existing->errors += 1; + if (existing->count == 1 || duration_ns < existing->min_duration_ns) + existing->min_duration_ns = duration_ns; + if (duration_ns > existing->max_duration_ns) + existing->max_duration_ns = duration_ns; + existing->duration_histogram[bucket_idx] += 1; + return; + } + + fresh.count = 1; + fresh.total_duration_ns = duration_ns; + fresh.min_duration_ns = duration_ns; + fresh.max_duration_ns = duration_ns; + if (ret < 0) + fresh.errors = 1; + fresh.duration_histogram[bucket_idx] = 1; + bpf_map_update_elem(&syscall_aggregate_map, &enter_trace_id, &fresh, BPF_ANY); +} + +static __always_inline int ior_should_emit_trace(__u32 enter_trace_id) { + __u32 default_rate = 1; + __u32 *configured = bpf_map_lookup_elem(&syscall_sampling_rate_map, &enter_trace_id); + __u32 rate = configured ? *configured : default_rate; + + // A zero rate means aggregate-only mode for this syscall. + if (rate == 0) + return 0; + if (rate == 1) + return 1; + return (bpf_get_prandom_u32() % rate) == 0; +} + +static __always_inline int ior_on_syscall_enter(__u32 tid, __u32 enter_trace_id) { + struct syscall_enter_state state = {}; + + state.start_ns = bpf_ktime_get_boot_ns(); + state.enter_trace_id = enter_trace_id; + state.emit_event = ior_should_emit_trace(enter_trace_id) ? 1 : 0; + bpf_map_update_elem(&syscall_enter_state_map, &tid, &state, BPF_ANY); + return state.emit_event != 0; +} + +static __always_inline int ior_on_syscall_exit(__u32 tid, __u32 exit_trace_id, __s64 ret) { + __u64 now; + __u64 duration = 0; + __u8 emit_event = 1; + struct syscall_enter_state *state; + + state = bpf_map_lookup_elem(&syscall_enter_state_map, &tid); + if (!state) + return 1; + + now = bpf_ktime_get_boot_ns(); + if (now >= state->start_ns) + duration = now - state->start_ns; + + // A tracepoint pair uses enter_id == exit_id + 1 in this codebase. + if (state->enter_trace_id == exit_trace_id + 1) + ior_update_syscall_aggregate(state->enter_trace_id, duration, ret); + + emit_event = state->emit_event; + bpf_map_delete_elem(&syscall_enter_state_map, &tid); + return emit_event != 0; +} static __always_inline int filter(__u32 *pid, __u32 *tid) { u64 pid_tgid = bpf_get_current_pid_tgid(); @@ -21,4 +119,3 @@ static __always_inline int filter(__u32 *pid, __u32 *tid) { return FILTER; } - diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c index ad11b06..68aa8a7 100644 --- a/internal/c/generated_tracepoints.c +++ b/internal/c/generated_tracepoints.c @@ -743,6 +743,9 @@ int handle_sys_enter_socket(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SOCKET)) + return 0; + struct socket_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socket_event), 0); if (!ev) return 0; @@ -767,6 +770,9 @@ int handle_sys_exit_socket(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SOCKET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -790,6 +796,9 @@ int handle_sys_enter_socketpair(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SOCKETPAIR)) + return 0; + struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0); if (!ev) return 0; @@ -823,6 +832,9 @@ int handle_sys_exit_socketpair(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SOCKETPAIR, ctx->ret)) + return 0; + struct socketpair_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct socketpair_event), 0); if (!ev) return 0; @@ -869,6 +881,9 @@ int handle_sys_enter_bind(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_BIND)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -891,6 +906,9 @@ int handle_sys_exit_bind(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_BIND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -914,6 +932,9 @@ int handle_sys_enter_listen(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTEN)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -936,6 +957,9 @@ int handle_sys_exit_listen(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -959,6 +983,9 @@ int handle_sys_enter_accept4(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCEPT4)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -982,6 +1009,9 @@ int handle_sys_exit_accept4(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCEPT4, ctx->ret)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -1005,6 +1035,9 @@ int handle_sys_enter_accept(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCEPT)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -1028,6 +1061,9 @@ int handle_sys_exit_accept(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCEPT, ctx->ret)) + return 0; + struct accept_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct accept_event), 0); if (!ev) return 0; @@ -1051,6 +1087,9 @@ int handle_sys_enter_connect(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CONNECT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1073,6 +1112,9 @@ int handle_sys_exit_connect(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CONNECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1096,6 +1138,9 @@ int handle_sys_enter_getsockname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSOCKNAME)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1118,6 +1163,9 @@ int handle_sys_exit_getsockname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETSOCKNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1141,6 +1189,9 @@ int handle_sys_enter_getpeername(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPEERNAME)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1163,6 +1214,9 @@ int handle_sys_exit_getpeername(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPEERNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1186,6 +1240,9 @@ int handle_sys_enter_sendto(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDTO)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1208,6 +1265,9 @@ int handle_sys_exit_sendto(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDTO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1231,6 +1291,9 @@ int handle_sys_enter_recvfrom(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RECVFROM)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1253,6 +1316,9 @@ int handle_sys_exit_recvfrom(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RECVFROM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1276,6 +1342,9 @@ int handle_sys_enter_setsockopt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETSOCKOPT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1298,6 +1367,9 @@ int handle_sys_exit_setsockopt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETSOCKOPT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1321,6 +1393,9 @@ int handle_sys_enter_getsockopt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSOCKOPT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1343,6 +1418,9 @@ int handle_sys_exit_getsockopt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETSOCKOPT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1366,6 +1444,9 @@ int handle_sys_enter_shutdown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHUTDOWN)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1388,6 +1469,9 @@ int handle_sys_exit_shutdown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHUTDOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1411,6 +1495,9 @@ int handle_sys_enter_sendmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1433,6 +1520,9 @@ int handle_sys_exit_sendmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1456,6 +1546,9 @@ int handle_sys_enter_sendmmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDMMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1478,6 +1571,9 @@ int handle_sys_exit_sendmmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDMMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1501,6 +1597,9 @@ int handle_sys_enter_recvmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RECVMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1523,6 +1622,9 @@ int handle_sys_exit_recvmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RECVMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1546,6 +1648,9 @@ int handle_sys_enter_recvmmsg(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RECVMMSG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1568,6 +1673,9 @@ int handle_sys_exit_recvmmsg(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RECVMMSG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1591,6 +1699,9 @@ int handle_sys_enter_getrandom(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRANDOM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1612,6 +1723,9 @@ int handle_sys_exit_getrandom(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRANDOM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1635,6 +1749,9 @@ int handle_sys_enter_io_uring_register(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_REGISTER)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1657,6 +1774,9 @@ int handle_sys_exit_io_uring_register(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_URING_REGISTER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1680,6 +1800,9 @@ int handle_sys_enter_io_uring_enter(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_ENTER)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -1702,6 +1825,9 @@ int handle_sys_exit_io_uring_enter(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_URING_ENTER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1725,6 +1851,9 @@ int handle_sys_enter_io_uring_setup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_URING_SETUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1746,6 +1875,9 @@ int handle_sys_exit_io_uring_setup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_URING_SETUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1769,6 +1901,9 @@ int handle_sys_enter_ioprio_set(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPRIO_SET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1790,6 +1925,9 @@ int handle_sys_exit_ioprio_set(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPRIO_SET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1813,6 +1951,9 @@ int handle_sys_enter_ioprio_get(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPRIO_GET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1834,6 +1975,9 @@ int handle_sys_exit_ioprio_get(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPRIO_GET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1857,6 +2001,9 @@ int handle_sys_enter_landlock_create_ruleset(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_CREATE_RULESET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1878,6 +2025,9 @@ int handle_sys_exit_landlock_create_ruleset(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_CREATE_RULESET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1901,6 +2051,9 @@ int handle_sys_enter_landlock_add_rule(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_ADD_RULE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1922,6 +2075,9 @@ int handle_sys_exit_landlock_add_rule(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_ADD_RULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1945,6 +2101,9 @@ int handle_sys_enter_landlock_restrict_self(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LANDLOCK_RESTRICT_SELF)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -1966,6 +2125,9 @@ int handle_sys_exit_landlock_restrict_self(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LANDLOCK_RESTRICT_SELF, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -1989,6 +2151,9 @@ int handle_sys_enter_lsm_set_self_attr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_SET_SELF_ATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2010,6 +2175,9 @@ int handle_sys_exit_lsm_set_self_attr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSM_SET_SELF_ATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2033,6 +2201,9 @@ int handle_sys_enter_lsm_get_self_attr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_GET_SELF_ATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2054,6 +2225,9 @@ int handle_sys_exit_lsm_get_self_attr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSM_GET_SELF_ATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2077,6 +2251,9 @@ int handle_sys_enter_lsm_list_modules(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSM_LIST_MODULES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2098,6 +2275,9 @@ int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSM_LIST_MODULES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2121,6 +2301,9 @@ int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ADD_KEY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2142,6 +2325,9 @@ int handle_sys_exit_add_key(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ADD_KEY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2165,6 +2351,9 @@ int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REQUEST_KEY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2186,6 +2375,9 @@ int handle_sys_exit_request_key(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REQUEST_KEY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2209,6 +2401,9 @@ int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KEYCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2230,6 +2425,9 @@ int handle_sys_exit_keyctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KEYCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2253,6 +2451,9 @@ int handle_sys_enter_mq_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_OPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2274,6 +2475,9 @@ int handle_sys_exit_mq_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2297,6 +2501,9 @@ int handle_sys_enter_mq_unlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_UNLINK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2318,6 +2525,9 @@ int handle_sys_exit_mq_unlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_UNLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2341,6 +2551,9 @@ int handle_sys_enter_mq_timedsend(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_TIMEDSEND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2362,6 +2575,9 @@ int handle_sys_exit_mq_timedsend(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_TIMEDSEND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2385,6 +2601,9 @@ int handle_sys_enter_mq_timedreceive(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_TIMEDRECEIVE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2406,6 +2625,9 @@ int handle_sys_exit_mq_timedreceive(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_TIMEDRECEIVE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2429,6 +2651,9 @@ int handle_sys_enter_mq_notify(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_NOTIFY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2450,6 +2675,9 @@ int handle_sys_exit_mq_notify(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_NOTIFY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2473,6 +2701,9 @@ int handle_sys_enter_mq_getsetattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MQ_GETSETATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2494,6 +2725,9 @@ int handle_sys_exit_mq_getsetattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MQ_GETSETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2517,6 +2751,9 @@ int handle_sys_enter_shmget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2538,6 +2775,9 @@ int handle_sys_exit_shmget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2561,6 +2801,9 @@ int handle_sys_enter_shmctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2582,6 +2825,9 @@ int handle_sys_exit_shmctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2605,6 +2851,9 @@ int handle_sys_enter_shmat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMAT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2626,6 +2875,9 @@ int handle_sys_exit_shmat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2649,6 +2901,9 @@ int handle_sys_enter_shmdt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SHMDT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2670,6 +2925,9 @@ int handle_sys_exit_shmdt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SHMDT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2693,6 +2951,9 @@ int handle_sys_enter_semget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2714,6 +2975,9 @@ int handle_sys_exit_semget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2737,6 +3001,9 @@ int handle_sys_enter_semctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2758,6 +3025,9 @@ int handle_sys_exit_semctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2781,6 +3051,9 @@ int handle_sys_enter_semtimedop(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMTIMEDOP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2802,6 +3075,9 @@ int handle_sys_exit_semtimedop(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMTIMEDOP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2825,6 +3101,9 @@ int handle_sys_enter_semop(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SEMOP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2846,6 +3125,9 @@ int handle_sys_exit_semop(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SEMOP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2869,6 +3151,9 @@ int handle_sys_enter_msgget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2890,6 +3175,9 @@ int handle_sys_exit_msgget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2913,6 +3201,9 @@ int handle_sys_enter_msgctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2934,6 +3225,9 @@ int handle_sys_exit_msgctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -2957,6 +3251,9 @@ int handle_sys_enter_msgsnd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGSND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -2978,6 +3275,9 @@ int handle_sys_exit_msgsnd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGSND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3001,6 +3301,9 @@ int handle_sys_enter_msgrcv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSGRCV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3022,6 +3325,9 @@ int handle_sys_exit_msgrcv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSGRCV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3045,6 +3351,9 @@ int handle_sys_enter_quotactl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_QUOTACTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3066,6 +3375,9 @@ int handle_sys_exit_quotactl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_QUOTACTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3089,6 +3401,9 @@ int handle_sys_enter_quotactl_fd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_QUOTACTL_FD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -3111,6 +3426,9 @@ int handle_sys_exit_quotactl_fd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_QUOTACTL_FD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3134,6 +3452,9 @@ int handle_sys_enter_name_to_handle_at(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NAME_TO_HANDLE_AT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -3157,6 +3478,9 @@ int handle_sys_exit_name_to_handle_at(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NAME_TO_HANDLE_AT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3180,6 +3504,9 @@ int handle_sys_enter_open_by_handle_at(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_BY_HANDLE_AT)) + return 0; + struct open_by_handle_at_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_by_handle_at_event), 0); if (!ev) return 0; @@ -3202,6 +3529,9 @@ int handle_sys_exit_open_by_handle_at(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN_BY_HANDLE_AT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3225,6 +3555,9 @@ int handle_sys_enter_flock(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FLOCK)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -3247,6 +3580,9 @@ int handle_sys_exit_flock(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FLOCK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3270,6 +3606,9 @@ int handle_sys_enter_io_setup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_SETUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3291,6 +3630,9 @@ int handle_sys_exit_io_setup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_SETUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3314,6 +3656,9 @@ int handle_sys_enter_io_destroy(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_DESTROY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3335,6 +3680,9 @@ int handle_sys_exit_io_destroy(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_DESTROY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3358,6 +3706,9 @@ int handle_sys_enter_io_submit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_SUBMIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3379,6 +3730,9 @@ int handle_sys_exit_io_submit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_SUBMIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3402,6 +3756,9 @@ int handle_sys_enter_io_cancel(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_CANCEL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3423,6 +3780,9 @@ int handle_sys_exit_io_cancel(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_CANCEL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3446,6 +3806,9 @@ int handle_sys_enter_io_getevents(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_GETEVENTS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3467,6 +3830,9 @@ int handle_sys_exit_io_getevents(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_GETEVENTS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3490,6 +3856,9 @@ int handle_sys_enter_io_pgetevents(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IO_PGETEVENTS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3511,6 +3880,9 @@ int handle_sys_exit_io_pgetevents(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IO_PGETEVENTS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3534,6 +3906,9 @@ int handle_sys_enter_userfaultfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_USERFAULTFD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3555,6 +3930,9 @@ int handle_sys_exit_userfaultfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_USERFAULTFD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3578,6 +3956,9 @@ int handle_sys_enter_eventfd2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EVENTFD2)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3603,6 +3984,9 @@ int handle_sys_exit_eventfd2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EVENTFD2, ctx->ret)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3632,6 +4016,9 @@ int handle_sys_enter_eventfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EVENTFD)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3657,6 +4044,9 @@ int handle_sys_exit_eventfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EVENTFD, ctx->ret)) + return 0; + struct eventfd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct eventfd_event), 0); if (!ev) return 0; @@ -3686,6 +4076,9 @@ int handle_sys_enter_timerfd_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3707,6 +4100,9 @@ int handle_sys_exit_timerfd_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMERFD_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3730,6 +4126,9 @@ int handle_sys_enter_timerfd_settime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_SETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3751,6 +4150,9 @@ int handle_sys_exit_timerfd_settime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMERFD_SETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3774,6 +4176,9 @@ int handle_sys_enter_timerfd_gettime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMERFD_GETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3795,6 +4200,9 @@ int handle_sys_exit_timerfd_gettime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMERFD_GETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3818,6 +4226,9 @@ int handle_sys_enter_signalfd4(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGNALFD4)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3839,6 +4250,9 @@ int handle_sys_exit_signalfd4(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SIGNALFD4, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3862,6 +4276,9 @@ int handle_sys_enter_signalfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGNALFD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3883,6 +4300,9 @@ int handle_sys_exit_signalfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SIGNALFD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3906,6 +4326,9 @@ int handle_sys_enter_epoll_create1(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE1)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3927,6 +4350,9 @@ int handle_sys_exit_epoll_create1(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE1, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3950,6 +4376,9 @@ int handle_sys_enter_epoll_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -3971,6 +4400,9 @@ int handle_sys_exit_epoll_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -3994,6 +4426,9 @@ int handle_sys_enter_epoll_ctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_CTL)) + return 0; + struct epoll_ctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct epoll_ctl_event), 0); if (!ev) return 0; @@ -4025,6 +4460,9 @@ int handle_sys_exit_epoll_ctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_CTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4048,6 +4486,9 @@ int handle_sys_enter_epoll_wait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_WAIT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4070,6 +4511,9 @@ int handle_sys_exit_epoll_wait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_WAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4093,6 +4537,9 @@ int handle_sys_enter_epoll_pwait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_PWAIT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4115,6 +4562,9 @@ int handle_sys_exit_epoll_pwait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_PWAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4138,6 +4588,9 @@ int handle_sys_enter_epoll_pwait2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EPOLL_PWAIT2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4160,6 +4613,9 @@ int handle_sys_exit_epoll_pwait2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EPOLL_PWAIT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4183,6 +4639,9 @@ int handle_sys_enter_fanotify_init(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_INIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4204,6 +4663,9 @@ int handle_sys_exit_fanotify_init(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FANOTIFY_INIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4227,6 +4689,9 @@ int handle_sys_enter_fanotify_mark(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FANOTIFY_MARK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4250,6 +4715,9 @@ int handle_sys_exit_fanotify_mark(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FANOTIFY_MARK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4273,6 +4741,9 @@ int handle_sys_enter_inotify_init1(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT1)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4294,6 +4765,9 @@ int handle_sys_exit_inotify_init1(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT1, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4317,6 +4791,9 @@ int handle_sys_enter_inotify_init(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_INIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4338,6 +4815,9 @@ int handle_sys_exit_inotify_init(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_INIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4361,6 +4841,9 @@ int handle_sys_enter_inotify_add_watch(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_ADD_WATCH)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4383,6 +4866,9 @@ int handle_sys_exit_inotify_add_watch(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_ADD_WATCH, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4406,6 +4892,9 @@ int handle_sys_enter_inotify_rm_watch(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INOTIFY_RM_WATCH)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4428,6 +4917,9 @@ int handle_sys_exit_inotify_rm_watch(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INOTIFY_RM_WATCH, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4451,6 +4943,9 @@ int handle_sys_enter_file_getattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FILE_GETATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4474,6 +4969,9 @@ int handle_sys_exit_file_getattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FILE_GETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4497,6 +4995,9 @@ int handle_sys_enter_file_setattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FILE_SETATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4520,6 +5021,9 @@ int handle_sys_exit_file_setattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FILE_SETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4543,6 +5047,9 @@ int handle_sys_enter_fsopen(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSOPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4564,6 +5071,9 @@ int handle_sys_exit_fsopen(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSOPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4587,6 +5097,9 @@ int handle_sys_enter_fspick(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSPICK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4610,6 +5123,9 @@ int handle_sys_exit_fspick(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSPICK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4633,6 +5149,9 @@ int handle_sys_enter_fsconfig(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSCONFIG)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4655,6 +5174,9 @@ int handle_sys_exit_fsconfig(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSCONFIG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4678,6 +5200,9 @@ int handle_sys_enter_statfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_STATFS)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4701,6 +5226,9 @@ int handle_sys_exit_statfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_STATFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4724,6 +5252,9 @@ int handle_sys_enter_fstatfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSTATFS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -4746,6 +5277,9 @@ int handle_sys_exit_fstatfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSTATFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4769,6 +5303,9 @@ int handle_sys_enter_ustat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_USTAT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4790,6 +5327,9 @@ int handle_sys_exit_ustat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_USTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4813,6 +5353,9 @@ int handle_sys_enter_getcwd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETCWD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4834,6 +5377,9 @@ int handle_sys_exit_getcwd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETCWD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4857,6 +5403,9 @@ int handle_sys_enter_utimensat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIMENSAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4880,6 +5429,9 @@ int handle_sys_exit_utimensat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UTIMENSAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4903,6 +5455,9 @@ int handle_sys_enter_futimesat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTIMESAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -4926,6 +5481,9 @@ int handle_sys_exit_futimesat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTIMESAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4949,6 +5507,9 @@ int handle_sys_enter_utimes(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIMES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -4970,6 +5531,9 @@ int handle_sys_exit_utimes(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UTIMES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -4993,6 +5557,9 @@ int handle_sys_enter_utime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5014,6 +5581,9 @@ int handle_sys_exit_utime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5037,6 +5607,9 @@ int handle_sys_enter_sync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNC)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5058,6 +5631,9 @@ int handle_sys_exit_sync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5081,6 +5657,9 @@ int handle_sys_enter_syncfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNCFS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5103,6 +5682,9 @@ int handle_sys_exit_syncfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYNCFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5126,6 +5708,9 @@ int handle_sys_enter_fsync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSYNC)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5148,6 +5733,9 @@ int handle_sys_exit_fsync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5171,6 +5759,9 @@ int handle_sys_enter_fdatasync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FDATASYNC)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5193,6 +5784,9 @@ int handle_sys_exit_fdatasync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FDATASYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5216,6 +5810,9 @@ int handle_sys_enter_sync_file_range(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYNC_FILE_RANGE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5238,6 +5835,9 @@ int handle_sys_exit_sync_file_range(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYNC_FILE_RANGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5261,6 +5861,9 @@ int handle_sys_enter_vmsplice(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_VMSPLICE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5283,6 +5886,9 @@ int handle_sys_exit_vmsplice(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_VMSPLICE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5306,6 +5912,9 @@ int handle_sys_enter_splice(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SPLICE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5327,6 +5936,9 @@ int handle_sys_exit_splice(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SPLICE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5350,6 +5962,9 @@ int handle_sys_enter_tee(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TEE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -5371,6 +5986,9 @@ int handle_sys_exit_tee(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TEE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5394,6 +6012,9 @@ int handle_sys_enter_setxattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5417,6 +6038,9 @@ int handle_sys_exit_setxattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5440,6 +6064,9 @@ int handle_sys_enter_setxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5463,6 +6090,9 @@ int handle_sys_exit_setxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5486,6 +6116,9 @@ int handle_sys_enter_lsetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5509,6 +6142,9 @@ int handle_sys_exit_lsetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5532,6 +6168,9 @@ int handle_sys_enter_fsetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSETXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5554,6 +6193,9 @@ int handle_sys_exit_fsetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5577,6 +6219,9 @@ int handle_sys_enter_getxattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5600,6 +6245,9 @@ int handle_sys_exit_getxattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5623,6 +6271,9 @@ int handle_sys_enter_getxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5646,6 +6297,9 @@ int handle_sys_exit_getxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5669,6 +6323,9 @@ int handle_sys_enter_lgetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LGETXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5692,6 +6349,9 @@ int handle_sys_exit_lgetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LGETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5715,6 +6375,9 @@ int handle_sys_enter_fgetxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FGETXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5737,6 +6400,9 @@ int handle_sys_exit_fgetxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FGETXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5760,6 +6426,9 @@ int handle_sys_enter_listxattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5783,6 +6452,9 @@ int handle_sys_exit_listxattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5806,6 +6478,9 @@ int handle_sys_enter_listxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5829,6 +6504,9 @@ int handle_sys_exit_listxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5852,6 +6530,9 @@ int handle_sys_enter_llistxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LLISTXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5875,6 +6556,9 @@ int handle_sys_exit_llistxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LLISTXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5898,6 +6582,9 @@ int handle_sys_enter_flistxattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FLISTXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -5920,6 +6607,9 @@ int handle_sys_exit_flistxattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FLISTXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5943,6 +6633,9 @@ int handle_sys_enter_removexattrat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REMOVEXATTRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -5966,6 +6659,9 @@ int handle_sys_exit_removexattrat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REMOVEXATTRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -5989,6 +6685,9 @@ int handle_sys_enter_removexattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REMOVEXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -6012,6 +6711,9 @@ int handle_sys_exit_removexattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REMOVEXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6035,6 +6737,9 @@ int handle_sys_enter_lremovexattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LREMOVEXATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -6058,6 +6763,9 @@ int handle_sys_exit_lremovexattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LREMOVEXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6081,6 +6789,9 @@ int handle_sys_enter_fremovexattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FREMOVEXATTR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6103,6 +6814,9 @@ int handle_sys_exit_fremovexattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FREMOVEXATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6126,6 +6840,9 @@ int handle_sys_enter_umount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6147,6 +6864,9 @@ int handle_sys_exit_umount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6170,6 +6890,9 @@ int handle_sys_enter_open_tree(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_TREE)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -6195,6 +6918,9 @@ int handle_sys_exit_open_tree(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN_TREE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6218,6 +6944,9 @@ int handle_sys_enter_mount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6239,6 +6968,9 @@ int handle_sys_exit_mount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6262,6 +6994,9 @@ int handle_sys_enter_fsmount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FSMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6283,6 +7018,9 @@ int handle_sys_exit_fsmount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FSMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6306,6 +7044,9 @@ int handle_sys_enter_move_mount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOVE_MOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6327,6 +7068,9 @@ int handle_sys_exit_move_mount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOVE_MOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6350,6 +7094,9 @@ int handle_sys_enter_pivot_root(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIVOT_ROOT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6371,6 +7118,9 @@ int handle_sys_exit_pivot_root(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIVOT_ROOT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6394,6 +7144,9 @@ int handle_sys_enter_mount_setattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOUNT_SETATTR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -6417,6 +7170,9 @@ int handle_sys_exit_mount_setattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOUNT_SETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6440,6 +7196,9 @@ int handle_sys_enter_open_tree_attr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN_TREE_ATTR)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -6465,6 +7224,9 @@ int handle_sys_exit_open_tree_attr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN_TREE_ATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6488,6 +7250,9 @@ int handle_sys_enter_statmount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_STATMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6509,6 +7274,9 @@ int handle_sys_exit_statmount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_STATMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6532,6 +7300,9 @@ int handle_sys_enter_listmount(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTMOUNT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6553,6 +7324,9 @@ int handle_sys_exit_listmount(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTMOUNT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6576,6 +7350,9 @@ int handle_sys_enter_sysfs(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSFS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -6597,6 +7374,9 @@ int handle_sys_exit_sysfs(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYSFS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6620,6 +7400,9 @@ int handle_sys_enter_close_range(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOSE_RANGE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6642,6 +7425,9 @@ int handle_sys_exit_close_range(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOSE_RANGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6665,6 +7451,9 @@ int handle_sys_enter_dup3(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP3)) + return 0; + struct dup3_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct dup3_event), 0); if (!ev) return 0; @@ -6688,6 +7477,9 @@ int handle_sys_exit_dup3(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DUP3, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6711,6 +7503,9 @@ int handle_sys_enter_dup2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6733,6 +7528,9 @@ int handle_sys_exit_dup2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DUP2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6756,6 +7554,9 @@ int handle_sys_enter_dup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DUP)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -6778,6 +7579,9 @@ int handle_sys_exit_dup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6801,6 +7605,9 @@ int handle_sys_enter_select(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SELECT)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6833,6 +7640,9 @@ int handle_sys_exit_select(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SELECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6856,6 +7666,9 @@ int handle_sys_enter_pselect6(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PSELECT6)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6888,6 +7701,9 @@ int handle_sys_exit_pselect6(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PSELECT6, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6911,6 +7727,9 @@ int handle_sys_enter_poll(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_POLL)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6938,6 +7757,9 @@ int handle_sys_exit_poll(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_POLL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -6961,6 +7783,9 @@ int handle_sys_enter_ppoll(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PPOLL)) + return 0; + struct poll_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct poll_event), 0); if (!ev) return 0; @@ -6993,6 +7818,9 @@ int handle_sys_exit_ppoll(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PPOLL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7016,6 +7844,9 @@ int handle_sys_enter_getdents(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETDENTS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -7038,6 +7869,9 @@ int handle_sys_exit_getdents(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETDENTS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7061,6 +7895,9 @@ int handle_sys_enter_getdents64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETDENTS64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -7083,6 +7920,9 @@ int handle_sys_exit_getdents64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETDENTS64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7106,6 +7946,9 @@ int handle_sys_enter_ioctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOCTL)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -7128,6 +7971,9 @@ int handle_sys_exit_ioctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7151,6 +7997,9 @@ int handle_sys_enter_fcntl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCNTL)) + return 0; + struct fcntl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fcntl_event), 0); if (!ev) return 0; @@ -7175,6 +8024,9 @@ int handle_sys_exit_fcntl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCNTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7198,6 +8050,9 @@ int handle_sys_enter_mknodat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKNODAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7221,6 +8076,9 @@ int handle_sys_exit_mknodat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKNODAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7244,6 +8102,9 @@ int handle_sys_enter_mknod(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKNOD)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7267,6 +8128,9 @@ int handle_sys_exit_mknod(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKNOD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7290,6 +8154,9 @@ int handle_sys_enter_mkdirat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKDIRAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7313,6 +8180,9 @@ int handle_sys_exit_mkdirat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKDIRAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7336,6 +8206,9 @@ int handle_sys_enter_mkdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MKDIR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7359,6 +8232,9 @@ int handle_sys_exit_mkdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MKDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7382,6 +8258,9 @@ int handle_sys_enter_rmdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RMDIR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7405,6 +8284,9 @@ int handle_sys_exit_rmdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RMDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7428,6 +8310,9 @@ int handle_sys_enter_unlinkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UNLINKAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7451,6 +8336,9 @@ int handle_sys_exit_unlinkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UNLINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7474,6 +8362,9 @@ int handle_sys_enter_unlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UNLINK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -7497,6 +8388,9 @@ int handle_sys_exit_unlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UNLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7520,6 +8414,9 @@ int handle_sys_enter_symlinkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYMLINKAT)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7544,6 +8441,9 @@ int handle_sys_exit_symlinkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYMLINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7567,6 +8467,9 @@ int handle_sys_enter_symlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYMLINK)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7591,6 +8494,9 @@ int handle_sys_exit_symlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYMLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7614,6 +8520,9 @@ int handle_sys_enter_linkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LINKAT)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7638,6 +8547,9 @@ int handle_sys_exit_linkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7661,6 +8573,9 @@ int handle_sys_enter_link(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LINK)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7685,6 +8600,9 @@ int handle_sys_exit_link(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7708,6 +8626,9 @@ int handle_sys_enter_renameat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAMEAT2)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7732,6 +8653,9 @@ int handle_sys_exit_renameat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RENAMEAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7755,6 +8679,9 @@ int handle_sys_enter_renameat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAMEAT)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7779,6 +8706,9 @@ int handle_sys_exit_renameat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RENAMEAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7802,6 +8732,9 @@ int handle_sys_enter_rename(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RENAME)) + return 0; + struct name_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct name_event), 0); if (!ev) return 0; @@ -7826,6 +8759,9 @@ int handle_sys_exit_rename(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RENAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -7849,6 +8785,9 @@ int handle_sys_enter_pipe2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIPE2)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7878,6 +8817,9 @@ int handle_sys_exit_pipe2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIPE2, ctx->ret)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7918,6 +8860,9 @@ int handle_sys_enter_pipe(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIPE)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7947,6 +8892,9 @@ int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIPE, ctx->ret)) + return 0; + struct pipe_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct pipe_event), 0); if (!ev) return 0; @@ -7987,6 +8935,9 @@ int handle_sys_enter_execve(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVE)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8010,6 +8961,9 @@ int handle_sys_exit_execve(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXECVE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8033,6 +8987,9 @@ int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVEAT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8055,6 +9012,9 @@ int handle_sys_exit_execveat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXECVEAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8078,6 +9038,9 @@ int handle_sys_enter_newstat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWSTAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8101,6 +9064,9 @@ int handle_sys_exit_newstat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWSTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8124,6 +9090,9 @@ int handle_sys_enter_newlstat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWLSTAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8147,6 +9116,9 @@ int handle_sys_exit_newlstat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWLSTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8170,6 +9142,9 @@ int handle_sys_enter_newfstatat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWFSTATAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8193,6 +9168,9 @@ int handle_sys_exit_newfstatat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWFSTATAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8216,6 +9194,9 @@ int handle_sys_enter_newfstat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWFSTAT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8238,6 +9219,9 @@ int handle_sys_exit_newfstat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWFSTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8261,6 +9245,9 @@ int handle_sys_enter_readlinkat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READLINKAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8284,6 +9271,9 @@ int handle_sys_exit_readlinkat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READLINKAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8307,6 +9297,9 @@ int handle_sys_enter_readlink(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READLINK)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8330,6 +9323,9 @@ int handle_sys_exit_readlink(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READLINK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8353,6 +9349,9 @@ int handle_sys_enter_statx(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_STATX)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -8376,6 +9375,9 @@ int handle_sys_exit_statx(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_STATX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8399,6 +9401,9 @@ int handle_sys_enter_lseek(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LSEEK)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8421,6 +9426,9 @@ int handle_sys_exit_lseek(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LSEEK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8444,6 +9452,9 @@ int handle_sys_enter_read(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READ)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8466,6 +9477,9 @@ int handle_sys_exit_read(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READ, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8489,6 +9503,9 @@ int handle_sys_enter_write(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WRITE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8511,6 +9528,9 @@ int handle_sys_exit_write(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WRITE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8534,6 +9554,9 @@ int handle_sys_enter_pread64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PREAD64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8556,6 +9579,9 @@ int handle_sys_exit_pread64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PREAD64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8579,6 +9605,9 @@ int handle_sys_enter_pwrite64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PWRITE64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8601,6 +9630,9 @@ int handle_sys_exit_pwrite64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PWRITE64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8624,6 +9656,9 @@ int handle_sys_enter_readv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8646,6 +9681,9 @@ int handle_sys_exit_readv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8669,6 +9707,9 @@ int handle_sys_enter_writev(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WRITEV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8691,6 +9732,9 @@ int handle_sys_exit_writev(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WRITEV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8714,6 +9758,9 @@ int handle_sys_enter_preadv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PREADV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8736,6 +9783,9 @@ int handle_sys_exit_preadv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PREADV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8759,6 +9809,9 @@ int handle_sys_enter_preadv2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PREADV2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8781,6 +9834,9 @@ int handle_sys_exit_preadv2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PREADV2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8804,6 +9860,9 @@ int handle_sys_enter_pwritev(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PWRITEV)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8826,6 +9885,9 @@ int handle_sys_exit_pwritev(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PWRITEV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8849,6 +9911,9 @@ int handle_sys_enter_pwritev2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PWRITEV2)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8871,6 +9936,9 @@ int handle_sys_exit_pwritev2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PWRITEV2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8894,6 +9962,9 @@ int handle_sys_enter_sendfile64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SENDFILE64)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -8915,6 +9986,9 @@ int handle_sys_exit_sendfile64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SENDFILE64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8938,6 +10012,9 @@ int handle_sys_enter_copy_file_range(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_COPY_FILE_RANGE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -8960,6 +10037,9 @@ int handle_sys_exit_copy_file_range(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_COPY_FILE_RANGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -8983,6 +10063,9 @@ int handle_sys_enter_truncate(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TRUNCATE)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9006,6 +10089,9 @@ int handle_sys_exit_truncate(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TRUNCATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9029,6 +10115,9 @@ int handle_sys_enter_ftruncate(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FTRUNCATE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9051,6 +10140,9 @@ int handle_sys_exit_ftruncate(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FTRUNCATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9074,6 +10166,9 @@ int handle_sys_enter_fallocate(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FALLOCATE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9096,6 +10191,9 @@ int handle_sys_exit_fallocate(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FALLOCATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9119,6 +10217,9 @@ int handle_sys_enter_faccessat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FACCESSAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9142,6 +10243,9 @@ int handle_sys_exit_faccessat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FACCESSAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9165,6 +10269,9 @@ int handle_sys_enter_faccessat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FACCESSAT2)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9188,6 +10295,9 @@ int handle_sys_exit_faccessat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FACCESSAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9211,6 +10321,9 @@ int handle_sys_enter_access(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCESS)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9234,6 +10347,9 @@ int handle_sys_exit_access(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCESS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9257,6 +10373,9 @@ int handle_sys_enter_chdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHDIR)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9280,6 +10399,9 @@ int handle_sys_exit_chdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9303,6 +10425,9 @@ int handle_sys_enter_fchdir(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHDIR)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9325,6 +10450,9 @@ int handle_sys_exit_fchdir(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHDIR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9348,6 +10476,9 @@ int handle_sys_enter_chroot(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHROOT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9371,6 +10502,9 @@ int handle_sys_exit_chroot(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHROOT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9394,6 +10528,9 @@ int handle_sys_enter_fchmod(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHMOD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9416,6 +10553,9 @@ int handle_sys_exit_fchmod(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHMOD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9439,6 +10579,9 @@ int handle_sys_enter_fchmodat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHMODAT2)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9462,6 +10605,9 @@ int handle_sys_exit_fchmodat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHMODAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9485,6 +10631,9 @@ int handle_sys_enter_fchmodat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHMODAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9508,6 +10657,9 @@ int handle_sys_exit_fchmodat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHMODAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9531,6 +10683,9 @@ int handle_sys_enter_chmod(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHMOD)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9554,6 +10709,9 @@ int handle_sys_exit_chmod(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHMOD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9577,6 +10735,9 @@ int handle_sys_enter_fchownat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHOWNAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9600,6 +10761,9 @@ int handle_sys_exit_fchownat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHOWNAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9623,6 +10787,9 @@ int handle_sys_enter_chown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CHOWN)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9646,6 +10813,9 @@ int handle_sys_exit_chown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CHOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9669,6 +10839,9 @@ int handle_sys_enter_lchown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LCHOWN)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9692,6 +10865,9 @@ int handle_sys_exit_lchown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LCHOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9715,6 +10891,9 @@ int handle_sys_enter_fchown(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FCHOWN)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9737,6 +10916,9 @@ int handle_sys_exit_fchown(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FCHOWN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9760,6 +10942,9 @@ int handle_sys_enter_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPEN)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -9785,6 +10970,9 @@ int handle_sys_exit_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9808,6 +10996,9 @@ int handle_sys_enter_openat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPENAT)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -9833,6 +11024,9 @@ int handle_sys_exit_openat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPENAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9856,6 +11050,9 @@ int handle_sys_enter_openat2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_OPENAT2)) + return 0; + struct open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_event), 0); if (!ev) return 0; @@ -9881,6 +11078,9 @@ int handle_sys_exit_openat2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_OPENAT2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9904,6 +11104,9 @@ int handle_sys_enter_creat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CREAT)) + return 0; + struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0); if (!ev) return 0; @@ -9927,6 +11130,9 @@ int handle_sys_exit_creat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CREAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9950,6 +11156,9 @@ int handle_sys_enter_close(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOSE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -9972,6 +11181,9 @@ int handle_sys_exit_close(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOSE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -9995,6 +11207,9 @@ int handle_sys_enter_vhangup(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_VHANGUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10016,6 +11231,9 @@ int handle_sys_exit_vhangup(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_VHANGUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10039,6 +11257,9 @@ int handle_sys_enter_memfd_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMFD_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10060,6 +11281,9 @@ int handle_sys_exit_memfd_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MEMFD_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10083,6 +11307,9 @@ int handle_sys_enter_memfd_secret(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMFD_SECRET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10104,6 +11331,9 @@ int handle_sys_exit_memfd_secret(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MEMFD_SECRET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10127,6 +11357,9 @@ int handle_sys_enter_move_pages(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MOVE_PAGES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10148,6 +11381,9 @@ int handle_sys_exit_move_pages(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MOVE_PAGES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10171,6 +11407,9 @@ int handle_sys_enter_set_mempolicy_home_node(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_MEMPOLICY_HOME_NODE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10192,6 +11431,9 @@ int handle_sys_exit_set_mempolicy_home_node(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_MEMPOLICY_HOME_NODE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10215,6 +11457,9 @@ int handle_sys_enter_mbind(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MBIND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10236,6 +11481,9 @@ int handle_sys_exit_mbind(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MBIND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10259,6 +11507,9 @@ int handle_sys_enter_set_mempolicy(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_MEMPOLICY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10280,6 +11531,9 @@ int handle_sys_exit_set_mempolicy(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_MEMPOLICY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10303,6 +11557,9 @@ int handle_sys_enter_migrate_pages(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MIGRATE_PAGES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10324,6 +11581,9 @@ int handle_sys_exit_migrate_pages(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MIGRATE_PAGES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10347,6 +11607,9 @@ int handle_sys_enter_get_mempolicy(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GET_MEMPOLICY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10368,6 +11631,9 @@ int handle_sys_exit_get_mempolicy(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GET_MEMPOLICY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10391,6 +11657,9 @@ int handle_sys_enter_swapoff(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SWAPOFF)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10412,6 +11681,9 @@ int handle_sys_exit_swapoff(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SWAPOFF, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10435,6 +11707,9 @@ int handle_sys_enter_swapon(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SWAPON)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10456,6 +11731,9 @@ int handle_sys_exit_swapon(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SWAPON, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10479,6 +11757,9 @@ int handle_sys_enter_madvise(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MADVISE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10500,6 +11781,9 @@ int handle_sys_exit_madvise(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MADVISE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10523,6 +11807,9 @@ int handle_sys_enter_process_madvise(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_MADVISE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10544,6 +11831,9 @@ int handle_sys_exit_process_madvise(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_MADVISE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10567,6 +11857,9 @@ int handle_sys_enter_mseal(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSEAL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10588,6 +11881,9 @@ int handle_sys_exit_mseal(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSEAL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10611,6 +11907,9 @@ int handle_sys_enter_process_vm_readv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_VM_READV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10632,6 +11931,9 @@ int handle_sys_exit_process_vm_readv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_VM_READV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10655,6 +11957,9 @@ int handle_sys_enter_process_vm_writev(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_VM_WRITEV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10676,6 +11981,9 @@ int handle_sys_exit_process_vm_writev(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_VM_WRITEV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10699,6 +12007,9 @@ int handle_sys_enter_msync(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MSYNC)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10720,6 +12031,9 @@ int handle_sys_exit_msync(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MSYNC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10743,6 +12057,9 @@ int handle_sys_enter_mremap(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MREMAP)) + return 0; + struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; @@ -10768,6 +12085,9 @@ int handle_sys_exit_mremap(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MREMAP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10791,6 +12111,9 @@ int handle_sys_enter_mprotect(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MPROTECT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10812,6 +12135,9 @@ int handle_sys_exit_mprotect(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MPROTECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10835,6 +12161,9 @@ int handle_sys_enter_pkey_mprotect(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_MPROTECT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10856,6 +12185,9 @@ int handle_sys_exit_pkey_mprotect(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PKEY_MPROTECT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10879,6 +12211,9 @@ int handle_sys_enter_pkey_alloc(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_ALLOC)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10900,6 +12235,9 @@ int handle_sys_exit_pkey_alloc(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PKEY_ALLOC, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10923,6 +12261,9 @@ int handle_sys_enter_pkey_free(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PKEY_FREE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10944,6 +12285,9 @@ int handle_sys_exit_pkey_free(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PKEY_FREE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -10967,6 +12311,9 @@ int handle_sys_enter_brk(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_BRK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -10988,6 +12335,9 @@ int handle_sys_exit_brk(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_BRK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11011,6 +12361,9 @@ int handle_sys_enter_munmap(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNMAP)) + return 0; + struct mem_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct mem_event), 0); if (!ev) return 0; @@ -11036,6 +12389,9 @@ int handle_sys_exit_munmap(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MUNMAP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11059,6 +12415,9 @@ int handle_sys_enter_remap_file_pages(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REMAP_FILE_PAGES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11080,6 +12439,9 @@ int handle_sys_exit_remap_file_pages(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REMAP_FILE_PAGES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11103,6 +12465,9 @@ int handle_sys_enter_mlock(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11124,6 +12489,9 @@ int handle_sys_exit_mlock(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MLOCK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11147,6 +12515,9 @@ int handle_sys_enter_mlock2(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCK2)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11168,6 +12539,9 @@ int handle_sys_exit_mlock2(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MLOCK2, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11191,6 +12565,9 @@ int handle_sys_enter_munlock(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11212,6 +12589,9 @@ int handle_sys_exit_munlock(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MUNLOCK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11235,6 +12615,9 @@ int handle_sys_enter_mlockall(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MLOCKALL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11256,6 +12639,9 @@ int handle_sys_exit_mlockall(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MLOCKALL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11279,6 +12665,9 @@ int handle_sys_enter_munlockall(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MUNLOCKALL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11300,6 +12689,9 @@ int handle_sys_exit_munlockall(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MUNLOCKALL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11323,6 +12715,9 @@ int handle_sys_enter_mincore(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MINCORE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11344,6 +12739,9 @@ int handle_sys_exit_mincore(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MINCORE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11367,6 +12765,9 @@ int handle_sys_enter_readahead(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_READAHEAD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -11389,6 +12790,9 @@ int handle_sys_exit_readahead(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_READAHEAD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11412,6 +12816,9 @@ int handle_sys_enter_fadvise64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FADVISE64)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -11434,6 +12841,9 @@ int handle_sys_exit_fadvise64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FADVISE64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11457,6 +12867,9 @@ int handle_sys_enter_process_mrelease(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PROCESS_MRELEASE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11478,6 +12891,9 @@ int handle_sys_exit_process_mrelease(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PROCESS_MRELEASE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11501,6 +12917,9 @@ int handle_sys_enter_cachestat(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CACHESTAT)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -11523,6 +12942,9 @@ int handle_sys_exit_cachestat(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CACHESTAT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11546,6 +12968,9 @@ int handle_sys_enter_rseq(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RSEQ)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11567,6 +12992,9 @@ int handle_sys_exit_rseq(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RSEQ, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11590,6 +13018,9 @@ int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PERF_EVENT_OPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11611,6 +13042,9 @@ int handle_sys_exit_perf_event_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PERF_EVENT_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11634,6 +13068,9 @@ int handle_sys_enter_bpf(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_BPF)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11655,6 +13092,9 @@ int handle_sys_exit_bpf(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_BPF, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11678,6 +13118,9 @@ int handle_sys_enter_seccomp(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SECCOMP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11699,6 +13142,9 @@ int handle_sys_exit_seccomp(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SECCOMP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11722,6 +13168,9 @@ int handle_sys_enter_kexec_file_load(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_FILE_LOAD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11743,6 +13192,9 @@ int handle_sys_exit_kexec_file_load(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KEXEC_FILE_LOAD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11766,6 +13218,9 @@ int handle_sys_enter_kexec_load(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KEXEC_LOAD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11787,6 +13242,9 @@ int handle_sys_exit_kexec_load(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KEXEC_LOAD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11810,6 +13268,9 @@ int handle_sys_enter_acct(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ACCT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11831,6 +13292,9 @@ int handle_sys_exit_acct(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ACCT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11854,6 +13318,9 @@ int handle_sys_enter_set_robust_list(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_ROBUST_LIST)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11875,6 +13342,9 @@ int handle_sys_exit_set_robust_list(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_ROBUST_LIST, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11898,6 +13368,9 @@ int handle_sys_enter_get_robust_list(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GET_ROBUST_LIST)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11919,6 +13392,9 @@ int handle_sys_exit_get_robust_list(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GET_ROBUST_LIST, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11942,6 +13418,9 @@ int handle_sys_enter_futex(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -11963,6 +13442,9 @@ int handle_sys_exit_futex(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -11986,6 +13468,9 @@ int handle_sys_enter_futex_waitv(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAITV)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12007,6 +13492,9 @@ int handle_sys_exit_futex_waitv(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_WAITV, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12030,6 +13518,9 @@ int handle_sys_enter_futex_wake(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAKE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12051,6 +13542,9 @@ int handle_sys_exit_futex_wake(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_WAKE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12074,6 +13568,9 @@ int handle_sys_enter_futex_wait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_WAIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12095,6 +13592,9 @@ int handle_sys_exit_futex_wait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_WAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12118,6 +13618,9 @@ int handle_sys_enter_futex_requeue(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FUTEX_REQUEUE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12139,6 +13642,9 @@ int handle_sys_exit_futex_requeue(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FUTEX_REQUEUE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12162,6 +13668,9 @@ int handle_sys_enter_getitimer(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETITIMER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12183,6 +13692,9 @@ int handle_sys_exit_getitimer(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETITIMER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12206,6 +13718,9 @@ int handle_sys_enter_alarm(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ALARM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12227,6 +13742,9 @@ int handle_sys_exit_alarm(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ALARM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12250,6 +13768,9 @@ int handle_sys_enter_setitimer(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETITIMER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12271,6 +13792,9 @@ int handle_sys_exit_setitimer(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETITIMER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12294,6 +13818,9 @@ int handle_sys_enter_timer_create(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_CREATE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12315,6 +13842,9 @@ int handle_sys_exit_timer_create(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_CREATE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12338,6 +13868,9 @@ int handle_sys_enter_timer_gettime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_GETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12359,6 +13892,9 @@ int handle_sys_exit_timer_gettime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_GETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12382,6 +13918,9 @@ int handle_sys_enter_timer_getoverrun(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_GETOVERRUN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12403,6 +13942,9 @@ int handle_sys_exit_timer_getoverrun(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_GETOVERRUN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12426,6 +13968,9 @@ int handle_sys_enter_timer_settime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_SETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12447,6 +13992,9 @@ int handle_sys_exit_timer_settime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_SETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12470,6 +14018,9 @@ int handle_sys_enter_timer_delete(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMER_DELETE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12491,6 +14042,9 @@ int handle_sys_exit_timer_delete(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMER_DELETE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12514,6 +14068,9 @@ int handle_sys_enter_clock_settime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_SETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12535,6 +14092,9 @@ int handle_sys_exit_clock_settime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_SETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12558,6 +14118,9 @@ int handle_sys_enter_clock_gettime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_GETTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12579,6 +14142,9 @@ int handle_sys_exit_clock_gettime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_GETTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12602,6 +14168,9 @@ int handle_sys_enter_clock_adjtime(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_ADJTIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12623,6 +14192,9 @@ int handle_sys_exit_clock_adjtime(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_ADJTIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12646,6 +14218,9 @@ int handle_sys_enter_clock_getres(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_GETRES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12667,6 +14242,9 @@ int handle_sys_exit_clock_getres(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_GETRES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12690,6 +14268,9 @@ int handle_sys_enter_clock_nanosleep(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLOCK_NANOSLEEP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12711,6 +14292,9 @@ int handle_sys_exit_clock_nanosleep(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLOCK_NANOSLEEP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12734,6 +14318,9 @@ int handle_sys_enter_nanosleep(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NANOSLEEP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12755,6 +14342,9 @@ int handle_sys_exit_nanosleep(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NANOSLEEP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12778,6 +14368,9 @@ int handle_sys_enter_time(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12799,6 +14392,9 @@ int handle_sys_exit_time(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12822,6 +14418,9 @@ int handle_sys_enter_gettimeofday(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETTIMEOFDAY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12843,6 +14442,9 @@ int handle_sys_exit_gettimeofday(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETTIMEOFDAY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12866,6 +14468,9 @@ int handle_sys_enter_settimeofday(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETTIMEOFDAY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12887,6 +14492,9 @@ int handle_sys_exit_settimeofday(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETTIMEOFDAY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12910,6 +14518,9 @@ int handle_sys_enter_adjtimex(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ADJTIMEX)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12931,6 +14542,9 @@ int handle_sys_exit_adjtimex(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ADJTIMEX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12954,6 +14568,9 @@ int handle_sys_enter_kcmp(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KCMP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -12975,6 +14592,9 @@ int handle_sys_exit_kcmp(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KCMP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -12998,6 +14618,9 @@ int handle_sys_enter_delete_module(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_DELETE_MODULE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13019,6 +14642,9 @@ int handle_sys_exit_delete_module(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_DELETE_MODULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13042,6 +14668,9 @@ int handle_sys_enter_init_module(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_INIT_MODULE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13063,6 +14692,9 @@ int handle_sys_exit_init_module(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_INIT_MODULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13086,6 +14718,9 @@ int handle_sys_enter_finit_module(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FINIT_MODULE)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -13108,6 +14743,9 @@ int handle_sys_exit_finit_module(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FINIT_MODULE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13131,6 +14769,9 @@ int handle_sys_enter_syslog(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSLOG)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13152,6 +14793,9 @@ int handle_sys_exit_syslog(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYSLOG, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13175,6 +14819,9 @@ int handle_sys_enter_membarrier(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MEMBARRIER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13196,6 +14843,9 @@ int handle_sys_exit_membarrier(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MEMBARRIER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13219,6 +14869,9 @@ int handle_sys_enter_sched_setscheduler(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETSCHEDULER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13240,6 +14893,9 @@ int handle_sys_exit_sched_setscheduler(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETSCHEDULER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13263,6 +14919,9 @@ int handle_sys_enter_sched_setparam(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETPARAM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13284,6 +14943,9 @@ int handle_sys_exit_sched_setparam(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETPARAM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13307,6 +14969,9 @@ int handle_sys_enter_sched_setattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13328,6 +14993,9 @@ int handle_sys_exit_sched_setattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13351,6 +15019,9 @@ int handle_sys_enter_sched_getscheduler(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETSCHEDULER)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13372,6 +15043,9 @@ int handle_sys_exit_sched_getscheduler(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETSCHEDULER, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13395,6 +15069,9 @@ int handle_sys_enter_sched_getparam(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETPARAM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13416,6 +15093,9 @@ int handle_sys_exit_sched_getparam(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETPARAM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13439,6 +15119,9 @@ int handle_sys_enter_sched_getattr(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETATTR)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13460,6 +15143,9 @@ int handle_sys_exit_sched_getattr(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETATTR, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13483,6 +15169,9 @@ int handle_sys_enter_sched_setaffinity(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_SETAFFINITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13504,6 +15193,9 @@ int handle_sys_exit_sched_setaffinity(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_SETAFFINITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13527,6 +15219,9 @@ int handle_sys_enter_sched_getaffinity(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GETAFFINITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13548,6 +15243,9 @@ int handle_sys_exit_sched_getaffinity(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GETAFFINITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13571,6 +15269,9 @@ int handle_sys_enter_sched_yield(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_YIELD)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13592,6 +15293,9 @@ int handle_sys_exit_sched_yield(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_YIELD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13615,6 +15319,9 @@ int handle_sys_enter_sched_get_priority_max(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GET_PRIORITY_MAX)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13636,6 +15343,9 @@ int handle_sys_exit_sched_get_priority_max(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GET_PRIORITY_MAX, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13659,6 +15369,9 @@ int handle_sys_enter_sched_get_priority_min(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_GET_PRIORITY_MIN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13680,6 +15393,9 @@ int handle_sys_exit_sched_get_priority_min(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_GET_PRIORITY_MIN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13703,6 +15419,9 @@ int handle_sys_enter_sched_rr_get_interval(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SCHED_RR_GET_INTERVAL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13724,6 +15443,9 @@ int handle_sys_exit_sched_rr_get_interval(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SCHED_RR_GET_INTERVAL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13747,6 +15469,9 @@ int handle_sys_enter_getgroups(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETGROUPS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13768,6 +15493,9 @@ int handle_sys_exit_getgroups(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETGROUPS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13791,6 +15519,9 @@ int handle_sys_enter_setgroups(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETGROUPS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13812,6 +15543,9 @@ int handle_sys_exit_setgroups(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETGROUPS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13835,6 +15569,9 @@ int handle_sys_enter_reboot(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_REBOOT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13856,6 +15593,9 @@ int handle_sys_exit_reboot(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_REBOOT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13879,6 +15619,9 @@ int handle_sys_enter_listns(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_LISTNS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13900,6 +15643,9 @@ int handle_sys_exit_listns(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_LISTNS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13923,6 +15669,9 @@ int handle_sys_enter_setns(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETNS)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -13945,6 +15694,9 @@ int handle_sys_exit_setns(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETNS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -13968,6 +15720,9 @@ int handle_sys_enter_pidfd_open(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_OPEN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -13989,6 +15744,9 @@ int handle_sys_exit_pidfd_open(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_OPEN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14012,6 +15770,9 @@ int handle_sys_enter_pidfd_getfd(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_GETFD)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -14034,6 +15795,9 @@ int handle_sys_exit_pidfd_getfd(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_GETFD, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14057,6 +15821,9 @@ int handle_sys_enter_setpriority(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETPRIORITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14078,6 +15845,9 @@ int handle_sys_exit_setpriority(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETPRIORITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14101,6 +15871,9 @@ int handle_sys_enter_getpriority(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPRIORITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14122,6 +15895,9 @@ int handle_sys_exit_getpriority(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPRIORITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14145,6 +15921,9 @@ int handle_sys_enter_setregid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETREGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14166,6 +15945,9 @@ int handle_sys_exit_setregid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETREGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14189,6 +15971,9 @@ int handle_sys_enter_setgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14210,6 +15995,9 @@ int handle_sys_exit_setgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14233,6 +16021,9 @@ int handle_sys_enter_setreuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETREUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14254,6 +16045,9 @@ int handle_sys_exit_setreuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETREUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14277,6 +16071,9 @@ int handle_sys_enter_setuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14298,6 +16095,9 @@ int handle_sys_exit_setuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14321,6 +16121,9 @@ int handle_sys_enter_setresuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRESUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14342,6 +16145,9 @@ int handle_sys_exit_setresuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETRESUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14365,6 +16171,9 @@ int handle_sys_enter_getresuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRESUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14386,6 +16195,9 @@ int handle_sys_exit_getresuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRESUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14409,6 +16221,9 @@ int handle_sys_enter_setresgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRESGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14430,6 +16245,9 @@ int handle_sys_exit_setresgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETRESGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14453,6 +16271,9 @@ int handle_sys_enter_getresgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRESGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14474,6 +16295,9 @@ int handle_sys_exit_getresgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRESGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14497,6 +16321,9 @@ int handle_sys_enter_setfsuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETFSUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14518,6 +16345,9 @@ int handle_sys_exit_setfsuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETFSUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14541,6 +16371,9 @@ int handle_sys_enter_setfsgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETFSGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14562,6 +16395,9 @@ int handle_sys_exit_setfsgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETFSGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14585,6 +16421,9 @@ int handle_sys_enter_getpid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14606,6 +16445,9 @@ int handle_sys_exit_getpid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14629,6 +16471,9 @@ int handle_sys_enter_gettid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETTID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14650,6 +16495,9 @@ int handle_sys_exit_gettid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETTID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14673,6 +16521,9 @@ int handle_sys_enter_getppid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPPID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14694,6 +16545,9 @@ int handle_sys_exit_getppid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPPID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14717,6 +16571,9 @@ int handle_sys_enter_getuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14738,6 +16595,9 @@ int handle_sys_exit_getuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14761,6 +16621,9 @@ int handle_sys_enter_geteuid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETEUID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14782,6 +16645,9 @@ int handle_sys_exit_geteuid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETEUID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14805,6 +16671,9 @@ int handle_sys_enter_getgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14826,6 +16695,9 @@ int handle_sys_exit_getgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14849,6 +16721,9 @@ int handle_sys_enter_getegid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETEGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14870,6 +16745,9 @@ int handle_sys_exit_getegid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETEGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14893,6 +16771,9 @@ int handle_sys_enter_times(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TIMES)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14914,6 +16795,9 @@ int handle_sys_exit_times(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TIMES, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14937,6 +16821,9 @@ int handle_sys_enter_setpgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETPGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -14958,6 +16845,9 @@ int handle_sys_exit_setpgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETPGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -14981,6 +16871,9 @@ int handle_sys_enter_getpgid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPGID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15002,6 +16895,9 @@ int handle_sys_exit_getpgid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPGID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15025,6 +16921,9 @@ int handle_sys_enter_getpgrp(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETPGRP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15046,6 +16945,9 @@ int handle_sys_exit_getpgrp(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETPGRP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15069,6 +16971,9 @@ int handle_sys_enter_getsid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETSID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15090,6 +16995,9 @@ int handle_sys_exit_getsid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETSID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15113,6 +17021,9 @@ int handle_sys_enter_setsid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETSID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15134,6 +17045,9 @@ int handle_sys_exit_setsid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETSID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15157,6 +17071,9 @@ int handle_sys_enter_newuname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_NEWUNAME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15178,6 +17095,9 @@ int handle_sys_exit_newuname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_NEWUNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15201,6 +17121,9 @@ int handle_sys_enter_sethostname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETHOSTNAME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15222,6 +17145,9 @@ int handle_sys_exit_sethostname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETHOSTNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15245,6 +17171,9 @@ int handle_sys_enter_setdomainname(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETDOMAINNAME)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15266,6 +17195,9 @@ int handle_sys_exit_setdomainname(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETDOMAINNAME, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15289,6 +17221,9 @@ int handle_sys_enter_getrlimit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRLIMIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15310,6 +17245,9 @@ int handle_sys_exit_getrlimit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRLIMIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15333,6 +17271,9 @@ int handle_sys_enter_prlimit64(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PRLIMIT64)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15354,6 +17295,9 @@ int handle_sys_exit_prlimit64(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PRLIMIT64, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15377,6 +17321,9 @@ int handle_sys_enter_setrlimit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SETRLIMIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15398,6 +17345,9 @@ int handle_sys_exit_setrlimit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SETRLIMIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15421,6 +17371,9 @@ int handle_sys_enter_getrusage(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETRUSAGE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15442,6 +17395,9 @@ int handle_sys_exit_getrusage(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETRUSAGE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15465,6 +17421,9 @@ int handle_sys_enter_umask(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UMASK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15486,6 +17445,9 @@ int handle_sys_exit_umask(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UMASK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15509,6 +17471,9 @@ int handle_sys_enter_prctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PRCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15530,6 +17495,9 @@ int handle_sys_exit_prctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PRCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15553,6 +17521,9 @@ int handle_sys_enter_getcpu(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_GETCPU)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15574,6 +17545,9 @@ int handle_sys_exit_getcpu(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_GETCPU, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15597,6 +17571,9 @@ int handle_sys_enter_sysinfo(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SYSINFO)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15618,6 +17595,9 @@ int handle_sys_exit_sysinfo(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SYSINFO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15641,6 +17621,9 @@ int handle_sys_enter_restart_syscall(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RESTART_SYSCALL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15662,6 +17645,9 @@ int handle_sys_exit_restart_syscall(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RESTART_SYSCALL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15685,6 +17671,9 @@ int handle_sys_enter_rt_sigprocmask(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGPROCMASK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15706,6 +17695,9 @@ int handle_sys_exit_rt_sigprocmask(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGPROCMASK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15729,6 +17721,9 @@ int handle_sys_enter_rt_sigpending(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGPENDING)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15750,6 +17745,9 @@ int handle_sys_exit_rt_sigpending(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGPENDING, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15773,6 +17771,9 @@ int handle_sys_enter_rt_sigtimedwait(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGTIMEDWAIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15794,6 +17795,9 @@ int handle_sys_exit_rt_sigtimedwait(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGTIMEDWAIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15817,6 +17821,9 @@ int handle_sys_enter_kill(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_KILL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15838,6 +17845,9 @@ int handle_sys_exit_kill(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_KILL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15861,6 +17871,9 @@ int handle_sys_enter_pidfd_send_signal(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PIDFD_SEND_SIGNAL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15882,6 +17895,9 @@ int handle_sys_exit_pidfd_send_signal(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PIDFD_SEND_SIGNAL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15905,6 +17921,9 @@ int handle_sys_enter_tgkill(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TGKILL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15926,6 +17945,9 @@ int handle_sys_exit_tgkill(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TGKILL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15949,6 +17971,9 @@ int handle_sys_enter_tkill(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_TKILL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -15970,6 +17995,9 @@ int handle_sys_exit_tkill(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_TKILL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -15993,6 +18021,9 @@ int handle_sys_enter_rt_sigqueueinfo(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGQUEUEINFO)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16014,6 +18045,9 @@ int handle_sys_exit_rt_sigqueueinfo(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGQUEUEINFO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16037,6 +18071,9 @@ int handle_sys_enter_rt_tgsigqueueinfo(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_TGSIGQUEUEINFO)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16058,6 +18095,9 @@ int handle_sys_exit_rt_tgsigqueueinfo(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_TGSIGQUEUEINFO, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16081,6 +18121,9 @@ int handle_sys_enter_sigaltstack(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SIGALTSTACK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16102,6 +18145,9 @@ int handle_sys_exit_sigaltstack(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SIGALTSTACK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16125,6 +18171,9 @@ int handle_sys_enter_rt_sigaction(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGACTION)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16146,6 +18195,9 @@ int handle_sys_exit_rt_sigaction(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGACTION, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16169,6 +18221,9 @@ int handle_sys_enter_pause(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PAUSE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16190,6 +18245,9 @@ int handle_sys_exit_pause(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PAUSE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16213,6 +18271,9 @@ int handle_sys_enter_rt_sigsuspend(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGSUSPEND)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16234,6 +18295,9 @@ int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGSUSPEND, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16257,6 +18321,9 @@ int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PTRACE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16278,6 +18345,9 @@ int handle_sys_exit_ptrace(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PTRACE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16301,6 +18371,9 @@ int handle_sys_enter_capget(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CAPGET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16322,6 +18395,9 @@ int handle_sys_exit_capget(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CAPGET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16345,6 +18421,9 @@ int handle_sys_enter_capset(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CAPSET)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16366,6 +18445,9 @@ int handle_sys_exit_capset(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CAPSET, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16389,6 +18471,9 @@ int handle_sys_enter_exit(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXIT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16410,6 +18495,9 @@ int handle_sys_exit_exit(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXIT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16433,6 +18521,9 @@ int handle_sys_enter_exit_group(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_EXIT_GROUP)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16454,6 +18545,9 @@ int handle_sys_exit_exit_group(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_EXIT_GROUP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16477,6 +18571,9 @@ int handle_sys_enter_waitid(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WAITID)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16498,6 +18595,9 @@ int handle_sys_exit_waitid(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WAITID, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16521,6 +18621,9 @@ int handle_sys_enter_wait4(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_WAIT4)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16542,6 +18645,9 @@ int handle_sys_exit_wait4(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_WAIT4, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16565,6 +18671,9 @@ int handle_sys_enter_personality(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_PERSONALITY)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16586,6 +18695,9 @@ int handle_sys_exit_personality(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_PERSONALITY, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16609,6 +18721,9 @@ int handle_sys_enter_set_tid_address(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_SET_TID_ADDRESS)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16630,6 +18745,9 @@ int handle_sys_exit_set_tid_address(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_SET_TID_ADDRESS, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16653,6 +18771,9 @@ int handle_sys_enter_fork(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_FORK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16674,6 +18795,9 @@ int handle_sys_exit_fork(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_FORK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16697,6 +18821,9 @@ int handle_sys_enter_vfork(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_VFORK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16718,6 +18845,9 @@ int handle_sys_exit_vfork(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_VFORK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16741,6 +18871,9 @@ int handle_sys_enter_clone(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLONE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16762,6 +18895,9 @@ int handle_sys_exit_clone(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLONE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16785,6 +18921,9 @@ int handle_sys_enter_clone3(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_CLONE3)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16806,6 +18945,9 @@ int handle_sys_exit_clone3(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_CLONE3, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16829,6 +18971,9 @@ int handle_sys_enter_unshare(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UNSHARE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16850,6 +18995,9 @@ int handle_sys_exit_unshare(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UNSHARE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16873,6 +19021,9 @@ int handle_sys_enter_map_shadow_stack(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MAP_SHADOW_STACK)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16894,6 +19045,9 @@ int handle_sys_exit_map_shadow_stack(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MAP_SHADOW_STACK, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16917,6 +19071,9 @@ int handle_sys_enter_uretprobe(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_URETPROBE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16938,6 +19095,9 @@ int handle_sys_exit_uretprobe(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_URETPROBE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -16961,6 +19121,9 @@ int handle_sys_enter_uprobe(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_UPROBE)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -16982,6 +19145,9 @@ int handle_sys_exit_uprobe(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_UPROBE, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17005,6 +19171,9 @@ int handle_sys_enter_arch_prctl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_ARCH_PRCTL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17026,6 +19195,9 @@ int handle_sys_exit_arch_prctl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_ARCH_PRCTL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17049,6 +19221,9 @@ int handle_sys_enter_mmap(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MMAP)) + return 0; + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); if (!ev) return 0; @@ -17071,6 +19246,9 @@ int handle_sys_exit_mmap(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MMAP, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17094,6 +19272,9 @@ int handle_sys_enter_modify_ldt(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_MODIFY_LDT)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17115,6 +19296,9 @@ int handle_sys_exit_modify_ldt(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_MODIFY_LDT, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17138,6 +19322,9 @@ int handle_sys_enter_ioperm(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPERM)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17159,6 +19346,9 @@ int handle_sys_exit_ioperm(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPERM, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17182,6 +19372,9 @@ int handle_sys_enter_iopl(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_IOPL)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17203,6 +19396,9 @@ int handle_sys_exit_iopl(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_IOPL, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; @@ -17226,6 +19422,9 @@ int handle_sys_enter_rt_sigreturn(struct syscall_trace_enter *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_enter(tid, SYS_ENTER_RT_SIGRETURN)) + return 0; + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); if (!ev) return 0; @@ -17247,6 +19446,9 @@ int handle_sys_exit_rt_sigreturn(struct syscall_trace_exit *ctx) { if (filter(&pid, &tid)) return 0; + if (!ior_on_syscall_exit(tid, SYS_EXIT_RT_SIGRETURN, ctx->ret)) + return 0; + struct ret_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ret_event), 0); if (!ev) return 0; diff --git a/internal/c/maps.h b/internal/c/maps.h index 665e4ff..79a1367 100644 --- a/internal/c/maps.h +++ b/internal/c/maps.h @@ -5,6 +5,21 @@ struct { __uint(max_entries, 1 << 24); } event_map SEC(".maps"); +struct syscall_enter_state { + __u64 start_ns; + __u32 enter_trace_id; + __u8 emit_event; +}; + +struct syscall_aggregate { + __u64 count; + __u64 errors; + __u64 total_duration_ns; + __u64 min_duration_ns; + __u64 max_duration_ns; + __u64 duration_histogram[8]; +}; + struct socketpair_ctx { __u64 usockvec; __s32 family; @@ -37,3 +52,24 @@ struct { __type(key, __u32); __type(value, __s32); } eventfd_flags_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 32768); + __type(key, __u32); + __type(value, struct syscall_enter_state); +} syscall_enter_state_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 4096); + __type(key, __u32); + __type(value, struct syscall_aggregate); +} syscall_aggregate_map SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 4096); + __type(key, __u32); + __type(value, __u32); +} syscall_sampling_rate_map SEC(".maps"); diff --git a/internal/eventloop.go b/internal/eventloop.go index 0fe327c..62ffba6 100644 --- a/internal/eventloop.go +++ b/internal/eventloop.go @@ -8,6 +8,7 @@ import ( "ior/internal/event" "ior/internal/file" "ior/internal/globalfilter" + "ior/internal/statsengine" "ior/internal/types" ) @@ -20,8 +21,17 @@ const ( defaultMaxPendingHandleEntries = 8192 defaultMaxProcFdCacheSize = 8192 cacheTrimDivisor = 4 + defaultAggregateDrainEvery = time.Second ) +type syscallAggregateSource interface { + Drain() ([]statsengine.SyscallAggregate, error) +} + +type syscallAggregateSink interface { + IngestSyscallAggregates([]statsengine.SyscallAggregate) +} + type eventLoopConfig struct { pidFilter int filter globalfilter.Filter @@ -34,6 +44,7 @@ type eventLoopConfig struct { synchronousRawProcessing bool fdTracker *fdTracker commResolver *commResolver + aggregateDrainEvery time.Duration } type rawEventHandler func(raw []byte, ch chan<- *event.Pair) @@ -43,14 +54,16 @@ type eventLoop struct { // the TUI can swap filters in place via SetFilter without tearing down // and reattaching the BPF probes (the previous behavior caused a multi- // second 'Attaching tracepoints' overlay every time the filter changed). - filterPtr atomic.Pointer[globalfilter.Filter] - pairs pairTracker // enter/exit pairing state and inter-syscall duration tracking - pendingHandles *pendingHandleTracker // TID → pathname from name_to_handle_at, for open_by_handle_at correlation - fdTracker *fdTracker // fd table and procfs resolution cache - commResolver *commResolver - outputFormatter // pair-emission and warning-notification callbacks (embedded collaborator) - rawHandlers map[types.EventType]rawEventHandler - cfg eventLoopConfig + filterPtr atomic.Pointer[globalfilter.Filter] + pairs pairTracker // enter/exit pairing state and inter-syscall duration tracking + pendingHandles *pendingHandleTracker // TID → pathname from name_to_handle_at, for open_by_handle_at correlation + fdTracker *fdTracker // fd table and procfs resolution cache + commResolver *commResolver + outputFormatter // pair-emission and warning-notification callbacks (embedded collaborator) + rawHandlers map[types.EventType]rawEventHandler + cfg eventLoopConfig + aggregateSink syscallAggregateSink + aggregateSrc syscallAggregateSource // Statistics numTracepoints uint @@ -100,6 +113,9 @@ func newEventLoop(cfg eventLoopConfig) (*eventLoop, error) { cfg: cfg, done: make(chan struct{}), } + if el.cfg.aggregateDrainEvery <= 0 { + el.cfg.aggregateDrainEvery = defaultAggregateDrainEvery + } el.SetFilter(cfg.filter) el.initRawHandlers() el.configureOutputCallback() diff --git a/internal/eventloop_aggregate_test.go b/internal/eventloop_aggregate_test.go new file mode 100644 index 0000000..215c604 --- /dev/null +++ b/internal/eventloop_aggregate_test.go @@ -0,0 +1,76 @@ +package internal + +import ( + "context" + "sync" + "testing" + "time" + + "ior/internal/statsengine" + "ior/internal/types" +) + +type aggregateSourceStub struct { + mu sync.Mutex + rows [][]statsengine.SyscallAggregate +} + +func (s *aggregateSourceStub) Drain() ([]statsengine.SyscallAggregate, error) { + s.mu.Lock() + defer s.mu.Unlock() + if len(s.rows) == 0 { + return nil, nil + } + next := s.rows[0] + s.rows = s.rows[1:] + return next, nil +} + +type aggregateSinkStub struct { + mu sync.Mutex + rows []statsengine.SyscallAggregate +} + +func (s *aggregateSinkStub) IngestSyscallAggregates(rows []statsengine.SyscallAggregate) { + s.mu.Lock() + defer s.mu.Unlock() + s.rows = append(s.rows, rows...) +} + +func TestStartAggregateDrainLoopIngestsRows(t *testing.T) { + src := &aggregateSourceStub{ + rows: [][]statsengine.SyscallAggregate{ + {{TraceID: types.SYS_ENTER_FUTEX, Count: 2}}, + }, + } + sink := &aggregateSinkStub{} + el := &eventLoop{ + cfg: eventLoopConfig{aggregateDrainEvery: 2 * time.Millisecond}, + aggregateSrc: src, + aggregateSink: sink, + } + + ctx, cancel := context.WithCancel(context.Background()) + stop := el.startAggregateDrainLoop(ctx) + deadline := time.Now().Add(100 * time.Millisecond) + for time.Now().Before(deadline) { + sink.mu.Lock() + done := len(sink.rows) > 0 + sink.mu.Unlock() + if done { + break + } + time.Sleep(2 * time.Millisecond) + } + cancel() + stop() + + sink.mu.Lock() + defer sink.mu.Unlock() + if len(sink.rows) == 0 { + t.Fatal("expected drained aggregate rows") + } + if sink.rows[0].TraceID != types.SYS_ENTER_FUTEX || sink.rows[0].Count != 2 { + t.Fatalf("drained row = %+v, want futex count=2", sink.rows[0]) + } +} diff --git a/internal/eventloop_runtime.go b/internal/eventloop_runtime.go index 35714a1..f80f271 100644 --- a/internal/eventloop_runtime.go +++ b/internal/eventloop_runtime.go @@ -14,6 +14,8 @@ import ( func (e *eventLoop) run(ctx context.Context, rawCh <-chan []byte) { defer close(e.done) defer e.shutdownCommResolver() + stopAggregateLoop := e.startAggregateDrainLoop(ctx) + defer stopAggregateLoop() if e.cfg.pprofEnable { fmt.Println("Profiling, press Ctrl+C to stop") @@ -39,6 +41,39 @@ func (e *eventLoop) run(ctx context.Context, rawCh <-chan []byte) { } } +func (e *eventLoop) startAggregateDrainLoop(ctx context.Context) func() { + if e.aggregateSrc == nil || e.aggregateSink == nil { + return func() {} + } + + done := make(chan struct{}) + stop := make(chan struct{}) + go func() { + defer close(done) + ticker := time.NewTicker(e.cfg.aggregateDrainEvery) + defer ticker.Stop() + for { + select { + case <-ctx.Done(): + return + case <-stop: + return + case <-ticker.C: + rows, err := e.aggregateSrc.Drain() + if err != nil { + e.notifyWarning(fmt.Sprintf("syscall aggregate drain failed: %v", err)) + continue + } + e.aggregateSink.IngestSyscallAggregates(rows) + } + } + }() + return func() { + close(stop) + <-done + } +} + func (e *eventLoop) runSynchronously(ctx context.Context, rawCh <-chan []byte) { pairs := make(chan *event.Pair, 1) diff --git a/internal/flags/flags.go b/internal/flags/flags.go index 285569c..3a6456a 100644 --- a/internal/flags/flags.go +++ b/internal/flags/flags.go @@ -12,6 +12,7 @@ import ( appconfig "ior/internal/config" "ior/internal/globalfilter" "ior/internal/tracepoints" + "ior/internal/types" ) // Config captures runtime configuration parsed from CLI flags. @@ -72,6 +73,13 @@ type Config struct { // ResetTimer is the interval at which aggregate dashboard state (flamegraph // trie and stats engine) is automatically cleared; 0 disables auto-reset. ResetTimer time.Duration + // SyscallFamilySamplingRates controls in-kernel syscall sampling by family. + // Rate semantics: 0 aggregate-only, 1 emit every event, N>1 emit 1-in-N events. + SyscallFamilySamplingRates map[types.SyscallFamily]uint32 + // SyscallSamplingRates controls in-kernel syscall sampling by syscall name. + // Keys use syscall names (for example "futex"), not tracepoint names. + // Rate semantics: 0 aggregate-only, 1 emit every event, N>1 emit 1-in-N events. + SyscallSamplingRates map[string]uint32 // ShowVersion prints the banner plus version and exits without running. ShowVersion bool @@ -86,16 +94,18 @@ const DefaultResetTimer = 30 * time.Second // NewFlags returns a configuration instance initialized with project defaults. func NewFlags() Config { return Config{ - PidFilter: -1, - TidFilter: -1, - EventMapSize: appconfig.DefaultEventMapSize, - Duration: 900, - LiveInterval: 200 * time.Millisecond, - TUIFastRefreshInterval: 250 * time.Millisecond, - TUIExportEnable: true, - CollapsedFields: []string{"comm", "tracepoint", "path"}, - CountField: "count", - ResetTimer: DefaultResetTimer, + PidFilter: -1, + TidFilter: -1, + EventMapSize: appconfig.DefaultEventMapSize, + Duration: 900, + LiveInterval: 200 * time.Millisecond, + TUIFastRefreshInterval: 250 * time.Millisecond, + TUIExportEnable: true, + CollapsedFields: []string{"comm", "tracepoint", "path"}, + CountField: "count", + ResetTimer: DefaultResetTimer, + SyscallFamilySamplingRates: make(map[types.SyscallFamily]uint32), + SyscallSamplingRates: make(map[string]uint32), } } @@ -121,6 +131,8 @@ func (f Config) Clone() Config { out.TracepointSelector = f.TracepointSelector.Clone() out.CollapsedFields = slices.Clone(f.CollapsedFields) out.GlobalFilter = f.GlobalFilter.Clone() + out.SyscallFamilySamplingRates = cloneFamilySamplingRates(f.SyscallFamilySamplingRates) + out.SyscallSamplingRates = cloneSyscallSamplingRates(f.SyscallSamplingRates) return out } @@ -136,7 +148,7 @@ func Parse() (Config, error) { // fresh FlagSet and custom argument slices without touching global state. func parseFromFlagSet(fs *flag.FlagSet, args []string) (Config, error) { cfg := NewFlags() - tpsAttach, tpsExclude, fields := registerFlags(fs, &cfg) + tpsAttach, tpsExclude, fields, familySampling, syscallSampling := registerFlags(fs, &cfg) if err := fs.Parse(args); err != nil { return Config{}, err @@ -144,6 +156,9 @@ func parseFromFlagSet(fs *flag.FlagSet, args []string) (Config, error) { if err := resolvePostParseFields(&cfg, tpsAttach, tpsExclude, fields); err != nil { return Config{}, err } + if err := resolveSamplingRates(&cfg, familySampling, syscallSampling); err != nil { + return Config{}, err + } if err := validateConfig(cfg); err != nil { return Config{}, err } @@ -152,7 +167,7 @@ func parseFromFlagSet(fs *flag.FlagSet, args []string) (Config, error) { // registerFlags binds all CLI flags to cfg and returns the string pointers for // fields that require post-parse resolution (tracepoint regexes, collapse fields). -func registerFlags(fs *flag.FlagSet, cfg *Config) (tpsAttach, tpsExclude, fields *string) { +func registerFlags(fs *flag.FlagSet, cfg *Config) (tpsAttach, tpsExclude, fields, familySampling, syscallSampling *string) { validFields := collapse.ValidFields() validCounts := collapse.ValidCountFields() @@ -180,12 +195,16 @@ func registerFlags(fs *flag.FlagSet, cfg *Config) (tpsAttach, tpsExclude, fields fs.BoolVar(&cfg.TUIExportEnable, "tuiExport", cfg.TUIExportEnable, "Enable TUI CSV snapshot export files (separate from Parquet recording)") fs.DurationVar(&cfg.ResetTimer, "resetTimer", cfg.ResetTimer, "Auto-reset interval for aggregate dashboard state (flamegraph trie + stats engine); set to 0 to disable") + familySampling = fs.String("syscall-sampling-families", "", + "Per-family sampling rates, for example \"Time=100,Misc=0\" (0=aggregate-only, 1=all, N=1-in-N)") + syscallSampling = fs.String("syscall-sampling-syscalls", "", + "Per-syscall sampling rates, for example \"futex=0,clock_gettime=200\" (overrides family rates)") fs.BoolVar(&cfg.ShowVersion, "version", false, "Print version banner and exit") fields = fs.String("fields", "", fmt.Sprintf("Comma separated list of fields to collapse, valid are: %v", validFields)) fs.StringVar(&cfg.CountField, "count", cfg.CountField, fmt.Sprintf("Count field to collapse, valid are: %v", validCounts)) - return tpsAttach, tpsExclude, fields + return tpsAttach, tpsExclude, fields, familySampling, syscallSampling } // resolvePostParseFields compiles the tracepoint selector and collapse field @@ -220,6 +239,20 @@ func resolvePostParseFields(cfg *Config, tpsAttach, tpsExclude, fields *string) return nil } +func resolveSamplingRates(cfg *Config, familySampling, syscallSampling *string) error { + familyRates, err := parseFamilySamplingRates(*familySampling) + if err != nil { + return err + } + syscallRates, err := parseSyscallSamplingRates(*syscallSampling) + if err != nil { + return err + } + cfg.SyscallFamilySamplingRates = familyRates + cfg.SyscallSamplingRates = syscallRates + return nil +} + // validateConfig checks numeric/duration bounds that cannot be enforced by the // flag package itself and returns a descriptive error on the first violation. func validateConfig(cfg Config) error { diff --git a/internal/flags/sampling.go b/internal/flags/sampling.go new file mode 100644 index 0000000..19b4f9d --- /dev/null +++ b/internal/flags/sampling.go @@ -0,0 +1,88 @@ +package flags + +import ( + "fmt" + "strconv" + "strings" + + "ior/internal/types" +) + +func cloneFamilySamplingRates(in map[types.SyscallFamily]uint32) map[types.SyscallFamily]uint32 { + out := make(map[types.SyscallFamily]uint32, len(in)) + for family, rate := range in { + out[family] = rate + } + return out +} + +func cloneSyscallSamplingRates(in map[string]uint32) map[string]uint32 { + out := make(map[string]uint32, len(in)) + for syscall, rate := range in { + out[syscall] = rate + } + return out +} + +func parseFamilySamplingRates(raw string) (map[types.SyscallFamily]uint32, error) { + entries, err := parseSamplingEntries(raw) + if err != nil { + return nil, err + } + out := make(map[types.SyscallFamily]uint32, len(entries)) + for key, rate := range entries { + family, ok := types.ParseSyscallFamily(key) + if !ok { + return nil, fmt.Errorf("invalid syscall family in sampling map: %q", key) + } + out[family] = rate + } + return out, nil +} + +func parseSyscallSamplingRates(raw string) (map[string]uint32, error) { + entries, err := parseSamplingEntries(raw) + if err != nil { + return nil, err + } + out := make(map[string]uint32, len(entries)) + for syscall, rate := range entries { + syscall = strings.ToLower(strings.TrimSpace(syscall)) + if syscall == "" { + return nil, fmt.Errorf("invalid syscall sampling key %q", syscall) + } + if _, ok := types.EnterTraceIDByName(syscall); !ok { + return nil, fmt.Errorf("invalid syscall in sampling map: %q", syscall) + } + out[syscall] = rate + } + return out, nil +} + +func parseSamplingEntries(raw string) (map[string]uint32, error) { + out := make(map[string]uint32) + raw = strings.TrimSpace(raw) + if raw == "" { + return out, nil + } + for _, part := range strings.Split(raw, ",") { + part = strings.TrimSpace(part) + if part == "" { + continue + } + key, valueRaw, ok := strings.Cut(part, "=") + if !ok { + return nil, fmt.Errorf("invalid sampling entry %q: expected name=rate", part) + } + key = strings.TrimSpace(key) + if key == "" { + return nil, fmt.Errorf("invalid sampling entry %q: empty name", part) + } + rate, err := strconv.ParseUint(strings.TrimSpace(valueRaw), 10, 32) + if err != nil { + return nil, fmt.Errorf("invalid sampling rate for %q: %w", key, err) + } + out[key] = uint32(rate) + } + return out, nil +} diff --git a/internal/flags/sampling_test.go b/internal/flags/sampling_test.go new file mode 100644 index 0000000..0966c0f --- /dev/null +++ b/internal/flags/sampling_test.go @@ -0,0 +1,78 @@ +package flags + +import ( + "strings" + "testing" + + "ior/internal/types" +) + +func TestParseSamplingRates(t *testing.T) { + cfg, err := parseForTest(t, + "-syscall-sampling-families", "Time=100,misc=0", + "-syscall-sampling-syscalls", "futex=0,clock_gettime=7", + ) + if err != nil { + t.Fatalf("parse returned error: %v", err) + } + + if got := cfg.SyscallFamilySamplingRates[types.FamilyTime]; got != 100 { + t.Fatalf("Time family rate = %d, want 100", got) + } + if got := cfg.SyscallFamilySamplingRates[types.FamilyMisc]; got != 0 { + t.Fatalf("Misc family rate = %d, want 0", got) + } + if got := cfg.SyscallSamplingRates["futex"]; got != 0 { + t.Fatalf("futex rate = %d, want 0", got) + } + if got := cfg.SyscallSamplingRates["clock_gettime"]; got != 7 { + t.Fatalf("clock_gettime rate = %d, want 7", got) + } +} + +func TestParseSamplingFamilyRejectsUnknown(t *testing.T) { + _, err := parseForTest(t, "-syscall-sampling-families", "Nope=4") + if err == nil { + t.Fatal("expected parse error") + } + if !strings.Contains(err.Error(), "invalid syscall family") { + t.Fatalf("unexpected error: %v", err) + } +} + +func TestParseSamplingSyscallRejectsMalformedEntry(t *testing.T) { + _, err := parseForTest(t, "-syscall-sampling-syscalls", "futex") + if err == nil { + t.Fatal("expected parse error") + } + if !strings.Contains(err.Error(), "expected name=rate") { + t.Fatalf("unexpected error: %v", err) + } +} + +func TestParseSamplingSyscallRejectsUnknownName(t *testing.T) { + _, err := parseForTest(t, "-syscall-sampling-syscalls", "not_a_syscall=2") + if err == nil { + t.Fatal("expected parse error") + } + if !strings.Contains(err.Error(), "invalid syscall in sampling map") { + t.Fatalf("unexpected error: %v", err) + } +} + +func TestCloneDeepCopiesSamplingMaps(t *testing.T) { + cfg := NewFlags() + cfg.SyscallFamilySamplingRates[types.FamilyTime] = 5 + cfg.SyscallSamplingRates["futex"] = 9 + + cloned := cfg.Clone() + cloned.SyscallFamilySamplingRates[types.FamilyTime] = 100 + cloned.SyscallSamplingRates["futex"] = 1 + + if got := cfg.SyscallFamilySamplingRates[types.FamilyTime]; got != 5 { + t.Fatalf("original family rate mutated: got %d, want 5", got) + } + if got := cfg.SyscallSamplingRates["futex"]; got != 9 { + t.Fatalf("original syscall rate mutated: got %d, want 9", got) + } +} diff --git a/internal/generate/bpfhandler.go b/internal/generate/bpfhandler.go index e3d0d67..9e6f5d7 100644 --- a/internal/generate/bpfhandler.go +++ b/internal/generate/bpfhandler.go @@ -31,10 +31,10 @@ func generateBPFHandler(tp GeneratedTracepoint) string { eventTypeConst := eventTypeConstant(tp.Classification.Kind, isEnter) extra := generateExtra(tp, isEnter) - return renderHandler(f.Name, ctxStruct, eventStruct, comment, eventTypeConst, extra) + return renderHandler(f.Name, ctxStruct, eventStruct, comment, eventTypeConst, extra, isEnter) } -func renderHandler(name, ctxStruct, eventStruct, comment, eventTypeConst, extra string) string { +func renderHandler(name, ctxStruct, eventStruct, comment, eventTypeConst, extra string, isEnter bool) string { var b strings.Builder fmt.Fprintf(&b, "/// %s is a struct %s\n", name, comment) fmt.Fprintf(&b, "SEC(\"tracepoint/syscalls/%s\")\n", name) @@ -43,6 +43,14 @@ func renderHandler(name, ctxStruct, eventStruct, comment, eventTypeConst, extra b.WriteString(" if (filter(&pid, &tid))\n") b.WriteString(" return 0;\n") b.WriteString("\n") + if isEnter { + fmt.Fprintf(&b, " if (!ior_on_syscall_enter(tid, %s))\n", strings.ToUpper(name)) + b.WriteString(" return 0;\n") + } else { + fmt.Fprintf(&b, " if (!ior_on_syscall_exit(tid, %s, ctx->ret))\n", strings.ToUpper(name)) + b.WriteString(" return 0;\n") + } + b.WriteString("\n") fmt.Fprintf(&b, " struct %s *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct %s), 0);\n", eventStruct, eventStruct) b.WriteString(" if (!ev)\n") b.WriteString(" return 0;\n") diff --git a/internal/ior.go b/internal/ior.go index decdf12..3afb09a 100644 --- a/internal/ior.go +++ b/internal/ior.go @@ -242,6 +242,9 @@ func wireRuntimeBindings(rt *tuiRuntime, bindings runtime.TraceRuntimeBindings) // live-filter setter so the TUI can swap filters without restarting BPF probes. func makeTUIEventLoopConfigurer(ctx context.Context, cfg flags.Config, rt *tuiRuntime) func(*eventLoop) { var recorderWarningOnce sync.Once + type aggregateSink interface { + IngestSyscallAggregates([]statsengine.SyscallAggregate) + } return func(el *eventLoop) { // Seed the event loop's filter from config so subsequent reads via // el.Filter() see the same filter the trace was started with. @@ -271,6 +274,9 @@ func makeTUIEventLoopConfigurer(ctx context.Context, cfg flags.Config, rt *tuiRu el.warningCb = func(message string) { rt.streamBuf.Push(streamrow.NewWarning(rt.streamSeq.Next(), message)) } + if sink, ok := rt.snapSource.(aggregateSink); ok { + el.aggregateSink = sink + } if bindings, ok := runtime.RuntimeBindingsFromContext(ctx); ok { bindings.SetLiveFilterSetter(el.SetFilter) } @@ -566,6 +572,15 @@ func setupTraceInfra( bpfModule.Close() return nil, nil, nil, nil, nil, nil, func() {}, err } + aggregateConsumer, err := newSyscallAggregateConsumer(bpfModule) + if err != nil { + cancel() + stopSignals() + rb.Stop() + bpfModule.Close() + return nil, nil, nil, nil, nil, nil, func() {}, err + } + el.aggregateSrc = aggregateConsumer teardown = func() { // Stop the ring-buffer polling goroutine before the module is closed. diff --git a/internal/ior_bpfsetup.go b/internal/ior_bpfsetup.go index 61009c6..cb2cc95 100644 --- a/internal/ior_bpfsetup.go +++ b/internal/ior_bpfsetup.go @@ -64,6 +64,10 @@ func setupBPFModule(parentCtx context.Context, cfg flags.Config) (*bpf.Module, * bpfModule.Close() return nil, nil, releaseBindings, setupBPFModuleError("load object", err) } + if err := applySyscallSamplingRates(cfg, bpfModule); err != nil { + bpfModule.Close() + return nil, nil, releaseBindings, setupBPFModuleError("configure sampling rates", err) + } mgr := probemanager.NewManager(libbpfTracepointModule{module: bpfModule}) // Per-syscall attach failures are non-fatal: on older kernels the diff --git a/internal/statsengine/aggregate.go b/internal/statsengine/aggregate.go new file mode 100644 index 0000000..03dad5d --- /dev/null +++ b/internal/statsengine/aggregate.go @@ -0,0 +1,46 @@ +package statsengine + +import "ior/internal/types" + +// SyscallAggregate is the kernel-side aggregate for one sys_enter trace ID. +type SyscallAggregate struct { + TraceID types.TraceId + Count uint64 + Errors uint64 + TotalLatencyNs uint64 + MinLatencyNs uint64 + MaxLatencyNs uint64 + LatencyHistogramNs [8]uint64 +} + +// IngestSyscallAggregates folds kernel aggregate rows into the engine. +func (e *Engine) IngestSyscallAggregates(rows []SyscallAggregate) { + if e == nil || len(rows) == 0 { + return + } + + e.mu.Lock() + defer e.mu.Unlock() + + now := e.now() + var batchLatency uint64 + var batchCount uint64 + for _, row := range rows { + if row.Count == 0 { + continue + } + + e.totalSyscalls += row.Count + e.totalErrors += row.Errors + e.totalLatency += row.TotalLatencyNs + e.syscalls.AddAggregate(row) + e.families.AddAggregate(row) + e.latencyHist.AddBucketCounts(row.LatencyHistogramNs) + + batchLatency += row.TotalLatencyNs + batchCount += row.Count + } + if batchCount > 0 { + e.latencySeries.Add(float64(batchLatency)/float64(batchCount), now) + } +} diff --git a/internal/statsengine/aggregate_test.go b/internal/statsengine/aggregate_test.go new file mode 100644 index 0000000..0d11214 --- /dev/null +++ b/internal/statsengine/aggregate_test.go @@ -0,0 +1,57 @@ +package statsengine + +import ( + "testing" + + "ior/internal/types" +) + +func TestIngestSyscallAggregatesUpdatesSnapshot(t *testing.T) { + engine := NewEngine(DefaultTopN) + engine.IngestSyscallAggregates([]SyscallAggregate{ + { + TraceID: types.SYS_ENTER_FUTEX, + Count: 3, + Errors: 1, + TotalLatencyNs: 90, + MinLatencyNs: 10, + MaxLatencyNs: 50, + LatencyHistogramNs: [8]uint64{ + 1, 1, 1, 0, 0, 0, 0, 0, + }, + }, + }) + + snap, err := engine.Snapshot() + if err != nil { + t.Fatalf("snapshot error: %v", err) + } + if snap.TotalSyscalls != 3 { + t.Fatalf("TotalSyscalls = %d, want 3", snap.TotalSyscalls) + } + if snap.TotalErrors != 1 { + t.Fatalf("TotalErrors = %d, want 1", snap.TotalErrors) + } + if snap.LatencyHistogram.Total != 3 { + t.Fatalf("LatencyHistogram.Total = %d, want 3", snap.LatencyHistogram.Total) + } + + syscalls := snap.Syscalls() + var futexRow *SyscallSnapshot + for i := range syscalls { + row := &syscalls[i] + if row.TraceID == types.SYS_ENTER_FUTEX { + futexRow = row + break + } + } + if futexRow == nil { + t.Fatal("expected futex syscall row") + } + if futexRow.Count != 3 || futexRow.Errors != 1 { + t.Fatalf("futex row = %+v, want count=3 errors=1", *futexRow) + } + if futexRow.LatencyMinNs != 10 || futexRow.LatencyMaxNs != 50 { + t.Fatalf("futex min/max = %d/%d, want 10/50", futexRow.LatencyMinNs, futexRow.LatencyMaxNs) + } +} diff --git a/internal/statsengine/family.go b/internal/statsengine/family.go index 3206d57..a97332d 100644 --- a/internal/statsengine/family.go +++ b/internal/statsengine/family.go @@ -59,6 +59,30 @@ func (a *familyAccumulator) Add(pair *event.Pair) { } } +func (a *familyAccumulator) AddAggregate(row SyscallAggregate) { + if a == nil || row.TraceID == 0 || row.Count == 0 { + return + } + + family := row.TraceID.Family() + stats := a.byFamily[family] + if stats == nil { + stats = &familyStats{family: family} + a.byFamily[family] = stats + } + + prevCount := stats.count + stats.count += row.Count + stats.errorCount += row.Errors + stats.totalLatency += row.TotalLatencyNs + if prevCount == 0 || row.MinLatencyNs < stats.minLatency { + stats.minLatency = row.MinLatencyNs + } + if row.MaxLatencyNs > stats.maxLatency { + stats.maxLatency = row.MaxLatencyNs + } +} + func (a *familyAccumulator) snapshotInputs() []familySnapshotInput { if a == nil { return nil diff --git a/internal/statsengine/histogram.go b/internal/statsengine/histogram.go index 4a5e3b4..27d3285 100644 --- a/internal/statsengine/histogram.go +++ b/internal/statsengine/histogram.go @@ -47,6 +47,16 @@ func (h *histogram) Increment(durationNs uint64) { h.total++ } +func (h *histogram) AddBucketCounts(counts [histogramBucketCount]uint64) { + if h == nil { + return + } + for i, count := range counts { + h.counts[i] += count + h.total += count + } +} + // Snapshot returns a HistogramSnapshot of the current histogram state. // It panics on build error, which should never happen for a valid histogram. func (h *histogram) Snapshot() HistogramSnapshot { diff --git a/internal/statsengine/syscall.go b/internal/statsengine/syscall.go index d58e8c9..5c85b2a 100644 --- a/internal/statsengine/syscall.go +++ b/internal/statsengine/syscall.go @@ -99,6 +99,29 @@ func (a *syscallAccumulator) Add(pair *event.Pair) { } } +func (a *syscallAccumulator) AddAggregate(row SyscallAggregate) { + if a == nil || row.TraceID == 0 || row.Count == 0 { + return + } + + stats := a.byID[row.TraceID] + if stats == nil { + stats = &syscallStats{traceID: row.TraceID, name: row.TraceID.Name()} + a.byID[row.TraceID] = stats + } + + prevCount := stats.count + stats.count += row.Count + stats.errorCount += row.Errors + stats.totalLatency += row.TotalLatencyNs + if prevCount == 0 || row.MinLatencyNs < stats.minLatency { + stats.minLatency = row.MinLatencyNs + } + if row.MaxLatencyNs > stats.maxLatency { + stats.maxLatency = row.MaxLatencyNs + } +} + // Snapshot returns a slice of SyscallSnapshots for all tracked syscalls. // It panics on build error, which should never happen for a valid accumulator. func (a *syscallAccumulator) Snapshot(elapsed time.Duration) []SyscallSnapshot { diff --git a/internal/syscall_aggregate_consumer.go b/internal/syscall_aggregate_consumer.go new file mode 100644 index 0000000..108bbeb --- /dev/null +++ b/internal/syscall_aggregate_consumer.go @@ -0,0 +1,129 @@ +package internal + +import ( + "bytes" + "encoding/binary" + "errors" + "fmt" + "syscall" + "unsafe" + + "ior/internal/flags" + "ior/internal/statsengine" + "ior/internal/types" + + bpf "github.com/aquasecurity/libbpfgo" +) + +const ( + syscallAggregateMapName = "syscall_aggregate_map" + syscallSamplingRateMapName = "syscall_sampling_rate_map" +) + +type rawSyscallAggregate struct { + Count uint64 + Errors uint64 + TotalDuration uint64 + MinDuration uint64 + MaxDuration uint64 + Histogram [8]uint64 +} + +type syscallAggregateConsumer struct { + aggregateMap *bpf.BPFMap +} + +func newSyscallAggregateConsumer(module *bpf.Module) (*syscallAggregateConsumer, error) { + if module == nil { + return nil, errors.New("nil bpf module") + } + aggregateMap, err := module.GetMap(syscallAggregateMapName) + if err != nil { + return nil, fmt.Errorf("get %s: %w", syscallAggregateMapName, err) + } + return &syscallAggregateConsumer{aggregateMap: aggregateMap}, nil +} + +func (c *syscallAggregateConsumer) Drain() ([]statsengine.SyscallAggregate, error) { + if c == nil || c.aggregateMap == nil { + return nil, nil + } + + iter := c.aggregateMap.Iterator() + rows := make([]statsengine.SyscallAggregate, 0, 64) + for iter.Next() { + keyRaw := append([]byte(nil), iter.Key()...) + if len(keyRaw) != 4 { + continue + } + key := binary.LittleEndian.Uint32(keyRaw) + valueRaw, err := c.aggregateMap.GetValueAndDeleteKey(unsafe.Pointer(&key)) + if err != nil { + if errors.Is(err, syscall.ENOENT) { + continue + } + return nil, fmt.Errorf("drain aggregate for trace id %d: %w", key, err) + } + raw, err := decodeRawSyscallAggregate(valueRaw) + if err != nil { + return nil, fmt.Errorf("decode aggregate for trace id %d: %w", key, err) + } + rows = append(rows, statsengine.SyscallAggregate{ + TraceID: types.TraceId(key), + Count: raw.Count, + Errors: raw.Errors, + TotalLatencyNs: raw.TotalDuration, + MinLatencyNs: raw.MinDuration, + MaxLatencyNs: raw.MaxDuration, + LatencyHistogramNs: raw.Histogram, + }) + } + if err := iter.Err(); err != nil { + return nil, fmt.Errorf("iterate %s: %w", syscallAggregateMapName, err) + } + return rows, nil +} + +func decodeRawSyscallAggregate(raw []byte) (rawSyscallAggregate, error) { + var out rawSyscallAggregate + expectedSize := binary.Size(out) + if len(raw) != expectedSize { + return rawSyscallAggregate{}, fmt.Errorf("invalid aggregate value size %d (want %d)", len(raw), expectedSize) + } + if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &out); err != nil { + return rawSyscallAggregate{}, err + } + return out, nil +} + +func applySyscallSamplingRates(cfg flags.Config, module *bpf.Module) error { + samplingMap, err := module.GetMap(syscallSamplingRateMapName) + if err != nil { + return fmt.Errorf("get %s: %w", syscallSamplingRateMapName, err) + } + for traceID, rate := range buildSyscallSamplingRates(cfg) { + key := uint32(traceID) + value := rate + if err := samplingMap.Update(unsafe.Pointer(&key), unsafe.Pointer(&value)); err != nil { + return fmt.Errorf("set sampling rate for %s to %d: %w", traceID.String(), rate, err) + } + } + return nil +} + +func buildSyscallSamplingRates(cfg flags.Config) map[types.TraceId]uint32 { + rates := make(map[types.TraceId]uint32) + for _, enterID := range types.EnterTraceIDs() { + if rate, ok := cfg.SyscallFamilySamplingRates[enterID.Family()]; ok { + rates[enterID] = rate + } + } + for syscallName, rate := range cfg.SyscallSamplingRates { + enterID, ok := types.EnterTraceIDByName(syscallName) + if !ok { + continue + } + rates[enterID] = rate + } + return rates +} diff --git a/internal/syscall_aggregate_consumer_test.go b/internal/syscall_aggregate_consumer_test.go new file mode 100644 index 0000000..1f6e856 --- /dev/null +++ b/internal/syscall_aggregate_consumer_test.go @@ -0,0 +1,53 @@ +package internal + +import ( + "bytes" + "encoding/binary" + "testing" + + "ior/internal/flags" + "ior/internal/types" +) + +func TestBuildSyscallSamplingRatesFamilyAndSyscallOverride(t *testing.T) { + cfg := flags.NewFlags() + cfg.SyscallFamilySamplingRates[types.FamilyTime] = 100 + cfg.SyscallSamplingRates["clock_gettime"] = 3 + + rates := buildSyscallSamplingRates(cfg) + if got := rates[types.SYS_ENTER_NANOSLEEP]; got != 100 { + t.Fatalf("nanosleep rate = %d, want 100", got) + } + if got := rates[types.SYS_ENTER_CLOCK_GETTIME]; got != 3 { + t.Fatalf("clock_gettime rate = %d, want 3", got) + } +} + +func TestDecodeRawSyscallAggregate(t *testing.T) { + want := rawSyscallAggregate{ + Count: 7, + Errors: 2, + TotalDuration: 1234, + MinDuration: 12, + MaxDuration: 456, + Histogram: [8]uint64{1, 2, 3, 4, 5, 6, 7, 8}, + } + var buf bytes.Buffer + if err := binary.Write(&buf, binary.LittleEndian, want); err != nil { + t.Fatalf("binary write: %v", err) + } + + got, err := decodeRawSyscallAggregate(buf.Bytes()) + if err != nil { + t.Fatalf("decodeRawSyscallAggregate error: %v", err) + } + if got != want { + t.Fatalf("decoded aggregate = %+v, want %+v", got, want) + } +} + +func TestDecodeRawSyscallAggregateRejectsBadSize(t *testing.T) { + if _, err := decodeRawSyscallAggregate([]byte{1, 2, 3}); err == nil { + t.Fatal("expected error for short value") + } +} diff --git a/internal/types/family.go b/internal/types/family.go index 6aee5c0..048f143 100644 --- a/internal/types/family.go +++ b/internal/types/family.go @@ -1,5 +1,7 @@ package types +import "strings" + // AllSyscallFamilies returns the dashboard display order for broad syscall families. func AllSyscallFamilies() []SyscallFamily { return []SyscallFamily{ @@ -37,3 +39,14 @@ func SyscallFamilyRank(family SyscallFamily) int { } return len(AllSyscallFamilies()) } + +// ParseSyscallFamily parses a user-supplied family name. +func ParseSyscallFamily(raw string) (SyscallFamily, bool) { + needle := strings.TrimSpace(strings.ToLower(raw)) + for _, family := range AllSyscallFamilies() { + if strings.ToLower(string(family)) == needle { + return family, true + } + } + return "", false +} diff --git a/internal/types/traceid_lookup.go b/internal/types/traceid_lookup.go new file mode 100644 index 0000000..bf2ccfc --- /dev/null +++ b/internal/types/traceid_lookup.go @@ -0,0 +1,46 @@ +package types + +import ( + "strings" + "sync" +) + +var ( + enterTraceByNameOnce sync.Once + enterTraceByName map[string]TraceId + enterTraceIDsOnce sync.Once + enterTraceIDs []TraceId +) + +// EnterTraceIDByName resolves a syscall name (for example, "futex") to the +// corresponding sys_enter trace ID. +func EnterTraceIDByName(name string) (TraceId, bool) { + enterTraceByNameOnce.Do(initEnterTraceByName) + id, ok := enterTraceByName[strings.ToLower(strings.TrimSpace(name))] + return id, ok +} + +func initEnterTraceByName() { + enterTraceByName = make(map[string]TraceId) + for traceID, name := range traceId2Name { + if !strings.HasPrefix(traceID.String(), "enter_") { + continue + } + enterTraceByName[strings.ToLower(name)] = traceID + } +} + +// EnterTraceIDs returns all known sys_enter trace IDs. +func EnterTraceIDs() []TraceId { + enterTraceIDsOnce.Do(initEnterTraceIDs) + return append([]TraceId(nil), enterTraceIDs...) +} + +func initEnterTraceIDs() { + enterTraceIDs = make([]TraceId, 0, len(traceId2Name)/2) + for traceID := range traceId2Name { + if strings.HasPrefix(traceID.String(), "enter_") { + enterTraceIDs = append(enterTraceIDs, traceID) + } + } +} -- cgit v1.2.3